Hello everyone,
I'm looking for a tool that can not just statically analyze code but also discover performance bottlenecks and security holes.

I found three of them:

SensioLabsInsight - also includes checking Twig templates and is more or less focused on the Symfony2 world.

CodeClimate - also checks JS and Ruby

Scrutinizer

CodeClimate and Scrutinizer are quite expensive compared to SensioLabsInsight.

There are already similar questions like "Is there a good/robust PHP Lint or code quality tool?" or "Is there a tool for PHP that displays code quality metrics in a concise manner?", but I would rather use a tool that is not just aimed at static analysis.

I'm curious whether any of you have personal experience with any of these tools in a real project, where you could say that it really helped you spot potentially vulnerable code, or basically any kind of useful information that can't be detected with static analysis alone.

    For security, there were a couple of tools mentioned in this old thread: https://board.phpbuilder.com/d/10394333-is-there-a-tool-to-scan-ones-php-code-for-security-problems

    As for performance bottlenecks, those will depend not just on your code, but also on your data structures, your data, your hardware, and the usage patterns of your audience. Best practices while coding mean that you add data indexes to the right tables, where you consider the maximum number of records possible for a given bit of code, etc. A good coder must stay vigilant and maintain good "situational awareness" (for lack of a better term). That said, my experience says that you can't avoid all the performance bottlenecks, and post-facto analysis will always be required to chase down the bottlenecks in any successful site. I'd even say that locating bottlenecks is something of a dark art.
