Awesome Open Source
Awesome Open Source

Static Analysis Tools for PHP

Docker image providing static analysis tools for PHP. The list of available tools and the installer are actually managed in the jakzal/toolbox repository.

Build Status Docker Pulls

Supported platforms and PHP versions

Docker hub repository:

Nightly builds:




These are the latest tags for PHP versions that are no longer supported:

Available tools

Name Description PHP 7.3 PHP 7.4 PHP 8.0
analyze Visualizes metrics and source code
behat Helps to test business expectations
box Fast, zero config application bundler with PHARs
box-legacy Legacy version of box
churn Discovers good candidates for refactoring
codeception Codeception is a BDD-styled PHP testing framework
composer Dependency Manager for PHP
composer-bin-plugin Composer plugin to install bin vendors in isolated locations
composer-normalize Composer plugin to normalize composer.json files
composer-require-checker Verify that no unknown symbols are used in the sources of a package.
composer-require-checker-v2 Verify that no unknown symbols are used in the sources of a package.
composer-unused Show unused packages by scanning your code
dephpend Detect flaws in your architecture
deprecation-detector Finds usages of deprecated code
deptrac Enforces dependency rules between software layers
diffFilter Applies QA tools to run on a single pull request
ecs Sets up and runs coding standard checks
infection AST based PHP Mutation Testing Framework
larastan PHPStan extension for Laravel
local-php-security-checker Checks composer dependencies for known security vulnerabilities
parallel-lint Checks PHP file syntax
paratest Parallel testing for PHPUnit
pdepend Static Analysis Tool
phan Static Analysis Tool
phive PHAR Installation and Verification Environment
php-coupling-detector Detects code coupling issues
php-cs-fixer PHP Coding Standards Fixer
php-formatter Custom coding standards fixer
php-fuzzer A fuzzer for PHP, which can be used to find bugs in libraries by feeding them 'random' inputs
php-semver-checker Suggests a next version according to semantic versioning
phpa Checks for weak assumptions
phpat Easy to use architecture testing tool
phpbench PHP Benchmarking framework
phpca Finds usage of non-built-in extensions
phpcb PHP Code Browser
phpcbf Automatically corrects coding standard violations
phpcodesniffer-composer-install Easy installation of PHP_CodeSniffer coding standards (rulesets).
phpcov a command-line frontend for the PHP_CodeCoverage library
phpcpd Copy/Paste Detector
phpcs Detects coding standard violations
phpcs-security-audit Finds vulnerabilities and weaknesses related to security in PHP code
phpda Generates dependency graphs
phpdd Finds usage of deprecated features
phpdoc-to-typehint Automatically adds type hints and return types based on PHPDocs
phpDocumentor Documentation generator
phpinsights Analyses code quality, style, architecture and complexity
phplint Lints php files in parallel
phploc A tool for quickly measuring the size of a PHP project
phpmd A tool for finding problems in PHP code
phpmetrics Static Analysis Tool
phpmnd Helps to detect magic numbers
phpspec SpecBDD Framework
phpstan Static Analysis Tool
phpstan-beberlei-assert PHPStan extension for beberlei/assert
phpstan-deprecation-rules PHPStan rules for detecting deprecated code
phpstan-doctrine Doctrine extensions for PHPStan
phpstan-ergebnis-rules Additional rules for PHPstan
phpstan-exception-rules PHPStan rules for checked and unchecked exceptions
phpstan-larastan Separate installation of phpstan for larastan
phpstan-phpunit PHPUnit extensions and rules for PHPStan
phpstan-strict-rules Extra strict and opinionated rules for PHPStan
phpstan-symfony Symfony extension for PHPStan
phpstan-webmozart-assert PHPStan extension for webmozart/assert
phpunit The PHP testing framework
phpunit-5 The PHP testing framework (5.x version)
phpunit-7 The PHP testing framework (7.x version)
phpunit-8 The PHP testing framework (8.x version)
psalm Finds errors in PHP applications
psalm-plugin-doctrine Stubs to let Psalm understand Doctrine better
psalm-plugin-phpunit Psalm plugin for PHPUnit
psalm-plugin-symfony Psalm Plugin for Symfony
psecio-parse Scans code for potential security-related issues
rector Tool for instant code upgrades and refactoring
roave-backward-compatibility-check Tool to compare two revisions of a class API to check for BC breaks
simple-phpunit Provides utilities to report legacy tests and usage of deprecated code
twig-lint Standalone twig linter
twigcs The missing checkstyle for twig!
yaml-lint Compact command line utility for checking YAML file syntax

More tools

Some tools are not included in the docker image, to use them refer to their documentation:

Removed tools

Name Summary
composer-normalize Composer plugin to normalize composer.json files
design-pattern Detects design patterns
phpcf Finds usage of deprecated features
phpstan-localheinz-rules Additional rules for PHPstan
security-checker Checks composer dependencies for known security vulnerabilities
testability Analyses and reports testability issues of a php codebase

Running tools

Pull the image:

docker pull jakzal/phpqa

The default command will list available tools:

docker run -it --rm jakzal/phpqa

To run the selected tool inside the container, you'll need to mount the project directory on the container with -v "$(pwd):/project". Some tools like to write to the /tmp directory (like PHPStan, or Behat in some cases), therefore it's often useful to share it between docker runs, i.e. with -v "$(pwd)/tmp-phpqa:/tmp". If you want to be able to interrupt the selected tool if it takes too much time to complete, you can use the --init option. Please refer to the docker run documentation for more information.

docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa phpstan analyse src

You might want to tweak this command to your needs and create an alias for convenience:

alias phpqa='docker run --init -it --rm -v "$(pwd):/project" -v "$(pwd)/tmp-phpqa:/tmp" -w /project jakzal/phpqa:alpine'

Add it to your ~/.bashrc so it's defined every time you start a new terminal session.

Now the command becomes a lot simpler:

phpqa phpstan analyse src

GitHub actions

The image can be used with GitHub actions. Below is an example for several static analysis tools.

# .github/workflows/static-code-analysis.yml
name: Static code analysis

on: [pull_request]

    runs-on: ubuntu-latest
      - uses: actions/[email protected]
      - name: PHPStan
        uses: docker://jakzal/phpqa:php8.0-alpine
          args: phpstan analyze src/ -l 1
      - name: PHP-CS-Fixer
        uses: docker://jakzal/phpqa:php8.0-alpine
          args: php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
      - name: Deptrac
        uses: docker://jakzal/phpqa:php8.0-alpine
          args: deptrac --no-interaction --ansi --formatter-graphviz-display=0

Bitbucket Pipelines

Here is an example configuration of a bitbucket pipeline using the phpqa image:

# bitbucket-pipelines.yml
image: jakzal/phpqa:php8.0-alpine
    - step:
        name: Static analysis
          - composer
          - composer install --no-scripts --no-progress
          - phpstan analyze src/ -l 1
          - php-cs-fixer --dry-run --allow-risky=yes --no-interaction --ansi fix
          - deptrac --no-interaction --ansi --formatter-graphviz-display=0

Unfortunately, bitbucket overrides the docker entrypoint so composer needs to be explicitly invoked as in the above example.

Starter-kits / Templates


A template repository for agnostic PHP libraries. It utilizes the PHPQA image into a Makefile and configures some tools by default.


A template repository for Docker based Symfony applications. It utilizes the PHPQA image into a Dockerfile and integrates in the composed landscape.

Building the image

git clone
cd phpqa
make build-debian

To build the alpine version:

make build-alpine

Customising the image

It's often needed to customise the image with project specific extensions. To achieve that simply create a new image based on jakzal/phpqa:

FROM jakzal/phpqa:alpine

RUN apk add --no-cache libxml2-dev \
 && docker-php-ext-install soap

Next, build it:

docker build -t foo/phpqa .

Finally, use your customised image instead of the default one:

docker run --init -it --rm -v "$(pwd):/project" -w /project foo/phpqa phpmetrics .

Adding PHPStan extensions

A number of PHPStan extensions is available on the image in /tools/.composer/vendor-bin/phpstan/vendor out of the box. You can find them with the command below:

phpqa find /tools/.composer/vendor-bin/phpstan/vendor/ -iname 'rules.neon' -or -iname 'extension.neon'

Use the composer-bin-plugin to install any additional PHPStan extensions in the phpstan namespace:

FROM jakzal/phpqa:alpine

RUN composer global bin phpstan require phpstan/phpstan-phpunit

You'll be able to include them in your PHPStan configuration from the /tools/.composer/vendor-bin/phpstan/vendor path:

    - /tools/.composer/vendor-bin/phpstan/vendor/phpstan/phpstan-phpunit/extension.neon

Debugger & Code Coverage

The pcov code coverage extension, as well as the php-dbg debugger, are provided on the image out of the box.

pcov is disabled by default so it doesn't affect performance when it's not needed, and doesn't break interoperability with other coverage extensions. It can be enabled by setting pcov.enabled=1:

phpqa php -d pcov.enabled=1 ./vendor/bin/phpunit --coverage-text

Infection users will need to define initial php options:

phpqa /tools/infection run --initial-tests-php-options='-dpcov.enabled=1'


Please read the Contributing guide to learn about contributing to this project. Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Php (403,016
Docker (33,372
Makefile (23,353
Docker Image (4,764
Composer (2,223
Static Analysis (928
Phpunit (563
Code Quality (396
Qa (365
Related Projects