diff --git a/composer.json b/composer.json
index 44beddf7..3605a8d0 100644
--- a/composer.json
+++ b/composer.json
@@ -16,14 +16,15 @@
     },
     "require-dev": {
         "wp-cli/extension-command": "^1.2 || ^2",
-        "wp-cli/wp-cli-tests": "^4"
+        "wp-cli/wp-cli-tests": "^5"
     },
     "config": {
         "process-timeout": 7200,
         "sort-packages": true,
         "allow-plugins": {
             "dealerdirect/phpcodesniffer-composer-installer": true,
-            "johnpbloch/wordpress-core-installer": true
+            "johnpbloch/wordpress-core-installer": true,
+            "phpstan/extension-installer": true
         },
         "lock": false
     },
@@ -52,12 +53,14 @@
         "behat-rerun": "rerun-behat-tests",
         "lint": "run-linter-tests",
         "phpcs": "run-phpcs-tests",
+        "phpstan": "run-phpstan-tests",
         "phpcbf": "run-phpcbf-cleanup",
         "phpunit": "run-php-unit-tests",
         "prepare-tests": "install-package-tests",
         "test": [
             "@lint",
             "@phpcs",
+            "@phpstan",
             "@phpunit",
             "@behat"
         ]
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
new file mode 100644
index 00000000..f2bd30bf
--- /dev/null
+++ b/phpstan.neon.dist
@@ -0,0 +1,14 @@
+parameters:
+  level: 9
+  paths:
+    - src
+    - checksum-command.php
+  scanDirectories:
+    - vendor/wp-cli/wp-cli/php
+  scanFiles:
+    - vendor/php-stubs/wordpress-stubs/wordpress-stubs.php
+  treatPhpDocTypesAsCertain: false
+  ignoreErrors:
+    - identifier: missingType.iterableValue
+    - identifier: missingType.parameter
+    - identifier: missingType.return
diff --git a/src/Checksum_Base_Command.php b/src/Checksum_Base_Command.php
index 6579451e..954b279c 100644
--- a/src/Checksum_Base_Command.php
+++ b/src/Checksum_Base_Command.php
@@ -28,7 +28,11 @@ public static function normalize_directory_separators( $path ) {
 	 * @return mixed
 	 */
 	protected static function _read( $url ) { // phpcs:ignore PSR2.Methods.MethodDeclaration.Underscore -- Could be used in classes extending this class.
-		$headers  = array( 'Accept' => 'application/json' );
+		$headers = array( 'Accept' => 'application/json' );
+
+		/**
+		 * @var \WpOrg\Requests\Response $response
+		 */
 		$response = Utils\http_request(
 			'GET',
 			$url,
@@ -64,6 +68,9 @@ function ( $current ) use ( $path ) {
 				),
 				RecursiveIteratorIterator::CHILD_FIRST
 			);
+			/**
+			 * @var \SplFileInfo $file_info
+			 */
 			foreach ( $files as $file_info ) {
 				if ( $file_info->isFile() ) {
 					$filtered_files[] = self::normalize_directory_separators( substr( $file_info->getPathname(), strlen( $path ) ) );
diff --git a/src/Checksum_Core_Command.php b/src/Checksum_Core_Command.php
index 278ab7d2..43f5e965 100644
--- a/src/Checksum_Core_Command.php
+++ b/src/Checksum_Core_Command.php
@@ -98,7 +98,9 @@ public function __invoke( $args, $assoc_args ) {
 		}
 
 		if ( ! empty( $assoc_args['exclude'] ) ) {
-			$this->exclude_files = explode( ',', Utils\get_flag_value( $assoc_args, 'exclude', '' ) );
+			$exclude = Utils\get_flag_value( $assoc_args, 'exclude', '' );
+
+			$this->exclude_files = explode( ',', $exclude );
 		}
 
 		if ( empty( $wp_version ) ) {
@@ -110,7 +112,7 @@ public function __invoke( $args, $assoc_args ) {
 			}
 		}
 
-		$insecure   = (bool) Utils\get_flag_value( $assoc_args, 'insecure', false );
+		$insecure   = Utils\get_flag_value( $assoc_args, 'insecure', false );
 		$wp_org_api = new WpOrgApi( [ 'insecure' => $insecure ] );
 
 		try {
@@ -205,7 +207,7 @@ private static function get_wp_details() {
 			);
 		}
 
-		$version_content = file_get_contents( $versions_path, false, null, 6, 2048 );
+		$version_content = (string) file_get_contents( $versions_path, false, null, 6, 2048 );
 
 		$vars   = [ 'wp_version', 'wp_db_version', 'tinymce_version', 'wp_local_package' ];
 		$result = [];
@@ -227,7 +229,7 @@ private static function get_wp_details() {
 	 * @param string $var_name Variable name to search for.
 	 * @param string $code PHP code to search in.
 	 *
-	 * @return int|string|null
+	 * @return string|null
 	 */
 	private static function find_var( $var_name, $code ) {
 		$start = strpos( $code, '$' . $var_name . ' = ' );
diff --git a/src/Checksum_Plugin_Command.php b/src/Checksum_Plugin_Command.php
index 8dcec6a4..64509d42 100644
--- a/src/Checksum_Plugin_Command.php
+++ b/src/Checksum_Plugin_Command.php
@@ -74,11 +74,15 @@ class Checksum_Plugin_Command extends Checksum_Base_Command {
 	 */
 	public function __invoke( $args, $assoc_args ) {
 
-		$fetcher     = new Fetchers\UnfilteredPlugin();
-		$all         = (bool) Utils\get_flag_value( $assoc_args, 'all', false );
-		$strict      = (bool) Utils\get_flag_value( $assoc_args, 'strict', false );
-		$insecure    = (bool) Utils\get_flag_value( $assoc_args, 'insecure', false );
-		$plugins     = $fetcher->get_many( $all ? $this->get_all_plugin_names() : $args );
+		$fetcher  = new Fetchers\UnfilteredPlugin();
+		$all      = Utils\get_flag_value( $assoc_args, 'all', false );
+		$strict   = Utils\get_flag_value( $assoc_args, 'strict', false );
+		$insecure = Utils\get_flag_value( $assoc_args, 'insecure', false );
+		$plugins  = $fetcher->get_many( $all ? $this->get_all_plugin_names() : $args );
+
+		/**
+		 * @var string $exclude
+		 */
 		$exclude     = Utils\get_flag_value( $assoc_args, 'exclude', '' );
 		$version_arg = isset( $assoc_args['version'] ) ? $assoc_args['version'] : '';
 
@@ -112,6 +116,9 @@ public function __invoke( $args, $assoc_args ) {
 			$wp_org_api = new WpOrgApi( [ 'insecure' => $insecure ] );
 
 			try {
+				/**
+				 * @var array|false $checksums
+				 */
 				$checksums = $wp_org_api->get_plugin_checksums( $plugin->name, $version );
 			} catch ( Exception $exception ) {
 				WP_CLI::warning( $exception->getMessage() );
@@ -167,12 +174,12 @@ public function __invoke( $args, $assoc_args ) {
 	private function verify_hello_dolly_from_core( $assoc_args ) {
 		$file       = 'hello.php';
 		$wp_version = get_bloginfo( 'version', 'display' );
-		$insecure   = (bool) Utils\get_flag_value( $assoc_args, 'insecure', false );
+		$insecure   = Utils\get_flag_value( $assoc_args, 'insecure', false );
 		$wp_org_api = new WpOrgApi( [ 'insecure' => $insecure ] );
-		$locale     = '';
+		$locale     = 'en_US';
 
 		try {
-			$checksums = $wp_org_api->get_core_checksums( $wp_version, empty( $locale ) ? 'en_US' : $locale );
+			$checksums = $wp_org_api->get_core_checksums( $wp_version, $locale );
 		} catch ( Exception $exception ) {
 			WP_CLI::error( $exception );
 		}
@@ -262,7 +269,7 @@ private function get_plugin_files( $path ) {
 	 *                          integrity of.
 	 * @param array  $checksums Array of provided checksums to compare against.
 	 *
-	 * @return true|string
+	 * @return bool|string
 	 */
 	private function check_file_checksum( $path, $checksums ) {
 		if ( $this->supports_sha256()
@@ -299,7 +306,7 @@ private function supports_sha256() {
 	 * @param string $filepath Absolute path to the file to calculate the SHA-2
 	 *                         for.
 	 *
-	 * @return string
+	 * @return string|false
 	 */
 	private function get_sha256( $filepath ) {
 		return hash_file( 'sha256', $filepath );
@@ -311,7 +318,7 @@ private function get_sha256( $filepath ) {
 	 * @param string $filepath Absolute path to the file to calculate the MD5
 	 *                         for.
 	 *
-	 * @return string
+	 * @return string|false
 	 */
 	private function get_md5( $filepath ) {
 		return hash_file( 'md5', $filepath );
diff --git a/src/WP_CLI/Fetchers/UnfilteredPlugin.php b/src/WP_CLI/Fetchers/UnfilteredPlugin.php
index 794ef3c5..2cac264e 100644
--- a/src/WP_CLI/Fetchers/UnfilteredPlugin.php
+++ b/src/WP_CLI/Fetchers/UnfilteredPlugin.php
@@ -20,7 +20,7 @@ class UnfilteredPlugin extends Base {
 	/**
 	 * Get a plugin object by name.
 	 *
-	 * @param string $name
+	 * @param string|int $name
 	 *
 	 * @return object|false
 	 */