Awesome static analysis for PHP

A curated list of static analysis tools for PHP.

• Awesome PHP - #Code Analysis
• Awesome static analysis - #PHP
• Static analysis tools for PHP

Table of Contents

• Standalone
  • Bugs finders
    • Bugs finders(Specialized)
    • Bugs finders(Security)
  • Coding standards
  • Compatibility
    • Compatibility Fixers
  • Fixers
  • Metrics
    • API documentation generator
    • Benchmark
• Tools package
• DIY(Libraries)
• Online
• SaaS
• Misc

Standalone

Bugs finders

• php -l - Syntax check only (lint)

  Windows:

  for /r . %%f in (*.php,*.inc,*.html) do php -l "%%f"
  

  Linux:

  $ find ./ -name "*.php" | xargs -n1 php -l
  

  • PHP Parallel Lint - This tool check syntax of PHP files faster than serial check with fancier output.
  • PHPLint - A tool that can speed up linting of php files by running several lint processes at once.

• 17eyes - Written in Haskell.
• Yasca - Including PHPLint.
• SonarSource
  • SonarQube - Open platform to manage code quality.
  • SonarLint - An extension to your favorite IDE.
  • SonarLint for Command Line - CLI tool.
• Php Inspections (EA Extended) - PhpStorm plugin.

Bugs finders(Specialized)

Bugs finders(Security)

• XSS code sniffer - Taint extension.
• versionscan - Security check for PHP Version.
• Scanner for PHP.ini - Security check for php.ini.
• Security Advisories Checker (Web Service / API, Online Checker) - Security check for composer.lock.
  • PHP Security Advisories Database
    • SensioLabs Security Checker - CLI tool.
    • Roave Security Advisories - The checks are executed when running composer command.
• WPScan - WordPress vulnerability scanner.

Coding standards

• PHP CS Fixer - The PSR-1 and PSR-2 Coding Standards fixer.
• PHP_CodeSniffer - phpcs(Checker), phpcbf(Fixer).
• PHPCheckstyle

Compatibility

Compatibility Fixers

• Transphpile: A PHP 7 to PHP 5.6 transpiler
• PHP 5.4 Short Array Syntax Converter - array() to [].
• Namespacer - PHP Class converter to namepaces.(Namespacing Old Classes)

Fixers

• PHP Refactoring Browser
• PHPDoc to Type Hint
• PHP Transpiler - PHP minifier.

Metrics

• PHPLOC - line of codes.

• PHP Metrics

• Mondrian

• PhpDependencyAnalysis

• PHP Depend

• Dissect

• dePHPend

• phpCallGraph

API documentation generator

• phpDocumentor
• ApiGen
• Sami
• phpDox
• Doxygen
  • doxygen-php-filters

UML

• phUML - Require Graphviz
• php-plantumlwriter - Require PlantUML
• PHP_UML

Benchmark

• PhpBench
• Ubench
• ~~Athletic~~

Tools package

• GrumPHP - Checks code on every commit.
• Qafoo Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.
• PHPQA CLI - A tool for running QA tools(phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).

DIY(Libraries)

• php-ast - Extension exposing PHP7 AST(abstract syntax tree).
• PHP Parser - A PHP parser written in PHP.
  • Deptrac
  • Better Reflection
  • PHP Manipulator
  • PHPSandbox
  • PHP-CFG
    • PHP-Types
  • phpDocumentor/Reflection
• PHP Token Reflection
• PHP Coupling Detector
• php-parser - A NodeJS library.

Online

• devbug - PHP Static Code Analysis.
• 3v4l.org - run code in 150+ php & hhvm versions

SaaS

• PHPCI
• Scrutinizer
• SensioLabsInsight
• Code Climate - PHP Code Sniffer, PHP Mess Detector, Phan.
• Codacy
• Checkmarx - PHP Code Security Analysis.
• RIPS - Automated Security Analysis for PHP Code.
• Bliss

Misc

• Box - An application for building and managing Phars.
• PHP Semantic Versioning Checker
• PHP_CodeCoverage
• PHP_CodeBrowser - Generates a browsable representation of PHP code where sections with violations found by quality assurance tools such as PHP_CodeSniffer or PHPMD are highlighted.
• HHVM (Tools)
• hussar - PHP static analysis with HHVM.
• PHP Analysis - PHP Analysis in Rascal (PHP AiR).
• PHPPHP - A PHP VM implementation in PHP.
• php.js - PHP VM in JavaScript.