Phpstan Banned Code Laravel Package

ekino/phpstan-banned-code

PHPStan extension that flags banned code patterns in your project (e.g., var_dump, dd, exit/die, eval, echo/print, shell exec/backticks). Configurable via PHPStan parameters, with optional checks like preventing use imports from Tests in non-test code.

ekino/phpstan-banned-code is a PHPStan extension that flags usage of forbidden language constructs and functions in your codebase, helping you enforce coding standards and keep debug or unsafe calls out of production. Integrate it into CI to automatically fail builds when banned code is detected.

Configure which AST node types and which named functions are banned via PHPStan parameters, and optionally forbid `use` imports from your `Tests\` namespace in files that are not part of the test suite.

  • Detects calls like var_dump, dd, exec, shell_exec, phpinfo, etc.
  • Supports banning constructs: echo, eval, exit/die, print, backticks
  • Configurable via banned_code.nodes with node type + optional function list
  • Optional rule to block use ... from Tests in non-test code
  • Can emit non-ignorable errors to avoid baseline masking
Frequently asked questions about Phpstan Banned Code
How do I install **ekino/phpstan-banned-code** in a Laravel project?
Run `composer require --dev ekino/phpstan-banned-code`. If you use `phpstan/extension-installer`, the extension is registered automatically; otherwise add `includes: [vendor/ekino/phpstan-banned-code/extension.neon]` to your `phpstan.neon`. It is a dev dependency, so a production build done with `composer install --no-dev` does not ship it.
Which Laravel versions and PHPStan versions does this package support?
The package is framework-agnostic: it is a plain PHPStan extension with no dependency on Laravel, so any Laravel version works as long as the PHP and PHPStan versions match what the installed release of the extension requires. Each major release of the extension targets a PHPStan major, so check the release's `composer.json` before pinning. It can be used alongside Larastan (`larastan/larastan`, the PHPStan extension for Laravel) and other PHPStan extensions.
Can I block specific functions like `dd()` or `exec()` without banning everything?
Yes. Under `parameters: banned_code: nodes:` add an entry with `type: Expr_FuncCall` and a `functions` list (e.g. `functions: [dd, exec]`); only the listed names are reported. Note that `eval`, `exit`/`die`, `echo`, `print` and backticks are language constructs rather than functions, so they are banned by their own node types (`Expr_Eval`, `Expr_Exit`, `Stmt_Echo`, `Expr_Print`, `Expr_ShellExec`), not by adding them to the `functions` list. A sensible starting point is the command-execution and code-evaluation family (`exec`, `shell_exec`, `system`, `passthru`, `proc_open`, `eval`) plus the debug helpers (`dd`, `dump`, `var_dump`), which rarely produce false positives in application code.
How do I prevent `use` statements from the `Tests` namespace in non-test files?
Set `use_from_tests: true` under `parameters: banned_code:`. The rule reports any `use Tests\...` import in code that is not itself part of the test suite, which catches test helpers, fakes or factories accidentally pulled into application code. In a default Laravel skeleton the `Tests\` namespace maps to `tests/`, so this is exactly the boundary between shipped code and test code.
Will this package break my CI pipeline if I enable strict rules?
It can, and that is the point: with the default `non_ignorable: true` the errors it emits cannot be suppressed with `ignoreErrors` or a baseline, so a single stray `dd()` fails the run. To roll it out on an existing codebase, temporarily set `non_ignorable: false`, run `vendor/bin/phpstan analyse --generate-baseline` to record the existing hits, and fix them over time. `non_ignorable` is one global switch for all banned-code errors, not a per-rule setting, so phase in by starting with a short `nodes` list (command execution and `eval` first, debug helpers next) and set `non_ignorable` back to `true` once the baseline no longer contains banned-code entries.
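A complete `phpstan.neon` that wires the feature list above together (node types, the named-function list, the `use_from_tests` check and the `non_ignorable` switch discussed in the preceding answers). This is an added example written for this page, not a file from the ekino/phpstan-banned-code repository; it assumes a default Laravel layout (`app/` and `tests/`) and the parameter names documented by the extension. The function list and the PHPStan level are this example's choices, not a recommendation from the project.

```neon
# phpstan.neon (example configuration, not the extension's own file)
includes:
    # Not needed if phpstan/extension-installer is installed.
    - vendor/ekino/phpstan-banned-code/extension.neon

parameters:
    level: 6
    paths:
        - app
        - tests

    banned_code:
        nodes:
            # Command execution and code evaluation: ban outright.
            -
                type: Expr_ShellExec    # backtick operator
                functions: null
            -
                type: Expr_Eval
                functions: null
            -
                type: Expr_Exit         # exit / die
                functions: null

            # Output constructs that bypass the response object.
            -
                type: Stmt_Echo
                functions: null
            -
                type: Expr_Print
                functions: null

            # Named functions: only the listed names are reported.
            -
                type: Expr_FuncCall
                functions:
                    - exec
                    - passthru
                    - proc_open
                    - shell_exec
                    - system
                    - dd
                    - dump
                    - var_dump
                    - print_r
                    - phpinfo
                    - debug_backtrace

        # Report `use Tests\...` in files that are not part of the test suite.
        use_from_tests: true

        # Errors cannot be baselined or ignored. Set to false only while
        # adopting the rules on an existing codebase, then restore it.
        non_ignorable: true
```

Run `vendor/bin/phpstan analyse` and PHPStan exits non-zero as soon as any of these nodes appears in `app/`, which is what makes the CI gate work. Splitting the node entries as above (rather than one big list) keeps the ordering of the rollout explicit: the command-execution and `eval` entries are the ones worth enabling first, the output and debug entries can follow once the baseline is clean.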
Does this package detect Laravel-specific debug patterns like `{{ dd($var) }}` in Blade templates?
No. PHPStan parses PHP source files only; Blade templates are compiled to PHP at runtime and are not part of the analysis, so a `{{ dd($var) }}` in a view is invisible to this package. Cover templates separately, for instance with a CI grep over `resources/views` for the same function names (`dd(`, `dump(`, `var_dump(`), and keep debug helpers out of views in the first place.
How do I handle false positives, like `dump()` in a debug-only service?
With the default `non_ignorable: true` these errors cannot be ignored at all, so first set `non_ignorable: false`. Then use PHPStan's normal `ignoreErrors` mechanism scoped to the file, e.g. an entry with a `message` matching the reported text and `path: app/Services/DebugService.php` (an example path), or a baseline generated with `vendor/bin/phpstan analyse --generate-baseline`. The extension has no per-rule `ignore` list of its own. Prefer removing the `dump()` over suppressing it: a debug-only service that ships in the production artifact is exactly what the rule exists to catch.
Can I customize banned functions for different Laravel environments (e.g., ban `Artisan::call()` in production)?
PHPStan configuration is not environment-aware, but you can keep separate config files: a base `phpstan.neon` for local work and a stricter CI file (e.g. `phpstan.ci.neon`) that includes it and adds further `nodes` entries, selected with `vendor/bin/phpstan analyse -c phpstan.ci.neon`. Note that the `functions` list applies to plain function calls (`Expr_FuncCall`); `Artisan::call()` is a static method call, which that list does not match, so check the installed version's README for which node types accept a name list before relying on it for framework facades.
What’s the performance impact of running this in CI?
Small. The extension is a set of rules that inspect AST nodes PHPStan has already parsed, so its cost is negligible next to PHPStan's type inference. PHPStan's result cache makes repeated runs cheap, and for large codebases you can raise the memory ceiling with `--memory-limit=512M` (or higher). There is no reason to skip it locally: running the same configuration locally and in CI is what keeps the CI run from being the first place a stray `dd()` is noticed.
Are there alternatives to this package for Laravel security checks?
For Laravel-specific checks, consider Larastan (`larastan/larastan`, framework-aware PHPStan rules) and, for dependency vulnerabilities, `roave/security-advisories` (a meta-package that makes Composer refuse to install dependency versions with known advisories) or `composer audit`. This package complements them by focusing on **code-level bans** (e.g., `eval`, `shell_exec`) rather than framework or dependency issues.