Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP.

Docker hub repository: https://hub.docker.com/r/jakzal/phpqa/

Nightly builds: https://hub.docker.com/r/jakzal/phpqa-nightly/

Available tools

• composer - Dependency Manager for PHP
• composer-bin-plugin - Composer plugin to install bin vendors in isolated locations
• box - An application for building and managing Phars
• analyze - Visualizes metrics and source code
• behat - Helps to test business expectations
• churn - Discovers good candidates for refactoring
• dephpend - Detect flaws in your architecture
• deprecation-detector - Finds usages of deprecated code
• deptrac - Enforces dependency rules
• design-pattern - Detects design patterns
• ecs - EasyCodingStandard sets up and runs coding standard checks with 0-knowledge of PHP-CS-Fixer and PHP_CodeSniffer
• infection - AST based PHP Mutation Testing Framework
• parallel-lint - Checks PHP file syntax
• pdepend - Static Analysis Tool
• phan - Static Analysis Tool
• php-coupling-detector - Detects code coupling issues
• php-cs-fixer - PHP Coding Standards Fixer
• php-formatter - Custom coding standards fixer
• php-semver-checker - Suggests a next version according to semantic versioning
• phpDocumentor - Documentation generator
• phpa - Checks for weak assumptions
• phpca - Finds usage of non-built-in extensions
• phpcb - PHP Code Browser
• phpcbf - Automatically corrects coding standard violations
• phpcf - Finds usage of deprecated features
• phpcov - a command-line frontend for the PHP_CodeCoverage library
• phpcpd - Copy/Paste Detector
• phpcs - Detects coding standard violations
• phpda - Generates dependency graphs
• phpdoc-to-typehint - Automatically adds type hints and return types based on PHPDocs
• phplint - A tool that can speed up linting of php files by running several lint processes at once
• phploc - A tool for quickly measuring the size of a PHP project
• phpmd - A tool for finding problems in PHP code
• phpmetrics - Static Analysis Tool
• phpmnd - Helps to detect magic numbers
• phpspec - SpecBDD Framework
• phpstan - Static Analysis Tool
• phpunit - The PHP testing framework
• psalm - Finds errors in PHP applications
• psecio-parse - Parse scanner is a static scanning tool to review your PHP code for potential security-related issues
• security-checker - Checks composer dependencies for known security vulnerabilities
• testability - Analyses and reports testability issues of a php codebase

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v $(pwd):/project. Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v $(pwd)/tmp-phpqa:/tmp. If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v $(pwd):/project -v $(pwd)/tmp-phpqa:/tmp -w /project jakzal/phpqa phpstan analyse src

You'll probably want to tweak this command for your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v $(pwd):/project -v $(pwd)/tmp-phpqa:/tmp -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

Building the image

git clone https://github.com/jakzal/phpqa.git
cd phpqa
make build-latest

To build the alpine version:

make build-alpine

Customising the image

It's often needed to customise the image with project specific extensions. To achieve that simply create a new image based on jakzal/phpqa:

FROM jakzal/phpqa:alpine

RUN apk add --no-cache libxml2-dev \
 && docker-php-ext-install soap

Next, build it:

docker build -t foo/phpqa .

Finally, use your customised image instead of the default one:

docker run --init -it --rm -v $(pwd):/project -w /project foo/phpqa phpmetrics .

Adding PHPStan extensions

Use the composer-bin-plugin to install any PHPStan extensions in the phpstan namespace:

FROM jakzal/phpqa:alpine

RUN global bin phpstan require phpstan/phpstan-phpunit

You'll be able to include them in your PHPStan configuration from the /root/.composer/vendor-bin/phpstan/vendor path:

includes:
    - /root/.composer/vendor-bin/phpstan/vendor/phpstan/phpstan-phpunit/extension.neon

Debugger & Code Coverage

The php-dbg debugger is provided by default. No additional extensions (like XDebug) are required to calculate code coverage:

phpqa phpdbg -qrr ./vendor/bin/phpunit --coverage-text

Contributing

Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.