DEV Community

Cover image for 7 Continuous Integration Tools for PHP Laravel Developers

7 Continuous Integration Tools for PHP Laravel Developers

markoa profile image Marko Anastasov Originally published at ・6 min read

In this article we'll cover 7 tools that can increase code quality, reduce development time, easily reveal errors and generally make your life as a PHP developer easier.

The goal is to set up various tests for our code, without having to
provision or maintain any servers. With a fast feedback cycle, we'll
be able to catch errors early and fix them before they grow.

Sounds good? Let's get started.

Code analysis tests

Code analysis consists of scanning the source for certain structures
that may point to deeper problems, such as design flaws and bad coding
practices, usually called code smells.

Some code analysis tools focus on finding out bad patterns: functions
with too many parameters, fat classes or too deeply nested structures.
While others check for style: indentation rules, name conventions, etc.

Every analysis must start with some standard to follow. These rules are,
at the end of the day, subjective but informed by previous experience.
The rules can be generally configured and customized.

PHP Mess Detector

PHP Mess Detector (phpmd) checks for code smells: awkward, overcomplicated or unused code. It's inspired by the PMD project.

phpmd ships with several rulesets than can be enabled or disabled independently.

Basic usage:


Built-in rules are:

  • cleancode: enforce clean code base rules.
  • codesize: complexity rules, excessively long classes, etc.
  • controversial: camelcase rules, globals, etc.
  • design: forbid eval, goto, exit. Also coupling and depth rules.
  • naming: long and short identifier names, method name rules.
  • unusedcode: dead code and unused variables rules.

What does it look like?

$ phpmd src text cleancode,codesize,controversial,design,naming,unusedcode
ProvisionerCommand.php:38    The variable $myvar_id is not named in camelCase.
ProvisionerCommand.php:38    Avoid variables with short names like $io. Configured minimum length is 3.
PermissionsComponent.php:53     Avoid unused private methods such as 'checkAccount'.
PagesController.php:349   Avoid excessively long variable names like $view_registration_count. Keep variable name length under 20.
ProvisionersController.php:106    The method delete uses an else expression. Else is never necessary and you can simplify the code to work without else.

If you've never done any code analysis on your project before, it is
likely to make you want to pull your hairs out. Don't worry and be
patient, after we have gotten our code in order our lives will be

Instead of setting the rules by command line, we can create an xml file
that can be checked in source control:

$ phpmd src text myrules.xml
<?xml version="1.0"?>
<ruleset name="Basic"
        First basic ruleset for code analysis...

    <!-- Import all rule sets -->
    <rule ref="rulesets/cleancode.xml" />
    <rule ref="rulesets/codesize.xml" />
    <rule ref="rulesets/controversial.xml" />
    <rule ref="rulesets/design.xml" />

    <rule ref="rulesets/naming.xml">
        <exclude name="ShortVariable" />
        <exclude name="LongVariable" />


PHP Code Sniffer

PHP Code sniffer (phpcs) is a style checker. If you've ever used a linter (jshint, pylint, checkstyle, etc) you already know what it does. phpcs can check for indentation, missing comments, naming conventions, etc.

PHP Code sniffer ships with various popular PHP styles such as PEAR, PSR2 and Zend among others. We can also make our own rules or mix and match
checks from existing ones.

The typical invocation goes:

$ phpcs FILE_OR_DIR --standard=STANDARD_NAME
$ phpcs FILE_OR_DIR --report-full --standard=PEAR
FILE: app/Providers/RouteServiceProvider.php
  2 | ERROR | [ ] Missing file doc comment
  8 | ERROR | [ ] Missing doc comment for class RouteServiceProvider
 55 | ERROR | [x] Object operator not indented correctly; expected 12 spaces but found 13
 56 | ERROR | [x] Object operator not indented correctly; expected 12 spaces but found 13
 69 | ERROR | [x] Object operator not indented correctly; expected 12 spaces but found 13
 70 | ERROR | [x] Object operator not indented correctly; expected 12 spaces but found 13
 71 | ERROR | [x] Object operator not indented correctly; expected 12 spaces but found 13

PHP Code Sniffer also includes phpcbf, a program than can automatically fix some problems.

$ phpcbf FILE_OR_DIR --report-full --standard=PEAR

FILE                                               FIXED  REMAINING
app/Providers/RouteServiceProvider.php               5      2
app/Providers/BroadcastServiceProvider.php           3      5
app/Http/Middleware/Authenticate.php                 1      4
app/Http/Middleware/RedirectIfAuthenticated.php      3      6
app/Http/Controllers/UserController.php              10     20
app/Http/Controllers/Auth/RegisterController.php     8      9
app/Services/UserService.php                         9      22
app/Exceptions/Handler.php                           3      7
app/Console/Kernel.php                               2      4

Time: 201ms; Memory: 8MB

PHP Copy Paste Detector

PHP Copy Paste Detector (phpcpd) does what it says on the tin: finds duplicate code inside your project.

Having duplicate code usually signals the need for refactoring, the repeated parts should find a new home in a shared library or component. Duplicates also force developers to make shotgun surgery: a single change must be repeated multiple times.

Basic usage:

$ phpcpd FILE_OR_DIR

We can tell phpcpd how many lines must be repeated to be considered an error:

$ phpcpd src --min-lines=40
phpcpd 4.1.0 by Sebastian Bergmann.

Found 1 clones with 45 duplicated lines in 2 files:

  - src/Controller/PagesController.php:32-77 (45 lines)

1.14% duplicated lines out of 3950 total lines of code.
Average size of duplication is 45 lines, largest clone has 45 of lines

Time: 39 ms, Memory: 6.00MB

Unit testing: PHPUnit

Unit testing ensures that our implementation does what it has been designed to do. Units are the smallest testable pieces of code, e.g. a class method, a function, an API call.

Unit tests also act as a form of living documentation, by reading what they do we can infer how the tested parts should work, what inputs do
they take and what outputs should them provide. They also validate that
code still valid after refactoring.

As new code is being written, we should also be creating tests to
validate its behavior.

PHPUnit is the most popular testing framework for PHP, to drive our test cases. If you're looking for a tutorial to get started, this one can help:

After our tests are in place, we call phpunit to get an error report:

$ phpunit
PHPUnit 7.5.2 by Sebastian Bergmann and contributors.

..F.                                                                4 / 4 (100%)

Time: 1.04 seconds, Memory: 18.00MB

There was 1 failure:

1) Tests\Unit\UserServiceTest::testItCanUpdateUser
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'updated name'
+'updatedx name'


Tests: 4, Assertions: 8, Failures: 1.

Browser test: Laravel Dusk

PHPUnit's biggest problem is its inability to test JavaScript on the frontend. Dusk is a browser
automation tool that overcomes this limitation by testing the application on an actual browser.

Dusk interfaces with a real Chrome browser to programatically browse sites, perform actions, select elements and do assertions.

In order to test with Dusk, we need to start our application with Laravel's artisan tool:

$ php artisan serve &
$ php artisan dusk
PHPUnit 7.5.2 by Sebastian Bergmann and contributors.

F..                                                                 3 / 3 (100%)

Time: 11.34 seconds, Memory: 20.00MB

There was 1 failure:

1) Tests\Browser\LoginTest::testUserCanLogIn
Did not see expected text [Welcome, Test Account] within element [body].
Failed asserting that false is true.


Tests: 3, Assertions: 4, Failures: 1.

Security test: Sensiolabs

With SensioLabs security checker, we can scan our project dependencies for known vulnerabilities. It scans our composer file for dependencies and runs
them down through a vulnerabilities database:

$ php security-checker security:check ../composer.lock

Symfony Security Check Report

No packages have known vulnerabilities.

Continuous Integration: Semaphore

Continuous Integration (CI) allows to test early and test often.

We can set up a CI pipeline to build the application on every push. The
pipeline ties all tools together in a single workflow, drives the tests and can optionally deploy the application.

Semaphore is a cloud-based continuous integration service that automatically scales to run tests on every git push. You can set a multi-stage CI pipeline from a single configuration file:

PHP CI pipeline on Semaphore

The point of separating the pipeline in a series of steps is to get faster feedback. For example, it makes no sense to run time-consuming, high-level browser tests if we've made a fundamental mistake in code.

To avoid setting up a pipeline from scratch, you can fork this open source project and add it on Semaphore:

GitHub logo semaphoreci-demos / semaphore-demo-php-laravel

A Semaphore demo CI/CD pipeline using PHP Laravel

CI status badge

Semaphore demo CI/CD pipeline using PHP Laravel

Example application and CI/CD pipeline showing how to run a PHP Laravel project on Semaphore 2.0.

Local project setup

To setup the project locally, your local environment needs to meet common Laravel development requirements, as per Laravel Documentation We recommend setting up using Vagrant and Homestead, as it is a turn key solution supported on all major operating systems.

Once the local environment is set up, you can run the following commands:

cp .env.example .env // and enter your DB details in the newly created .env
composer install
php artisan key:generate
php artisan migrate

CI/CD on Semaphore

Fork this repository and use it to create a project from web UI or command line:

curl | bash
sem connect <semaphore-organization-link> <semaphore-id> // found in Semaphore Dashboard
cd <project directory&gt
sem init

After that, push to the repository to trigger a workflow…

For a step-by-step explanation of the CI configuration, read the article on Semaphore blog.

Happy building!


Editor guide
matthewbdaly profile image
Matthew Daly

I'd also recommend either Psalm or PHPStan - they're static analyzers that will find potential problems with your code.

Also, Infection is really useful once you have good test coverage to validate the quality of those tests.

robdwaller profile image
Rob Waller

I need to take a look at PHP Copy and Paste thanks for reminding me.

mattsparks profile image
Matt Sparks

Nice list of tools!

david_j_eddy profile image
David J Eddy

Thank you for this, always nice to see PHP content here on

antonytuff profile image
Tonny we have such a tool that one can use to do vulnerability assessment for Laravel application

full_stackgeek profile image
Full Stack Geek

Great Writeup | Kudos to the Author | Added to my Reading List