Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP. The list of available tools and the installer are actually managed in the jakzal/toolbox repository.

Supported platforms and PHP versions

Docker hub repository: https://hub.docker.com/r/jakzal/phpqa/

Nightly builds: https://hub.docker.com/r/jakzal/phpqa-nightly/

Debian

Alpine

Updated daily: latest, debian, alpine, php8.4, php8.4-alpine, etc.

Updated on patch version change: 1.61, 1.61-php8.4, 1.61-php8.4-alpine, etc.

Never updated: 1.61.0, 1.61.0-php8.4, 1.61.0-php8.4-alpine, etc.
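
The tag families above differ in how often the image behind a tag is replaced, which matters when a CI job has to run the same tool versions on every build. The shell functions below are an added example, not part of the phpqa project: they classify an image reference by that scheme and refuse anything that is not a full x.y.z tag or a digest. The function names, and the reading of "etc." as tags of the form php<major.minor>[-alpine], are assumptions of this example.

```shell
# Added example (POSIX sh), not from the phpqa repository.
# Classes follow the README: daily | patch | fixed, else unknown.
# "fixed" for x.y.z tags is the project's publishing policy; only a
# digest reference is content-addressed by the registry itself.

# phpqa_tag_class REF -> prints daily | patch | fixed | unknown
phpqa_tag_class() {
  ref=$1
  # A digest reference always names exactly one image.
  case $ref in *@sha256:*) echo fixed; return 0 ;; esac
  # Split off the tag; a reference without one means "latest".
  case $ref in
    *:*) tag=${ref##*:} ;;
    *)   tag=latest ;;
  esac
  # A "/" after the last ":" means that colon was a registry port.
  case $tag in */*) tag=latest ;; esac
  # Optional suffixes (assumed pattern): -php<major.minor> and -alpine.
  sfx='(-php[0-9]+\.[0-9]+)?(-alpine)?'
  if printf '%s\n' "$tag" | grep -Eq "^[0-9]+\.[0-9]+\.[0-9]+${sfx}\$"; then
    echo fixed      # e.g. 1.61.0, 1.61.0-php8.4-alpine
  elif printf '%s\n' "$tag" | grep -Eq "^[0-9]+\.[0-9]+${sfx}\$"; then
    echo patch      # e.g. 1.61, 1.61-php8.4
  elif printf '%s\n' "$tag" |
       grep -Eq '^(latest|debian|alpine|php[0-9]+\.[0-9]+(-alpine)?)$'; then
    echo daily      # e.g. latest, php8.4-alpine
  else
    echo unknown
  fi
}

# CI gate: succeed only when the reference is not expected to change
# underneath the build.
phpqa_require_pinned() {
  class=$(phpqa_tag_class "$1")
  if [ "$class" = fixed ]; then
    return 0
  fi
  echo "refusing $1: tag class is '$class', pin to x.y.z or a digest" >&2
  return 1
}
```
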

Legacy

These are the latest tags for PHP versions that are no longer supported:

Available tools

Name | Description | PHP 8.1 | PHP 8.2 | PHP 8.3
behat | Helps to test business expectations
box | Fast, zero config application bundler with PHARs
box-3 | Fast, zero config application bundler with PHARs
churn | Discovers good candidates for refactoring
codeception | Codeception is a BDD-styled PHP testing framework
composer | Dependency Manager for PHP
composer-bin-plugin | Composer plugin to install bin vendors in isolated locations
composer-normalize | Composer plugin to normalize composer.json files
composer-require-checker | Verify that no unknown symbols are used in the sources of a package.
composer-require-checker-3 | Verify that no unknown symbols are used in the sources of a package.
composer-unused | Show unused packages by scanning your code
dephpend | Detect flaws in your architecture
deprecation-detector | Finds usages of deprecated code
deptrac | Enforces dependency rules between software layers
diffFilter | Applies QA tools to run on a single pull request
ecs | Sets up and runs coding standard checks
infection | AST based PHP Mutation Testing Framework
larastan | PHPStan extension for Laravel
local-php-security-checker | Checks composer dependencies for known security vulnerabilities
parallel-lint | Checks PHP file syntax
paratest | Parallel testing for PHPUnit
pdepend | Static Analysis Tool
pest | The elegant PHP Testing Framework
phan | Static Analysis Tool
phive | PHAR Installation and Verification Environment
php-coupling-detector | Detects code coupling issues
php-cs-fixer | PHP Coding Standards Fixer
php-fuzzer | A fuzzer for PHP, which can be used to find bugs in libraries by feeding them 'random' inputs
php-semver-checker | Suggests a next version according to semantic versioning
phpa | Checks for weak assumptions
phparkitect | Helps to put architectural constraints in a PHP code base
phpat | Easy to use architecture testing tool
phpbench | PHP Benchmarking framework
phpca | Finds usage of non-built-in extensions
phpcb | PHP Code Browser
phpcbf | Automatically corrects coding standard violations
phpcodesniffer-composer-install | Easy installation of PHP_CodeSniffer coding standards (rulesets).
phpcov | a command-line frontend for the PHP_CodeCoverage library
phpcpd | Copy/Paste Detector
phpcs | Detects coding standard violations
phpcs-security-audit | Finds vulnerabilities and weaknesses related to security in PHP code
phpdd | Finds usage of deprecated features
phpDocumentor | Documentation generator
phpinsights | Analyses code quality, style, architecture and complexity
phplint | Lints php files in parallel
phploc | A tool for quickly measuring the size of a PHP project
phpmd | A tool for finding problems in PHP code
phpmetrics | Static Analysis Tool
phpmnd | Helps to detect magic numbers
phpspec | SpecBDD Framework
phpstan | Static Analysis Tool
phpstan-banned-code | PHPStan rules for detecting calls to specific functions you don't want in your project
phpstan-beberlei-assert | PHPStan extension for beberlei/assert
phpstan-deprecation-rules | PHPStan rules for detecting deprecated code
phpstan-doctrine | Doctrine extensions for PHPStan
phpstan-ergebnis-rules | Additional rules for PHPStan
phpstan-exception-rules | PHPStan rules for checked and unchecked exceptions
phpstan-larastan | Separate installation of phpstan for larastan
phpstan-phpunit | PHPUnit extensions and rules for PHPStan
phpstan-strict-rules | Extra strict and opinionated rules for PHPStan
phpstan-symfony | Symfony extension for PHPStan
phpstan-webmozart-assert | PHPStan extension for webmozart/assert
phpunit | The PHP testing framework
phpunit-10 | The PHP testing framework (10.x version)
phpunit-8 | The PHP testing framework (8.x version)
phpunit-9 | The PHP testing framework (9.x version)
pint | Opinionated PHP code style fixer for Laravel
psalm | Finds errors in PHP applications
psalm-plugin-doctrine | Stubs to let Psalm understand Doctrine better
psalm-plugin-phpunit | Psalm plugin for PHPUnit
psalm-plugin-symfony | Psalm Plugin for Symfony
psecio-parse | Scans code for potential security-related issues
rector | Tool for instant code upgrades and refactoring
roave-backward-compatibility-check | Tool to compare two revisions of a class API to check for BC breaks
simple-phpunit | Provides utilities to report legacy tests and usage of deprecated code
twig-cs-fixer | Automatically corrects twig files following the official coding standard rules
twig-lint | Standalone cli twig 1.X linter
twig-linter | Standalone cli twig 3.X linter
twigcs | The missing checkstyle for twig!
yaml-lint | Compact command line utility for checking YAML file syntax

Each tool is installed in its latest stable version where possible. Each Docker image contains the latest version of every tool that was available and installable when the image was built.

More tools

Some tools are not included in the Docker image. To use them, refer to their documentation:

Removed tools

Name | Summary
analyze | Visualizes metrics and source code
box-legacy | Legacy version of box
composer-normalize | Composer plugin to normalize composer.json files
design-pattern | Detects design patterns
parallel-lint | Checks PHP file syntax
php-formatter | Custom coding standards fixer
phpcf | Finds usage of deprecated features
phpda | Generates dependency graphs
phpdoc-to-typehint | Automatically adds type hints and return types based on PHPDocs
phpstan-localheinz-rules | Additional rules for PHPStan
security-checker | Checks composer dependencies for known security vulnerabilities
testability | Analyses and reports testability issues of a php codebase

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v "$(pwd):/project". Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v "$(pwd)/tmp-phpqa:/tmp". If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src

You might want to tweak this command to your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

Building the image

git clone https://github.com/jakzal/phpqa.git
cd phpqa
make build-debian

To build the alpine version:

make build-alpine

Cookbook

Please check out the cookbook for further tips & tricks.

Contributing

Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.