Search by 
haspadar / sheriff
Picky standards for PHP projects
Maintainers
v0.29.0
2026-05-07 13:42 UTC
Requires
- php: ~8.3.16 || ~8.4.3 || ~8.5.0
- friendsofphp/php-cs-fixer: ^3.95
- haspadar/phpstan-rules: >=0.36 <1.0.0
- infection/infection: ^0.32.0
- kubawerlos/php-cs-fixer-custom-fixers: ^3.36
- phpmd/phpmd: ^2.15
- phpmetrics/phpmetrics: ^2.9
- phpstan/phpstan: ^2.1
- phpstan/phpstan-strict-rules: ^2.0
- phpunit/phpunit: ^12.0
- slevomat/coding-standard: ^8.28
- squizlabs/php_codesniffer: ^4.0
- symfony/process: ^7.0
- symfony/yaml: ^7.4
- vimeo/psalm: ^6.14
Suggests
- ext-xdebug: Required to generate coverage reports and run Infection
- dev-main
- v0.29.0
- v0.28.2
- v0.28.1
- v0.28.0
- v0.27.4
- v0.27.3
- v0.27.2
- v0.27.1
- v0.27.0
- v0.26.17
- v0.26.16
- v0.26.15
- v0.26.14
- v0.26.13
- v0.26.12
- v0.26.11
- v0.26.10
- v0.26.9
- v0.26.8
- v0.26.7
- v0.26.6
- v0.26.5
- v0.26.4
- v0.26.3
- v0.26.2
- v0.26.1
- v0.26.0
- v0.25.3
- v0.25.2
- v0.25.1
- v0.25.0
- v0.24.1
- v0.24.0
- v0.23.1
- v0.23.0
- v0.22.4
- v0.22.3
- v0.22.2
- v0.22.1
- v0.22.0
- v0.21.0
- v0.20.2
- v0.20.1
- v0.20.0
- v0.19.2
- v0.19.1
- v0.19.0
- v0.18.0
- v0.17.5
- v0.17.4
- v0.17.3
- v0.17.2
- v0.17.1
- v0.17.0
- v0.16.1
- v0.16.0
- v0.15.0
- v0.14.1
- v0.14.0
- v0.13.3
- v0.13.2
- v0.13.1
- v0.13.0
- v0.12.1
- v0.12.0
- v0.11.1
- v0.11.0
- v0.10.6
- v0.10.5
- v0.10.4
- v0.10.3
- v0.10.2
- v0.10.1
- v0.10.0
- v0.9.0
- v0.8.0
- v0.7.0
- v0.6.0
- v0.5.1
- v0.5.0
- v0.4.1
- v0.4.0
- v0.3.1
- v0.3.0
- v0.2.0
- v0.1.1
- v0.1.0
- dev-emphasize-readme-headlines
- dev-drop-broken-coderabbit-badge
- dev-readme-update
- dev-dev-docs-tree-patches
- dev-mutation-coverage-tree-patches
- dev-move-boolsetting-out-of-value-namespace
- dev-json-render-ops
- dev-append-tree-recursive
- dev-check-settings
- dev-tokens-check-settings
- dev-envs-chain-template
- dev-docker-helper-chain
- dev-sonar-command-chain
- dev-infection-command-chain
- dev-phpunit-command-chain
- dev-hadolint-command-chain
- dev-php-cs-fixer-chain-template
- dev-shellcheck-chain-template
- dev-sonar-chain-template
- dev-phpstan-chain-template
- dev-phpcs-chain-template
- dev-auto-digest-88c76164614b
- dev-sheriff-entrypoint
- dev-snob-ci-entrypoint
- dev-snob-cli-alias
- dev-snob-identity
- dev-update-phpstan-rules-0-48
- dev-template-pipeline
- dev-auto-digest-f1a41bcaab12
- dev-list-text-source
- dev-plain-text-sources
- dev-chain-transformations
- dev-yaml-patches
- dev-value-consumers
- dev-override-list-patch
- dev-remove-patches
- dev-append-patches
- dev-override-patches
- dev-settings-core
- dev-settings-value
- dev-switch-throws-rule
- dev-extend-scalar-overrides
- dev-phpcs-disabled-rules
- dev-test-php-cs-fixer-disabled-rules-rendering
- dev-php-cs-fixer-disabled-rules
- dev-split-exclude-by-tool-group
- dev-bump-phpstan-rules-0.42.1
- dev-auto-digest-5dc15e7dba7d
- dev-json-escape-filter
- dev-shell-quote-filter
- dev-php-options-array
- dev-ci-skip-empty
- dev-phpmetrics-skip-guard
- dev-phpstan-rules-0.36-compat
- dev-skip-empty-src
- dev-migration-rules-follow-php-versions
- dev-auto-digest-c8bba3dd3629
- dev-cover-sequential-parallel-run
- dev-cover-storage-classes
- dev-raise-test-coverage
- dev-raise-mutation-score
- dev-infection-msi-threshold
- dev-update-phpstan-rules
- dev-check-interfaces
- dev-project-config
- dev-output-muted
- dev-envs-fetch-tags
- dev-envs-integration
- dev-envs-parsing
- dev-envs-interface
- dev-dynamic-check-list
- dev-default-phpstan-rules
- dev-phpstan-rules-compliance
- dev-lazy-constructors
- dev-extract-config-paths
- dev-declare-checked-exceptions
- dev-add-phpdoc-summaries
- dev-fix-digest-loop
- dev-sonar-cloud-toggle
- dev-separate-secrets-from-env-vars
- dev-parallel-checks-with-timing
- dev-fast-full-check-groups
- dev-auto-coverage-report
- dev-local-sonar-check
- dev-no-space-declare-strict
- dev-docs-config-reference
- dev-psalm-suppress-and-conditional-handlers
- dev-conditional-formula-actions
- dev-strict-psalm
- dev-yaml-config-docs-and-cleanup
- dev-yaml-defaults
- dev-generate-config-yaml
- dev-rename-config-keys
- dev-yaml-config
- dev-phpcs-annotations-short-names
- dev-numeric-separator-threshold
- dev-remove-phpcs-length-rules
- dev-remove-strict-phpcs-rules
- dev-fix-phpcs-violations
- dev-wire-kubawerlos-fixers
- dev-expand-slevomat-rules
- dev-install-kubawerlos-fixers
- dev-warn-missing-github-secrets
- dev-document-phpstan-slevomat-rules
- dev-phpcs-namespace-from-composer
- dev-slevomat-rules
- dev-phpstan-strict-rules
- dev-require-throws-phpdoc
- dev-remove-sonar-ci-upload
- dev-codecov-branch-coverage
- dev-sonar-project-identity
- dev-sonar-project-properties
- dev-sonar-branch-coverage
- dev-sonar-global-exclusions
- dev-link-override-keys-in-readme
- dev-sonar-override-keys
- dev-sonar-config-support
- dev-fix-scope-in-piqule-fix
- dev-phpunit-php-options
- dev-remove-hits-of-code-badge
- dev-fix-coderabbit-badge
- dev-skip-composer-major-updates
- dev-stop-duplicate-drafts
- dev-readme-cleanup
- dev-centralize-dirs
- dev-append-config
- dev-composer-installed-ci-binary
- dev-use-shared-infra-image
- dev-restore-minor-php-matrix
- dev-composer-installed-autoload
- dev-honest-php-minimum
- dev-graceful-hadolint-skip
- dev-skip-checks-without-sources
- dev-code-standards-compliance
- dev-document-dev-md
- dev-warn-outdated-templates-on-check
- dev-move-gitignore-to-piqule
- dev-renovate-config-pre-push
- dev-plugin-style-pre-push
- dev-enforce-test-conventions
- dev-update-docs
- dev-always-once-sync
- dev-default-config
- dev-flat-config
- dev-default_scalar
- dev-separate-dsl-final-format
- dev-test-release-drafter
- dev-simplify-release-drafter
- dev-sync-file-permissions
- dev-piqule-fix-psalm
- dev-restore-renovate-validation
- dev-restore-renovate
- dev-separate-composer-and-docker-runtimes
- dev-piqule-single-ci
- dev-ghcr-matrix-build
- dev-ci-php-matrix
- dev-external-runtime
- dev-args-git-files
- dev-centralize-toolchain-in-docker
- dev-refactor-output
- dev-make-ci-workflow-configurable
- dev-make-templates-configurable
- dev-injectable-dsl-actions
- dev-unify-actions-with-values
- dev-remove-legacy-dsl-model
- dev-unify-formula-args-as-values
- dev-config-always-returns-list
- dev-add-join-actions
- dev-formula-action
- dev-formula-args
- dev-renovate-disable-major-toolchain
- dev-config
- dev-replacement-missing
- dev-replacement
- dev-xml-named-placeholders
- dev-php-block-placeholders
- dev-xml-placeholders
- dev-php-placeholders
- dev-pin-php-runtime
- dev-deps-phpunit12-symfony7
- dev-yaml-placeholders
- dev-json-placeholders
- dev-align-symfony-process-with-php-version
- dev-update-dockerfile
- dev-parameterize-hadolint-config
- dev-apply-placeholders-to-files
- dev-refine-file-placeholders-parsing
- dev-introduce-placeholders-abstraction
- dev-add-placeholder-default-implementation
- dev-separate-renovate-from-templates
- dev-rename-always-to-root
- dev-remove-obsolete-filesystem-layer
- dev-each-file
- dev-storage-reactions
- dev-reporting-storage-reaction
- dev-diffing-storage
- dev-storage-write-file
- dev-combined-files
- dev-mapped-files
- dev-replaced-file
- dev-prefixed-file-names
- dev-remove-io-from-file
- dev-folder-files
- dev-storage-entries
- dev-disk-storage
- dev-introduce-file
- dev-introduce-storage
- dev-rename-file-to-source
- dev-path-file-directory-separation
- dev-remove-filesystem-path
- dev-file-path
- dev-directory-path
- dev-file-name
- dev-files-namespace
- dev-placed-file
- dev-path-naming-cleanup
- dev-filesystem-renaming
- dev-executable-file-reaction
- dev-storage-is-executable
- dev-remove-legacy-sync
- dev-replace-piqule-sync-with-file-application
- dev-storage-files-refactor
- dev-storage-names-support
- dev-disk-path
- dev-rename-file-target-to-reaction
- dev-application-dry-run
- dev-composite-files
- dev-application
- dev-file-outcome-events
- dev-file-event-targets
- dev-reporting-target
- dev-targets-composite
- dev-file-skipped-event
- dev-file-updated-event
- dev-file-events
- dev-files-mapping
- dev-executable-file
- dev-storage-write-executable
- dev-forced-file
- dev-initial-file
- dev-inline-file
- dev-file-abstraction
- dev-storage-abstraction
- dev-storage-contracts
- dev-prepare-artifact-model
- dev-file-id
- dev-phpstan-ci-direct-run
- dev-xml-lint-ci-simplification
- dev-sync-template-configs
- dev-xdebug-in-dockerfile
- dev-remove-redundant-jq-check
- dev-remove-unused-pmd-cpd
- dev-add-prettier
- dev-unified-composer-commands
- dev-php-cs-fixer-cache-location
- dev-phpmetrics-config
- dev-add-xmllint
- dev-add-jq
- dev-add-phpcs
- dev-add-linter-commands
- dev-simplify-piqule-installation
- dev-unify-sync-entrypoint
- dev-unify-cli-entrypoint
- dev-chain-sync
- dev-add-skip-if-exists-sync
- dev-separate-sync-strategy
- dev-init-entrypoint
- dev-templates/once
- dev-complete-always-templates
- dev-templates/always
- dev-chore/templates-init
- dev-fix/dockerfile-location
- dev-fix/pmd-cpd-input-name
- dev-feature/managed-dockerfile
- dev-fix/project-root-resolution
- dev-fix/bin-autoload-bootstrap
- dev-chore/remove-ast-metrics
- dev-ci/phpmetrics
- dev-feature/add-phpmetrics-gate
- dev-feature/phpmetrics
- dev-refactor/split-sync-cli
- dev-feature/add-pmd-cpd
- dev-ci/ast-metrics-ci-mode
- dev-refactor/docker-remove-composer
- dev-fix/dockerfile-toolchain
- dev-refactor/piqule-config-layout
- dev-chore/ci-fix-yamllint-comments
- dev-feature/phpmd
- dev-feature/ast-metrics-ci
- dev-feature/phpmetrics-support
- dev-docs/update-readme-sync-model
- dev-docs/add-psalm-badge
- dev-feature/add-psalm
- dev-feature/phpstan
- dev-refactor/infra-piqule-layout
- dev-fix/ci-stryker-dashboard-secret
- dev-chore/ci-infection
- dev-chore/docker-hardening
- dev-ci/add-infection
- dev-fix/ci-user-controlled-run
- dev-chore/ci-pin-actions
- dev-refactor/remove-unreachable-paths
- dev-chore/path-coverage-ci
- dev-refactor/extract-tests-workflow
- dev-refactor/hadolint-remove-inputs
- dev-docs/add-readme-badges
- dev-fix/codecov-coverage-path
- dev-ci/add-codecov
- dev-fix/phpunit-version-constraint
- dev-test/unit-output
- dev-test/integration-file-and-console
- dev-refactor/target-interface-cleanup
- dev-test/disk-target-storage
- dev-test/synchronization-integration
- dev-refactor/test-suites-structure
- dev-test/dry-run-target-storage
- dev-refactor/composer-path-resolution
- dev-test/dry-run-notice-command
- dev-test/synchronization-command
- dev-refactor/cli-normalize-arguments
- dev-test/phpunit-setup
- dev-docs/readme
- dev-feature/dry-run
- dev-refactor/remove-target-states
- dev-refactor/materialization-without-project-snapshot
- dev-refactor/unify-sync-command
- dev-refactor/target-states
- dev-refactor/domain-naming-alignment
- dev-feature/hashes-snapshot-integration
- dev-refactor/hashes
- dev-refactor/rename-lock-to-snapshot
- dev-refactor/snapshot-interface
- dev-refactor/registry-lock
- dev-feat/github-workflows-templates
- dev-feature/synchronization
- dev-fix/init-lock-remember
- dev-refactor/piqule-directory-and-lock
- dev-refactor/project-piqule-directory-and-lock
- dev-refactor/remove-states
- dev-refactor/target-materialization
- dev-feature/target-state
- dev-feature/step-scenario
- dev-refactor/source-file-infrastructure
- dev-refactor/output-text-line
- dev-refactor/project-move-init-update-logic
- dev-refactor/project-state-and-source-target
- dev-refactor/run-context-cli
- dev-refactor/step-based-init
- dev-refactor/source-target-directories
- dev-refactor/filesystem-model
- dev-refactor/prepare-copytemplates-for-lock
- dev-refactor/remove-command-interface
- dev-feat/copy-templates
- dev-feat/init-command
- dev-feat/cli-entrypoint
- dev-feat/output-core
- dev-feat/output-ansi-colors
- dev-feat/command-scenarios
- dev-feat/project-structure
- dev-feat/filesystem-abstraction
- dev-feat/output-line-model
- dev-chore/disable-not-operator-successor-space
- dev-chore/introduce-templates-directory
- dev-chore/adjust-renovate-schedule
- dev-ci/refine-renovate-managers
- dev-ci/cleanup-renovate-config
- dev-ci/fix-renovate-config
- dev-ci/renovate-config-fix
- dev-ci/fix-markdownlint-regex-manager
- dev-ci/fix-registry-aliases
- dev-chore/cleanup-renovate-migration
- dev-ci/move-renovate-config
- dev-ci/fix-renovate-repositories
- dev-chore/renovate-hourly
- dev-chore/renovate-hourly-0
- dev-chore/renovate-hourly-30
- dev-chore/renovate-hourly-20
- dev-ci/hourly-renovate-schedule
- dev-ci/update-config-paths
- dev-ci/add-default-configs
- dev-ci/migrate-to-local-workflows
- dev-ci/remote-workflows
- dev-ci/renovate-docker-upgrades
- dev-ci/populate-ci-dockerfile
- dev-ci/add-hadolint-workflow
- dev-ci/docker-integration
- dev-refactor/workflows-single-ci
- dev-ci/pr-size-checker-integration
- dev-fix/renovate-with-token
- dev-fix/renovate-token
- dev-ci/renovate-integration
- dev-ci/typos-integration
- dev-ci/hadolint-integration
- dev-ci/integrate-markdownlint
- dev-ci/integrate-actionlint
- dev-feat/actionlint
- dev-feat/markdownlint-config
- dev-chore/remove-spdx
- dev-docs/update-readme-config-example
- dev-fix/composer-lock-php82
- dev-feat/php-cs-fixer-workflow
- dev-feat/composer-autoload
This package is auto-updated.
Last update: 2026-05-07 14:36:49 UTC
README
Pre-configured strict quality gate for PHP
composer require --dev haspadar/sheriff vendor/bin/sheriff sync vendor/bin/sheriff check
[OK] phpstan 2.8s
[OK] psalm 4.4s
[OK] phpunit 5.9s
[OK] phpcs 9.1s
[OK] phpmd 1.4s
[OK] php-cs-fixer 1.6s
[OK] markdownlint 2.6s
[OK] hadolint 3.1s
[OK] ...
[OK] All checks passed 9.5s
Over 1200 rules from 18 tools
| Tool | Rules |
|---|---|
| PHPStan | 123 (48 strict + 75 haspadar custom) at level 9 |
| Psalm | 331 issue types at level 1 |
| PHP_CodeSniffer | 382 sniffs (Slevomat + core) |
| PHP-CS-Fixer | 364 fixers (303 core + 61 kubawerlos) |
| PHPMD | 6 rulesets, all enabled |
| Infection | mutation testing, Covered MSI ≥ 80% |
Configure
Customization is optional. If needed, create .sheriff.yaml in the project root.
Three settings cascade across every tool that consumes them:
php.src— paths analysed by PHPStan, Psalm, PHPUnit, PHPMD, PHP_CodeSniffer, PHP Metrics, Infection, SonarCloudinfra.exclude— paths skipped by PHP_CodeSniffer, PHP-CS-Fixer, PHP Metrics, markdownlint, jsonlint, yamllint, typos, hadolint, shellcheckphp.versions— versions used in the CI matrix and consumed by PHPStan, PHP-CS-Fixer, PHPMD, Infection
Change one key, every consuming tool follows.
Use append to extend default lists:
append: php.src: - lib infra.exclude: - legacy
Use override to replace individual keys:
override: phpstan.parameters: level: 8 php.versions: ["8.3", "8.4", "8.5"] ci.pr.max_lines_changed: 400
Use php_cs_fixer.extend and phpcs.extend to inject native-syntax fragments at the end of the generated config. Useful when a built-in rule clashes with project code — for example, narrowing phpdoc_types instead of disabling it entirely:
override: php_cs_fixer.extend: " 'phpdoc_types' => ['exclude' => ['scalar']]," phpcs.extend: " <rule ref=\"Foo.Bar\"><severity>0</severity></rule>"
The value is passed through verbatim; Sheriff does not parse it. Use a YAML block scalar (| or |-) for multi-line fragments.
Use envs to export environment variables in CI workflows. Each value is a shell command evaluated at runtime:
envs: COMPOSER_ROOT_VERSION: "git describe --tags --abbrev=0 | sed 's/^v//'"
The full list of available keys and their defaults is generated to .sheriff/config.yaml on every sheriff sync.
.sheriff/ and .github/ are generated by sheriff sync and may be safely deleted.
Workflow
To change configuration:
- Edit
.sheriff.yaml - Run
vendor/bin/sheriff sync
Do not edit .sheriff/ or the GitHub workflow file .github/workflows/sheriff.yml directly — they are generated and will be overwritten.
Commands
sheriff sync— generate configuration from templatessheriff check— run checks, excluding slow ones by default (check.slow: infection, sonar)sheriff check <tool>— run specific tool-f,--full— include slow checks (default:check.full)-F,--no-full— exclude slow checks-p,--parallel— run checks concurrently (default:check.parallel)-P,--no-parallel— force sequential execution-v,--verbose— show full output from each checksheriff fix— run auto-fixable toolssheriff fix <tool>— run specific fixer
Checks
PHP
- PHPStan — level 9 with strict rules and haspadar/phpstan-rules (75 custom rules for object-oriented strictness)
- Psalm
- PHPUnit
- Infection
- PHPMD
- PHP Metrics
- PHP_CodeSniffer — with Slevomat Coding Standard rules (class structure, doc comments, attributes)
- PHP-CS-Fixer — with kubawerlos/php-cs-fixer-custom-fixers
Linters
- actionlint
- hadolint
- shellcheck
- markdownlint-cli2
- jsonlint
- yamllint
- typos
CI
- SonarCloud — requires
SONAR_TOKENenvironment variable (get token) - Pull request size limit
- Code coverage (Codecov)
Contributing
- Fork the repository
- Create a feature branch
- Ensure all checks pass
- Open a pull request
All pull requests must pass CI before merging.
License
MIT