
Phpstan Safe Rule Laravel Package

thecodingmachine/phpstan-safe-rule

PHPStan rule set that flags calls to “unsafe” PHP functions that can return false on failure and suggests using the thecodingmachine/safe equivalents that throw exceptions, helping enforce safer, exception-based error handling in your codebase.


Getting Started

Install via Composer:

composer require --dev thecodingmachine/phpstan-safe-rule

Enable the rule in your phpstan.neon:

includes:
    - vendor/thecodingmachine/phpstan-safe-rule/extension.neon

Run PHPStan as usual — the rule activates immediately and flags unsafe calls like array_key_exists() without prior checks, or strlen() on potentially null values. Start with a low error level (e.g., level: 1) and gradually tighten as you fix violations.

Implementation Patterns

  • CI Integration: Add to your build pipeline (e.g., GitHub Actions, GitLab CI) with a failing exit code to block unsafe code merges.
  • Progressive Adoption: Use ignore patterns in phpstan.neon for legacy code (ignoreErrors: [...]) while enforcing rules for new code.
  • With Safe Wrappers: Works synergistically with packages like thecodingmachine/safe — detects missing use of safe alternatives (e.g., file_get_contents() instead of Safe\file_get_contents()).
  • Custom Disables: Temporarily suppress warnings with @phpstan-ignore-line for edge cases (e.g., when a null check is logically guaranteed but hard to express statically).
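The failure mode behind the "With Safe Wrappers" item, as an added example (not code from this package or from thecodingmachine/safe): a core function that returns false on failure lets a check fail open, while the Safe\ variant forces the failure to be handled. It assumes thecodingmachine/safe is installed and vendor/autoload.php is present; the function names, the deny-list format and the file path are hypothetical.

```php
<?php
// Added example, not code from phpstan-safe-rule or thecodingmachine/safe.
// Assumes `composer require thecodingmachine/safe` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Safe\Exceptions\FilesystemException;
use Safe\Exceptions\JsonException;

// Constructed input: a deny-list file that is missing or unreadable.
const POLICY_PATH = '/nonexistent/deny-list.json';

// Before: file_get_contents() returns false on failure and json_decode()
// returns null, so a missing policy file silently becomes an empty deny list.
function isAllowedUnsafe(string $path, string $user): bool
{
    $raw = @file_get_contents($path);            // false when unreadable
    $policy = json_decode((string) $raw, true);  // null for empty or invalid JSON
    $denied = $policy['denied_users'] ?? [];
    return !in_array($user, $denied, true);      // fails open
}

// After: the Safe\ variants throw, so the failure must be handled explicitly.
function isAllowedSafe(string $path, string $user): bool
{
    try {
        $policy = \Safe\json_decode(\Safe\file_get_contents($path), true);
    } catch (FilesystemException | JsonException $e) {
        error_log('deny list unavailable: ' . $e->getMessage());
        return false;                            // fails closed
    }
    $denied = is_array($policy) ? ($policy['denied_users'] ?? null) : null;
    if (!is_array($denied)) {
        error_log('deny list malformed');
        return false;
    }
    return !in_array($user, $denied, true);
}

// Both calls see the same unreadable file; only the second treats it as an error.
var_dump(isAllowedUnsafe(POLICY_PATH, 'mallory'));
var_dump(isAllowedSafe(POLICY_PATH, 'mallory'));
```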

Gotchas and Tips

  • False Positives: Some checks (e.g., func_get_args() in variadic contexts) may be overly cautious. Override specific rules in your config using parameters.rulesWithErrors, or whitelist via ignoreErrors.
  • Performance: Rule is lightweight but still scales with codebase size. Run on changed files only in PR checks (e.g., via phpstan analyse --diff).
  • Configuration Overlap: Avoid conflicts if you already use phpstan-strict-rules or similar — this package is complementary, not redundant. Prefer enabling only safe-specific rules here.
  • Extension Points: Extend or customize rules by extending SafeRule classes (public API) and registering in your phpstan.neon.
  • Silent Fallbacks: If your PHPStan setup fails silently, ensure extension.neon is included after neon/config.neon — loading order matters for rule priority.