Awesome

Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP. The list of available tools and the installer are actually managed in the jakzal/toolbox repository.

Supported platforms and PHP versions

Docker hub repository: https://hub.docker.com/r/jakzal/phpqa/

Nightly builds: https://hub.docker.com/r/jakzal/phpqa-nightly/

Debian

latest, debian (Dockerfile)
1.98.1, 1.98, 1.98.1-debian, 1.98-debian (Dockerfile)
1.98.1-php8.1, 1.98-php8.1, php8.1-debian, php8.1 (Dockerfile)
1.98.1-php8.2, 1.98-php8.2, php8.2-debian, php8.2 (Dockerfile)
1.98.1-php8.3, 1.98-php8.3, php8.3-debian, php8.3 (Dockerfile)

Alpine

alpine (Dockerfile)
1.98.1-alpine, 1.98-alpine, (Dockerfile)
1.98.1-php8.1-alpine, 1.98-php8.1-alpine, php8.1-alpine (Dockerfile)
1.98.1-php8.2-alpine, 1.98-php8.2-alpine, php8.2-alpine (Dockerfile)
1.98.1-php8.3-alpine, 1.98-php8.3-alpine, php8.3-alpine (Dockerfile)

Updated daily: latest, debian, alpine, php8.4, php8.4-alpine, etc. Updated on patch version change: 1.61, 1.61-php8.4, 1.61-php8.4-alpine, etc. Never updated: 1.61.0, 1.61.0-php8.4, 1.61.0-php8.4-alpine, etc.

Legacy

These are the latest tags for PHP versions that are no longer supported:

1.92.7-php8.0, 1.93-php8.0, php8.0-debian, php8.0 (Dockerfile)
1.92.7-php8.0-alpine, 1.93-php8.0-alpine, php8.0-alpine (Dockerfile)
1.80.0-php7.4, 1.80-php7.4, php7.4-debian, php7.4 (Dockerfile)
1.80.0-php7.4-alpine, 1.80-php7.4-alpine, php7.4-alpine (Dockerfile)
1.61.2-php7.3, 1.61-php7.3, php7.3-debian, php7.3 (debian/Dockerfile)
1.61.2-php7.3-alpine, 1.61-php7.3-alpine, php7.3-alpine (alpine/Dockerfile)
1.44.0-php7.2, 1.44-php7.2, php7.2 (7.2/debian/Dockerfile)
1.44.0-php7.2-alpine, 1.44-php7.2-alpine, php7.2-alpine (7.2/alpine/Dockerfile)
1.26.0-php7.1, 1.26-php7.1, php7.1 (7.1/debian/Dockerfile)
1.26.0-php7.1-alpine, 1.26-php7.1-alpine, php7.1-alpine (7.1/alpine/Dockerfile)

Available tools

Name	Description	PHP 8.1	PHP 8.2	PHP 8.3
behat	Helps to test business expectations	✅	✅	✅
box	Fast, zero config application bundler with PHARs	❌	✅	✅
box-3	Fast, zero config application bundler with PHARs	✅	❌	✅
churn	Discovers good candidates for refactoring	✅	✅	✅
codeception	Codeception is a BDD-styled PHP testing framework	✅	✅	✅
composer	Dependency Manager for PHP	✅	✅	✅
composer-bin-plugin	Composer plugin to install bin vendors in isolated locations	✅	✅	✅
composer-normalize	Composer plugin to normalize composer.json files	✅	✅	✅
composer-require-checker	Verify that no unknown symbols are used in the sources of a package.	❌	✅	✅
composer-require-checker-3	Verify that no unknown symbols are used in the sources of a package.	✅	✅	✅
composer-unused	Show unused packages by scanning your code	✅	✅	✅
dephpend	Detect flaws in your architecture	✅	✅	✅
deprecation-detector	Finds usages of deprecated code	✅	✅	✅
deptrac	Enforces dependency rules between software layers	✅	✅	✅
diffFilter	Applies QA tools to run on a single pull request	✅	✅	✅
ecs	Sets up and runs coding standard checks	✅	✅	✅
infection	AST based PHP Mutation Testing Framework	✅	✅	✅
larastan	PHPStan extension for Laravel	✅	✅	✅
local-php-security-checker	Checks composer dependencies for known security vulnerabilities	✅	✅	✅
parallel-lint	Checks PHP file syntax	✅	✅	✅
paratest	Parallel testing for PHPUnit	✅	✅	✅
pdepend	Static Analysis Tool	✅	✅	✅
pest	The elegant PHP Testing Framework	✅	✅	✅
phan	Static Analysis Tool	✅	✅	✅
phive	PHAR Installation and Verification Environment	✅	✅	✅
php-coupling-detector	Detects code coupling issues	❌	❌	❌
php-cs-fixer	PHP Coding Standards Fixer	✅	✅	✅
php-fuzzer	A fuzzer for PHP, which can be used to find bugs in libraries by feeding them 'random' inputs	✅	✅	✅
php-semver-checker	Suggests a next version according to semantic versioning	✅	✅	✅
phpa	Checks for weak assumptions	✅	✅	✅
phparkitect	Helps to put architectural constraints in a PHP code base	✅	✅	✅
phpat	Easy to use architecture testing tool	✅	✅	✅
phpbench	PHP Benchmarking framework	✅	✅	✅
phpca	Finds usage of non-built-in extensions	✅	✅	✅
phpcb	PHP Code Browser	✅	✅	✅
phpcbf	Automatically corrects coding standard violations	✅	✅	✅
phpcodesniffer-composer-install	Easy installation of PHP_CodeSniffer coding standards (rulesets).	✅	✅	✅
phpcov	a command-line frontend for the PHP_CodeCoverage library	❌	✅	✅
phpcpd	Copy/Paste Detector	✅	✅	✅
phpcs	Detects coding standard violations	✅	✅	✅
phpcs-security-audit	Finds vulnerabilities and weaknesses related to security in PHP code	✅	✅	✅
phpdd	Finds usage of deprecated features	✅	✅	✅
phpDocumentor	Documentation generator	✅	✅	✅
phpinsights	Analyses code quality, style, architecture and complexity	✅	✅	✅
phplint	Lints php files in parallel	✅	✅	✅
phploc	A tool for quickly measuring the size of a PHP project	✅	✅	✅
phpmd	A tool for finding problems in PHP code	✅	✅	✅
phpmetrics	Static Analysis Tool	✅	✅	✅
phpmnd	Helps to detect magic numbers	✅	✅	✅
phpspec	SpecBDD Framework	✅	❌	❌
phpstan	Static Analysis Tool	✅	✅	✅
phpstan-banned-code	PHPStan rules for detecting calls to specific functions you don't want in your project	✅	✅	✅
phpstan-beberlei-assert	PHPStan extension for beberlei/assert	✅	✅	✅
phpstan-deprecation-rules	PHPStan rules for detecting deprecated code	✅	✅	✅
phpstan-doctrine	Doctrine extensions for PHPStan	✅	✅	✅
phpstan-ergebnis-rules	Additional rules for PHPstan	✅	✅	✅
phpstan-exception-rules	PHPStan rules for checked and unchecked exceptions	✅	✅	✅
phpstan-larastan	Separate installation of phpstan for larastan	✅	✅	✅
phpstan-phpunit	PHPUnit extensions and rules for PHPStan	✅	✅	✅
phpstan-strict-rules	Extra strict and opinionated rules for PHPStan	✅	✅	✅
phpstan-symfony	Symfony extension for PHPStan	✅	✅	✅
phpstan-webmozart-assert	PHPStan extension for webmozart/assert	✅	✅	✅
phpunit	The PHP testing framework	❌	✅	✅
phpunit-10	The PHP testing framework (10.x version)	✅	✅	✅
phpunit-8	The PHP testing framework (8.x version)	✅	✅	✅
phpunit-9	The PHP testing framework (9.x version)	✅	✅	✅
pint	Opinionated PHP code style fixer for Laravel	✅	✅	✅
psalm	Finds errors in PHP applications	✅	✅	✅
psalm-plugin-doctrine	Stubs to let Psalm understand Doctrine better	✅	✅	✅
psalm-plugin-phpunit	Psalm plugin for PHPUnit	✅	✅	✅
psalm-plugin-symfony	Psalm Plugin for Symfony	✅	✅	✅
psecio-parse	Scans code for potential security-related issues	✅	✅	✅
rector	Tool for instant code upgrades and refactoring	✅	✅	✅
roave-backward-compatibility-check	Tool to compare two revisions of a class API to check for BC breaks	✅	✅	✅
simple-phpunit	Provides utilities to report legacy tests and usage of deprecated code	✅	✅	✅
twig-cs-fixer	Automatically corrects twig files following the official coding standard rules	✅	✅	✅
twig-lint	Standalone cli twig 1.X linter	✅	✅	✅
twig-linter	Standalone cli twig 3.X linter	✅	✅	✅
twigcs	The missing checkstyle for twig!	✅	✅	✅
yaml-lint	Compact command line utility for checking YAML file syntax	❌	✅	✅

Each tool is installed in the latest stable version if possible. Any Docker image has the latest available and installable version at the time of image creation.

More tools

Some tools are not included in the docker image, to use them refer to their documentation:

exakat - a real time PHP static analyser

Removed tools

Name	Summary
analyze	Visualizes metrics and source code
box-legacy	Legacy version of box
composer-normalize	Composer plugin to normalize composer.json files
design-pattern	Detects design patterns
parallel-lint	Checks PHP file syntax
php-formatter	Custom coding standards fixer
phpcf	Finds usage of deprecated features
phpda	Generates dependency graphs
phpdoc-to-typehint	Automatically adds type hints and return types based on PHPDocs
phpstan-localheinz-rules	Additional rules for PHPstan
security-checker	Checks composer dependencies for known security vulnerabilities
testability	Analyses and reports testability issues of a php codebase

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v "$(pwd):/project". Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v "$(pwd)/tmp-phpqa:/tmp". If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src

You might want to tweak this command to your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

Building the image

git clone https://github.com/jakzal/phpqa.git
cd phpqa
make build-debian

To build the alpine version:

make build-alpine

Cookbook

Please check out the cookbook for further tips & tricks.

Contributing

Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.