DEV.co
Open-Source Testing · phpstan

phpstan

PHPStan is a static analysis tool for PHP that finds bugs without running code, catching type errors and logic issues before they reach production. It's actively maintained, MIT-licensed, and widely adopted across the PHP ecosystem with strong sponsorship.

Source: GitHub — github.com/phpstan/phpstan
14k
GitHub stars
954
Forks
PHP
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryphpstan/phpstan
Ownerphpstan
Primary languagePHP
LicenseMIT — OSI-approved
Stars14k
Forks954
Open issues1.1k
Latest release2.2.5 (2026-07-05)
Last updated2026-07-08
Sourcehttps://github.com/phpstan/phpstan

What phpstan is

PHPStan performs ahead-of-time type checking and semantic analysis on PHP codebases using AST traversal and type inference, eliminating whole classes of runtime errors. It integrates into CI/CD pipelines as a CLI tool and supports extensibility via custom rule definitions and PHPDoc type annotations.

Quickstart

Get the phpstan source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/phpstan/phpstan.gitcd phpstan# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Pre-deployment type safety in mature PHP applications

Catch type mismatches, undefined variables, and incorrect function calls before code reaches production. Particularly valuable in large codebases where runtime testing alone misses static errors.

Legacy PHP codebase modernization

Incrementally enforce stricter type checking across older PHP projects as you migrate toward PHP 7.4+ strict typing. Progressive error levels (0–9) allow gradual adoption without full rewrites.

CI/CD integration for continuous code quality

Integrate as a required gate in pull request checks to prevent type-related regressions. Fast execution and clear error reporting make it suitable for frequent automated runs.

Implementation considerations

  • Start at rule level 0 and progressively increase strictness; baseline unresolved errors to avoid false positive noise during onboarding.
  • Integrate PHPDoc types systematically; missing or incorrect type hints will significantly reduce effectiveness and increase false positives.
  • Configure extension list explicitly (doctrine, symfony, laravel, etc.) based on framework dependencies to reduce false positives from magic behavior.
  • Allocate time for baseline configuration and team training on PHPDoc syntax; adoption friction increases if developers don't understand type annotation.
  • Use with complementary tools (Psalm, Phan) only if team has specific needs; dual analysis adds overhead without clear ROI in most cases.

When to avoid it — and what to weigh

  • Runtime behavior validation needed — PHPStan catches static errors only. It cannot validate business logic, concurrency issues, or actual execution behavior. Pair with runtime testing for comprehensive coverage.
  • Heavy reliance on dynamic PHP (older codebases with minimal types) — Codebases without PHPDoc annotations or type hints will generate false positives. Requires upfront investment in type annotation or high error baseline noise.
  • Zero configuration / drop-in tool expectation — PHPStan requires thoughtful configuration (phpstan.neon), baseline files, and extension selection for effective deployment. Teams expecting 'install and forget' will find setup overhead.
  • Real-time IDE integration with minimal latency — While IDE plugins exist, PHPStan's analysis time can exceed IDE editor feedback expectations for large codebases. Not a replacement for language server performance.

License & commercial use

PHPStan is released under the MIT License, a permissive OSI-approved license. MIT allows unrestricted commercial use, modification, distribution, and private use with only attribution and liability waiver requirements.

MIT License explicitly permits commercial use without restriction or licensing fees. However, PHPStan Pro (premium web UI and continuous analysis features) is a separately licensed paid service (€7/month individuals, €70/month teams). Verify any custom extensions or integrations have compatible licensing before deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

PHPStan itself is a static analysis tool that does not execute code or access runtime resources; no exploit surface. Security benefit: catches many category of bugs (null pointer dereference, type mismatches) before production. No claims of cryptographic validation or data security features. For supply-chain security, verify custom extensions (composer packages) before use. MIT license allows independent security audits.

Alternatives to consider

Psalm (Vimeo)

Similar PHP static analyzer with incremental type checking. Slightly more aggressive inference but steeper learning curve; choose if team prefers Psalm's type narrowing semantics.

Phan (Etsy, now community-maintained)

Graph-based type analyzer for PHP with faster analysis on large codebases. Less actively developed than PHPStan; suitable if speed is primary constraint and team accepts lower feature velocity.

PHP 8.1+ native typed properties + runtime type checking

Modern PHP versions provide built-in type enforcement at runtime. Not a replacement for static analysis but reduces some error categories; combine with PHPStan for defense-in-depth.

Software development agency

Build on phpstan with DEV.co software developers

Assess type safety, integration overhead, and baseline configuration effort with your team. Start at error level 0 and increase strictness incrementally. We can help design PHPStan adoption strategy for legacy codebases.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

phpstan FAQ

Can PHPStan find runtime errors in my PHP application?
No, it is a static analyzer only. It catches type errors, undefined variables, and incorrect method signatures without executing code. Business logic errors, concurrency issues, and runtime exceptions require unit/integration tests.
Does PHPStan slow down my CI/CD pipeline?
No significant impact. Typical analysis takes seconds to low minutes on medium codebases. It is fast enough for pre-commit hooks or per-PR checks; adjust error level and baseline tuning if pipeline time is critical.
What is the difference between PHPStan and PHPStan Pro?
Open-source PHPStan (free, CLI) performs static analysis and integrates into CI/CD. PHPStan Pro (€7–70/month paid service) adds a web UI for browsing errors and continuous file-watching. Core analysis is identical; Pro is optional convenience.
Can I use PHPStan in a production CI/CD gate?
Yes. It is designed for this. Add `phpstan analyze` as a required step in your pull request workflow. False positives are minimized with proper type annotations and baseline configuration; configure error levels (0–9) per project maturity.

Work with a software development agency

Need help beyond evaluating phpstan? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source testing integrations — and maintain them long-term.

Evaluate PHPStan for your PHP project.

Assess type safety, integration overhead, and baseline configuration effort with your team. Start at error level 0 and increase strictness incrementally. We can help design PHPStan adoption strategy for legacy codebases.