A PHP code checker is any tool that inspects your PHP source for problems without necessarily running it — and the term covers three very different jobs: checking syntax, checking correctness and types, and checking for security vulnerabilities. Knowing which kind you need matters, because a php checker that catches undefined variables will not catch a SQL injection, and a security scanner will not enforce your coding standard. This guide maps the categories and names the tools that do each job.
The three things "checking PHP" can mean
When someone reaches for a php code checker online, they usually want one of three things, and mixing them up leads to a false sense of safety.
Syntax checking confirms the code parses. PHP has this built in — php -l file.php (lint mode) tells you whether a file is syntactically valid. It catches missing semicolons and unbalanced braces, nothing more. Useful as a fast pre-commit gate, useless for anything deeper.
Static analysis checks correctness without running the code: undefined variables, type mismatches, calls to methods that do not exist, unreachable code, and subtle bugs. This is where PHPStan and Psalm live, and it is the biggest bang for your buck in day-to-day quality.
Security analysis specifically hunts for vulnerabilities: user input reaching a database query unsanitized, unsafe deserialization, command injection. This requires taint tracking, and — this is the part people miss — general static analyzers do not all do it by default.
The core tools, and what each actually does
The PHP ecosystem has a handful of mature checkers. Here is the honest division of labor.
PHPStan is the most popular PHP static analyzer. It finds type errors, undefined methods and properties, unreachable code, and a wide range of correctness bugs without executing your code. It works in configurable "levels," from lenient to strict, so you can adopt it on a legacy codebase gradually. Critically, PHPStan does not have built-in taint analysis or dedicated security-vulnerability detection — it is a correctness tool first. Treating a clean PHPStan run as "secure" is a mistake.
Psalm (from Vimeo) is the other heavyweight static analyzer, with very strong type inference. Its differentiator for security work is taint analysis: Psalm can track untrusted input from a source ($_GET, $_POST) to a dangerous sink (a database query, echo, shell_exec) and flag when tainted data arrives unsanitized. If you want one tool that does both correctness and a real security pass, Psalm with taint mode enabled is the natural pick.
PHP_CodeSniffer enforces coding standards — PSR-12, indentation, naming — and reports style violations. It also ships a companion, phpcbf, that automatically fixes many of them, which is the closest thing to the "php code checker and fixer" people search for. It is a style tool, not a bug or security tool; do not expect it to find vulnerabilities.
Semgrep is a language-agnostic pattern scanner with a strong PHP ruleset, widely used for security-focused checks and custom rules. It is a good complement when you want to codify "never call this function this way" across the codebase.
For teams coming from other stacks, the mental model maps cleanly: PHPStan/Psalm are to PHP what a python code checker and fixer combination like mypy plus ruff is to Python — correctness and style analyzers you run in CI, distinct from a dedicated security scanner.
Running them
The toolchain is straightforward to wire up. Install via Composer and run in CI:
composer require --dev phpstan/phpstan
vendor/bin/phpstan analyse src --level 6
For Psalm with security taint analysis:
composer require --dev vimeo/psalm
vendor/bin/psalm --init
vendor/bin/psalm --taint-analysis
And the built-in syntax lint, handy as a fast gate over changed files:
php -l src/Controller/UserController.php
The pragmatic combination for most teams is PHPStan for correctness, Psalm's taint mode (or Semgrep) for security, and PHP_CodeSniffer with phpcbf for style and auto-fix. Run all three in CI on every pull request so problems surface in the diff, not in a quarterly review.
What a code checker will not catch
Static PHP checkers are strong at code-level issues, but they have the same blind spots as static analysis everywhere. They will not find business-logic flaws — an authorization check that is simply missing looks like ordinary code. They cannot see runtime configuration, so an app with a hardened codebase but display_errors on in production, or a .env file served by a misconfigured web root, sails through clean. And they only see your own code plus whatever they are pointed at.
That last gap matters a lot in PHP, because Composer pulls in third-party packages that carry their own known vulnerabilities. A PHP code checker analyzing your source will not tell you that a Composer dependency has a published CVE. That is a job for software composition analysis: an SCA tool such as Safeguard reads your composer.lock, flags dependencies with known vulnerabilities, and — with reachability — tells you which of them your code actually calls. Pair source checking with dependency scanning; neither covers the other's ground.
A practical setup
- Use
php -las a fast syntax gate on changed files. - Run PHPStan for correctness, adopting it level by level on legacy code.
- Add Psalm with taint analysis (or Semgrep) for actual security findings — do not assume a correctness tool covers security.
- Use PHP_CodeSniffer plus
phpcbffor style enforcement and auto-fixing. - Add SCA to cover the Composer dependencies your source checker cannot see.
- Wire all of it into CI so checks run on every pull request.
Get that stack in place and "check my PHP" stops being a single vague step and becomes a layered set of tools that each catch what the others miss.
FAQ
What is a PHP code checker?
It is any tool that inspects PHP source for problems. The term spans three categories: syntax checkers (php -l), static analyzers for correctness (PHPStan, Psalm), and security scanners that track untrusted input to dangerous operations. Choosing the right category for your goal matters, because a correctness checker will not find security flaws.
Does PHPStan find security vulnerabilities?
Not by default. PHPStan is a correctness-focused static analyzer that finds type errors, undefined methods, and logic bugs, but it does not include built-in taint analysis or dedicated vulnerability detection. For PHP security analysis, use Psalm's taint mode or a dedicated security scanner alongside it.
Is there a PHP code checker and fixer?
Yes. PHP_CodeSniffer reports coding-standard violations and its companion phpcbf automatically fixes many of them. Note that this fixes style issues, not security bugs. For correctness, PHPStan and Psalm report issues but generally require manual fixes.
Can a PHP code checker find vulnerabilities in Composer dependencies?
No. Source-code checkers analyze your own code, not third-party packages. To find known CVEs in your Composer dependencies, use software composition analysis that reads composer.lock, ideally with reachability so you learn which vulnerable dependency functions your code actually invokes.