ValentinNikolaev/custom-php-analysis-tools

Static analysis tools for PHP

Based on https://github.com/exakat/php-static-analysis-tools

A list of static analysis tools for PHP, excluding unpopular or old tools.

Table of Contents

Editors' Choice

Bugs finders
  • Psalm - Vimeo's code analyzer. Errors, phpdoc. Looks quite decent.
  • Phan - The static analyzer by Rasmus, PHP Creator. Analyzes various things, including annotations. Does not understand overriding of parent-class annotations in child classes. A strong project.
  • PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries. Checks syntax errors, phpdoc, aliases, missing properties, etc. Does not work with php-parser version 4.
  • PHP Stan - Focuses on finding errors in code without actually running it.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives. Use it when migrating to a new PHP version.
  • PHPCPD - Spots copy/pasted code and helps enforce the DRY rule.
  • PHP Magic Number Detector - Looks for pieces of code where numbers are used instead of constants holding numbers.
  • PHP Mess Detector - Finds problems with cyclomatic and NPath complexity and gives recommendations for improving the code.
  • PHP Inspection - Static analysis plugin for PHPStorm.

Coding standards

  • PHP Code Sniffer - PHPCS checks the code for a large range of coding standards.
  • EasyCodingStandard - An easy-to-use tool that lets you use CodeSniffer and PHP-CS-Fixer in a simple way.

DIY

  • Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.

Fixers

  • PHP CS Fixer - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).

Metrics

  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code. Includes the following analyzers: source, coverage, pdepend, dependencies, phpmd, checkstyle, tests, cpd, phploc, git, gitDetailed.
  • churn-php - Helps discover good candidates for refactoring [score = SUM(commits) & (cyclomatic complexity) ]
  • PHPLOC - Utility to measure PHP application size and count various structures.
  • PHP Metrics - Calculates all sorts of metrics and displays them in a gorgeous interface.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both.

Misc

  • PHPQA - A Wrapper to a lot of PHP tools reported into a single HTML file.

Whole list

Bugs finders

Tools to report issues in code that are or lead to bugs.

  • Exakat - Smart static analysis.
  • jscpd - Copy/paste detector for programming source code.
  • Pfff - Tools for code analysis, visualizations, or style-preserving source transformation.
  • PHP Analysis - A library for analysing and modifying PHP Source Code in Rascal (PHP AiR).
  • PHP Assumption - Finds weak assumptions in the code, suggest to turn them into stronger validations.
  • PhpCodeAnalyzer - Finds usage of non-built-in extensions.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives.
  • php7mar - PHP 7 Migration Assistant Report.
  • PHPCPD - Spots copy/pasted code and helps enforce the DRY rule.
  • Phan - The static analyzer by Rasmus, PHP Creator.
  • PHP Inspection - Static analysis plugin for PHPStorm.
  • PHP-Parallel-Lint - A parallel php linting tool for PHP 5.3.3 or newer
  • PHP Magic Number Detector - PHP Magic Number Detector
  • PHP-malware-finder - Detect potentially malicious PHP files
  • PHP Mess Detector - Look for several potential problems within source code.
  • PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries.
  • PHP Stan - Focuses on finding errors in code without actually running it.
  • PHP testability - Analyses and produces a report with testability issues of a php codebase.
  • psecio:parse - Parse : A PHP Security Scanner. Does not work with php-parser version 4.
  • SonarQube - An open platform to manage code quality. It covers PHP code.

Coding standards

Tools to review the way PHP code was written and more.

  • PHP Code Sniffer - PHPCS checks the code for a large range of coding standards.
  • EasyCodingStandard - An easy-to-use tool that lets you use CodeSniffer and PHP-CS-Fixer in a simple way.
  • PHP formatter - This PHP formatter aims to provide you some bulk actions for your PHP projects to ensure their consistency.
  • Pahout - A pair programming partner for writing better PHP. PHP 7.1+ php-ast v0.1.4+

DIY

Libraries that may be the base for a home-made static analyzer.

  • Deptrac - A static code analysis tool to enforce rules for dependencies between software layers.
  • PHP-cfg - A Control Flow Graph implementation in PHP. Written by IrcMaxwell.
  • PHP Parser - Written in PHP by Nikita Popov and based on actual grammar of PHP.
  • Reflection - Reflection library to do Static Analysis for PHP Projects.
  • Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.

Fixers

Tools to automatically fix the code they are provided with.

  • PHP CS Fixer - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
  • phpdoc to typehint - Turn phpdocs comments to actual Typehint (arguments and return).
  • Rector - AST-based Instant Upgrades of PHP Applications
  • FunctionFQNReplacer - provides a way to replace relative references of functions in function calls with absolute references.
  • PHP BackSlasher - Tool to add all PHP internal functions and constants to its namespace by adding backslash to them.
  • php-refactoring-browser - CLI refactoring tool.
  • Transphpile - Write PHP 7, run PHP 5.6, with feature backport.
  • PHP Weaver - Analyses parameter types at runtime and generates the appropriate phpdocs.

Metrics

Tools to measure code complexity, lines of code, etc.

  • churn-php - Helps discover good candidates for refactoring.
  • PHPLOC - Utility to measure PHP application size and count various structures.
  • PHP Metrics - Calculates all sorts of metrics and displays them in a gorgeous interface.
  • PHP Semantic Versioning Checker - Compares two source sets and determines the appropriate semantic versioning to apply.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.
  • dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both.

SaaS

Online services for PHP code, provide dashboards. They may use the previous tools or offer their own.

  • Bliss - Automatically reviews code in real-time and shows how much it's worth in lines of code.
  • Checkmarx - Get a full PHP static security code analysis and prevent security vulnerabilities.
  • Codacy - Codacy: Automated Code Review.
  • Code Climate - Hosted static analysis for Ruby, PHP and JavaScript source code.
  • Insight - A SensioLabs tool that analyzes source code to find problems that degrade the overall quality of your projects.
  • RIPS - The superior security software for PHP applications. Source code static analyser for vulnerabilities.
  • Scrutinizer - Improve code quality and find bugs before they hit production with our continuous inspection platform.
  • SideCI - CI for automated code review by code analysis.
  • Laravelshift - the automated way to upgrade Laravel applications. Upgrade Laravel applications all the way from Laravel 4.2 to the latest version of Laravel.

Misc

  • devbug - Ongoing work on PHP Analysis in Rascal (PHP AiR).
  • HHVM - Hack Language from Facebook. Included an SCA until version 3.3.8; newer versions no longer have it.
  • PHP Manipulator - A library for analysing and modifying PHP Source Code.
  • PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
  • PHPQA - A Wrapper to a lot of PHP tools reported into a single HTML file.
  • Fixtro - A wrapper that allows running the tools on each pre-commit. It installs all the dependencies for the runners by itself and supports a lot of them (phpunit, phpmd, php-cs-fixer, etc.).
  • Coverage Checker - A tool which allows some of the tools here to be enforced on changed code only. Good for moving towards new standards.
  • Composer Require Checker - A CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies
