Awesome static analysis for PHP

A curated list of static analysis tools for PHP.

• Awesome PHP - #Code Analysis
• Awesome static analysis - #PHP
• Static analysis tools for PHP

Table of Contents

• Standalone
  • Bugs finders
    • Bugs finders(Specialized)
    • Bugs finders(Security)
  • Coding standards
  • Compatibility
    • Compatibility Fixers
  • Fixers
  • Metrics
    • API documentation generator
    • Benchmark
• Tools package
• DIY(Libraries)
• Online
• SaaS
• Misc

Standalone

Bugs finders

• php -l - Syntax check only (lint)

  Windows:

  for /r . %%f in (*.php,*.inc,*.html) do php -l "%%f"

  Linux:

  $ find ./ -name "*.php" | xargs -n1 php -l

  • PHP Parallel Lint - This tool check syntax of PHP files faster than serial check with fancier output.
  • PHPLint - A tool that can speed up linting of php files by running several lint processes at once.

Name	Run	Target	phar	Depend	Notes
Phan	PHP7+ php-ast		YES	nikic/php-ast
PHPStan	PHP7+	PHP5.6+	NO	nikic/php-parser
PHPMD	PHP5.3+		YES	pdepend/pdepend	cleancode,codesize controversial,design naming,unusedcode
PHPSA	PHP5.5+	PHP5.2+	YES	nikic/php-parser
php-nag	PHP5.4+	PHP5.2+	YES	nikic/php-parser	Deprecated functions, Fall through, etc ...
Tuli	PHP5.5+		NO	ircmaxell/php-types	Latest commit on 24 Oct 2015
magniffer			NO	nikic/php-parser	Latest commit on 16 Dec 2015
PHPLinter			NO		Latest commit on 16 Aug 2012

• 17eyes - Written in Haskell.
• Yasca - Including PHPLint.
• SonarSource
  • SonarQube - Open platform to manage code quality.
  • SonarLint - An extension to your favorite IDE.
  • SonarLint for Command Line - CLI tool.
• Php Inspections (EA Extended) - PhpStorm plugin.

Bugs finders(Specialized)

Name	phar	Depend	Notes
PHPCPD	YES		Copy/Pasted Detector(CPD).
PHPDCD	YES		Dead Code Detector(DCD).
Pattern Detector	NO	halleck45/phpmetrics	Design Pattern Detector.
PhpCodeAnalyzer	NO		Finds usage of non-built-in extensions.
PHP Assumption	NO	nikic/php-parser	Finds weak assumptions.
PHP Unlocker	NO	nikic/php-parser	Scan ADOdb code for unintended table locks.
twig-lint	YES		Standalone Twig linter.

Bugs finders(Security)

Name	UI	Depend	Notes
phpvulhunter	Browser	nikic/php-parser	Vulnerabilities
RIPS	Browser		Vulnerabilities (OOP not supported)
psecio/parse	CLI	nikic/php-parser	A PHP Security Scanner.
VisualCodeGrepper	GUI		Written in VisualBasic.
Eir	CLI	nikic/php-parser	Written in C#.
PHP Reaper	CLI	nikic/php-parser	Scan ADOdb code for SQL Injections.
TaintPHP	CLI	nikic/php-parser	Static Taint Analysis.
Side Channel Analyzer	CLI	olivo/TaintPHP	Search for Side-channel attack
phantm	CLI		Latest commit on 8 Oct 2012
Pixy	CLI		Latest commit on 20 Dec 2014

• XSS code sniffer - Taint extension.
• versionscan - Security check for PHP Version.
• Scanner for PHP.ini - Security check for php.ini.
• Security Advisories Checker (Web Service / API, Online Checker) - Security check for composer.lock.
  • PHP Security Advisories Database
    • SensioLabs Security Checker - CLI tool.
    • Roave Security Advisories - The checks are executed when running composer command.
• WPScan - WordPress vulnerability scanner.

Coding standards

• PHP CS Fixer - The PSR-1 and PSR-2 Coding Standards fixer.
• PHP_CodeSniffer - phpcs(Checker), phpcbf(Fixer).
• PHPCheckstyle

Compatibility

Name	phar	Depend	Notes
PHPCompatibility		squizlabs/PHP_CodeSniffer	Required PHP_CodeSniffer.
PHPCodeFixer	NO		Deprecated functions, variables and ini directives.
PHP Migration	YES	nikic/php-parser	PHP version migration and compatibility checking.
php7cc	YES	nikic/php-parser	PHP7 Compatibility Checker.
php7mar	NO		PHP7 Migration Assistant Report.

Compatibility Fixers

• Transphpile: A PHP 7 to PHP 5.6 transpiler
• PHP 5.4 Short Array Syntax Converter - array() to [].
• Namespacer - PHP Class converter to namepaces.(Namespacing Old Classes)

Fixers

• PHP Refactoring Browser
• PHPDoc to Type Hint
• PHP Transpiler - PHP minifier.

Metrics

• PHPLOC - line of codes.

• PHP Metrics

• Mondrian

• PhpDependencyAnalysis

• PHP Depend

• Dissect

• dePHPend

• phpCallGraph

API documentation generator

• phpDocumentor
• ApiGen
• Sami
• phpDox
• Doxygen
  • doxygen-php-filters

UML

• phUML - Require Graphviz
• php-plantumlwriter - Require PlantUML
• PHP_UML

Benchmark

• PhpBench
• Ubench
• Athletic

Tools package

• GrumPHP - Checks code on every commit.
• Qafoo Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.
• PHPQA CLI - A tool for running QA tools(phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).

DIY(Libraries)

• php-ast - Extension exposing PHP7 AST(abstract syntax tree).
• PHP Parser - A PHP parser written in PHP.
  • Deptrac
  • Better Reflection
  • PHP Manipulator
  • PHPSandbox
  • PHP-CFG
    • PHP-Types
  • phpDocumentor/Reflection
• PHP Token Reflection
• PHP Coupling Detector
• php-parser - A NodeJS library.

Online

• devbug - PHP Static Code Analysis.
• 3v4l.org - run code in 150+ php & hhvm versions

SaaS

• PHPCI
• Scrutinizer
• SensioLabsInsight
• Code Climate - PHP Code Sniffer, PHP Mess Detector, Phan.
• Codacy
• Checkmarx - PHP Code Security Analysis.
• RIPS - Automated Security Analysis for PHP Code.
• Bliss

Misc

• Box - An application for building and managing Phars.
• PHP Semantic Versioning Checker
• PHP_CodeCoverage
• PHP_CodeBrowser - Generates a browsable representation of PHP code where sections with violations found by quality assurance tools such as PHP_CodeSniffer or PHPMD are highlighted.
• HHVM (Tools)
• hussar - PHP static analysis with HHVM.
• PHP Analysis - PHP Analysis in Rascal (PHP AiR).
• PHPPHP - A PHP VM implementation in PHP.
• php.js - PHP VM in JavaScript.