Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Phpstan Banned Code Laravel Package

ekino/phpstan-banned-code

PHPStan extension that flags banned code patterns in your project (e.g., var_dump, dd, exit/die, eval, echo/print, shell exec/backticks). Configurable via PHPStan parameters, with optional checks like preventing use imports from Tests in non-test code.

Detect banned code through PHPStan

Frequently asked questions about Phpstan Banned Code
How do I install **ekino/phpstan-banned-code** in a Laravel project?
Run `composer require --dev ekino/phpstan-banned-code`. If `phpstan/extension-installer` is present the extension is loaded automatically; otherwise add `includes: [vendor/ekino/phpstan-banned-code/extension.neon]` to your `phpstan.neon`. It’s a dev dependency, so it won’t affect production.
Which Laravel versions and PHPStan versions does this package support?
This package works with **Laravel 9+** (PHP 8.1+) and **PHPStan 2.x+**. It’s compatible with Laravel’s built-in PHPStan integration (e.g., `phpstan/laravel`) and won’t conflict with other PHPStan extensions.
Can I block specific functions like `dd()` or `exec()` without banning everything?
Yes. Configure banned functions in `phpstan.neon` under `banned_code.nodes` with `type: Expr_FuncCall` and list them (e.g., `functions: [dd, exec]`). Start with security-critical functions like `shell_exec` or `eval` to avoid false positives.
How do I prevent `use` statements from the `Tests` namespace in non-test files?
Set `use_from_tests: true` in your PHPStan config. This rule is optional and helps enforce Laravel’s separation of concerns by blocking accidental test imports in production or service code.
Will this package break my CI pipeline if I enable strict rules?
To avoid disruptions, start with `non_ignorable: false` and use `--generate-baseline` to whitelist known issues. Gradually enforce rules by setting `non_ignorable: true` for security-critical bans (e.g., `eval`, `shell_exec`) first.
Does this package detect Laravel-specific debug patterns like `{{ dd($var) }}` in Blade templates?
No, it focuses on PHP code. For Blade-specific bans, combine this with a custom PHPStan rule (e.g., via `phpstan/extension-installer`) or pre-process Blade files with a tool like `laravel-blade-compiler`.
How do I handle false positives, like `dump()` in a debug-only service?
Use `non_ignorable: false` to allow baseline suppression, then whitelist exceptions in your NEON config. For example, add `ignore: [path/to/debug-service.php]` under the relevant rule. Test with `phpstan analyze --generate-baseline` to refine rules.
Can I customize banned functions for different Laravel environments (e.g., ban `Artisan::call()` in production)?
Yes. Override the `functions` list in your `phpstan.neon` per environment. For example, add `Artisan::call` to banned functions in a production-specific config and exclude it in local/dev setups.
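The answers above on installing the extension, banning a function list, blocking `use` imports from `Tests`, and staging enforcement with `non_ignorable` and a baseline fit into one configuration file. The following `phpstan.neon` is an added example, not a file shipped by ekino/phpstan-banned-code or by this site; the analysed `paths`, the `level`, and the exact function list are assumptions for a typical Laravel layout, while the `banned_code` keys and node types follow the extension's documented parameters.

```neon
# phpstan.neon (added example; paths, level and the chosen function list are assumptions)
includes:
    # Skip this include when phpstan/extension-installer is installed.
    - vendor/ekino/phpstan-banned-code/extension.neon
    # After running `vendor/bin/phpstan analyse --generate-baseline`, add the
    # generated file here so existing hits are tracked rather than blocking CI:
    # - phpstan-baseline.neon

parameters:
    level: 6
    paths:
        - app
        - routes
        - database

    banned_code:
        nodes:
            # eval(): arbitrary code execution from a string
            -
                type: Expr_Eval
                functions: null

            # exit / die: terminates the request outside the framework's
            # exception handling
            -
                type: Expr_Exit
                functions: null

            # backtick operator: shell execution without a named function
            -
                type: Expr_ShellExec
                functions: null

            # echo / print: raw output from service code bypasses the
            # response and escaping layers
            -
                type: Stmt_Echo
                functions: null
            -
                type: Expr_Print
                functions: null

            # Function calls matched by name. Start with the process-spawning
            # functions; add the debugging helpers once the baseline is in place.
            -
                type: Expr_FuncCall
                functions:
                    - shell_exec
                    - exec
                    - system
                    - passthru
                    - proc_open
                    - dd
                    - dump
                    - var_dump
                    - phpinfo

        # Report `use Tests\...` statements in files outside the test suite.
        use_from_tests: true

        # Leave false while the baseline absorbs existing findings. Set to true
        # once the analysis is clean: the reported errors then can no longer be
        # suppressed via ignoreErrors or the baseline, so new bans fail CI.
        non_ignorable: false
```

Run `vendor/bin/phpstan analyse` with this file in the project root. A stricter variant for CI can live in a second file that includes this one and is selected with `vendor/bin/phpstan analyse -c phpstan.ci.neon`, which is the mechanism the per-environment answer above relies on.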
What’s the performance impact of running this in CI?
AST analysis adds ~5–10% runtime to PHPStan. To optimize, run only in CI (not locally) and increase memory limits for large codebases (`--memory-limit=512M`). For monorepos, scope analysis to Laravel-specific directories.
Are there alternatives to this package for Laravel security checks?
For Laravel-specific security, consider `phpstan/laravel` (for framework rules) or `roave/security-advisories` (for dependency vulnerabilities). This package complements them by focusing on **code-level bans** (e.g., `eval`, `shell_exec`) rather than framework or dependency issues.