phpsa logo

phpsa

DeprecatedDeprecated

Static analysis tool for PHP.

Tutorials / Guides

  • phpsa screenshot

53 Alternatives for phpsa

CakeFuzzer

Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

churn-php

Helps discover good candidates for refactoring.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

composer-dependency-analyser

Fast detection of composer dependency issues.

  • 💪 Powerful: Detects unused, shadow and misplaced composer dependencies
  • ⚡ Performant: Scans 15 000 files in 2s!
  • ⚙️ Configurable: Fine-grained ignores via PHP config
  • 🕸️ Lightweight: No composer dependencies
  • 🍰 Easy-to-use: No config needed for first try
  • ✨ Compatible: PHP >= 7.2
  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

dephpend

Dependency analysis tool.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

deprecation-detector

Finds usages of deprecated (Symfony) code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

deptrac

Enforce rules for dependencies between software layers.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

DesignPatternDetector

Detection of design patterns in PHP code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Enlightn

A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

GrumPHP

Checks code on every commit.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

larastan

Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Mondrian

A set of static analysis and refactoring tools which use graph theory.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

parallel-lint

This tool checks syntax of PHP files faster than serial check with a fancier output.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Parse

A Static Security Scanner.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

pdepend

Calculates software metrics like cyclomatic complexity for PHP code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phan

A modern static analyzer from etsy.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Architecture Tester

Easy to use architecture testing tool for PHP.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Assumptions

Checks for weak assumptions.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP_CodeSniffer

Detects violations of a defined set of coding standards.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Coding Standards Fixer

Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Insights

Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Php Inspections (EA Extended)

A Static Code Analyzer for PHP.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP-Parser

A PHP parser written in PHP.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Refactoring Browser

Refactoring helper.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Semantic Versioning Checker

Suggests a next version according to semantic versioning.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

php-speller

PHP spell check library.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP-Token-Reflection

Library emulating the PHP internal reflection.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

php7cc

PHP 7 Compatibility Checker.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

php7mar

Assist developers in porting their code quickly to PHP 7.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

PHPArkitect

PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. You can express the constraint that you want to enforce, in simple and readable PHP code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpca

Finds usage of non-built-in extensions.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpcpd

Copy/Paste Detector for PHP code.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpdcd

Dead Code Detector (DCD) for PHP code.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

PhpDependencyAnalysis

Builds a dependency graph for a project.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

PhpDeprecationDetector

Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions).

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpdoc-to-typehint

Add scalar type hints and return types to existing PHP projects using PHPDoc annotations.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpDocumentor

Analyzes PHP source code to generate documentation.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phploc

A tool for quickly measuring the size and analyzing the structure of a PHP project.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHPMD

Finds possible bugs in your code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PhpMetrics

Calculates and visualizes various code quality metrics.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpmnd

Helps to detect magic numbers.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHPQA

A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpqa - jakzal

Many tools for PHP static analysis in one container.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpqa - jmolivas

PHPQA all-in-one Analyzer CLI tool.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHPStan

PHP Static Analysis Tool - discover bugs in your code without running it!

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Progpilot

A static analysis tool for security purposes.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Psalm

Static analysis tool for finding type errors in PHP applications.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Qafoo Quality Analyzer

Visualizes metrics and source code.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

rector

Instant Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use-case are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Reflection

Reflection library to do Static Analysis for PHP Projects

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Tuli

A static analysis engine.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

twig-lint

twig-lint is a lint tool for your twig files.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

WAP

Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

34 Multi-Language Tools

AppChecker

Static analysis for C/C++/C#, PHP and Java.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ApplicationInspector

Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Axivion Bauhaus Suite

Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Betterscan CE

Sponsor

Checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrationss available) for security and quality issues. Code Scanning/SAST/Linting using many tools/Scanners deduplicated with One Report (AI optional).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

callGraph

Statically generates a call graph image and displays it on screen.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CAST Highlight

Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Checkmarx CxSAST

Commercial Static Code Analysis which doesn't require pre-compilation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Coverity

Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Depends

Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

DerScanner

Multi-language Static Application Security Testing (SAST) platform that detects critical vulnerabilities, including hardcoded secrets, weak cryptography, backdoors, SQL injections, insecure configurations, etc.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

emerge

Emerge is a source code and dependency visualizer that can be used to gather insights about source code structure, metrics, dependencies and complexity of software projects. After scanning the source code of a project it provides you an interactive web interface to explore and analyze your project by using graph structures.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

Goodcheck

Regexp based customizable linter.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

graudit

Grep rough audit - source code auditing tool.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

lizard

Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Mega-Linter

Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

pre-commit

A framework for managing and maintaining multi-language pre-commit hooks.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Pronto

Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

PT.PM

An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

RIPS

A static source code analyser for vulnerabilities in PHP scripts.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Semgrep

Sponsor

A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

ShiftLeft Scan

Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

shipshape

Static program analysis platform that allows custom analyzers to plug in through a common interface.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Sigrid

Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

SonarLint

SonarLint is a free IDE extension available for IntelliJ, VS Code, Visual Studio, and Eclipse, to find and fix coding issues in real-time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Soto Platform

Suite of static analysis tools consisting of the three components Sotoarc (Architecture Analysis), Sotograph (Quality Analysis), and Sotoreport (Quality report). Helps find differences between architecture and implementation, interface violations (e.g. external access of private parts of subsystems, detection of all classes, files, packages and subsystems which are strongly coupled by cyclical relationships and more. The Sotograph product family runs on Windows and Linux.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

StaticReviewer

Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Synopsys

A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

TencentCodeAnalysis

Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

todocheck

Linter for integrating annotated TODOs with your issue trackers

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

trivy

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Undebt

Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Understand

Code visualization tool that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada, VHDL, and others.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Veracode

Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

WhiteHat Application Security Platform

WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Our Sponsors

This website is completely open source. To fund our work, we fully rely on sponsors. Thanks to them, we can keep the site free for everybody. Please check out their offers below.

  • BugProve
  • Pixee
  • semgrep
  • Offensive 360
  • BetterScan