Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP. The list of available tools and the installer are actually managed in the jakzal/toolbox repository.

Supported platforms and PHP versions

Docker hub repository: https://hub.docker.com/r/jakzal/phpqa/

Nightly builds: https://hub.docker.com/r/jakzal/phpqa-nightly/

Debian

• latest, debian (debian/Dockerfile)
• 1.64.0, 1.64, 1.64.0-debian, 1.64-debian (debian/Dockerfile)
• 1.64.0-php7.4, 1.64-php7.4, php7.4-debian, php7.4 (debian/Dockerfile)
• 1.64.0-php8.0, 1.64-php8.0, php8.0-debian, php8.0 (debian/Dockerfile)

Alpine

• alpine (alpine/Dockerfile)
• 1.64.0-alpine, 1.64-alpine, (alpine/Dockerfile)
• 1.64.0-php7.4-alpine, 1.64-php7.4-alpine, php7.4-alpine (alpine/Dockerfile)
• 1.64.0-php8.0-alpine, 1.64-php8.0-alpine, php8.0-alpine (alpine/Dockerfile)

Legacy

These are the latest tags for PHP versions that are no longer supported:

• 1.61.2-php7.3, 1.61-php7.3, php7.3-debian, php7.3 (debian/Dockerfile)
• 1.61.2-php7.3-alpine, 1.61-php7.3-alpine, php7.3-alpine (alpine/Dockerfile)
• 1.44.0-php7.2, 1.44-php7.2, php7.2 (7.2/debian/Dockerfile)
• 1.44.0-php7.2-alpine, 1.44-php7.2-alpine, php7.2-alpine (7.2/alpine/Dockerfile)
• 1.26.0-php7.1, 1.26-php7.1, php7.1 (7.1/debian/Dockerfile)
• 1.26.0-php7.1-alpine, 1.26-php7.1-alpine, php7.1-alpine (7.1/alpine/Dockerfile)

Available tools

Name	Description	PHP 7.4	PHP 8.0	PHP 8.1
analyze	Visualizes metrics and source code	✅	❌	❌
behat	Helps to test business expectations	✅	✅	✅
box	Fast, zero config application bundler with PHARs	✅	✅	✅
box-legacy	Legacy version of box	✅	✅	✅
churn	Discovers good candidates for refactoring	✅	✅	✅
codeception	Codeception is a BDD-styled PHP testing framework	✅	✅	✅
composer	Dependency Manager for PHP	✅	✅	✅
composer-bin-plugin	Composer plugin to install bin vendors in isolated locations	✅	✅	✅
composer-normalize	Composer plugin to normalize composer.json files	✅	✅	✅
composer-require-checker	Verify that no unknown symbols are used in the sources of a package.	❌	✅	✅
composer-require-checker-3	Verify that no unknown symbols are used in the sources of a package.	✅	✅	✅
composer-unused	Show unused packages by scanning your code	✅	✅	✅
dephpend	Detect flaws in your architecture	✅	✅	✅
deprecation-detector	Finds usages of deprecated code	✅	✅	✅
deptrac	Enforces dependency rules between software layers	✅	✅	✅
diffFilter	Applies QA tools to run on a single pull request	✅	✅	✅
ecs	Sets up and runs coding standard checks	✅	✅	✅
infection	AST based PHP Mutation Testing Framework	✅	✅	✅
larastan	PHPStan extension for Laravel	✅	✅	✅
local-php-security-checker	Checks composer dependencies for known security vulnerabilities	✅	✅	✅
parallel-lint	Checks PHP file syntax	✅	✅	✅
paratest	Parallel testing for PHPUnit	✅	✅	✅
pdepend	Static Analysis Tool	✅	✅	✅
phan	Static Analysis Tool	✅	✅	✅
phive	PHAR Installation and Verification Environment	✅	✅	✅
php-coupling-detector	Detects code coupling issues	✅	✅	✅
php-cs-fixer	PHP Coding Standards Fixer	✅	✅	✅
php-formatter	Custom coding standards fixer	✅	❌	❌
php-fuzzer	A fuzzer for PHP, which can be used to find bugs in libraries by feeding them 'random' inputs	✅	✅	✅
php-semver-checker	Suggests a next version according to semantic versioning	✅	✅	✅
phpa	Checks for weak assumptions	✅	✅	✅
phpat	Easy to use architecture testing tool	✅	✅	✅
phpbench	PHP Benchmarking framework	✅	✅	✅
phpca	Finds usage of non-built-in extensions	✅	✅	✅
phpcb	PHP Code Browser	✅	✅	✅
phpcbf	Automatically corrects coding standard violations	✅	✅	✅
phpcodesniffer-composer-install	Easy installation of PHP_CodeSniffer coding standards (rulesets).	✅	✅	✅
phpcov	a command-line frontend for the PHP_CodeCoverage library	✅	✅	✅
phpcpd	Copy/Paste Detector	✅	✅	✅
phpcs	Detects coding standard violations	✅	✅	✅
phpcs-security-audit	Finds vulnerabilities and weaknesses related to security in PHP code	✅	✅	✅
phpda	Generates dependency graphs	✅	✅	❌
phpdd	Finds usage of deprecated features	✅	✅	✅
phpdoc-to-typehint	Automatically adds type hints and return types based on PHPDocs	✅	✅	✅
phpDocumentor	Documentation generator	✅	✅	✅
phpinsights	Analyses code quality, style, architecture and complexity	✅	✅	✅
phplint	Lints php files in parallel	✅	✅	✅
phploc	A tool for quickly measuring the size of a PHP project	✅	✅	✅
phpmd	A tool for finding problems in PHP code	✅	✅	✅
phpmetrics	Static Analysis Tool	✅	✅	✅
phpmnd	Helps to detect magic numbers	✅	✅	✅
phpspec	SpecBDD Framework	✅	✅	❌
phpstan	Static Analysis Tool	✅	✅	✅
phpstan-beberlei-assert	PHPStan extension for beberlei/assert	✅	✅	✅
phpstan-deprecation-rules	PHPStan rules for detecting deprecated code	✅	✅	✅
phpstan-doctrine	Doctrine extensions for PHPStan	✅	✅	✅
phpstan-ergebnis-rules	Additional rules for PHPstan	✅	✅	✅
phpstan-exception-rules	PHPStan rules for checked and unchecked exceptions	✅	✅	✅
phpstan-larastan	Separate installation of phpstan for larastan	✅	✅	✅
phpstan-phpunit	PHPUnit extensions and rules for PHPStan	✅	✅	✅
phpstan-strict-rules	Extra strict and opinionated rules for PHPStan	✅	✅	✅
phpstan-symfony	Symfony extension for PHPStan	✅	✅	✅
phpstan-webmozart-assert	PHPStan extension for webmozart/assert	✅	✅	✅
phpunit	The PHP testing framework	✅	✅	✅
phpunit-5	The PHP testing framework (5.x version)	✅	❌	❌
phpunit-7	The PHP testing framework (7.x version)	✅	❌	❌
phpunit-8	The PHP testing framework (8.x version)	✅	✅	✅
psalm	Finds errors in PHP applications	✅	✅	✅
psalm-plugin-doctrine	Stubs to let Psalm understand Doctrine better	✅	✅	✅
psalm-plugin-phpunit	Psalm plugin for PHPUnit	✅	✅	✅
psalm-plugin-symfony	Psalm Plugin for Symfony	✅	✅	✅
psecio-parse	Scans code for potential security-related issues	✅	✅	✅
rector	Tool for instant code upgrades and refactoring	✅	✅	✅
roave-backward-compatibility-check	Tool to compare two revisions of a class API to check for BC breaks	✅	❌	❌
simple-phpunit	Provides utilities to report legacy tests and usage of deprecated code	✅	✅	✅
twig-lint	Standalone twig linter	✅	✅	✅
twigcs	The missing checkstyle for twig!	✅	✅	✅
yaml-lint	Compact command line utility for checking YAML file syntax	✅	✅	✅

More tools

Some tools are not included in the docker image, to use them refer to their documentation:

• exakat - a real time PHP static analyser

Removed tools

Name	Summary
composer-normalize	Composer plugin to normalize composer.json files
design-pattern	Detects design patterns
parallel-lint	Checks PHP file syntax
phpcf	Finds usage of deprecated features
phpstan-localheinz-rules	Additional rules for PHPstan
security-checker	Checks composer dependencies for known security vulnerabilities
testability	Analyses and reports testability issues of a php codebase

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v "$(pwd):/project". Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v "$(pwd)/tmp-phpqa:/tmp". If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src

You might want to tweak this command to your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

GitHub actions

The image can be used with GitHub actions. Below is an example for several static analysis tools.

# .github/workflows/static-code-analysis.yml
name: Static code analysis

on: [pull_request]

jobs:
  static-code-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: PHPStan
        uses: docker://jakzal/phpqa:php8.0-alpine
        with:
          args: phpstan analyze src/ -l 1
      - name: PHP-CS-Fixer
        uses: docker://jakzal/phpqa:php8.0-alpine
        with:
          args: php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
      - name: Deptrac
        uses: docker://jakzal/phpqa:php8.0-alpine
        with:
          args: deptrac --no-interaction --ansi --formatter-graphviz-display=0

Bitbucket Pipelines

Here is an example configuration of a bitbucket pipeline using the phpqa image:

# bitbucket-pipelines.yml
image: jakzal/phpqa:php8.0-alpine
pipelines:
  default:
    - step:
        name: Static analysis
        caches:
          - composer
        script:
          - composer install --no-scripts --no-progress
          - phpstan analyze src/ -l 1
          - php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
          - deptrac --no-interaction --ansi --formatter-graphviz-display=0

Unfortunately, bitbucket overrides the docker entrypoint so composer needs to be explicitly invoked as in the above example.

Starter-kits / Templates

ro0NL/php-package-starter-kit

A template repository for agnostic PHP libraries. It utilizes the PHPQA image into a Makefile and configures some tools by default.

ro0NL/symfony-docker

A template repository for Docker based Symfony applications. It utilizes the PHPQA image into a Dockerfile and integrates in the composed landscape.

Building the image

git clone https://github.com/jakzal/phpqa.git
cd phpqa
make build-debian

To build the alpine version:

make build-alpine

Customising the image

It's often needed to customise the image with project specific extensions. To achieve that simply create a new image based on jakzal/phpqa:

FROM jakzal/phpqa:alpine

RUN apk add --no-cache libxml2-dev \
 && docker-php-ext-install soap

Next, build it:

docker build -t foo/phpqa .

Finally, use your customised image instead of the default one:

docker run --init -it --rm -v "$(pwd):/project" -w /project foo/phpqa phpmetrics .

Adding PHPStan extensions

A number of PHPStan extensions is available on the image in /tools/.composer/vendor-bin/phpstan/vendor out of the box. You can find them with the command below:

phpqa find /tools/.composer/vendor-bin/phpstan/vendor/ -iname 'rules.neon' -or -iname 'extension.neon'

Use the composer-bin-plugin to install any additional PHPStan extensions in the phpstan namespace:

FROM jakzal/phpqa:alpine

RUN composer global bin phpstan require phpstan/phpstan-phpunit

You'll be able to include them in your PHPStan configuration from the /tools/.composer/vendor-bin/phpstan/vendor path:

includes:
    - /tools/.composer/vendor-bin/phpstan/vendor/phpstan/phpstan-phpunit/extension.neon

Debugger & Code Coverage

The pcov code coverage extension, as well as the php-dbg debugger, are provided on the image out of the box.

pcov is disabled by default so it doesn't affect performance when it's not needed, and doesn't break interoperability with other coverage extensions. It can be enabled by setting pcov.enabled=1:

phpqa php -d pcov.enabled=1 ./vendor/bin/phpunit --coverage-text

Infection users will need to define initial php options:

phpqa /tools/infection run --initial-tests-php-options='-dpcov.enabled=1'

Contributing

Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.