gitmyhub

psalm

PHP ★ 5.9k updated 1d ago

A PHP static analysis tool for finding errors and security vulnerabilities in PHP applications

Psalm is a PHP static analysis tool that reads your code before you run it to catch type errors, undefined variables, dead code, and security vulnerabilities like SQL injection, originally built at Vimeo and now open source.

PHP · Composer · setup: moderate · complexity 3/5

Psalm is a tool that reads PHP code and flags problems before you ever run the program. This kind of tool is called a static analyzer because it works by examining the code itself, not by executing it. It can catch type mismatches (where a value of the wrong kind gets passed to a function), undefined variables, dead code, and a range of security issues like places where untrusted user input could flow into a database query or shell command.

The security analysis feature, called taint analysis, traces a path from where data enters your application (a form submission, a URL parameter) to where it might cause harm if not properly cleaned first. Psalm reports the full path it found so developers know exactly what to fix.
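As an added illustration (not code from the Psalm README or the project itself), here is the kind of source-to-sink path that `vendor/bin/psalm --taint-analysis` reports, with the corrected version beside it; the wrapper function names and the `users` table are assumed for the example.

```php
<?php
// Added example, not part of the Psalm project or its README.
// Run with: vendor/bin/psalm --taint-analysis
// Psalm already treats $_GET/$_POST as taint sources and PDO::query as an
// SQL sink; the annotation below marks our own wrapper so the path stays visible.

/**
 * Raw query wrapper. The annotation tells Psalm that anything reaching
 * $sql must not carry taint from user input.
 *
 * @psalm-taint-sink sql $sql
 */
function runQuery(PDO $db, string $sql): PDOStatement
{
    return $db->query($sql);
}

/**
 * VULNERABLE: the URL parameter flows unchanged into the query text.
 * Psalm reports TaintedSql and prints the path
 * $_GET['id'] -> $id -> $sql -> runQuery($sql).
 */
function findUserUnsafe(PDO $db): ?array
{
    $id  = $_GET['id'] ?? '';
    $sql = "SELECT id, name FROM users WHERE id = " . $id;
    $row = runQuery($db, $sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * FIXED: the SQL text is a constant string and the value is bound as a
 * parameter, so no tainted data reaches the sink and Psalm reports nothing.
 */
function findUserSafe(PDO $db): ?array
{
    $id   = $_GET['id'] ?? '';
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->execute(['id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The reported path is the "full path" mentioned above: each hop shows where the tainted value was assigned or passed, so the fix can be applied at the sink rather than guessed at.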

Psalm was originally built by engineers at Vimeo to help manage a large PHP codebase and catch errors that code review alone would miss. It became open source and is now maintained by a single developer, Daniil Gentili. The maintainer offers paid support contracts for teams that want help integrating Psalm into an existing codebase or developing custom features around it.

The README is brief. It points to the project website for documentation, a live demo where you can paste PHP code and see Psalm analyze it immediately, and an installation guide. The tool is installed through PHP's standard package manager, Composer.

If you are a non-technical person evaluating a PHP codebase, knowing that it uses Psalm suggests the team has invested in automated code quality checks, which is generally a sign of a more careful development process.

Where it fits