Static Analysis

Introduction

Static analysis is a powerful technique for analyzing your code without actually executing it. It helps identify potential errors, inconsistencies, and code smells early in the development process, leading to more robust and maintainable PHP applications.

In this Booster, we leverage two leading static analysis tools: PHPStan and Psalm. Let's explore how they work and how to integrate them into your PHP projects.

PHPStan: Your Code's Guardian Angel

PHPStan focuses on finding errors in your code, such as:

  • Undefined variables and methods
  • Type mismatches
  • Incorrect function calls
  • Dead code

Usage - PHPStan

Use the following command, which is also defined as a Composer script:

composer phpstan
  • In your IDE: Install the PHPStan plugin for your IDE to get real-time feedback and inline error highlighting.
  • For SonarQube Integration: If you're using SonarQube, you can generate a report compatible with SonarQube using:
    composer phpstan:sonar
    
  • If you're using DDEV, you can run these commands within your DDEV environment:
    ddev composer phpstan
    ddev composer phpstan:sonar
    

Configuration

  • The phpstan.neon.dist file in your project root provides the base configuration for PHPStan. You can customize it further by creating a phpstan.neon file to override or extend the default settings.
  • Key configuration options:
    • parameters.level: Sets the analysis level (0-9, higher levels are stricter).
    • paths: Specifies which directories or files to analyze.
    • includes: Includes additional configuration files.
    • rules: Defines custom rules or excludes specific checks.

Psalm: Type Safety at its Finest

Psalm takes static analysis a step further by focusing on type safety. It helps you:

  • Enforce strict typing in your code
  • Identify potential type-related errors
  • Improve code readability and maintainability

Usage - Psalm

Use the following command, which is also defined as a Composer script:

composer psalm
  • In your IDE: Install the Psalm plugin for your IDE to get instant type checking and suggestions as you code
  • For SonarQube Integration: Generate a SonarQube-compatible report with
composer psalm:sonar

If you're using DDEV, you can run these commands within your DDEV environment:

ddev composer psalm
ddev composer psalm:sonar

Configuration

  • The psalm.xml file in your project root configures Psalm. Customize it to match your project's specific needs and coding style.
  • Key configuration options:
    • issueHandler: Configure which issue types to report and their severity levels
    • stubs: Include external type definitions for third-party libraries
    • plugins: Extend Psalm's functionality with plugins

Conclusion

Static analysis tools like PHPStan and Psalm are invaluable assets for PHP developers. By integrating them into your PHP projects, you can catch errors early, enforce best practices, and ensure your codebase is robust and maintainable.

Additional Resources