php-review
PHP code review with checks for best practices, security and PSR standards. Generates a detailed report of improvement points.
Description & Examples
Automated PHP code review plugin that checks best practices, security issues, and PSR standard compliance. Generates a structured report highlighting improvement points ranked by severity.
What it does
This plugin provides a skill and a slash command to trigger a thorough review of PHP files or entire directories. It checks coding standards (PSR-1, PSR-2, PSR-12), detects common security vulnerabilities (SQL injection, XSS, insecure deserialization), and flags architectural anti-patterns like God classes or direct database access in controllers.
When to use it
Use this plugin before opening a pull request on a PHP codebase, or as part of an onboarding review when joining a legacy project. It is especially useful for teams adopting modern PHP (8.x) practices who want to progressively migrate away from older patterns.
Components
Skill
php-review
Performs a comprehensive code review of PHP files, checking for security issues, PSR compliance, and architectural quality. Produces a prioritised list of findings with explanations and suggested fixes.
Usage
Trigger this skill by describing what you want reviewed:
"Review the PHP files in src/Controller"
"Check this PHP class for security issues"
"Audit the entire src/ directory for PSR-12 compliance"
What is checked
Security
- SQL injection via string concatenation in queries
- Cross-site scripting (unescaped output)
- Insecure use of `eval()`, `exec()`, `shell_exec()`
- Hardcoded credentials or API keys
- Insecure deserialization with `unserialize()`
- Missing CSRF protection on state-changing endpoints
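To make the security checklist concrete, here is an added illustration (not code from the php-review plugin) that puts each flagged pattern next to a hardened form: concatenated SQL beside a prepared statement, raw output beside escaped output, a literal API key beside one read from the environment, `unserialize()` beside JSON, and a state-changing endpoint with and without a CSRF token check. The PDO handle, the per-session token and `performDelete()` are assumed to come from the surrounding application.

```php
<?php
// Added illustration, not code from the php-review plugin: each security
// check listed above, shown as the pattern the review would flag beside a
// hardened form. PDO, the session token and performDelete() are assumed to
// be provided by the surrounding application.

declare(strict_types=1);

// SQL injection: string concatenation vs. a prepared statement
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    // Flagged: untrusted input becomes part of the SQL text.
    $row = $pdo->query("SELECT * FROM users WHERE email = '" . $email . "'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function findUserSafe(PDO $pdo, string $email): ?array
{
    // Hardened: the value is bound as a parameter and never parsed as SQL.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
    $stmt->execute(['email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Cross-site scripting: raw output vs. escaped output
function greetUnsafe(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';                    // Flagged
}

function greetSafe(string $name): string
{
    // Hardened: escape for the HTML body context; ENT_QUOTES also covers attributes.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

// Hardcoded credentials vs. secrets injected at runtime
const API_KEY_UNSAFE = 'sk_live_PLACEHOLDER_NOT_A_REAL_KEY';  // Flagged

function apiKeySafe(): string
{
    $key = getenv('PAYMENT_API_KEY');                         // Hardened
    if ($key === false || $key === '') {
        throw new RuntimeException('PAYMENT_API_KEY is not set');
    }
    return $key;
}

// Insecure deserialization: unserialize() on a cookie vs. JSON
function loadPrefsUnsafe(string $cookie): array
{
    return (array) unserialize($cookie);                     // Flagged: instantiates attacker-chosen classes
}

function loadPrefsSafe(string $cookie): array
{
    // Hardened: JSON carries no class names, so nothing is instantiated.
    $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// CSRF: state-changing endpoint without vs. with a token check
function deleteAccountUnsafe(array $post): void
{
    performDelete((int) $post['id']);                        // Flagged
}

function deleteAccountSafe(array $post, string $sessionToken): void
{
    // Hardened: constant-time comparison against the token issued to this session.
    $given = (string) ($post['_token'] ?? '');
    if ($given === '' || $sessionToken === '' || !hash_equals($sessionToken, $given)) {
        http_response_code(403);
        return;
    }
    performDelete((int) $post['id']);
}

// Assumed application function, stubbed so this file parses on its own.
function performDelete(int $id): void
{
}
```

Each `Unsafe` function is the shape the review reports under "Critical"; the `Safe` counterpart is the kind of fix the report's suggested-fix text points at.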
Code Quality
- PSR-1, PSR-2, PSR-12 naming and formatting conventions
- Proper use of type declarations (parameter types, return types, property types)
- Nullable types and union types consistency (PHP 8.x)
- Dead code, unused variables, unused imports
Architecture
- Fat controllers — business logic that belongs in services
- Direct database access outside repository classes
- Circular dependencies between namespaces
- Missing interfaces for injectable services
Output format
The skill produces a report structured as:
## PHP Review — src/Controller/UserController.php
### Critical
- [SEC-001] Potential SQL injection at line 42: ...
### Warnings
- [PSR-012] Method name does not follow camelCase convention at line 17
### Suggestions
- [ARCH-003] Consider extracting email validation to a dedicated ValueObject
Configuration
You can focus the review by specifying a scope in your request:
- `security` — only report security findings
- `psr` — only report PSR standard violations
- `architecture` — only report structural concerns
- `all` (default) — full report
Command
/php-review
Slash command that triggers a PHP code review on a specified path. Accepts a file path, directory, or glob pattern as its argument and delegates to the php-review skill.
Usage
/php-review <path>
/php-review src/Controller/UserController.php
/php-review src/Service/
/php-review src/**/*.php
Arguments
| Argument | Description |
|---|---|
| `<path>` | File, directory, or glob pattern to review. Defaults to the current working directory if omitted. |
Examples
Review a single controller:
/php-review src/Controller/OrderController.php
Review all service classes:
/php-review src/Service/
Review the whole project source:
/php-review src/
Behaviour
- Resolves the path relative to the project root
- Collects all `.php` files matching the argument
- Runs the `php-review` skill on each file
- Aggregates results into a single report grouped by severity
- Prints a summary line: `X critical, Y warnings, Z suggestions`
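The collect, review, aggregate and summarise steps above, as an added example that is not the plugin's implementation: a small PHP script that resolves a file, directory or glob argument to a list of `.php` files, runs a few crude regex checks on each (the real skill is far more thorough), groups the findings by severity in the report layout shown earlier, and ends with the summary line. `SEC-001` and `PSR-012` are the codes the page's sample report uses; `SEC-DEMO` and `ARCH-DEMO` are placeholders invented here, and the sample project the script writes to a temp directory is constructed for the demo.

```php
<?php
// Added example, not the plugin's implementation: a stand-in for the
// /php-review command's behaviour (collect .php files, review each, group
// findings by severity, print the "X critical, Y warnings, Z suggestions"
// line). SEC-001 and PSR-012 are the report's own codes; SEC-DEMO and
// ARCH-DEMO are placeholders invented here. The sample project is constructed.

declare(strict_types=1);

// Review one file with a few regex checks; returns findings keyed by severity.
function reviewFile(string $path): array
{
    $findings = ['Critical' => [], 'Warnings' => [], 'Suggestions' => []];
    $lines = file($path, FILE_IGNORE_NEW_LINES) ?: [];
    foreach ($lines as $i => $line) {
        $n = $i + 1;
        // SEC-001: SQL keyword on a line that concatenates a variable into a string.
        if (preg_match('/\b(SELECT|INSERT|UPDATE|DELETE)\b.*["\']\s*\.\s*\$/i', $line)) {
            $findings['Critical'][] = "[SEC-001] Potential SQL injection at line $n";
        }
        // SEC-DEMO (placeholder code): execution and deserialization sinks from the checklist.
        if (preg_match('/\b(eval|exec|shell_exec|unserialize)\s*\(/', $line)) {
            $findings['Critical'][] = "[SEC-DEMO] Dangerous call at line $n: " . trim($line);
        }
        // PSR-012: method names should be camelCase; magic methods (__construct) are exempt.
        if (preg_match('/\bfunction\s+([A-Za-z_]\w*)\s*\(/', $line, $m)
            && !str_starts_with($m[1], '__')
            && !preg_match('/^[a-z][A-Za-z0-9]*$/', $m[1])) {
            $findings['Warnings'][] = "[PSR-012] Method name '{$m[1]}' is not camelCase at line $n";
        }
        // ARCH-DEMO (placeholder code): database handle used directly inside a controller file.
        if (str_contains($path, 'Controller') && preg_match('/\$pdo->|\bmysqli_/', $line)) {
            $findings['Suggestions'][] = "[ARCH-DEMO] Direct database access in a controller at line $n";
        }
    }
    return $findings;
}

// Resolve a file path, directory, or glob pattern to a sorted list of .php files.
function collectPhpFiles(string $target): array
{
    if (is_file($target)) {
        return [$target];
    }
    $files = [];
    if (is_dir($target)) {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($target, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $f) {
            if ($f->getExtension() === 'php') {
                $files[] = $f->getPathname();
            }
        }
    } else {
        $files = glob($target, GLOB_BRACE) ?: [];
    }
    sort($files);
    return $files;
}

// Aggregate per-file findings into one report followed by the summary line.
function runReview(string $target): string
{
    $report = '';
    $totals = ['Critical' => 0, 'Warnings' => 0, 'Suggestions' => 0];
    foreach (collectPhpFiles($target) as $file) {
        $report .= "## PHP Review — $file\n";
        foreach (reviewFile($file) as $severity => $items) {
            if ($items === []) {
                continue;
            }
            $totals[$severity] += count($items);
            $report .= "### $severity\n- " . implode("\n- ", $items) . "\n";
        }
    }
    return $report . sprintf("%d critical, %d warnings, %d suggestions\n",
        $totals['Critical'], $totals['Warnings'], $totals['Suggestions']);
}

// Constructed sample project written to a temp directory so the script runs anywhere.
$root = sys_get_temp_dir() . '/php-review-demo-' . getmypid();
mkdir("$root/src/Controller", 0700, true);
file_put_contents("$root/src/Controller/UserController.php", <<<'PHP'
<?php
class UserController {
    public function show_user(PDO $pdo, string $id): array {
        return $pdo->query("SELECT * FROM users WHERE id = " . $id)->fetchAll();
    }
}
PHP);
file_put_contents("$root/src/Clean.php", "<?php\nfunction helloWorld(): string { return 'hi'; }\n");

echo runReview("$root/src");

// Tidy up the constructed files.
array_map('unlink', collectPhpFiles($root));
array_map('rmdir', ["$root/src/Controller", "$root/src", $root]);
```

Run with `php review-demo.php`: the constructed controller yields one Critical (SEC-001 on its query line), one Warning (PSR-012 for `show_user`) and one Suggestion (ARCH-DEMO), while `Clean.php` produces only its header, so the script ends with `1 critical, 1 warnings, 1 suggestions`. The regexes are deliberately line-local and will both miss multi-line queries and over-report, which is exactly why the plugin's skill reasons about the code rather than pattern-matching it.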
Notes
- Large directories may take a moment to process
- Binary or generated PHP files (e.g., compiled Blade templates) are skipped automatically
- Use the `php-review` skill directly for more control over scope filters