PHPCS + PHPStan in CI (Workflow Guide)
Also Known As
PHP CodeSniffer workflow
PHPStan CI workflow
static analysis workflow
TL;DR
Running PHP_CodeSniffer for style and PHPStan for type/logic errors as separate CI steps — each catching a distinct class of problem.
Explanation
PHP_CodeSniffer (phpcs) enforces formatting rules — PSR-12 compliance, trailing whitespace, line length, brace placement. PHPStan catches logic and type errors that formatting tools miss — wrong return types, null dereferences, dead code. Run them as separate CI steps so failures are clearly attributed. Recommended CI pipeline: composer install → phpcs --standard=PSR12 src/ → phpstan analyse src/ --level=6 → phpunit. Use phpcbf (the fixer companion to phpcs) as a pre-commit hook so formatting issues never reach CI. Store PHPStan configuration in phpstan.neon, baseline in phpstan-baseline.neon for legacy code. Run both in parallel where CI supports it. Add psalm as a third layer for teams wanting maximum type safety coverage.
Common Misconception
✗ Running PHPStan and PHP CodeSniffer locally is sufficient quality assurance. Without CI enforcement both tools become opt-in — developers under time pressure skip them. CI gates that fail on any violation are the only reliable way to prevent standard drift.
Why It Matters
Running PHP_CodeSniffer and PHPStan together in CI catches both style violations and type errors before code is merged — making quality gates automatic rather than relying on reviewer memory.
Common Mistakes
- Running tools only locally — developers skip them under pressure; CI enforces them for everyone.
- Starting PHPStan at level 0 and never increasing — it provides minimal value at the lowest level.
- Not using a baseline for legacy code — a fresh PHPStan run on old code produces thousands of errors; baseline incrementally.
- Fixing PHPCS warnings by suppressing them rather than correcting the code.
Code Examples
✗ Vulnerable
# CI pipeline without static analysis:
steps:
- run: composer test # Tests only — no style or type checking
# No phpcs, no phpstan
# Type errors and style violations merge undetected
# With quality gates:
steps:
- run: vendor/bin/phpcs --standard=PSR12 src/
- run: vendor/bin/phpstan analyse --level=8 src/
- run: composer test
✓ Fixed
# CI workflow — code quality gates
# phpcs.xml
<?xml version="1.0"?>
<ruleset name="Project">
<arg name="basepath" value="."/>
<arg name="extensions" value="php"/>
<rule ref="PSR12"/>
<exclude-pattern>vendor/*</exclude-pattern>
<exclude-pattern>database/migrations/*</exclude-pattern>
</ruleset>
# phpstan.neon
parameters:
level: 6
paths:
- src
- tests
ignoreErrors:
- '#Call to an undefined method Illuminate#'
# composer.json scripts
"ci": ["@lint", "@analyse", "@test", "@audit"]
"lint": "phpcs"
"analyse": "phpstan analyse"
# .github/workflows/ci.yml
- run: composer lint
- run: composer analyse
- run: composer testReferences
Tags
🤝 Adopt this term
£79/year · your link shown here
Added
15 Mar 2026
Edited
22 Mar 2026
Views
24
🤖 AI Guestbook educational data only
|
|
Last 30 days
Agents 0
No pings yet today
No pings yesterday
Amazonbot 8
Perplexity 5
Unknown AI 2
SEMrush 2
Google 1
Ahrefs 1
Also referenced
How they use it
crawler 19
Related categories
⚡
DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: Low
⚡ Quick Fix
Run phpcs for style and phpstan for logic in CI — they catch different problems; configure both in composer scripts so developers run the same checks locally that CI runs
📦 Applies To
PHP 5.0+
web
cli
🔗 Prerequisites
🔍 Detection Hints
Only one of phpcs or phpstan in CI; no local equivalent of CI quality checks; style violations reaching code review
Auto-detectable:
✓ Yes
phpcs
phpstan
php-cs-fixer
composer
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: Low
✓ Auto-fixable
Fix: Low
Context: File