PHPackages                             glpi-project/phpstan-glpi - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Testing &amp; Quality](/categories/testing)
4. /
5. glpi-project/phpstan-glpi

ActivePhpstan-extension[Testing &amp; Quality](/categories/testing)

glpi-project/phpstan-glpi
=========================

PHPStan rules for GLPI.

1.3.0(1w ago)0147.0k—7%3[4 PRs](https://github.com/glpi-project/phpstan-glpi/pulls)MITPHPPHP &gt;=8.2CI passing

Since Jun 24Pushed 2w ago1 watchersCompare

[ Source](https://github.com/glpi-project/phpstan-glpi)[ Packagist](https://packagist.org/packages/glpi-project/phpstan-glpi)[ RSS](/packages/glpi-project-phpstan-glpi/feed)WikiDiscussions main Synced 3d ago

READMEChangelog (5)Dependencies (17)Versions (13)Used By (0)

PHPStan GLPI extension
======================

[](#phpstan-glpi-extension)

This repository provides a PHPStan extension that can be used in both GLPI and GLPI plugins.

Installation
------------

[](#installation)

To install this PHPStan extension, run the `composer require --dev glpi-project/phpstan-glpi`.

To make this extension automatically enabled by PHPStan, you can also install the `phpstan/extension-installer` library, otherwise you will need to add it in you PHPStan configuration file in the `includes` section:

```
includes:
	- vendor/glpi-project/phpstan-glpi/rules.neon
```

See  for more information.

Configuration
-------------

[](#configuration)

The PHPStan configuration depends on your GLPI version. If your plugin is located in either the `plugins` or `marketplace` directory of GLPI, you can use the following configuration file example:

```
parameters:
    level: 0
    paths:
        - ajax
        - front
        - inc # or `src` if your PHP class files are in the `src` directory
        - hook.php
        - setup.php
    scanDirectories:
        - ../../inc
        - ../../src

    bootstrapFiles:
        - ../../stubs/glpi_constants.php
        - ../../vendor/autoload.php
```

The GLPI path and version should be detected automatically, but you can specify them in the `parameters` section of your PHPStan configuration:

```
parameters:
    glpi:
        glpiPath: "/path/to/glpi"
        glpiVersion: "11.0.0"
```

See  fore more information about the PHPStan configuration options.

Analyser improvements
---------------------

[](#analyser-improvements)

This extension will help PHPStan to resolve the GLPI global variables types. For instance, it will indicate that the `global $DB;` variable is an instance of the `DBmysql` class, so PHPStan will be able to detected bad method calls, deprecated methods usages, ...

Rules
-----

[](#rules)

### `ForbidDynamicInstantiationRule`

[](#forbiddynamicinstantiationrule)

> Since GLPI 11.0.

Instantiating an object from an unrestricted dynamic string is unsecure. Indeed, it can lead to unexpected code execution and has already been a source of security issues in GLPI.

Before instantiating an object, a check must be done to validate that the variable contains an expected class string.

```
$class = $_GET['itemtype'];

$object = new $class(); // unsafe

if (is_a($class, CommonDBTM::class, true)) {
    $object = new $class(); // safe
}
```

If the `treatPhpDocTypesAsCertain` PHPStan parameter is not set to `false`, a variable with a specific `class-string`type will be considered safe.

```
class MyClass
{
    /**
     * @var class-string $class
     */
    public function doSomething(string $class): void
    {
        $object = new $class(); // safe

        // ...
    }
}
```

### `ForbidExitRule`

[](#forbidexitrule)

> Since GLPI 11.0.

Since the introduction of the Symfony framework in GLPI 11.0, the usage of `exit()`/`die()` instructions is discouraged. Indeed, they prevents the execution of post-request/post-command routines, and this can result in unexpected behaviours.

### `ForbidHttpResponseCodeRule`

[](#forbidhttpresponsecoderule)

> Since GLPI 11.0.

Due to a PHP bug (see ), the usage of the `http_response_code()` function, to define the response code, may produce unexpected results, depending on the server environment. Therefore, its usage is discouraged.

### `ForbidHardCodedRightNameRule`

[](#forbidhardcodedrightnamerule)

> Since GLPI 12.0.

In the past, there have been issues where rights management was not handled correctly at the controller level due to the use of an obsolete hardcoded string. To avoid this type of problem, starting with GLPI 12, the use of a hardcoded string, as the first argument (`module`) of `Session::checkRight()`, `Session::checkRightsOr()`, `Session::haveRight()`, `Session::haveRightsAnd()`, or `Session::haveRightsOr()`, will be considered an error and must be replaced with the `$rightname` property of the appropriate class.

```
Session::checkRight('computer', READ); // wrong

Session::checkRight(Computer::$rightname, READ); // correct
```

### `MissingGlobalVarTypeRule`

[](#missingglobalvartyperule)

> Since GLPI 10.0.

By default, PHPStan is not able to detect the global variables types, and is therefore not able to detect any issue related to their usage. This extension will resolve the type of GLPI global variables, but cannot resolve your plugin specific global variables. To get around this limitation, we recommend that you declare each global variable type with a PHPDoc tag.

```
/** @var \Migration $migration */
global migration;
```

###  Health Score

54

—

FairBetter than 96% of packages

Maintenance98

Actively maintained with recent releases

Popularity35

Limited adoption so far

Community12

Small or concentrated contributor base

Maturity56

Maturing project, gaining track record

 Bus Factor2

2 contributors hold 50%+ of commits

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~91 days

Total

5

Last Release

10d ago

PHP version history (2 changes)1.0.0PHP &gt;=7.4

1.3.0PHP &gt;=8.2

### Community

Maintainers

![](https://www.gravatar.com/avatar/507319e852f4380d60cd24f301c28b06e6d2dab2b9d14a35ca418ef20af5dca2?d=identicon)[glpi](/maintainers/glpi)

---

Top Contributors

[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (9 commits)")[![cedric-anne](https://avatars.githubusercontent.com/u/33253653?v=4)](https://github.com/cedric-anne "cedric-anne (8 commits)")[![froozeify](https://avatars.githubusercontent.com/u/2380113?v=4)](https://github.com/froozeify "froozeify (2 commits)")

###  Code Quality

TestsPHPUnit

Code StylePHP CS Fixer

### Embed Badge

![Health badge](/badges/glpi-project-phpstan-glpi/health.svg)

```
[![Health](https://phpackages.com/badges/glpi-project-phpstan-glpi/health.svg)](https://phpackages.com/packages/glpi-project-phpstan-glpi)
```

###  Alternatives

[larastan/larastan

Larastan - Discover bugs in your code without running it. A phpstan/phpstan extension for Laravel

6.5k55.4M8.4k](/packages/larastan-larastan)[phpstan/phpstan-symfony

Symfony Framework extensions and rules for PHPStan

79475.7M2.2k](/packages/phpstan-phpstan-symfony)[phpstan/phpstan-doctrine

Doctrine extensions for PHPStan

67272.8M1.4k](/packages/phpstan-phpstan-doctrine)[shipmonk/dead-code-detector

Dead code detector to find unused PHP code via PHPStan extension. Can automatically remove dead PHP code. Supports libraries like Symfony, Doctrine, PHPUnit etc. Detects dead cycles. Can detect dead code that is tested.

4853.5M91](/packages/shipmonk-dead-code-detector)[ssch/typo3-rector

Instant fixes for your TYPO3 PHP code by using Rector.

2603.2M436](/packages/ssch-typo3-rector)[spaze/phpstan-disallowed-calls

PHPStan rules to detect disallowed method &amp; function calls, constant, namespace, attribute, property &amp; superglobal usages, with powerful rules to re-allow a call or a usage in places where it should be allowed.

33422.6M550](/packages/spaze-phpstan-disallowed-calls)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
