The top PHP static code analysis tools of 2022

The PHP community has a diverse ecosystem of static analysis tools which can make it somewhat difficult to decide which tools to use. Hopefully this post helps you decide which of these tools you’ll use.

This post separates these tools into one of two types depending on their purpose. The first section is static analysis for the purpose of identifying bugs. The later section is for maintenance of code style.

Static Code Analysis Tools

  • PHPStan is the most commonly used tool and also one of the youngest. It has been rapidly adopted since its release in 2016. It discovers bugs in your code without running the code.

  • Psalm was also released in 2016 and has grown in popularity a little more slowly. It claims more features out of the box and focuses on type-related bugs.

  • Scrutinizer is the most popular commercial option in use by open-source projects and has been around longer than its open-source counterparts. It’s free for open-source projects but is only available as a hosted solution.

  • Phan isn’t used by many of the projects I reviewed but is popular and well-supported. It was created at Etsy and appears to be the primary tool used by Wikipedia’s MediaWiki project. The advertised upside of using Phan is its focus on minimizing false positives. This makes it trivial to adopt, but it might catch fewer issues than the other options.
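As an added illustration, not from the original post or from any of the projects it lists, here is the kind of type-related defect PHPStan and Psalm report without executing the code: a method call on a value whose declared type is nullable, followed by the corrected form. The classes, the sample data and the command lines quoted in the comments are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical domain classes, constructed for this example.
final class User
{
    public function __construct(private string $email) {}

    public function getEmail(): string
    {
        return $this->email;
    }
}

final class UserRepository
{
    // Constructed sample data standing in for a database.
    private const EMAILS = [1 => 'alice@example.com'];

    // Returns null for an unknown id; the nullable return type is what
    // the analysers carry into every caller.
    public function find(int $id): ?User
    {
        return isset(self::EMAILS[$id]) ? new User(self::EMAILS[$id]) : null;
    }
}

// Buggy: getEmail() is called on User|null. PHPStan (level 8, e.g.
// `vendor/bin/phpstan analyse -l 8 src`) and Psalm (`vendor/bin/psalm`,
// issue type PossiblyNullReference) report this from the declared types
// alone; at runtime an unknown id becomes an uncaught Error.
function emailForBuggy(UserRepository $repo, int $id): string
{
    return $repo->find($id)->getEmail();
}

// Fixed: the null case is handled explicitly, so the remaining call is
// provably on a User and both tools accept it.
function emailFor(UserRepository $repo, int $id): ?string
{
    $user = $repo->find($id);
    if ($user === null) {
        return null;
    }
    return $user->getEmail();
}
```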

Let’s look at what some popular open-source PHP projects use. This table only includes repositories which have at least 1K GitHub stars and which run the static analysis tools as a component of their continuous integration systems.

  Project             Stars   PHPStan  Psalm  Scrutinizer  Phan
  Symfony             26.3K            ✔️
  Composer            26K     ✔️
  Guzzle              21.4K   ✔️       ✔️
  Monolog             19.4K   ✔️
  PHPUnit             18.1K            ✔️
  NextCloud           17.9K            ✔️     ✔️
  Yii2                13.9K                   ✔️
  PHPDotEnv           11.7K   ✔️       ✔️
  Slim                11.2K   ✔️
  Phalcon             10.5K   ✔️
  Doctrine            9K      ✔️
  Assert              7K               ✔️
  AWS SDK             5.4K    ✔️
  Elasticsearch SDK   4.8K    ✔️
  php-amqplib         4K                      ✔️
  Stripe SDK          3K      ✔️
  Mediawiki           2.8K*                                ✔️
  Maxmind GeoIP2      2K      ✔️
  Paratest            1.9K    ✔️       ✔️
  Sentry SDK          1.6K    ✔️       ✔️

There are a few other fairly popular tools worth mentioning which the projects above did not use in CI.

  • PHP Mess Detector: This is an older static analysis tool which offers somewhat different functionality. Besides identifying potential bugs, it can also help identify generally poor code. It’s very mature and may be more useful for targeted project analysis.

  • SonarQube: SonarQube is another commercial static analysis product. Its community edition is good at detecting bugs and vulnerabilities, and generally at improving code quality. They also provide an IDE extension, SonarLint, which works well to supplement the CI offerings.

  • PHPStorm Code Inspections: The inspection tools built into PHPStorm are impressive and can identify many potential issues without any additional tooling.

  • PHP Inspections (EA Extended): This is a plugin for IntelliJ/PHPStorm which supplements the inspections built into PHPStorm.

Style Tools

  • PHPCS is the original coding standards tool for PHP and dates back to 2006. Its primary use is to establish standards and identify violations. It does, however, also ship a companion tool, phpcbf, which can sometimes automatically fix violations. PHPCS is extremely mature and very flexible and comes with a massive selection of pre-written “Sniffs” available to use.

  • PhpCsFixer is supported by the popular Symfony framework. This tool automatically applies any defined code style to code when it’s run, e.g. php-cs-fixer fix src. This seems to be the leading choice for a majority of projects.

  • StyleCI is Laravel’s answer to code style. This is a hosted commercial solution which is free for open-source projects. It takes a similar approach to PhpCsFixer and can automatically apply a selected style to code. It’s different though in that it modifies code after it’s been merged into a git repository. It fixes styles quietly in the background as developers make changes by pulling the code, restyling it, and pushing it back to the main repository.

Here’s a selection of some of the most popular packages using these today.

  Project             Stars   PHPCS  PhpCsFixer  StyleCI
  Laravel             67.8K                      ✔️
  Symfony             26.3K          ✔️
  Composer            26K            ✔️
  Guzzle              21.4K          ✔️
  Monolog             19.4K          ✔️
  PHPUnit             18.1K          ✔️
  NextCloud           17.9K          ✔️
  Wordpress           15.8K*  ✔️
  Yii2                13.9K          ✔️
  Slim                11.2K   ✔️
  Phalcon             10.5K   ✔️     ✔️
  Doctrine            9K      ✔️
  php-jwt             7.9K           ✔️
  Twig                7.4K           ✔️
  Assert              7K             ✔️
  Predis              7K             ✔️
  Elasticsearch SDK   4.8K    ✔️     ✔️
  php-amqplib         4K      ✔️
  Stripe SDK          3.6K           ✔️
  Drupal              3.5K*   ✔️
  Mediawiki           2.8K*   ✔️
  Maxmind GeoIP2      2K      ✔️     ✔️
  Paratest            1.9K    ✔️
  Sentry SDK          1.6K           ✔️

Conclusion

The most popular tools to use overall appear to be PHPStan & PhpCsFixer.

However, there is no one-size-fits-all solution. Psalm appears to be gaining popularity among projects and is often used alongside PHPStan. For enforcing code standards PhpCsFixer is the most popular, but it’s still often paired with PHPCS, which has more complex configuration options.

The details in this post will probably not stay up to date for very long since the ecosystem is constantly evolving, but I found this analysis interesting when reviewing these tools for my own usage. If you have feedback or can correct me about any of the information in this post please leave me a comment.

Update Jan 2022

Checked the status of all projects in these lists and updated stats. Psalm continues to grow in popularity; a couple of projects added it since they were last checked. Otherwise, no major changes.