Download the PHP package hfryan/php-cop without Composer
Package: php-cop
Short description: PHP Cop checks composer.lock and flags outdated or suspicious packages.
License: MIT
Homepage: https://github.com/hfryan/php-cop

Information about the package php-cop
PHPCop 🚓
Dependency Patrol — PHP Security Scanner
PHPCop is a powerful PHP security scanner that analyzes your composer.lock file to identify vulnerabilities, outdated packages, and maintenance issues in your dependencies. Keep your applications secure with comprehensive dependency health monitoring.
Why PHPCop? 🤔
- 🛡️ Security First - Detect known CVEs and security vulnerabilities before they impact your application
- 📊 Professional Reports - Generate beautiful HTML and Markdown reports for stakeholders
- ⚙️ CI/CD Ready - Perfect exit codes and quiet modes for automated pipelines
- 🎯 Zero Configuration - Works out of the box, configure only what you need
- 🚀 Fast & Efficient - Minimal overhead with intelligent caching and parallel processing
- 👥 Team Friendly - Share security policies via committed configuration files
Features
- 🚨 Security Vulnerability Detection - Scans for known CVEs using `composer audit`
- ⬆️ Outdated Package Detection - Identifies packages with newer versions available
- 🚫 Abandoned Package Detection - Flags packages that are no longer maintained
- ⌛ Stale Package Detection - Finds packages that haven't been updated in months
- 🔥 Laravel Integration - Automatic Laravel detection with framework-specific security recommendations
- 📊 Multiple Output Formats - Table, JSON, Markdown, and HTML output
- 🎯 Advanced Filtering - Filter by dependency type, licenses, and vulnerability severity
- 🎚️ Configurable Thresholds - Set custom severity levels and staleness periods
- ⚡ High Performance - Parallel API calls and intelligent caching for fast scans
- 🚀 CI/CD Ready - Returns appropriate exit codes for automation
Quick Start 🚀
That's it! PHPCop will analyze your composer.lock and show you any security issues, outdated packages, or maintenance concerns.
Installation
Method 1: Global Installation (Recommended for regular use)
Alternative manual setup: If you prefer to configure PATH manually:
On macOS/Linux:
On Windows:
Method 2: Per-Project Installation (Simplest)
Method 3: PHAR Download (Recommended for CI/CD)
Download the latest PHAR release for zero-dependency deployment:
Benefits:
- ✅ No Composer or dependencies required
- ✅ Single file deployment
- ✅ Perfect for CI/CD pipelines
- ✅ Works in Docker containers
- ✅ Consistent across environments
Usage
Basic Scan
Output Formats
Custom Options
CI/CD Integration 🚀
PHPCop is designed for seamless CI/CD integration with intelligent exit codes and automation-friendly features.
Enhanced Exit Codes (Default)
PHPCop uses granular exit codes to provide precise information for automated pipelines:
CI/CD Examples
GitHub Actions Integration
PHPCop provides a pre-built GitHub Action for seamless CI/CD integration:
Quick Setup (Recommended)
Advanced Configuration
Action Inputs
| Input | Default | Description |
|---|---|---|
| `format` | `table` | Output format: table, json, md, html |
| `fail-on` | `high` | Minimum severity to fail: low, moderate, high, critical |
| `stale-months` | `18` | Months to flag packages as stale |
| `exclude-dev` | `false` | Exclude dev dependencies from scan |
| `only-dev` | `false` | Only scan dev dependencies |
| `min-severity` | `low` | Minimum vulnerability severity to report |
| `ignore-packages` | `''` | Comma-separated packages to ignore |
| `license-allowlist` | `''` | Comma-separated allowed licenses |
| `license-denylist` | `''` | Comma-separated denied licenses |
| `exit-code` | `enhanced` | Exit code behavior: legacy, enhanced |
| `comment-pr` | `true` | Post scan results as PR comment |
| `upload-artifacts` | `true` | Upload reports as artifacts |
| `working-directory` | `.` | Directory to run scan in |
Action Outputs
| Output | Description |
|---|---|
| `exit-code` | The exit code from PHPCop scan |
| `issues-found` | Number of issues found |
| `vulnerabilities-found` | Number of vulnerabilities found |
| `report-file` | Path to the generated report file |
Using Outputs
Manual PHAR Download (Alternative)
Docker Integration
Sample Output
Laravel Integration 🔥
PHPCop automatically detects Laravel projects and provides framework-specific security insights!
Automatic Detection
PHPCop detects Laravel projects automatically by looking for:
- An `artisan` file in the project root
- `laravel/framework` in the composer dependencies
When a Laravel project is detected, PHPCop provides:
Laravel-Specific Features
🎯 Framework Version Display
🔥 Laravel Package Highlighting - Laravel ecosystem packages are highlighted with a 🔥 badge:
- laravel/framework
- laravel/sanctum, laravel/passport
- livewire/livewire
- laravel/horizon, laravel/telescope
- And more!
⚠️ Laravel Security Recommendations - Automatic security checks for common Laravel issues:
- .env file protection - Warns if .env might be committed to git
- EOL version detection - Flags Laravel 10 and earlier as end-of-life
- Critical CVE awareness - Highlights known Laravel vulnerabilities:
  - CVE-2025-54068 (Livewire v3 RCE)
  - CVE-2024-52301 (Environment variable manipulation)
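The Laravel detection rule above (an `artisan` file plus `laravel/framework` in the lock), the "Laravel 10 and earlier is EOL" rule, and the stale-package check from the Features section, written out as one added illustration that is not PHPCop's own code. The composer.lock excerpt, the temporary project root and the reference date are constructed for the demo.

```php
<?php
// Added illustration, not PHPCop's source. The composer.lock excerpt is constructed;
// only the fields these checks read (name, version, time) are kept.
const SAMPLE_LOCK = '{
  "packages": [
    {"name": "laravel/framework", "version": "v10.48.0", "time": "2024-03-12T00:00:00+00:00"},
    {"name": "guzzlehttp/guzzle",  "version": "7.8.1",    "time": "2025-06-10T00:00:00+00:00"},
    {"name": "monolog/monolog",    "version": "3.5.0",    "time": "2023-10-27T00:00:00+00:00"}
  ],
  "packages-dev": []
}';

// Laravel detection as the README describes it: artisan in the root + laravel/framework in the lock.
function detectLaravel(array $lock, string $projectRoot): ?string
{
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'laravel/framework' && is_file($projectRoot . '/artisan')) {
            return ltrim((string) ($pkg['version'] ?? ''), 'v'); // "v10.48.0" -> "10.48.0"
        }
    }
    return null;
}

// The README's EOL rule: Laravel 10 and earlier are flagged as end-of-life.
function isEolLaravel(string $version): bool
{
    return (int) explode('.', $version)[0] <= 10;
}

// Packages whose lock "time" is older than $staleMonths before $now (the --stale-months idea).
function stalePackages(array $lock, int $staleMonths, DateTimeImmutable $now): array
{
    $cutoff = $now->sub(new DateInterval("P{$staleMonths}M"));
    $stale = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (!isset($pkg['time'])) { continue; } // no release date in the lock: skip rather than guess
        if (new DateTimeImmutable($pkg['time']) < $cutoff) {
            $stale[] = $pkg['name'];
        }
    }
    return $stale;
}

// Demo: simulate a Laravel project root in a temp dir and scan the constructed lock.
$root = sys_get_temp_dir() . '/phpcop-example-' . getmypid();
mkdir($root); touch("$root/artisan");
$lock = json_decode(SAMPLE_LOCK, true, 512, JSON_THROW_ON_ERROR);
$laravel = detectLaravel($lock, $root);
echo $laravel === null ? "Not a Laravel project\n"
    : "Laravel $laravel" . (isEolLaravel($laravel) ? " (EOL: 10 or earlier)\n" : "\n");
echo 'stale (18 months before 2025-10-01): ' . implode(', ', stalePackages($lock, 18, new DateTimeImmutable('2025-10-01'))) . "\n";
unlink("$root/artisan"); rmdir($root);
```

With the constructed data this reports Laravel 10.48.0 as EOL and flags laravel/framework and monolog/monolog as stale while guzzlehttp/guzzle passes.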
📦 Laravel Package Context - Get specific security guidance for Laravel packages:
Example Output
For a Laravel 11 Project:
JSON Output with Laravel Data:
Laravel Best Practices
PHPCop helps enforce Laravel security best practices:
- ✅ Keep Laravel framework updated
- ✅ Monitor Laravel ecosystem packages (Livewire, Sanctum, etc.)
- ✅ Prevent APP_KEY leaks
- ✅ Stay on supported Laravel versions (11+)
- ✅ Watch for framework-specific CVEs
Advanced Filtering 🎯
PHPCop provides powerful filtering options to focus your security analysis:
Dependency Type Filtering
License Filtering
Vulnerability Severity Filtering
Combined Filtering Examples
Performance & Caching ⚡
PHPCop is optimized for speed with intelligent caching and parallel processing:
Parallel API Calls
- Concurrent requests - Fetches package data in parallel instead of sequentially
- Significant speedup - 10-50x faster for projects with many dependencies
- Automatic batching - Groups API calls for maximum efficiency
Intelligent Caching
- Multi-level cache - Memory cache + persistent file cache
- Smart TTL - 1-hour default cache lifetime (configurable)
- Automatic cleanup - Expired cache files are removed automatically
- Cross-run persistence - Subsequent scans use cached data for speed
Cache Control
Cache Location: {system-temp}/phpcop-cache/
Performance Tips
- First run: May take longer as cache is populated
- Subsequent runs: Near-instant for unchanged dependencies
- CI environments: Consider `--no-cache` for fresh builds
- Development: Keep caching enabled for faster iteration
Configuration
Configuration File
Create a .phpcop.json file in your project root for persistent settings:
Command Options
| Option | Default | Description |
|---|---|---|
| `--format` | `table` | Output format: table, json, md, html |
| `--stale-months` | `18` | Months to flag packages as stale |
| `--fail-on` | `high` | Minimum severity to fail: low, moderate, high, critical |
| `--composer-bin` | `composer` | Path to composer executable |
| `--quiet`, `-q` | `false` | Disable progress bar and animations |
| `--config`, `-c` | `.phpcop.json` | Path to configuration file |
| `--ignore-packages` | `[]` | Comma-separated packages to ignore |
| `--only-dev` | `false` | Only scan dev dependencies |
| `--exclude-dev` | `false` | Exclude dev dependencies from scan |
| `--license-allowlist` | `[]` | Comma-separated list of allowed licenses |
| `--license-denylist` | `[]` | Comma-separated list of denied licenses |
| `--min-severity` | `low` | Minimum vulnerability severity: low, moderate, high, critical |
| `--no-cache` | `false` | Disable response caching (force fresh API calls) |
| `--exit-code` | `enhanced` | Exit code behavior: legacy, enhanced |
Note: Command-line options override configuration file settings.
Requirements
- PHP 8.3 or higher
- Composer 2.x
- A `composer.lock` file in your project
Building from Source 🔧
Building the PHAR
To build your own PHAR archive:
The generated phpcop.phar file is self-contained and can be distributed independently.
Development Commands
Contributing 🤝
We welcome contributions! Here's how you can help:
- 🐛 Bug Reports - Open an issue with details and reproduction steps
- 💡 Feature Requests - Share your ideas for new functionality
- 🔧 Code Contributions - Submit a pull request with your improvements
- 📖 Documentation - Help improve our docs and examples
- 🌟 Spread the Word - Star the repo, share with colleagues, write blog posts
Support
- 📚 Documentation - Check our comprehensive README and examples
- 🐛 Issues - Report bugs on GitHub Issues
- 💬 Discussions - Join conversations in GitHub Discussions
- 📦 Packagist - View package details on Packagist
License
Released under the MIT License. Free for personal and commercial use.
Built with ❤️ for the PHP community
Keep your dependencies secure, one scan at a time! 🚓
All versions of php-cop with dependencies
- symfony/console: ^7.3
- symfony/process: ^7.3
- guzzlehttp/guzzle: ^7.8
- composer/semver: ^3.4