diff --git a/.github/workflows/php-static-analysis.yml b/.github/workflows/php-static-analysis.yml
new file mode 100644
index 0000000000000..2c1d4a4c95c0d
--- /dev/null
+++ b/.github/workflows/php-static-analysis.yml
@@ -0,0 +1,97 @@
+name: PHPStan Static Analysis
+
+on:
+  # PHPStan testing was introduced in 7.0.0.
+  push:
+    branches:
+      - trunk
+      - '[7-9].[0-9]'
+    tags:
+      - '[7-9].[0-9]'
+      - '[7-9]+.[0-9].[0-9]+'
+  pull_request:
+    branches:
+      - trunk
+      - '[7-9].[0-9]'
+    paths:
+      # This workflow only scans PHP files.
+      - '**.php'
+      # These files configure Composer. Changes could affect the outcome.
+      - 'composer.*'
+      # These files configure PHPStan. Changes could affect the outcome.
+      - 'phpstan.neon.dist'
+      - 'tests/phpstan/base.neon'
+      - 'tests/phpstan/baseline.php'
+      # Confirm any changes to relevant workflow files.
+      - '.github/workflows/php-static-analysis.yml'
+      - '.github/workflows/reusable-php-static-analysis.yml'
+  workflow_dispatch:
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  # Runs PHPStan Static Analysis.
+  phpstan:
+    name: PHP static analysis
+    uses: ./.github/workflows/reusable-php-static-analysis.yml
+    permissions:
+      contents: read
+    if: ${{ github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) }}
+
+  slack-notifications:
+    name: Slack Notifications
+    uses: ./.github/workflows/slack-notifications.yml
+    permissions:
+      actions: read
+      contents: read
+    needs: [ phpstan ]
+    if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event_name != 'pull_request' && always() }}
+    with:
+      calling_status: ${{ contains( needs.*.result, 'cancelled' ) && 'cancelled' || contains( needs.*.result, 'failure' ) && 'failure' || 'success' }}
+    secrets:
+      SLACK_GHA_SUCCESS_WEBHOOK: ${{ secrets.SLACK_GHA_SUCCESS_WEBHOOK }}
+      SLACK_GHA_CANCELLED_WEBHOOK: ${{ secrets.SLACK_GHA_CANCELLED_WEBHOOK }}
+      SLACK_GHA_FIXED_WEBHOOK: ${{ secrets.SLACK_GHA_FIXED_WEBHOOK }}
+      SLACK_GHA_FAILURE_WEBHOOK: ${{ secrets.SLACK_GHA_FAILURE_WEBHOOK }}
+
+  failed-workflow:
+    name: Failed workflow tasks
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+    needs: [ slack-notifications ]
+    if: |
+      always() &&
+      github.repository == 'WordPress/wordpress-develop' &&
+      github.event_name != 'pull_request' &&
+      github.run_attempt < 2 &&
+      (
+        contains( needs.*.result, 'cancelled' ) ||
+        contains( needs.*.result, 'failure' )
+      )
+
+    steps:
+      - name: Dispatch workflow run
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          retries: 2
+          retry-exempt-status-codes: 418
+          script: |
+            github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'failed-workflow.yml',
+              ref: 'trunk',
+              inputs: {
+                run_id: `${context.runId}`,
+              }
+            });
diff --git a/.github/workflows/reusable-php-static-analysis.yml b/.github/workflows/reusable-php-static-analysis.yml
new file mode 100644
index 0000000000000..6773008ec449d
--- /dev/null
+++ b/.github/workflows/reusable-php-static-analysis.yml
@@ -0,0 +1,121 @@
+##
+# A reusable workflow that runs PHP Static Analysis tests.
+##
+name: PHP Static Analysis
+
+on:
+  workflow_call:
+    inputs:
+      php-version:
+        description: 'The PHP version to use.'
+        required: false
+        type: 'string'
+        default: 'latest'
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  # Runs PHP static analysis tests.
+  #
+  # Violations are reported inline with annotations.
+  #
+  # Performs the following steps:
+  # - Checks out the repository.
+  # - Sets up PHP.
+  # - Logs debug information.
+  # - Installs Composer dependencies.
+  # - Configures caching for PHP static analysis scans.
+  # - Make Composer packages available globally.
+  # - Runs PHPStan static analysis (with Pull Request annotations).
+  # - Saves the PHPStan result cache.
+  # - Ensures version-controlled files are not modified or deleted.
+  phpstan:
+    name: Run PHP static analysis
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
+
+      - name: Set up Node.js
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+
+      - name: Set up PHP
+        uses: shivammathur/setup-php@20529878ed81ef8e78ddf08b480401e6101a850f # v2.35.3
+        with:
+          php-version: ${{ inputs.php-version }}
+          coverage: none
+          tools: cs2pr
+
+      # This date is used to ensure that the Composer cache is cleared at least once every week.
+      # http://man7.org/linux/man-pages/man1/date.1.html
+      - name: "Get last Monday's date"
+        id: get-date
+        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
+
+      - name: General debug information
+        run: |
+          npm --version
+          node --version
+          composer --version
+
+      # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
+      # passing a custom cache suffix ensures that the cache is flushed at least once per week.
+      - name: Install Composer dependencies
+        uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # v3.1.1
+        with:
+          custom-cache-suffix: ${{ steps.get-date.outputs.date }}
+
+      - name: Make Composer packages available globally
+        run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH"
+
+      - name: Get Gutenberg ref
+        id: gutenberg-ref
+        run: echo "ref=$(node -e 'console.log(require("./package.json").gutenberg.ref)')" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Gutenberg
+        uses: actions/cache@v4
+        with:
+          path: |
+            gutenberg
+            .gutenberg-hash
+          key: gutenberg-${{ steps.gutenberg-ref.outputs.ref }}-${{ hashFiles('tools/gutenberg/*') }}
+
+      - name: Install npm dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Build WordPress
+        run: npm run build:dev
+
+      - name: Cache PHP Static Analysis scan cache
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: .cache # This is defined in the base.neon file.
+          key: "phpstan-result-cache-${{ github.run_id }}"
+          restore-keys: |
+            phpstan-result-cache-
+
+      - name: Run PHP static analysis tests
+        id: phpstan
+        run: phpstan analyse -vvv --error-format=checkstyle | cs2pr
+
+      - name: "Save result cache"
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        if: ${{ !cancelled() }}
+        with:
+          path: .cache
+          key: "phpstan-result-cache-${{ github.run_id }}"
+
+      - name: Ensure version-controlled files are not modified or deleted
+        run: git diff --exit-code
diff --git a/.gitignore b/.gitignore
index 3997df4c9d603..2705dadd54b2b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,7 @@ wp-tests-config.php
 /gutenberg
 /tests/phpunit/build
 /wp-cli.local.yml
+/phpstan.neon
 /jsdoc
 /composer.lock
 /vendor
diff --git a/composer.json b/composer.json
index 2c5b20f7879a9..2c5923e9e3257 100644
--- a/composer.json
+++ b/composer.json
@@ -23,6 +23,7 @@
 		"squizlabs/php_codesniffer": "3.13.5",
 		"wp-coding-standards/wpcs": "~3.3.0",
 		"phpcompatibility/phpcompatibility-wp": "~2.1.3",
+		"phpstan/phpstan": "~2.1.33",
 		"yoast/phpunit-polyfills": "^1.1.0"
 	},
 	"config": {
@@ -32,6 +33,7 @@
 		"lock": false
 	},
 	"scripts": {
+		"phpstan": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
 		"compat": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcs --standard=phpcompat.xml.dist --report=summary,source",
 		"format": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcbf --report=summary,source",
 		"lint": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcs --report=summary,source",
diff --git a/package.json b/package.json
index 766e241ff8d6d..fcd29cb1b49ad 100644
--- a/package.json
+++ b/package.json
@@ -130,6 +130,7 @@
 		"test:coverage": "npm run test:php -- --coverage-html ./coverage/html/ --coverage-php ./coverage/php/report.php --coverage-text=./coverage/text/report.txt",
 		"test:e2e": "wp-scripts test-playwright --config tests/e2e/playwright.config.js",
 		"test:visual": "wp-scripts test-playwright --config tests/visual-regression/playwright.config.js",
+		"typecheck:php": "node ./tools/local-env/scripts/docker.js run --rm php composer phpstan",
 		"gutenberg:checkout": "node tools/gutenberg/checkout-gutenberg.js",
 		"gutenberg:build": "node tools/gutenberg/build-gutenberg.js",
 		"gutenberg:copy": "node tools/gutenberg/copy-gutenberg-build.js",
diff --git a/phpcs.xml.dist b/phpcs.xml.dist
index a8387b3604c9b..efb679fb6c13b 100644
--- a/phpcs.xml.dist
+++ b/phpcs.xml.dist
@@ -81,6 +81,9 @@
 	<exclude-pattern>/tests/phpunit/build*</exclude-pattern>
 	<exclude-pattern>/tests/phpunit/data/*</exclude-pattern>
 
+	<!-- PHPStan bootstrap, stubs, and baseline. -->
+	<exclude-pattern>/tests/phpstan/*</exclude-pattern>
+
 	<exclude-pattern>/tools/*</exclude-pattern>
 
 	<!-- Drop-in plugins. -->
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
new file mode 100644
index 0000000000000..e74e6ec1a441b
--- /dev/null
+++ b/phpstan.neon.dist
@@ -0,0 +1,36 @@
+# PHPStan configuration for WordPress Core.
+#
+# To overload this configuration, copy this file to phpstan.neon and adjust as needed.
+#
+# https://phpstan.org/config-reference
+
+includes:
+	# The base configuration file for using PHPStan with the WordPress core codebase.
+	- tests/phpstan/base.neon
+
+	# The baseline file includes preexisting errors in the codebase that should be ignored.
+	# https://phpstan.org/user-guide/baseline
+	- tests/phpstan/baseline.php
+
+parameters:
+	# https://phpstan.org/user-guide/rule-levels
+	level: 0
+	reportUnmatchedIgnoredErrors: true
+
+	ignoreErrors:
+		# Level 0:
+		- # Inner functions aren't supported by PHPStan.
+			message: '#Function wxr_[a-z_]+ not found#'
+			path: src/wp-admin/includes/export.php
+		-
+			identifier: function.inner
+			path: src/wp-admin/includes/export.php
+			count: 13
+		-
+			identifier: function.inner
+			path: src/wp-admin/includes/file.php
+			count: 1
+		-
+			identifier: function.inner
+			path: src/wp-includes/canonical.php
+			count: 1
diff --git a/src/wp-admin/includes/class-wp-filesystem-ssh2.php b/src/wp-admin/includes/class-wp-filesystem-ssh2.php
index 9e0cb885b0bcc..30bd38c3cf2f2 100644
--- a/src/wp-admin/includes/class-wp-filesystem-ssh2.php
+++ b/src/wp-admin/includes/class-wp-filesystem-ssh2.php
@@ -672,6 +672,7 @@ public function size( $file ) {
 	 *                      Default 0.
 	 */
 	public function touch( $file, $time = 0, $atime = 0 ) {
+		// @phpstan-ignore-next-line
 		// Not implemented.
 	}
 
diff --git a/src/wp-admin/press-this.php b/src/wp-admin/press-this.php
index c91df1c96b84b..45021964364a3 100644
--- a/src/wp-admin/press-this.php
+++ b/src/wp-admin/press-this.php
@@ -22,8 +22,8 @@ function wp_load_press_this() {
 			403
 		);
 	} elseif ( is_plugin_active( $plugin_file ) ) {
-		include WP_PLUGIN_DIR . '/press-this/class-wp-press-this-plugin.php';
-		$wp_press_this = new WP_Press_This_Plugin();
+		include WP_PLUGIN_DIR . '/press-this/class-wp-press-this-plugin.php'; // @phpstan-ignore include.fileNotFound
+		$wp_press_this = new WP_Press_This_Plugin(); // @phpstan-ignore class.notFound
 		$wp_press_this->html();
 	} elseif ( current_user_can( 'activate_plugins' ) ) {
 		if ( file_exists( WP_PLUGIN_DIR . '/' . $plugin_file ) ) {
diff --git a/src/wp-content/themes/twentyfourteen/inc/featured-content.php b/src/wp-content/themes/twentyfourteen/inc/featured-content.php
index b98ab983919df..3193aa8b93549 100644
--- a/src/wp-content/themes/twentyfourteen/inc/featured-content.php
+++ b/src/wp-content/themes/twentyfourteen/inc/featured-content.php
@@ -212,7 +212,7 @@ public static function delete_transient() {
 	 * @since Twenty Fourteen 1.0
 	 *
 	 * @param WP_Query $query WP_Query object.
-	 * @return WP_Query Possibly-modified WP_Query.
+	 * @return void
 	 */
 	public static function pre_get_posts( $query ) {
 
diff --git a/src/wp-content/themes/twentytwenty/inc/template-tags.php b/src/wp-content/themes/twentytwenty/inc/template-tags.php
index fdf51ccee9624..e15ae6652bbec 100644
--- a/src/wp-content/themes/twentytwenty/inc/template-tags.php
+++ b/src/wp-content/themes/twentytwenty/inc/template-tags.php
@@ -29,7 +29,7 @@
  *
  * @param array $args    Arguments for displaying the site logo either as an image or text.
  * @param bool  $display Display or return the HTML.
- * @return string Compiled HTML based on our arguments.
+ * @return string|void Compiled HTML based on our arguments.
  */
 function twentytwenty_site_logo( $args = array(), $display = true ) {
 	$logo       = get_custom_logo();
@@ -107,7 +107,7 @@ function twentytwenty_site_logo( $args = array(), $display = true ) {
  * @since Twenty Twenty 1.0
  *
  * @param bool $display Display or return the HTML.
- * @return string The HTML to display.
+ * @return string|void The HTML to display.
  */
 function twentytwenty_site_description( $display = true ) {
 	$description = get_bloginfo( 'description' );
@@ -249,7 +249,7 @@ function twentytwenty_edit_post_link( $link, $post_id, $text ) {
  *
  * @param int    $post_id  The ID of the post.
  * @param string $location The location where the meta is shown.
- * @return string Post meta HTML.
+ * @return string|void Post meta HTML.
  */
 function twentytwenty_get_post_meta( $post_id = null, $location = 'single-top' ) {
 
diff --git a/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-customize.php b/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-customize.php
index 53db8dffb216f..d4bc16e20171d 100644
--- a/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-customize.php
+++ b/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-customize.php
@@ -35,8 +35,12 @@ public function __construct() {
 		public function register( $wp_customize ) {
 
 			// Change site-title & description to postMessage.
-			$wp_customize->get_setting( 'blogname' )->transport        = 'postMessage'; // @phpstan-ignore-line. Assume that this setting exists.
-			$wp_customize->get_setting( 'blogdescription' )->transport = 'postMessage'; // @phpstan-ignore-line. Assume that this setting exists.
+			foreach ( array( 'blogname', 'blogdescription' ) as $setting_id ) {
+				$setting = $wp_customize->get_setting( $setting_id );
+				if ( $setting ) {
+					$setting->transport = 'postMessage';
+				}
+			}
 
 			// Add partial for blogname.
 			$wp_customize->selective_refresh->add_partial(
diff --git a/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-dark-mode.php b/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-dark-mode.php
index d5672c4054f3c..6644e7d02eeab 100644
--- a/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-dark-mode.php
+++ b/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-dark-mode.php
@@ -98,7 +98,7 @@ public function enqueue_scripts() {
 		if ( is_rtl() ) {
 			$url = get_template_directory_uri() . '/assets/css/style-dark-mode-rtl.css';
 		}
-		wp_enqueue_style( 'tt1-dark-mode', $url, array( 'twenty-twenty-one-style' ), wp_get_theme()->get( 'Version' ) ); // @phpstan-ignore-line. Version is always a string.
+		wp_enqueue_style( 'tt1-dark-mode', $url, array( 'twenty-twenty-one-style' ), wp_get_theme()->get( 'Version' ) );
 	}
 
 	/**
diff --git a/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-svg-icons.php b/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-svg-icons.php
index 398ef82bbd7c8..e32d050b4e455 100644
--- a/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-svg-icons.php
+++ b/src/wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-svg-icons.php
@@ -189,10 +189,9 @@ public static function get_svg( $group, $icon, $size ) {
 		if ( array_key_exists( $icon, $arr ) ) {
 			$repl = sprintf( '<svg class="svg-icon" width="%d" height="%d" aria-hidden="true" role="img" focusable="false" ', $size, $size );
 
-			$svg = preg_replace( '/^<svg /', $repl, trim( $arr[ $icon ] ) ); // Add extra attributes to SVG code.
+			$svg = (string) preg_replace( '/^<svg /', $repl, trim( $arr[ $icon ] ) ); // Add extra attributes to SVG code.
 		}
 
-		// @phpstan-ignore-next-line.
 		return $svg;
 	}
 
diff --git a/src/wp-content/themes/twentytwentyone/inc/template-functions.php b/src/wp-content/themes/twentytwentyone/inc/template-functions.php
index 7639331c37286..529564c295319 100644
--- a/src/wp-content/themes/twentytwentyone/inc/template-functions.php
+++ b/src/wp-content/themes/twentytwentyone/inc/template-functions.php
@@ -339,12 +339,12 @@ function twenty_twenty_one_get_non_latin_css( $type = 'front-end' ) {
 	}
 
 	// Return the specified styles.
-	return twenty_twenty_one_generate_css( // @phpstan-ignore-line.
+	return twenty_twenty_one_generate_css(
 		implode( ',', $elements[ $type ] ),
 		'font-family',
 		implode( ',', $font_family[ $locale ] ),
-		null,
-		null,
+		'',
+		'',
 		false
 	);
 }
diff --git a/src/wp-includes/class-wp-scripts.php b/src/wp-includes/class-wp-scripts.php
index bb17c08bb52cb..486dca3009489 100644
--- a/src/wp-includes/class-wp-scripts.php
+++ b/src/wp-includes/class-wp-scripts.php
@@ -1186,7 +1186,7 @@ private function get_highest_fetchpriority_with_dependents( string $handle, arra
 				}
 			}
 		}
-		$stored_results[ $handle ] = $priorities[ $highest_priority_index ]; // @phpstan-ignore parameterByRef.type (We know the index is valid and that this will be a string.)
+		$stored_results[ $handle ] = $priorities[ $highest_priority_index ];
 		return $priorities[ $highest_priority_index ];
 	}
 
diff --git a/src/wp-includes/class-wp-theme-json.php b/src/wp-includes/class-wp-theme-json.php
index c7929dad9e689..646c10b084aae 100644
--- a/src/wp-includes/class-wp-theme-json.php
+++ b/src/wp-includes/class-wp-theme-json.php
@@ -3541,7 +3541,7 @@ public function get_svg_filters( $origins ) {
 	 * @param array      $theme_json The theme.json like structure to inspect.
 	 * @param array      $path       Path to inspect.
 	 * @param bool|array $override   Data to compute whether to override the preset.
-	 * @return bool
+	 * @return bool|null True if the preset should override the defaults, false if not. Null if the override parameter is invalid.
 	 */
 	protected static function should_override_preset( $theme_json, $path, $override ) {
 		_deprecated_function( __METHOD__, '6.0.0', 'get_metadata_boolean' );
@@ -3576,6 +3576,8 @@ protected static function should_override_preset( $theme_json, $path, $override
 
 			return true;
 		}
+
+		return null;
 	}
 
 	/**
diff --git a/src/wp-includes/class-wp-theme.php b/src/wp-includes/class-wp-theme.php
index c894f6dd72f40..a5f2459d490c7 100644
--- a/src/wp-includes/class-wp-theme.php
+++ b/src/wp-includes/class-wp-theme.php
@@ -866,6 +866,14 @@ public function cache_delete() {
 	 *
 	 * @param string $header Theme header. Name, Description, Author, Version, ThemeURI, AuthorURI, Status, Tags.
 	 * @return string|array|false String or array (for Tags header) on success, false on failure.
+	 *
+	 * @phpstan-return (
+	 *     $header is 'Tags'
+	 *         ? string[]|false
+	 *         : ( $header is 'Name'|'ThemeURI'|'Description'|'Author'|'AuthorURI'|'Version'|'Template'|'Status'|'TextDomain'|'DomainPath'|'RequiresWP'|'RequiresPHP'|'UpdateURI'
+	 *             ? string|false
+	 *             : false )
+	 * )
 	 */
 	public function get( $header ) {
 		if ( ! isset( $this->headers[ $header ] ) ) {
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index 6f0a8f5e7f302..26483a20fefe9 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -3765,6 +3765,9 @@ function wp_nonce_ays( $action ) {
  *                                  is a WP_Error.
  *     @type bool   $exit           Whether to exit the process after completion. Default true.
  * }
+ * @return never|void Returns false if `$args['exit']` is false, otherwise exits.
+ *
+ * @phpstan-return ( $args['exit'] is false ? void : never )
  */
 function wp_die( $message = '', $title = '', $args = array() ) {
 	global $wp_query;
diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php
index 55f955f2c1a9a..2dfba365343da 100644
--- a/src/wp-includes/html-api/class-wp-html-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-processor.php
@@ -139,6 +139,7 @@
  *
  * @see WP_HTML_Tag_Processor
  * @see https://html.spec.whatwg.org/
+ * @phpstan-consistent-constructor
  */
 class WP_HTML_Processor extends WP_HTML_Tag_Processor {
 	/**
@@ -583,6 +584,7 @@ private function create_fragment_at_current_node( string $html ) {
 	 * @since 6.7.0
 	 *
 	 * @param string $message Explains support is missing in order to parse the current node.
+	 * @return never
 	 */
 	private function bail( string $message ) {
 		$here  = $this->bookmarks[ $this->state->current_token->bookmark_name ];
diff --git a/src/wp-includes/media.php b/src/wp-includes/media.php
index 5d350b1a18951..10845a592be47 100644
--- a/src/wp-includes/media.php
+++ b/src/wp-includes/media.php
@@ -4116,7 +4116,7 @@ function get_taxonomies_for_attachments( $output = 'names' ) {
  *              false otherwise.
  */
 function is_gd_image( $image ) {
-	if ( $image instanceof GdImage
+	if ( $image instanceof GdImage // @phpstan-ignore class.notFound (Only available with PHP8+.)
 		|| is_resource( $image ) && 'gd' === get_resource_type( $image )
 	) {
 		return true;
diff --git a/src/wp-includes/style-engine/class-wp-style-engine-css-rules-store.php b/src/wp-includes/style-engine/class-wp-style-engine-css-rules-store.php
index 4a82f28b8a41e..220980c8dc6b6 100644
--- a/src/wp-includes/style-engine/class-wp-style-engine-css-rules-store.php
+++ b/src/wp-includes/style-engine/class-wp-style-engine-css-rules-store.php
@@ -13,6 +13,8 @@
  * Holds, sanitizes, processes, and prints CSS declarations for the style engine.
  *
  * @since 6.1.0
+ *
+ * @phpstan-consistent-constructor
  */
 #[AllowDynamicProperties]
 class WP_Style_Engine_CSS_Rules_Store {
diff --git a/src/wp-includes/template.php b/src/wp-includes/template.php
index 81b35fadf4883..6ec1934f866ec 100644
--- a/src/wp-includes/template.php
+++ b/src/wp-includes/template.php
@@ -796,7 +796,7 @@ function load_template( $_template_file, $load_once = true, $args = array() ) {
 	}
 
 	if ( isset( $s ) ) {
-		$s = esc_attr( $s );
+		$s = esc_attr( $s ); // @phpstan-ignore variable.undefined (It's extracted from query vars.)
 	}
 
 	/**
@@ -976,7 +976,7 @@ static function ( int $level, string $message, ?string $file = null, ?int $line
 			}
 
 			// Display a caught exception as an error since it prevents any of the output buffer filters from applying.
-			if ( $did_just_catch ) { // @phpstan-ignore if.alwaysFalse (The variable is set in the catch block below.)
+			if ( $did_just_catch ) {
 				$level = E_USER_ERROR;
 			}
 
diff --git a/tests/phpstan/README.md b/tests/phpstan/README.md
new file mode 100644
index 0000000000000..967c4a9d0195d
--- /dev/null
+++ b/tests/phpstan/README.md
@@ -0,0 +1,83 @@
+# PHPStan
+
+PHPStan is a static analysis tool for PHP that checks your code for errors without needing to execute the specific lines or write extra tests.
+
+## Running the tests
+
+PHPStan requires PHP and Composer dependencies to be installed.
+
+If you don't already have an environment ready, you can set one up by following [these instructions](https://github.com/WordPress/wordpress-develop/blob/master/README.md).
+
+Then you can launch the tests by running:
+
+```bash
+npm run typecheck:php
+```
+
+which will run PHPStan in the Docker container.
+
+Additional flags supported by PHPStan can be passed by passing `--` followed by the flags themselves. For example, 
+
+```bash
+# to increase the memory limit from the default 2G to 4G:
+npm run typecheck:php -- --memory-limit=4G
+
+# to analyze only a specific file:
+npm run typecheck:php -- src/wp-includes/template.php
+
+# To scan with verbose debugging output:
+npm run typecheck:php -- -vvv --debug
+```
+
+If you are not using the Docker environment, you can run PHPStan via Composer directly:
+
+```bash
+composer run phpstan
+
+composer run phpstan -- --memory-limit=4G
+composer run phpstan -- src/wp-includes/template.php
+composer run phpstan -- -vvv --debug
+```
+
+For available flags, see https://phpstan.org/user-guide/command-line-usage.
+
+## The PHPStan configuration
+
+The PHPStan configuration file is located at [`phpstan.neon.dist`](../../phpstan.neon.dist).
+
+You can create a local copy at `phpstan.neon` to override the default configuration.
+
+For more information about configuring PHPStan, see the [PHPStan documentation's Config reference](https://phpstan.org/config-reference).
+
+## Ignoring and baselining errors
+
+As we adopt PHPStan iteratively, you may be faced with false positives due to legacy code, or code that is not worth changing at this time.
+
+PHPStan errors can be ignored in the following ways:
+
+- Using the `@phpstan-ignore {error-identifier} (Reason for ignoring)` annotation in the code itself. This should be used to suppress false positives with a specific line of code.
+
+- Adding the error pattern to the `ignoreErrors` section of the `phpstan.neon.dist` configuration file. This should be used to handle conflicts with WordPress Coding Standards or similar project decisions, or to allowlist legacy code that is not worth refactoring solely to satisfy the tests.
+
+- Adding an error to the "tech debt" baseline. This should be used for code that needs to be addressed eventually - by fixing, refactoring, or ignoring via one of the above methods - but is not worth addressing right now.
+
+	Baselines are a useful triage tool for handling PHPStan errors in legacy code, as they allow us to enforce stricter code quality checks on new code, while gradually chipping away at the existing issues over time. **Avoid adding PHPStan errors from new code whenever possible, and use baselines as a last resort.**
+
+	The baseline file is located at `tests/phpstan/baseline.php` and generated by running PHPStan with the `--generate-baseline` flag:
+
+	```bash
+	npm run typecheck:php -- --generate-baseline=tests/phpstan/baseline.php
+
+	# or, with Composer directly:
+	composer run phpstan -- --generate-baseline=tests/phpstan/baseline.php
+	```
+
+	This will regenerate the baseline file with any new errors added to the existing ones. You can then commit the updated baseline file.
+
+## Performance and troubleshooting
+
+PHPStan can be resource-intensive, especially on large codebases like WordPress. If you encounter memory limit issues, you can increase the memory limit by passing the `--memory-limit` flag as shown [above](#running-the-tests).
+
+PHPStan caches analysis results to speed up subsequent runs. You can see information about the results cache by running `analyse` with the `-vv` or `-vvv` flag.
+
+Sometimes, due to the lack of type information in legacy code, PHPStan may still struggle to analyze certain parts of the codebase. In such cases, you can use the `--debug` flag to disable caching and see which files are causing issues.
diff --git a/tests/phpstan/base.neon b/tests/phpstan/base.neon
new file mode 100644
index 0000000000000..91d0d29b6fbf4
--- /dev/null
+++ b/tests/phpstan/base.neon
@@ -0,0 +1,143 @@
+# Base PHPStan configuration for WordPress Core.
+#
+# This is kept separate from the main PHPStan configuration file to allow for easy overloading while baseline errors are being fixed.
+#
+# https://phpstan.org/config-reference
+
+parameters:
+	# Cache is stored locally, so it's available for CI.
+	tmpDir: ../../.cache
+
+	# The Minimum PHP Version
+	phpVersion:
+		min: 70400
+		max: 80500
+
+	# If it's not enforced by PHP we can't assume users are passing valid values.
+	treatPhpDocTypesAsCertain: false
+
+	# These config options are explained in https://phpstan.org/config-reference
+	checkFunctionNameCase: true
+	inferPrivatePropertyTypeFromConstructor: true
+
+	# Constants whose values may differ depending on the install.
+	dynamicConstantNames:
+		- ALLOW_SUBDIRECTORY_INSTALL
+		- AUTH_SALT
+		- AUTOMATIC_UPDATER_DISABLED
+		- COOKIEPATH
+		- CUSTOM_TAGS
+		- DISALLOW_FILE_EDIT
+		- DISALLOW_UNFILTERED_HTML
+		- EMPTY_TRASH_DAYS
+		- ENFORCE_GZIP
+		- FORCE_SSL_LOGIN
+		- MEDIA_TRASH
+		- MULTISITE
+		- NOBLOGREDIRECT
+		- SAVEQUERIES
+		- SCRIPT_DEBUG
+		- SECRET_KEY
+		- SECRET_SALT
+		- SHORTINIT
+		- SITECOOKIEPATH
+		- UPLOADBLOGSDIR
+		- WP_ALLOW_MULTISITE
+		- WP_CACHE
+		- WP_DEBUG
+		- WP_DEBUG_DISPLAY
+		- WP_DEBUG_LOG
+		- WP_LANG_DIR
+		- WP_NETWORK_ADMIN
+		- WP_POST_REVISIONS
+		- WP_SITEURL
+		- WP_USE_THEMES
+		- WP_USER_ADMIN
+		- WPLANG
+		- WPMU_ACCEL_REDIRECT
+		- WPMU_PLUGIN_DIR
+		- WPMU_SENDFILE
+
+	# What directories and files should be scanned.
+	paths:
+		- ../../src/wp-admin
+		- ../../src/wp-includes
+		- ../../src/wp-content/themes/twentyeleven
+		- ../../src/wp-content/themes/twentyfifteen
+		- ../../src/wp-content/themes/twentyfourteen
+		- ../../src/wp-content/themes/twentynineteen
+		- ../../src/wp-content/themes/twentyseventeen
+		- ../../src/wp-content/themes/twentysixteen
+		- ../../src/wp-content/themes/twentyten
+		- ../../src/wp-content/themes/twentythirteen
+		- ../../src/wp-content/themes/twentytwelve
+		- ../../src/wp-content/themes/twentytwenty
+		- ../../src/wp-content/themes/twentytwentyfive
+		- ../../src/wp-content/themes/twentytwentyfour
+		- ../../src/wp-content/themes/twentytwentyone
+		- ../../src/wp-content/themes/twentytwentythree
+		- ../../src/wp-content/themes/twentytwentytwo
+		- ../../src/index.php
+		- ../../src/wp-activate.php
+		- ../../src/wp-blog-header.php
+		- ../../src/wp-comments-post.php
+		- ../../src/wp-cron.php
+		- ../../src/wp-links-opml.php
+		- ../../src/wp-load.php
+		- ../../src/wp-login.php
+		- ../../src/wp-mail.php
+		- ../../src/wp-settings.php
+		- ../../src/wp-signup.php
+		- ../../src/wp-trackback.php
+		- ../../src/xmlrpc.php
+	bootstrapFiles:
+		- bootstrap.php
+	scanFiles:
+		- ../../wp-config-sample.php
+		- ../../src/wp-admin/includes/ms.php
+	scanDirectories:
+		- ../../src/wp-includes
+		- ../../src/wp-admin
+	excludePaths:
+		analyseAndScan:
+			- ../../src/wp-admin/includes/noop.php
+		analyse:
+			# These files are deprecated.
+			- ../../src/wp-admin/includes/deprecated.php
+			- ../../src/wp-admin/includes/ms-deprecated.php
+			- ../../src/wp-includes/deprecated.php
+			- ../../src/wp-includes/ms-deprecated.php
+			- ../../src/wp-includes/pluggable-deprecated.php
+			# These files are sourced by wordpress/gutenberg in `tools/release/sync-stable-blocks.js`.
+			- ../../src/wp-includes/blocks
+			# Third-party libraries.
+			- ../../src/wp-admin/includes/class-ftp-pure.php
+			- ../../src/wp-admin/includes/class-ftp-sockets.php
+			- ../../src/wp-admin/includes/class-ftp.php
+			- ../../src/wp-admin/includes/class-pclzip.php
+			- ../../src/wp-includes/atomlib.php
+			- ../../src/wp-includes/class-avif-info.php
+			- ../../src/wp-includes/class-IXR.php
+			- ../../src/wp-includes/class-json.php
+			- ../../src/wp-includes/class-phpass.php
+			- ../../src/wp-includes/class-pop3.php
+			- ../../src/wp-includes/class-requests.php
+			- ../../src/wp-includes/class-simplepie.php
+			- ../../src/wp-includes/class-snoopy.php
+			- ../../src/wp-includes/class-wp-feed-cache.php
+			- ../../src/wp-includes/class-wp-http-ixr-client.php
+			- ../../src/wp-includes/class-wp-http-requests-hooks.php
+			- ../../src/wp-includes/class-wp-http-requests-response.php
+			- ../../src/wp-includes/class-wp-simplepie-file.php
+			- ../../src/wp-includes/class-wp-simplepie-sanitize-kses.php
+			- ../../src/wp-includes/class-wp-text-diff-renderer-inline.php
+			- ../../src/wp-includes/class-wp-text-diff-renderer-table.php
+			- ../../src/wp-includes/rss.php
+			- ../../src/wp-includes/ID3
+			- ../../src/wp-includes/IXR
+			- ../../src/wp-includes/PHPMailer
+			- ../../src/wp-includes/pomo
+			- ../../src/wp-includes/Requests
+			- ../../src/wp-includes/SimplePie
+			- ../../src/wp-includes/sodium_compat
+			- ../../src/wp-includes/Text
diff --git a/tests/phpstan/baseline.php b/tests/phpstan/baseline.php
new file mode 100644
index 0000000000000..646cbdbef630c
--- /dev/null
+++ b/tests/phpstan/baseline.php
@@ -0,0 +1,3 @@
+<?php declare(strict_types = 1);
+
+return [];
diff --git a/tests/phpstan/bootstrap.php b/tests/phpstan/bootstrap.php
new file mode 100644
index 0000000000000..c87a26babf83d
--- /dev/null
+++ b/tests/phpstan/bootstrap.php
@@ -0,0 +1,95 @@
+<?php
+/**
+ * Defines default WordPress constants for discovery.
+ *
+ * Mocks the constant initiation that would normally happen in wp-includes/wp-settings.php.
+ */
+
+// wp_initial_constants()
+define( 'KB_IN_BYTES', 1024 );
+define( 'MB_IN_BYTES', 1024 * KB_IN_BYTES );
+define( 'GB_IN_BYTES', 1024 * MB_IN_BYTES );
+define( 'TB_IN_BYTES', 1024 * GB_IN_BYTES );
+define( 'PB_IN_BYTES', 1024 * TB_IN_BYTES );
+define( 'EB_IN_BYTES', 1024 * PB_IN_BYTES );
+define( 'ZB_IN_BYTES', 1024 * EB_IN_BYTES );
+define( 'YB_IN_BYTES', 1024 * ZB_IN_BYTES );
+define( 'WP_START_TIMESTAMP', microtime( true ) );
+define( 'WP_MEMORY_LIMIT', '' );
+define( 'WP_MAX_MEMORY_LIMIT', '' );
+define( 'WP_DEVELOPMENT_MODE', '' );
+define( 'WP_DEBUG', false );
+define( 'WP_DEBUG_DISPLAY', false );
+define( 'WP_DEBUG_LOG', false );
+define( 'WP_CACHE', false );
+define( 'SCRIPT_DEBUG', false );
+define( 'MEDIA_TRASH', false );
+define( 'SHORTINIT', false );
+define( 'WP_FEATURE_BETTER_PASSWORDS', true );
+define( 'MINUTE_IN_SECONDS', 60 );
+define( 'HOUR_IN_SECONDS', 60 * MINUTE_IN_SECONDS );
+define( 'DAY_IN_SECONDS', 24 * HOUR_IN_SECONDS );
+define( 'WEEK_IN_SECONDS', 7 * DAY_IN_SECONDS );
+define( 'MONTH_IN_SECONDS', 30 * DAY_IN_SECONDS );
+define( 'YEAR_IN_SECONDS', 365 * DAY_IN_SECONDS );
+
+// wp_set_lang_dir()
+define( 'WP_LANG_DIR', '' );
+
+// wp_plugin_directory_constants()
+define( 'WP_CONTENT_URL', '' );
+define( 'WP_PLUGIN_DIR', '' );
+define( 'WP_PLUGIN_URL', '' );
+define( 'PLUGINDIR', '' );
+define( 'WPMU_PLUGIN_DIR', '' );
+define( 'WPMU_PLUGIN_URL', '' );
+define( 'MUPLUGINDIR', '' );
+
+// ms_cookie_constants()
+define( 'COOKIEPATH', '' );
+define( 'SITECOOKIEPATH', '' );
+define( 'ADMIN_COOKIE_PATH', '' );
+define( 'COOKIE_DOMAIN', '' );
+
+// wp_cookie_constants()
+define( 'COOKIEHASH', '' );
+define( 'USER_COOKIE', '' );
+define( 'PASS_COOKIE', '' );
+define( 'AUTH_COOKIE', '' );
+define( 'SECURE_AUTH_COOKIE', '' );
+define( 'LOGGED_IN_COOKIE', '' );
+define( 'TEST_COOKIE', '' );
+define( 'PLUGINS_COOKIE_PATH', '' );
+define( 'RECOVERY_MODE_COOKIE', '' );
+
+// wp_ssl_constants()
+define( 'FORCE_SSL_LOGIN', false );
+define( 'FORCE_SSL_ADMIN', false );
+
+// wp_functionality_constants()
+define( 'AUTOSAVE_INTERVAL', MINUTE_IN_SECONDS );
+define( 'EMPTY_TRASH_DAYS', 1 );
+define( 'WP_POST_REVISIONS', true );
+define( 'WP_CRON_LOCK_TIMEOUT', MINUTE_IN_SECONDS );
+
+// wp_templating_constants()
+define( 'TEMPLATEPATH', '' );
+define( 'STYLESHEETPATH', '' );
+define( 'WP_DEFAULT_THEME', '' );
+
+// ms_file_constants()
+define( 'WPMU_SENDFILE', false );
+define( 'WPMU_ACCEL_REDIRECT', false );
+
+// ms_load_current_site_and_network()
+define( 'NOBLOGREDIRECT', '' );
+
+// ms_upload_constants()
+define( 'UPLOADBLOGSDIR', '' );
+define( 'BLOGUPLOADDIR', '' );
+
+// Misc constants not part of the default lifecycle.
+define( 'FS_CONNECT_TIMEOUT', 1 );
+define( 'FS_TIMEOUT', 1 );
+define( 'FS_CHMOD_DIR', 1 );
+define( 'FS_CHMOD_FILE', 1 );