Static analysis tools for PHP in a single docker image

As part of my job I often perform application reviews and code quality analysis for clients who wish to have their code base looked at by an independent company. Running static analysis tools is usually a starting point to the review as it gives a general overview of a state of the project. I also like to run those tools as part of an introduction to an inherited code base.

For an easy access to the most popular static analysis tools for PHP I recently created a docker image - phpqa. Currently it comes with the following tools:

• analyze - Visualizes metrics and source code
• box - An application for building and managing Phars
• composer - Dependency Manager for PHP
• dephpend - Detect flaws in your architecture
• deprecation-detector - Finds usages of deprecated code
• deptrac - Enforces dependency rules
• design-pattern - Dettects design patterns
• parallel-lint - Checks PHP file syntax
• pdepend - Static Analysis Tool
• phan - Static Analysis Tool
• phpca - Finds usage of non-built-in extensions
• phpcf - Finds usage of deprecated features
• php-coupling-detector - Detects code coupling issues
• php-cs-fixer - PHP Coding Standards Fixer
• php-formatter - Custom coding standards fixer
• php-semver-checker - Suggests a next version according to semantic versioning
• phpDocumentor - Documentation generator
• phpa - Checks for weak assumptions
• phpcb - PHP Code Browser
• phpcbf - Automatically corrects coding standard violations
• phpcpd - Copy/Paste Detector
• phpcs - Detects coding standard violations
• phpda - Generates dependency graphs
• phpdoc-to-typehint - Automatically adds type hints and return types based on PHPDocs
• phploc - A tool for quickly measuring the size of a PHP project
• phpmd - A tool for finding problems in PHP code
• phpmetrics - Static Analysis Tool
• phpmnd - Helps to detect magic numbers
• phpstan - Static Analysis Tool
• psalm - Finds errors in PHP applications

To start using the image pull it first:

docker pull jakzal/phpqa:alpine

Note that you can choose between Debian and Alpine based images (latest and alpine tags).

Now you're ready to run any of the tools included:

docker run -it --rm -v $(pwd):/project -w /project jakzal/phpqa:alpine phpstan analyse src

The command above will run a docker container and mount the current working directory as a /project.

In most cases I prefer to use an alias:

alias phpqa="docker run -it --rm -v $(pwd):/project -w /project jakzal/phpqa:alpine"

It simplifies the command:

phpqa phpstan analyse src

Depending on the requirements of the project being reviewed, it's often needed to customise the image further with additional PHP extensions or other kinds of dependencies. In such scenarios I simply create a new image based off jakzal/phpqa (see the docs for more).

To learn more about the phpqa image or follow its development, check out the following project pages:

• https://hub.docker.com/r/jakzal/phpqa/
• https://github.com/jakzal/phpqa

Happy analysing!