A reviewed list of useful PHP static analysis tools

Static analysis tools for PHP

A curated list of static analysis tools for PHP.

Contributing

See CONTRIBUTING.

Bugs finders

Tools to report issues in code that are or lead to bugs.

  • AppChecker - static analysis tool for finding bugs, weaknesses and vulnerabilities in source code
  • Code insight - A tool for analysing other project code bases.
  • Churn-PHP - Discover files in need of refactoring.
  • Eir - A static vulnerability analysis tool written in C#.
  • Exakat - Smart static analysis.
  • Garcon - A static code analyser for vulnerabilities in PHP scripts. Currently supports SQL injection, command line injection and persistent XSS.
  • jscpd - Copy/paste detector for programming source code.
  • Mondrian - A code analysis tool using Graph Theory.
  • Pfff - Tools for code analysis, visualizations, or style-preserving source transformation.
  • PHP Analysis - A library for analysing and modifying PHP Source Code in Rascal (PHP AiR).
  • PHP Assumption - Finds weak assumptions in the code and suggests turning them into stronger validations.
  • PhpCodeAnalyzer - Finds usage of non-built-in extensions.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives.
  • php7mar - PHP 7 Migration Assistant Report.
  • phpcallgraph - Generates static call graphs. Such a graph visualizes the call dependencies among the methods or functions of an application.
  • PHPCPD - Spots copy/pasted code and helps enforce the DRY rule.
  • Phan - Static analyzer by Rasmus Lerdorf, the creator of PHP.
  • Phortress - A PHP static code analyser for potential vulnerabilities.
  • PHP Code Static Analysis - PHP Code static analysis program made in nodeJS.
  • PHP Inspection - Static analysis plugin for PHPStorm.
  • PHP Integrator - Indexes PHP code and performs static analysis for Atom editor.
  • PHP lint - PHP itself: `php -l file.php` detects syntax errors from the command line without executing the file.
  • PHPlint - A validator and documentator for PHP 5 programs.
  • PHP-Parallel-Lint - A parallel PHP linting tool for PHP 5.3.3 or newer.
  • PHP Magic Number Detector - Detects magic numbers (unexplained numeric literals) in PHP code.
  • PHP-malware-finder - Detects potentially malicious PHP files.
  • PHP Mess Detector - Looks for several kinds of potential problems within source code.
  • PHP Reaper - Scan ADOdb code for SQL Injections.
  • PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries.
  • PHPStan - Focuses on finding errors in code without actually running it.
  • PHP Unlocker - Detect potential, unintended DB table locks for PHP applications using ADOdb. Uses static analysis methods.
  • PHP testability - Analyses and produces a report with testability issues of a php codebase.
  • PHP vuln hunter - Scans for PHP vulnerabilities automatically using static analysis methods.
  • Progpilot - A static analysis tool for security purposes.
  • Psalm - A static analysis tool for finding errors in PHP applications.
  • psecio:parse - Parse: a PHP security scanner.
  • SonarQube - An open platform to manage code quality. It covers PHP code.
  • Side Channel Analyzer - Searches for side-channel vulnerable code.
  • TaintPHP - Static Taint Analyzer.
  • Taint'em All - A taint analysis tool for the PHP language, it makes use of Static Taint Analysis + Symbolic Execution.
  • Tuli - A static analysis engine.
  • 17eyes - PHP static analyzer written in Haskell.
  • WAP - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives.

Coding standards

Tools to review the way PHP code was written and more.

  • PHP Code Sniffer - PHPCS checks the code against a large range of coding standards.
  • EasyCodingStandard - An easy-to-use tool that runs CodeSniffer and PHP-CS-Fixer through one simple configuration.
  • PHPCheckstyle - A tool to help adhere to certain coding conventions.
  • PHP formatter - This PHP formatter aims to provide bulk actions for your PHP projects to ensure their consistency.
  • Pahout - A pair programming partner for writing better PHP.

DIY

Libraries that may be the base for a home-made static analyzer.

  • Deptrac - A static code analysis tool to enforce rules for dependencies between software layers.
  • PHP-cfg - A Control Flow Graph implementation in PHP. Written by IrcMaxwell.
  • PHP coupling detector - Check that code has no unwanted coupled classes.
  • PHP Parser - Written in PHP by Nikita Popov and based on the actual grammar of PHP.
  • PHP Token Reflection - Library emulating the PHP internal reflection using just the tokenized source code.
  • PHPSandbox - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
  • Reflection - Reflection library to do Static Analysis for PHP Projects.
  • Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.
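
The taint-tracking tools listed under Bugs finders (Garcon, TaintPHP, Taint'em All, Progpilot) all reduce to the same question the DIY libraries above let you ask yourself: does user-controlled input reach a dangerous function without passing through a sanitizer? The following is an added example, not code from any tool on this list, of the smallest such checker built directly on PHP's own `token_get_all()`. The source, sink and sanitizer lists and the sample input are constructed for illustration; a real analyzer would work on an AST (PHP Parser) or a control-flow graph (PHP-cfg) and follow taint across functions and branches, which this toy does not.

```php
<?php
declare(strict_types=1);

// Toy intraprocedural taint checker built on PHP's own tokenizer, token_get_all().
// Added example, not code from any tool on this list. It understands only
// straight-line code: `$var = <expr>;` assignments and direct calls to known sinks.

const SOURCES    = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];  // user-controlled input
const SINKS      = ['system', 'exec', 'shell_exec', 'passthru', 'eval', 'mysqli_query'];
const SANITIZERS = ['intval', 'escapeshellarg', 'mysqli_real_escape_string'];

/** Split code into statements (on ; { }) as lists of [tokenName, text, line]. */
function php_statements(string $code): array
{
    $stmts = [];
    $cur   = [];
    $line  = 1;
    foreach (token_get_all($code) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG, T_CLOSE_TAG, T_INLINE_HTML], true)) {
                continue;
            }
            $cur[] = [token_name($id), $text, $line];
        } elseif ($tok === ';' || $tok === '{' || $tok === '}') {
            if ($cur !== []) {
                $stmts[] = $cur;
                $cur = [];
            }
        } else {
            $cur[] = ['CHAR', $tok, $line];  // single-character tokens carry no line of their own
        }
    }
    if ($cur !== []) {
        $stmts[] = $cur;
    }
    return $stmts;
}

/** True when the token list is an outermost sanitizer call, e.g. intval(...). */
function is_sanitized(array $toks): bool
{
    return isset($toks[1])
        && $toks[0][0] === 'T_STRING'
        && in_array(strtolower($toks[0][1]), SANITIZERS, true)
        && $toks[1][1] === '(';
}

/** Variables in the token list that are a source or a tainted local. */
function tainted_vars(array $toks, array $tainted): array
{
    $found = [];
    foreach ($toks as [$name, $text]) {
        if ($name === 'T_VARIABLE' && (in_array($text, SOURCES, true) || isset($tainted[$text]))) {
            $found[$text] = true;
        }
    }
    return array_keys($found);
}

/**
 * Returns findings as [line, sink, variable]. Assignments propagate taint
 * ($a = $_GET['x']; $sql = "... $a") unless the right-hand side is wrapped in a
 * sanitizer; reassigning a variable to a clean expression clears its taint.
 */
function find_taint_flows(string $code): array
{
    $tainted  = [];
    $findings = [];
    foreach (php_statements($code) as $toks) {
        if (count($toks) > 2 && $toks[0][0] === 'T_VARIABLE' && $toks[1][1] === '=') {
            $rhs = array_slice($toks, 2);
            if (!is_sanitized($rhs) && tainted_vars($rhs, $tainted) !== []) {
                $tainted[$toks[0][1]] = true;
            } else {
                unset($tainted[$toks[0][1]]);
            }
            continue;
        }
        foreach ($toks as $i => [$name, $text, $line]) {
            $isSink = ($name === 'T_STRING' || $name === 'T_EVAL') && in_array(strtolower($text), SINKS, true);
            if ($isSink && isset($toks[$i + 1]) && $toks[$i + 1][1] === '(') {
                $args = array_slice($toks, $i + 2);
                if (!is_sanitized($args)) {
                    foreach (tainted_vars($args, $tainted) as $var) {
                        $findings[] = [$line, strtolower($text), $var];
                    }
                }
            }
        }
    }
    return $findings;
}

// Constructed sample input (not taken from any real project).
$sample = <<<'PHP'
<?php
$id  = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = $id";
mysqli_query($db, $sql);                                  // $_GET -> $id -> $sql -> sink
$id = intval($_GET['id']);                                // sanitizer wraps the whole RHS
mysqli_query($db, "SELECT * FROM users WHERE id = $id");  // $id is clean now
$cmd = $_POST['cmd'];
system($cmd);                                             // $_POST -> $cmd -> sink
system(escapeshellarg($_POST['cmd']));                    // sanitized argument
PHP;

foreach (find_taint_flows($sample) as [$line, $sink, $var]) {
    printf("line %d: %s() receives tainted %s\n", $line, $sink, $var);
}
```

The sample is constructed so that only the `mysqli_query($db, $sql)` and `system($cmd)` calls are reported: the taint travels through the `$id` variable into the interpolated SQL string, and is cleared when `$id` is reassigned through `intval()`. The toy also shows where such checkers go wrong without an AST: a sanitizer that does not wrap the whole expression (`"ls " . escapeshellarg($cmd)`) is not recognised and yields a false positive, `.=` and array writes are not tracked, and taint is never followed into a function call or across an `if`. Those gaps are exactly what the parser, CFG and reflection libraries in this section exist to close.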

Fixers

Tools to automatically fix the code they are provided with.

  • Rector - AST-based instant upgrades of PHP applications.
  • FunctionFQNReplacer - Provides a way to replace relative references to functions in function calls with absolute (fully qualified) references.
  • PHP BackSlasher - Tool that prefixes all PHP internal functions and constants with a backslash so they resolve in the global namespace.
  • php-refactoring-browser - CLI refactoring tool.
  • PHP CS Fixer - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
  • phpdoc to typehint - Turns phpdoc comments into actual type hints (arguments and return types).
  • Transphpile - Write PHP 7, run PHP 5.6, with feature backport.
  • PHP Weaver - Analyses parameter types at runtime and generates the appropriate phpdocs.

Metrics

Tools to measure the code complexity, line of codes, etc.

  • churn-php - Helps discover good candidates for refactoring.
  • Design Pattern Detector - detection of design patterns in PHP code.
  • Dissect - A set of tools for lexical and syntactical analysis.
  • PHPLOC - Utility to measure PHP application size and count various structures.
  • PHP Metrics - Calculates all sorts of metrics, and display them in a gorgeous interface.
  • PHP Semantic Versioning Checker - Compares two source sets and determines the appropriate semantic versioning to apply.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.
  • dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both.

SaaS

Online services for PHP code that provide dashboards. They may use the tools above or offer their own.

  • Bliss - Automatically reviews code in real-time and shows how much it's worth in lines of code.
  • Checkmarx - Get a full PHP static security code analysis and prevent security vulnerabilities.
  • Codacy - Codacy: Automated Code Review.
  • Code Climate - Hosted static analysis for Ruby, PHP and JavaScript source code.
  • Insight - A SensioLabs tool that analyzes source code to find problems that degrade the overall quality of your projects.
  • RIPS - The superior security software for PHP applications. Source code static analyser for vulnerabilities.
  • Scrutinizer - Improve code quality and find bugs before they hit production with our continuous inspection platform.
  • SideCI - CI for automated code review by code analysis.
  • Laravelshift - the automated way to upgrade Laravel applications. Upgrade Laravel applications all the way from Laravel 4.2 to the latest version of Laravel.

Misc

  • devbug - Ongoing work on PHP Analysis in Rascal (PHP AiR).
  • HHVM - Hack language runtime from Facebook. Shipped a static code analyzer up to version 3.3.8; newer versions no longer include it.
  • PHP Manipulator - A library for analysing and modifying PHP Source Code.
  • PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
  • PHPQA - A Wrapper to a lot of PHP tools reported into a single HTML file.
  • Fixtro - A wrapper that runs the configured checks on each pre-commit. It installs the dependencies for its runners itself (phpunit, phpmd, php-cs-fixer, etc.).
  • Coverage Checker - A tool which allows some of the tools listed here to be enforced on changed code only. Good for moving towards new standards.
  • Composer Require Checker - A CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies.