sbominator/scaninator

v0.1.2 2025-03-17 10:11 UTC

README

A PHP dependency scanner that tokenizes PHP files, extracts every include/require statement, resolves the referenced paths and follows them recursively. It can scan both local files and PHP files from GitHub repositories.

Requirements

  • PHP 7.0 or later
  • Composer
  • Git (for GitHub repository scanning)
  • PHP Tokenizer extension

Installation

  1. Clone the repository:

    git clone https://github.com/sbominator/scaninator.git
    cd scaninator
  2. Install dependencies with Composer:

    composer install

Usage

Command Line Interface

The simplest way to use Scaninator is through the command line:

php cli.php <filename or GitHub URL>

Examples

Scan a local file:

php cli.php path/to/file.php

Scan a file from a GitHub repository:

php cli.php https://github.com/owner/repo/blob/main/path/to/file.php

Programmatic Usage

You can also use Scaninator in your own PHP scripts:

<?php
require 'vendor/autoload.php';

// Point the scanner at a local file (a GitHub blob URL works here too, as on the CLI).
$scanner = new \Scaninator\Scaninator('path/to/file.php');

// Follows include/require statements recursively and returns the resolved dependencies.
$dependencies = $scanner->get_dependencies();

print_r($dependencies);

Retrieving SBOM Data

For GitHub repositories, you can retrieve the Software Bill of Materials (SBOM) without performing a full scan:

<?php
require 'vendor/autoload.php';

// A repository URL (not a blob URL) is enough: nothing is cloned or scanned.
$scanner = new \Scaninator\Scaninator('https://github.com/owner/repo');

// Fetches the repository's dependency graph SBOM from GitHub's API.
$sbom = $scanner->get_sbom();

print_r($sbom);

This will fetch the dependency graph SBOM directly from GitHub's API without cloning or scanning the repository. Note that GitHub builds its dependency graph from the manifest and lock files it finds in the repository (for PHP, composer.json and composer.lock), so the SBOM lists declared packages; it does not see the include/require edges that a file scan finds, and the two views can disagree. Treat them as complementary rather than interchangeable.

Features

  • Scans PHP files for require, require_once, include, and include_once statements
  • Resolves paths of dependencies (handles relative paths, __DIR__, etc.)
  • Recursively analyzes dependencies to build a complete dependency tree
  • Support for scanning files directly from GitHub repositories
  • Retrieve SBOM data directly from GitHub repositories
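As an added example, not code from the Scaninator project, the script below shows what the first three features amount to when done with the same tokenizer extension Scaninator requires: extract include/require statements, resolve literal paths and __DIR__, and, the part a reviewer cares about, flag includes whose target is only known at runtime. No static scanner can resolve those, and a target built from request data is the classic file-inclusion bug, so they should be reported rather than silently dropped. The function names, the directory /srv/app/public and the sample PHP snippet are all made up for the example.

```php
<?php
// Added example, not Scaninator's own code. Minimal static extractor for
// include/require statements built on PHP's tokenizer extension. It resolves
// literal paths and __DIR__ relative to the scanned file's directory and marks
// every other include as unresolvable. Helper names and sample data are
// assumptions made for the example.

/**
 * Normalize a path lexically (no filesystem access): collapse "." and "..".
 */
function normalize_path(string $path): string
{
    $absolute = $path !== '' && $path[0] === '/';
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($out !== [] && end($out) !== '..') {
                array_pop($out);
            } elseif (!$absolute) {
                $out[] = '..';
            }
            continue;
        }
        $out[] = $seg;
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

/**
 * Find every include/require in $source. Each result has:
 *   kind    include | include_once | require | require_once
 *   line    line number of the statement
 *   static  true when the target is a compile-time constant
 *   path    resolved absolute path (null when not static)
 *   expr    the argument expression as written (whitespace removed)
 *
 * $fileDir is the directory of the scanned file: what __DIR__ expands to and
 * the base for relative paths. The include_path search is deliberately ignored,
 * and the older dirname(__FILE__) spelling is reported as unresolved because it
 * is a function call.
 */
function extract_includes(string $source, string $fileDir): array
{
    $kinds = [
        T_INCLUDE => 'include', T_INCLUDE_ONCE => 'include_once',
        T_REQUIRE => 'require', T_REQUIRE_ONCE => 'require_once',
    ];
    $tokens = token_get_all($source);
    $count = count($tokens);
    $results = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || !isset($kinds[$tok[0]])) {
            continue;
        }
        $pieces = [];   // evaluated constant pieces of the argument
        $expr = '';     // argument text for reporting
        $static = true;
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if ($t === ';' || (is_array($t) && $t[0] === T_CLOSE_TAG)) {
                break;
            }
            if (!is_array($t)) {
                // Single-character tokens: only concatenation and parentheses
                // keep the expression static; '[', '?', '+' etc. do not.
                $expr .= $t;
                if ($t !== '.' && $t !== '(' && $t !== ')') {
                    $static = false;
                }
                continue;
            }
            list($id, $text) = $t;
            if ($id === T_WHITESPACE || $id === T_COMMENT || $id === T_DOC_COMMENT) {
                continue;
            }
            $expr .= $text;
            if ($id === T_CONSTANT_ENCAPSED_STRING) {
                // Quoted literal without interpolation; strip quotes and escapes.
                $pieces[] = $text[0] === "'"
                    ? str_replace(["\\'", '\\\\'], ["'", '\\'], substr($text, 1, -1))
                    : stripcslashes(substr($text, 1, -1));
            } elseif ($id === T_DIR) {
                $pieces[] = $fileDir;
            } else {
                // Variables, function calls, "$interpolated" strings, constants:
                // the target is only known at runtime.
                $static = false;
            }
        }
        $path = null;
        if ($static && $pieces !== []) {
            $joined = implode('', $pieces);
            if ($joined[0] !== '/') {
                $joined = $fileDir . '/' . $joined;   // relative to the scanned file
            }
            $path = normalize_path($joined);
        } else {
            $static = false;
        }
        $results[] = [
            'kind' => $kinds[$tok[0]], 'line' => $tok[2],
            'static' => $static, 'path' => $path, 'expr' => $expr,
        ];
        $i = $j;   // continue after this statement
    }
    return $results;
}

// Constructed sample input: the first two includes resolve, the third cannot.
$sample = <<<'PHP'
<?php
require_once __DIR__ . '/../vendor/autoload.php';
include 'lib/helpers.php';
include $_GET['page'] . '.php';
PHP;

foreach (extract_includes($sample, '/srv/app/public') as $inc) {
    printf("line %d: %-12s %s\n", $inc['line'], $inc['kind'],
        $inc['static'] ? $inc['path'] : 'UNRESOLVED (' . $inc['expr'] . ')');
}
```

Run it with php on the command line. The first two statements come back with absolute paths (the `..` in the autoload path is collapsed lexically, without touching the filesystem), while the third is reported as UNRESOLVED together with the expression that built it, which is the line a reviewer wants to look at. A dependency tree that quietly omits such includes understates what the code can load.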

Contributing

Please see CONTRIBUTING.md for more information.

License

This project is open source and available under the MIT License.