README

Pre-configured strict quality gate for PHP

composer require --dev haspadar/sheriff
vendor/bin/sheriff sync
vendor/bin/sheriff check

[OK]   phpstan              2.8s
[OK]   psalm                4.4s
[OK]   phpunit              5.9s
[OK]   phpcs                9.1s
[OK]   phpmd                1.4s
[OK]   php-cs-fixer         1.6s
[OK]   markdownlint         2.6s
[OK]   hadolint             3.1s
[OK]   ...
[OK]   All checks passed    9.5s

Over 1200 rules from 18 tools

Configure

Customization is optional. If needed, create .sheriff.yaml in the project root.

Three settings cascade across every tool that consumes them:

• php.src — paths analysed by PHPStan, Psalm, PHPUnit, PHPMD, PHP_CodeSniffer, PHP Metrics, Infection, SonarCloud
• infra.exclude — paths skipped by PHP_CodeSniffer, PHP-CS-Fixer, PHP Metrics, markdownlint, jsonlint, yamllint, typos, hadolint, shellcheck
• php.versions — versions used in the CI matrix and consumed by PHPStan, PHP-CS-Fixer, PHPMD, Infection

Change one key, every consuming tool follows.

Use append to extend default lists:

append:
    php.src:
        - lib
    infra.exclude:
        - legacy

Use override to replace individual keys:

override:
    phpstan.parameters:
        level: 8
    php.versions: ["8.3", "8.4", "8.5"]

Use php_cs_fixer.extend and phpcs.extend to inject native-syntax fragments at the end of the generated config. Useful when a built-in rule clashes with project code — for example, narrowing phpdoc_types instead of disabling it entirely:

override:
    php_cs_fixer.extend: "        'phpdoc_types' => ['exclude' => ['scalar']],"
    phpcs.extend: "    <rule ref=\"Foo.Bar\"><severity>0</severity></rule>"

The value is passed through verbatim; Sheriff does not parse it. Use a YAML block scalar (| or |-) for multi-line fragments.

Use envs to export environment variables in CI workflows. Each value is a shell command evaluated at runtime:

envs:
    COMPOSER_ROOT_VERSION: "git describe --tags --abbrev=0 | sed 's/^v//'"

The full list of available keys and their defaults is generated to .sheriff/config.yaml on every sheriff sync.

.sheriff/ and .github/ are generated by sheriff sync and may be safely deleted.

Workflow

To change configuration:

1. Edit .sheriff.yaml
2. Run vendor/bin/sheriff sync

Do not edit .sheriff/ or the GitHub workflow file .github/workflows/sheriff.yml directly — they are generated and will be overwritten.

Commands

• sheriff sync — generate configuration from templates
• sheriff check — run checks, excluding slow ones by default (check.slow: infection, sonar)
• sheriff check <tool> — run specific tool
• -f, --full — include slow checks (default: check.full)
• -F, --no-full — exclude slow checks
• -p, --parallel — run checks concurrently (default: check.parallel)
• -P, --no-parallel — force sequential execution
• -v, --verbose — show full output from each check
• sheriff fix — run auto-fixable tools
• sheriff fix <tool> — run specific fixer

Checks

PHP

• PHPStan — level 9 with strict rules, phpstan-phpunit (PHPUnit-aware assertions, data providers, MockObject inference) and haspadar/phpstan-rules (80 custom rules for object-oriented strictness)
• Psalm — with psalm/plugin-phpunit for PHPUnit-aware type narrowing and provider validation
• PHPUnit
• Infection
• PHPMD
• PHP Metrics
• PHP_CodeSniffer — with Slevomat Coding Standard rules (class structure, doc comments, attributes)
• PHP-CS-Fixer — with kubawerlos/php-cs-fixer-custom-fixers and PHPUnit ruleset (php_unit_*: strict asserts, dedicated assertions, data-provider naming/static/return-type, attributes; requires PHPUnit 12+)

Linters

• actionlint
• hadolint
• shellcheck
• markdownlint-cli2
• jsonlint
• yamllint
• typos

CI

• SonarCloud — requires SONAR_TOKEN environment variable (get token)
• Pull request size limit
• Code coverage (Codecov)

Contributing

1. Fork the repository
2. Create a feature branch
3. Ensure all checks pass
4. Open a pull request

All pull requests must pass CI before merging.

License

MIT