├── LICENSE.md
├── CONTRIBUTING.md
└── README.md

/LICENSE.md:
--------------------------------------------------------------------------------
Content is available under the Creative Commons 3.0 License.
https://creativecommons.org/licenses/by/3.0/
--------------------------------------------------------------------------------

/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contribution Guidelines

Prerequisites for list inclusion:

a) Must work on PHP code, but may also work on other languages.
b) Must be a static analysis tool: no need to run PHP to get feedback.
c) Must be unique, or a significant
d) Must fit in one of the current categories. Only one category is possible.
e) Old or dead projects, and software working only on dead PHP versions, are excluded.

A PR is the preferred way to suggest a new tool.

Thank you for your help!
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Static analysis tools for PHP

A curated list of static analysis tools for PHP.

## Contributing

See [CONTRIBUTING](https://github.com/exakat/php-static-analysis-tools/blob/master/CONTRIBUTING.md).

## Table of Contents

* [Bugs finders](#bugs-finders)
* [Coding standards](#coding-standards)
* [DIY](#diy)
* [Fixers](#fixers)
* [Metrics](#metrics)
* [Visualization](#visualization)
* [SaaS](#saas)
* [Misc](#misc)

### Bugs finders

Tools to report issues in code that are, or lead to, bugs.

* [AppChecker](https://npo-echelon.ru/en/solutions/appchecker.php) - Static analysis tool for finding bugs, weaknesses and vulnerabilities in source code.
* [Code insight](https://github.com/console-helpers/code-insight) - A tool for analysing other projects' code bases.
* [AST Metrics](https://github.com/Halleck45/ast-metrics) - A blazing-fast static code analyzer that helps you identify code that needs to be refactored.
* [Churn-PHP](https://github.com/bmitch/churn-php.git) - Discover files in need of refactoring.
* [composer-dependency-analyser](https://github.com/shipmonk-rnd/composer-dependency-analyser) - Fast detection of composer dependency issues (unused dependencies, shadow dependencies, misplaced dependencies).
* [Composer-Unused](https://github.com/composer-unused/composer-unused.git) - A Composer tool to show unused Composer dependencies by scanning your code.
* [Eir](https://github.com/Lixody/Eir) - A static vulnerability analysis tool written in C#.
* [Exakat](http://www.exakat.io/) - Smart static analysis.
* [jscpd](https://github.com/kucherenko/jscpd) - Copy/paste detector for programming source code.
* [Mondrian](https://github.com/Trismegiste/Mondrian) - A code analysis tool using graph theory.
* [name-collision-detector](https://github.com/shipmonk-rnd/name-collision-detector) - Detects symbol duplicates (class name collisions).
* [noverify](https://github.com/VKCOM/noverify) - Pretty fast linter (static code analysis utility) for PHP.
* [Pfff](https://github.com/facebook/pfff) - Tools for code analysis, visualizations, or style-preserving source transformation.
* [phanalist](https://github.com/denzyldick/phanalist.git) - A static analyzer for PHP. It helps you catch common mistakes in your PHP code.
* [PHP Analysis](https://github.com/cwi-swat/php-analysis) - A library for analysing and modifying PHP source code in Rascal (PHP AiR).
* [PHParch](https://github.com/j6s/phparch.git) - PHPArch is a work-in-progress architectural testing library for PHP projects.
* [PHP Assumption](https://github.com/rskuipers/php-assumptions.git) - Finds weak assumptions in the code and suggests turning them into stronger validations.
* [PhpCodeAnalyzer](https://github.com/wapmorgan/PhpCodeAnalyzer.git) - Finds usage of non-built-in extensions.
* [PHPCodeFixer](https://github.com/wapmorgan/PhpCodeFixer) - Finds usage of deprecated functions, variables and ini directives.
* [php-compat-info](https://github.com/llaville/php-compat-info) - Find out the minimum version and the extensions required for a piece of code to run.
* [php7mar](https://github.com/Alexia/php7mar) - PHP 7 Migration Assistant Report.
* [phpcallgraph](http://phpcallgraph.sourceforge.net/) - Generates static call graphs; such a graph visualizes the call dependencies among the methods or functions of an application.
* [PHPCPD](https://github.com/sebastianbergmann/phpcpd) - Spots copy/pasted code and helps enforce the DRY rule.
* [PHPDoctor](https://github.com/voku/PHPDoctor) - Check PHP files or directories for missing types.
* [Phan](https://github.com/etsy/phan) - The static analyzer by Rasmus, the creator of PHP.
* [Phinder](https://github.com/sider/phinder.git) - PHP code piece finder.
* [Phortress](https://github.com/lowjoel/phortress) - A PHP static code analyser for potential vulnerabilities.
* [PHP Compatibility](https://github.com/PHPCompatibility/PHPCompatibility/) - Find code which is incompatible with a specified range of PHP versions.
* [PHP Deprecation Detector](https://github.com/wapmorgan/PhpDeprecationDetector) - Analyzer of PHP code that searches for usages of functionality deprecated in newer interpreter versions.
* [PHP Code Static Analysis](https://github.com/joaaoleite/code-static-analysis) - PHP code static analysis program written in Node.js.
* [PHP Inspection](https://plugins.jetbrains.com/plugin/7622?pr=idea) - Static analysis plugin for PhpStorm.
* [PHP Integrator](https://github.com/php-integrator) - Indexes PHP code and performs static analysis for the Atom editor.
* [Phlint](https://gitlab.com/phlint/phlint) - A tool that aims to help maintain the quality of PHP code by analyzing it and pointing out potential issues.
* [PHP lint](http://php.net/manual/en/features.commandline.options.php) - PHP itself, able to detect syntax errors from the command line.
* [PHPlint](http://www.icosaedro.it/phplint/) - A validator and documenter for PHP 5 programs.
* [PHP-Parallel-Lint](https://github.com/php-parallel-lint/PHP-Parallel-Lint) - A parallel PHP linting tool for PHP 5.4 or newer.
* [PHP Magic Number Detector](https://github.com/povils/phpmnd) - Detects magic numbers in PHP code.
* [PHP-malware-finder](https://github.com/nbs-system/php-malware-finder) - Detect potentially malicious PHP files.
* [PHP Mess Detector](http://phpmd.org/) - Looks for several potential problems within source code.
* [PHP Reaper](https://github.com/emanuil/php-reaper.git) - Scans ADOdb code for SQL injections.
* [PHP SA](https://github.com/ovr/phpsa) - A development tool aimed at bringing complex analysis to PHP applications and libraries.
* [PHP Stan](https://github.com/phpstan/phpstan) - Focuses on finding errors in code without actually running it.
* [PHP Unlocker](http://emanuilslavov.com/php-unlocker/) - Detects potential, unintended DB table locks in PHP applications using ADOdb, by means of static analysis.
* [PHP testability](https://github.com/edsonmedina/php_testability) - Analyses a PHP codebase and produces a report of its testability issues.
* [PHP vuln hunter](https://github.com/OneSourceCat/phpvulhunter) - Scans for PHP vulnerabilities automatically using static analysis methods.
* [Progpilot](https://github.com/designsecurity/progpilot) - A static analysis tool for security purposes.
* [Psalm](https://getpsalm.org/) - A static analysis tool for finding errors in PHP applications.
* [psecio:parse](https://github.com/psecio/parse.git) - Parse: a PHP security scanner.
* [Qodana PHP by JetBrains](https://www.jetbrains.com/help/qodana/qodana-php.html) - A static analysis tool for PHP projects based on PhpStorm.
* [SonarQube](http://www.sonarqube.org/) - An open platform to manage code quality. It covers PHP code.
* [Side Channel Analyzer](https://github.com/olivo/side-channel-analyzer) - Search for side-channel vulnerable code.
* [TaintPHP](https://github.com/olivo/TaintPHP.git) - Static taint analyzer.
* [Tuli](https://github.com/ircmaxell/Tuli) - A static analysis engine.
* [Unused-scanner](https://github.com/Insolita/unused-scanner.git) - Detect unused composer dependencies.
* [WAP](https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection) - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications; it also predicts false positives.
* [PHP VarDump Check](https://github.com/php-parallel-lint/PHP-Var-Dump-Check) - PHP console application for finding forgotten variable dumps.
* [17eyes](https://github.com/17eyes/17eyes) - PHP static analyzer written in Haskell.
* [CakeFuzzer](https://zigrin.com/tools/cake-fuzzer) - Ultimate web application security testing tool for CakePHP based web applications.

### Coding standards

Tools to review the way PHP code is written, and more.

* [Pahout](https://github.com/wata727/pahout) - A pair programming partner for writing better PHP.
* [composer-normalize](https://github.com/ergebnis/composer-normalize) - Provides a composer plugin for normalizing composer.json.
* [EasyCodingStandard](https://github.com/Symplify/EasyCodingStandard) - An easy-to-use tool that lets you use CodeSniffer and PHP-CS-Fixer in a simple way.
* [editorconfig-checker](https://github.com/editorconfig-checker/editorconfig-checker.php) - A tool to verify that your files are in harmony with your .editorconfig.
* [PHPas](https://github.com/BaseMax/PHPAS.git) - A tool to format and beautify PHP code in the author's own style.
* [PHPArkitect](https://github.com/phparkitect/arkitect) - Helps you keep your PHP codebase coherent and solid by letting you add architectural constraint checks to your workflow.
* [PHP Code Sniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer) - PHPCS checks and auto-fixes code against a large range of coding standards.
* [PHPCheckstyle](https://github.com/PHPCheckstyle/phpcheckstyle) - A tool to help adhere to certain coding conventions.
* [PHP Doc Check](https://github.com/NielsdeBlaauw/php-doc-check) - Uses complexity metrics to enforce documentation conventions on non-trivial functions.
* [PHP formatter](https://github.com/mmoreram/php-formatter) - Provides bulk actions for your PHP projects to ensure their consistency.
* [TLint](https://github.com/tighten/tlint) - An opinionated code linter (with growing support for auto-formatting) for Tighten-flavored code conventions for Laravel and PHP.

### DIY

Libraries that may serve as the base for a home-made static analyzer.

* [Deptrac](https://github.com/sensiolabs-de/deptrac.git) - A static code analysis tool to enforce rules for dependencies between software layers.
* [PHP Architecture Tester](https://github.com/carlosas/phpat) - Easy-to-use architecture testing tool for PHP.
* [PHPArkitect](https://github.com/phparkitect/arkitect) - A static code analysis tool to enforce architectural rules in your codebase.
* [PHP-cfg](https://github.com/ircmaxell/php-cfg) - A Control Flow Graph implementation in PHP, written by ircmaxell.
* [PHP coupling detector](https://github.com/akeneo/php-coupling-detector) - Checks that code has no unwanted coupled classes.
* [PHP Parser](https://github.com/nikic/PHP-Parser) - Written in PHP by Nikita Popov and based on the actual grammar of PHP.
* [PHP Token Reflection](https://github.com/Andrewsville/PHP-Token-Reflection) - Library emulating the PHP internal reflection using just the tokenized source code.
* [PHPSandbox](https://github.com/fieryprophet/php-sandbox) - A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.
* [Reflection](https://github.com/phpDocumentor/Reflection.git) - Reflection library for static analysis of PHP projects.
* [Better Reflection](https://github.com/Roave/BetterReflection) - Reflection library with additional features such as parsing docblock type hints; uses nikic's PHP Parser under the hood.

### Fixers

Tools that automatically fix the code they are given.

* [Rector](https://github.com/rectorphp/rector) - AST-based instant upgrades of PHP applications.
* [FunctionFQNReplacer](https://github.com/Roave/FunctionFQNReplacer) - Provides a way to replace relative references to functions in function calls with absolute references.
* [Mago](https://mago.carthage.software/#/) - Mago: The Oxidized PHP Toolchain.
* [Phpactor](https://github.com/phpactor/phpactor) - Aims to provide heavy-lifting refactoring and introspection tools.
* [PHP BackSlasher](https://github.com/nilportugues/php-backslasher) - Tool that prefixes all PHP internal functions and constants with a backslash, so they resolve to the global namespace.
* [php-refactoring-browser](https://github.com/QafooLabs/php-refactoring-browser) - CLI refactoring tool.
* [PHP CS Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer) - Analyzes and tries to fix coding standards issues (PSR-1 and PSR-2 compatible).
* [phpdoc to typehint](https://github.com/dunglas/phpdoc-to-typehint) - Turns phpdoc comments into actual type hints (arguments and return).
* [php-scoper](https://github.com/humbug/php-scoper) - Prefixes all PHP namespaces in a file/directory to isolate the code bundled in PHARs.
* [Transphpile](https://github.com/jaytaph/Transphpile) - Write PHP 7, run PHP 5.6, with feature backport.
* [PHP Weaver](https://github.com/troelskn/phpweaver) - Analyses parameter types at runtime and generates the appropriate phpdocs.

### Metrics

Tools to measure code complexity, lines of code, etc.

* [AST Metrics](https://github.com/Halleck45/ast-metrics) - A blazing-fast static code analyzer that calculates various metrics to help identify code that needs to be refactored, and provides a beautiful graphical interface.
* [churn-php](https://github.com/bmitch/churn-php) - Helps discover good candidates for refactoring.
* [Design Pattern Detector](https://github.com/Halleck45/DesignPatternDetector.git) - Detection of design patterns in PHP code.
* [dePHPend](https://github.com/mihaeu/dephpend) - Helps analyze dependencies and architecture, and allows you to define constraints for both.
* [Dissect](https://github.com/jakubledl/dissect) - A set of tools for lexical and syntactical analysis.
* [php-arguments-detector](https://github.com/DeGraciaMathieu/php-arguments-detector) - Keep control over the complexity of your methods by checking that they do not have too many arguments.
* [php-smelly-code-detector](https://github.com/DeGraciaMathieu/php-smelly-code-detector) - PHP code smell detector.
* [php-class-dependencies-analyzer](https://github.com/DeGraciaMathieu/php-class-dependencies-analyzer) - Lets you monitor the dependencies and instability of your classes.
* [PHPLOC](https://github.com/sebastianbergmann/phploc) - Utility to measure PHP application size and count various structures.
* [PHP Metrics](https://github.com/Halleck45/PhpMetrics) - Calculates all sorts of metrics and displays them in a gorgeous interface.
* [PHP Semantic Versioning Checker](https://github.com/tomzx/php-semver-checker) - Compares two source sets and determines the appropriate semantic versioning to apply.
* [PhpStats](https://github.com/i582/phpstats) - Tool for collecting statistics, metrics and dependencies, and building various graphs for large projects to find bottlenecks.
* [PhpDependencyAnalysis](https://github.com/mamuz/PhpDependencyAnalysis) - Static code analysis to provide and verify a dependency graph against a defined architecture.
* [php-wording-detector](https://github.com/DeGraciaMathieu/php-wording-detector) - Simple tool to analyze and split the words contained in your code to check your DDD approach.
* [Quality Analyzer](https://github.com/Qafoo/QualityAnalyzer.git) - A tool to visualize metrics and source code.

### Visualization

Tools that display PHP code in a graphical way.

* [PHPcity](https://github.com/adrianhuna/PHPCity) - An implementation of the city-metaphor visualization, for PHP projects implemented in the object-oriented fashion.

### SaaS

Online services for PHP code that provide dashboards. They may use the previous tools or offer their own.

* [Bliss](https://blissai.com/index.html) - Automatically reviews code in real-time and shows how much it's worth in lines of code.
* [Codacy](https://www.codacy.com/) - Codacy: Automated Code Review.
* [Codebeat](https://codebeat.co/) - Decrease technical debt. Find refactoring opportunities.
* [Code Climate](https://codeclimate.com) - Hosted static analysis for Ruby, PHP and JavaScript source code.
* [CodeScene](https://codescene.io/) - Prioritize technical debt in PHP, JavaScript, etc.
* [Codegrip](https://www.codegrip.tech/) - A smarter and more secure way to do code review.
* [Deepsource](https://deepsource.io/) - DeepSource is a modern static analysis platform, built for engineering teams who move fast and don't break things.
* [Insight](https://insight.symfony.com/) - A SensioLabs tool that analyzes source code to find problems that degrade the overall quality of your projects.
* [Insphpect](https://insphpect.com/) - An automated code review tool which identifies inflexibilities in PHP code and helps you write better software.
* [RIPS](https://www.ripstech.com/) - The superior security software for PHP applications. Source code static analyser for vulnerabilities.
* [Scrutinizer](https://scrutinizer-ci.com/) - Improve code quality and find bugs before they hit production with our continuous inspection platform.
* [Sourcegraph](https://about.sourcegraph.com/) - Understand and search across your entire codebase.
* [SideCI](https://sideci.com/) - CI for automated code review by code analysis.
* [Laravelshift](https://laravelshift.com/) - The automated way to upgrade Laravel applications, all the way from Laravel 4.2 to the latest version of Laravel.

### Misc

* [HHVM](http://hhvm.com/) - Hack language from Facebook. Included a static code analyzer (SCA) up to version 3.3.8; newer versions no longer have one.
* [PHP Manipulator](https://github.com/schmittjoh/php-manipulator) - A library for analysing and modifying PHP source code.
* [PHP Parser](https://github.com/glayzzle/php-parser) - A Node.js library for parsing PHP and extracting tokens and AST.
* [PHPQA](https://edgedesigncz.github.io/phpqa/) - A wrapper around a lot of PHP tools, reporting into a single HTML file.
* [Fixtro](https://github.com/karlosagudo/fixtro) - A wrapper that runs on each pre-commit. It installs all the dependencies for its runners itself, and supports a lot of them (phpunit, phpmd, php-cs-fixer, etc.).
* [Coverage Checker](https://github.com/exussum12/coverageChecker) - A tool which allows some of the tools here to be enforced on changed code only. Good for moving towards new standards.
* [Composer Require Checker](https://github.com/maglnet/ComposerRequireChecker) - A CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies.
* [Static Analysis Results Baseliner](https://github.com/DaveLiddament/sarb) - A tool for generating a baseline from static analysis tools.
--------------------------------------------------------------------------------