Phan Converter

Note

Available since version 1.0.0

Requirements

Phan requires PHP version 7.2.0 or greater, with filter, json and tokenizer extensions loaded
This SARIF converter requires at least Phan version 5.0

composer require --dev phan/phan bartlett/sarif-php-converters

Warning

As Phan v5 is not able to specify custom printer format, we have no other alternative that using the Console Tool convert command.

Step 1: Build the checkstyle output report

vendor/bin/phpan --directory /absolute/path/to/source/code --absolute-path-issue-messages --output-mode=checkstyle --output=checkstyle.xml

Warning

Be sure to specify --absolute-path-issue-messages, otherwise the Console Tool convert command will raise some warnings about file names.

Step 2: And finally, convert it to SARIF with the Console Tool

php report-converter convert phan --input-format=checkstyle --input-file=examples/phan/checkstyle.xml -v

Tip

Without verbose option (-v) the Console Tool will print a compact SARIF version.
--output-file option allows to write a copy of the report to a file. By default, the Console Tool will always print the specified report to the standard output.

The SARIF report file [*].sarif.json is automagically recognized and interpreted by PhpStorm (2024).

PHPStorm integration

With the React based component, you are able to explore a sarif report file previously generated.

For example:

sarif-web-phan