Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP. The list of available tools and the installer are actually managed in the jakzal/toolbox repository.

Build Status Docker Pulls

Supported platforms and PHP versions

Docker hub repository:

Nightly builds:


  • latest, debian (Dockerfile)
  • 1.88.4, 1.88, 1.88.4-debian, 1.88-debian (Dockerfile)
  • 1.88.4-php8.0, 1.88-php8.0, php8.0-debian, php8.0 (Dockerfile)
  • 1.88.4-php8.1, 1.88-php8.1, php8.1-debian, php8.1 (Dockerfile)
  • 1.88.4-php8.2, 1.88-php8.2, php8.2-debian, php8.2 (Dockerfile)


  • alpine (Dockerfile)
  • 1.88.4-alpine, 1.88-alpine, (Dockerfile)
  • 1.88.4-php8.0-alpine, 1.88-php8.0-alpine, php8.0-alpine (Dockerfile)
  • 1.88.4-php8.1-alpine, 1.88-php8.1-alpine, php8.1-alpine (Dockerfile)
  • 1.88.4-php8.2-alpine, 1.88-php8.2-alpine, php8.2-alpine (Dockerfile)


These are the latest tags for PHP versions that are no longer supported:

Available tools

Name Description PHP 8.0 PHP 8.1 PHP 8.2
behat Helps to test business expectations
box Fast, zero config application bundler with PHARs
box-3 Fast, zero config application bundler with PHARs
churn Discovers good candidates for refactoring
codeception Codeception is a BDD-styled PHP testing framework
composer Dependency Manager for PHP
composer-bin-plugin Composer plugin to install bin vendors in isolated locations
composer-normalize Composer plugin to normalize composer.json files
composer-require-checker Verify that no unknown symbols are used in the sources of a package.
composer-require-checker-3 Verify that no unknown symbols are used in the sources of a package.
composer-unused Show unused packages by scanning your code
dephpend Detect flaws in your architecture
deprecation-detector Finds usages of deprecated code
deptrac Enforces dependency rules between software layers
diffFilter Applies QA tools to run on a single pull request
ecs Sets up and runs coding standard checks
infection AST based PHP Mutation Testing Framework
larastan PHPStan extension for Laravel
local-php-security-checker Checks composer dependencies for known security vulnerabilities
parallel-lint Checks PHP file syntax
paratest Parallel testing for PHPUnit
pdepend Static Analysis Tool
phan Static Analysis Tool
phive PHAR Installation and Verification Environment
php-coupling-detector Detects code coupling issues
php-cs-fixer PHP Coding Standards Fixer
php-fuzzer A fuzzer for PHP, which can be used to find bugs in libraries by feeding them 'random' inputs
php-semver-checker Suggests a next version according to semantic versioning
phpa Checks for weak assumptions
phparkitect Helps to put architectural constraints in a PHP code base
phpat Easy to use architecture testing tool
phpbench PHP Benchmarking framework
phpca Finds usage of non-built-in extensions
phpcb PHP Code Browser
phpcbf Automatically corrects coding standard violations
phpcodesniffer-composer-install Easy installation of PHP_CodeSniffer coding standards (rulesets).
phpcov a command-line frontend for the PHP_CodeCoverage library
phpcpd Copy/Paste Detector
phpcs Detects coding standard violations
phpcs-security-audit Finds vulnerabilities and weaknesses related to security in PHP code
phpda Generates dependency graphs
phpdd Finds usage of deprecated features
phpDocumentor Documentation generator
phpinsights Analyses code quality, style, architecture and complexity
phplint Lints php files in parallel
phploc A tool for quickly measuring the size of a PHP project
phpmd A tool for finding problems in PHP code
phpmetrics Static Analysis Tool
phpmnd Helps to detect magic numbers
phpspec SpecBDD Framework
phpstan Static Analysis Tool
phpstan-banned-code PHPStan rules for detecting calls to specific functions you don't want in your project
phpstan-beberlei-assert PHPStan extension for beberlei/assert
phpstan-deprecation-rules PHPStan rules for detecting deprecated code
phpstan-doctrine Doctrine extensions for PHPStan
phpstan-ergebnis-rules Additional rules for PHPstan
phpstan-exception-rules PHPStan rules for checked and unchecked exceptions
phpstan-larastan Separate installation of phpstan for larastan
phpstan-phpunit PHPUnit extensions and rules for PHPStan
phpstan-strict-rules Extra strict and opinionated rules for PHPStan
phpstan-symfony Symfony extension for PHPStan
phpstan-webmozart-assert PHPStan extension for webmozart/assert
phpunit The PHP testing framework
phpunit-8 The PHP testing framework (8.x version)
phpunit-9 The PHP testing framework (9.x version)
pint Opinionated PHP code style fixer for Laravel
psalm Finds errors in PHP applications
psalm-plugin-doctrine Stubs to let Psalm understand Doctrine better
psalm-plugin-phpunit Psalm plugin for PHPUnit
psalm-plugin-symfony Psalm Plugin for Symfony
psecio-parse Scans code for potential security-related issues
rector Tool for instant code upgrades and refactoring
roave-backward-compatibility-check Tool to compare two revisions of a class API to check for BC breaks
simple-phpunit Provides utilities to report legacy tests and usage of deprecated code
twig-lint Standalone cli twig 1.X linter
twig-linter Standalone cli twig 3.X linter
twigcs The missing checkstyle for twig!
yaml-lint Compact command line utility for checking YAML file syntax

More tools

Some tools are not included in the docker image, to use them refer to their documentation:

Removed tools

Name Summary
analyze Visualizes metrics and source code
box-legacy Legacy version of box
composer-normalize Composer plugin to normalize composer.json files
design-pattern Detects design patterns
parallel-lint Checks PHP file syntax
php-formatter Custom coding standards fixer
phpcf Finds usage of deprecated features
phpdoc-to-typehint Automatically adds type hints and return types based on PHPDocs
phpstan-localheinz-rules Additional rules for PHPstan
security-checker Checks composer dependencies for known security vulnerabilities
testability Analyses and reports testability issues of a php codebase

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v "$(pwd):/project". Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v "$(pwd)/tmp-phpqa:/tmp". If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src

You might want to tweak this command to your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

Building the image

git clone
cd phpqa
make build-debian

To build the alpine version:

make build-alpine


Please check out the cookbook for further tips & tricks.


Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.