glayzzle/php-static-analysis-tools
Static analysis tools for PHP

A curated list of static analysis tools for PHP.

Contributing

See CONTRIBUTING.

Bugs finders

Tools that report issues in the code that are bugs, or that lead to bugs.

  • Eir - A static vulnerability analysis tool for PHP applications, written in C#.
  • Exakat - Smart static analysis for PHP.
  • Mondrian - A code analysis tool using graph theory.
  • php-analysis - PHP Analysis in Rascal (PHP AiR).
  • PHP Assumption - Finds weak assumptions in the code and suggests turning them into stronger validations.
  • PhpCodeAnalyzer - Finds usage of non-built-in extensions in your PHP code.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives in your PHP code.
  • php7mar - PHP 7 Migration Assistant Report.
  • phpcallgraph - Generates static call graphs for PHP source code.
  • PHPCPD - phpcpd spots copy/pasted code and helps enforce the DRY rule.
  • Phan - The static analyzer started by Rasmus Lerdorf.
  • PHP Inspection - Static analysis plugin for PhpStorm.
  • PHP lint - PHP itself (php -l), which detects syntax errors from the command line.
  • PHPlint - PHPLint is a validator and documentator for PHP 5 programs.
  • PHP Mess Detector - PHPMD takes a given PHP source code base and looks for several potential problems within that source.
  • PHP Reaper - PHP tool to scan ADOdb code for SQL injections.
  • PHPSA - PHPSA is a development tool aimed at bringing complex analysis for PHP applications and libraries.
  • PHPStan - "PHPStan focuses on finding errors in your code without actually running it."
  • PHP Unlocker - "PHP-Unlocker is a static analysis tool that detects potential, unintended DB table locks for PHP applications using ADOdb."
  • PHP vuln hunter - A tool that can scan for PHP vulnerabilities automatically using static analysis methods.
  • RIPS - A static source code analyser for vulnerabilities in PHP scripts.
  • psecio:parse - Parse: a PHP security scanner.
  • SonarQube - An open platform to manage code quality. It covers PHP code.
  • Side Channel Analyzer - Searches for side-channel vulnerable code.
  • TaintPHP - Static taint analysis for PHP web applications.
  • Tuli - A static analysis engine.
  • 17eyes - "PHP static analyzer written in Haskell".

Coding standards

Tools that check how PHP code is written: formatting, naming and other coding conventions.

  • PHP Code Sniffer - PHPCS checks code against a wide range of coding standards.
  • PHPCheckstyle - A tool that helps adhere to certain coding conventions.

DIY

Libraries that may serve as the base for a home-made static analyzer.

  • Deptrac - Deptrac is a static code analysis tool that helps enforce rules for dependencies between software layers.
  • PHP-cfg - A Control Flow Graph implementation in PHP. Written by Anthony Ferrara (ircmaxell).
  • PHP coupling detector - Checks that your code has no unwanted coupled classes.
  • PHP Parser - A PHP parser written in PHP. Written by Nikita Popov, and based on the actual grammar of PHP.
  • PHP Token Reflection - Library emulating the PHP internal reflection using just the tokenized source code.
  • PHPSandbox - A full-scale PHP 5.3.2+ sandbox class that uses PHP Parser to prevent sandboxed code from running unsafe code.
  • Reflection - Reflection library for doing static analysis of PHP projects.
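As an added example of what the DIY libraries above are for (this is not code from this list or from any listed project), here is a minimal "dangerous sink" finder built on nikic/php-parser. It flags the same kind of sinks the bug finders above (PHP Reaper, RIPS, TaintPHP) look for, but does it purely syntactically: a call to eval, exec, system, shell_exec, passthru, unserialize or mysql_query whose argument is not a plain string literal is reported. It assumes php-parser v4 installed through Composer (vendor/autoload.php); the PHP sample it scans is constructed inline.

```php
<?php
// Added example, not part of the php-static-analysis-tools list.
// Assumes: composer require nikic/php-parser:^4  (v4 ParserFactory API)
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Error;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;

// Reports calls to known sinks whose first argument is not a string literal.
// This is a syntactic check, not taint analysis: a variable holding a constant
// is still flagged, and tainted data reaching a sink through a wrapper is missed.
final class SinkCallVisitor extends NodeVisitorAbstract
{
    // Built-in functions whose first argument is interpreted as code, a command or SQL.
    private const SINKS = ['exec', 'system', 'shell_exec', 'passthru', 'unserialize', 'mysql_query'];

    /** @var array<int, array{line:int, function:string}> */
    public $findings = [];

    public function enterNode(Node $node)
    {
        // eval() is a language construct in the AST, not a FuncCall.
        if ($node instanceof Node\Expr\Eval_) {
            $this->check('eval', $node->expr, $node->getLine());
            return null;
        }
        // Only statically named calls are resolvable; $f(...) or call_user_func are skipped.
        if ($node instanceof Node\Expr\FuncCall && $node->name instanceof Node\Name) {
            $fn = $node->name->toLowerString();
            if (in_array($fn, self::SINKS, true)
                && isset($node->args[0])
                && $node->args[0] instanceof Node\Arg) {
                $this->check($fn, $node->args[0]->value, $node->getLine());
            }
        }
        return null;
    }

    private function check(string $fn, Node\Expr $arg, int $line): void
    {
        // A bare string literal cannot carry user input; variables, concatenations
        // and interpolated strings are reported for review.
        if (!$arg instanceof Node\Scalar\String_) {
            $this->findings[] = ['line' => $line, 'function' => $fn];
        }
    }
}

// Constructed sample input (not real application code).
$sample = <<<'PHP'
<?php
$id = $_GET['id'];
mysql_query("SELECT * FROM users WHERE id = " . $id); // concatenated query
system($_POST['cmd']);                                 // superglobal as command
system('ls -l');                                       // literal: not reported
eval("return " . $expr . ";");                         // eval of a built string
$state = unserialize($_COOKIE['state']);               // attacker-controlled payload
PHP;

$parser = (new ParserFactory())->create(ParserFactory::PREFER_PHP7);
try {
    $ast = $parser->parse($sample);
} catch (Error $e) {
    fwrite(STDERR, "Parse error: {$e->getMessage()}\n");
    exit(2);
}

$visitor = new SinkCallVisitor();
$traverser = new NodeTraverser();
$traverser->addVisitor($visitor);
$traverser->traverse($ast);

foreach ($visitor->findings as $f) {
    printf("line %d: %s() called with a non-literal argument\n", $f['line'], $f['function']);
}
// Non-zero exit so the check can gate a CI job.
exit($visitor->findings === [] ? 0 : 1);
```

Swap the heredoc for file_get_contents() over a directory walk to run it on a code base. To turn this into real taint analysis you would follow assignments and function boundaries from sources such as $_GET to these sinks, which is what PHP-cfg (a control flow graph) is the building block for, and what the dedicated bug finders above already implement.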

Fixers

Tools that automatically fix the code they are provided with.

  • php-refactoring-browser - A command line refactoring tool for PHP.
  • PHP CS Fixer - Analyzes PHP source code and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
  • phpdoc to typehint - Turns your phpdoc comments into actual type hints (arguments and return).
  • Transphpile - Write PHP 7, run on PHP 5.6, with feature backports.

Metrics

Tools that measure the code: complexity, lines of code, etc.

  • Dissect - A set of tools for lexical and syntactical analysis.
  • PHPLOC - Utility that measures the size of a PHP application and counts various structures.
  • PHP Metrics - PHP Metrics calculates all sorts of metrics and displays them in a gorgeous interface.
  • PHP Semantic Versioning Checker - Utility that checks the semantic version of a given code base.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • PHP semver checker - Compares two source sets and determines the appropriate semantic version to apply.
  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.

SaaS

Online services that review PHP code and provide dashboards. They may use the tools above or offer their own.

  • Bliss - "Bliss automatically reviews your code in real-time and shows you how much it's worth in lines of code".
  • Checkmarx - "Get a full PHP static security code analysis and prevent security vulnerabilities"
  • Codacy - "Codacy: Automated Code Review"
  • Code Climate - "Hosted static analysis for Ruby, PHP and JavaScript source code."
  • Insight - "SensioLabsInsight is a quality assurance tool that analyzes your source code to find problems that degrade the overall quality of your projects."
  • Ripstech - "The superior security software for PHP applications."
  • Scrutinizer - "Improve code quality and find bugs before they hit production with our continuous inspection platform."

Misc

  • devbug - Ongoing work on PHP Analysis in Rascal (PHP AiR).
  • HHVM - Runtime for PHP and Facebook's Hack language. It shipped a static analyzer up to version 3.3.8; newer versions no longer include it.
  • PHP Analysis - A library for analysing and modifying PHP Source Code.
  • PHP Manipulator - A library for analysing and modifying PHP Source Code.
  • PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
