Why Static Code Scanning Matters for PHP and How to Do It
This article explains what static code scanning is, why PHP projects especially need it due to weak typing, runtime compilation and dependency complexity, compares popular tools like PHPStan, PHPSA and Phan, and shows how to integrate scanning into a release workflow.
What Is Static Scanning?
Static scanning (also called static analysis) examines source code without executing it, using lexical analysis, syntax analysis, and abstract syntax tree (AST) techniques to verify compliance with standards, security, reliability, and maintainability criteria.
Why PHP Projects Need Static Scanning
Weak typing and lack of type declarations (PHP 7 introduced type hints).
Interpreted language that is compiled at run time (just‑in‑time), so many errors surface only when the code is executed.
Rich package ecosystem and deep recursive dependencies.
“Weak‑type (generic return) mistakenly treats an array as an object.”
“Missing return‑type declaration leads to treating an object as an array.”
“Class inheritance can override member visibility levels.”
Version compatibility issues
Legacy code often runs on older PHP versions, causing syntax or function incompatibilities that only surface in production.
“PHP’s runtime compilation brings speed but also hidden risks.”
Small PHP projects can be updated by simply overwriting files, which is fast but can hide subtle compilation‑time hazards.
PHP is described as “a pretty boy like the wind” – fast to write, but with weak type constraints, high risk, and heavy reliance on arrays, lacking strong object‑oriented design.
PHP 7 introduced parameter and return type declarations, improving code safety.
“PHP 7.4 class member type declarations.”
“PHP parsing interactive example.” In the three code snippets shown, why does a.php miss an error while b.php catches it?
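The weak‑typing mistake quoted above (an untyped return lets an array be treated as an object) next to the PHP 7 typed form that static scanners catch, as an added example that is not taken from the talk; the class and function names are constructed for illustration:

```php
<?php
declare(strict_types=1);

// Added example (not from the original talk): the "missing return type
// treats an array as an object" mistake, then the PHP 7 typed fix.
// User, findUser and findUserTyped are constructed names for illustration.

final class User
{
    public string $name;                    // PHP 7.4 typed property
    public function __construct(string $name) { $this->name = $name; }
}

// Untyped lookup: returns a User on a hit but an array on a miss.
// The signature gives the caller, and the parser, no hint of this.
function findUser(array $users, string $name)
{
    foreach ($users as $u) {
        if ($u->name === $name) {
            return $u;
        }
    }
    return ['error' => 'not found'];        // array, not an object
}

// Typed lookup: the declared return type makes the miss case explicit.
// Returning an array here is a type mismatch that Phan or PHPStan report
// before deployment, and that PHP 7+ rejects at run time.
function findUserTyped(array $users, string $name): ?User
{
    foreach ($users as $u) {
        if ($u->name === $name) {
            return $u;
        }
    }
    return null;
}

$users = [new User('alice')];               // constructed sample data

// Miss with the untyped function: $hit is an array, so the property read
// below is the slide's bug (notice in PHP 7, warning in PHP 8, value null).
$hit = findUser($users, 'bob');
echo $hit->name, PHP_EOL;

// Miss with the typed function: null is the only non-User value possible,
// so the caller is forced to handle it explicitly.
$hit = findUserTyped($users, 'bob');
echo $hit === null ? '(no such user)' : $hit->name, PHP_EOL;
```

Run the file once with and once without the return type declaration to see the difference: the untyped version only complains at run time, the typed version is flagged by the scanner before the code is ever executed.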
Evolution of PHP Package Management
Since 2012, Composer has become the dominant dependency manager for PHP projects.
Risks Behind Large PHP Projects
A Laravel blog can generate ~5,900 PHP files and 470k lines of code, making manual review infeasible; automated syntax checking and type inference become essential.
Tool Selection – PHPStan
PHPStan is a static analysis tool for PHP with a VS Code extension, though it may feel sluggish.
Tool Selection – PHPSA
PHPSA is similar to PHPStan and enjoys many forks and followers.
Tool Selection – Phan
Phan has the most followers, also offers a VS Code plugin, and works by parsing the AST generated after lexical and syntax analysis.
Building Your Own Analyzer with PHP‑Parser
The author of Phan also created PHP‑Parser, which converts PHP syntax trees into array structures.
Phan relies on the php-ast extension; after installing the extension, the tool can be installed.
Simple Scanning with Phan
The following screenshots illustrate a basic Phan scan script for a small PHP project.
Project‑Level Scanning with Phan
For Composer‑based projects, Phan can be run at the project level to generate detailed error reports.
Release Practice Incorporating Static Scanning
The release pipeline is split into pre‑release and production stages. Pre‑release includes build, admission, deployment, integration testing, and verification; static scanning is placed in the integration testing step.
“Integration testing covers unit tests, API tests, static code scanning, security testing, and performance testing.”
Code can be synchronized to a dedicated static‑scan cluster, allowing shared scanning resources across many projects and keeping the build system isolated.
PHP as an Art Form
PHP started as a simple, easy‑to‑use language but has accumulated quirks and risks; like a toy that can be upgraded into a sophisticated vehicle, mastering PHP can turn it into an art.