The top PHP static code analysis tools of 2023

The PHP community has a diverse ecosystem of static analysis tools, which can make it somewhat difficult to decide which tools to use. Hopefully this post helps you decide which of these tools you’ll use.

This post separates these tools into two types depending on their purpose. The first section covers static analysis for the purpose of identifying bugs. The second section covers maintenance of code style/formatting.

Static Code Analysis Tools

  • PHPStan is the most commonly used tool and also one of the youngest. It has been rapidly adopted since its release in 2016. It’ll discover bugs in your code without running the code.

  • Psalm was also released in 2016 and has grown in popularity a little more slowly. It claims more features out of the box and focuses on type-related bugs.

  • Scrutinizer is the most popular commercial option in use by open-source projects and has been around longer than its open-source counterparts. It’s free for open-source projects but is only available as a hosted solution.

  • Phan isn’t used by many of the projects I reviewed but is popular and well-supported. It was created at Etsy and appears to be the primary tool used by Wikipedia’s MediaWiki project. The advertised upside of using Phan is that it has a focus on minimizing false-positives. This makes it trivial to use but it might catch fewer issues compared to the other options.

Let’s look at what some popular open-source PHP projects use. This table only includes repositories which have at least 1K GitHub stars, and which implement the static analysis tools as a component of their continuous integration systems.

Project            Stars   PHPStan  Psalm  Scrutinizer  Phan
Symfony            27.8K   -        ✔️     -            -
Composer           27.2K   ✔️       -      -            -
Guzzle             22.3K   ✔️       ✔️     -            -
NextCloud          21.1K   -        ✔️     ✔️           -
Monolog            20.1K   ✔️       -      -            -
PHPUnit            18.8K   -        ✔️     -            -
Yii2               14K     -        -      ✔️           -
PHPDotEnv          12.3K   ✔️       ✔️     -            -
Slim               11.5K   ✔️       -      -            -
Phalcon            10.7K   ✔️       ✔️     -            -
Doctrine           9.5K    ✔️       ✔️     -            -
php-jwt            8.6K    ✔️       -      -            -
Assert             7.2K    -        ✔️     -            -
AWS SDK            5.7K    ✔️       -      -            -
Elasticsearch SDK  5K      ✔️       -      -            -
php-amqplib        4.2K    -        -      ✔️           -
Stripe SDK         3.3K    ✔️       -      -            -
Mediawiki          3.3K*   -        -      -            ✔️
Maxmind GeoIP2     2.1K    ✔️       -      -            -
Paratest           2K      -        ✔️     -            -
Sentry SDK         1.7K    ✔️       ✔️     -            -

There are a few other fairly popular tools worth mentioning that were not used by the projects above during CI.

  • PHP Mess Detector: This is an older static analysis tool which offers some different functionality. Besides identifying potential bugs, it can also help identify generally poor code. It’s very mature and may be more useful for targeted project analysis.

  • Sonarqube: Sonarqube is another commercial static analysis product. Its community edition is good at detecting bugs and vulnerabilities, and at generally improving code quality. It also provides an IDE extension, Sonarlint, which works well to supplement the CI offerings.

  • PHPStorm Code Inspections: The inspection tools built into PHPStorm are impressive and can identify many potential issues without any additional tooling.

  • PHP Inspections (EA Extended): This is a plugin for IntelliJ/PHPStorm which supplements the inspections built into PHPStorm.

Style Tools

  • PHPCS is the original code standards tool for PHP and dates back to 2006. Its primary use is to establish standards and identify violations. It does, however, also provide a package, phpcbf, which can sometimes automatically fix violations. PHPCS is extremely mature and very flexible, and comes with a massive selection of pre-written “Sniffs” available to use.

  • PhpCsFixer is supported by the popular Symfony framework. This tool automatically applies any defined code styles to code when it’s run, e.g. php-cs-fixer fix src. This seems to be the leading choice for a majority of projects.

  • StyleCI is Laravel’s answer to code style. This is a hosted commercial solution which is free for open-source projects. It takes a similar approach to PhpCsFixer and can automatically apply a selected style to code. It’s different though in that it modifies code after it’s been merged into a git repository. It fixes styles quietly in the background as developers make changes by pulling the code, restyling it, and pushing it back to the main repository.

Here’s a selection of some of the most popular packages using these today.

Project            Stars   PHPCS  PhpCsFixer  StyleCI
Laravel            71.9K   -      -           ✔️
Symfony            27.8K   -      ✔️          -
Composer           27.2K   -      ✔️          -
Guzzle             22.3K   -      ✔️          -
NextCloud          21.1K   -      ✔️          -
Monolog            20.1K   -      ✔️          -
PHPUnit            18.8K   -      ✔️          -
Wordpress          15.8K*  ✔️     -           -
Yii2               14K     -      ✔️          -
Slim               11.5K   ✔️     -           -
Phalcon            10.7K   ✔️     -           -
Doctrine           9.5K    ✔️     -           -
php-jwt            8.6K    -      ✔️          -
Twig               7.7K    -      ✔️          -
Assert             7.2K    -      ✔️          -
Predis             7.3K    -      ✔️          -
Elasticsearch SDK  5K      ✔️     ✔️          -
php-amqplib        4.2K    ✔️     -           -
Stripe SDK         3.6K    -      ✔️          -
Drupal             3.8K*   ✔️     -           -
Mediawiki          3.3K*   ✔️     -           -
Maxmind GeoIP2     2.1K    ✔️     ✔️          -
Paratest           2K      ✔️     -           -
Sentry SDK         1.7K    -      ✔️          -

PhpCsFixer Utilities

PhpCsFixer isn’t the most opinionated tool. A couple of projects have cropped up that ship opinionated configurations for this tool.

  • Pint, by the Laravel team.
  • PHPStyle, my own opinionated configuration.

Conclusion

The most popular tools overall appear to be PHPStan and PhpCsFixer.

However, there is no one-size-fits-all solution. Psalm has some popularity and is often used alongside PHPStan. And for enforcing code standards, PhpCsFixer is the most popular, but it’s still often paired with PHPCS, which has more complex configuration options.

The details in this post will probably not stay up to date for very long since the ecosystem is constantly evolving, but I found this analysis interesting when reviewing these tools for my own usage. If you have feedback or can correct me about any of the information in this post please leave me a comment.

Changelog

This post is periodically updated to keep up with the latest trends. See a list of its changes below.

Jan 2023

  • Updated the status of all projects on this page. Most projects gained some popularity but the order stayed roughly the same.
  • PHPStan, PHP-CS-Fixer, and Scrutinizer grew in popularity.
  • Added a section about php-cs-fixer utilities.

Jan 2022

Checked the status of all projects in these lists and updated stats. Psalm continues to grow in popularity; a couple of projects added it since they were last checked. Otherwise, no major changes.

March 2021

First version of this post released.