PHPStan is a great tool. In addition to PHPStan, I also use phpnsc (name space checker) to check for missing use statements, php-cs-fixer (code style fixer) to ensure the code adheres to my code style, phpcpd (copy paste detector) to detect duplicate code, and phpmd (mess detector) to find potential problems in the code. These are all set up in my CI pipeline so that my app will fail to build if any of these 5 tools detect a problem. It has saved me from deploying buggy code several times.
If you compile your code with TypeScript and set allowJs=true, you’ll get a lot of checking for free with no changes at all to your existing JS code. TS will catch things like dead code, missing return statements, type mismatches and so on for free.
Fortify SCA supports JS and TypeScript. I’ve been writing custom rules for it lately at work and have had great success with it. Expensive but powerful tool.