Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP. The list of available tools and the installer are actually managed in the jakzal/toolbox repository.

Supported platforms and PHP versions

Docker hub repository: https://hub.docker.com/r/jakzal/phpqa/

Nightly builds: https://hub.docker.com/r/jakzal/phpqa-nightly/

Debian

latest, debian (Dockerfile)
1.90.0, 1.90, 1.90.0-debian, 1.90-debian (Dockerfile)
1.90.0-php8.0, 1.90-php8.0, php8.0-debian, php8.0 (Dockerfile)
1.90.0-php8.1, 1.90-php8.1, php8.1-debian, php8.1 (Dockerfile)
1.90.0-php8.2, 1.90-php8.2, php8.2-debian, php8.2 (Dockerfile)

Alpine

alpine (Dockerfile)
1.90.0-alpine, 1.90-alpine, (Dockerfile)
1.90.0-php8.0-alpine, 1.90-php8.0-alpine, php8.0-alpine (Dockerfile)
1.90.0-php8.1-alpine, 1.90-php8.1-alpine, php8.1-alpine (Dockerfile)
1.90.0-php8.2-alpine, 1.90-php8.2-alpine, php8.2-alpine (Dockerfile)

Legacy

These are the latest tags for PHP versions that are no longer supported:

1.80.0-php7.4, 1.80-php7.4, php7.4-debian, php7.4 (Dockerfile)
1.80.0-php7.4-alpine, 1.80-php7.4-alpine, php7.4-alpine (Dockerfile)
1.61.2-php7.3, 1.61-php7.3, php7.3-debian, php7.3 (debian/Dockerfile)
1.61.2-php7.3-alpine, 1.61-php7.3-alpine, php7.3-alpine (alpine/Dockerfile)
1.44.0-php7.2, 1.44-php7.2, php7.2 (7.2/debian/Dockerfile)
1.44.0-php7.2-alpine, 1.44-php7.2-alpine, php7.2-alpine (7.2/alpine/Dockerfile)
1.26.0-php7.1, 1.26-php7.1, php7.1 (7.1/debian/Dockerfile)
1.26.0-php7.1-alpine, 1.26-php7.1-alpine, php7.1-alpine (7.1/alpine/Dockerfile)

Available tools

Name	Description	PHP 8.0	PHP 8.1	PHP 8.2
behat	Helps to test business expectations	✅	✅	✅
box	Fast, zero config application bundler with PHARs	❌	✅	✅
box-3	Fast, zero config application bundler with PHARs	✅	✅	❌
churn	Discovers good candidates for refactoring	✅	✅	✅
codeception	Codeception is a BDD-styled PHP testing framework	✅	✅	✅
composer	Dependency Manager for PHP	✅	✅	✅
composer-bin-plugin	Composer plugin to install bin vendors in isolated locations	✅	✅	✅
composer-normalize	Composer plugin to normalize composer.json files	✅	✅	✅
composer-require-checker	Verify that no unknown symbols are used in the sources of a package.	❌	✅	✅
composer-require-checker-3	Verify that no unknown symbols are used in the sources of a package.	✅	✅	✅
composer-unused	Show unused packages by scanning your code	✅	✅	✅
dephpend	Detect flaws in your architecture	✅	✅	✅
deprecation-detector	Finds usages of deprecated code	✅	✅	✅
deptrac	Enforces dependency rules between software layers	❌	✅	✅
diffFilter	Applies QA tools to run on a single pull request	✅	✅	✅
ecs	Sets up and runs coding standard checks	✅	✅	✅
infection	AST based PHP Mutation Testing Framework	❌	✅	✅
larastan	PHPStan extension for Laravel	✅	✅	✅
local-php-security-checker	Checks composer dependencies for known security vulnerabilities	✅	✅	✅
parallel-lint	Checks PHP file syntax	✅	✅	✅
paratest	Parallel testing for PHPUnit	✅	✅	✅
pdepend	Static Analysis Tool	✅	✅	✅
phan	Static Analysis Tool	✅	✅	✅
phive	PHAR Installation and Verification Environment	✅	✅	✅
php-coupling-detector	Detects code coupling issues	✅	✅	✅
php-cs-fixer	PHP Coding Standards Fixer	✅	✅	✅
php-fuzzer	A fuzzer for PHP, which can be used to find bugs in libraries by feeding them 'random' inputs	✅	✅	✅
php-semver-checker	Suggests a next version according to semantic versioning	✅	✅	✅
phpa	Checks for weak assumptions	✅	✅	✅
phparkitect	Helps to put architectural constraints in a PHP code base	✅	✅	✅
phpat	Easy to use architecture testing tool	✅	✅	✅
phpbench	PHP Benchmarking framework	❌	✅	✅
phpca	Finds usage of non-built-in extensions	✅	✅	✅
phpcb	PHP Code Browser	✅	✅	✅
phpcbf	Automatically corrects coding standard violations	✅	✅	✅
phpcodesniffer-composer-install	Easy installation of PHP_CodeSniffer coding standards (rulesets).	✅	✅	✅
phpcov	a command-line frontend for the PHP_CodeCoverage library	❌	✅	✅
phpcpd	Copy/Paste Detector	✅	✅	✅
phpcs	Detects coding standard violations	✅	✅	✅
phpcs-security-audit	Finds vulnerabilities and weaknesses related to security in PHP code	✅	✅	✅
phpda	Generates dependency graphs	✅	❌	❌
phpdd	Finds usage of deprecated features	✅	✅	✅
phpDocumentor	Documentation generator	✅	✅	✅
phpinsights	Analyses code quality, style, architecture and complexity	✅	✅	✅
phplint	Lints php files in parallel	✅	✅	✅
phploc	A tool for quickly measuring the size of a PHP project	✅	✅	✅
phpmd	A tool for finding problems in PHP code	✅	✅	✅
phpmetrics	Static Analysis Tool	✅	✅	✅
phpmnd	Helps to detect magic numbers	✅	✅	✅
phpspec	SpecBDD Framework	✅	✅	❌
phpstan	Static Analysis Tool	✅	✅	✅
phpstan-banned-code	PHPStan rules for detecting calls to specific functions you don't want in your project	✅	✅	✅
phpstan-beberlei-assert	PHPStan extension for beberlei/assert	✅	✅	✅
phpstan-deprecation-rules	PHPStan rules for detecting deprecated code	✅	✅	✅
phpstan-doctrine	Doctrine extensions for PHPStan	✅	✅	✅
phpstan-ergebnis-rules	Additional rules for PHPstan	✅	✅	✅
phpstan-exception-rules	PHPStan rules for checked and unchecked exceptions	✅	✅	✅
phpstan-larastan	Separate installation of phpstan for larastan	✅	✅	✅
phpstan-phpunit	PHPUnit extensions and rules for PHPStan	✅	✅	✅
phpstan-strict-rules	Extra strict and opinionated rules for PHPStan	✅	✅	✅
phpstan-symfony	Symfony extension for PHPStan	✅	✅	✅
phpstan-webmozart-assert	PHPStan extension for webmozart/assert	✅	✅	✅
phpunit	The PHP testing framework	❌	✅	✅
phpunit-8	The PHP testing framework (8.x version)	✅	✅	✅
phpunit-9	The PHP testing framework (9.x version)	✅	✅	✅
pint	Opinionated PHP code style fixer for Laravel	✅	✅	✅
psalm	Finds errors in PHP applications	✅	✅	✅
psalm-plugin-doctrine	Stubs to let Psalm understand Doctrine better	✅	✅	✅
psalm-plugin-phpunit	Psalm plugin for PHPUnit	✅	✅	✅
psalm-plugin-symfony	Psalm Plugin for Symfony	✅	✅	✅
psecio-parse	Scans code for potential security-related issues	✅	✅	✅
rector	Tool for instant code upgrades and refactoring	✅	✅	✅
roave-backward-compatibility-check	Tool to compare two revisions of a class API to check for BC breaks	✅	✅	✅
simple-phpunit	Provides utilities to report legacy tests and usage of deprecated code	✅	✅	✅
twig-lint	Standalone cli twig 1.X linter	✅	✅	✅
twig-linter	Standalone cli twig 3.X linter	✅	✅	✅
twigcs	The missing checkstyle for twig!	✅	✅	✅
yaml-lint	Compact command line utility for checking YAML file syntax	❌	✅	✅

More tools

Some tools are not included in the docker image, to use them refer to their documentation:

exakat - a real time PHP static analyser

Removed tools

Name	Summary
analyze	Visualizes metrics and source code
box-legacy	Legacy version of box
composer-normalize	Composer plugin to normalize composer.json files
design-pattern	Detects design patterns
parallel-lint	Checks PHP file syntax
php-formatter	Custom coding standards fixer
phpcf	Finds usage of deprecated features
phpdoc-to-typehint	Automatically adds type hints and return types based on PHPDocs
phpstan-localheinz-rules	Additional rules for PHPstan
security-checker	Checks composer dependencies for known security vulnerabilities
testability	Analyses and reports testability issues of a php codebase

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v "$(pwd):/project". Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v "$(pwd)/tmp-phpqa:/tmp". If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src

You might want to tweak this command to your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

Building the image

git clone https://github.com/jakzal/phpqa.git
cd phpqa
make build-debian

To build the alpine version:

make build-alpine

Cookbook

Please check out the cookbook for further tips & tricks.

Contributing

Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

jakzal/phpqa

jakzal

Reviews

Repository Details