PHP Development Tools

PHP Development Tools

On June 10, 2021, Ben Ramsey presented "Good Developer Experiences" at the virtual PHP meet-up for GTA-PHP, York Region PHP, and for Laravel Toronto. I am lead organizer for these groups.

The videos for this presentation:
* part one
* part two

Ben's slidedeck for his presentation ( included about 70 links to PHP tools. Thank you Ben for putting this list together!

As I was going to look at each link anyways, and to put the links in a more convenient place, I compiled Ben's links here. I sprinkled a few of my own in there.

Ben's presentation looked at Captain Hook. I originally mis-understood this FOSS as using web hooks. Oh no, this is about Git Hooks. Very interesting repo!

Simple, modern and intuitive unit testing framework for PHP. It is completely standalone, everything is available and works out of the box.

An open source Behavior-Driven Development framework for PHP. It is a tool to support you in delivering software that matters through continuous communication, deliberate discovery and test-automation.

bitExpert's Captainhook Infection
This package provides an action for Captain Hook which will invoke InfectionPHP for all changed files of a commit. Running Infection only against the changed files will result in a faster execution of Infection which is ideal when running it as a pre-commit hook.

Captain Hook
CaptainHook is an easy to use and very flexible git hook library for php developers.

It enables you to configure your git hook actions in a simple json file.

You can use CaptainHook to validate or prepare your commit messages, ensure code quality or run unit tests before you commit or push changes to git. You can automatically clear local caches or install the latest composer dependencies after pulling the latest changes.

CaptainHook makes it easy to share hooks within your team and even can make sure that everybody in your team activates the hooks locally.

You can run cli commands, use some built in validators, or write your own PHP classes that get executed by CaptainHook.

Code Scrawl
Generate documentation for code in multiple languages. A documentation generation framework with some built-in extensions for exporting comments and code, and importing into markdown.

Codeception collects and shares best practices and solutions for testing PHP web applications. With a flexible set of included modules tests are easy to write, easy to use and easy to maintain.

composer outdated-D
The outdated command shows a list of installed packages that have updates available, including their current and latest versions. This is basically an alias for composer show -lo.

composer validate
You should always run the validate command before you commit your composer.json file, and before you tag a release. It will check if your composer.json is valid.

See what packages have changed after you run composer update by comparing composer.lock to the the git HEAD.

Provides a composer plugin for normalizing composer.json.

A Composer tool to show unused Composer dependencies by scanning your code.

Composer Require Checker
A CLI tool to analyze composer dependencies and verify that no unknown symbols are used in the sources of a package. This will prevent you from using "soft" dependencies that are not defined within your composer.json require section.

"Soft" (or transitive) dependencies are code that you did not explicitly define to be there, but use it nonetheless. The opposite is a "hard" (or direct) dependency.

Your code most certainly uses external dependencies. Imagine that you found a library to access a remote API. You require thatvendor/api-lib for your software and use it in your code. This library is a hard dependency.

Then you see that another remote API is available, but no library exists. The use case is simple, so you look around and find that guzzlehttp/guzzle (or any other HTTP client library) is already installed, and you use it right away to fetch some info. Guzzle just became a soft dependency.

Then some day, when you update your dependencies, your access to the second API breaks. Why? Turns out that the reason guzzlehttp/guzzle was installed is that it is a dependency of thatvendor/api-lib you included, and their developers decided to update from an earlier major version to the latest and greatest, simply stating in their changelog: "Version 3.1.0 uses the lates major version of Guzzle - no breaking changes expected."

And you think: What about my broken code?

Composer-require-checker parses your code and your composer.json-file to see whether your code uses symbols that are not declared as a required library, i.e. that are soft dependencies. If you rely on components that are already installed, but you didn't explicitly request them, this tool will complain about them, and you should require them explicitly, making them hard dependencies. This will prevent unexpected updates.

In the situation above you wouldn't get the latest update of thatvendor/api-lib, but your code would continue to work if you also required guzzlehttp/guzzle before the update.

The tool will also check for usage of PHP functions that are only available if an extension is installed, and will complain if that extension isn't explicitly required.

Danger PHP
Danger runs during your CI process, and gives teams the chance to automate common code review chores. This project ports Danger to PHP. This project is still in the early phase. Feel free to try it out and contribute!

Currently only Github and Gitlab are supported as Platform

Detect flaws in your architecture before they drag you down into the depths of dependency hell. Over the course of a project, we usually keep adding more and more dependencies. Often hidden behind singletons or service locators, these dependencies can quickly become a maintenance (and testing!) nightmare.

dePHPend analyses your app and attempts to find everything you depend on.

With this information you can:
* get a quick overview of how an application is structured
* start refactoring where it's needed the most
* track architecture violations (maybe your view shouldn't be telling the model what to do?)
* find out why your changes are breaking tests

Deptrac is a static code analysis tool for PHP that helps you communicate, visualize and enforce architectural decisions in your projects. You can freely define your architectural layers over classes and which rules should apply to them.

For example, you can use Deptrac to ensure that bundles/modules/extensions in your project are truly independent of each other to make them easier to reuse.

Deptrac can be used in a CI pipeline to make sure a pull request does not violate any of the architectural rules you defined. With the optional Graphviz formatter you can visualize your layers, rules and violations.

doctrine orm:validate-schema
For performance reasons Doctrine ORM has to skip some of the necessary validation of metadata mappings. You have to execute this validation in your development workflow to verify the associations are correctly defined.

HTTP API Testing Framework. Dredd is a language-agnostic command-line tool for validating API description document against backend implementation of the API.

Dredd reads your API description and step by step validates whether your API implementation replies with responses as they are described in the documentation. Supported API description formats:
* API Blueprint
* OpenAPI 2 (formerly known as Swagger)
* OpenAPI 3 (experimental, contributions welcome!)

Exakat is a real time customizable static analyzer engine for all PHP 5.2 to PHP 8.0-dev Applications for better Quality, Security, Performance and Documentation

Sick and tired of defending code quality over and over again? GrumPHP will do it for you. This composer plugin will register some git hooks in your package repository. When somebody commits changes, GrumPHP will run some tests on the committed code. If the tests fail, you won't be able to commit your changes. This handy tool will not only improve your codebase, it will also teach your co-workers to write better code following the best practices you've determined as a team.

Infection is a PHP mutation testing framework based on AST (Abstract Syntax Tree) mutations. It works as a CLI tool and can be executed from your project’s root.

Mutation Testing is a fault-based testing technique which provides a testing criterion called the Mutation Score Indicator (MSI). The MSI can be used to measure the effectiveness of a test set in terms of its ability to detect faults.

Mutation testing involves modifying a program in small ways. Each mutated version is called a Mutant. To assess the quality of a given test set, these mutants are executed against the input test set to see if the seeded faults can be detected. If mutated program produces failing tests, this is called a killed mutant. If tests are green with mutated code, then we have an escaped mutant.

Test suites are measured by the percentage of mutants that they kill. New tests can be designed to kill additional mutants.

Mutants are based on well-defined Mutators (mutation operators) that either mimic typical programming errors (such as using the wrong operator or variable name) or force the creation of valuable tests (such as dividing each expression by zero)

This project is a Github Action that allows maintainers of open-source projects that follow SemVer to automate the automation of releases.

A Liberating Dev Tool For All Your Projects. Free yourself from the mind-forged manacles of lesser dev tools. Save time, headaches, frustration and do more real work.

PHPStan wrapper for Laravel. Larastan focuses on finding errors in your code without actually running it. It catches whole classes of bugs even before you write tests for the code.
* Adds static typing to Laravel to improve developer productivity and code quality
* Supports most of Laravel's beautiful magic
* Discovers bugs in your code without running it

Latte syntax checker
This library helps to find erros in latte template files, it can be used in CI tools.

This library offers a simple CLI tool to show the licenses used by composer dependencies in your project. These licenses can be be verified against a list of allowed licenses to offer a way for your continuous integration pipeline to block merging when a non-verified license is being introduced to the codebase.

Every project needs documentation which is usually accompanied by code snippets that show how a component is integrated. The problem is how does the project ensure that this code runs and that the code is up to date? Then this is your tool.

Markdown Link Linter
Simple command line tool that aims to detect invalid links in markdown files.

Easy installation of PHP extensions in official PHP Docker images.

This repository contains a script that can be used to easily install a PHP extension inside the official PHP Docker images.

The script will install all the required APT/APK packages; at the end of the script execution, the no-more needed packages will be removed so that the image will be much smaller.

Neon Checker
This library helps to find errors in neon files, it can be used in CI tools.

Nette Object Notation (NEON)
NEON is a human-readable structured data format. In Nette, it is used for configuration files. It is also used for structured data such as settings, language translations, etc.

NEON stands for Nette Object Notation. It is less complex and ungainly than XML or JSON, but provides similar capabilities. It is very similar to YAML. The main advantage is that NEON has so-called entities. Allows tabs for indentation.

NEON is built from the ground up to be simple to use.

Parse: A PHP Security Scanner
The Parse scanner is a static scanning tool to review your PHP code for potential security-related issues. A static scanner means that the code is not executed and tested via a web interface (that's dynamic testing). Instead, the scanner looks through your code and checks for certain markers and notifies you when any are found.

For example, you really shouldn't be using eval in your code anywhere if you can help it. When the scanner runs, it will parse down each of your files and look for any eval() calls. If it finds any, it adds that match to the file and reports it in the results.

Pest is a Testing Framework with a focus on simplicity. It was carefully crafted to bring the joy of testing to PHP.

Phan is a static analyzer for PHP that prefers to minimize false-positives. Phan attempts to prove incorrectness rather than correctness.

Phan looks for common issues and will verify type compatibility on various operations when type information is available or can be deduced. Phan has a good (but not comprehensive) understanding of flow control and can track values in a few use cases (e.g. arrays, integers, and strings).

Phinx: SImple PHP Database Migrations
Most database migration tools are framework dependent, complicated, confusing to install/configure and a pain in the ass to write migrations for. In less than 5 minutes you can install Phinx, create and execute your first migration.

Phinx supports migrations written in both PHP and SQL. Use the PHP syntax to make your migrations portable between different database vendors or hand-code advanced queries. It's your choice.

The PHAR Installation and Verification Environment (PHIVE)

Adding all the required tools like PHPUnit, PHPMD and phpDox in their matching versions to a project used to be a lot of repetitive work: Started by finding the download URL, figuring out what the actually correct and matching version is followed by verifying the SHA1 and GPG signatures and making the archive executable. And of course you’d have to repeat this very thing for every tool needed.

Alternatively, you could have used composer. Only to clutter your project’s dependencies with the ones of your tools. And fight their potential dependency conflicts.

Now you can rely on PHIVE to install and manage your project’s tooling needs without all the hassle and without cluttered dependencies.

The list of command line options provided by the PHP binary can be queried at any time by running PHP with the -h switch. In

PHP Architecture Tester
PHP Architecture Tester is a static analysis tool to verify architectural requirements.

It provides a natural language abstraction to define your own architectural rules and test them against your software. You can also integrate phpat easily into your toolchain.

There are four groups of supported assertions: Dependency, Inheritance, Composition and Mixin.

PHP Copy/Paste Detector
phpcpd is a Copy/Paste Detector (CPD) for PHP code.

PHP CS Fixer
The PHP Coding Standards Fixer (PHP CS Fixer) tool fixes your code to follow standards; whether you want to follow PHP coding standards as defined in the PSR-1, PSR-2, etc., or other community driven ones like the Symfony one. You can also define your (team's) style through configuration.

It can modernize your code (like converting the pow function to the ** operator on PHP 5.6) and (micro) optimize it.

If you are already using a linter to identify coding standards problems in your code, you know that fixing them by hand is tedious, especially on large projects. This tool does not only detect them, but also fixes them for you.

PHP Extensions Finder
PHP Extensions Finder for Composer finds which PHP extensions are required by source code.

PHP Insights
PHP Insights was carefully crafted to simplify the analysis of your code directly from your terminal, and is the perfect starting point to analyze the code quality of your PHP projects.

PHP Magic Number Detector
Detect magic numbers in your PHP code. By default 0 and 1 are not considered to be magic numbers.

A magic number is a numeric literal that is not defined as a constant, but which may change at a later stage, and therefore can be hard to update. It's considered a bad programming practice to use numbers directly in any source code without an explanation. In most cases this makes programs harder to read, understand, and maintain.

PHP Mess Detector
PHPMD is a spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD. PHPMD can be seen as a user friendly and easy to configure frontend for the raw metrics measured by PHP Depend.

What PHPMD does is: It takes a given PHP source code base and look for several potential problems within that source. These problems can be things like:
* Possible bugs
* Suboptimal code
* Overcomplicated expressions
* Unused parameters, methods, properties

PHPMD is a mature project and provides a diverse set of pre defined rules (though may be not as many its Java brother PMD) to detect code smells and possible errors within the analyzed source code. Checkout the rules section to learn more about all implemented rules.

PHP Parallel Lint
his application checks syntax of PHP files in parallel. It can output in plain text, colored text, json and checksyntax formats. Additionally blame can be used to show commits that introduced the breakage.

PHP Quality Assuance
Looking for ways to make your PHP code even better? Find the projects that can help you.

PHP Security Advisories Database
The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption.

PHP VarDump Check
PHP console application for find forgotten variable dump. Support PHP build in method print_r, var_dump and var_export method and also method from Tracy debugger, Ladybug, Symfony, Laravel, Doctrine and Zend Framework.

PHP Bench
PHPBench is a benchmark runner for PHP analogous to PHPUnit but for performance rather than correctness.

Features include:
* Revolutions: Repeat your code many times to determine average execution time.
* Iterations: Sample your revolutions many times and review aggregated statistical data.
* Process Isolation: Each iteration is executed in a separate process.
* Reporting: Customizable reports and various output formats (e.g. console, CSV, Markdown, HTML).
* Report storage and comparison: Store benchmarks locally to be used as a baseline reference, or to reference them later.
* Memory Usage: Keep an eye on the amount of memory used by benchmarking subjects.
* Assertions: Assert that code is performing within acceptable limits, or that it has not regressed from a previously recorded baseline.

PHP Compatibility
This is a set of sniffs for PHP CodeSniffer that checks for PHP cross-version compatibility. It will allow you to analyse your code for compatibility with higher and lower versions of PHP.

PHP CS Extra
PHPCSExtra is a collection of sniffs and standards for use with PHP_CodeSniffer.

phpDocumentor is the de-facto documentation application for PHP projects. Your project can benefit too from more than 20 years of experience and setting the standard for documenting PHP Applications.

PHP Documentation Generator. phpDox is "the" documentation generator for PHP projects. This includes, but is not limited to, API documentation.

PHPStan finds bugs in your code without writing tests.

Phpsu: Synchronisation Utility
Phpsu: Synchronisation Utility: File and Database

PHPUnit is a programmer-oriented testing framework for PHP. It is an instance of the xUnit architecture for unit testing frameworks.

PHP_CodeSniffer is a set of two PHP scripts; the main phpcs script that tokenizes PHP, JavaScript and CSS files to detect violations of a defined coding standard, and a second phpcbf script to automatically correct coding standard violations. PHP_CodeSniffer is an essential development tool that ensures your code remains clean and consistent.

Opinionated code formatter. There is a PHP plugin. Works in many editors.

Psalm is a free & open-source static analysis tool that helps you identify problems in your PHP code, so you can sleep a little better.

Psalm helps people maintain a wide variety of codebases – large and small, ancient and modern. On its strictest setting it can help you prevent almost all type-related runtime errors, and enables you to take advantage of safe coding patterns popular in other languages.

Psalm also fixes bugs automatically, allowing you to improve your code without breaking a sweat.

Psalm is a Vimeo open source project.

ramsey/composer-install is a GitHub Action to streamline installation of Composer dependencies in workflows. It installs your Composer dependencies and caches them for improved build times.

This Composer plugin provides the composer repl command.

REPL stands for read-eval-print loop. It's a language shell that reads user input, evaluates the input using a programming language (in this case, PHP), and prints the output to the screen. Then, it returns to the read state (that's the loop part).

PsySH is the REPL providing the magic behind ramsey/composer-repl. PsySH is a language shell for PHP. It's similar to irb for Ruby, IPython for Python, and JShell for Java. In addition to acting as a language shell, PsySH can also function as an interactive debugger and development console. Laravel Tinker, Drush for Drupal, WP-CLI shell for WordPress, CakePHP console, and Yii shell are a few of the projects using PsySH.

PHP library for creating and validating commit messages according to the Conventional Commits specification. It also includes a CaptainHook plugin.

I created this Composer plugin because I got tired of making changes to development tools and scripts in my repositories, only to find I liked the change so much, I now needed to apply it to all my repositories. This is an effort to consolidate and simplify.

These tools might not be for you, and that's okay.

Maybe these tools help a lot, but you have different needs. That's also okay. You may create your own devtools, requiring ramsey/devtools-lib (the library code behind this plugin), to extend and add to these tools, creating your own Composer plugin.

Rector instantly upgrades and refactors the PHP code of your application.

* Instant Upgrades
Rector now supports upgrades from PHP 5.3 to 8.0 and major open-source projects like Symfony, PHPUnit, Nette, Laravel, CakePHP, Doctrine and Typo3 out of the box. Do you want to be constantly on the latest PHP/framework version without effort? Use Rector to handle instant upgrades for you.

* Automated Refactoring
Do you have code quality you need, but struggle to keep it with new developers in your team? Do you want see smart code-reviews even when every senior developers sleeps? Add Rector to your CI and let it continuously refactor your code and keep the code quality high.

A tool that can be used to verify BC breaks between two versions of a PHP library.

* your project uses git
* your project uses composer.json to define its dependencies
* all source paths are covered by an "autoload" section in composer.json
* changes need to be committed to git to be covered. You can implement your own logic to extract sources and dependencies from a project though

This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.

This library is a PHPStan plugin that disallows:
* declaration of float properties
* float method parameters
* float method return types
* assignment of float values to variables or properties

The reason for this restriction is that rounding errors coming from floating point arithmetic operations are not acceptable in certain business logic scenario, such as dealing with money, evaluating exam results, rocket science, etc.

An example of such problems can be seen with the following typical example: var_dump((0.7 + 0.1) === 0.8); // output: bool(false)

This can mean no trouble at all, or a lot of trouble, depending on how many numbers you are running through your system, so it is advisable to avoid float for domains where rounding can potentially lead to trouble.

float is still perfectly acceptable in many programming contexts, and this ruleset should only be applied where it is critical not to introduce rounding errors.

This library is a PHPUnit plugin that detects memory leaks in tested code or tests. It utilizes memory_get_usage() to make sure the code being executed properly cleans up after itself.

This package enforces type checks during composer installation in downstream consumers of your package. This only applies to usages of classes, properties, methods and functions declared within packages that directly depend on roave/you-are-using-it-wrong.

Issues that the static analyser finds that do not relate to these namespaces will not be reported.

roave/you-are-using-it-wrong comes with a zero-configuration out-of-the-box setup.

By default, it hooks into composer install and composer update, preventing a successful command execution if there are type errors in usages of protected namespaces.

The usage of this plugin is highly endorsed for authors of new PHP libraries who appreciate the advantages of static types.

This project is built with the hope that libraries with larger user-bases will raise awareness of type safety (or current lack thereof) in the PHP ecosystem.

As annoying as it might sound, it is not uncommon for library maintainers to respond to support questions caused by lack of type checks in downstream projects. In addition to that, relying more on static types over runtime checks, it is possible to reduce code size and maintenance burden by strengthening the API boundaries of a library.

Robo is a task runner you always have been looking for. It allows you to write fully customizable tasks in common OOP PHP style. Robo has comprehensive list of built-in common tasks for development, testing, and deployment. Use Robo to:
* automate your common tasks
* start workers
* run parallel tasks
* execute commands
* run tests
* watch filesystem changes

Slevomat Coding Standard for PHP_CodeSniffer provides sniffs that fall into three categories:

* Functional - improving the safety and behaviour of code
* Cleaning - detecting dead code
* Formatting - rules for consistent code looks

symfony check:security
Symfony CLI command to check whether your project’s dependencies contain any known security vulnerability.

A good security practice is to execute this command regularly to be able to update or replace compromised dependencies as soon as possible. The security check is done locally by fetching the public PHP security advisories database, so your composer.lock file is not sent on the network.

The easiest way to use any coding standard.

* Use PHP_CodeSniffer || PHP-CS-Fixer - anything you like
* 2nd run under few seconds with un-changed file cache
* Skipping files for specific checkers; Prepared sets - PSR12, Symfony, Common, Array, Symplify and more...
* Prefixed version in case of conflicts on install

UpToDocs scans a Markdown file for PHP code blocks, and executes each one in a separate process. Include this in your CI workflows, to make sure your documentation is always up to date with your code.