Static Analysis tools for PHP

I’ve recently integrated static analysis tools into both my day job’s and CakePHP’s development process. Setting up static analysis tools is reasonably easy and can help you find problems before you even get to unit tests, or staging sites. They are also the ideal tool to help enforce coding standards, and best practices that can be checked by reading the code. There are a few different tools you can use and they all have different purposes. Depending on your project you may find all or some of them useful.

Checking PHP

There are several tools for PHP, all with different purposes and goals. Using a mix will give you the most insight into your code from a variety of angles.

  • PHP_CodeSniffer Is great for checking and enforcing coding standards. It provides a flexible system to create formatting and naming convention rules that can be output in a number of formats. There are code standards for a number of projects built-in, and if you love CakePHP, there is a CakePHP Codesniffer available.
  • PHPCpd Is a tool published by Sebastian Bergman of PHPUnit fame. It analyzes your code and looks for duplicated content. It requires the code to be exactly the same though, so you can cheat by renaming variables. However, I still feel its a valuable tool as it runs quickly and removing blatent copy + paste is valuable in projects of all sizes.
  • PHPDepend Measures your code in a number of ways and generates interesting software measurements like cyclomatic complexity, and coupling. I find the metrics it generates useful, but it is considerably slower than other tools so I don’t use it often.
  • PHPMD Is a spin-off project of PHPDepend and provides a more user-friendly interface. It also measures cyclomatic complexity, and is helpful for finding sub-optimal code sections. Much like PHPDepend, I’ve found PHPMD a bit slow at times, so I don’t often use it.
  • PHPLoc Another great tool published by Sebastian Bergman. It gives you summary information on the number of classes, methods, and constants. It also provides some averages on cyclomatic complexity. Its also considerably faster than PHPMD.

All of these tools can be installed with the pear installer. To install phploc, phpcs and phpcpd you can do the following:

Show Plain Text
  1. pear config-set auto_discover 1
  2. pear channel-discover
  4. pear install PHP_CodeSniffer
  5. pear install phpunit/phpcpd
  6. pear install phpunit/phploc

Once installed you can use them on your code:

Show Plain Text
  1. phpcs --standard=CakePHP ./
  2. phpcpd ./
  3. phploc ./

Both will output the results on your terminal, and have options for other output formats that integrate with Jenkins much easier.

Checking Javascript

For Javascript the two best tools are JsHint and JsLint . JsHint started as a more configurable version of JsLint, and has since gone on its own path. I prefer JsHint and find it easier to use and implement with an existing code base. JsLint has a number of strong opinions that you can’t toggle. This means that you’ll often have a ton of warnings to deal with when initially using it. In my opinion JsHint’s greatest features are finding missing semicolons, trailing commas and accidental global variables. Easily avoiding these common mistakes by using a tool is pretty useful. JsHint can also help you avoid the bad parts of javascript by yelling at you when you use them. Installing jshint will require a Javascript runtime, of which I find nodejs the easiest to install and use. After installing nodejs, you can install JsHint with npm

Show Plain Text
  1. npm install -g jshint

Once installed, you can use JsHint to check files for errors by calling the executable:

Show Plain Text
  1. jshint webroot/js/app.js --config app/Config/jshint.config

I find having a jshint.config file lets me declare a bunch of common options I need in a project, and avoid having to repeat the same jshint options at the top of every file. JsHint also has options to support xml output which lets you integrate it with Jenkins. If you don’t want to use the xml output you can still integrate it with jenkins as jshint will exit 1 when the checks fail. This also makes it easy to integrate with other unix tools like make.

Now that you have a few tools installed, its time to integrate them into your development process, and track your progress against your new standards. One of the easiest ways to convert the output from these tools into something more visual is to use Jenkins. And in the next article, I’ll cover using Jenkins to track output from the various tools, and create a simple makefile to run all the tools at once.


Thank you so much Mark. This is a fantastic list, and exactly what I was looking for, especially in regards to the PHP_Sniffer library.

Nate Ritter on 5/2/12

Here’s another list of PHP tools as well:

Joel Clermont on 5/3/12

Great post!

Only issue so far I can see is PHPMD complains about unused variables if they are only used in a compact() call.

sime on 5/4/12

Joel: Thanks for the list :)

Sime: Yes that’s another problem I had with it as well.

mark story on 5/5/12

Great list, thanks alot

Omar Abdallah on 5/9/12

Excelentes recomendaciones, para que veas que te leemos tambien en México y comentamos jeje, gracias y Saludos

andresn on 5/18/12

Thanks for that Mark, and particularly thanks for the CakePHP code sniff work you’ve done.

The only (minor) gripe I have with the sniffs is the “Whitespace found at end of line” error.

Eclipse automatically indents new lines even if they are going to be empty so I get a whole lot of these in my reports. Wonder if there’s a setting in Eclipse to remove whitespace automatically from a line if it only contains whitespace….

Richard@Home on 7/6/12

Could you manage to bend phpmd to allow variable names shorter than 3. Struggling with getting $id to pass

Tarique Sani on 8/1/12

Could you manage to bend phpmd to allow variable names shorter than 3. Struggling with getting $id to pass

Tarique Sani on 8/1/12

Comments are not open at this time.