Start Free
10.6 | Analyzing source code | Languages | PHP

Was this page helpful?


On this page

Language-specific properties

Discover and update the PHP-specific properties in Administration > General Settings > Languages > PHP

Turning issues off

The best way to deactivate an individual issue you don't intend to fix is to mark it as accepted or false positive through the Sonar UI.

If you need to deactivate a rule (or all rules) for an entire file, then issue exclusions are the way to go. But if you only want to deactivate a rule across a subset of a file - all the lines of a method or a class - you can use a PHPDoc comment /* @SuppressWarnings("php:S2077") */ or an attribute #[SuppressWarnings("php:S2077")].

Analyze php.ini Files

The PHP analyzer can analyze php.ini files with some specific rules (if these rules are activated in your quality profile). php.ini files must be part of the project you are analyzing, meaning the php.ini files have to be inside the directories listed in sonar.sources. Rules targeting php.ini files can be quickly identified through the php-ini tag set on them.

Custom Rules


The PHP analyzer parses the source code, creates an Abstract Syntax Tree (AST), and then walks through the entire tree. A coding rule is a visitor that is able to visit nodes from this AST.

As soon as the coding rule visits a node, it can navigate its children and log issues if necessary.

Example plugin

To get started a sample plugin can be found here: php-custom-rules.

Writing a plugin

Custom rules for PHP can be added by writing a SonarQube Plugin and using PHP analyzer APIs. Here are the steps to follow:

Create SonarQube plugin

  • create a standard SonarQube plugin project
  • attach this plugin to the SonarQube PHP analyzer through the pom.xml:
    • add the dependency to the PHP analyzer.
    • add the following line in the sonar-packaging-maven-plugin configuration. <basePlugin>php</basePlugin>
  • implement the following extension points:
  • declare the RulesDefinition as an extension in the Plugin extension point.

Implement a rule

  • create a class that will hold the implementation of the rule, it should:
    • extend PHPVisitorCheck or PHPSubscriptionCheck
    • define the rule name, key, tags, etc. with Java annotations.
  • declare this class in the RulesDefinition.

Implementation details

Using PHPVisitorCheck

To explore a part of the AST, override a method from the PHPVisitorCheck. For example, if you want to explore "if statement" nodes, override PHPVisitorCheck#visitIfStatement method that will be called each time an ifStatementTree node is encountered in the AST.

When overriding a visit method, you must call the super method in order to allow the visitor to visit the children of the node.

Using PHPSubscriptionCheck

To explore a part of the AST, override PHPSubscriptionCheck#nodesToVisit by returning the list of the Tree#Kind of node you want to visit. For example, if you want to explore "if statement" nodes the method will return a list containing the element Tree#Kind#IF_STATEMENT.

Create Issues

From the check, the issue can be created by calling CheckContext#newIssue method.

Testing Checks

To test custom checks you can use the method PHPCheckVerifier#verify. You should end each line with an issue with a comment in the following form:

// Noncompliant {{Message}}

Comment syntax is described here.

Configuring plugins for analyzer loading optimization

By default, the loading of analyzers is optimized (see Improving performance), SonarQube will only download analyzers and third-party plugins for the detected languages before running an analysis. 

When creating custom plugins, to prevent errors when projects are analyzed, you must use the requiredForLanguages property in your plugin's pom.xml file to specify the languages your plugin supports. Without this property, your plugin will be executed unconditionally during analysis, even when its language-specific dependencies are unavailable. See Plugin basics for details on this behavior and the requiredForLanguages property.


© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License