v0.1.1

@mattyhansen mattyhansen released this 24 May 08:48
· 91 commits to main since this release

gruff-php 0.1.1

An onboarding-focused follow-up to 0.1.0. The headline additions are an init command, an interactive prompt when you run a scan without a config, expanded docs, and a lockfile security audit in CI.

gruff-php is a heuristic PHP code-quality scanner that reports findings for the terminal, CI, GitHub annotations, SARIF, HTML, or a local dashboard. Pair it with PHPStan, PHPUnit, PHP-CS-Fixer, or Psalm - it doesn't replace type checking or tests.

What you get

  • 120 rules across 11 pillars: size, complexity, maintainability, dead-code, naming, documentation, modernisation, security, sensitive-data, test-quality, design. Run list-rules to see them all.
  • Commands: analyse, summary, report, dashboard, list-rules, init.
  • analyse output formats: text, json, html, markdown, github, hotspot, sarif.
  • YAML config at .gruff-php.yaml, with strict unknown-key rejection.
  • Baselines to suppress known findings without disabling rules.
  • Branch review: --diff, --diff-vs=<base>, --changed-only.
  • Optional Infection mutation analysis, with baselines and budgets.

New in 0.1.1

  • init writes a .gruff-php.yaml from registry defaults, with an ignore list covering agent harness dirs, generated reports, fixtures, and vendored copies. --force keeps any existing ignore list and is required to overwrite a legacy .gruff.yaml. --project-root <dir> writes somewhere other than the current directory.
  • If you run analyse, summary, report, or dashboard in a terminal with no config, it now offers to run init for you. The prompt only fires after option validation, so a bad command no longer leaves a stray config file. Prompt text goes to STDERR, so JSON, SARIF, and HTML on STDOUT stay parseable.
  • Three test-quality rules now run by default: multiple-aaa-cycles (minCycles 3), mocking-domain-object, and testdox-readability (minWords 2).
  • summary now tells you how to baseline - analyse --generate-baseline to record current findings as known debt, or --no-baseline to audit without one.
  • composer audit:dependencies runs inside composer check and CI verify, failing the build on known security advisories. New helper scripts dependency-install.sh and dependency-update.sh wrap the Composer commands; the release preflight script is now stricter.
  • README rewritten. New docs/ guides cover the rule catalogue, CI integration, configuration, output formats, dashboard, naming conventions, and releasing.