- How do I install and enable this package in a Laravel project?
- Run `composer require --dev ekino/phpstan-banned-code`, then include the extension by adding `includes: [vendor/ekino/phpstan-banned-code/extension.neon]` to your PHPStan config. If you use `phpstan/extension-installer`, no extra steps are needed.
- Which Laravel versions and PHPStan versions does this package support?
- This package works with Laravel 8.x–11.x and PHP 8.0–9.0. It supports PHPStan 2.x (and 1.x via a compatibility layer). Always pin PHPStan’s version in `composer.json` to avoid breaking changes.
- Can I block `dd()` or `var_dump()` only in production and allow them in tests?
- Yes. Configure `non_ignorable: false` and use PHPStan’s baseline feature to exclude test files. Alternatively, whitelist test directories in your PHPStan config to skip banned-code checks there.
- How do I prevent `use` statements from test classes in non-test files?
- Enable the `use_from_tests` rule in your PHPStan config. Set `use_from_tests: true` and optionally refine it with `paths` to exclude specific directories like `app/Console`.
- Will this package slow down my CI pipeline significantly?
- No. The AST-based analysis adds less than 5% overhead to PHPStan scans. Run it in CI (not locally) or parallelize with other tools like Psalm to mitigate any impact.
- How can I customize which functions or nodes are banned?
- Edit the `extension.neon` config to include or exclude specific nodes (e.g., `Stmt_Echo`, `Expr_Eval`) or functions (e.g., `exec`, `shell_exec`). The README provides a full list of configurable types and functions.
- Does this work with Laravel’s testing frameworks like PestPHP or PHPUnit?
- Yes. The package integrates with Laravel’s testing frameworks but requires explicit configuration. Use `use_from_tests: true` and exclude test directories from banned-code checks to avoid false positives.
- How do I handle false positives during migration to this package?
- Start with a minimal config (e.g., ban only `dd`, `exit`, and `eval`). Use PHPStan’s baseline feature to ignore known violations temporarily, then refine rules incrementally.
- Are there alternatives to this package for banning code in Laravel?
- Yes. Alternatives include custom PHPStan rules, `phpstan/extension-installer` with third-party rules, or tools like `depfu` for dependency analysis. However, this package is specialized for banned-code enforcement with Laravel-specific defaults.
- Can I enforce this package in a pre-commit hook or GitHub Actions?
- Absolutely. Add it to your CI pipeline with `phpstan analyze --level=max --error-format=github`. For pre-commit hooks, use tools like `husky` with a script to fail builds on banned-code violations.
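
For the pre-commit case in the last answer, the following hook is an added example, not code from the package or its README. It assumes PHPStan is installed at `vendor/bin/phpstan`, that the banned-code extension is already included in your PHPStan config, and that test code lives under a `tests/` directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-commit hook that runs PHPStan (banned-code rules included
# via the project's PHPStan config) on staged PHP files only.
# Assumptions: PHPStan is at vendor/bin/phpstan; test code lives under tests/.

# Read file names on stdin, one per line, and print the PHP files that are
# outside tests/. Test files are skipped because the answers above suggest
# excluding test directories from banned-code checks.
select_php_sources() {
    while IFS= read -r f; do
        case "$f" in
            tests/*|*/tests/*) ;;               # skip test code
            *.php) printf '%s\n' "$f" ;;        # keep application PHP files
        esac
    done
}

run_hook() {
    # Added, Copied, Modified, Renamed only: deleted files cannot be analysed.
    files=$(git diff --cached --name-only --diff-filter=ACMR | select_php_sources)
    if [ -z "$files" ]; then
        return 0                                # nothing relevant is staged
    fi
    # Split on newlines only and disable globbing so paths with spaces survive.
    old_ifs=$IFS
    IFS='
'
    set -f
    # Note: PHPStan reads the working-tree copy, which can differ from the
    # staged content if a file was edited again after `git add`.
    vendor/bin/phpstan analyse --no-progress $files
    status=$?
    set +f
    IFS=$old_ifs
    if [ "$status" -ne 0 ]; then
        echo "pre-commit: PHPStan reported errors; commit aborted." >&2
    fi
    return "$status"
}

# Run only when invoked as a hook named pre-commit, so the file can be sourced.
case "$0" in
    */pre-commit|pre-commit) run_hook || exit 1 ;;
esac
```

Save it as `.git/hooks/pre-commit` (or the `pre-commit` file of your hook manager) and make it executable. The CI run remains the authoritative check, since a local hook can be skipped with `git commit --no-verify`.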