Phpstan Sarif Formatter Laravel Package

Product Decisions This Supports

• Developer Experience (DX) & Quality Assurance (QA) Roadmap:

  • PHPStan 2.x Migration Path: Enable seamless adoption of the package as teams upgrade to PHPStan 2.x, ensuring backward compatibility in SARIF reporting for static analysis.
  • Long-Term Tooling Alignment: Future-proof CI/CD pipelines by supporting the latest PHPStan versions, reducing friction when updating dependencies.
  • Cross-Version Compatibility: Maintain consistent SARIF output across PHPStan 1.x and 2.x, simplifying adoption for teams with mixed environments.

• Build vs. Buy:

  • Buy: Stronger justification for adoption due to explicit PHPStan 2.x support, reducing risk of breaking changes during major version upgrades.
  • Build: Only if requiring PHPStan 2.x-specific SARIF extensions (e.g., custom rule metadata) or deep integration with proprietary tools.

• Use Cases:

  • CI/CD Enrichment: Ensure SARIF reports remain compatible with modern CI systems (e.g., GitHub Actions, GitLab) as PHPStan evolves.
  • IDE Integration: Maintain real-time feedback in VS Code/WebStorm for teams using PHPStan 2.x without workflow disruptions.
  • Audit/Compliance: Generate consistent SARIF reports across PHPStan versions for third-party reviews or internal QA processes.

When to Consider This Package

• Adopt if:

  • Your team uses PHPStan 1.x or 2.x and needs SARIF output for CI/IDE integration.
  • You’re planning a PHPStan upgrade to 2.x and want to avoid SARIF reporting gaps.
  • Your workflow relies on SARIF-based tooling (e.g., GitHub SARIF uploads, SonarQube) and requires compatibility with the latest PHPStan.
  • You prioritize low-maintenance SARIF formatting with minimal risk of breaking changes.

• Look elsewhere if:

  • Your stack doesn’t support SARIF (e.g., legacy CI systems without SARIF parsers).
  • You need custom PHPStan 2.x-specific SARIF extensions beyond standard formatting.
  • You’re already using a dedicated SARIF tool (e.g., custom scripts) and lack resources to migrate.
  • License concerns: MIT remains permissive, but internal policies may still require review.

How to Pitch It (Stakeholders)

For Executives: *"This updated package now supports PHPStan 2.x, ensuring our SARIF-based static analysis workflows stay seamless as we modernize our stack. Key benefits:

• Zero disruption during PHPStan upgrades: SARIF reports continue working across versions.
• Future-proof CI/IDE integration: Aligns with GitHub/GitLab SARIF features and VS Code plugins.
• Cost-effective compliance: SARIF reports remain compatible for audits or SonarQube dashboards. Recommendation: Adopt as part of our PHPStan 2.x migration plan to avoid tooling gaps."*

For Engineering: *"We’ve updated the SARIF formatter to support PHPStan 2.x, meaning:

1. No breaking changes when upgrading PHPStan—your existing SARIF workflows (CI, IDEs) stay intact.
2. Future compatibility with PHPStan’s roadmap, reducing maintenance overhead.
3. Same easy setup: Just configure --error-format=sarif in PHPStan 2.x. Blockers? Only if your team is stuck on PHPStan 1.x and can’t upgrade (unlikely). Otherwise, this is a no-brainer for SARIF adoption."*