PHP Static Code Analysis: Tools and Best Practices

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

Writing clean, error-free PHP code is crucial for any successful project. Static analysis tools are your allies in this endeavor, helping you catch potential problems early in the development process. This article guides you through implementing static analysis in your PHP workflow, from basic syntax checks to advanced analysis with popular tools like PHPStan, Psalm, and PHPMD.

1. Start with PHP's built-in linter:

   php -l your_script.php

   This checks for basic syntax errors.

2. Choose a static analysis tool: Popular options include:

   • PHPStan: Configurable and catches a wide range of issues.

     composer require --dev phpstan/phpstan
     ./vendor/bin/phpstan analyse src

   • Psalm: Focuses on type-related errors and potential bugs.

     composer require --dev vimeo/psalm
     ./vendor/bin/psalm

   • PHP Mess Detector (PHPMD): Highlights messy code and potential problems.

     composer require --dev phpmd/phpmd
     ./vendor/bin/phpmd src text controversial

3. Integrate into your workflow:

   • Run locally: Execute the tool manually or as part of your development process.
   • Continuous Integration: Include static analysis in your CI/CD pipeline for automated checks.

4. Configure the tool:

   • Rulesets: Adjust the strictness and types of issues you want to catch.
   • Baselines: Start with existing code by creating a baseline to ignore known issues initially.

5. Address the findings:

   • Fix errors: Resolve issues flagged by the tool to improve code quality.
   • Add type hints: Help static analyzers understand your code better and catch more potential problems.

6. Iterate and improve:

   • Regularly run the analysis and gradually increase the strictness level.
   • Use the tool to enforce coding standards and prevent new issues from being introduced.

This code snippet demonstrates how to use various PHP static analysis tools like PHP's built-in linter, PHPStan, Psalm, and PHPMD to identify potential issues in your code. It provides examples of running each tool against a PHP file containing intentional errors, such as an undefined variable and a type mismatch. The description explains that these tools can be integrated into local development workflows or CI/CD pipelines to automate code quality checks. It emphasizes the importance of configuration, starting with less strict rules and gradually increasing the strictness, and iteratively addressing the findings to improve code quality over time.

<?php
// filename: example.php

// Example of a potential issue: undefined variable
function greet($name) {
    echo "Hello, $namee!"; // Typo in variable name
}

// Example of a type mismatch:
function add(int $a, int $b): int {
    return $a . $b; // Incorrect concatenation instead of addition
}

greet("Alice");
echo add(5, 10); 
?>

1. Using PHP's built-in linter:

php -l example.php

2. Using PHPStan:

composer require --dev phpstan/phpstan

# Create a phpstan.neon configuration file (optional but recommended)
# Example content for phpstan.neon:
# parameters:
#   level: 5

./vendor/bin/phpstan analyse example.php

3. Using Psalm:

composer require --dev vimeo/psalm

./vendor/bin/psalm --show-info=false example.php

4. Using PHPMD:

composer require --dev phpmd/phpmd

./vendor/bin/phpmd example.php text controversial

Explanation:

• The example.php file contains intentional errors to demonstrate the tools.
• PHP's linter will catch the undefined variable error.
• PHPStan will catch both the undefined variable and the type mismatch.
• Psalm will also catch both errors and provide suggestions for improvement.
• PHPMD will point out the unused $name parameter in the greet function.

Integrating into your workflow:

• Locally: You can run these commands manually or create scripts to automate the process.
• CI/CD: Integrate these tools into your CI/CD pipeline to run automatically on every code push.

Configuration and Iteration:

• Refer to the documentation of each tool for configuration options, rulesets, and baselines.
• Start with a less strict configuration and gradually increase the strictness as you fix existing issues.
• Regularly run the analysis and address the findings to maintain and improve code quality over time.

• Understanding the tools: While all three tools (PHPStan, Psalm, PHPMD) aim to improve code quality, they have different strengths:

  • PHPStan excels at finding type errors and inconsistencies.
  • Psalm goes further with advanced type analysis and potential bug detection.
  • PHPMD focuses on code style and maintainability, identifying messy or overly complex code.

• Gradual adoption: Don't feel overwhelmed by the potential findings. Start with a basic configuration and gradually increase the strictness as you become more comfortable.

• False positives: Static analysis tools aren't perfect. They might flag code that's technically correct but written in an unusual way. Use your judgment to determine if a finding is a genuine issue or a false positive.

• Beyond the basics: Explore additional features offered by these tools:

  • Custom rules: Define your own rules to enforce specific coding standards or catch project-specific issues.
  • Plugin ecosystems: Extend the functionality of these tools with plugins for frameworks, libraries, and more.

• Benefits beyond bug catching: Static analysis not only helps prevent bugs but also:

  • Improves code readability and maintainability.
  • Enforces coding standards and consistency.
  • Facilitates collaboration by providing a shared understanding of code quality.

• Continuous improvement: Static analysis is an ongoing process. Regularly review the findings, adjust the configuration, and strive to write cleaner and more robust PHP code.

This article provides a concise guide to implementing static analysis in your PHP projects:

1. Basic Syntax Check:

• Start with PHP's built-in linter (php -l your_script.php) to catch syntax errors.

2. Choose a Static Analysis Tool:

• PHPStan: Configurable, detects a wide range of issues.
• Psalm: Focuses on type-related errors and potential bugs.
• PHPMD: Highlights messy code and potential problems.

3. Integrate into Workflow:

• Locally: Run manually or integrate into your development process.
• CI/CD: Automate checks by including static analysis in your pipeline.

4. Configure the Tool:

• Rulesets: Customize strictness and target specific issue types.
• Baselines: Ignore known issues in existing code by creating a baseline.

5. Address Findings:

• Fix Errors: Resolve issues flagged by the tool to improve code quality.
• Add Type Hints: Enhance analysis accuracy and catch more potential problems.

6. Iterate and Improve:

• Regularly run analysis and gradually increase strictness.
• Enforce coding standards and prevent new issues using the chosen tool.

By embracing static analysis as an integral part of your PHP development process, you can significantly enhance code quality, reduce bugs, and build more robust applications. Remember to start with the basics, gradually increase the strictness of your analysis, and continuously iterate based on the findings. With the help of powerful tools like PHPStan, Psalm, and PHPMD, you can elevate your codebase and strive for excellence in your PHP projects.

• How can I perform static code analysis in PHP? - Stack Overflow | Dec 18, 2008 ... Run php in lint mode from the command line to validate syntax without execution: php -l FILENAME Higher-level static analyzers include:
• Keep your code under control with PHP static code analysis tools | Keeping code clean is not easy. That’s why in this article, I present some useful tools which can help you with PHP static code analysis. Learn more.
• The top PHP static code analysis tools of 2024 | Jan 7, 2024 ... Static Code Analysis Tools · PHP Mess Detector: This is an older static analysis tool which offers some different functionality. · Sonarqube: ...
• Code analysis tools to help with upgrading an app to a newer PHP ... | Posted by u/santamaps - 19 votes and 16 comments
• Psalm - a static analysis tool for PHP | Psalm is a free & open-source static analysis tool that helps you identify problems in your code, so you can sleep a little better.
• 5 Great PHP Code Analysis Tools Recommended by Developers ... | The developer community has a diverse ecosystem of static PHP code analysis tools which can make it somewhat difficult to decide which ones to use...
• Static Code Analysis | OWASP Foundation | Static Code Analysis on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
• Get Started with PHP Static Code Analysis | Get started with our guide to PHP static code analysis tools and detect problems before you even run the code.
• Recommendation - Static code analysis - Katalon Studio - Katalon ... | Do you have any recommendation for a static code analysis tool or plugin to use with Katalon Studio ?