The top PHP static code analysis tools of 2024

The PHP community has a diverse ecosystem of static analysis tools, which can make it difficult to decide which ones to use. Hopefully this post helps you decide which of these tools you’ll adopt.

This post separates these tools into two types according to purpose. The first section covers static analysis for identifying bugs; the latter section covers tools that maintain code style and formatting.

Static Code Analysis Tools

  • PHPStan is the most commonly used tool and also one of the youngest. It has been rapidly adopted since its release in 2016. It discovers bugs in your code without running the code.

  • Psalm was also released in 2016 and has grown in popularity a little more slowly. It claims more features out of the box and focuses on type-related bugs.

  • Scrutinizer is the most popular commercial option in use by open-source projects and has been around longer than its open-source counterparts. It’s free for open-source projects but is only available as a hosted solution.
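As an added example (not code from this post, nor from the PHPStan or Psalm projects), here is the kind of type-related defect these tools report from the declared types alone, before any test executes the code; UserRepository and the helper functions are assumptions made for the illustration:

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the post or from either tool's project:
// the kind of defect PHPStan and Psalm report from declared types alone,
// before any test executes the code. UserRepository and the helper
// functions below are constructed for this example.

final class UserRepository
{
    /** @var array<int, string> user id => e-mail address */
    private array $emails = [1 => 'Alice@Example.com'];

    public function findEmail(int $id): ?string
    {
        return $this->emails[$id] ?? null; // null for an unknown id
    }
}

function normaliseEmail(string $email): string
{
    return strtolower(trim($email));
}

// Defect: findEmail() is declared ?string, but its result is passed straight
// to a string parameter. At a level where argument types are checked, both
// analysers flag the string|null argument from the signatures alone; PHP
// itself only fails at runtime, and only for an id that does not exist
// (a TypeError, with or without strict_types).
function emailForUnchecked(UserRepository $repo, int $id): string
{
    return normaliseEmail($repo->findEmail($id));
}

// Hardened form: the null branch is handled explicitly, which narrows the
// type (clearing the analyser report) and turns an accidental failure into
// a deliberate, logged decision.
function emailFor(UserRepository $repo, int $id): ?string
{
    $email = $repo->findEmail($id);
    if ($email === null) {
        error_log("unknown user id {$id}");
        return null;
    }
    return normaliseEmail($email);
}

$repo = new UserRepository();
var_dump(emailFor($repo, 1));          // string(17) "alice@example.com"
var_dump(emailFor($repo, 2));          // NULL
var_dump(emailForUnchecked($repo, 1)); // passes; id 2 would throw TypeError
```

Running the analyser in CI against emailForUnchecked() surfaces the problem on every push, whereas a test suite only catches it if some test happens to use an unknown id.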

Let’s look at what some popular open-source PHP projects use. This table only includes repositories with at least 1K GitHub stars which run the static analysis tools as part of their continuous integration systems.

Project            Stars   PHPStan  Psalm  Scrutinizer
Symfony            29K              ✔️
Composer           28K     ✔️
NextCloud          24.7K            ✔️     ✔️
Guzzle             22.8K   ✔️       ✔️
Monolog            20.7K   ✔️
PHPUnit            19.4K            ✔️
Yii2               14.2K                   ✔️
PHPDotEnv          12.8K   ✔️       ✔️
Slim               11.7K   ✔️
Phalcon            10.7K   ✔️       ✔️
Doctrine           9.7K    ✔️       ✔️
php-jwt            9.1K    ✔️
CakePHP            8.7K    ✔️       ✔️
Pest               8.3K    ✔️
AWS SDK            5.9K    ✔️
Elasticsearch SDK  5.2K    ✔️
php-amqplib        4.4K                    ✔️
Stripe SDK         3.5K    ✔️
Mediawiki          3.8K*
Maxmind GeoIP2     2.3K    ✔️
Paratest           2.2K    ✔️
Sentry SDK         1.8K    ✔️       ✔️
OpenTelemetry PHP  626     ✔️       ✔️     ✔️
OpenSearch PHP     78      ✔️

There are some other fairly popular tools worth mentioning, but they were not used by enough projects to be included in the table above.

  • Phan isn’t used by many of the projects I reviewed but is popular and well-supported. It was created at Etsy and appears to be the primary tool used by Wikipedia’s MediaWiki project. The advertised upside of Phan is its focus on minimizing false positives. This makes it trivial to adopt, but it might catch fewer issues than the other options.

  • PHP Mess Detector: This is an older static analysis tool which offers somewhat different functionality. Besides identifying potential bugs, it can also help identify generally poor code. It’s very mature and may be more useful for targeted project analysis.

  • Sonarqube: Sonarqube is a commercial static analysis product. Its community edition is good at detecting bugs and vulnerabilities, and at improving code quality generally. They also provide an IDE extension, SonarLint, which works well to supplement the CI offering.

  • PHPStorm Code Inspections: The inspection tools built into PHPStorm are impressive and can identify many potential issues without any additional tooling.

  • PHP Inspections (EA Extended): This is a plugin for IntelliJ/PHPStorm which supplements the inspections built into PHPStorm.

  • Qodana: This is a newer commercial product from JetBrains which is still in early access. It’s a hosted solution which can be used to analyze code and identify bugs and vulnerabilities.

Style Tools

  • PHPCS is the original code standards tool for PHP and dates back to 2006. Its primary use is to establish standards and identify violations. It does, however, also provide a package, phpcbf, which can sometimes automatically fix violations. PHPCS is extremely mature and very flexible, and comes with a massive selection of pre-written “Sniffs” available to use.

  • PhpCsFixer is supported by the popular Symfony framework. This tool automatically applies the configured code style to the code when it’s run, e.g. php-cs-fixer fix src. This seems to be the leading choice for a majority of projects.

  • StyleCI is Laravel’s answer to code style. This is a hosted commercial solution which is free for open-source projects. It takes a similar approach to PhpCsFixer and can automatically apply a selected style to code. It’s different, though, in that it modifies code after it’s been merged into a git repository. It fixes style quietly in the background as developers make changes, by pulling the code, restyling it, and pushing it back to the main repository.

Here’s a selection of some of the most popular packages using these today.

Project            Stars    PHPCS  PhpCsFixer  StyleCI
Laravel            75.6K                       ✔️
Symfony            29K             ✔️
Composer           28K             ✔️
NextCloud          24.7K           ✔️
Guzzle             22.8K           ✔️
Monolog            20.7K           ✔️
PHPUnit            19.4K           ✔️
Wordpress          18.4K*   ✔️
Yii2               14.2K           ✔️
Slim               11.7K    ✔️
Phalcon            10.7K    ✔️
Doctrine           9.7K     ✔️
php-jwt            9.1K            ✔️
Twig               8K              ✔️
Predis             7.5K            ✔️
Elasticsearch SDK  5.2K     ✔️     ✔️
php-amqplib        4.4K     ✔️
Stripe SDK         3.5K            ✔️
Drupal             4K*      ✔️
Mediawiki          3.8K*    ✔️
Maxmind GeoIP2     2.3K     ✔️     ✔️
Paratest           2.2K     ✔️
Sentry SDK         1.8K            ✔️
OpenTelemetry PHP  626      ✔️     ✔️
OpenSearch PHP     78              ✔️

PhpCsFixer Utilities

PhpCsFixer isn’t the most opinionated tool. A couple of projects have cropped up that ship opinionated configurations for it.

  • Pint by the Laravel team.
  • PHP.Style, my own opinionated configuration website.

Conclusion

Overall, the most popular tools appear to be PHPStan & PhpCsFixer.

However, there is no one-size-fits-all solution. Psalm has some popularity and is often used alongside PHPStan. For enforcing code standards, PhpCsFixer is the most popular, but it’s still often paired with PHPCS, which has more complex configuration options.

The details in this post will probably not stay up to date for very long since the ecosystem is constantly evolving, but I found this analysis interesting when reviewing these tools for my own usage. If you have feedback or can correct me about any of the information in this post please leave me a comment.

News & Changelog

This post is periodically updated to keep up with the latest trends.

Jan 2024

  • Updated the status of all projects on this page. Added a few newer notable projects.
  • PHPStan is up one and Psalm is down on the same project. Removed Phan from the table which is still only used by MediaWiki.
  • Jetbrains is previewing a new code analysis tool, Qodana, which is now included in the list. Only one project I checked is using it so far.
  • Things to look forward to this year: PHPStan 2.0 & expanded coding style standards with PERCS 2.0: https://www.php-fig.org/per/coding-style/

Jan 2023

  • Updated the status of all projects on this page. Most projects gained some popularity but order stayed roughly the same.
  • PHPStan, PHP-CS-Fixer, and Scrutinizer grew in popularity.
  • Added a section about php-cs-fixer utilities.

Jan 2022

Checked the status of all projects in these lists and updated the stats. Psalm continues to grow in popularity; a couple of projects added it since they were last checked. Otherwise, no major changes.

March 2021

First version of this post.