A curated list of static analysis tools for PHP.
See CONTRIBUTING.
Tools to reports issues in code that are or lead to bugs.
- Eir - A static vulnerability analysis tool written in C#.
- Exakat - Smart static analysis.
- Mondrian - A code analysis tool using Graph Theory.
- Pfff - Tools for code analysis, visualizations, or style-preserving source transformation.
- php-analysis - PHP Analysis in Rascal (PHP AiR).
- PHP Assumption - Finds weak assumptions in the code, suggest to turn them into stronger validations.
- PhpCodeAnalyzer - Finds usage of non-built-in extensions.
- PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives.
- php7mar - PHP 7 Migration Assistant Report.
- phpcallgraph - Generate static call graphs. Such a graph visualizes the call dependencies among methods or functions of an application..
- PHPCPD - Spots copy/pasted code, and help enforcing DRY rule.
- Phan - The static analyzer by Rasmus, PHP Creator.
- PHP Inspection - Static analysis plugin for PHPStorm.
- PHP lint - PHP itself, able to detect syntax error from command line.
- PHPlint - A validator and documentator for PHP 5 programs.
- PHP Mess Detector - Look for several potential problems within source code.
- PHP Reaper - Scan ADOdb code for SQL Injections.
- PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries.
- PHP Stan - Focuses on finding errors in code without actually running it.
- PHP Unlocker - Detect potential, unintended DB table locks for PHP applications using ADOdb. Uses static analysis methods.
- PHP vuln hunter - Scan PHP vulnerabilities automatically using static analysis methods.
- Psalm - A static analysis tool for finding errors in PHP applications
- RIPS - Source code static analyser for vulnerabilities. Newer version is mixed model, free and paid.
- psecio:parse - Parse : A PHP Security Scanner
- SonarQube - An open platform to manage code quality. It covers PHP code.
- Side Channel Analyzer - Search for side-channel vulnerable code.
- TaintPHP - Static Taint Analyzer.
- Taint'em All - A taint analysis tool for the PHP language, it makes use of Static Taint Analysis + Symbolic Execution
- Tuli - A static analysis engine.
- 17eyes - PHP static analyzer written in Haskell.
Tools to review the way PHP code was written and more.
- PHP Code Sniffer - PHPCS checks the code for a large range of coding standard.
- PHPCheckstyle - A tool to help adhere to certain coding conventions.
- PHP formatter - This PHP formatter aims to provide you some bulk actions for you PHP projects to ensure their consistency.
Libraries that may be the base for a home-made static analyzer
- Deptrac - A static code analysis tool to enforce rules for dependencies between software layers.
- PHP-cfg - A Control Flow Graph implementation in PHP. Written by IrcMaxwell.
- PHP coupling detector - Check that code has no unwanted coupled classes.
- PHP Parser - Written in PHP by Nikita Popov and based on actual grammar of PHP.
- PHP Token Reflection - Library emulating the PHP internal reflection using just the tokenized source code.
- PHPSandbox - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
- Reflection - Reflection library to do Static Analysis for PHP Projects
- Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.
Tools to automatically fix the code they are provided with.
- php-refactoring-browser - CLI refactoring tool.
- PHP CS Fixer - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
- phpdoc to typehint - Turn phpdocs comments to actual Typehint (arguments and return)
- Transphpile - Write PHP 7, run PHP 5.6, with feature backport.
Tools to measures the code : complexity, line of codes, etc.
- Design Pattern Detector - detection of design patterns in PHP code
- Dissect - A set of tools for lexical and syntactical analysis.
- PHPLOC - Utility to measures PHP application size and count various structures.
- PHP Metrics - Calculates all sorts of metrics, and display them in a gorgeous interface.
- PHP Semantic Versioning Checker - Utility to check semantic version of a given code.
- PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
- PHP semver checker - Compares two source sets and determines the appropriate semantic versioning to apply.
- Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.
- dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both
Online services to PHP code, provide dashboards. They may use the previous tools or offer their own.
- Bliss - Automatically reviews code in real-time and shows how much it's worth in lines of code.
- Checkmarx - Get a full PHP static security code analysis and prevent security vulnerabilities.
- Codacy - Codacy: Automated Code Review.
- Code Climate - Hosted static analysis for Ruby, PHP and JavaScript source code.
- Insight - A SensioLabs tool to analyzes source code to find problems that degrade the overall quality of your projects.
- Ripstech - The superior security software for PHP applications.
- Scrutinizer - Improve code quality and find bugs before they hit production with our continuous inspection platform.
- devbug - Ongoing work on PHP Analysis in Rascal (PHP AiR).
- HHVM - Hack Language from Facebook. Add a SCA until version 3.3.8, newer version doesn't have anymore.
- PHP Analysis - A library for analysing and modifying PHP Source Code.
- PHP Manipulator - A library for analysing and modifying PHP Source Code.
- PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
- PHPQA - A Wrapper to a lot of PHP tools reported into a single html file.