Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message
Log in Register
Home
Packages
Phpstan Banned Code
Assessments

Phpstan Banned Code Laravel Package

ekino/phpstan-banned-code

PHPStan extension that flags banned code patterns in your project (e.g., var_dump, dd, exit/die, eval, echo/print, shell exec/backticks). Configurable via PHPStan parameters, with optional checks like preventing use imports from Tests in non-test code.

View on GitHub
Deep Wiki
Context7

Technical Evaluation

Architecture Fit

  • Seamless PHPStan Integration: Designed as a PHPStan extension, it leverages the existing static analysis pipeline without disrupting Laravel’s architecture. Works alongside other PHPStan rules (e.g., phpstan/laravel, phpstan/phpunit) via NEON configuration, enabling modular rule composition.
  • AST-Based Detection: Uses PHPStan’s Abstract Syntax Tree (AST) to identify banned constructs (e.g., Expr_FuncCall, Stmt_Echo), aligning with Laravel’s compiler-first approach (e.g., Blade templates, service containers).
  • Laravel-Specific Synergy:
    • Blocks debug helpers (dd(), dump()) that plague Laravel’s debug mode and Tinker.
    • Detects unsafe patterns like file_get_contents on sensitive paths (e.g., /config/, /storage/) via custom function lists.
    • Supports namespace-based rules (e.g., ban use Tests\* in non-test files) to enforce Laravel’s separation of concerns.
  • Compliance Alignment: Maps to Laravel’s security best practices (e.g., Laravel Security Checklist) and OWASP Top 10 (e.g., injection prevention via shell_exec bans).

Integration Feasibility

  • Low Friction Setup:
    • Option 1: Auto-install via phpstan/extension-installer (recommended for Laravel projects using PHPStan).
    • Option 2: Manual NEON config inclusion (2 lines in phpstan.neon).
    • No Laravel-Specific Hooks: Works at the PHP level, avoiding Laravel’s service provider or facade dependencies.
  • Dependency Compatibility:
    • PHP 8.1+ Required: Aligns with Laravel’s PHP 8.1+ support (LTS since v9.x). No conflicts with Laravel’s core dependencies.
    • PHPStan 2.x+: Compatible with Laravel’s PHPStan integration (e.g., phpstan/laravel package).
    • Composer Dev Dependency: Isolates to CI/dev environments, avoiding runtime overhead.
  • Configuration Override: Supports project-specific bans (e.g., add Artisan::call() to banned functions for CLI-only projects).

Technical Risk

Risk Area Assessment Mitigation
False Positives Custom function lists may flag legitimate code (e.g., dump() in a debug-only service). Solution: Use non_ignorable: false and whitelist exceptions in NEON. Test with phpstan analyze --generate-baseline to refine rules.
Performance Overhead AST analysis adds ~5–10% to PHPStan’s runtime. Solution: Run in CI only (not local dev). Use --memory-limit=512M if analyzing large codebases (e.g., 50K+ LOC).
Configuration Complexity Advanced NEON syntax (e.g., banned_code.nodes) may confuse teams unfamiliar with PHPStan. Solution: Provide team-specific templates (e.g., phpstan.neon.laravel-security). Document default rules in a README with examples.
Laravel-Specific Gaps Misses Laravel-specific patterns (e.g., Blade @debug, config('app.debug')). Solution: Extend with custom PHPStan rules (e.g., phpstan/extension-installer + phpstan/rule-level-plugin). Example: Ban {{ dd($var) }} via a custom rule.
CI Pipeline Impact Failing builds on banned code may disrupt workflows if not phased gradually. Solution: Start with --ignore-errors in CI, then enforce via branch protection rules. Use non_ignorable: false to allow baseline suppression for known issues.
Maintenance Burden Requires PHPStan expertise to update rules (e.g., adding new banned functions). Solution: Assign a TPM-owned "static analysis lead" to manage configurations. Use GitHub Actions to auto-update banned lists (e.g., from OWASP’s PHP cheat sheet).

Key Questions for the TPM

  1. Rule Prioritization:

    • Should we start with security-critical bans (e.g., eval, shell_exec) or debug-related bans (e.g., dd(), var_dump)?
    • Example: Ban exec, passthru, and system in Phase 1, then add dd()/dump() in Phase 2.

  2. CI/CD Strategy:

    • Should banned code fail builds immediately, or warn first with a baseline?
    • Example: Use non_ignorable: true for security bans, false for debug bans.

  3. Laravel-Specific Extensions:

    • Should we customize banned functions for Laravel (e.g., Artisan::call(), Blade @debug)?
    • Example: Add Artisan::call('migrate') to banned functions for production builds.

  4. Team Adoption:

    • How will we educate developers on the new rules (e.g., training, IDE plugins like PHPStan’s VS Code extension)?
    • Example: Create a Slack channel for banned-code exceptions and a wiki page with allowed alternatives (e.g., Log::debug() instead of var_dump).

  5. Scaling:

    • How will we handle large codebases (e.g., 100K+ LOC) or monorepos?
    • Example: Run PHPStan in parallel using phpstan --parallel and cache results with phpstan --cache-results.

  6. False Positive Handling:

    • What’s the process for whitelisting exceptions (e.g., var_dump in a debug-only CLI command)?
    • Example: Use // @phpstan-ignore-next-line sparingly, with code review approval for each case.

  7. Auditability:

    • Should we track banned-code violations in a dashboard (e.g., GitHub Insights, custom script)?
    • Example: Parse PHPStan output to generate a monthly report of debug/function bans.

  8. Dependency Updates:

    • How will we keep banned lists updated (e.g., new PHP functions, OWASP recommendations)?
    • Example: Schedule quarterly reviews of banned functions using composer why-not and phpstan diagnose.

Integration Approach

Stack Fit

  • PHPStan Ecosystem: Native integration with PHPStan 2.x+, which Laravel projects using phpstan/laravel or phpstan/phpunit already leverage. No conflicts with:
    • Laravel’s PHPStan presets (e.g., phpstan/laravel for framework-specific rules).
    • Other PHPStan extensions (e.g., phpstan/doctrine, phpstan/symfony).
  • Laravel-Specific Synergies:
    • Debug Mode: Blocks dd(), dump(), and exit() in production builds, aligning with Laravel’s APP_DEBUG=false best practice.
    • Artisan Commands: Can ban Artisan::call() in non-CLI contexts (e.g., web routes).
    • Blade Templates: Detects {{ dd($var) }} or @debug directives via custom rules (if extended).
  • CI/CD Tools:
    • GitHub Actions/GitLab CI: Integrates via phpstan/extension-installer or custom scripts.
    • Composer Scripts: Add to composer.json: 
      "scripts": {
  "test": "phpstan analyze --level=max --memory-limit=1G"
}
    • Parallel Testing: Use phpstan --parallel for large codebases (e.g., 50K+ LOC).

Migration Path

Phase Action Tools/Artifacts
Assessment Audit current codebase for banned patterns (e.g., grep -r "var_dump|dd|exec"). grep, phpstan analyze --generate-baseline, custom script to parse PHPStan output.
Pilot Enable in CI for a single repo (e.g., API layer) with non_ignorable: false. GitHub Actions/GitLab CI job, phpstan.neon config, baseline file (phpstan.baseline.neon).
Enforcement Roll out to all repos
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
davejamesmiller/laravel-breadcrumbs
artisanry/parsedown
christhompsontldr/phpsdk
enqueue/dsn
bunny/bunny
enqueue/test
enqueue/null
enqueue/amqp-tools
bower-asset/punycode
bower-asset/inputmask
bower-asset/jquery
bower-asset/yii2-pjax
laravel/nova
spatie/laravel-mailcoach
spatie/laravel-superseeder
laravel/liferaft
nst/json-test-suite
danielmiessler/sec-lists
jackalope/jackalope-transport
twbs/bootstrap4