10 BEST PHP STATIC ANALYSIS LIBRARIES


by Dejaswarooba dot icon Updated: Feb 22, 2023



Here are the best PHP static analysis libraries: tools that find defects in a program by examining its source code, without running the application.


Static analysis is the automatic examination of source code without running the program; dynamic analysis is analysis carried out while the program executes. Static analysis routinely finds security flaws, performance problems, violations of coding standards, and obsolete language constructs. All static analysis tools share one fundamental idea: they scan the source for patterns of interest and report each match as a warning or an informational message. Some programmers also use static analysis as an objective indicator of code quality, by configuring the tool to measure selected portions of the code and to report only on a subset of its rules. Because the code is never run, a static tool sees only what is written in the source: behaviour that depends on runtime configuration, on strings assembled at run time, or on code pulled in through eval() and dynamic include is outside its view, so static analysis complements testing and dynamic analysis rather than replacing them.


The libraries below make static analysis of PHP source code straightforward for developers.

phpstan

  • Finds problems in your code without running it.
  • Finds entire classes of errors even before you write tests for the code.
  • Brings PHP closer to compiled languages, in that the validity of every line can be checked before it is ever executed.

phpstan by phpstan
Language: PHP | Stars: 11928 | Version: 1.10.19 | License: Permissive (MIT)

PHP Static Analysis Tool - discover bugs in your code without running it!


phan

  • Prefers to minimize false positives.
  • Attempts to prove incorrectness rather than correctness.
  • Can verify type compatibility across many kinds of operations.
  • The most straightforward way to install and run Phan is via Composer.

phan by phan
Language: PHP | Stars: 5423 | Version: 5.4.2 | License: Others (Non-SPDX)

Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.
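The following is an added example, not code from PHPStan, Phan or this page, illustrating what the PHPStan and Phan entries above mean by finding errors "without running your code": a small file with three type-level defects that PHP itself only notices when the faulty line executes, and the corrected version. The class, methods and functions are invented for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PHPStan's or Phan's own code. UserRepository, findName(),
// greetBefore() and greetAfter() are invented names for the illustration.

final class UserRepository
{
    /** @var array<int, string> */
    private array $names = [1 => 'alice', 2 => 'bob'];

    // The declared return type admits null for an unknown id. A reader may
    // overlook that; the analyser does not.
    public function findName(int $id): ?string
    {
        return $this->names[$id] ?? null;
    }
}

// --- Before: three defects that PHP itself notices only when the line runs ---
function greetBefore(UserRepository $repo, string $rawId): string
{
    // 1. A string is passed where int is declared. Under strict_types this is
    //    a TypeError at run time; PHPStan (level 5 and above) and Phan report
    //    the mismatch from the source alone.
    $name = $repo->findName($rawId);

    // 2. string|null flows into strtoupper(), which requires string. Both
    //    tools report the nullable argument; at run time it would be a
    //    TypeError the first time an unknown id arrived.
    $upper = strtoupper($name);

    // 3. A misspelled method name. "Call to an undefined method" is reported
    //    even at PHPStan level 0, the cheapest check there is.
    return 'Hello ' . $upper . ' / ' . $repo->findNmae(1);
}

// --- After: the same behaviour for valid input, with every path typed ---
function greetAfter(UserRepository $repo, string $rawId): string
{
    // Validate and convert the untrusted string once, at the boundary.
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $name = $repo->findName((int) $rawId);

    // Handle the null branch explicitly: the analyser now knows $name is string.
    if ($name === null) {
        return 'Hello stranger';
    }
    return 'Hello ' . strtoupper($name);
}

// greetBefore() is deliberately never called: analysing it is safe, running it is not.
echo greetAfter(new UserRepository(), '1'), PHP_EOL;
echo greetAfter(new UserRepository(), '9'), PHP_EOL;
```

With PHPStan installed through Composer, `vendor/bin/phpstan analyse --level 6 example.php` reports all three defects in greetBefore() and nothing in greetAfter(); Phan does the same once `vendor/bin/phan --init` has written its configuration. Neither tool executes the file, which is why a function that would throw on its first line can still be analysed in full.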


psalm

  • Performs type inference, taint analysis and other security analysis.
  • Finds errors in PHP applications.
  • Helps to maintain a wide variety of codebases.

psalm by vimeo
Language: PHP | Stars: 5227 | Version: 5.12.0 | License: Permissive (MIT)

A static analysis tool for finding errors in PHP applications


PhpMetrics

  • Provides metrics about PHP projects and their classes.
  • Generates attractive, readable HTML reports.
  • A static analysis tool whose output is easy to understand.

PhpMetrics by phpmetrics
Language: PHP | Stars: 2348 | Version: v3.0.0rc3 | License: Permissive (MIT)

Beautiful and understandable static analysis tool for PHP


noverify

  • Can analyse only the changes in a git diff and report just the new findings.
  • Supports PHP 7 and PHP 8.
  • Fast: analyses around 100k lines of code per second.

noverify by VKCOM
Language: Go | Stars: 638 | Version: v0.5.3 | License: Permissive (MIT)

Pretty fast linter (code static analysis utility) for PHP


PhpDependencyAnalysis

  • Finds violations in a dependency graph.
  • Extendable static code analysis for object-oriented PHP projects.
  • Generates a dependency graph from abstract classes.

PhpDependencyAnalysis by mamuz
Language: PHP | Stars: 540 | Version: v2.0.2 | License: Permissive (MIT)

Static code analysis to find violations in a dependency graph


Mondrian

  • Uses graph theory for static analysis.
  • Helps to introduce abstractions into concrete classes.
  • The generated HTML report needs no dependencies and no network connection.
  • No license is declared in the repository, so check the usage terms before adopting it.

Mondrian by Trismegiste
Language: PHP | Stars: 382 | Version: v1.3.3 | License: No license declared

A static php code analysis tool using the Graph Theory


Exakat

  • Smart engine for static code analysis.
  • Supports automated code review.
  • Works both as a review tool and as an analysis framework.

exakat by exakat
Language: PHP | Stars: 357 | Version: v-0.6.1 | License: Others (Non-SPDX)

The Exakat Engine : smart static analysis for PHP


Vulny-Code-Static-Analysis

  • A Python script rather than a PHP library: it scans PHP source from the outside.
  • Matches known-dangerous patterns with regular expressions (regex).
  • Can detect vulnerabilities in PHP source code.
  • Caveat: a regex has no notion of data flow, so it reports a pattern wherever the text matches (false positives) and misses a tainted value that reaches a sink through a variable or a function call (false negatives). Treat it as a fast first pass, not as a substitute for a taint analyser.

Vulny-Code-Static-Analysis by swisskyrepo
Language: Python (analyses PHP source) | Stars: 347 | Version: Current | License: Others (Non-SPDX)

Python script to detect vulnerabilities inside PHP source code using static analysis, based on regex


progpilot

  • A static analysis tool specialised in security.
  • Can be invoked from within PHP code.
  • The taint analysis configuration (sources, sinks, sanitizers) is customisable.

progpilot by designsecurity
Language: PHP | Stars: 276 | Version: v1.0.2 | License: Permissive (MIT)

A static analysis tool for security
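The following added example (not code from Psalm, progpilot, Vulny-Code-Static-Analysis or this page) ties together the three security-oriented entries above. It contains an SQL injection flow that a taint analyser such as Psalm's or progpilot's follows from $_GET to the query, that a single-line regex scan cannot see because the tainted value travels through a variable and a helper function, and the hardened form that keeps untrusted data out of the query text. The table, the functions and the rawQuery() wrapper are invented; the demonstration uses an in-memory SQLite database and so needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added example; not Psalm's, progpilot's or Vulny-Code-Static-Analysis' code.
// whereClause(), rawQuery(), loadUserVulnerable() and loadUserHardened() are
// invented names; the users table is constructed below for the demonstration.

/**
 * Builds part of a query. A regex such as /\$_(GET|POST).*query\(/ finds
 * neither a superglobal nor a sink on these lines, so a regex scanner reports
 * nothing here. A taint analyser instead records that the return value carries
 * whatever taint $id carried into the call.
 */
function whereClause(string $id): string
{
    return "WHERE id = '" . $id . "'";
}

/**
 * A project-specific wrapper around a SQL sink. Psalm already treats
 * PDO::query() as a sink and would follow the call into this body; the
 * annotation makes the wrapper a declared sink in its own right, so the
 * finding no longer depends on this body being inside the scanned paths.
 *
 * @psalm-taint-sink sql $sql
 */
function rawQuery(PDO $db, string $sql): array
{
    $stmt = $db->query($sql);
    return $stmt === false ? [] : $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Vulnerable: source ($_GET) -> variable -> helper -> sink ---
function loadUserVulnerable(PDO $db): array
{
    $id = $_GET['id'] ?? '';                       // taint source
    if (!is_string($id)) {
        return [];
    }
    $sql = 'SELECT name FROM users ' . whereClause($id);
    // Psalm (--taint-analysis) reports a tainted SQL sink for this flow:
    // the query text is derived from $_GET with no escaping on the path.
    // progpilot models the same source-to-sink path with its configured
    // sources and sinks.
    return rawQuery($db, $sql);
}

// --- Hardened: the untrusted value never becomes SQL text ---
function loadUserHardened(PDO $db): array
{
    $id = $_GET['id'] ?? '';
    // Validate at the boundary: anything but a digit string is rejected.
    if (!is_string($id) || !ctype_digit($id)) {
        return [];
    }
    // The SQL handed to prepare() is a literal, so no taint reaches that sink.
    // The bound value is data, not query text, and is not a sink at all.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    if ($stmt === false) {
        return [];
    }
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

$_GET['id'] = "1' OR '1'='1";   // a classic injection payload, set locally
// The OR clause matches every user in the vulnerable path; the hardened path
// rejects the payload in ctype_digit() and runs no query at all.
printf("vulnerable: %d row(s)\n", count(loadUserVulnerable($db)));
printf("hardened:   %d row(s)\n", count(loadUserHardened($db)));
```

After `vendor/bin/psalm --init` has created psalm.xml, `vendor/bin/psalm --taint-analysis` reports loadUserVulnerable() and stays silent on loadUserHardened(). The practical lesson behind the "customisable taint configuration" bullets is the rawQuery() annotation: every sink a project wraps in its own helper has to be declared to the analyser, otherwise wrappers that live outside the scanned code become blind spots, exactly the kind of indirect flow a regex-based scanner such as Vulny-Code-Static-Analysis never sees in the first place.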

