Static Analysis With Psalm
A typo is never that serious unless it's in a software code base. A tiny mistake, such as an omitted comma, can cost companies billions of dollars, destroy a NASA rocket, or even interrupt service for users of a SaaS product.
Over the years, there have been tremendous efforts toward developing automated tools and processes to prevent such catastrophic typos from finding their way into, or making a home in, our code bases. Extensions of compiler technologies have been built to help us with automated reviews.
In this post, I write about Psalm, a PHP static analysis tool, and how you can take advantage of its powerful features to stop bad code from creeping into your source code.
Psalm
Psalm is an open-source project from Vimeo that helps you catch bugs early and identify problems in your code. It helps:
- prevent type-related runtime errors
- enforce standard coding patterns
- autofix bugs
- detect PHP security vulnerabilities using taint analysis
For a quick start and installation guide, head over here.
Psalm does not just flag a line of code as problematic; it also includes a link that you can follow to see an explanation for the decision. The output looks like this:
ERROR: InvalidArgument - \namespace\file.php:8:19 -
Argument 1 of getAttribute expects string,
int provided (see https://psalm.dev/004)
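A file that exercises two of the checks listed above, the argument type check and taint analysis, as an added example (not code from the original post or from the Psalm project). The `Node` class, the function names and the request value are hypothetical and constructed for illustration. The type mismatch is reported by a normal Psalm run, while the unescaped `echo` is reported only when Psalm is run with `--taint-analysis`.

```php
<?php
declare(strict_types=1);

// Hypothetical class: only the method name getAttribute comes from the report above.
final class Node
{
    /** @param array<string, string> $attributes */
    public function __construct(private array $attributes) {}   // PHP 8.0+ syntax

    public function getAttribute(string $name): string
    {
        return $this->attributes[$name] ?? '';
    }
}

// Before: an int where a string is declared. Psalm reports the argument type
// mismatch statically; at runtime strict_types makes this call throw a TypeError.
function titleBefore(Node $node): string
{
    return $node->getAttribute(0);
}

// After: the argument matches the declared parameter type.
function titleAfter(Node $node): string
{
    return $node->getAttribute('title');
}

// Before: request data reaches HTML output unescaped, so taint analysis
// traces a path from $_GET (source) to echo (sink).
function greetBefore(): void
{
    $name = is_string($_GET['name'] ?? null) ? $_GET['name'] : '';
    echo '<p>Hello ' . $name . '</p>' . PHP_EOL;
}

// After: htmlspecialchars() escapes the value before it reaches the sink.
function greetAfter(): void
{
    $name = is_string($_GET['name'] ?? null) ? $_GET['name'] : '';
    echo '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>' . PHP_EOL;
}

$_GET['name'] = '<b>Ada</b>';   // constructed sample input, so the file also runs from the CLI
echo titleAfter(new Node(['title' => 'Hello'])), PHP_EOL;
greetAfter();                   // only the corrected functions are called
```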
Support For Laravel
Psalm v3 came with a new plugin framework that makes authoring integrations for third-party packages much easier. That, together with Barry's IDE Helper, made the Laravel Plugin a reality, according to Matt.
It's super easy to set up. You only need two commands after successfully installing and setting up Psalm:
composer require --dev psalm/plugin-laravel
./vendor/bin/psalm-plugin enable psalm/plugin-laravel
Under the hood, it runs the Laravel IDE helper, gets the stubs and feeds them into Psalm. I, personally, would love it if the package existed independently of the IDE helper, because a scenario in the future where issues would pile up in both repos because of some dependency mismatch or recent upgrade that stops a certain "something" from working entirely is imminent.
But, so far so good. I'm really happy with the developments and excited for what is in store for the future!