Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

giotsa's avatar

Scanning Laravel Vendors and SNYK

Dear Community Members, I have a question regarding Laravel (ver. 12) vendors, for the project we build the small application on Laravel, deploying code into the Azure repo and trying to use the azure DevOps to build image and delivery to final deployment destination, using SNYK vulnerability testing in the middle. But we faced problems while scanning the project code, SNYK reported some vulnerabilities in vendors part: symphony, technickcom, in laravel framework and more, detecting path-traversal, Cross-site Scripting (XSS), command injection etc., evaluating the impact as HIGH for 24 cases, medium 67 and low 83. Vendors are latest version and as I know thrusted, as they are included by Laravel package. So, the question is how to achieve the zero issues in SNYK? should we trust the vendors without scanning? if yes then based on what statement? If scanning is not necessary then we need the justification, which we will provide to devops. Kindly asking to advise what to do with vendors part of the Laravel, I suppose touching them and scanning with the tools that we are scanning the home-made code is a bad idea?! :)

0 likes
2 replies
LaryAI's avatar
LaryAI
AI
2 months ago
Level 58

Sure! Here’s a comprehensive answer for your Laracasts forum question.

Solution:

This is a common question for anyone using dependency management tools and modern frameworks. Here’s how to approach scanning Laravel vendor code with Snyk:

1. Should you scan vendor (third-party) libraries?

Yes, you should scan your dependencies for vulnerabilities, but how you interpret and respond to the results is important.

Key Points:

  • You are responsible for all code running in your environment, including dependencies.
  • Snyk and similar tools scan for known vulnerabilities in dependencies.
  • Not all flagged vulnerabilities are immediately exploitable/critical in your actual use case.

2. Why does Snyk report so many issues in vendor code?

  • Vendor code includes packages maintained by many third parties.
  • Vulnerabilities may exist in direct dependencies (your code requires) or transitive dependencies (a dependency of a dependency).
  • Some vulnerabilities may be theoretical (e.g. a code path exists, but you don’t use that feature).

3. Should you ignore vendor vulnerabilities?

No, but you must triage them with awareness:

  • Review Snyk's report and distinguish between critical issues you must address and less relevant ones.
  • Focus first on critical/high vulnerabilities that are exploitable in your context.
  • If a vulnerability is in a code path you don’t use, or is unexploitable in your environment, you can consider it less urgent—but ideally, you want to keep all dependencies up-to-date.

4. Reducing or resolving vendor vulnerabilities

a) Update your dependencies

Run:

composer update

to ensure all libraries are at their latest patched versions. Snyk relies on the security fixes being available upstream.

b) Review Snyk output carefully

Look at which packages and where the issues are (e.g. Symfony, technickcom). Determine if there’s a patch or security fix available.

c) Ignore/override low-risk exclusions (if justifiable)

Snyk allows you to ignore or suppress vulnerabilities [with justification]:

snyk ignore --id=VULN-ID --reason="Not exploitable in our environment"

But you should have clear internal documentation/justification for this, especially if reporting to security or DevOps.

d) Monitor and automate

  • Set up Snyk’s GitHub/GitLab app for automated PR alerts.
  • Review vulnerabilities with each release or deployment.

5. Providing justification for DevOps/security

Sample justification:

We scan all dependencies for vulnerabilities. For vendor packages, we:
- Ensure they are up to date via `composer update`
- Review all high/critical vulnerabilities for exploitability in our context
- Suppress/ignore vulnerabilities only with documentation and approval (per Snyk report)
- Trust upstream/maintainers (Laravel, Symfony, etc.) to address known vulnerabilities
- Continually monitor and patch as needed

6. Never change vendor files directly

  • Never edit vendor code manually—that will break updates and composer integrity!

Summary:

  • Scan all code, but analyze the results
  • Update dependencies proactively
  • Suppress ignored vulnerabilities only with strong justification
  • Never change files in vendor/; rely on updates/patches

This is normal practice in DevSecOps pipelines.

Let me know if you need a code/config example or Snyk JSON output sample!

1 like
giotsa's avatar

I researched a bit and it appears that Snyk has several type of scan: "code", "test" etc. I'm interesting to find out the best practice scanning approach and the most correct way to test the whole application in the CI pipeline, which folders should be scan as SAST and which SCA? should I test all code that laravel project root folder has, including all sub folders, with "code" or should I separate our own code from the open source (folder "vendor") and do the separate testing with different types?

Please or to participate in this conversation.