├── LICENSE.md
├── CONTRIBUTING.md
└── README.md
/LICENSE.md:
--------------------------------------------------------------------------------
1 | Content is available under the Creative Commons 3.0 License.
2 | https://creativecommons.org/licenses/by/3.0/
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contribution Guidelines
2 |
3 | Prerequisites for list inclusion:
4 |
5 | a) Must work on PHP code, but may also work on other languages
6 | b) Must be a static analysis tool: no need to run PHP to get feedback.
7 | c) Must be unique, or a significant
8 | d) Must fit in one of the current categories. Only one category possible.
9 | e) Old or dead projects, software working only on dead PHP versions are excluded.
10 |
11 | A PR is the preferred way to suggest a new tool.
12 |
13 | Thank you for your help!
14 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Static analysis tools for PHP
2 |
3 | A curated list of static analysis tools for PHP.
4 |
5 | ## Contributing
6 | See [CONTRIBUTING](https://github.com/exakat/php-static-analysis-tools/blob/master/CONTRIBUTING.md).
7 |
8 | ## Table of Contents
9 |
10 | * [Bugs finders](#bugs-finders)
11 | * [Coding standards](#coding-standards)
12 | * [DIY](#diy)
13 | * [Fixers](#fixers)
14 | * [Metrics](#metrics)
15 | * [Saas](#saas)
16 | * [Misc](#misc)
17 |
18 |
19 | ### Bugs finders
20 | Tools that report issues in the code that are, or lead to, bugs.
21 |
22 | * [Exakat](http://www.exakat.io/) - Smart static analysis for PHP
23 | * [Mondrian](https://github.com/Trismegiste/Mondrian) - A code analysis tool using Graph Theory.
24 | * [PHP Assumption](https://github.com/rskuipers/php-assumptions.git) - Finds weak assumptions in the code and suggests turning them into stronger validations.
25 | * [PhpCodeAnalyzer](https://github.com/wapmorgan/PhpCodeAnalyzer.git) - Finds usage of non-built-in extensions in your PHP code.
26 | * [PHPCodeFixer](https://github.com/wapmorgan/PhpCodeFixer) - Finds usage of deprecated functions, variables and ini directives in your PHP code.
27 | * [php7mar](https://github.com/Alexia/php7mar) - PHP 7 Migration Assistant Report.
28 | * [phpcallgraph](http://phpcallgraph.sourceforge.net/) - PHP 7 Migration Assistant Report.
29 | * [PHPCPD](https://github.com/sebastianbergmann/phpcpd) - phpcpd spots copy/pasted code and helps enforce the DRY rule.
30 | * [Phan](https://github.com/etsy/phan) - The static analyzer by Rasmus.
31 | * [PHP Inspection](https://plugins.jetbrains.com/plugin/7622?pr=idea) - Static analysis for PhpStorm.
32 | * [PHP lint](http://php.net/manual/en/features.commandline.options.php) - PHP itself, able to detect syntax errors from the command line.
33 | * [PHPlint](http://www.icosaedro.it/phplint/) - PHPLint is a validator and documentator for PHP 5 programs
34 | * [PHP Mess Detector](http://phpmd.org/) - PHPMD takes a given PHP source code base and looks for several potential problems within that source.
35 | * [PHP Reaper](https://github.com/emanuil/php-reaper.git) - PHP tool to scan ADOdb code for SQL Injections
36 | * [PHP SA](https://github.com/ovr/phpsa) - PHPSA is a development tool aimed at bringing complex analysis for PHP applications and libraries.
37 | * [PHP vuln hunter](https://github.com/OneSourceCat/phpvulhunter) - A tool that can scan for PHP vulnerabilities automatically using static analysis methods.
38 | * [RIPS](http://rips-scanner.sourceforge.net/) - A static source code analyser for vulnerabilities in PHP scripts
39 | * [psecio:parse](https://github.com/psecio/parse.git) - Parse : A PHP Security Scanner
40 | * [SonarQube](http://www.sonarqube.org/) - An open platform to manage code quality. It covers PHP code.
41 | * [Side Channel Analyzer](https://github.com/olivo/side-channel-analyzer) - Search for side-channel vulnerable code.
42 | * [TaintPHP](https://github.com/olivo/TaintPHP.git) - Static Taint Analysis for PHP web applications.
43 | * [Tuli](https://github.com/ircmaxell/Tuli) - A static analysis engine
44 |
45 | ### Coding standards
46 |
47 | Tools that review the way PHP code was written and more.
48 |
49 | * [PHP Code Sniffer](https://github.com/squizlabs/PHP_CodeSniffer) - PHPCS checks the code against a large range of coding standards.
50 | * [PHPCheckstyle](https://github.com/PHPCheckstyle/phpcheckstyle) - A tool to help adhere to certain coding conventions.
51 |
52 | ### DIY
53 |
54 | Libraries that may be the base for a home-made static analyzer.
55 |
56 | * [Deptrac](https://github.com/sensiolabs-de/deptrac.git) - Deptrac is a static code analysis tool that helps to enforce rules for dependencies between software layers.
57 | * [PHP-cfg](https://github.com/ircmaxell/php-cfg) - A Control Flow Graph implementation in PHP. Written by ircmaxell.
58 | * [PHP coupling detector](https://github.com/akeneo/php-coupling-detector) - Check that your code has no unwanted coupled classes
59 | * [PHP Parser](https://github.com/nikic/PHP-Parser) - A PHP parser written in PHP. Written by Nikita Popov, and based on the actual grammar of PHP.
60 | * [PHP Token Reflection](https://github.com/Andrewsville/PHP-Token-Reflection) - Library emulating the PHP internal reflection using just the tokenized source code.
61 | * [PHPSandbox](https://github.com/fieryprophet/php-sandbox) - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
62 | * [Reflection](https://github.com/phpDocumentor/Reflection.git) - Reflection library to do Static Analysis for PHP Projects
63 |
64 |
65 | ### Fixers
66 |
67 | Tools that automatically fix the code they are provided with.
68 |
69 | * [php-refactoring-browser](https://github.com/QafooLabs/php-refactoring-browser) - A command line refactoring tool for PHP.
70 | * [PHP CS Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer) - Analyzes some PHP source code and tries to fix coding standards issues (PSR-1 and PSR-2 compatible)
71 | * [phpdoc-to-typehint](https://github.com/dunglas/phpdoc-to-typehint) - Turns your phpdoc comments into actual type hints (arguments and return).
72 |
73 | ### Metrics
74 |
75 | Tools that measure the code: complexity, lines of code, etc.
76 |
77 | * [Dissect](https://github.com/jakubledl/dissect) - A set of tools for lexical and syntactical analysis.
78 | * [PHPLOC](https://github.com/sebastianbergmann/phploc) - Utility that measures the size of a PHP application and counts various structures.
79 | * [PHP Metrics](https://github.com/Halleck45/PhpMetrics) - PHP Metrics calculates all sorts of metrics and displays them in a gorgeous interface.
80 | * [PHP Semantic Versioning Checker](https://github.com/tomzx/php-semver-checker) - Utility that checks the semantic version of a given code.
81 | * [PhpDependencyAnalysis](https://github.com/mamuz/PhpDependencyAnalysis) - Static code analysis to provide and verify a dependency graph against a defined architecture.
82 | * [PHP semver checker](https://github.com/tomzx/php-semver-checker) - Compares two source sets and determines the appropriate semantic versioning to apply.
83 | * [Quality Analyzer](https://github.com/Qafoo/QualityAnalyzer.git) - Quality Analyzer is a tool to visualize metrics and source code.
84 |
85 | ### Saas
86 |
87 | Online services that review PHP code and provide dashboards. They may use the previous tools or offer their own.
88 |
89 | * [Bliss](https://blissai.com/index.html) - "Bliss automatically reviews your code in real-time and shows you how much it's worth in lines of code".
90 | * [Checkmarx](http://lp.checkmarx.com/php-code-analysis/) - "Get a full PHP static security code analysis and prevent security vulnerabilities"
91 | * [Codacy](https://www.codacy.com/) - "Codacy: Automated Code Review"
92 | * [Code Climate](https://codeclimate.com) - "Hosted static analysis for Ruby, PHP and JavaScript source code."
93 | * [Insight](https://insight.sensiolabs.com/) - "SensioLabsInsight is a quality assurance tool that analyzes your source code to find problems that degrade the overall quality of your projects."
94 | * [Scrutinizer](https://scrutinizer-ci.com/) - "Improve code quality and find bugs before they hit production with our continuous inspection platform."
95 |
96 | ### Misc
97 |
98 | * [HHVM](http://hhvm.com/) - Hack language from Facebook. Included an SCA until version 3.3.8; newer versions no longer have it.
99 | * [PHP Manipulator](https://github.com/schmittjoh/php-manipulator) - A library for analysing and modifying PHP Source Code.
100 |
101 |
--------------------------------------------------------------------------------