By Bruno Skvorc

8 Must Have PHP Quality Assurance Tools

By Bruno Skvorc

Quality Assurance in PHP is a valuable but very rarely seen aspect. In a world focused on rapid deployment and a “ship now, worry later” mentality, a focus on quality is a rare sight, especially when dealing with the web. One of our authors recently directed my attention to Sebastian Bergmann’s site, PHP QA Tools.

The site is a simple list of interesting tools that can help you properly test your application, while also analyzing it and producing interesting data for you to look at. This post will be little more than a re-iteration of some of those tools with added information, use cases and advice about them – however, we’re open to expanding this list with other QA tools you throw our way that get plenty of votes in the comments below or seem interesting and/or useful enough.

1. PHPUnit

Mr. Bergmann’s own PHPUnit is, unsurprisingly, present on the list. PHPUnit is the most widely used and fully featured unit testing tool which we’ve covered extensively before – I believe it needs no further introduction.

PHPUnit can be installed globally, by running composer global require "phpunit/phpunit=4.1.*".

2. Behat

Behat, a BDD framework, is a framework which will be covered in great detail on our channel soon, but in a nutshell, it allows you to write highly readable feature tests – tests that can be easily understood by even non-technical people. They’re actual stories you write, in this form, as per their site:

Scenario: List 2 files in a directory
  Given I am in a directory "test"
  And I have a file named "foo"
  And I have a file named "bar"
  When I run "ls"
  Then I should get:

You then write classes with methods which define the specific sentences, such as:

/** @Given /^I have a file named "([^"]*)"$/ */
    public function iHaveAFileNamed($file)

in which Behat automatically passes the argument into the function based on what you placed between the quotes.

These “tests” are then writeable by non technical people with minimal training, and can in some cases decrease the management-development misunderstanding gap. Which tests should you write though? BDD or TDD?


There are several guides, videos and articles on the comparison of BDD and TDD, but what it boils down to it – “BDD is TDD done right”.

BDD is TDD done right

BDD tests your app in a more readable, and contextually specific manner. What’s more, the two aren’t mutually exclusive – BDD can use common assertion tools like those from PHPUnit. It’s very important to note the following distinction, however:

There is no code coverage in BDD!

How do you know what methods you’ve tested, and which need to be covered still? Put simply, when doing only BDD, you don’t (unless you use third party code coverage libs). But that’s just it – TDD is code oriented, while BDD is client oriented. TDD tests if your methods provide the asserted outcome, while BDD tests the functionality of your app – in other words, BDD tests if your app does what it should be doing, and considers a test passed if it doesn’t throw an exception. In BDD, some of your functions can remain untested because they’re simply irrelevant to the end result – the whole is greater than the sum of its parts – while in TDD, only the parts exist, and there is no whole. BDD is not for control freaks.

If you can, I encourage you to write both. If you can’t, I encourage you to go with BDD. It’ll be far more valuable in the long run.

Behat can be installed globally via composer global require behat/behat='~3.0.6'.

3. vfsStream

Further improving on the topic of testing, there’s vfsStream:

… a stream wrapper for a virtual file system that may be helpful in unit tests to mock the real file system.

It’s role is simple – fake a file system for mocking in your tests. The example it offers on the wiki page is self-explanatory, but perhaps the most noteworthy of features is its ability to “copy” a virtual directory structure from the actual file system. That way, you can run the test from the example on the virtual copy and treat it as the real deal (permissions are copied, too, as are files that don’t exceed a pre-set limit), without actually polluting the real file system and risk post-test-fail leftovers the original example warns against in the anti-teardown argument.


Another of Mr. Bergmann’s own tools, PHPLOC (LOC = lines of code) is a tool that measures the size of your project in lines of code, number of files, number of classes, and so on. The tool can walk through Git revisions, too, and generate retroactive reports in CSV format.

The tool can be globally installed via Composer by running composer global require 'phploc/phploc=*' and then becomes accessible to any project from any location. All you need to do is run phploc FOLDER where “FOLDER” is the folder you’d like to analyze.

The usefulness of this tool is questionable at best, but it’s a nice bragging tool and I can see it generating some very interesting graphs in the sidebar of a PHP project’s Github page. Further documentation is available on the project’s Github page.

The list also mentioned PHP_Depend, though I see it as a somewhat outdated and rather tackily designed competitor to PHPLOC, so I won’t be mentioning it here – in part also because the tool we mention next makes some under-the-radar use of it.

5. PHP Mess Detector

PHP Mess Detector will, when installed, pull in PHP_Depend as well and heavily use its generated metrics to generate its own reports. PHPMD actually looks for messy code: possible bugs, suboptimal code, overcomplicated methods, unused expressions and so on.

PHPMD can also be installed globally via Composer by running composer global require 'phpmd/phpmd=*'

PHPMD works through Rules – specific sets of instructions on what to look for in source code. There’s a wide variety of prepared ones and users can write their own.

More detailed PHPMD posts are coming soon.

6. PHP CodeSniffer

Similar to PHPMD, CodeSniffer sniffs through your code and detects violations in syntax. Unlike PHPMD, CS also covers CSS and JS.

The usual method of installation was through PEAR, though since PEAR is (luckily) on its way out, you can also install it globally through Composer: composer global require 'squizlabs/php_codesniffer=*'.

Usage is fairly simple, as described by their Github wiki, and we’ll be publishing detailed CS integration tutorials soon, too.

7. + 8. DCD + CPD

Two more of Mr. Bergmann’s tools, Dead Code Detector and Copy Paste Detector, test for unused code (methods and functions that were declared but are never used in a project) and for duplicate code respectively.

These absolutely essential tools make sure your code is DRY, clean and lean. Like some of the previously mentioned tools, these too can be installed globally via Composer:

composer global require 'sebastian/phpcpd=*'
composer global require 'sebastian/phpdcd=*'

Convenience Bundle

Executing the following set of commands will install Composer globally, and then all the tools we mentioned above, except vfsStream, which you should require manually in your composer.json file:

composer global require 'sebastian/phpcpd=*'
composer global require 'sebastian/phpdcd=*'

Composer is globally installed now.

composer global require "phpunit/phpunit=4.1.*"
composer global require behat/behat='~3.0.6'
composer global require 'phploc/phploc=*'
composer global require 'phpmd/phpmd=*'
composer global require 'squizlabs/php_codesniffer=*'
composer global require 'sebastian/phpcpd=*'
composer global require 'sebastian/phpdcd=*'

You can now use all these tools from any project, without having to manually include them.


In this post, we covered a part of the list from PHP QA Tools, focusing on actual QA tools only, and gave them some more context. Finally, we created a convenience shell provision file for your Vagrant boxes, so you can install all the QA tools globally at once.

While you probably won’t be allowed to use all these at work where speed is more important than quality, you should definitely give them a go in your passion projects – your ideas deserve them.

Do you use any of these? If not, why? Think we’re missing some? Let us know and we’ll do our best to expand the list with essential tools – but make sure they’re actual QA tools!

  • Miles Johnson

    I’d suggest PHP-VFS over vfsStream anyday. It follows the latest in PHP standards and has a greater API to work with. It’s still very young and is missing a few features (file locking, etc), but very promising.

  • Thomas

    Nice article, where we can find more or less the same tools as presents.

    Have you ever tried codeception as well? ( The approach is quite easy as it is full php tools and gets you an easy way to cover every type of tests.

  • DCD is pretty dead if I remember correctly.

    CPD is very useful though.

  • do not hesitate to try PhpMetrics, a static analysis tool that provides lot of metrics for PHP: Maintenability Index, Halstead metrics, LCOM4, Cyclomatic complexity, Myer’s Interval… :

  • Pascal Chevrel

    PhpUnit is no longer the only mature unit testing framework, Atoum is great too ( and feels much easier and modern to use in my opinion. Have you tried it?

  • WooDzu

    Yeah, Codeception and Selenium Server are missing from the list. For continues integration Jenkins or Travis CI are essential. Last point I’d add “a real human” which cannot be replaced by ANY tool for final acceptance testing.

  • stephen_orr

    I liked the article in general (and I’ve installed all of the tools), but I didn’t agree with “BDD is TDD done right”.

    BDD and TDD realistically are two sides of the same coin, and can be used together to verify that the code does as it should. It’s just two different viewpoints, and let’s face it, that’s never a bad thing!

  • Will try it out, thanks!

  • DanBangWTFRajib

    I’d add SonarQube (formerly Sonar Source) in the list. It helps to maintain code quality by informing you the #TechnicalDebt. Its not only for PHP and leverages lots of tools mentioned above.

    Among above mentioned tools, It’d replace LOC, Code_Sniffer + Mess Detector and gives much more. For more information check

    If you wan to see how much Technical debts some old projects with legacy codes have in its Nemo page.

  • Fab G

    No one mentioned ScrutinizerCI ( or SensionLabs Insight (, made my the creators of Symfond, yet?

  • Bhaumik Patel


    Is there any gui tools available for code QA?

  • Autom is not stable (sadly because of the project lead’s decision)

    • Pascal Chevrel

      That’s Atoum, not Autom :) Atoum is stable in that it is more stable than most of the software packages I use that do have a 1.0 (2.0, 3.0…) version. I also would prefer a classic public versionning system but you can choose to use the 0.0.1 tag or stay on any sha1 you want if you are afraid of regressions. The lead dev decision to not use classic versionning wouldn’t be my choice either, but I understand it and it doesn’t impact its use IMO

  • Mohd. Mahabubul ALam

    The SitePoint PHP blog has a new post today with what it calls the eight must- have PHP QA tools
    to ensure the overall quality of your codebase. These tools cover
    everything from unit testing out to ensuring code standards are met.

    The [QA Tools] site is a simple
    list of interesting tools that can help you properly test your
    application, while also analyzing it and producing interesting data for
    you to look at. This post will be little more than a re-iteration of
    some of those tools with added information, use cases and advice about
    them – however, we’re open to expanding this list with other QA tools
    you throw our way that get plenty of votes in the comments below or seem
    interesting and/or useful enough.

    Their list of eight covers a wide range of QA needs:





    PHP Mess Detector

    PHP CodeSniffer

    Dead Code Detector

    Copy Paste Detector

    For each there’s a brief description and some of the commands you’ll
    need to get it installed. Configuring them for your environment is a bit
    out of the scope of the article, though, so you’ll have to pick that up
    on your own.

  • Constantino Kusulas

    And Codeception which is the place should be in the list test QA PHP?

Get the latest in PHP, once a week, for free.