Static code analysis tools examine a program's source code without executing it. Such analysis is usually part of the Continuous Integration (CI) process. These tools aim to detect security vulnerabilities and other defects during code review, explain them, and suggest appropriate fixes.
Static code analysis tools exist for many languages and frameworks; PHP static code analysis tools are designed to read PHP source code. The web development community works with several PHP static analysis tools, but a few have become the preferred choice of most developers. In this blog, we cover the top 4 PHP static code analysis tools.
Let's get started!
4 Great PHP Code Analysis Tools
Over the last decade, PHP has been one of the most popular languages for custom software development projects. To smooth the SDLC and stabilize the source code, developers run an automated analysis tool.
Here are the top 4 PHP Analysis Tools recommended by developers:
PHPStan
PHPStan tops our list of PHP code quality tools. Although it is a relatively recent arrival, it has quickly gained wide adoption.
PHPStan is a static code analysis tool that scans your whole codebase for bugs; that is, it checks for errors even in those rarely executed if statements that are certainly not covered by tests. PHPStan analyses the source code without executing the program.
PHPStan requires PHP >= 7.2 and works best with modern object-oriented code.
To install PHPStan and analyze your code, require PHPStan in Composer:
composer require --dev phpstan/phpstan
Composer installs PHPStan's executable in its bin directory, which defaults to vendor/bin.
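As an added example (not code from the original post or from the PHPStan project), the file below shows the kind of defect PHPStan catches statically: an authorization check that dereferences a possibly-null lookup result, which only fails at runtime for an unknown address. The path src/AccessCheck.php and the command vendor/bin/phpstan analyse src --level 8 are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not from the original post. Assumed layout: this file is
// src/AccessCheck.php and PHPStan runs as: vendor/bin/phpstan analyse src --level 8

final class Account
{
    /** @var string */
    private $role;
    public function __construct(string $role)
    {
        $this->role = $role;
    }
    public function role(): string
    {
        return $this->role;
    }
}

final class AccountRepository
{
    /** @var array<string, Account> accounts keyed by e-mail address (constructed sample data) */
    private $accounts = [];
    public function __construct()
    {
        $this->accounts['alice@example.com'] = new Account('admin');
    }
    /** Returns null when no account exists for the address. */
    public function findByEmail(string $email): ?Account
    {
        return $this->accounts[$email] ?? null;
    }
}

// Buggy version: the happy-path tests only use known addresses, so the null
// case is never executed, but at level 8 PHPStan reports it without running
// anything: "Cannot call method role() on Account|null."
function isAdmin(AccountRepository $repo, string $email): bool
{
    return $repo->findByEmail($email)->role() === 'admin';
}

// Fixed version: handle the null case explicitly and fail closed, so an
// unknown address is never treated as an administrator.
function isAdminFixed(AccountRepository $repo, string $email): bool
{
    $account = $repo->findByEmail($email);
    return $account !== null && $account->role() === 'admin';
}
```

Lower levels do not report this finding, so the level configured in CI decides whether such a branch is caught before release.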
SonarQube
SonarQube is another widely known PHP static code analysis tool, taking 2nd position in our list of PHP code quality tools.
SonarQube incorporates thousands of automated code analysis rules, protecting code on multiple fronts and guiding SDLC teams toward code quality. The tool also offers an IDE extension, SonarLint, which supplements the CI offering. You can add the SonarLint extension to your favourite IDE, and SonarQube rules and analysis settings synchronize to SonarLint. It aligns software development teams around a single standard of Clean Code and offers shared, unified configurations.
You can install the SonarQube server from the Docker image.
Follow these steps for your first installation:
1. Create volumes to persist data:
sonarqube_data: contains data files (embedded H2 database, Elasticsearch indexes)
sonarqube_logs: contains SonarQube logs for access, the CE process, Elasticsearch, and the web process
sonarqube_extensions: will contain the plugins you install and the Oracle JDBC driver
Here are the commands to create the volumes:
$> docker volume create --name sonarqube_data
$> docker volume create --name sonarqube_logs
$> docker volume create --name sonarqube_extensions
2. Add the JDBC driver
Drivers for the supported databases (except Oracle) are already provided. For an Oracle database, add the JDBC driver to the sonarqube_extensions volume as follows.
Start the SonarQube container (using the embedded H2 database):
$> docker run --rm \
   -p 9000:9000 \
   -v sonarqube_extensions:/opt/sonarqube/extensions \
   <image_name>
Exit once SonarQube has started properly.
Copy the Oracle JDBC driver into sonarqube_extensions/jdbc-driver/oracle.
3. Start the SonarQube container
You can start the SonarQube container from the command line (docker run) or from a configuration file (docker compose). To start it with docker run, pass your database properties as environment variables using the -e flag:
$> docker run -d --name sonarqube \
   -p 9000:9000 \
   -e SONAR_JDBC_URL=... \
   -e SONAR_JDBC_USERNAME=... \
   -e SONAR_JDBC_PASSWORD=... \
   -v sonarqube_data:/opt/sonarqube/data \
   -v sonarqube_extensions:/opt/sonarqube/extensions \
   -v sonarqube_logs:/opt/sonarqube/logs \
   <image_name>
4. Start the container using Docker Compose
If you use Docker Compose, use the following example as a reference and configure your .yml file:
version: "3"
services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: sonar
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      - "9000:9000"
  db:
    image: postgres:12
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql:
  postgresql_data:
The example uses the latest version of the SonarQube Docker image. The sonar/sonar database credentials are placeholders for a local trial; replace them before exposing the server to anyone else.
Key tip: use Docker Engine version 20.10 or above.
PHPCheckstyle
PHPCheckstyle ranks third in our list of top 4 PHP code quality tools. It is a static code analysis tool that developers use to check whether PHP source code complies with a standard set of coding rules, automating the lengthy process of checking a program's code by hand.
PHPCheckstyle finds problems in the program, from class or method design issues to code layout and formatting issues. It also comes with plug-in options, allowing developers to integrate continuous code checks into their projects.
You can install it manually.
For manual installation, download the PHPCheckstyle distribution archive, then unzip it:
$> unzip PhpCheckstyle.zip
This creates a directory, phpcheckstyle, containing all the files.
Next, follow these steps:
1. Change to the PHPCheckstyle installation directory using the command
$> cd phpcheckstyle
2. Execute the script using the command
$> php run.php --src <php source directory/file>
3. For more options, use the command
$> php run.php --help
Psalm
Psalm is another great PHP static code analysis tool, taking 4th position in our list of 4 Great PHP Code Analysis Tools. It finds errors in PHP codebases automatically and aims to help developers improve their code without too much extra work.
Installation requires PHP >= 7.4 and Composer:
composer require --dev vimeo/psalm
Now, you should generate a config file:
./vendor/bin/psalm --init
Psalm scans the project and determines an appropriate error level for it. You can now run Psalm with:
./vendor/bin/psalm
Psalm reports all the issues it finds.
Summary
Software engineers across many industries encounter PHP-based projects that have become hard to develop further. PHP static analysis tools help stabilize these products, letting teams resume feature development after running a full assortment of checks and completing the refactoring the results call for.