
Static Analysis

General · PHP 7.1+ · Intermediate
debt(d7/e3/b5/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The absence of static analysis in a CI pipeline is not caught by any compiler or default linter — it requires someone to notice the pipeline configuration is missing the tool. The detection_hints note that type errors are 'only discovered at runtime' when PHPStan/Psalm are absent, and the gap is invisible until bugs surface in production. Slightly better than d9 because a CI audit or onboarding review can surface it.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is to add PHPStan at level 6+ to CI and incrementally raise the level using a baseline file. This is more than a one-line patch (requires CI config changes, possibly a phpstan.neon, and fixing or baselining existing errors) but is contained within one component (the CI/tooling layer). It does not require changes across multiple application files unless errors are fixed rather than baselined.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Applies across all three contexts (web, cli, queue-worker) and affects every developer and every PR in the project. Running at level 0 or suppressing warnings creates a persistent tax — developers must work around false confidence, or spend time fighting suppressed warnings. However it does not fundamentally reshape architecture (not b7), so b5 is appropriate.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap — a documented gotcha most devs eventually learn' (t5). The misconception field is explicit: developers believe static analysis only catches style/smells, but modern PHPStan/Psalm perform full type inference and catch logic errors. This is a well-documented gotcha that competent developers who haven't used modern PHP static analysers will commonly hold, leading them to run at low levels or skip CI integration entirely.


Also Known As

SAST, static code analysis, PHPStan, Psalm

TL;DR

Automated inspection of source code without execution to find type errors, security issues, dead code, and style violations.

Explanation

PHP static analysis tools include PHPStan (type inference and level-based strictness), Psalm (advanced type system, taint analysis for security), PHP_CodeSniffer (coding standards), PHP-CS-Fixer (auto-corrects style), and PHPMD (mess detector). PHPStan/Psalm can find type errors, undefined variables, null dereferences, and incorrect function signatures without running code. Taint analysis in Psalm traces user-supplied data through the application to identify injection sinks. Integrate static analysis in CI at the highest level the codebase tolerates, incrementally increasing strictness.
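The taint analysis mentioned above, shown on the two code paths Psalm distinguishes. This is an added example, not code from the page or from the Psalm project; it assumes a PDO connection injected by the caller and a `users` table with `id` and `email` columns, and the class and method names are placeholders.

```php
<?php
declare(strict_types=1);

// Added example (not from the page): the two code paths Psalm's taint analysis
// distinguishes. Assumed: a PDO connection injected by the caller and a `users`
// table with `id` and `email` columns. Analyse with:
//   vendor/bin/psalm --taint-analysis
// Psalm treats $_GET as a taint source and the SQL string passed to PDO::query()
// as a sink; the tainted path is reported as TaintedSql.

final class UserLookup
{
    /** @var PDO */
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Reported: the request parameter flows, unsanitised, into the query string.
    public function emailByIdUnsafe(): ?string
    {
        $id = $_GET['id'] ?? '';
        $stmt = $this->pdo->query("SELECT email FROM users WHERE id = '$id'");
        if ($stmt === false) {
            return null;
        }
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        return is_array($row) ? (string) $row['email'] : null;
    }

    // Not reported: the SQL is a literal; the value travels as a bound parameter
    // and is coerced to int before it reaches the driver.
    public function emailByIdSafe(): ?string
    {
        $id = (int) ($_GET['id'] ?? 0);
        $stmt = $this->pdo->prepare('SELECT email FROM users WHERE id = :id');
        if ($stmt === false) {
            return null;
        }
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        return is_array($row) ? (string) $row['email'] : null;
    }
}
```

The point of the pair is that taint analysis does not look for a banned function: both methods talk to PDO, but only the one that builds its SQL from request data carries a source-to-sink flow, so it is the only one reported.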

Diagram

flowchart LR
    CODE[PHP Source] --> PHPSTAN[PHPStan]
    CODE --> PSALM[Psalm]
    subgraph What_They_Check
        TYPES[Type errors<br/>wrong parameter types]
        NULL[Null pointer access<br/>nullable not handled]
        DEAD[Dead code<br/>unreachable statements]
        UNDEF[Undefined variables<br/>methods properties]
    end
    PHPSTAN & PSALM --> TYPES & NULL & DEAD & UNDEF
    subgraph Levels
        L0[Level 0 - basic]
        L5[Level 5 - medium]
        L9[Level 9 - strict max]
        L0 --> L5 --> L9
    end
style PHPSTAN fill:#1f6feb,color:#fff
style PSALM fill:#6e40c9,color:#fff
style L9 fill:#238636,color:#fff

Common Misconception

Static analysis only catches style issues and code smells. Modern static analysers (PHPStan, Psalm) perform full type inference, detect null dereferences, unreachable code, incorrect method signatures, and security-relevant patterns — they catch logic errors that would only appear at runtime.

Why It Matters

Static analysis finds bugs, type errors, and security issues without executing code — it catches entire categories of problems at development time that would otherwise reach production.

Common Mistakes

  • Running PHPStan/Psalm at level 0 and thinking you have static analysis — max level catches the most issues.
  • Not running static analysis in CI — developers disable it locally and analysis never runs.
  • Ignoring analysis warnings by suppressing them rather than fixing the underlying issue.
  • Not using baseline files for legacy codebases — running analysis for the first time produces thousands of errors; baseline lets you fix incrementally.
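What "level 0 is not static analysis" means in practice, and why the misconception above is wrong: one file with several defects, each of which PHPStan reports only from a certain level upwards. This is an added example, not the page's own code; the `User`, `Database` and `UserService` classes are stand-ins, and the level annotations follow PHPStan's documented rule levels (0: unknown methods on `$this`; 3: return types; 4: dead code; 5: argument types; 6: missing iterable value types; 8: calls on nullable values).

```php
<?php
declare(strict_types=1);

// Added example (not from the page): one file, several defects, each reported by
// PHPStan only from a certain level upwards. Run it with
//   vendor/bin/phpstan analyse this-file.php --level=N
// and raise N to see new reports appear. User and Database are assumed stand-ins.

final class User
{
    /** @var string */
    public $email = '';
}

final class Database
{
    /** @var array<int, User> */
    private $rows = [];

    public function find(int $id): ?User
    {
        return $this->rows[$id] ?? null;
    }
}

final class UserService
{
    /** @var Database */
    private $db;

    public function __construct(Database $db)
    {
        $this->db = $db;
    }

    // Level 0: call to an undefined method on $this.
    public function undefinedMethod(int $id): void
    {
        $this->loadUser($id);
    }

    // Level 3: return type User declared, but find() returns User|null.
    public function wrongReturnType(int $id): User
    {
        return $this->db->find($id);
    }

    // Level 4: unreachable statement after an unconditional return.
    public function deadCode(int $id): ?User
    {
        return $this->db->find($id);
        $this->db->find($id + 1);
    }

    // Level 5: string passed where int is expected.
    public function wrongArgumentType(): ?User
    {
        return $this->db->find('42');
    }

    // Level 6: iterable parameter without a value type (array instead of array<int>).
    public function missingValueType(array $ids): int
    {
        return count($ids);
    }

    // Level 8: property access on a possibly-null value.
    public function nullDereference(int $id): string
    {
        return $this->db->find($id)->email;
    }

    // Passes at every level: the nullable result is handled explicitly.
    public function emailOf(int $id): string
    {
        $user = $this->db->find($id);
        if ($user === null) {
            throw new RuntimeException("No user with id $id");
        }

        return $user->email;
    }
}
```

At level 0 only `undefinedMethod()` is reported; the null dereference in `nullDereference()`, the kind of bug that otherwise surfaces as a runtime error in production, is not seen until level 8. That gap is what makes a level-0 run in CI feel like coverage without providing it.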

Code Examples

✗ Vulnerable
// PHPStan finds this type error before runtime (reported from level 3 upward):
class UserRepository
{
    /** @var Database */
    private $db;
    public function getUser(int $id): User
    {
        $result = $this->db->find($id); // Database::find() returns User|null
        return $result;                  // PHPStan error: User|null is not assignable to User
        // Fix: add a null check or change the return type to ?User
    }
}
✓ Fixed
# Static analysis — finds bugs without running code

# PHPStan — type checking, dead code, undefined variables
$ vendor/bin/phpstan analyse src/ --level=6
# Level 0 = basic | Level 9 = strictest

# Psalm — type inference + taint analysis
$ vendor/bin/psalm
$ vendor/bin/psalm --taint-analysis   # tracks user input to dangerous sinks

# PHP_CodeSniffer — coding standards
$ vendor/bin/phpcs --standard=PSR12 src/

# PHP Mess Detector — complexity, unused code
$ vendor/bin/phpmd src/ text cleancode,codesize,controversial,design

# Integrate all into CI: each runs on every PR — failures block merge

# PHPStan baseline — acknowledge existing issues, block new ones:
$ vendor/bin/phpstan analyse --generate-baseline

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity

🟡 Severity: Medium. ⚙ Fix effort: Medium

⚡ Quick Fix: Run PHPStan at level 6+ in CI and fail the build on any error — start at level 0 and work up incrementally on existing codebases

📦 Applies To: PHP 7.1+ (web, cli, queue-worker)

🔍 Detection Hints: No PHPStan or Psalm in CI pipeline; type errors only discovered at runtime. Auto-detectable: ✓ Yes (phpstan, psalm, rector)

🤖 AI Agent: Confidence: Medium; False Positives: Medium; ✓ Auto-fixable; Fix: Low; Context: File