Automated checks are necessary. They are not sufficient.

These tools together catch roughly 30% of the real problems in AI-generated code. Add them all. Then get a human to check the rest.

PHPCS

WordPress/PHP coding standards enforcement.

CATCHES: nonces, escaping, sanitization, prepared queries
MISSES: logic-level issues
PLATFORMS: PHP/WordPress
FREE: Yes

PHPStan

PHP static analysis for type safety.

CATCHES: type mismatches, undefined vars, incorrect return types
MISSES: runtime/logic issues
PLATFORMS: PHP
FREE: Yes

Snyk

Dependency CVE scanning.

CATCHES: known CVEs in composer/npm/pip packages
MISSES: your own code
PLATFORMS: composer, npm, pip
FREE: Yes (free tier)

Socket

Supply chain security for npm/composer.

CATCHES: malicious package behavior before CVEs exist
MISSES: your own code logic
PLATFORMS: npm, composer
FREE: Yes (free tier)

SonarCloud

Broad multi-language static analysis.

CATCHES: code quality issues across JS/TS/Java/PHP. Can be noisy.
MISSES: design-level decisions
PLATFORMS: Multi-language
FREE: Free for public repos

Codacy

Automated code review with GitHub PR comments.

CATCHES: code quality across multiple languages
MISSES: logic-level security issues
PLATFORMS: Multi-language
FREE: Free for open source

DeepSource

Code quality analysis with a low false-positive rate.

CATCHES: code quality issues, strong on JS/TS/Python/Go
MISSES: domain-specific security patterns
PLATFORMS: JS/TS/Python/Go
FREE: Free for open source

WHAT NONE OF THEM CATCH

No automated tool catches design-level security decisions. Rate limiting defaulting to off. Unauthenticated encryption. SSRF through an admin-configured URL. These require a human who understands the domain.

RECOMMENDED STACKS

WORDPRESS PLUGIN:

PHPCS + PHPStan + Snyk + Socket + SonarCloud or Codacy

NODE.JS:

ESLint + Snyk + Socket + SonarCloud or DeepSource

NEXT.JS:

ESLint (built-in) + TypeScript strict + Snyk + Socket + SonarCloud or DeepSource

ASTRO:

ESLint + Snyk + Socket + DeepSource or SonarCloud

ALL PROJECTS (BASELINE):

At minimum, one dependency scanner and one static analyzer.
