Skip to main content

Code Analysis

.deepsource.toml

Please make sure you read the general configuration guide first.

name

  • Type: String
  • Presence: mandatory
  • Description: Shortcode of the analyzer.
  • Example:
name = "php"

enabled

  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this analyzer should be run.
  • Example:
enabled = true

meta

  • Type: Table
  • Presence: optional
  • Description: Any supported metadata to pass to the analyzer.
  • Example:
[analyzers.meta]
  bootstrap_files = ["config/bootstrap.php"]

bootstrap_files

  • Type: Array
  • Presence: optional
  • Description: List of files that your project is using to define global constants, custom autoloader, class aliases, etc. This will help reduce the false positives.
  • Example:
bootstrap_files = ["config/bootstrap.php"]

skip_doc_coverage

  • Type: Array
  • Presence: optional
  • Description: Specify which artifacts to skip when calculating documentation coverage.
  • Available Values: class, magic and nonpublic
    • class - Ignore docstrings of class definitions
    • magic - Ignore docstrings of magic methods
    • nonpublic - Ignore docstrings for non-public(protected and private) methods
  • Default Value: [“magic”]
  • Example:
skip_doc_coverage = ["class", "magic", "nonpublic"]

cyclomatic_complexity_threshold

  • Type: String
  • Presence: optional
  • Description: Specify the acceptable risk category for your project as the threshold. All functions with complexity beyond this threshold will raise an issue. For example, setting the threshold to low will flag all functions that have a cyclomatic complexity of more than 5, while setting the threshold to critical will not flag any function.
  • Available Values: low, medium, high, very-high and critical
Risk categoryCyclomatic complexity rangeRecommended action
low1-5No action is needed.
medium6-15Review and monitor.
high16-25Review and refactor. Recommended to add detailed comments if the function absolutely needs to be kept as it is.
very-high26-50Refactor to reduce the complexity.
critical>50Must refactor this. This can make the code untestable and very difficult to understand.
  • Default Value: medium
  • Example:
[analyzers.meta]
cyclomatic_complexity_threshold = "high"

Sample config

version = 1

test_patterns = [
  "**/tests/**"
]

exclude_patterns = [
  "vendor/**",
  "**/examples/**"
]

[[analyzers]]
name = "php"
enabled = true

  [analyzers.meta]
  bootstrap_files = ["config/bootstrap.php"]
  skip_doc_coverage = ["class", "magic", "nonpublic"]
We currently support PHP 7 and 8.

Code Coverage

PHPUnit

Currently, only the Cobertura XML format is supported by DeepSource. Here are the steps to report PHP coverage data: 
# Install phpunit/phpunit pacakage from composer
composer require --dev phpunit/phpunit

# Run coverage
vendor/bin/phpunit --coverage-cobertura coverage.xml

# Install 'deepsource CLI'
curl https://deepsource.io/cli | sh

# Set DEEPSOURCE_DSN env variable from repository settings page
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io

# From the root directory, run the report coverage command
./bin/deepsource report --analyzer test-coverage --key php --value-file ./coverage.xml

Code Formatters

The configuration key code_formatters replaces the legacy transformers key. Both keys are supported for backward compatibility.

php-cs-fixer

Format all incoming PHP code with PHP CS Fixer. PHP CS Fixer formats PHP code to conform to the PSRs. This section covers .deepsource.toml configuration specific to the php-cs-fixer code formatter. Please make sure to read the general configuration guide first.

name

  • Type: String
  • Presence: mandatory
  • Description: Shortcode of this code formatter.
  • Example:
[[code_formatters]]
name = "php-cs-fixer"

enabled

  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this code formatter should be run.
  • Example:
[[code_formatters]]
name = "php-cs-fixer"
enabled = true

Vulnerability Scanning

Supported target files:
  • composer.json
  • composer.lock