phpstan
PHPStan is a static analysis tool for PHP that finds bugs without running code, catching type errors and logic issues before they reach production. It's actively maintained, MIT-licensed, and widely adopted across the PHP ecosystem with strong sponsorship.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | phpstan/phpstan |
| Owner | phpstan |
| Primary language | PHP |
| License | MIT — OSI-approved |
| Stars | 14k |
| Forks | 954 |
| Open issues | 1.1k |
| Latest release | 2.2.5 (2026-07-05) |
| Last updated | 2026-07-08 |
| Source | https://github.com/phpstan/phpstan |
What phpstan is
PHPStan performs ahead-of-time type checking and semantic analysis on PHP codebases using AST traversal and type inference, eliminating whole classes of runtime errors. It integrates into CI/CD pipelines as a CLI tool and supports extensibility via custom rule definitions and PHPDoc type annotations.
Get the phpstan source
Clone the repository and explore it locally.
git clone https://github.com/phpstan/phpstan.gitcd phpstan# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Start at rule level 0 and progressively increase strictness; baseline unresolved errors to avoid false positive noise during onboarding.
- Integrate PHPDoc types systematically; missing or incorrect type hints will significantly reduce effectiveness and increase false positives.
- Configure extension list explicitly (doctrine, symfony, laravel, etc.) based on framework dependencies to reduce false positives from magic behavior.
- Allocate time for baseline configuration and team training on PHPDoc syntax; adoption friction increases if developers don't understand type annotation.
- Use with complementary tools (Psalm, Phan) only if team has specific needs; dual analysis adds overhead without clear ROI in most cases.
When to avoid it — and what to weigh
- Runtime behavior validation needed — PHPStan catches static errors only. It cannot validate business logic, concurrency issues, or actual execution behavior. Pair with runtime testing for comprehensive coverage.
- Heavy reliance on dynamic PHP (older codebases with minimal types) — Codebases without PHPDoc annotations or type hints will generate false positives. Requires upfront investment in type annotation or high error baseline noise.
- Zero configuration / drop-in tool expectation — PHPStan requires thoughtful configuration (phpstan.neon), baseline files, and extension selection for effective deployment. Teams expecting 'install and forget' will find setup overhead.
- Real-time IDE integration with minimal latency — While IDE plugins exist, PHPStan's analysis time can exceed IDE editor feedback expectations for large codebases. Not a replacement for language server performance.
License & commercial use
PHPStan is released under the MIT License, a permissive OSI-approved license. MIT allows unrestricted commercial use, modification, distribution, and private use with only attribution and liability waiver requirements.
MIT License explicitly permits commercial use without restriction or licensing fees. However, PHPStan Pro (premium web UI and continuous analysis features) is a separately licensed paid service (€7/month individuals, €70/month teams). Verify any custom extensions or integrations have compatible licensing before deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
PHPStan itself is a static analysis tool that does not execute code or access runtime resources; no exploit surface. Security benefit: catches many category of bugs (null pointer dereference, type mismatches) before production. No claims of cryptographic validation or data security features. For supply-chain security, verify custom extensions (composer packages) before use. MIT license allows independent security audits.
Alternatives to consider
Psalm (Vimeo)
Similar PHP static analyzer with incremental type checking. Slightly more aggressive inference but steeper learning curve; choose if team prefers Psalm's type narrowing semantics.
Phan (Etsy, now community-maintained)
Graph-based type analyzer for PHP with faster analysis on large codebases. Less actively developed than PHPStan; suitable if speed is primary constraint and team accepts lower feature velocity.
PHP 8.1+ native typed properties + runtime type checking
Modern PHP versions provide built-in type enforcement at runtime. Not a replacement for static analysis but reduces some error categories; combine with PHPStan for defense-in-depth.
Build on phpstan with DEV.co software developers
Assess type safety, integration overhead, and baseline configuration effort with your team. Start at error level 0 and increase strictness incrementally. We can help design PHPStan adoption strategy for legacy codebases.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
phpstan FAQ
Can PHPStan find runtime errors in my PHP application?
Does PHPStan slow down my CI/CD pipeline?
What is the difference between PHPStan and PHPStan Pro?
Can I use PHPStan in a production CI/CD gate?
Work with a software development agency
Need help beyond evaluating phpstan? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source testing integrations — and maintain them long-term.
Evaluate PHPStan for your PHP project.
Assess type safety, integration overhead, and baseline configuration effort with your team. Start at error level 0 and increase strictness incrementally. We can help design PHPStan adoption strategy for legacy codebases.