Performant static analyzer for PHP, written in Rust. Catches common mistakes and enforces best practices with zero configuration required.

• 🚀 Fast — built in Rust, analyzes large codebases in seconds
• 🔍 14 built-in rules — covering complexity, style, design patterns, and more
• ⚙️ Zero config to start — works out of the box, configure only what you need
• 📄 Multiple output formats — text, json, and sarif (for CI pipelines)
• 🔌 Extensible — adding a custom rule takes minutes

The simplest way to install Phanalist is to use the installation script:

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/denzyldick/phanalist/main/bin/init.sh | sh

It will automatically download the executable for your platform:

$ ~/phanalist -V
phanalist 1.0.0

There are also multiple other installation options.

To analyze your project sources, run:

~/phanalist

On the first run phanalist.yaml will be created with the default configuration and reused on all subsequent runs.

Additional CLI flags:

enabled_rules: []   # empty = all rules active
disable_rules: []
rules:
  E0007:
    check_constructor: true
    max_parameters: 5
  E0009:
    max_complexity: 10
  E0010:
    max_paths: 200
  E0012:
    include_namespaces:
      - "App\\Service\\"
      - "App\\Controller\\"
    exclude_namespaces: []

• enabled_rules — whitelist of rules to run (empty = all)
• disable_rules — rules to skip
• rules — per-rule configuration options

Adding a new rule is straightforward — this tutorial explains how.

Read a series of chapters on https://dev.to/denzyldick to understand the project's internals — a great, easy-to-read introduction.

1. Write your own static analyzer for PHP.
2. How I made it impossible to write spaghetti code.
3. Detecting spaghetti code in AST of a PHP source code.
4. Getting Symfony app ready for Swoole, RoadRunner, and FrankenPHP (no AI involved).
5. Improve your CI output
6. Why using unserialize in PHP is a bad idea