The PHP community has a diverse ecosystem of static analysis tools which can make it somewhat difficult to decide which tools to use. Hopefully this post helps you decide which of these tools you’ll use.
This post separates these tools into one of two types depending on their purpose. The first section is static analysis for the purpose of identifying bugs. The later section is for maintenance of code style/formatting.
Static Code Analysis Tools
-
PHPStan is the most commonly used tool and also one of the youngest. It has been rapidly adopted since it’s release in 2016. It’ll discover bugs in your code without running the code.
-
Psalm was also released in 2016 and has grown in popularity a little more slowly. It claims more features out of the box and has a focus is on type-related bugs.
-
Scrutinizer is the most popular commercial option in use by open-source projects and has been around longer then its open-source counterparts. It’s free for open-source projects but is only available as a hosted solution.
Let’s look at what some popular open-source PHP project use. This table only includes repositories which have at least 1K GitHub stars, and which implement the static analysis tools as a component of their continuous integration systems.
| ⭐ | PHPStan | Psalm | Scrutinizer | |
|---|---|---|---|---|
| Laravel | 33K | ✔️ | ||
| Symfony | 29.9K | ✔️ | ||
| Composer | 28.8K | ✔️ | ||
| NextCloud | 28.5K | ✔️ | ✔️ | |
| Guzzle | 23.3K | ✔️ | ✔️ | |
| Monolog | 21.1K | ✔️ | ||
| PHPUnit | 19.8K | ✔️ | ||
| PHP-Parser | 17.1K | ✔️ | ||
| Carbon | 16.6K | ✔️ | ✔️ | |
| Yii2 | 14.3K | ✔️ | ||
| PhpSpreadsheet | 13.5K | ✔️ | ||
| Flysystem | 13.4K | ✔️ | ✔️ | |
| PHPDotEnv | 13.3K | ✔️ | ✔️ | |
| Slim | 12K | ✔️ | ✔️ | |
| EmailValidator | 11.5K | ✔️ | ||
| Phalcon | 10.8K | ️ | ✔️ | |
| Doctrine | 10K | ✔️ | ||
| Pest | 9.9K | ✔️ | ||
| php-jwt | 9.5K | ✔️ | ️ | |
| CakePHP | 8.7K | ✔️ | ✔️ | |
| Twig | 8.2K | ✔️ | ||
| Predis | 7.6K | ✔️ | ||
| AWS SDK | 6.1K | ✔️ | ||
| Elasticsearch SDK | 5.3K | ✔️ | ||
| php-amqplib | 4.5K | ✔️ | ||
| Stripe SDK | 3.8K | ✔️ | ||
| Mediawiki | 4.4K+ | |||
| Maxmind GeoIP2 | 2.4K | ✔️ | ||
| Paratest | 2.3K | ✔️ | ️ | |
| Sentry SDK | 1.8K | ✔️ | ✔️ | |
| OpenTelemetry PHP | 776 | ✔️ | ✔️ | ✔️ |
| OpenSearch PHP | 115 | ✔️ |
There are some other fairly popular tools worth mentioning but which were not used by enough projects to be included in the table above.
-
Phan isn’t used by any of the projects here besides MediaWiki that I could find. It was created originally at Etsy and appears to be the primary tool used by Wikipedia’s MediaWiki project. The advertised upside of using Phan is that it has a focus on minimizing false-positives. This makes it trivial to use, but it might catch fewer issues compared to others.
-
PHPStorm Code Inspections: The inspection tools built into PHPStorm are impressive and can identify many potential issues without any additional tooling.
-
PHP Mess Detector: This is an older static analysis tool which offers some different functionality. Besides identifying potential bugs it also can help identifying generally poor code. It’s very mature and may be more useful for targeted project analysis.
-
Sonarqube: Sonarqube is a commercial static analysis product. It’s community edition is good at detecting bugs, vulnerabilities, and generally for improving code quality. They also provides an IDE extension, Sonarlint which works well to supplement the CI offerings.
-
PHP Inspections (EA Extended): This is a plugin for IntelliJ/PHPStorm which supplements the inspections built into PHPStorm.
-
Qodana: This is a newer commercial product from JetBrains which is still in early access. It’s a hosted solution which can be used to analyze code and identify bugs and vulnerabilities.
Style Tools
-
PHPCS is the original code standards tool for PHP and dates back to 2006. It’s primary use is to establish standards and identify violations. It does however also provide a package
phpcbfwhich can sometimes automatically fix violations. PHPCS is extremely mature and very flexible and comes with a massive selection of pre-written “Sniffs” available to use. -
PhpCsFixer is supported by the popular Symfony framework. This tool automatically applies any defined code styles to code when it’s run. e.g.
php-cs-fixer fix src. This seems to be the leading choice for a majority of projects.
Some other interesting style tools I found that weren’t heavily in use while reviewing these projects
- Composer Normalize Action Tool to keep your composer file formatted consistently
Here’s a selection of some popular packages today.
| ⭐ | PhpCsFixer | PHPCS | |
|---|---|---|---|
| Laravel | 33K | ✔️ | |
| Symfony | 29.9K | ✔️ | |
| Composer | 28.8K | ✔️ | |
| NextCloud | 28.5K | ✔️ | |
| Guzzle | 23.3K | ✔️ | |
| Monolog | 21.1K | ✔️ | |
| PHPUnit | 19.8K | ✔️ | |
| Wordpress | 18.4K+ | ✔️ | |
| PHP-Parser | 17.1K | ✔️ | |
| Carbon | 16.6K | ✔️ | |
| Yii2 | 14.3K | ✔️ | |
| PhpSpreadsheet | 13.5K | ✔️ | ✔️ |
| Flysystem | 13.4K | ✔️ | |
| Slim | 12K | ✔️ | |
| Phalcon | 10.8K | ✔️ | ✔️ |
| Doctrine | 10K | ✔️ | |
| php-jwt | 9.5K | ✔️ | |
| CakePHP | 8.7K | ✔️ | |
| Twig | 8K | ✔️ | |
| Predis | 7.6K | ✔️ | |
| php-amqplib | 4.5K | ✔️ | |
| Stripe SDK | 3.8K | ✔️ | |
| Drupal | 4.1K+ | ✔️ | |
| Mediawiki | 4.4K+ | ✔️ | |
| Maxmind GeoIP2 | 2.4K | ✔️ | |
| Paratest | 2.2K | ✔️ | |
| Sentry SDK | 1.8K | ✔️ | |
| OpenTelemetry PHP | 776 | ✔️ | ✔️ |
| OpenSearch PHP | 115 | ✔️ |
PhpCsFixer Utilities
PhpCsFixer isn’t the most opinionated tool. A couple of projects have cropped up that ship opinionated configurations for this tool.
- Pint opinionated php-sc-fixer by the Laravel team.
- Styleci a hosted version fixer by the Laravel team. It fixes styles quietly in the background as developers make changes by pulling the code, restyling it, and pushing it back to the main repository.
- PHP.Style my own opinionated configuration.
Conclusion
The most popular tools to use overall appear are PHPStan & PhpCsFixer.
However, it’s not a one size fit all solution. Psalm has strong popularity and is often used alongside PHPStan. And for enforcing code standards, PhpCsFixer is the most popular, but it’s still often paired with PHPCS which has more complex configuration options.
I found this analysis interesting when reviewing these tools for my own usage. If you have feedback or can correct me about any of the information in this post please leave me a comment.
News & Changelog
This post is periodically updated to keep up with the latest trends.
Jan 2025
- Audited the status of all projects
- Removed style ci from style tools table
- PHPStan picked up a few new projects this year and continues growing in popularity
- PHPStan released 2.0 version in november. First major release in a while.
- PHPCS picked up a few new projects from this sample group and is still going strong though PhpCsFixer remains the more popular choice overall.
- Added a few popular projects.
Jan 2024
- Updated the status of all projects on this page. Added a few newer notable projects.
- PHPStan is up one and Psalm is down on the same project. Removed Phan from the table which is still only used by MediaWiki.
- Jetbrains is previewing a new code analysis tool, Qodana, which is now included in the list. Only one project I checked is using it so far.
- Things to look forward to this year: PHPStan 2.0 & expanded coding style standards w/ PERCS 2.0: https://www.php-fig.org/per/coding-style/
Jan 2023
- Updated the status of all projects on this page. Most projects gained some popularity but order stayed roughly the same.
- PHPStan, PHP-CS-Fixer, and Scrutinizer grew in popularity.
- Add section about php-cs-fixer utilities.
Jan 2022
Checked the status of all projects in these lists and updated stats. Psalm continues to grow in popularity, a couple projects added it since they were last checked. Otherwise, no major changes.
March 2021
First version of this post