Static analysis tools matter a great deal in software development today, for several reasons. They help you detect potential vulnerabilities, bugs, and coding errors in your source code before it ever runs. In the last few months, I've been working on a project that requires upgrading from PHP 5.3 to PHP 8.2, so I've been using plenty of tools to help me with the upgrade, static analysis tools among them. Today, I'm going to share with you 5 of the most useful open-source static analysis tools for PHP that you can start running in your environment right away to help with security, code quality, and compliance with coding standards.
Psalm is a static analysis tool for PHP code. It analyzes your PHP code and reports potential errors, bugs, and other issues without executing it, working from the code's structure, syntax, and type information (native type declarations plus PHPDoc). Psalm is designed to be extensible: you can define custom rules, add plugins, and adjust the analysis settings (including a numbered error level, from strict to lenient) to suit your codebase. It also ships a taint-analysis mode that tracks untrusted input such as `$_GET` through the code to sinks such as SQL queries and HTML output, which is the feature most directly aimed at security.
Psalm has an active and growing community of developers who contribute to its development, report issues, and support fellow users, which is a good sign of how reliable it is. It integrates well with popular editors such as PhpStorm and VS Code through its language server, and it has been recommended by prominent PHP developers, communities, and organizations. It is also used in many open-source PHP projects, which encourages others to explore and adopt it as well.
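As an added example (not code from this article or from the Psalm project), here is the kind of code Psalm's taint analysis exists for: an unsafe lookup that interpolates a request parameter into SQL, beside a hardened version that binds it, plus a nullable-return mistake Psalm reports in its normal mode. The `User` and `UserRepository` classes and the `$pdo` wiring are assumptions for illustration.

```php
<?php
// Added example, not from the article or the Psalm project. User, UserRepository
// and the PDO wiring are assumptions; run with: vendor/bin/psalm --taint-analysis
declare(strict_types=1);

final class User
{
    public function __construct(public readonly string $email) {}
}

final class UserRepository
{
    public function __construct(private PDO $pdo) {}

    // Vulnerable: $_GET is a taint source and PDO::query() is a SQL sink, so
    // Psalm reports TaintedSql on the query() call when taint analysis is on.
    public function findByIdUnsafe(): ?User
    {
        $id = $_GET['id'];
        $row = $this->pdo->query("SELECT email FROM users WHERE id = $id")->fetch();
        return $row ? new User((string) $row['email']) : null;
    }

    // Hardened: the SQL text is a literal and the untrusted value only reaches
    // execute() as a bound parameter, so there is no taint path into a sink.
    public function findById(int $id): ?User
    {
        $stmt = $this->pdo->prepare('SELECT email FROM users WHERE id = :id');
        $stmt->execute(['id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : new User((string) $row['email']);
    }
}

// Reported by Psalm even without taint analysis: findById() may return null,
// so dereferencing its result unconditionally is PossiblyNullReference.
function emailFor(UserRepository $repo, int $id): string
{
    return $repo->findById($id)->email;
}

// Accepted by Psalm: the null case is handled before the dereference.
function emailForOrFail(UserRepository $repo, int $id): string
{
    $user = $repo->findById($id);
    if ($user === null) {
        throw new RuntimeException('no such user');
    }
    return $user->email;
}
```

Install with `composer require --dev vimeo/psalm`, generate a config with `vendor/bin/psalm --init`, and run `vendor/bin/psalm --taint-analysis`. On this file Psalm reports `TaintedSql` on the `query()` call in `findByIdUnsafe()` and, in its normal mode, `PossiblyNullReference` in `emailFor()`. Psalm treats an `(int)` cast as removing the taint, which is exactly what the typed `findById(int $id)` signature forces every caller to do with the request value before it can reach the query.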
PHPStan is a static analysis tool for PHP code. It finds bugs and potential issues without executing the code, focusing on problems it can derive from the code's structure, syntax, and type information. It analyzes the code using a combination of its own internal rules and PHPDoc annotations, so it doesn't require you to write additional code or tests. Instead, it provides immediate feedback during development, helping you catch errors early and write more robust code.
PHPStan understands generics, union types, intersection types, nullable types, and more, and its numbered rule levels let you start permissively on a legacy codebase and tighten the checks one level at a time, so it handles both legacy and modern PHP code effectively. Like Psalm, it integrates with popular PHP frameworks through extensions, making it easy to adopt within existing projects. PHPStan is a very valuable tool for improving code quality, catching potential issues, and enhancing the overall reliability of your PHP application.
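As an added example, not from the article or from PHPStan, the following file shows the PHPDoc-driven checks PHPStan performs on array shapes and nullable values; `User`, `indexById()` and the role helpers are assumptions. The comments name the rule level at which each finding starts to appear.

```php
<?php
// Added example, not from the article or the PHPStan project. The classes and
// helpers are assumptions; the docblocks are what lets PHPStan type the arrays
// precisely instead of treating them as plain "array".
declare(strict_types=1);

final class User
{
    /** @param list<string> $roles */
    public function __construct(public readonly int $id, public readonly array $roles) {}
}

/**
 * Index users by id. PHPStan checks the body against this generic return type.
 *
 * @param list<User> $users
 * @return array<int, User>
 */
function indexById(array $users): array
{
    $byId = [];
    foreach ($users as $user) {
        $byId[$user->id] = $user;
    }
    return $byId;
}

/**
 * @param list<string> $roles
 */
function hasRole(array $roles, string $role): bool
{
    return in_array($role, $roles, true);
}

/**
 * @param array<int, User> $users
 */
function isAdminBuggy(array $users, int $userId): bool
{
    $user = $users[$userId] ?? null;
    // Level 8: cannot access property $roles on User|null. The lookup can miss,
    // and in a real authorization check that is a crash at best.
    return hasRole($user->roles, 'admin');
}

/**
 * @param array<int, User> $users
 */
function isAdmin(array $users, int $userId): bool
{
    $user = $users[$userId] ?? null;
    if ($user === null) {
        return false;   // unknown user: deny, do not crash
    }
    return hasRole($user->roles, 'admin');
}

function auditBuggy(User $user): bool
{
    // Level 5: parameter #2 $role of hasRole() expects string, int given.
    // With strict_types=1 this is also a TypeError at runtime.
    return hasRole($user->roles, 0);
}
```

Install with `composer require --dev phpstan/phpstan`, put `level`, `paths` and `phpVersion: 80200` under `parameters:` in `phpstan.neon`, and run `vendor/bin/phpstan analyse`. On a legacy codebase, `vendor/bin/phpstan analyse --generate-baseline` records every current finding in `phpstan-baseline.neon` (which you then include from `phpstan.neon`), so the build only fails on new problems while you pay down the old ones level by level.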
PHP_CodeSniffer is a very popular tool for enforcing coding standards in PHP projects. It analyzes your PHP code and reports any violations of predefined standards, helping developers keep the code consistent and readable. It parses your PHP code and checks it against a set of rules ("sniffs") defined in coding standard rulesets. These rulesets can be based on popular coding standards such as PSR-1, PSR-2 (now superseded by PSR-12), and PSR-12, or customized to specific project requirements. The tool detects deviations from the standard and provides detailed reports indicating the exact lines and the nature of each deviation.
Some of the coding standards that PHP_CodeSniffer can enforce include:
- Line length
- Naming conventions
- Commenting style
- Whitespace usage
It will definitely help you maintain a unified code style within your project, making the code easier to read, understand, and maintain. Rulesets are not limited to style, either: the bundled `Generic.PHP.ForbiddenFunctions` and `Generic.PHP.DeprecatedFunctions` sniffs flag calls to functions you have banned or that PHP has deprecated, which is handy during a version upgrade.
Phan is a static analysis tool for PHP code that identifies potential errors, bugs, and issues in your codebase without running it. Phan reports a wide range of issues, including type errors, undefined variables or functions, incorrect method calls, unreachable code, and many more. One of its main features is type checking driven by type inference across the whole codebase, which is why it wants to see both your code and your dependencies.
Phan is highly customizable and extensible. You can refine the accuracy of the analysis with PHPDoc annotations and Phan's own `@phan-*` annotations, enable bundled or custom plugins, and choose the PHP version to analyze against. One practical caveat: Phan parses code with the `php-ast` extension, so that extension must be installed (it can fall back to a slower polyfill parser with `--allow-polyfill-parser`).
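As an added example (not from the article or the Phan repository), here is a `.phan/config.php` tuned for an upgrade to PHP 8.2. Phan's configuration is itself a PHP file returning an array; the paths and the plugin selection are assumptions for a project with code in `src/` and Composer dependencies in `vendor/`.

```php
<?php
// .phan/config.php -- added example configuration, not from the article or
// from Phan's own repository. Paths and plugin choices are assumptions for a
// project whose code lives in src/ and whose dependencies are in vendor/.

use Phan\Issue;

return [
    // Analyze against PHP 8.2 syntax and signatures, the upgrade target.
    'target_php_version' => '8.2',

    // Parse these directories so Phan knows every class and function signature...
    'directory_list' => ['src', 'vendor'],
    // ...but only report issues in our own code, not in third-party packages.
    'exclude_analysis_directory_list' => ['vendor/'],

    // Report everything down to low-severity issues (unused variables, etc.).
    'minimum_severity' => Issue::SEVERITY_LOW,

    // Tighten inference: do not let null or scalar coercion hide type mismatches.
    'null_casts_as_any_type' => false,
    'scalar_implicit_cast' => false,
    'allow_missing_properties' => false,

    // Report classes, methods and functions that nothing references.
    'dead_code_detection' => true,

    // Plugins bundled with Phan that pay off on legacy code.
    'plugins' => [
        'UnreachableCodePlugin',    // statements after return/throw/exit
        'DuplicateArrayKeyPlugin',  // array literal keys silently overwritten
        'PregRegexCheckerPlugin',   // regex literals that do not compile
        'PrintfCheckerPlugin',      // format strings whose arguments do not match
        'DollarDollarPlugin',       // $$name variable variables
    ],
];
```

Install with `composer require --dev phan/phan`; `vendor/bin/phan --init` writes a starter config you can replace with this one, and `vendor/bin/phan` runs the analysis. Phan needs to parse `vendor/` to know the signatures of the libraries you call, which is why that directory appears in `directory_list` but is excluded from the reported results.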
PHP-CS-Fixer is a powerful tool for automatically fixing coding style issues in PHP code. It analyzes PHP files and applies predefined coding style rules to correct deviations and align your code with the chosen standard. It supports a wide range of rules covering indentation, spacing, line breaks, keyword and constant casing, brace placement, import ordering, and more, and it ships rule sets for popular standards such as PSR-1, PSR-2, and PSR-12. Note that some of its rules are marked "risky" because they can change runtime behaviour (for example turning `==` into `===`); those are off by default and must be opted into explicitly, so always review the diff before committing what the fixer changed.
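As an added example, not from the article or from the PHP-CS-Fixer project, here is a `.php-cs-fixer.dist.php` that goes beyond PSR-12 and opts into the three risky rules with the most security value; the `src/` and `tests/` paths are assumptions.

```php
<?php
// .php-cs-fixer.dist.php -- added example configuration, not from the article
// or the PHP-CS-Fixer project. The src/ and tests/ paths are assumptions.

$finder = PhpCsFixer\Finder::create()
    ->in([__DIR__ . '/src', __DIR__ . '/tests'])
    ->exclude('vendor');

return (new PhpCsFixer\Config())
    // The three rules marked below are "risky": they can change behaviour,
    // which is exactly why they matter here. Opt in explicitly, review the diff.
    ->setRiskyAllowed(true)
    ->setRules([
        '@PSR12' => true,

        // Risky. Adds declare(strict_types=1) to every file, so a string
        // reaching an int parameter fails loudly instead of being juggled.
        'declare_strict_types' => true,

        // Risky. Rewrites == / != to === / !==. With loose comparison
        // "0e1234" == "0e5678" is true (both parse as the float 0.0), a
        // classic bypass when comparing hashes or tokens.
        'strict_comparison' => true,

        // Risky. Passes $strict = true to in_array(), array_search(),
        // array_keys(), base64_decode() and friends.
        'strict_param' => true,

        'no_unused_imports' => true,
    ])
    ->setFinder($finder);
```

Preview the changes with `vendor/bin/php-cs-fixer fix --dry-run --diff` and apply them with `vendor/bin/php-cs-fixer fix`. PHP_CodeSniffer (`vendor/bin/phpcs --standard=PSR12 src`) still earns its place as the detection-only gate in CI, since it reports violations without touching any files; the fixer is what you run locally to make the gate pass.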
There's also a great collection of tools in this repository on GitHub. It's quite useful if your main goal is to upgrade and optimize a project, as it lists many tools in different categories, such as:
- Bugs finders
- Coding standards
Unfortunately, at the time of writing most of them are no longer maintained, or their functionality has already been taken over by one of the tools listed in this article. However, depending on how old your code is, they might still be useful.
You can combine these tools if you want to. For example, you may start with PHPStan, fix the errors it reports, and then run Psalm on the same codebase to see whether it catches anything else; the two overlap heavily, but each reports things the other does not.
All of the static analysis tools in this article are very valuable for promoting code quality, improving the correctness of your code, and ensuring compliance with today's standards. All of them can run in CI/CD pipelines and exit with a non-zero status when they find problems, so you can automate the analysis and fail the build before a regression reaches your clients. If you know about another open-source static analysis tool for PHP, please let us know in the comment section down below.