Inspection Tools
What is the state of the codebase?
Before you even start changing code, you should first try to get a good feel for the codebase. Is it well tested? Does it have any tests at all? What is the code coverage? What is the coverage quality? Is it using modern PHP features? Does it use consistent code style? Is it up to date? Are there any security issues?
Static Analysis Tools
With PHP offering more and more type declaration possibilities and the introduction of enums, PHP static analysis tools have become more useful and more widespread. Below are just some of the more popular examples, but many more are available.
Furthermore, you shouldn't waste time on fixing code style or avoidable wrong return type issues in code reviews. The code style should be a decision made by the team. Perhaps you're not crazy about all of them, but consistency is key here. It's better to have a consistent code style than a "perfect" one. And the more a tool can take over the grunt work of making a codebase consistent, the better. That gives you more time to focus on functionality and architecture.
PHPStan
PHPStan is a static analysis tool for PHP that aims to discover bugs and inconsistencies in your code without running it. It analyzes the code itself, looking for issues such as type inconsistencies, undeclared variables, incorrect method calls, and more. PHPStan works by parsing your PHP files to understand the structure and dependencies of your code, then applies various rules to identify problems.
It is highly configurable, and you can start at a lower level of strictness and increase the level as you get more comfortable with the tool and your own code. PHPStan can be integrated into your development workflow or CI/CD pipeline to automate code checks.
Furthermore, it has some helpful extensions in case you want to dig deeper into a library such as Symfony or Doctrine.
- PHPStan
- PHPStan Pro to support the developer
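As an added example (not code from this page or from the PHPStan project), here is the kind of defect PHPStan reports without running anything: a method that may return null is used as if it never did. The class and function names are made up for the illustration; PHPStan is assumed to run with `level: 8` or higher in `phpstan.neon` (the level at which property access and method calls on nullable types are reported) and `paths: [src]`.

```php
<?php

declare(strict_types=1);

// Added example, not code from the page. User and UserRepository are hypothetical.

final class User
{
    public function __construct(public readonly string $email)
    {
    }
}

final class UserRepository
{
    /** @var array<int, User> */
    private array $users = [];

    public function add(int $id, User $user): void
    {
        $this->users[$id] = $user;
    }

    // Returns null when the id is unknown; the nullable return type says so explicitly.
    public function find(int $id): ?User
    {
        return $this->users[$id] ?? null;
    }
}

// Before: PHPStan (level 8) reports the access of property $email on User|null.
// At runtime an unknown id would be a fatal error (property read on null).
function emailOfBefore(UserRepository $repo, int $id): string
{
    return $repo->find($id)->email;
}

// After: the missing-user case is handled and the signature is honest about it.
// PHPStan has nothing to report, and the caller has to decide what an unknown
// id means instead of the application crashing.
function emailOfAfter(UserRepository $repo, int $id): ?string
{
    return $repo->find($id)?->email;
}

// Usage of the corrected version with constructed sample data.
$repo = new UserRepository();
$repo->add(1, new User('alice@example.com'));

var_dump(emailOfAfter($repo, 1));
var_dump(emailOfAfter($repo, 2));
```

Running `vendor/bin/phpstan analyse` with that configuration flags `emailOfBefore` and accepts `emailOfAfter`; lowering the level in `phpstan.neon` hides the finding again, which is exactly why the text suggests raising the level step by step rather than starting at the top.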
Alternative to PHPStan: Psalm
It has a similar purpose to PHPStan, and I used both in the beginning, but now I prefer PHPStan, because it's more popular (which in this case means more support) and because it's maintained by someone very active in the PHP community. Psalm, on the other hand, is "owned" by a single company (Psalm comes from the video platform Vimeo). You can of course always fork it, but all other things being equal, I prefer tools that are more community-driven.
In addition to PHPStan / Psalm: PHP_CodeSniffer
PHP_CodeSniffer is a static analysis tool that checks PHP code against a set of coding standards. So this is more about formatting and code style than about finding bugs. It is useful if you want to enforce a specific coding style across your codebase, especially as your team keeps growing.
It's not about being "nitpicky" about code style; it's about not wasting resources on discussing code style in code reviews and about making the codebase more readable and maintainable for everyone. Don't waste your brain's computation cycles on code style.
PHPStan vs. Psalm vs. PHP_CodeSniffer
I'd say it's a personal (or team) choice which one (or two) to choose. If you're uncertain, why not try all three (PHPStan, Psalm, and PHP_CodeSniffer) and see which one you like best? A sensible default might be one of PHPStan or Psalm for finding bugs and inconsistencies and PHP_CodeSniffer for code style. (There are other tools of course, such as PHPMD, but the above should be a good foundation and you can always change later.)
Tools that fix your code
php-cs-fixer
PHP-CS-Fixer, also known as PHP Coding Standards Fixer, is a tool designed to enforce coding standards in PHP codebases. It can automatically correct code to follow predefined coding standards, such as PSR-1, PSR-2, or community- or project-specific rules (such as Symfony's). Developers can use PHP-CS-Fixer to ensure consistency across a project, improve readability, and comply with industry standards. It supports a wide range of fixes, from basic syntax to complex language features, and can be integrated into development workflows or CI/CD pipelines for automated checks. PHP-CS-Fixer is highly configurable, allowing teams to tailor the ruleset to their specific needs.
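An added example configuration for PHP-CS-Fixer (not the page's or the project's own file): a `.php-cs-fixer.dist.php` that combines the PSR-12 and Symfony rule sets with two "risky" rules. The directory layout (`src/`, `tests/`) and the rule selection are assumptions for a typical Symfony-style project.

```php
<?php

// .php-cs-fixer.dist.php, an added example configuration (not from the page).
// Paths and the rule selection are assumptions for a project with code under
// src/ and tests/.

$finder = PhpCsFixer\Finder::create()
    ->in([__DIR__ . '/src', __DIR__ . '/tests'])
    ->exclude('var');

return (new PhpCsFixer\Config())
    // "Risky" rules may change behaviour, so they are off by default. The two
    // enabled below are worth it: loose comparisons and implicit type juggling
    // are a classic source of subtle, hard-to-review bugs.
    ->setRiskyAllowed(true)
    ->setRules([
        '@PSR12' => true,
        '@Symfony' => true,
        'declare_strict_types' => true,   // risky: adds declare(strict_types=1) to every file
        'strict_comparison' => true,      // risky: == becomes ===, != becomes !==
        'array_syntax' => ['syntax' => 'short'],
        'no_unused_imports' => true,
        'ordered_imports' => ['sort_algorithm' => 'alpha'],
    ])
    ->setFinder($finder);

// Typical use:
//   vendor/bin/php-cs-fixer fix                    # rewrite files locally
//   vendor/bin/php-cs-fixer fix --dry-run --diff   # in CI: fail on violations and show the diff
```

Because the risky rules rewrite semantics (a `==` that relied on juggling will behave differently as `===`), run the fixer once on a separate branch, review that diff as carefully as any other change, and only then make `--dry-run` a blocking CI step.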
Rector
Rector is an automated PHP upgrading and refactoring tool that helps developers improve their codebase with ease. It focuses on transforming PHP code to adhere to modern coding standards, upgrade legacy applications to newer versions of PHP, and apply best practices and design patterns. Rector works by analyzing your code's abstract syntax tree (AST) to understand its structure and semantics, then applies predefined rules to refactor the code. Rules can cover a wide range of improvements, from syntax upgrades and type declarations to smaller architecture changes. It streamlines the upgrade process, making it faster, more efficient, and less error-prone. With the help of Rector, you can also increase type coverage and raise your PHPStan level more quickly.
I use Rector extensively, but I still check all the changes before I merge them into the codebase. Sometimes there is a specific reason I wasn't as strict about a certain rule. And sometimes I just want to understand why it made a change (and I can learn in the process).
- Rector
- Rector - The Power of Automated Refactoring (Leanpub Book)
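An added example `rector.php` (not the page's or the Rector project's own file) showing how the upgrade and type-declaration sets mentioned above are selected, and how the review-before-merge workflow maps onto Rector's `--dry-run` flag. It assumes Rector 1.x with the closure-style configuration; the paths, the target PHP version and the skipped directory are assumptions.

```php
<?php

// rector.php, an added example configuration (not from the page or from Rector).
// Assumes Rector 1.x; paths, target PHP version and skipped directories are
// assumptions for a project with code under src/ and tests/.

use Rector\Config\RectorConfig;
use Rector\Set\ValueObject\LevelSetList;
use Rector\Set\ValueObject\SetList;

return static function (RectorConfig $rectorConfig): void {
    $rectorConfig->paths([
        __DIR__ . '/src',
        __DIR__ . '/tests',
    ]);

    $rectorConfig->sets([
        // Upgrade syntax step by step up to the PHP version the project runs on.
        LevelSetList::UP_TO_PHP_82,
        // Add parameter, property and return type declarations where Rector can
        // infer them; this is what raises type coverage and lets you climb
        // PHPStan levels faster.
        SetList::TYPE_DECLARATION,
        SetList::DEAD_CODE,
        SetList::CODE_QUALITY,
    ]);

    // Leave generated or vendored code alone (hypothetical path).
    $rectorConfig->skip([
        __DIR__ . '/src/Legacy/Generated',
    ]);

    // Reuse PHPStan's configuration so both tools see the same types.
    $rectorConfig->phpstanConfig(__DIR__ . '/phpstan.neon');
};

// Review before merging, as the text recommends:
//   vendor/bin/rector process --dry-run   # show the proposed diff without writing files
//   vendor/bin/rector process             # apply the changes
```

Start with one set at a time (for example only `LevelSetList::UP_TO_PHP_82`) and add the others in later runs; each run then produces a diff that is small enough to actually read, which is what makes the "check all the changes" habit practical.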
Code Quality Tools
SymfonyInsight
SymfonyInsight (formerly SensioLabsInsight) is a quality assurance service designed for PHP and Symfony projects. It automatically analyzes your code to detect security risks, code smells, outdated libraries, and possible performance issues. It also gives you a severity level for each problem. Where PHPStan or php-cs-fixer presents all problems as one long list, SymfonyInsight tells you whether a problem is potentially critical or just minor. It's at a good price point and not too hard to set up. I myself use it on and off (e.g. active for 3-6 months while I'm deep into refactoring or cleaning up a project), depending on which phase of a project I'm in. It's not as expensive as many of the other non-free tools, so you should definitely give it a go and see if this is a tool you'd like to use long-term.
Dependabot
Dependabot is a tool that automates dependency updates for your projects. It can monitor your project's dependencies and automatically create pull requests to update them when new versions are available. It supports many package managers, so you can even monitor Composer and npm dependencies at the same time. It can be integrated into your development workflow or CI/CD pipeline to automate dependency updates and ensure that your project always uses the latest versions of its dependencies. Dependabot is owned by GitHub (which is owned by Microsoft) and is free to use (and is available pretty much directly, if you use GitHub).
Alternative: Renovate
Renovate is similar to Dependabot. It isn't built into GitHub, but it's also free and has a good reputation. The Renovate team has written a helpful comparison showing how they are better than Dependabot. I've not used it myself, but will take a look soon and update this page once I have.
Profiling and Performance Insights
Symfony Profiler
The Symfony Profiler is a powerful tool that provides detailed information about each request. For security reasons alone, you should only enable it in development environments: it exposes request data, configuration and application internals that must not be reachable in production. But it gives great insight into the resources used (e.g. number of database queries, memory usage, etc.) and the time it took to render a page.
Tideways
Tideways offers monitoring, profiling, and exception tracking for insight into application performance. It analyzes performance continuously, so you can identify and fix slow spots, get notified of errors, and prevent interruptions to the user experience.
blackfire.io
blackfire.io is a profiling and performance insights tool for PHP applications. It has recently expanded to also include performance monitoring and has increased its pricing along with it. Since I don't know the new version of the tool, you need to check whether it's worth it for you. The old version was really good at getting insight into performance issues. But for now I will move to using the free Symfony Profiler, since I mostly work on smaller projects; 1.900 € per year for the production version is currently too pricey when I already use other tools that cover my most important needs.