Skip to content
Go to file

Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP. The list of available tools and the installer are actually managed in the jakzal/toolbox repository.

Build Status Docker Build

Supported platforms and PHP versions

Docker hub repository:

Nightly builds:




These are the latest tags for PHP versions that are no longer supported:

Available tools

More tools

Some tools are not included in the docker image, to use them refer to their documentation:

Removed tools

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v "$(pwd):/project". Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v "$(pwd)/tmp-phpqa:/tmp". If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src

You might want to tweak this command to your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

GitHub actions

The image can be used with GitHub actions. Below is an example for several static analysis tools.

# .github/workflows/static-code-analysis.yml
name: Static code analysis

on: [pull_request]

    runs-on: ubuntu-latest
      - uses: actions/checkout@master
      - name: PHPStan
        uses: docker://jakzal/phpqa:php7.4-alpine
          args: phpstan analyze src/ -l 1
      - name: PHP-CS-Fixer
        uses: docker://jakzal/phpqa:php7.4-alpine
          args: php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
      - name: Deptrac
        uses: docker://jakzal/phpqa:php7.4-alpine
          args: deptrac --no-interaction --ansi --formatter-graphviz-display=0

Bitbucket Pipelines

Here is an example configuration of a bitbucket pipeline using the phpqa image:

# bitbucket-pipelines.yml
image: jakzal/phpqa:php7.4-alpine
    - step:
        name: Static analysis
          - composer
          - composer install --no-scripts --no-progress
          - phpstan analyze src/ -l 1
          - php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
          - deptrac --no-interaction --ansi --formatter-graphviz-display=0

Unfortunately, bitbucket overrides the docker entrypoint so composer needs to be explicitly invoked as in the above example.

Starter-kits / Templates


A template repository for agnostic PHP libraries. It utilizes the PHPQA image into a Makefile and configures some tools by default.


A template repository for Docker based Symfony applications. It utilizes the PHPQA image into a Dockerfile and integrates in the composed landscape.

Building the image

git clone
cd phpqa
make build-latest

To build the alpine version:

make build-alpine

Customising the image

It's often needed to customise the image with project specific extensions. To achieve that simply create a new image based on jakzal/phpqa:

FROM jakzal/phpqa:alpine

RUN apk add --no-cache libxml2-dev \
 && docker-php-ext-install soap

Next, build it:

docker build -t foo/phpqa .

Finally, use your customised image instead of the default one:

docker run --init -it --rm -v "$(pwd):/project" -w /project foo/phpqa phpmetrics .

Adding PHPStan extensions

A number of PHPStan extensions is available on the image in /tools/.composer/vendor-bin/phpstan/vendor out of the box. You can find them with the command below:

phpqa find /tools/.composer/vendor-bin/phpstan/vendor/ -iname 'rules.neon' -or -iname 'extension.neon'

Use the composer-bin-plugin to install any additional PHPStan extensions in the phpstan namespace:

FROM jakzal/phpqa:alpine

RUN composer global bin phpstan require phpstan/phpstan-phpunit

You'll be able to include them in your PHPStan configuration from the /tools/.composer/vendor-bin/phpstan/vendor path:

    - /tools/.composer/vendor-bin/phpstan/vendor/phpstan/phpstan-phpunit/extension.neon

Debugger & Code Coverage

The pcov code coverage extension, as well as the php-dbg debugger, are provided on the image out of the box.

pcov is disabled by default so it doesn't affect performance when it's not needed, and doesn't break interoperability with other coverage extensions. It can be enabled by setting pcov.enabled=1:

phpqa php -d pcov.enabled=1 ./vendor/bin/phpunit --coverage-text

Infection users will need to define initial php options:

phpqa /tools/infection run --initial-tests-php-options='-dpcov.enabled=1'


Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

You can’t perform that action at this time.