A reviewed list of useful PHP static analysis tools


Static analysis tools for PHP

A curated list of static analysis tools for PHP.



Table of Contents

Bugs finders

Tools to reports issues in code that are or lead to bugs.

  • Code insight - A tool for analysing other project code bases.
  • Eir - A static vulnerability analysis tool written in C#.
  • Exakat - Smart static analysis.
  • Garcon - A static code analyser for vulnerabilities in PHP scripts. Currently supports SQL injection, command line injection and persistent XSS.
  • Mondrian - A code analysis tool using Graph Theory.
  • Pfff - Tools for code analysis, visualizations, or style-preserving source transformation.
  • php-analysis - PHP Analysis in Rascal (PHP AiR).
  • PHP Assumption - Finds weak assumptions in the code, suggest to turn them into stronger validations.
  • PhpCodeAnalyzer - Finds usage of non-built-in extensions.
  • PHPCodeFixer - Finds usage of deprecated functions, variables and ini directives.
  • php7mar - PHP 7 Migration Assistant Report.
  • phpcallgraph - Generate static call graphs. Such a graph visualizes the call dependencies among methods or functions of an application..
  • PHPCPD - Spots copy/pasted code, and help enforcing DRY rule.
  • Phan - The static analyzer by Rasmus, PHP Creator.
  • Phortress - A PHP static code analyser for potential vulnerabilities.
  • PHP Code Static Analysis - PHP Code static analysis program made in nodeJS
  • PHP Inspection - Static analysis plugin for PHPStorm.
  • PHP Integrator - Indexes PHP code and performs static analysis for Atom editor.
  • PHP lint - PHP itself, able to detect syntax error from command line.
  • PHPlint - A validator and documentator for PHP 5 programs.
  • PHP-Parallel-Lint - A parallel php linting tool for PHP 5.3.3 or newer.
  • PHP Mess Detector - Look for several potential problems within source code.
  • PHP Reaper - Scan ADOdb code for SQL Injections.
  • PHP SA - A development tool aimed at bringing complex analysis for PHP applications and libraries.
  • PHP Stan - Focuses on finding errors in code without actually running it.
  • PHP Unlocker - Detect potential, unintended DB table locks for PHP applications using ADOdb. Uses static analysis methods.
  • PHP testability - Analyses and produces a report with testability issues of a php codebase.
  • PHP vuln hunter - Scan PHP vulnerabilities automatically using static analysis methods.
  • Psalm - A static analysis tool for finding errors in PHP applications
  • RIPS - Source code static analyser for vulnerabilities. Newer version is mixed model, free and paid.
  • psecio:parse - Parse : A PHP Security Scanner
  • SonarQube - An open platform to manage code quality. It covers PHP code.
  • Side Channel Analyzer - Search for side-channel vulnerable code.
  • TaintPHP - Static Taint Analyzer.
  • Taint'em All - A taint analysis tool for the PHP language, it makes use of Static Taint Analysis + Symbolic Execution
  • Tuli - A static analysis engine.
  • 17eyes - PHP static analyzer written in Haskell.

Coding standards

Tools to review the way PHP code was written and more.

  • PHP Code Sniffer - PHPCS checks the code for a large range of coding standard.
  • PHPCheckstyle - A tool to help adhere to certain coding conventions.
  • PHP formatter - This PHP formatter aims to provide you some bulk actions for you PHP projects to ensure their consistency.


Libraries that may be the base for a home-made static analyzer

  • Deptrac - A static code analysis tool to enforce rules for dependencies between software layers.
  • PHP-cfg - A Control Flow Graph implementation in PHP. Written by IrcMaxwell.
  • PHP coupling detector - Check that code has no unwanted coupled classes.
  • PHP Parser - Written in PHP by Nikita Popov and based on actual grammar of PHP.
  • PHP Token Reflection - Library emulating the PHP internal reflection using just the tokenized source code.
  • PHPSandbox - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
  • Reflection - Reflection library to do Static Analysis for PHP Projects
  • Better Reflection - Reflection library with additional features such as parsing docblock type hints, uses nikic's PHP Parser under the hood.


Tools to automatically fix the code they are provided with.


Tools to measures the code : complexity, line of codes, etc.

  • Design Pattern Detector - detection of design patterns in PHP code
  • Dissect - A set of tools for lexical and syntactical analysis.
  • PHPLOC - Utility to measures PHP application size and count various structures.
  • PHP Metrics - Calculates all sorts of metrics, and display them in a gorgeous interface.
  • PHP Semantic Versioning Checker - Utility to check semantic version of a given code.
  • PhpDependencyAnalysis - Static code analysis to provide and verify a dependency graph against a defined architecture.
  • PHP semver checker - Compares two source sets and determines the appropriate semantic versioning to apply.
  • Quality Analyzer - Quality Analyzer is a tool to visualize metrics and source code.
  • dePHPend - dePHPend helps analyze dependencies & architecture and allows you to define constraints for both


Online services to PHP code, provide dashboards. They may use the previous tools or offer their own.

  • AppChecker - Appchecker
  • Bliss - Automatically reviews code in real-time and shows how much it's worth in lines of code.
  • Checkmarx - Get a full PHP static security code analysis and prevent security vulnerabilities.
  • Codacy - Codacy: Automated Code Review.
  • Code Climate - Hosted static analysis for Ruby, PHP and JavaScript source code.
  • Insight - A SensioLabs tool to analyzes source code to find problems that degrade the overall quality of your projects.
  • Ripstech - The superior security software for PHP applications.
  • Scrutinizer - Improve code quality and find bugs before they hit production with our continuous inspection platform.


  • devbug - Ongoing work on PHP Analysis in Rascal (PHP AiR).
  • HHVM - Hack Language from Facebook. Add a SCA until version 3.3.8, newer version doesn't have anymore.
  • PHP Analysis - A library for analysing and modifying PHP Source Code.
  • PHP Manipulator - A library for analysing and modifying PHP Source Code.
  • PHP Parser - A NodeJS library for parsing PHP and extracting tokens and AST.
  • PHPQA - A Wrapper to a lot of PHP tools reported into a single html file.