# PHP - Composer

Note

The support for this language is currently in beta. Vulnerability results may be less accurate than normal.

We support tracking PHP dependencies installed using the Composer dependency manager, by reading either its composer.json file or its lock file, composer.lock (recommended). You will get the most accurate results if you let us scan your composer.lock file, because it contains the resolved versions of your direct and indirect dependencies, so we recommend keeping this file in your repository.

The composer.lock file is generated whenever one of the following is run:

```
composer install
composer require
composer update
```

If you keep both your composer.json and composer.lock files committed to your repository, we will automatically scan them for dependencies, vulnerabilities and licenses once you have set up any of our integrations in your CI/CD pipeline.
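The following Python example is added here for illustration and is not the scanner's own code. It shows why the lock file gives more accurate results: composer.json yields only direct packages with version constraints, while composer.lock yields exact versions for direct and indirect packages. The sample file contents and the function names `declared`, `resolved` and `missing_from_lock` are assumptions made for this example.

```python
import json

# Constructed sample files; package versions are illustrative.
COMPOSER_JSON = """{
  "require": {"php": ">=8.1", "monolog/monolog": "^3.0"},
  "require-dev": {"phpunit/phpunit": "^10.0"}
}"""
COMPOSER_LOCK = """{
  "packages": [
    {"name": "monolog/monolog", "version": "3.5.0",
     "require": {"php": ">=8.1", "psr/log": "^2.0 || ^3.0"}},
    {"name": "psr/log", "version": "3.0.0", "require": {"php": ">=8.0.0"}}
  ],
  "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.2"}]
}"""


def declared(manifest_text):
    """Direct requirements from composer.json: name -> version constraint."""
    manifest = json.loads(manifest_text)
    merged = {**manifest.get("require", {}), **manifest.get("require-dev", {})}
    # Names without a vendor prefix (php, ext-*, lib-*) are platform
    # requirements and never appear as packages in composer.lock.
    return {n: c for n, c in merged.items() if "/" in n}


def resolved(manifest_text, lock_text):
    """Every locked package with its exact version, scope and directness."""
    direct = declared(manifest_text)
    lock = json.loads(lock_text)
    rows = []
    for section, dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section) or []:
            rows.append({"name": pkg["name"], "version": pkg["version"],
                         "dev": dev, "direct": pkg["name"] in direct})
    return rows


def missing_from_lock(manifest_text, lock_text):
    """Direct requirements with no locked version: the lock file is stale."""
    locked = {r["name"] for r in resolved(manifest_text, lock_text)}
    return sorted(set(declared(manifest_text)) - locked)


if __name__ == "__main__":
    print("composer.json only:", declared(COMPOSER_JSON))
    for row in resolved(COMPOSER_JSON, COMPOSER_LOCK):
        print(row)
    print("stale entries:", missing_from_lock(COMPOSER_JSON, COMPOSER_LOCK))
```

A non-empty result from `missing_from_lock` means composer.json was edited without regenerating composer.lock, so a scan of the lock file would miss that dependency.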