/php-static-analysis-tools

A reviewed list of useful PHP static analysis tools

OtherNOASSERTION

Static analysis tools for PHP

A curated list of static analysis tools for PHP.

Contributing

See CONTRIBUTING.

Table of Contents

Bugs finders

Tools to report issues in code that are or lead to bugs.

  • AppChecker - static analysis tool for finding bugs, weaknesses and vulnerabilities in source code
  • Code insight - A tool for analysing other project code bases.
  • AST Metrics - A blazing-fast static code analyzer that help your to identify code that needs to be refactored.
  • Churn-PHP - Discover files in need of refactoring.
  • composer-dependency-analyser - Fast detection of composer dependency issues (unused dependencies, shadow dependencies, misplaced dependencies)
  • Composer-Unused - A Composer tool to show unused Composer dependencies by scanning your code.
  • Eir - A static vulnerability analysis tool written in C#.
  • Exakat - Smart static analysis.
  • jscpd - Copy/paste detector for programming source code.
  • Mondrian - A code analysis tool using Graph Theory.
  • name-collision-detector - Detects symbol duplicates (class name collissions).
  • noverify - Pretty fast linter (code static analysis utility) for PHP.
  • Pfff - Tools for code analysis, visualizations, or style-preserving source transformation.
  • phanalist - A static analyzer for PHP. It helps you catch common mistakes in your PHP code.
  • PHP Analysis - A library for analysing and modifying PHP Source Code in Rascal (PHP AiR).
  • PHParch - PHPArch is a work in progress architectural testing library for PHP projects.
  • PHP Assumption - Finds weak assumptions in the code, suggest to turn them into stronger validations.
  • PhpCodeAnalyzer - Finds usage of non-built-in extensions.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives.
  • php-compat-info - Find out the minimum version and the extensions required for a piece of code to run.
  • php7mar - PHP 7 Migration Assistant Report.
  • phpcallgraph - Generate static call graphs. Such a graph visualizes the call dependencies among methods or functions of an application..
  • PHPCPD - Spots copy/pasted code, and help enforcing DRY rule.
  • PHPDoctor - Check PHP files or directories for missing types.
  • Phan - The static analyzer by Rasmus, PHP Creator.
  • Phinder - PHP code piece finder
  • Phortress - A PHP static code analyser for potential vulnerabilities.
  • PHP Compatibility - Find code which is incompatible with a specified range of PHP versions.
  • PHP Deprecation Detector - PhpDeprecationDetector - analyzer of PHP code to search usages of deprecated functionality in newer interpreter versions.
  • PHP Code Static Analysis - PHP Code static analysis program made in nodeJS.
  • PHP Inspection - Static analysis plugin for PHPStorm.
  • PHP Integrator - Indexes PHP code and performs static analysis for Atom editor.
  • Phlint - Phlint is a tool with an aim to help maintain quality of php code by analyzing code and pointing out potential code issues.
  • PHP lint - PHP itself, able to detect syntax error from command line.
  • PHPlint - A validator and documentator for PHP 5 programs.
  • PHP-Parallel-Lint - A parallel php linting tool for PHP 5.4 or newer
  • PHP Magic Number Detector - PHP Magic Number Detector
  • PHP-malware-finder - Detect potentially malicious PHP files
  • PHP Mess Detector - Look for several potential problems within source code.
  • PHP Reaper - Scan ADOdb code for SQL Injections.
  • PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries.
  • PHP Stan - Focuses on finding errors in code without actually running it.
  • PHP Unlocker - Detect potential, unintended DB table locks for PHP applications using ADOdb. Uses static analysis methods.
  • PHP testability - Analyses and produces a report with testability issues of a php codebase.
  • PHP vuln hunter - Scan PHP vulnerabilities automatically using static analysis methods.
  • Progpilot - A static analysis tool for security purposes.
  • Psalm - A static analysis tool for finding errors in PHP applications.
  • psecio:parse - Parse : A PHP Security Scanner.
  • Qodana PHP by JetBrains – A static analysis tool for PHP projects based on PhpStorm.
  • SonarQube - An open platform to manage code quality. It covers PHP code.
  • Side Channel Analyzer - Search for side-channel vulnerable code.
  • TaintPHP - Static Taint Analyzer.
  • Tuli - A static analysis engine.
  • Unused-scanner - Detect unused composer dependencies
  • WAP - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives.
  • PHP VarDump Check - PHP console application for finding forgotten variable dump.
  • 17eyes - PHP static analyzer written in Haskell.
  • CakeFuzzer - Ultimate web application security testing tool for CakePHP based web applications.

Coding standards

Tools to review the way PHP code was written and more.

  • Pahout - A pair programming partner for writing better PHP.
  • composer-normalize - Provides a composer plugin for normalizing composer.json.
  • EasyCodingStandard - An easy to use tool, that allows to use CodeSniffer and PHP-CS-Fixer in simple way.
  • PHPas - A tool for format and beautify the style of PHP code with my style.
  • PHPArkitect - PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow.
  • PHP Code Sniffer - PHPCS checks and auto-fixes the code for a large range of coding standard.
  • PHPCheckstyle - A tool to help adhere to certain coding conventions.
  • PHP Doc Check - Uses complexity metrics to enforce documentation conventions on non-trivial functions.
  • PHP formatter - This PHP formatter aims to provide you some bulk actions for you PHP projects to ensure their consistency.
  • TLint - This is an opinionated code linter (with growing support for auto-formatting!) for Tighten flavored code conventions for Laravel and PHP.

DIY

Libraries that may be the base for a home-made static analyzer.

  • Deptrac - A static code analysis tool to enforce rules for dependencies between software layers.
  • PHP Architecture Tester - Easy to use architecture testing tool for PHP
  • PHPArkitect - A static code analysis tool to enforce architectural rules in your codebase
  • PHP-cfg - A Control Flow Graph implementation in PHP. Written by IrcMaxwell.
  • PHP coupling detector - Check that code has no unwanted coupled classes.
  • PHP Parser - Written in PHP by Nikita Popov and based on actual grammar of PHP.
  • PHP Token Reflection - Library emulating the PHP internal reflection using just the tokenized source code.
  • PHPSandbox - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
  • Reflection - Reflection library to do Static Analysis for PHP Projects.
  • Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.

Fixers

Tools to automatically fix the code they are provided with.

  • Rector - AST-based Instant Upgrades of PHP Applications
  • FunctionFQNReplacer - provides a way to replace relative references of functions in function calls with absolute references.
  • Phpactor - This project aims to provide heavy-lifting refactoring and introspection tools.
  • PHP BackSlasher - Tool to add all PHP internal functions and constants to its namespace by adding backslash to them.
  • php-refactoring-browser - CLI refactoring tool.
  • PHP CS Fixer - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
  • phpdoc to typehint - Turn phpdocs comments to actual Typehint (arguments and return).
  • php-scoper - Prefixes all PHP namespaces in a file/directory to isolate the code bundled in PHARs.
  • Transphpile - Write PHP 7, run PHP 5.6, with feature backport.
  • PHP Weaver - Analysing parameter types at runtime and generate the appropriate phpdocs.

Metrics

Tools to measure the code complexity, line of codes, etc.

  • AST Metrics - A blazing-fast static code analyzer that calculates various metrics to help identify code that needs to be refactored, and provides a beautiful graphical interface.
  • churn-php - Helps discover good candidates for refactoring.
  • Design Pattern Detector - detection of design patterns in PHP code.
  • dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both.
  • Dissect - A set of tools for lexical and syntactical analysis.
  • php-arguments-detector - Keep control over the complexity of your methods by checking that they do not have too many arguments.
  • php-smelly-code-detector - PHP code smell detector.
  • PHPLOC - Utility to measures PHP application size and count various structures.
  • PHP Metrics - Calculates all sorts of metrics, and display them in a gorgeous interface.
  • PHP Semantic Versioning Checker - Compares two source sets and determines the appropriate semantic versioning to apply.
  • PhpStats - Tool for collecting statistics, metrics, dependencies, and building various graphs for large projects to find bottlenecks.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • php-wording-detector - Simple tool to analyze and split the words contained in your code to check your DDD approach.
  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.

Visualization

Tools that display PHP code in graphical way

  • PHPcity - PHPCity is an implementation of city metaphor visualization and provides visualization of PHP projects which are implemented in the object-oriented fashion.

SaaS

Online services for PHP code, provide dashboards. They may use the previous tools or offer their own.

  • Bliss - Automatically reviews code in real-time and shows how much it's worth in lines of code.
  • Codacy - Codacy: Automated Code Review.
  • CodeBeaat - Decrease technical debt. Find refactoring opportunities.
  • Code Climate - Hosted static analysis for Ruby, PHP and JavaScript source code.
  • CodeScene - Prioritize technical debt in PHP, JavaScript, etc.
  • Codegrip - Smarter & Secure way to Code Review
  • Deepsource - DeepSource is a modern static analysis platform, built for engineering teams who move fast and don’t break things.
  • Insight - A SensioLabs tool to analyzes source code to find problems that degrade the overall quality of your projects.
  • Insphpect - Insphpect is an automated code review tool which identifies inflexibilities in PHP code and helps you write better software.
  • RIPS - The superior security software for PHP applications. Source code static analyser for vulnerabilities.
  • Scrutinizer - Improve code quality and find bugs before they hit production with our continuous inspection platform.
  • Sourcegraph - Understand and search across your entire codebase
  • SideCI - CI for automated code review by code analysis.
  • Laravelshift - the automated way to upgrade Laravel applications. Upgrade Laravel applications all the way from Laravel 4.2 to the latest version of Laravel.

Misc

  • HHVM - Hack Language from Facebook. Add a SCA until version 3.3.8, newer version doesn't have anymore.
  • PHP Manipulator - A library for analysing and modifying PHP Source Code.
  • PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
  • PHPQA - A Wrapper to a lot of PHP tools reported into a single HTML file.
  • Fixtro - A wrapper that allow to run in each precommit. It install itself all the dependencies for the runners with a lot of them (phpunit, phpmd, php-cs-fixer, etc..)
  • Coverage Checker - A tool which allows some of the tools here to be enforced on changed code only. Good for moving towards new standards
  • Composer Require Checker - A CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies
  • Static Analysis Results Baseliner - A tool for generating a baseline from static analysis tools.