
Static Analysis

general PHP 7.1+ Intermediate

Also Known As

SAST, static code analysis, PHPStan, Psalm

TL;DR

Automated inspection of source code without execution to find type errors, security issues, dead code, and style violations.

Explanation

PHP static analysis tools include PHPStan (type inference and level-based strictness), Psalm (advanced type system, taint analysis for security), PHP_CodeSniffer (coding standards), PHP-CS-Fixer (auto-corrects style), and PHPMD (mess detector). PHPStan/Psalm can find type errors, undefined variables, null dereferences, and incorrect function signatures without running code. Taint analysis in Psalm traces user-supplied data through the application to identify injection sinks. Integrate static analysis in CI at the highest level the codebase tolerates, incrementally increasing strictness.

Diagram

flowchart LR
    CODE[PHP Source] --> PHPSTAN[PHPStan]
    CODE --> PSALM[Psalm]
    subgraph What_They_Check
        TYPES[Type errors<br/>wrong parameter types]
        NULL[Null pointer access<br/>nullable not handled]
        DEAD[Dead code<br/>unreachable statements]
        UNDEF[Undefined variables<br/>methods properties]
    end
    PHPSTAN & PSALM --> TYPES & NULL & DEAD & UNDEF
    subgraph Levels
        L0[Level 0 - basic]
        L5[Level 5 - medium]
        L9[Level 9 - strict max]
        L0 --> L5 --> L9
    end
style PHPSTAN fill:#1f6feb,color:#fff
style PSALM fill:#6e40c9,color:#fff
style L9 fill:#238636,color:#fff

Common Misconception

Misconception: static analysis only catches style issues and code smells. In fact, modern static analysers (PHPStan, Psalm) perform full type inference and detect null dereferences, unreachable code, incorrect method signatures, and security-relevant data flows; they catch logic errors that would otherwise only surface at runtime.

Why It Matters

Static analysis finds bugs, type errors, and security issues without executing code — it catches entire categories of problems at development time that would otherwise reach production.

Common Mistakes

  • Running PHPStan/Psalm at level 0 and thinking you have static analysis — max level catches the most issues.
  • Not running static analysis in CI — developers disable it locally and analysis never runs.
  • Ignoring analysis warnings by suppressing them rather than fixing the underlying issue.
  • Not using baseline files for legacy codebases — running analysis for the first time produces thousands of errors; baseline lets you fix incrementally.

Code Examples

✗ Vulnerable
// Deliberately defective: PHPStan reports the type error before the code ever runs.
final class UserRepository
{
    /** @var Database */ // assumed dependency type; the page does not name it
    private $db;
    public function getUser(int $id): User
    {
        $result = $this->db->find($id); // Returns User|null
        return $result;                  // PHPStan error: null not assignable to User
        // Fix: add a null check or change the return type to ?User
    }
}
✓ Fixed
# Static analysis finds bugs without running the code.

# PHPStan: type checking, dead code, undefined variables
$ vendor/bin/phpstan analyse src/ --level=6
# Level 0 = basic | Level 9 = strictest

# Psalm: type inference + taint analysis
$ vendor/bin/psalm
$ vendor/bin/psalm --taint-analysis   # tracks user input to dangerous sinks

# PHP_CodeSniffer: coding standards
$ vendor/bin/phpcs --standard=PSR12 src/

# PHP Mess Detector: complexity, unused code
$ vendor/bin/phpmd src/ text cleancode,codesize,controversial,design

# Integrate all of them into CI: each runs on every PR, and any failure blocks the merge.

# PHPStan baseline: acknowledge existing issues, block new ones
$ vendor/bin/phpstan analyse --generate-baseline
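As an added example (not code from the glossary page), here is the repository from the snippet above rewritten the way a level-6+ PHPStan run and Psalm's taint analysis would accept it: a nullable return type that forces callers to handle the missing row, a parameterised query, and a documented `@psalm-taint-sink` docblock on a raw-SQL method. `User`, `UserRepository`, `greeting` and the in-memory table are constructed for the example; it assumes PHP 8.0+ (constructor promotion) and the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

final class User
{
    public function __construct(public int $id, public string $name) {}
}

final class UserRepository
{
    public function __construct(private PDO $pdo) {}

    // Nullable return type: PHPStan no longer reports "null not assignable to
    // User" here, and it forces every caller to handle the missing-row case.
    // The lookup is parameterised, so request data reaches the query only as
    // a bound value and Psalm sees no path from a taint source to a SQL sink.
    public function find(int $id): ?User
    {
        $stmt = $this->pdo->prepare('SELECT id, name FROM users WHERE id = :id');
        $stmt->execute(['id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : new User((int) $row['id'], (string) $row['name']);
    }

    // Docblock declaring the parameter a SQL sink. Under `psalm --taint-analysis`,
    // any call that lets $_GET/$_POST data (Psalm's built-in taint sources) flow
    // into $sql, e.g. by string concatenation, is reported as TaintedSql.
    /** @psalm-taint-sink sql $sql */
    public function rawQuery(string $sql): void
    {
        $this->pdo->query($sql);
    }
}

// Caller: PHPStan at level 6+ rejects `$repo->find($id)->name` because the
// result may be null, so the null branch has to be written explicitly.
function greeting(UserRepository $repo, int $id): string
{
    $user = $repo->find($id);
    return $user === null ? 'unknown user' : 'Hello, ' . $user->name;
}

// Constructed in-memory data so the file runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");
$repo = new UserRepository($pdo);
echo greeting($repo, 1), PHP_EOL;
echo greeting($repo, 2), PHP_EOL;
```

Running `vendor/bin/phpstan analyse --level=6` and `vendor/bin/psalm --taint-analysis` against this file should report nothing; reintroducing the non-nullable `User` return type, or concatenating a request parameter into the argument of `rawQuery()`, reproduces the two classes of finding the page describes.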

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity

Severity: Medium. Fix effort: Medium.

Quick Fix
Run PHPStan at level 6+ in CI and fail the build on any error; on existing codebases, start at level 0 and work up incrementally.

Applies To
PHP 7.1+: web, CLI, queue-worker

Detection Hints
No PHPStan or Psalm in the CI pipeline; type errors only discovered at runtime.
Auto-detectable: Yes (phpstan, psalm, rector)