Skip to content


GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

phpcs documentation

PHP_CodeSniffer - GitHub

Configuration in MegaLinter

Variable Description Default value
PHP_PHPCS_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
PHP_PHPCS_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
PHP_PHPCS_FILTER_REGEX_INCLUDE Custom regex including filter
Ex: (src\|lib)
Include every file
PHP_PHPCS_FILTER_REGEX_EXCLUDE Custom regex excluding filter
Ex: (test\|examples)
Exclude no file
PHP_PHPCS_CLI_LINT_MODE Override default CLI lint mode
- file: Calls the linter for each file
- list_of_files: Call the linter with the list of files as argument
- project: Call the linter from the root of the project
PHP_PHPCS_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
PHP_PHPCS_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
PHP_PHPCS_PRE_COMMANDS List of bash commands to run before the linter None
PHP_PHPCS_POST_COMMANDS List of bash commands to run after the linter None
PHP_PHPCS_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling PHP_PHPCS and its pre/post commands None
PHP_PHPCS_CONFIG_FILE phpcs configuration file nameUse LINTER_DEFAULT to let the linter find it phpcs.xml
PHP_PHPCS_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
PHP_PHPCS_DISABLE_ERRORS Run linter but consider errors as warnings false
PHP_PHPCS_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
PHP_PHPCS_CLI_EXECUTABLE Override CLI executable ['phpcs']

IDE Integration

Use phpcs in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Atom linter-phpcs Visit Web Site
Atom atom-phpcs Visit Web Site
IDEA phpcs Visit Web Site
Sublime Text sublime-phpcs Visit Web Site
Sublime Text SublimeLinter-phpcs Visit Web Site
Visual Studio Code vscode-phpcs Install in VSCode

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 124 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 83 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 55 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • File extensions: .php

How the linting is performed

  • phpcs is called once with the list of files as arguments (list_of_files CLI lint mode)

Example calls

phpcs myfile.php
phpcs --standard=phpcs.xml myfile.php
phpcs --standard=phpcs.xml mydir/ myfile.php

Help content

  phpcs [options] <file|directory>

Scan targets:
  <file|directory>               One or more files and/or directories to check,
                                 space separated.
  -                              Check STDIN instead of local files and
  --stdin-path=<stdinPath>       If processing STDIN, the file path that STDIN
                                 will be processed as.
  --file-list=<fileList>         Check the files and/or directories which are
                                 defined in the file to which the path is
                                 provided (one per line).
  --filter=<filter>              Check based on a predefined file filter. Use
                                 either the "GitModified" or "GitStaged" filter,
                                 or specify the path to a custom filter class.
  --ignore=<patterns>            Ignore files based on a comma-separated list of
                                 patterns matching files and/or directories.
  --extensions=<extensions>      Check files with the specified file extensions
                                 (comma-separated list). Defaults to
                                 The type of the file can be specified using:
                                 ext/type; e.g. module/php,es/js.
  -l                             Check local directory only, no recursion.

Rule Selection Options:
  --standard=<standard>          The name of, or the path to, the coding
                                 standard to use. Can be a comma-separated list
                                 specifying multiple standards. If no standard
                                 is specified, PHP_CodeSniffer will look for a
                                 [.]phpcs.xml[.dist] custom ruleset file in the
                                 current directory and those above it.
  --sniffs=<sniffs>              A comma-separated list of sniff codes to limit
                                 the scan to. All sniffs must be part of the
                                 standard in use.
  --exclude=<sniffs>             A comma-separated list of sniff codes to
                                 exclude from the scan. All sniffs must be part
                                 of the standard in use.

  -i                             Show a list of installed coding standards.
  -e                             Explain a standard by showing the names of all
                                 the sniffs it includes.
  --generator=<generator>        Show documentation for a standard. Use either
                                 the "HTML", "Markdown" or "Text" generator.

Run Options:
  -a                             Run in interactive mode, pausing after each
  --bootstrap=<bootstrap>        Run the specified file(s) before processing
                                 begins. A list of files can be provided,
                                 separated by commas.
  --cache[=<cacheFile>]          Cache results between runs. Optionally,
                                 <cacheFile> can be provided to use a specific
                                 file for caching. Otherwise, a temporary file
                                 is used.
  --no-cache                     Do not cache results between runs (default).
  --parallel=<processes>         The number of files to be checked
                                 simultaneously. Defaults to 1 (no parallel
                                 If enabled, this option only takes effect if
                                 the PHP PCNTL (Process Control) extension is

  -d <key[=value]>               Set the [key] php.ini value to [value] or set
                                 to [true] if value is omitted.
                                 Note: only php.ini settings which can be
                                 changed at runtime are supported.

Reporting Options:
  --report=<report>              Print either the "full", "xml", "checkstyle",
                                 "csv", "json", "junit", "emacs", "source",
                                 "summary", "diff", "svnblame", "gitblame",
                                 "hgblame", "notifysend" or "performance" report
                                 or specify the path to a custom report class.
                                 By default, the "full" report is displayed.
  --report-file=<reportFile>     Write the report to the specified file path.
  --report-<report>=<reportFile> Write the report specified in <report> to the
                                 specified file path.
  --report-width=<reportWidth>   How many columns wide screen reports should be.
                                 Set to "auto" to use current screen width,
                                 where supported.
  --basepath=<basepath>          Strip a path from the front of file paths
                                 inside reports.

  -w                             Include both warnings and errors (default).
  -n                             Do not include warnings. Shortcut for
  --severity=<severity>          The minimum severity required to display an
                                 error or warning. Defaults to 5.
  --error-severity=<severity>    The minimum severity required to display an
                                 error. Defaults to 5.
  --warning-severity=<severity>  The minimum severity required to display a
                                 warning. Defaults to 5.

  -s                             Show sniff error codes in all reports.
  --ignore-annotations           Ignore all "phpcs:..." annotations in code
  --colors                       Use colors in screen output.
  --no-colors                    Do not use colors in screen output (default).
  -p                             Show progress of the run.
  -q                             Quiet mode; disables progress and verbose
  -m                             Stop error messages from being recorded. This
                                 saves a lot of memory but stops many reports
                                 from being used.

Configuration Options:
  --encoding=<encoding>          The encoding of the files being checked.
                                 Defaults to "utf-8".
  --tab-width=<tabWidth>         The number of spaces each tab represents.

  Default values for a selection of options can be stored in a user-specific
  CodeSniffer.conf configuration file.
  This applies to the following options: "default_standard", "report_format",
  "tab_width", "encoding", "severity", "error_severity", "warning_severity",
  "show_warnings", "report_width", "show_progress", "quiet", "colors", "cache",
  --config-show                  Show the configuration options which are
                                 currently stored in the applicable
                                 CodeSniffer.conf file.
  --config-set <key> <value>     Save a configuration option to the
                                 CodeSniffer.conf file.
  --config-delete <key>          Delete a configuration option from the
                                 CodeSniffer.conf file.
  --runtime-set <key> <value>    Set a configuration option to be applied to the
                                 current scan run only.

Miscellaneous Options:
  -h, -?, --help                 Print this help message.
  --version                      Print version information.
  -v                             Verbose output: Print processed files.
  -vv                            Verbose output: Print ruleset and token output.
  -vvv                           Verbose output: Print sniff processing

Installation on mega-linter Docker image

  • Dockerfile commands :
# Parent descriptor install
RUN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" \
    && export GITHUB_AUTH_TOKEN \
    && wget --tries=5 -q -O phive.phar \
    && wget --tries=5 -q -O phive.phar.asc \
    && PHAR_KEY_ID="0x6AF725270AB81E04D79442549D8A98B29B2D5D79" \
    && ( gpg --keyserver hkps:// --recv-keys "$PHAR_KEY_ID" \
       || gpg --keyserver hkps:// --recv-keys "$PHAR_KEY_ID" \
       || gpg --keyserver --recv-keys "$PHAR_KEY_ID" \
       || gpg --keyserver --recv-keys "$PHAR_KEY_ID" ) \
    && gpg --verify phive.phar.asc phive.phar \
    && chmod +x phive.phar \
    && mv phive.phar /usr/local/bin/phive \
    && rm phive.phar.asc \
    && update-alternatives --install /usr/bin/php php /usr/bin/php83 110

COPY --from=composer/composer:2-bin /composer /usr/bin/composer
ENV PATH="/root/.composer/vendor/bin:${PATH}"
# Linter install
RUN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require squizlabs/php_codesniffer bartlett/sarif-php-sdk