{
    "slug": "static_analysis",
    "term": "Static Analysis",
    "category": "general",
    "difficulty": "intermediate",
    "short": "Automated inspection of source code without execution to find type errors, security issues, dead code, and style violations.",
    "long": "PHP static analysis tools include PHPStan (type inference and level-based strictness), Psalm (advanced type system, taint analysis for security), PHP_CodeSniffer (coding standards), PHP-CS-Fixer (auto-corrects style), and PHPMD (mess detector). PHPStan/Psalm can find type errors, undefined variables, null dereferences, and incorrect function signatures without running code. Taint analysis in Psalm traces user-supplied (tainted) data through the application to find paths on which it reaches injection sinks without being sanitised. Integrate static analysis in CI at the highest level the codebase tolerates, incrementally increasing strictness.",
    "aliases": [
        "SAST",
        "static code analysis",
        "PHPStan Psalm"
    ],
    "tags": [
        "general",
        "quality",
        "security",
        "testing",
        "tools"
    ],
    "misconception": "Static analysis only catches style issues and code smells. Modern static analysers (PHPStan, Psalm) perform full type inference, detect null dereferences, unreachable code, incorrect method signatures, and security-relevant patterns — they catch logic errors that would only appear at runtime.",
    "why_it_matters": "Static analysis finds bugs, type errors, and security issues without executing code — it catches entire categories of problems at development time that would otherwise reach production.",
    "common_mistakes": [
        "Running PHPStan/Psalm at level 0 and assuming that counts as static analysis — the maximum level catches the most issues.",
        "Not running static analysis in CI — developers disable it locally and analysis never runs.",
        "Ignoring analysis warnings by suppressing them rather than fixing the underlying issue.",
        "Not using baseline files for legacy codebases — running analysis for the first time produces thousands of errors; baseline lets you fix incrementally."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "code_review",
        "continuous_integration",
        "cyclomatic_complexity"
    ],
    "prerequisites": [
        "phpstan",
        "psalm_annotations",
        "strict_types"
    ],
    "refs": [
        "https://phpstan.org/",
        "https://psalm.dev/"
    ],
    "bad_code": "// A type error that PHPStan catches before runtime:\nfunction getUser(int $id): User {\n    $result = $this->db->find($id); // Returns User|null\n    return $result;                  // PHPStan error: null not assignable to User\n    // Fix: add null check or change return type to ?User\n}",
    "good_code": "// Static analysis — finds bugs without running code\n\n// PHPStan — type checking, dead code, undefined variables\n$ vendor/bin/phpstan analyse src/ --level=6\n// Level 0 = basic | Level 9 = strictest\n\n// Psalm — type inference + taint analysis\n$ vendor/bin/psalm\n$ vendor/bin/psalm --taint-analysis  // tracks user input to dangerous sinks\n\n// PHP_CodeSniffer — coding standards\n$ vendor/bin/phpcs --standard=PSR12 src/\n\n// PHP Mess Detector — complexity, unused code\n$ vendor/bin/phpmd src/ text cleancode,codesize,controversial,design\n\n// Integrate all into CI:\n// Each runs on every PR — failures block merge\n\n// PHPStan baseline — acknowledge existing issues, block new ones:\n$ vendor/bin/phpstan --generate-baseline",
    "quick_fix": "Run PHPStan at level 6+ in CI and fail the build on any error — start at level 0 and work up incrementally on existing codebases",
    "severity": "medium",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/static_analysis",
        "html_url": "https://codeclaritylab.com/glossary/static_analysis",
        "json_url": "https://codeclaritylab.com/glossary/static_analysis.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Static Analysis](https://codeclaritylab.com/glossary/static_analysis) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/static_analysis"
            }
        }
    }
}