Best 88 PHP static analysis tools

CodeScene prioritizes technical debt, finds social patterns and identifies hidden risks in your code.

Easy to use architecture testing tool for PHP.

Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor.

Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.

A modern static analyzer from etsy.

Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.

Detect security risks, find bugs and provide actionable metrics for PHP projects.

Static analysis for C/C++/C#, PHP and Java.

Commercial Static Code Analysis which generates exploits to verify vulnerabilities.

Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).

Commercial Static Code Analysis.

Static code analysis for binary and source code - Java/Scala, PHP, Javascript, C#, PL/SQL, Python, T-SQL, C/C++, ObjectiveC/Swift, Visual Basic 6.0, Ruby, Delphi, ABAP, HTML5 and Solidity.

Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.

Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.

Commercial Static Code Analysis which doesn't require pre-compilation.

Helps discover good candidates for refactoring.

Automated code review tool integrates with GitHub, Bitbucket and GitLab (even self-hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free)

Provides a unified interface to sort and act on the issues it finds.

Static Code Analysis for C#, C, C++, CoffeeScript, CSS, Groovy, GO, JAVA, JavaScript, Less, Python, Ruby, Scala, SCSS, TypeScript.

Automated SAST code reviews driven by security, supports 15+ languages and includes security training.

Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET.

Dependency analysis tool.

Finds usages of deprecated (Symfony) code.

Detection of design patterns in PHP code.

Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.

Combine [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) and [PHP-CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).

An automated code reviewing engine for PHP.

A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.

Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.

Regexp based customizable linter.

Grep rough audit - source code auditing tool.

Checks code on every commit.

Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C\C++, Java, C#, PHP and more.

A set of static analysis and refactoring tools which use graph theory.

This tool checks syntax of PHP files faster than serial check with a fancier output.

A Static Security Scanner.

Calculates software metrics like cyclomatic complexity for PHP code.

Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages.

Checks for weak assumptions.

Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.

A Static Code Analyzer for PHP.

Refactoring helper.

Suggests a next version according to semantic versioning.

A PHP parser written in PHP.

Library emulating the PHP internal reflection.

PHP 7 Compatibility Checker.

Assist developers in porting their code quickly to PHP 7.

Detects violations of a defined set of coding standards.

Finds usage of non-built-in extensions.

Finds usage of deprecated PHP features.

Copy/Paste Detector for PHP code.

Dead Code Detector (DCD) for PHP code.

Builds a dependency graph for a project.

Add scalar type hints and return types to existing PHP projects using PHPDoc annotations.

Analyzes PHP source code to generate documentation.

A tool for quickly measuring the size and analyzing the structure of a PHP project.

Finds possible bugs in your code.

Calculates and visualizes various code quality metrics.

Helps to detect magic numbers.

A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).

Many tools for PHP static analysis in one container.

PHPQA all-in-one Analyzer CLI tool.

Static analysis tool for PHP.

PHP spell check library.

PHP Static Analysis Tool - discover bugs in your code without running it!

A framework for managing and maintaining multi-language pre-commit hooks.

A static analysis tool for security purposes.

Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more.

Static analysis tool for finding type errors in PHP applications.

An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL.

Visualizes metrics and source code.

A static source code analyser for vulnerabilities in PHP scripts.

Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.

Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for public GitHub/Bitbucket repo: [LGTM.com](https://LGTM.com).

Static program analysis platform that allows custom analyzers to plug in through a common interface.

SAST tool which is capable of identifying vulnerabilities and undocumented features. The analyzer scans the source code and executables without debug info (i.e. binaries). Supports: Java/Scala/Kotlin, PHP, C#, JavaScript, TypeScript, VBScript, HTML5, Python, Perl, C/C++, Objective-C/Swift, PL/SQL, T-SQL, ABAP, 1C, Apex, Go, Ruby, Groovy, Delphi, VBA, Visual Basic 6, Solidity, Vyper, COBOL.

Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).

SonarQube is an open platform to manage code quality.

A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).

A static analysis engine.

twig-lint is a lint tool for your twig files.

Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.

Universal code beautifier with a GitHub app. Supports HTML, CSS, JavaScript, TypeScript, JSX, Vue, C++, Go, Objective-C, Java, Python, PHP, GraphQL, Markdown, and more.

Code review tool with static code analysis and code-aware navigation for Java, PHP, JavaScript and Kotlin.

Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.

Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining.

WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.

Enforce rules for dependencies between software layers.