explaingit

vimeo/psalm

5,840 · PHP · Audience · developer · Complexity · 3/5 · Setup · moderate

TLDR

Psalm is a PHP static analysis tool that reads your code before you run it to catch type errors, undefined variables, dead code, and security vulnerabilities like SQL injection, originally built at Vimeo and now open source.

Mindmap

mindmap
  root((psalm))
    What it does
      Catches type errors
      Finds dead code
      Taint analysis
    How it works
      Reads PHP code
      No execution needed
    Setup
      Install via Composer
      CLI tool
    Use Cases
      CI code quality
      Security scanning


Things people build with this

USE CASE 1

Catch type mismatches and undefined variables in a PHP codebase before running the code.

USE CASE 2

Trace untrusted user input through your application to find security holes like SQL injection using taint analysis.

USE CASE 3

Add automated code quality checks to a PHP project so errors are caught earlier than code review.

USE CASE 4

Get paid support for integrating Psalm into a large existing PHP codebase.

Tech stack

PHP · Composer

Getting it running

Difficulty · moderate · Time to first run · 30min

Requires PHP and Composer; a psalm.xml config file is needed to tune strictness levels.

In plain English

Psalm is a tool that reads PHP code and flags problems before you ever run the program. This kind of tool is called a static analyzer because it works by examining the code itself, not by executing it. It can catch type mismatches (where a value of the wrong kind gets passed to a function), undefined variables, dead code, and a range of security issues, such as places where untrusted user input could flow into a database query or shell command.

The security analysis feature, called taint analysis, traces a path from where data enters your application (a form submission, a URL parameter) to where it could cause harm if it is not properly sanitized first. Psalm reports the full path it found, so developers know exactly what to fix.

Psalm was originally built by engineers at Vimeo to help manage a large PHP codebase and catch errors that code review alone would miss. It became open source and is now maintained by a single developer, Daniil Gentili. The maintainer offers paid support contracts for teams that want help integrating Psalm into an existing codebase or developing custom features around it.

The README is brief. It points to the project website for documentation, a live demo where you can paste PHP code and see Psalm analyze it immediately, and an installation guide. The tool is installed through PHP's standard package manager, Composer.

If you are a non-technical person evaluating a PHP codebase, knowing that it uses Psalm suggests the team has invested in automated code quality checks, which is generally a sign of a more careful development process.
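The source-to-sink path described above, as an added example (not code from the Psalm README or from Vimeo's codebase): the first function lets a `$_GET` value reach a SQL query as concatenated text, which Psalm's taint analysis reports as `TaintedSql` together with the path it followed; the second sends the same value as a bound parameter, so no tainted string reaches the sink. The table and column names are made up, and the PDO connection is assumed to use `PDO::ERRMODE_EXCEPTION`.

```php
<?php
// Constructed example. With Psalm installed via Composer and a psalm.xml in
// place, run `vendor/bin/psalm --taint-analysis` on this file to see the flow.

// Vulnerable: $_GET is a taint source and PDO::query() is a SQL sink.
// The untrusted id becomes part of the query text, so Psalm reports
// TaintedSql and prints the path $_GET['id'] -> $id -> $sql -> PDO::query().
function findUserUnsafe(PDO $db): ?array
{
    $id  = $_GET['id'] ?? '';                           // source
    $sql = "SELECT id, name FROM users WHERE id = " . $id;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);   // sink
    return $row === false ? null : $row;
}

// Hardened: the value travels as a bound, typed parameter and never as
// query text, so no tainted string reaches the sink and nothing is reported.
function findUserSafe(PDO $db): ?array
{
    $id   = $_GET['id'] ?? '';
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A project's own escaping helper can be declared as a taint escape so Psalm
// stops tracking the value after it; only annotate a function that really
// neutralizes the value for that sink type.
/**
 * @psalm-taint-escape sql
 */
function quoteForSql(PDO $db, string $value): string
{
    return $db->quote($value);
}
```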

Copy-paste prompts

Prompt 1
I have a PHP project and want to set up Psalm for static analysis. Walk me through installing it with Composer, creating a config file, and running my first scan.
Prompt 2
Using Psalm's taint analysis, how do I trace untrusted user input from a form submission to detect potential SQL injection in my PHP app?
Prompt 3
Psalm is reporting type mismatch errors in my PHP code. Help me understand the error output and fix the underlying type issues.
Prompt 4
How do I configure Psalm to set a baseline so I can gradually fix errors in a large legacy PHP codebase without being overwhelmed on day one?

