Coder
PHP CodeSniffer library for automated Drupal code reviews and coding standard fixes.
Overview
Coder is a development tool that provides automated code quality analysis for Drupal projects. It defines rules for PHP_CodeSniffer to enforce Drupal coding standards and best practices.
Unlike traditional Drupal modules that provide UI functionality, Coder operates as a command-line tool integrated into your development workflow. It scans PHP, YAML, JavaScript, and other code files to identify violations of Drupal's official coding standards and suggests or automatically applies fixes.
The library includes two main rulesets: 'Drupal' which enforces the official Drupal Coding Standards, and 'DrupalPractice' which checks for best practices in Drupal module and theme development. Together, these rulesets contain over 100 individual sniffs covering commenting, naming conventions, whitespace, security, and more.
Features
- Enforces official Drupal Coding Standards with 65+ sniffs covering commenting, classes, naming conventions, semantics, whitespace, files, formatting, info files, functions, control structures, arrays, attributes, and scope
- DrupalPractice standard with 39+ sniffs for best practices including object usage, function calls, general practices, function definitions, commenting, info files, constants, variables, and YAML validation
- Automatic code fixing with phpcbf (PHP Code Beautifier and Fixer) for many violations
- Support for multiple file types: .php, .module, .inc, .install, .test, .profile, .theme, .info, .info.yml, .txt, .md, .yml
- Detects deprecated functions and insecure code patterns
- Validates Drupal hook documentation and function signatures
- Checks for proper use of translation functions (t(), st())
- Validates .info.yml file structure and required keys
- Integrates with popular IDEs: PhpStorm, VSCode, Atom, Eclipse, Vim, Sublime Text, and more
- Configurable via phpcs.xml.dist for project-specific settings
- Variable analysis to detect unused or undefined variables
- Leverages external standards: PEAR, PSR-2, PSR-12, Squiz, and SlevomatCodingStandard
Use Cases
Pre-commit Code Quality Check
Run phpcs before committing code to ensure all changes meet Drupal coding standards. Configure a Git pre-commit hook to automatically run: ./vendor/bin/phpcs --standard=Drupal --extensions=php,module,inc,install,test,profile,theme path/to/changed/files
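An added example (not code from the Coder project or from this page) of the pre-commit hook described above: it runs the page's phpcs command against staged files only. It assumes the script is installed as .git/hooks/pre-commit and that phpcs lives at ./vendor/bin/phpcs; the function names are illustrative.

```sh
#!/bin/sh
# Added example: Git pre-commit hook that runs Coder on staged files only.
# Assumption: installed as .git/hooks/pre-commit, phpcs at ./vendor/bin/phpcs.

# Extensions taken from the phpcs command on this page.
EXTENSIONS='php,module,inc,install,test,profile,theme'

# Hypothetical helper: reads paths on stdin (one per line) and prints only
# those whose extension is listed in EXTENSIONS.
filter_drupal_files() {
  # "php,module" becomes the anchored regex "\.(php|module)$".
  pattern="\\.($(printf '%s' "$EXTENSIONS" | tr ',' '|'))\$"
  grep -E "$pattern" || true   # no match is not an error
}

main() {
  # ACM = added, copied, modified; deleted files cannot be scanned.
  staged=$(git diff --cached --name-only --diff-filter=ACM | filter_drupal_files)
  [ -n "$staged" ] || return 0   # nothing relevant staged: allow the commit

  # Split on newlines only so paths containing spaces stay intact.
  old_ifs=$IFS
  IFS='
'
  set -f
  set -- $staged
  set +f
  IFS=$old_ifs

  # phpcs reads the working-tree copy, which can differ from the staged
  # content when a file is only partially staged.
  if ! ./vendor/bin/phpcs --standard=Drupal --extensions="$EXTENSIONS" "$@"; then
    echo "phpcs reported violations; commit aborted." >&2
    return 1
  fi
}

# Run only when invoked as the hook, so the functions can be sourced and tested.
case "${0##*/}" in
  pre-commit) main "$@" ;;
esac
```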
Continuous Integration Pipeline
Add Coder to your CI/CD pipeline to automatically fail builds when code quality violations are detected. Create a phpcs.xml.dist in your repository and run ./vendor/bin/phpcs in your CI script to ensure all team members maintain consistent code quality.
Automatic Code Formatting
Use phpcbf (PHP Code Beautifier and Fixer) to automatically fix many coding standard violations. This saves time by auto-correcting whitespace, indentation, and many other formatting issues: ./vendor/bin/phpcbf --standard=Drupal --extensions=php,module web/modules/custom
Drupal.org Contribution Preparation
Before submitting patches or merge requests to Drupal.org projects, run both Drupal and DrupalPractice standards to ensure your contribution meets community standards and has a higher chance of acceptance.
Legacy Code Remediation
When working with legacy Drupal code, use Coder to identify and systematically fix coding standard violations. Start by generating a report of all issues, then use phpcbf for automatic fixes and manually address remaining issues.
Team Code Review Automation
Integrate Coder into your team's code review process. Reviewers can focus on logic and architecture while Coder handles style and standards enforcement, reducing review time and ensuring consistency.
Tips
- Create a phpcs.xml.dist file in your project root to share consistent settings with your team and use in CI pipelines
- Use ./vendor/bin/phpcbf with the same options as phpcs to automatically fix many violations
- Add --colors flag for colorized terminal output: ./vendor/bin/phpcs --colors --standard=Drupal path/to/code
- Use -s flag to show sniff names in the output, helpful for configuring exclusions: ./vendor/bin/phpcs -s --standard=Drupal path/to/code
- Run both standards together: ./vendor/bin/phpcs --standard=Drupal,DrupalPractice --extensions=php,module,inc,install,test,profile,theme,info,txt,md,yml web/modules/custom
- Use --report=summary for a quick overview of violations by file, or --report=diff to see fixable changes
- Configure your IDE's PHP_CodeSniffer integration to get real-time feedback while coding
- For new projects, enforce zero tolerance from the start; for legacy projects, use a baseline approach to prevent new violations while gradually fixing existing ones
Technical Details
Troubleshooting
Run ./vendor/bin/phpcs -i to verify Drupal and DrupalPractice are listed. If not, ensure dealerdirect/phpcodesniffer-composer-installer is properly installed and Composer plugins are allowed in your composer.json.
Create a phpcs.xml.dist with rule exclusions to temporarily suppress rules you can't address immediately. Use <exclude name='Rulename'/> to disable specific sniffs and address them incrementally.
Add exclude-pattern entries to your phpcs.xml.dist for vendor directories, contrib modules, or other code you don't control: <exclude-pattern>*/vendor/*</exclude-pattern>
Some sniffs are automatically excluded from .tpl.php files. For custom template logic, you may need to add additional exclusions in your configuration.
Use the --parallel option to run checks across multiple CPU cores: ./vendor/bin/phpcs --parallel=8 --standard=Drupal path/to/code
Security Notes
- Coder includes security-focused sniffs like PregSecuritySniff for regex security and InsecureUnserializeSniff for detecting dangerous unserialize() calls
- The RemoteAddressSniff checks for proper handling of remote IP addresses to prevent IP spoofing vulnerabilities
- DrupalPractice.FunctionCalls.CurlSslVerifierSniff detects when CURL SSL verification is improperly disabled
- While Coder catches many security issues, it should complement (not replace) dedicated security scanning tools and manual security reviews