Automated Code Reviews for PHP

Scrutinizer has the most advanced static analysis engine that is available for PHP code. It goes beyond simple style checks for whether you make use of certain language features. We track how data flows through your application to detect security issues, bugs, unused code, and much more.

Using Scrutinizer, you also benefit from the knowledge of thousands of PHP developers who are already using our service. Based on their behavior, Scrutinizer automatically learns which issues are likely to be false positives and filters them for you, giving you more useful results.

If you already have your own checks, you can also run certain open-source tools like PHP CodeSniffer to execute them.

Analysis Tools

All analysis tools run in Scrutinizer's regular build environment. By default, we configure Scrutinizer's own PHP analysis along with a minimal configuration of PHP CodeSniffer, depending on the framework you are using.

As a convention, the analysis tools are placed in a separate node called analysis, but you can use any other name, too:

build:
  nodes:
    analysis:
      tests:
        override:
          - php-scrutinizer-run
          - phpcs-run

Configuring Third-party Tools

We automatically enable the checks that we believe are most useful for your project by default. In general, we support two different modes to fine-tune the configuration for many analysis tools.

In the first mode, we manage the tool configuration for you, and you select the checks in the website config editor. This is supported for some selected analysis tools and is signaled in the configuration by a use_website_config: true flag that needs to be set for the tool. For example, for PHP CodeSniffer, it looks like this:

build:
  nodes:
    analysis:
      tests:
        override:
          - command: phpcs-run
            use_website_config: true   # <- uses the website config

In the second mode, you take care of providing the tool-specific configuration. This is generally possible for all tools, even those for which we do not provide a wrapper script like phpcs-run. For PHP CodeSniffer, use_website_config: true would be absent from your configuration in that case, and you instead need to provide a phpcs.xml file as part of your repository:

build:
  nodes:
    analysis:
      tests:
        override:
          - command: phpcs-run --config phpcs.xml
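
For the second mode, the phpcs.xml in the repository is a standard PHP CodeSniffer ruleset. The following is an added example, not taken from Scrutinizer's documentation; the src directory, the excluded tests path, and the selection of sniffs are assumptions to adapt to your project:

```xml
<?xml version="1.0"?>
<!-- phpcs.xml: added example ruleset; paths and sniff selection are assumptions -->
<ruleset name="project-checks">
    <description>Repository-managed PHP CodeSniffer configuration</description>

    <!-- Assumed layout: application code lives in src/ -->
    <file>src</file>
    <arg name="extensions" value="php"/>

    <!-- Keep exclusions consistent with filter.excluded_paths in the Scrutinizer config -->
    <exclude-pattern>*/tests/*</exclude-pattern>

    <!-- Base coding standard -->
    <rule ref="PSR12"/>

    <!-- Flag dynamic code evaluation and shell execution via backticks -->
    <rule ref="Squiz.PHP.Eval"/>
    <rule ref="Generic.PHP.BacktickOperator"/>

    <!-- The @ operator hides errors that reviewers and monitoring should see -->
    <rule ref="Generic.PHP.NoSilencedErrors"/>

    <!-- Report calls to functions that execute commands or deserialize data.
         value="null" means no replacement function is suggested. -->
    <rule ref="Generic.PHP.ForbiddenFunctions">
        <properties>
            <property name="forbiddenFunctions" type="array">
                <element key="exec" value="null"/>
                <element key="shell_exec" value="null"/>
                <element key="system" value="null"/>
                <element key="passthru" value="null"/>
                <element key="unserialize" value="null"/>
            </property>
        </properties>
    </rule>
</ruleset>
```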

Configuring Scrutinizer's Checks

Scrutinizer's own checks are not configured in a separate file, but in your regular Scrutinizer configuration. The minimal configuration for PHP looks like this:

checks:
    php: true

This configuration can also be adjusted via the website config editor.

Analyzed Files

By default, Scrutinizer will analyze all files ending with .php in your project. If you have generated code, or dependencies embedded in your project, or would like to exclude your tests from the analysis, this can be achieved easily:

filter:
    excluded_paths:
        - tests/*

Learn more about excluding files from the analysis.