Static Analysis Tools for PHP
Docker image providing static analysis tools for PHP.
The list of available tools and the installer are actually managed in the
Supported platforms and PHP versions
Docker hub repository: https://hub.docker.com/r/jakzal/phpqa/
Nightly builds: https://hub.docker.com/r/jakzal/phpqa-nightly/
These are the latest tags for PHP versions that are no longer supported:
- composer - Dependency Manager for PHP
- composer-bin-plugin - Composer plugin to install bin vendors in isolated locations
- box - Fast, zero config application bundler with PHARs
- box-legacy - Legacy version of box
- analyze - Visualizes metrics and source code
- behat - Helps to test business expectations
- churn - Discovers good candidates for refactoring
- composer-normalize - Composer plugin to normalize composer.json files
- composer-unused - Show unused packages by scanning your code
- dephpend - Detect flaws in your architecture
- deprecation-detector - Finds usages of deprecated code
- deptrac - Enforces dependency rules between software layers
- diffFilter - Applies QA tools to run on a single pull request
- ecs - Sets up and runs coding standard checks
- infection - AST based PHP Mutation Testing Framework
- parallel-lint - Checks PHP file syntax
- paratest - Parallel testing for PHPUnit
- pdepend - Static Analysis Tool
- phan - Static Analysis Tool
- php-coupling-detector - Detects code coupling issues
- php-cs-fixer - PHP Coding Standards Fixer
- php-formatter - Custom coding standards fixer
- php-semver-checker - Suggests a next version according to semantic versioning
- phpDocumentor - Documentation generator
- phpbench - PHP Benchmarking framework
- phpa - Checks for weak assumptions
- phpat - Easy to use architecture testing tool
- phpca - Finds usage of non-built-in extensions
- phpcb - PHP Code Browser
- phpcbf - Automatically corrects coding standard violations
- phpcf - Finds usage of deprecated features
- phpcov - A command-line frontend for the PHP_CodeCoverage library
- phpcpd - Copy/Paste Detector
- phpcs - Detects coding standard violations
- phpda - Generates dependency graphs
- phpdoc-to-typehint - Automatically adds type hints and return types based on PHPDocs
- phpinsights - Analyses code quality, style, architecture and complexity
- phplint - Lints PHP files in parallel
- phploc - A tool for quickly measuring the size of a PHP project
- phpmd - A tool for finding problems in PHP code
- phpmetrics - Static Analysis Tool
- phpmnd - Helps to detect magic numbers
- phpspec - SpecBDD Framework
- phpstan - Static Analysis Tool
- phpstan-deprecation-rules - PHPStan rules for detecting deprecated code
- phpstan-ergebnis-rules - Additional rules for PHPStan
- phpstan-strict-rules - Extra strict and opinionated rules for PHPStan
- phpstan-doctrine - Doctrine extensions for PHPStan
- phpstan-phpunit - PHPUnit extensions and rules for PHPStan
- phpstan-symfony - Symfony extension for PHPStan
- phpstan-beberlei-assert - PHPStan extension for beberlei/assert
- phpstan-webmozart-assert - PHPStan extension for webmozart/assert
- phpstan-exception-rules - PHPStan rules for checked and unchecked exceptions
- phpunit - The PHP testing framework
- phpunit-8 - The PHP testing framework (8.x version)
- phpunit-7 - The PHP testing framework (7.x version)
- phpunit-5 - The PHP testing framework (5.x version)
- psalm - Finds errors in PHP applications
- doctrine-psalm-plugin - Stubs to let Psalm understand Doctrine better
- psecio-parse - Scans code for potential security-related issues
- rector - Tool for instant code upgrades and refactoring
- roave-backward-compatibility-check - Tool to compare two revisions of a class API to check for BC breaks
- security-checker - Checks composer dependencies for known security vulnerabilities
- simple-phpunit - Provides utilities to report legacy tests and usage of deprecated code
- twig-lint - Standalone twig linter
- twigcs - The missing checkstyle for twig!
- larastan - PHPStan extension for Laravel
- yaml-lint - Compact command line utility for checking YAML file syntax
Some tools are not included in the Docker image; to use them, refer to their documentation:
- exakat - A real-time PHP static analyser
- design-pattern - Detects design patterns
- testability - Analyses and reports testability issues of a PHP codebase
- phpstan-localheinz-rules - Additional rules for PHPStan
- composer-normalize - Composer plugin to normalize composer.json files
Pull the image:
docker pull jakzal/phpqa
The default command will list available tools:
docker run -it --rm jakzal/phpqa
To run the selected tool inside the container, you'll need to mount
the project directory on the container with
Some tools like to write to the
/tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful
to share it between docker runs, i.e. with
If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the
--init option. Please refer to the docker run documentation for more information.
docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src
You might want to tweak this command to your needs and create an alias for convenience:
alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'
Add it to your
~/.bashrc so it's defined every time you start a new terminal session.
Now the command becomes a lot simpler:
phpqa phpstan analyse src
The image can be used with GitHub actions. Below is an example for several static analysis tools.
# .github/workflows/static-code-analysis.yml
name: Static code analysis
on: [pull_request]
jobs:
  static-code-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: PHPStan
        uses: docker://jakzal/phpqa:php7.4-alpine
        with:
          args: phpstan analyze src/ -l 1
      - name: PHP-CS-Fixer
        uses: docker://jakzal/phpqa:php7.4-alpine
        with:
          args: php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
      - name: Deptrac
        uses: docker://jakzal/phpqa:php7.4-alpine
        with:
          args: deptrac --no-interaction --ansi --formatter-graphviz-display=0
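An added example, not part of the phpqa project: `actions/checkout@master` and the `php7.4-alpine` image tag in the workflow above are mutable references, so what runs in CI can change without any change to the workflow file. The POSIX shell function below (`unpinned_uses`, a hypothetical name) lists every `uses:` entry that is not pinned to a full commit SHA or an image digest; the sample workflow, the SHA and the digest are constructed placeholders.

```shell
#!/bin/sh
# is_hex STRING LENGTH: succeed if STRING is exactly LENGTH lowercase hex chars.
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in *[!0-9a-f]*) return 1 ;; esac
}

# unpinned_uses: read a GitHub Actions workflow on stdin and print each
# `uses:` reference that a later push upstream could change: branch or tag
# refs on actions, and docker:// images without an @sha256: digest.
unpinned_uses() {
    # Keep only the value of each `uses:` key, without trailing comments.
    sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' |
    tr -d "\"'" |
    while IFS= read -r ref; do
        case $ref in
            ./*) ;;   # local action, versioned with the repository itself
            docker://*@sha256:*)
                is_hex "${ref##*@sha256:}" 64 || printf '%s\n' "$ref" ;;
            docker://*) printf '%s\n' "$ref" ;;   # tag only, mutable
            *@*) is_hex "${ref##*@}" 40 || printf '%s\n' "$ref" ;;
            *) printf '%s\n' "$ref" ;;            # no ref at all
        esac
    done
}

# Constructed sample: two steps from the workflow above plus pinned forms.
# The commit SHA and the digest are made-up placeholders, not real values.
sample_workflow() {
    cat <<'EOF'
steps:
  - uses: actions/checkout@master
  - name: PHPStan
    uses: docker://jakzal/phpqa:php7.4-alpine
    with:
      args: phpstan analyze src/ -l 1
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
  - name: PHPStan (pinned)
    uses: docker://jakzal/phpqa@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}

# Prints the two mutable references from the sample.
sample_workflow | unpinned_uses
```

Run it against a real file with `unpinned_uses < .github/workflows/static-code-analysis.yml`; an empty result means every reference is pinned.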
Here is an example configuration of a bitbucket pipeline using the phpqa image:
# bitbucket-pipelines.yml
image: jakzal/phpqa:php7.4-alpine
pipelines:
  default:
    - step:
        name: Static analysis
        caches:
          - composer
        script:
          - composer install --no-scripts --no-progress
          - phpstan analyze src/ -l 1
          - php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
          - deptrac --no-interaction --ansi --formatter-graphviz-display=0
Unfortunately, bitbucket overrides the docker entrypoint so composer needs to be explicitly invoked as in the above example.
Starter-kits / Templates
A template repository for agnostic PHP libraries. It integrates the PHPQA image into a Makefile and configures some tools by default.
A template repository for Docker based Symfony applications. It integrates the PHPQA image into a Dockerfile and into the composed landscape.
Building the image
git clone https://github.com/jakzal/phpqa.git
cd phpqa
make build-latest
To build the alpine version:
Customising the image
It's often needed to customise the image with project specific extensions.
To achieve that simply create a new image based on
FROM jakzal/phpqa:alpine
RUN apk add --no-cache libxml2-dev \
 && docker-php-ext-install soap
Next, build it:
docker build -t foo/phpqa .
Finally, use your customised image instead of the default one:
docker run --init -it --rm -v "$(pwd):/project" -w /project foo/phpqa phpmetrics .
Adding PHPStan extensions
A number of PHPStan extensions are available on the image in
/tools/.composer/vendor-bin/phpstan/vendor out of the box.
You can find them with the command below:
phpqa find /tools/.composer/vendor-bin/phpstan/vendor/ -iname 'rules.neon' -or -iname 'extension.neon'
Use the composer-bin-plugin to install any additional PHPStan extensions in the
FROM jakzal/phpqa:alpine
RUN composer global bin phpstan require phpstan/phpstan-phpunit
You'll be able to include them in your PHPStan configuration from the
includes:
    - /tools/.composer/vendor-bin/phpstan/vendor/phpstan/phpstan-phpunit/extension.neon
Debugger & Code Coverage
pcov is disabled by default so it doesn't affect performance when it's not needed,
and doesn't break interoperability with other coverage extensions.
It can be enabled by setting
phpqa php -d pcov.enabled=1 ./vendor/bin/phpunit --coverage-text
Infection users will need to define initial php options:
phpqa /tools/infection run --initial-tests-php-options='-dpcov.enabled=1'
Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.