Psalm PHP Static Analysis


psalm.dev


About this website

Psalm is a free and open-source static analysis tool for PHP that detects type errors, logic bugs, and security issues in PHP code without executing it. Developed by Matthew Brown (muglug) starting in 2016 and originally maintained by Vimeo (where it was created to analyze Vimeo's large PHP codebase), Psalm is one of the leading PHP quality tools alongside PHPStan.

Key features:

Type inference: Psalm performs deep type analysis, tracking types through variables, function calls, return values, and control flow. It understands PHPDoc annotations and PHP 7+ native type declarations, and performs type narrowing after conditional checks (for example, narrowing a nullable type to non-null after a null check, so that a method call on the narrowed value is no longer reported as a PossiblyNullReference).

Issue types: Psalm detects well over 100 distinct issue types, including PossiblyNullReference, PossiblyUndefinedVariable, TypeDoesNotContainType, InvalidReturnStatement, MixedAssignment, and more. Each issue type can be individually suppressed (globally in psalm.xml or inline with @psalm-suppress) or elevated to error level.

Error levels: Psalm uses a 1-8 error level system (1 = strictest, 8 = most lenient), allowing gradual adoption. At level 8 only issues Psalm is sure are bugs are reported; each lower level surfaces more potential issues, down to level 1, where every issue, including the Mixed* family that flags untyped values, is treated as an error.

Baseline: generates a baseline file of existing errors (psalm --set-baseline) so that new issues are reported while legacy code is fixed incrementally rather than all at once.

Taint analysis: Psalm includes a taint analysis engine (enabled with psalm --taint-analysis) that traces data flow from user input (superglobals such as $_GET, $_POST, $_COOKIE) to sensitive sinks (SQL queries, shell commands, HTML output, file paths), reporting SQL injection, XSS, path traversal, and similar vulnerabilities as Tainted* issues (TaintedSql, TaintedHtml, TaintedShell, ...). Psalm ships with sources and sinks for common PHP and PDO functions; your own entry points, sinks, and sanitizers are marked with @psalm-taint-source, @psalm-taint-sink, and @psalm-taint-escape annotations. Because taint tracking is only as complete as its sinks and escapes, an annotation that wrongly declares a function as escaping silences real findings, so treat those annotations as security-relevant code and review them accordingly.

Refactoring: supports automated code fixes (Psalter, via psalm --alter) for many detected issues, such as adding missing return types.

Plugins: extensible plugin system for custom checks and type providers.

Integration: CI/CD, IDE plugins (VS Code, PhpStorm).

License: MIT.
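The following is an added example, not code from psalm.dev or the Psalm project, showing how the taint engine sees a SQL injection and what the hardened version looks like. It assumes a PDO connection and a "users" table (both hypothetical) and that the file is analysed with vendor/bin/psalm --taint-analysis. $_GET is a built-in source; the helpers are annotated explicitly so the result does not depend on Psalm's bundled stubs for the driver calls.

```php
<?php
declare(strict_types=1);

// Added example (not from psalm.dev or the Psalm project). Assumed: a PDO
// connection $pdo and a "users" table; analysed with
//   vendor/bin/psalm --taint-analysis

/**
 * Run a raw SQL string. Marked as a sink so any tainted data reaching $sql
 * is reported as TaintedSql, independent of the underlying driver call.
 *
 * @psalm-taint-sink sql $sql
 */
function runRawQuery(PDO $pdo, string $sql): array
{
    $stmt = $pdo->query($sql);
    return $stmt === false ? [] : $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Read a request parameter. Marked as a source so taint is tracked even
 * where callers never touch a superglobal directly.
 *
 * @psalm-taint-source input
 */
function requestParam(string $name): string
{
    return isset($_GET[$name]) && is_string($_GET[$name]) ? $_GET[$name] : '';
}

/**
 * Restrict a column name to a fixed allow-list. Only a known literal can be
 * returned, so the result is declared safe to interpolate into SQL text.
 * This annotation is a trust decision: if the body were ever changed to
 * return $candidate unconditionally, Psalm would still believe it.
 *
 * @psalm-taint-escape sql
 */
function safeSortColumn(string $candidate): string
{
    return in_array($candidate, ['id', 'name', 'created_at'], true) ? $candidate : 'id';
}

// VULNERABLE: user input is concatenated into the query string.
// Psalm reports TaintedSql here, with the path from requestParam() to runRawQuery().
function findUsersVulnerable(PDO $pdo): array
{
    $name = requestParam('name');
    return runRawQuery($pdo, "SELECT id, name FROM users WHERE name = '" . $name . "'");
}

// HARDENED: the tainted value only reaches a bound parameter, never the SQL
// text, and the one interpolated fragment has passed through the escape.
function findUsersHardened(PDO $pdo): array
{
    $name = requestParam('name');
    $orderBy = safeSortColumn(requestParam('sort'));

    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name ORDER BY " . $orderBy);
    if ($stmt === false) {
        return [];
    }
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With a psalm.xml in place (vendor/bin/psalm --init creates one), vendor/bin/psalm --taint-analysis reports one TaintedSql issue for findUsersVulnerable and nothing for findUsersHardened. Removing the @psalm-taint-escape line from safeSortColumn makes the ORDER BY concatenation in the hardened function show up as well, which is the check to run when reviewing any escape annotation added by a developer.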
