
Static analysis tools for PHP

A curated list of static analysis tools for PHP.




Bug finders

Tools to report issues in code that are or lead to bugs.

  • AppChecker - static analysis tool for finding bugs, weaknesses and vulnerabilities in source code
  • Code insight - A tool for analysing other project code bases.
  • Churn-PHP - Discover files in need of refactoring.
  • Composer-Unused - A Composer tool to show unused Composer dependencies by scanning your code.
  • Eir - A static vulnerability analysis tool written in C#.
  • Exakat - Smart static analysis.
  • jscpd - Copy/paste detector for programming source code.
  • Mondrian - A code analysis tool using Graph Theory.
  • noverify - Pretty fast linter (code static analysis utility) for PHP.
  • Pfff - Tools for code analysis, visualizations, or style-preserving source transformation.
  • PHP Analysis - A library for analysing and modifying PHP Source Code in Rascal (PHP AiR).
  • PHParch - PHPArch is a work in progress architectural testing library for PHP projects.
  • PHP Assumption - Finds weak assumptions in the code and suggests turning them into stronger validations.
  • PhpCodeAnalyzer - Finds usage of non-built-in extensions.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives.
  • php-compat-info - Find out the minimum version and the extensions required for a piece of code to run.
  • php7mar - PHP 7 Migration Assistant Report.
  • phpcallgraph - Generate static call graphs. Such a graph visualizes the call dependencies among methods or functions of an application.
  • PHPCPD - Spots copy/pasted code and helps enforce the DRY rule.
  • PHPDoctor - Check PHP files or directories for missing types.
  • Phan - The static analyzer by Rasmus, PHP Creator.
  • Phinder - PHP code piece finder
  • Phortress - A PHP static code analyser for potential vulnerabilities.
  • PHP Deprecation Detector - PhpDeprecationDetector - An analyzer of PHP code that searches for usages of functionality deprecated in newer interpreter versions.
  • PHP Code Static Analysis - PHP Code static analysis program made in nodeJS.
  • PHP Inspection - Static analysis plugin for PHPStorm.
  • PHP Integrator - Indexes PHP code and performs static analysis for Atom editor.
  • Phlint - Phlint is a tool with an aim to help maintain quality of php code by analyzing code and pointing out potential code issues.
  • PHP lint - PHP itself, able to detect syntax errors from the command line.
  • PHPlint - A validator and documentator for PHP 5 programs.
  • PHP-Parallel-Lint - A parallel php linting tool for PHP 5.4 or newer
  • PHP Magic Number Detector - PHP Magic Number Detector
  • PHP-malware-finder - Detect potentially malicious PHP files
  • PHP Mess Detector - Look for several potential problems within source code.
  • PHP Reaper - Scan ADOdb code for SQL Injections.
  • PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries.
  • PHP Stan - Focuses on finding errors in code without actually running it.
  • PHP Unlocker - Detect potential, unintended DB table locks for PHP applications using ADOdb. Uses static analysis methods.
  • PHP testability - Analyses and produces a report with testability issues of a php codebase.
  • PHP vuln hunter - Scan PHP vulnerabilities automatically using static analysis methods.
  • Progpilot - A static analysis tool for security purposes.
  • Psalm - A static analysis tool for finding errors in PHP applications.
  • psecio:parse - Parse: A PHP Security Scanner.
  • Qodana PHP by JetBrains - A static analysis tool for PHP projects based on PhpStorm.
  • SonarQube - An open platform to manage code quality. It covers PHP code.
  • Side Channel Analyzer - Search for side-channel vulnerable code.
  • TaintPHP - Static Taint Analyzer.
  • Taint'em All - A taint analysis tool for the PHP language, it makes use of Static Taint Analysis + Symbolic Execution.
  • Tuli - A static analysis engine.
  • Unused-scanner - Detect unused composer dependencies
  • WAP - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications; it also predicts false positives.
  • PHP VarDump Check - PHP console application for finding forgotten variable dumps.
  • 17eyes - PHP static analyzer written in Haskell.

Coding standards

Tools to review the way PHP code was written and more.

  • Pahout - A pair programming partner for writing better PHP.
  • EasyCodingStandard - An easy-to-use tool that lets you use CodeSniffer and PHP-CS-Fixer in a simple way.
  • PHPas - A tool to format and beautify PHP code with my style.
  • PHPArkitect - PHPArkitect helps you keep your PHP codebase coherent and solid by letting you add architectural constraint checks to your workflow.
  • PHP Code Sniffer - PHPCS checks the code against a large range of coding standards.
  • PHPCheckstyle - A tool to help adhere to certain coding conventions.
  • PHP Doc Check - Uses complexity metrics to enforce documentation conventions on non-trivial functions.
  • PHP formatter - This PHP formatter aims to provide some bulk actions for your PHP projects to ensure their consistency.
  • TLint - This is an opinionated code linter (with growing support for auto-formatting!) for Tighten flavored code conventions for Laravel and PHP.


Libraries that may be the base for a home-made static analyzer.

  • Deptrac - A static code analysis tool to enforce rules for dependencies between software layers.
  • PHP Architecture Tester - Easy to use architecture testing tool for PHP
  • PHPArkitect - A static code analysis tool to enforce architectural rules in your codebase
  • PHP-cfg - A Control Flow Graph implementation in PHP. Written by IrcMaxwell.
  • PHP coupling detector - Check that code has no unwanted coupled classes.
  • PHP Parser - Written in PHP by Nikita Popov and based on the actual grammar of PHP.
  • PHP Token Reflection - Library emulating the PHP internal reflection using just the tokenized source code.
  • PHPSandbox - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
  • Reflection - Reflection library to do Static Analysis for PHP Projects.
  • Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.


Tools to automatically fix the code they are provided with.

  • Rector - AST-based Instant Upgrades of PHP Applications
  • FunctionFQNReplacer - provides a way to replace relative references of functions in function calls with absolute references.
  • Phpactor - This project aims to provide heavy-lifting refactoring and introspection tools.
  • PHP BackSlasher - Tool to add all PHP internal functions and constants to their namespace by adding a backslash to them.
  • php-refactoring-browser - CLI refactoring tool.
  • PHP CS Fixer - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
  • phpdoc to typehint - Turns phpdoc comments into actual type hints (arguments and return).
  • php-scoper - Prefixes all PHP namespaces in a file/directory to isolate the code bundled in PHARs.
  • Transphpile - Write PHP 7, run PHP 5.6, with feature backport.
  • PHP Weaver - Analyses parameter types at runtime and generates the appropriate phpdocs.


Tools to measure code complexity, lines of code, etc.

  • churn-php - Helps discover good candidates for refactoring.
  • Design Pattern Detector - detection of design patterns in PHP code.
  • dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both.
  • Dissect - A set of tools for lexical and syntactical analysis.
  • php-arguments-detector - Keep control over the complexity of your methods by checking that they do not have too many arguments.
  • PHPLOC - Utility to measure PHP application size and count various structures.
  • PHP Metrics - Calculates all sorts of metrics and displays them in a gorgeous interface.
  • PHP Semantic Versioning Checker - Compares two source sets and determines the appropriate semantic versioning to apply.
  • PhpStats - Tool for collecting statistics, metrics, dependencies, and building various graphs for large projects to find bottlenecks.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.


Tools that display PHP code in a graphical way.

  • PHPcity - PHPCity is an implementation of city metaphor visualization and provides visualization of PHP projects which are implemented in the object-oriented fashion.


Online services for PHP code that provide dashboards. They may use the previous tools or offer their own.

  • Bliss - Automatically reviews code in real-time and shows how much it's worth in lines of code.
  • Checkmarx - Get a full PHP static security code analysis and prevent security vulnerabilities.
  • Codacy - Codacy: Automated Code Review.
  • CodeBeat - Decrease technical debt. Find refactoring opportunities.
  • Code Climate - Hosted static analysis for Ruby, PHP and JavaScript source code.
  • CodeScene - Prioritize technical debt in PHP, JavaScript, etc.
  • Codegrip - Smarter & Secure way to Code Review
  • Deepsource - DeepSource is a modern static analysis platform, built for engineering teams who move fast and don’t break things.
  • Insight - A SensioLabs tool that analyzes source code to find problems that degrade the overall quality of your projects.
  • Insphpect - Insphpect is an automated code review tool which identifies inflexibilities in PHP code and helps you write better software.
  • RIPS - The superior security software for PHP applications. Source code static analyser for vulnerabilities.
  • Scrutinizer - Improve code quality and find bugs before they hit production with our continuous inspection platform.
  • Sourcegraph - Understand and search across your entire codebase
  • SideCI - CI for automated code review by code analysis.
  • Laravelshift - The automated way to upgrade Laravel applications. Upgrade Laravel applications all the way from Laravel 4.2 to the latest version of Laravel.


  • HHVM - Hack Language from Facebook. Had an SCA until version 3.3.8; newer versions no longer include it.
  • PHP Manipulator - A library for analysing and modifying PHP Source Code.
  • PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
  • PHPQA - A wrapper for a lot of PHP tools, with results reported in a single HTML file.
  • Fixtro - A wrapper that runs on each pre-commit. It installs all the dependencies for the runners itself, and supports a lot of them (phpunit, phpmd, php-cs-fixer, etc.).
  • Coverage Checker - A tool which allows some of the tools here to be enforced on changed code only. Good for moving towards new standards.
  • Composer Require Checker - A CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies.
  • - A website that lets you try some PHP static analysis command-line tools online
  • Static Analysis Results Baseliner - A tool for generating a baseline from static analysis tools.