A reviewed list of useful PHP static analysis tools

Static analysis tools for PHP

A curated list of static analysis tools for PHP.


Bugs finders

Tools to report issues in code that are or lead to bugs.

  • AppChecker - Static analysis tool for finding bugs, weaknesses and vulnerabilities in source code.
  • Code insight - A tool for analysing other project code bases.
  • Churn-PHP - Discover files in need of refactoring.
  • Eir - A static vulnerability analysis tool written in C#.
  • Exakat - Smart static analysis.
  • jscpd - Copy/paste detector for programming source code.
  • Mondrian - A code analysis tool using Graph Theory.
  • noverify - Pretty fast linter (code static analysis utility) for PHP.
  • Pfff - Tools for code analysis, visualizations, or style-preserving source transformation.
  • PHP Analysis - A library for analysing and modifying PHP Source Code in Rascal (PHP AiR).
  • PHParch - A work-in-progress architectural testing library for PHP projects.
  • PHP Assumption - Finds weak assumptions in the code and suggests turning them into stronger validations.
  • PhpCodeAnalyzer - Finds usage of non-built-in extensions.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives.
  • php7mar - PHP 7 Migration Assistant Report.
  • phpcallgraph - Generates static call graphs. Such a graph visualizes the call dependencies among the methods or functions of an application.
  • PHPCPD - Spots copy/pasted code and helps enforce the DRY rule.
  • Phan - The static analyzer by Rasmus, creator of PHP.
  • Phinder - PHP code piece finder.
  • Phortress - A PHP static code analyser for potential vulnerabilities.
  • PHP Code Static Analysis - PHP Code static analysis program made in nodeJS.
  • PHP Inspection - Static analysis plugin for PHPStorm.
  • PHP Integrator - Indexes PHP code and performs static analysis for Atom editor.
  • Phlint - A tool that aims to help maintain the quality of PHP code by analyzing it and pointing out potential issues.
  • PHP lint - PHP itself, able to detect syntax errors from the command line.
  • PHPlint - A validator and documentator for PHP 5 programs.
  • PHP-Parallel-Lint - A parallel PHP linting tool for PHP 5.3.3 or newer.
  • PHP Magic Number Detector - Detects magic numbers in PHP code.
  • PHP-malware-finder - Detects potentially malicious PHP files.
  • PHP Mess Detector - Looks for several potential problems within source code.
  • PHP Reaper - Scan ADOdb code for SQL Injections.
  • PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries.
  • PHP Stan - Focuses on finding errors in code without actually running it.
  • PHP Unlocker - Detect potential, unintended DB table locks for PHP applications using ADOdb. Uses static analysis methods.
  • PHP testability - Analyses a PHP codebase and produces a report of its testability issues.
  • PHP vuln hunter - Scan PHP vulnerabilities automatically using static analysis methods.
  • Progpilot - A static analysis tool for security purposes.
  • Psalm - A static analysis tool for finding errors in PHP applications.
  • psecio:parse - Parse: a PHP security scanner.
  • SonarQube - An open platform to manage code quality. It covers PHP code.
  • Side Channel Analyzer - Search for side-channel vulnerable code.
  • TaintPHP - Static Taint Analyzer.
  • Taint'em All - A taint analysis tool for the PHP language, it makes use of Static Taint Analysis + Symbolic Execution.
  • Tuli - A static analysis engine.
  • Unused-scanner - Detects unused composer dependencies.
  • WAP - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predict false positives.
  • PHP VarDump Check - PHP console application for finding forgotten variable dump.
  • 17eyes - PHP static analyzer written in Haskell.

Coding standards

Tools to review the way PHP code was written and more.

  • PHP Code Sniffer - PHPCS checks the code against a large range of coding standards.
  • EasyCodingStandard - An easy-to-use tool that lets you run CodeSniffer and PHP-CS-Fixer in a simple way.
  • PHPCheckstyle - A tool to help adhere to certain coding conventions.
  • PHP formatter - This PHP formatter aims to provide bulk actions for your PHP projects to ensure their consistency.
  • Pahout - A pair programming partner for writing better PHP.
  • PHP Doc Check - Uses complexity metrics to enforce documentation conventions on non-trivial functions.


Libraries that may be the base for a home-made static analyzer.

  • Deptrac - A static code analysis tool to enforce rules for dependencies between software layers.
  • PHP-cfg - A Control Flow Graph implementation in PHP. Written by ircmaxell.
  • PHP coupling detector - Checks that code has no unwanted coupled classes.
  • PHP Parser - Written in PHP by Nikita Popov and based on the actual grammar of PHP.
  • PHP Token Reflection - Library emulating the PHP internal reflection using just the tokenized source code.
  • PHPSandbox - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
  • Reflection - Reflection library to do Static Analysis for PHP Projects.
  • Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.


Tools to automatically fix the code they are provided with.

  • Rector - AST-based instant upgrades of PHP applications.
  • FunctionFQNReplacer - Provides a way to replace relative references of functions in function calls with absolute references.
  • PHP BackSlasher - Tool that prefixes all PHP internal functions and constants with a backslash so they resolve to the global namespace.
  • php-refactoring-browser - CLI refactoring tool.
  • PHP CS Fixer - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
  • phpdoc to typehint - Turns phpdoc comments into actual type hints (arguments and return).
  • php-scoper - Prefixes all PHP namespaces in a file/directory to isolate the code bundled in PHARs.
  • Transphpile - Write PHP 7, run PHP 5.6, with feature backport.
  • PHP Weaver - Analyses parameter types at runtime and generates the appropriate phpdocs.


Tools to measure code complexity, lines of code, etc.

  • churn-php - Helps discover good candidates for refactoring.
  • Design Pattern Detector - Detection of design patterns in PHP code.
  • dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both.
  • Dissect - A set of tools for lexical and syntactical analysis.
  • PHPLOC - Utility to measure PHP application size and count various structures.
  • PHP Metrics - Calculates all sorts of metrics and displays them in a gorgeous interface.
  • PHP Semantic Versioning Checker - Compares two source sets and determines the appropriate semantic versioning to apply.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.


Tools that display PHP code in graphical way

  • PHPcity - An implementation of the city-metaphor visualization; it visualizes PHP projects written in the object-oriented fashion.


Online services for PHP code that provide dashboards. They may use the previous tools or offer their own.

  • Bliss - Automatically reviews code in real-time and shows how much it's worth in lines of code.
  • Checkmarx - Get a full PHP static security code analysis and prevent security vulnerabilities.
  • Codacy - Automated code review.
  • Code Climate - Hosted static analysis for Ruby, PHP and JavaScript source code.
  • CodeScene - Prioritize technical debt in PHP, JavaScript, etc.
  • Insight - A SensioLabs tool that analyzes source code to find problems that degrade the overall quality of your projects.
  • RIPS - The superior security software for PHP applications. Source code static analyser for vulnerabilities.
  • Scrutinizer - Improve code quality and find bugs before they hit production with our continuous inspection platform.
  • SideCI - CI for automated code review by code analysis.
  • Laravelshift - The automated way to upgrade Laravel applications, all the way from Laravel 4.2 to the latest version of Laravel.


  • devbug - Ongoing work on PHP Analysis in Rascal (PHP AiR).
  • HHVM - Hack language from Facebook. Included a static code analyzer up to version 3.3.8; newer versions no longer have it.
  • PHP Manipulator - A library for analysing and modifying PHP Source Code.
  • PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
  • PHPQA - A Wrapper to a lot of PHP tools reported into a single HTML file.
  • Fixtro - A wrapper that runs on each pre-commit. It installs the dependencies for its runners itself and ships with many of them (phpunit, phpmd, php-cs-fixer, etc.).
  • Coverage Checker - A tool that allows some of the tools listed here to be enforced on changed code only. Good for moving towards new standards.
  • Composer Require Checker - A CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies.
  • - A website that lets you try some PHP static analysis command-line tools online.