This repository lists static analysis tools for all programming languages, build tools, config files and more. The focus is on tools which improve code quality such as linters and formatters. The official website, π analysis-tools.dev is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.
This project would not be possible without the generous support of our sponsors.
|
|
|
If you also want to support this project, head over to our ?β
?π΄
Github sponsors page).
- Β©οΈ stands for proprietary software. All other tools are Open Source.
- βΉοΈ indicates that the community does not recommend to use this tool for new projects anymore. The icon links to the discussion issue.
β οΈ means that this tool was not updated for more than 1 year, or the repo was archived.
Pull requests are very welcome!
Also check out the sister project, 886β
99π΄
awesome-dynamic-analysis).
- ABAP
- Ada
- Assembly
- Awk
- C
- C#
- C++
- Clojure
- CoffeeScript
- ColdFusion
- Crystal
- Dart
- Delphi
- Dlang
- Elixir
- Elm
- Erlang
- F#
- Fortran
- Go
- Groovy
- Haskell
- Haxe
- Java
- JavaScript
- Julia
- Kotlin
- Lua
- MATLAB
- Nim
- Ocaml
- PHP
- PL/SQL
- Perl
- Python
- R
- Rego
- Ruby
- Rust
- SQL
- Scala
- Shell
- Swift
- Tcl
- TypeScript
- Verilog/SystemVerilog
- Vim Script
Show Other
- .env
- Ansible
- Archive
- Azure Resource Manager
- Binaries
- Build tools
- CSS/SASS/SCSS
- Config Files
- Configuration Management
- Containers
- Continuous Integration
- Deno
- Embedded
- Embedded Ruby (a.k.a. ERB, eRuby)
- Gherkin
- HTML
- JSON
- Kubernetes
- LaTeX
- Laravel
- Makefiles
- Markdown
- Metalinter
- Mobile
- Nix
- Node.js
- Packages
- Prometheus
- Protocol Buffers
- Puppet
- Rails
- Security/SAST
- Smart Contracts
- Support
- Template-Languages
- Terraform
- Translation
- Vue.js
- Webassembly
- Writing
- YAML
- git
-
π abaplint β Linter for ABAP, written in TypeScript.
-
π abapOpenChecks β Enhances the SAP Code Inspector with new and customizable checks.
-
π Codepeer Β©οΈ β Detects run-time and logic errors.
-
π Polyspace for Ada Β©οΈ β Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
-
π SPARK Β©οΈ β Static analysis and formal verification toolset for Ada.
710β
72π΄
STOKE)β οΈ β A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.
- π gawk --lint β Warns about constructs that are dubious or nonportable to other awk implementations.
-
π AstrΓ©e Β©οΈ β AstrΓ©e automatically proves the absence of runtime errors and invalid conΒcurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
-
CBMC β Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
-
π clang-tidy β Clang-based C++ linter tool with the (limited) ability to fix issues, too.
-
649β
92π΄
clazy) β Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring. -
69β
27π΄
CMetrics) β Measures size and complexity for C files. -
π CPAchecker β A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.
-
π cppcheck β Static analysis of C/C++ code.
-
π CppDepend Β©οΈ β Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
-
36765β
13276π΄
cpplint) β Automated C++ checker that follows Google's style guide. -
61β
11π΄
cqmetrics) β Quality metrics for C code. -
π CScout β Complexity and quality metrics for C and C preprocessor code.
-
ESBMC β ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
-
flawfinder β Finds possible security weaknesses.
-
264β
21π΄
flint++) β Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. -
π Frama-C β A sound and extensible static analyzer for C code.
-
π GCC β The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13).
-
π Goblint β A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
-
π Helix QAC Β©οΈ β Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
-
2002β
149π΄
IKOS) β A sound static analyzer for C/C++ code based on LLVM. -
π Joern β Open-source code analysis platform for C/C++ based on code property graphs
-
KLEE β A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.
-
π LDRA Β©οΈ β A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
-
π MATE
β οΈ β A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs. -
π PC-lint Β©οΈ β Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.
-
π Phasar β A LLVM-based static analysis framework which comes with a taint and type state analysis.
-
π Polyspace Bug Finder Β©οΈ β Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
-
π Polyspace Code Prover Β©οΈ β Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
-
π scan-build β Frontend to drive the Clang Static Analyzer built into Clang via a regular build.
-
splint β Annotation-assisted static program checker.
-
π SVF β A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
-
π TrustInSoft Analyzer Β©οΈ β Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
-
π vera++ β Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.
-
.NET Analyzers β An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
-
809β
52π΄
ArchUnitNET) β A C# architecture test library to specify and assert architecture rules in C# for automated testing. -
π code-cracker β An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
-
160β
26π΄
CSharpEssentials)β οΈ β C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features. -
Designite Β©οΈ β Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.
-
π Gendarme β Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).
-
724β
29π΄
Infer#) β InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks. -
869β
47π΄
Meziantou.Analyzer) β A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style. -
NDepend Β©οΈ β Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
-
π Puma Scan β Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
-
3002β
245π΄
Roslynator) β A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn. -
726β
222π΄
SonarAnalyzer.CSharp) β These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase. -
64β
16π΄
VSDiagnostics)β οΈ β A collection of static analyzers based on Roslyn that integrates with VS. -
87β
11π΄
Wintellect.Analyzers) β .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.
-
π AstrΓ©e Β©οΈ β AstrΓ©e automatically proves the absence of runtime errors and invalid conΒcurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
-
CBMC β Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
-
π clang-tidy β Clang-based C++ linter tool with the (limited) ability to fix issues, too.
-
649β
92π΄
clazy) β Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring. -
69β
27π΄
CMetrics) β Measures size and complexity for C files. -
π cppcheck β Static analysis of C/C++ code.
-
π CppDepend Β©οΈ β Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
-
36765β
13276π΄
cpplint) β Automated C++ checker that follows Google's style guide. -
61β
11π΄
cqmetrics) β Quality metrics for C code. -
π CScout β Complexity and quality metrics for C and C preprocessor code.
-
ESBMC β ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
-
flawfinder β Finds possible security weaknesses.
-
264β
21π΄
flint++) β Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. -
π Frama-C β A sound and extensible static analyzer for C code.
-
π Helix QAC Β©οΈ β Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
-
2002β
149π΄
IKOS) β A sound static analyzer for C/C++ code based on LLVM. -
π Joern β Open-source code analysis platform for C/C++ based on code property graphs
-
KLEE β A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.
-
π LDRA Β©οΈ β A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
-
π MATE
β οΈ β A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs. -
π PC-lint Β©οΈ β Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.
-
π Phasar β A LLVM-based static analysis framework which comes with a taint and type state analysis.
-
π Polyspace Bug Finder Β©οΈ β Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
-
π Polyspace Code Prover Β©οΈ β Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
-
π scan-build β Frontend to drive the Clang Static Analyzer built into Clang via a regular build.
-
splint β Annotation-assisted static program checker.
-
π SVF β A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
-
π TrustInSoft Analyzer Β©οΈ β Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
-
π vera++ β Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.
1672β
290π΄
clj-kondo) β A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing.
- π coffeelint
β οΈ β A style checker that helps keep CoffeeScript code clean and consistent.
- π Fixinator Β©οΈ β Static security code analysis for ColdFusion or CFML code. Designed to work within a CI pipeline or from the developers terminal.
-
π ameba β A static code analysis tool for Crystal.
-
π crystal β The Crystal compiler has built-in linting functionality.
-
π Dart Code Metrics β Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.
-
π effective_dart β Linter rules corresponding to the guidelines in Effective Dart
-
276β
81π΄
lint) β An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter -
π Linter for dart β Style linter for Dart.
-
71β
6π΄
DelphiLint) β A Delphi IDE package providing on-the-fly code analysis and linting, powered by SonarDelphi. -
π Fix Insight Β©οΈ β A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.
-
π Pascal Analyzer Β©οΈ β A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.
-
π Pascal Expert Β©οΈ β IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.
-
82β
9π΄
SonarDelphi) β Delphi static analyzer for the SonarQube code quality platform.
237β
80π΄
D-scanner) β D-Scanner is a tool for analyzing D source code.
-
4872β
414π΄
credo) β A static code analysis tool with a focus on code consistency and teaching. -
1663β
139π΄
dialyxir) β Mix tasks to simplify use of Dialyzer in Elixir projects. -
1621β
92π΄
sobelow) β Security-focused static analysis for the Phoenix Framework.
-
π elm-analyse
β οΈ β A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices. -
π elm-review β Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.
-
π dialyzer β The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).
-
419β
87π΄
elvis) β Erlang Style Reviewer. -
100β
11π΄
Primitive Erlang Security Tool (PEST)) β A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure.
- π FSharpLint β Lint tool for F#.
-
π fprettify β Auto-formatter for modern fortran source code, written in Python. Fprettify is a tool that provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history and tested for editor integration.
-
58β
15π΄
i-Code CNES for Fortran)β οΈ β An open source static code analysis tool for Fortran 77, Fortran 90 and Shell.
-
π aligncheck β Find inefficiently packed structs.
-
301β
32π΄
bodyclose) β Checks whether HTTP response body is closed. -
49β
15π΄
deadcode) β Finds unused code. -
314β
27π΄
dingo-hunter)β οΈ β Static analyser for finding deadlocks in Go. -
71β
2π΄
dogsled) β Finds assignments/declarations with too many blank identifiers. -
336β
26π΄
dupl)β οΈ β Reports potentially duplicated code. -
2293β
136π΄
errcheck) β Check that error return values are used. -
369β
16π΄
errwrap) β Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive. -
49β
4π΄
flen) β Get info on length of functions in a Go package. -
3518β
267π΄
Go Meta Linter)β οΈ β Concurrently run Go lint tools and normalise their output. Usegolangci-lint
for new projects. -
π go tool vet --shadow β Reports variables that may have been unintentionally shadowed.
-
π go vet β Examines Go source code and reports suspicious.
-
331β
16π΄
go-consistent) β Analyzer that helps you to make your Go programs more consistent. -
1778β
113π΄
go-critic) β Go source code linter that maintains checks which are currently not implemented in other linters. -
π go/ast β Package ast declares the types used to represent syntax trees for Go packages.
-
57β
2π΄
goast)β οΈ β Go AST (Abstract Syntax Tree) based static analysis tool with Rego. -
102β
11π΄
gochecknoglobals) β Checks that no globals are present. -
282β
17π΄
goconst) β Finds repeated strings that could be replaced by a constant. -
1312β
80π΄
gocyclo)β οΈ β Calculate cyclomatic complexities of functions in Go source code. -
π gofmt -s β Checks if the code is properly formatted and could not be further simplified.
-
3108β
110π΄
gofumpt) β Enforce a stricter format thangofmt
, while being backwards-compatible. That is,gofumpt
is happy with a subset of the formats thatgofmt
is happy with. The tool is a fork ofgofmt
as of Go 1.19, and requires Go 1.18 or later. It can be used as a drop-in replacement to format your Go code, and running gofmt after gofumpt should produce no changes.gofumpt
will never add rules which disagree withgofmt
formatting. So we extendgofmt
rather than compete with it. -
π goimports β Checks missing or unreferenced package imports.
-
2170β
112π΄
gokart) β Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe. -
π GolangCI-Lint β Alternative to
Go Meta Linter
: GolangCI-Lint is a linters aggregator. -
3970β
497π΄
golint) β Prints out coding style mistakes in Go source code. -
3111β
269π΄
goreporter) β Concurrently runs many linters and normalises their output to a report. -
458β
19π΄
goroutine-inspect) β An interactive tool to analyze Golang goroutine dump. -
π gosec (gas) β Inspects source code for security problems by scanning the Go AST.
-
π gotype β Syntactic and semantic analysis similar to the Go compiler.
-
π govulncheck β Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program.
-
390β
22π΄
ineffassign) β Detect ineffectual assignments in Go code. -
692β
17π΄
interfacer)β οΈ β Suggest narrower interfaces that can be used. -
65β
9π΄
lll)β οΈ β Report long lines. -
530β
42π΄
maligned)β οΈ β Detect structs that would take less memory if their fields were sorted. -
1335β
114π΄
misspell) β Finds commonly misspelled English words. -
125β
13π΄
nakedret) β Finds naked returns. -
83β
5π΄
nargs) β Finds unused arguments in function declarations. -
627β
24π΄
prealloc) β Finds slice declarations that could potentially be preallocated. -
7489β
398π΄
Reviewdog) β A tool for posting review comments from any linter in any code hosting service. -
π revive β Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
-
564β
47π΄
safesql)β οΈ β Static analysis tool for Golang that protects against SQL injections. -
372β
15π΄
shisho)β οΈ β A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code. -
π staticcheck β Go static analysis that specialises in finding bugs, simplifying code and improving performance.
-
π structcheck β Find unused struct fields.
-
798β
29π΄
structslop) β Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency -
π test β Show location of test failures from the stdlib testing module.
-
376β
26π΄
unconvert) β Detect redundant type conversions. -
526β
28π΄
unparam) β Find unused function parameters. -
π varcheck β Find unused global variables and constants.
-
249β
44π΄
wsl) β Enforces empty lines at the right places.
- π CodeNarc β A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices.
-
687β
72π΄
brittany)β οΈ β Haskell source code formatter -
1443β
194π΄
HLint) β HLint is a tool for suggesting possible improvements to Haskell code. -
π Liquid Haskell β Liquid Haskell is a refinement type checker for Haskell programs.
-
π Stan β Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
-
162β
24π΄
Weeder) β A tool for detecting dead exports or package imports in Haskell code.
- π Haxe Checkstyle β A static analysis tool to help developers write Haxe code that adheres to a coding standard.
-
π Checker Framework β Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
-
π checkstyle β Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).
-
360β
139π΄
ck) β Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files. -
ckjm β Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.
-
π CogniCrypt β Checks Java source and byte code for incorrect uses of cryptographic APIs.
-
991β
348π΄
Dataflow Framework) β An industrial-strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Googleβs Error Prone, Uberβs NullAway, Metaβs Nullsafe, and in other contexts. It is distributed with the Checker Framework. -
DesigniteJava Β©οΈ β DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
-
π Diffblue Β©οΈ β Diffblue is a software company that provides AI-powered code analysis and testing solutions for software development teams. Its technology helps developers automate testing, find bugs, and reduce manual labor in their software development processes. The company's main product, Diffblue Cover, uses AI to generate and run unit tests for Java code, helping to catch errors and improve code quality.
-
π Doop β Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.).
-
π Error Prone β Catch common Java mistakes as compile-time errors.
-
fb-contrib β A plugin for FindBugs with additional bug detectors.
-
317β
34π΄
forbidden-apis) β Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible. -
5452β
844π΄
google-java-format) β Reformats Java source code to comply with Google Java Style -
301β
34π΄
HuntBugs)β οΈ β Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs. -
π IntelliJ IDEA Β©οΈ β Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more.
-
π JArchitect Β©οΈ β Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
-
π JBMC β Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
-
π Mariana Trench β Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). It can find vulnerabilities as code changes, before it ever lands in your repository.
-
3543β
285π΄
NullAway) β Type-based null-pointer checker with low build-time overhead; an Error Prone plugin. -
π OWASP Dependency Check β Checks dependencies for known, publicly disclosed, vulnerabilities.
-
π qulice β Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
-
336β
39π΄
RefactorFirst) β Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first. -
π Soot β A framework for analyzing and transforming Java and Android applications.
-
π Spoon β Spoon is a metaprogramming library to analyze and transform Java source code (incl Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
-
π SpotBugs β SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
-
π steady β Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy.
-
140β
39π΄
Violations Lib) β Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.
-
aether
β οΈ β Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser. -
π Closure Compiler β A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files.
-
109β
37π΄
ClosureLinter)β οΈ β Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors. -
206β
28π΄
complexity-report)β οΈ β Software complexity analysis for JavaScript projects. -
π DeepScan Β©οΈ β An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.
-
203β
40π΄
es6-plato)β οΈ β Visualize JavaScript (ES6) source complexity. -
257β
25π΄
escomplex)β οΈ β Software complexity analysis of JavaScript-family abstract syntax trees. -
π Esprima
β οΈ β ECMAScript parsing infrastructure for multipurpose analysis. -
π flow β A static type checker for JavaScript.
-
π hegel β A static type checker for JavaScript with a bias on type inference and strong type systems.
-
π jshint βΉοΈ β Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
-
3602β
459π΄
JSLint) βΉοΈ β The JavaScript Code Quality Tool. -
π JSPrime
β οΈ β Static security analysis tool. -
π NodeJSScan β A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.
-
4554β
321π΄
plato)β οΈ β Visualize JavaScript source complexity. -
429β
198π΄
Polymer-analyzer) β A static analysis framework for Web Components. -
π retire.js β Scanner detecting the use of JavaScript libraries with known vulnerabilities.
-
RSLint
β οΈ β A (WIP) JavaScript linter written in Rust designed to be as fast as possible, customizable, and easy to use. -
standard β An npm module that checks for Javascript Styleguide issues.
-
π tern β A JavaScript code analyzer for deep, cross-editor language support.
-
π TypL
β οΈ β With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing. -
7569β
285π΄
xo) β Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code. -
25β
4π΄
yardstick)β οΈ β Javascript code metrics.
-
699β
29π΄
JET) β Static type inference system to detect bugs and type instabilities. -
136β
28π΄
StaticLint) β Static Code Analysis for Julia
-
π detekt β Static code analysis for Kotlin code.
-
π diktat β Strict coding standard for Kotlin and a linter that detects and auto-fixes code smells.
-
π ktfmt β A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions. A ktfmt IntelliJ plugin is available from the plugin repository. To install it, go to your IDE's settings and select the Plugins category. Click the Marketplace tab, search for the ktfmt plugin, and click the Install button.
-
π ktlint β An anti-bikeshedding Kotlin linter with built-in formatter.
-
327β
48π΄
luacheck) β A tool for linting and static analysis of Lua code. -
85β
19π΄
lualint) β lualint performs luac-based static analysis of global variable usage in Lua source code. -
π Luanalysis β An IDE for statically typed Lua development.
- π mlint Β©οΈ β Check MATLAB code files for possible problems.
-
π DrNim β DrNim combines the Nim frontend with the Z3 proof engine in order to allow verify / validate software written in Nim.
-
82β
7π΄
nimfmt)β οΈ β Nim code formatter / linter / style checker
-
216β
42π΄
Sys) β A static/symbolic Tool for finding bugs in (browser) code. It uses the LLVM AST to find bugs like uninitialized memory access. -
342β
62π΄
VeriFast) β A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.
-
π CakeFuzzer β Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
-
1353β
57π΄
churn-php) β Helps discover good candidates for refactoring. -
288β
5π΄
composer-dependency-analyser) β Fast detection of composer dependency issues.
- πͺ Powerful: Detects unused, shadow and misplaced composer dependencies
- β‘ Performant: Scans 15 000 files in 2s!
- βοΈ Configurable: Fine-grained ignores via PHP config
- πΈοΈ Lightweight: No composer dependencies
- π° Easy-to-use: No config needed for first try
- β¨ Compatible: PHP >= 7.2
-
526β
24π΄
dephpend) β Dependency analysis tool. -
390β
40π΄
deprecation-detector) β Finds usages of deprecated (Symfony) code. -
2574β
138π΄
deptrac) β Enforce rules for dependencies between software layers. -
111β
13π΄
DesignPatternDetector) β Detection of design patterns in PHP code. -
π EasyCodingStandard β Combine
10614β
1484π΄
PHP_CodeSniffer) and12640β
1571π΄
PHP-CS-Fixer). -
π Enlightn β A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.
-
π exakat β An automated code reviewing engine for PHP.
-
4103β
428π΄
GrumPHP) β Checks code on every commit. -
5233β
394π΄
larastan) β Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan. -
π Mondrian
β οΈ β A set of static analysis and refactoring tools which use graph theory. -
π Nitpick CI Β©οΈ β Automated PHP code review.
-
273β
21π΄
parallel-lint) β This tool checks syntax of PHP files faster than serial check with a fancier output. -
358β
43π΄
Parse) β A Static Security Scanner. -
π pdepend β Calculates software metrics like cyclomatic complexity for PHP code.
-
?β
?π΄
phan) β A modern static analyzer from etsy. -
1013β
38π΄
PHP Architecture Tester) β Easy to use architecture testing tool for PHP. -
154β
10π΄
PHP Assumptions) β Checks for weak assumptions. -
π PHP Coding Standards Fixer β Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.
-
π PHP Insights β Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.
-
π Php Inspections (EA Extended)
β οΈ β A Static Code Analyzer for PHP. -
π PHP Refactoring Browser β Refactoring helper.
-
424β
28π΄
PHP Semantic Versioning Checker) β Suggests a next version according to semantic versioning. -
16854β
1078π΄
PHP-Parser) β A PHP parser written in PHP. -
67β
18π΄
php-speller) β PHP spell check library. -
188β
44π΄
PHP-Token-Reflection)β οΈ β Library emulating the PHP internal reflection. -
1530β
122π΄
php7cc)β οΈ β PHP 7 Compatibility Checker. -
799β
133π΄
php7mar)β οΈ β Assist developers in porting their code quickly to PHP 7. -
π PHP_CodeSniffer β Detects violations of a defined set of coding standards.
-
690β
35π΄
PHPArkitect) β PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. You can express the constraint that you want to enforce, in simple and readable PHP code. -
96β
8π΄
phpca)β οΈ β Finds usage of non-built-in extensions. -
2216β
189π΄
phpcpd)β οΈ β Copy/Paste Detector for PHP code. -
410β
47π΄
phpdcd)β οΈ β Dead Code Detector (DCD) for PHP code. -
π PhpDependencyAnalysis
β οΈ β Builds a dependency graph for a project. -
362β
37π΄
PhpDeprecationDetector) β Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions). -
225β
17π΄
phpdoc-to-typehint)β οΈ β Add scalar type hints and return types to existing PHP projects using PHPDoc annotations. -
π phpDocumentor β Analyzes PHP source code to generate documentation.
-
2320β
166π΄
phploc) β A tool for quickly measuring the size and analyzing the structure of a PHP project. -
π PHPMD β Finds possible bugs in your code.
-
PhpMetrics β Calculates and visualizes various code quality metrics.
-
545β
46π΄
phpmnd) β Helps to detect magic numbers. -
π PHPQA
β οΈ β A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics). -
1187β
68π΄
phpqa - jakzal) β Many tools for PHP static analysis in one container. -
328β
29π΄
phpqa - jmolivas) β PHPQA all-in-one Analyzer CLI tool. -
639β
77π΄
phpsa)β οΈ β Static analysis tool for PHP. -
π PHPStan β PHP Static Analysis Tool - discover bugs in your code without running it!
-
316β
63π΄
Progpilot) β A static analysis tool for security purposes. -
π Psalm β Static analysis tool for finding type errors in PHP applications.
-
491β
30π΄
Qafoo Quality Analyzer)β οΈ β Visualizes metrics and source code. -
π rector β Instant Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use-case are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
-
113β
51π΄
Reflection) β Reflection library to do Static Analysis for PHP Projects -
π Symfony Insight Β©οΈ β Detect security risks, find bugs and provide actionable metrics for PHP projects.
-
169β
7π΄
Tuli) β A static analysis engine. -
119β
33π΄
twig-lint) β twig-lint is a lint tool for your twig files. -
π WAP β Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining.
- π ZPA β Z PL/SQL Analyzer (ZPA) is an extensible code analyzer for PL/SQL and Oracle SQL. It can be integrated with SonarQube.
-
π Perl::Analyzer β Perl-Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.
-
π Perl::Critic β Critique Perl source code for best-practices.
-
π perltidy β Perltidy is a Perl script which indents and reformats Perl scripts to make them easier to read. The formatting can be controlled with command line parameters. The default parameter settings approximately follow the suggestions in the Perl Style Guide. Besides reformatting scripts, Perltidy can be a great help in tracking down errors with missing or extra braces, parentheses, and square brackets because it is very good at localizing errors.
-
38β
9π΄
zarn) β A lightweight static security analysis tool for modern Perl Apps
-
867β
80π΄
autoflake) β Autoflake removes unused imports and unused variables from Python code. -
π autopep8 β A tool that automatically formats Python code to conform to the PEP 8 style guide. It uses the pycodestyle utility to determine what parts of the code needs to be formatted.
-
π bandit β A tool to find common security issues in Python code.
-
266β
15π΄
bellybutton) β A linting engine supporting custom project-specific rules. -
π Black β The uncompromising Python code formatter.
-
π Bowler β Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code.
-
24β
12π΄
ciocheck)β οΈ β Linter, formatter and test suite helper. As a linter, it is a wrapper aroundpep8
,pydocstyle
,flake8
, andpylint
. -
227β
4π΄
cohesion)β οΈ β A tool for measuring Python class cohesion. -
π deal β Design by contract for Python. Write bug-free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.
-
162β
17π΄
Dlint)β οΈ β A tool for ensuring Python code is secure. -
120β
19π΄
Dodgy) β Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files. -
π fixit β A framework for creating lint rules and corresponding auto-fixes for source code.
-
3310β
302π΄
flake8) β A wrapper aroundpyflakes
,pycodestyle
andmccabe
. -
π flakeheaven β flakeheaven is a python linter built around flake8 to enable inheritable and complex toml configuration.
-
79β
3π΄
InspectorTiger)β οΈ β IT, Inspector Tiger, is a modern python code review tool / framework. It comes with bunch of pre-defined handlers which warns you about improvements and possible bugs. Beside these handlers, you can write your own or use community ones. -
π jedi β Autocompletion/static analysis library for Python.
-
185β
27π΄
linty fresh) β Parse lint errors and report them to Github as comments on a pull request. -
π mccabe β Check McCabe complexity.
-
27β
6π΄
multilint)β οΈ β A wrapper aroundflake8
,isort
andmodernize
. -
mypy β A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with
4576β
169π΄
MonkeyType). -
1914β
171π΄
prospector) β A wrapper aroundpylint
,pep8
,mccabe
and others. -
121β
29π΄
py-find-injection)β οΈ β Find SQL injection vulnerabilities in Python code. -
π pyanalyze β A tool for programmatically detecting common mistakes in Python code, such as references to undefined variables and type errors. It can be extended to add additional rules and perform checks specific to particular functions.
-
π PyCodeQual Β©οΈ β PyCodeQual gives you insights into complexity and bug risks. It adds automatic reviews to your pull requests.
-
π pycodestyle β (Formerly
pep8
) Check Python code against some of the style conventions in PEP 8. -
pydocstyle β Check compliance with Python docstring conventions.
-
π pyflakes β Check Python source files for errors.
-
pylint β Looks for programming errors, helps enforcing a coding standard and sniffs for some code smells. It additionally includes
pyreverse
(an UML diagram generator) andsymilar
(a similarities checker). -
π pylyzers β A static code analyzer / language server for Python, written in Rust, focused on type checking and readable output.
-
π pyre-check β A fast, scalable type checker for large Python codebases.
-
12296β
1307π΄
pyright) β Static type checker for Python, created to address gaps in existing tools like mypy. -
205β
24π΄
pyroma) β Rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved. -
π Pysa β A tool based on Facebook's pyre-check to identify potential security issues in Python code identified with taint analysis.
-
2164β
238π΄
PyT - Python Taint)β οΈ β A static analysis tool for detecting security vulnerabilities in Python web applications. -
π pytype β A static type analyzer for Python code.
-
π pyupgrade β A tool (and pre-commit hook) to automatically upgrade syntax for newer versions of the language.
-
109β
25π΄
QuantifiedCode)β οΈ β Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. -
π radon β A Python tool that computes various metrics from the source code.
-
2453β
53π΄
refurb) β A tool for refurbishing and modernizing Python codebases. Refurb is heavily inspired by clippy, the built-in linter for Rust. -
π ruff β Fast Python linter, written in Rust. 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
-
π unimport β A linter, formatter for finding and removing unused import statements.
-
3135β
140π΄
vulture) β Find unused classes, functions and variables in Python code. -
π wemake-python-styleguide β The strictest and most opinionated python linter ever.
-
1191β
57π΄
wily) β A command-line tool for archiving, exploring and graphing the complexity of Python source code. -
π xenon β Monitor code complexity using
1609β
113π΄
radon
). -
13667β
888π΄
yapf) β A formatter for Python files created by Google YAPF follows a distinctive methodology, originating from the 'clang-format' tool created by Daniel Jasper. Essentially, the program reframes the code to the most suitable formatting that abides by the style guide, even if the original code already follows the style guide. This concept is similar to the Go programming language's 'gofmt' tool, which aims to put an end to debates about formatting by having the entire codebase of a project pass through YAPF whenever changes are made, thereby maintaining a consistent style throughout the project and eliminating the need to argue about style in every code review.
-
46β
7π΄
cyclocomp) β Quantifies the cyclomatic complexity of R functions / expressions. -
π goodpractice β Analyses the source code for R packages and provides best-practice recommendations.
-
1157β
184π΄
lintr) β Static Code Analysis for R. -
π styler β Formatting of R source code files and pretty-printing of R code.
229β
28π΄
Regal) β Regal is a linter for the policy language Rego. Regal aims to catch bugs and mistakes in policy code, while at the same time helping people learn the language, best practices and idiomatic constructs.
-
π brakeman β A static analysis security vulnerability scanner for Ruby on Rails applications.
-
2657β
227π΄
bundler-audit) β Audit Gemfile.lock for gems with security vulnerabilities reported in991β
217π΄
Ruby Advisory Database). -
1318β
79π΄
cane)β οΈ β Code quality threshold checking as part of your build. -
401β
33π΄
Churn) β A Project to give the churn file, class, and method for a project for a given checkin. Over time the tool adds up the history of churns to give the number of times a file, class, or method is changing during the life of a project. -
732β
88π΄
dawnscanner) β A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks. -
584β
110π΄
ERB Lint) β Lint your ERB or HTML files -
1783β
73π΄
Fasterer) β Common Ruby idioms checker. -
π flay β Flay analyzes code for structural similarities.
-
π flog β Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.
-
31β
7π΄
Fukuzatsu) β A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions". -
324β
58π΄
htmlbeautifier) β A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates. -
387β
17π΄
laser)β οΈ β Static analysis and style linter for Ruby code. -
622β
97π΄
MetricFu)β οΈ β MetricFu is a set of tools to provide reports that show which parts of your code might need extra work. -
438β
19π΄
pelusa) β Static analysis Lint-type tool to improve your OO Ruby code. -
153β
18π΄
quality)β οΈ β Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. -
244β
20π΄
Querly)β οΈ β Pattern Based Checking Tool for Ruby. -
π Railroader
β οΈ β An open source static analysis security vulnerability scanner for Ruby on Rails applications. -
π rails_best_practices
β οΈ β A code metric tool for Rails projects -
3997β
279π΄
reek) β Code smell detector for Ruby. -
278β
37π΄
Roodi)β οΈ β Roodi stands for Ruby Object Oriented Design Inferometer. It parses your Ruby code and warns you about design issues you have based on the checks that it has configured. -
π RuboCop β A Ruby static code analyzer, based on the community Ruby style guide.
-
629β
29π΄
Rubrowser) β Ruby classes interactive dependency graph generator. -
ruby-lint
β οΈ β Static code analysis for Ruby. -
3298β
222π΄
rubycritic) β A Ruby code quality reporter. -
885β
58π΄
rufo) β An opinionated ruby formatter, intended to be used via the command line as a text-editor plugin, to autoformat files on save or on demand. -
π Saikuro
β οΈ β A Ruby cyclomatic complexity analyzer. -
π SandiMeter
β οΈ β Static analysis tool for checking Ruby code for Sandi Metz' rules. -
π Sorbet β A fast, powerful type checker designed for Ruby.
-
2623β
203π΄
Standard Ruby) β Ruby Style Guide, with linter & automatic code fixer -
1337β
86π΄
Steep) β Gradual Typing for Ruby.
-
π C2Rust β C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
-
1578β
45π΄
cargo udeps) β Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused. -
π cargo-audit β Audit Cargo.lock for crates with security vulnerabilities reported to the
?β
?π΄
RustSec Advisory Database). -
2222β
51π΄
cargo-bloat) β Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. -
111β
7π΄
cargo-breaking) β cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver. -
555β
48π΄
cargo-call-stack) β Whole program static stack analysis The tool produces the full call graph of a program as a dot file. -
π cargo-deny β A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.
-
2482β
65π΄
cargo-expand) β Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command. -
1346β
65π΄
cargo-geiger) β A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing -
384β
13π΄
cargo-inspect)β οΈ β Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains. -
π cargo-semver-checks β Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like
release-plz
. It found semver violations in π more than 1 in 6 of the top 1000 most-downloaded crates on crates.io. -
615β
32π΄
cargo-show-asm) β cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code -
311β
32π΄
cargo-spellcheck) β Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview) -
202β
7π΄
cargo-unused-features) β Find potential unused enabled feature flags and prune them. You can generate a simple HTML report from the json to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but it can be a false-positive. -
π clippy β A code linter to catch common mistakes and improve your Rust code.
-
π diff.rs β Web application (WASM) to render a diff between Rust crate versions.
-
π dylint β A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections.
-
π electrolysis
β οΈ β A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover. -
172β
4π΄
herbie)β οΈ β Adds warnings or errors to your crate when using a numerically unstable floating point expression. -
2000β
83π΄
kani) β The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler. Kani verifies:
- Memory safety (e.g., null pointer dereferences)
- User-specified assertions (i.e., assert!(...))
- The absence of panics (e.g., unwrap() on None values)
- The absence of some types of unexpected behavior (e.g., arithmetic overflows)
-
40β
22π΄
linter-rust)β οΈ β Linting your Rust-files in Atom, using rustc and cargo. -
354β
21π΄
lockbud) β Statically detects Rust deadlocks bugs. It currently detects two common kinds of deadlock bugs: doublelock and locks in conflicting order. It will print bugs in JSON format together with the source code location and an explanation of each bug. -
974β
85π΄
MIRAI) β And abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis. -
129β
4π΄
prae)β οΈ β Provides a convenient macro that allows you to generate type wrappers that promise to always uphold arbitrary invariants that you specified. -
π Prusti β A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable.
-
1299β
42π΄
Rudra) β Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io. -
3530β
258π΄
Rust Language Server)β οΈ β Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings. -
π rust-analyzer β Supports functionality such as 'goto definition', type inference, symbol search, reformatting, and code completion, and enables renaming and refactorings.
-
585β
25π΄
rust-audit) β Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable. -
857β
63π΄
rustfix) β Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy). -
5829β
853π΄
rustfmt) β A tool for formatting Rust code according to style guidelines. -
2648β
70π΄
RustViz) β RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs. -
88β
4π΄
warnalyzer) β Show unused code from multi-crate Rust projects
-
169β
3π΄
dbcritic) β dbcritic finds problems in a database schema, such as a missing primary key constraint in a table. -
π holistic β More than 1,300 rules to analyze SQL queries. Takes an SQL schema definition and the query source code to generate improvement recommendations. Detects code smells, unused indexes, unused tables, views, materialized views, and more.
-
29β
6π΄
pgspot) β Spot vulnerabilities in postgres extension scripts. Finds unsafe search_path usage and unsafe object creation in PostgreSQL extension scripts or any other PostgreSQL SQL code. -
99β
6π΄
sleek) β Sleek is a CLI tool for formatting SQL. It helps you maintain a consistent style across your SQL code, enhancing readability and productivity. The heavy lifting is done by the sqlformat crate. -
2394β
119π΄
sqlcheck) β Automatically identify anti-patterns in SQL queries. -
π SQLFluff β Multiple dialect SQL linter and formatter.
-
413β
27π΄
sqlint) β Simple SQL linter. -
π squawk β Linter for PostgreSQL, focused on migrations. Prevents unexpected downtime caused by database migrations and encourages best practices around Postgres schemas and SQL.
-
206β
72π΄
tsqllint) β T-SQL-specific linter. -
29β
8π΄
TSqlRules)β οΈ β TSQL Static Code Analysis Rules for SQL Server. -
π Visual Expert Β©οΈ β Code analysis for PowerBuilder, Oracle, and SQL Server Explores, analyzes, and documents Code
-
267β
34π΄
linter)β οΈ β Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems. -
Scalastyle β Scalastyle examines your Scala code and indicates potential problems with it.
-
516β
88π΄
scapegoat) β Scala compiler plugin for static code analysis. -
π WartRemover β A flexible Scala code linting tool.
-
325β
21π΄
bashate) β Code style enforcement for bash programs. The output format aims to follow pycodestyle (pep8) default output format. -
58β
15π΄
i-Code CNES for Shell)β οΈ β An open source static code analysis tool for Shell and Fortran (77 and 90). -
13β
0π΄
kmdr) β CLI tool for learning commands from your terminal. kmdr delivers a break down of commands with every attribute explained. -
π sh β A shell parser, formatter, and interpreter with bash support; includes shfmt
-
π shellcheck β ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts.
-
4569β
133π΄
shellharden) β A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
-
7573β
617π΄
SwiftFormat) β A library and command-line formatting tool for reformatting Swift code. -
π SwiftLint β A tool to enforce Swift style and conventions.
-
π Tailor
β οΈ β A static analysis and lint tool for source code written in Apple's Swift programming language.
-
Frink β A Tcl formatting and static check program (can prettify the program, minimise, obfuscate or just sanity check it).
-
π Nagelfar β A static syntax checker for Tcl.
-
66β
37π΄
tclchecker) β A static syntax analysis module (as part of66β
37π΄
TDK)).
-
1582β
209π΄
Angular ESLint) β Linter for Angular projects -
Codelyzer
β οΈ β A set of tslint rules for static code analysis of Angular 2 TypeScript projects. -
π fta β Rust-based static analysis for TypeScript projects
-
π stc β Speedy TypeScript type checker written in Rust
-
π tslint
β οΈ β TSLint has been deprecated as of 2019. Please see?β
?π΄
this issue) for more details.typescript-eslint
is now your best option for linting TypeScript. TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors & build systems and can be customized with your own lint rules, configurations, and formatters. -
π tslint-clean-code β A set of TSLint rules inspired by the Clean Code handbook.
-
701β
199π΄
tslint-microsoft-contrib)β οΈ β A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft. -
220β
18π΄
TypeScript Call Graph)β οΈ β CLI to generate an interactive graph of functions and calls from your TypeScript files -
14729β
2650π΄
TypeScript ESLint) β TypeScript language extension for eslint. -
π zod β TypeScript-first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.
-
2694β
512π΄
Icarus Verilog) β A Verilog simulation and synthesis tool that operates by compiling source code written in IEEE-1364 Verilog into some target format -
420β
32π΄
svls) β A Language Server Protocol implementation for Verilog and SystemVerilog, including lint capabilities. -
25β
12π΄
verible-linter-action) β Automatic SystemVerilog linting in github actions with the help of Verible Used to lint Verilog and SystemVerilog source files and comment erroneous lines of code in Pull Requests automatically. -
π Verilator β A tool which converts Verilog to a cycle-accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.
-
281β
76π΄
vscode-verilog-hdl-support) β Verilog HDL/SystemVerilog/Bluespec SystemVerilog support for VS Code. Provides syntax highlighting and Linting support from Icarus Verilog, Vivado Logical Simulation, Modelsim and Verilator
699β
33π΄
vint) β Fast and Highly Extensible Vim script Language Lint implemented by Python.
-
13342β
1414π΄
ale) β Asynchronous Lint Engine for Vim and NeoVim with support for many languages. -
π Android Studio β Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint.
-
π AppChecker Β©οΈ β Static analysis for C/C++/C#, PHP and Java.
-
π Application Inspector Β©οΈ β Commercial Static Code Analysis which generates exploits to verify vulnerabilities.
-
4182β
351π΄
ApplicationInspector) β Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps). -
π ArchUnit β Unit test your Java or Kotlin architecture.
-
π Atom-Beautify
β οΈ β Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor. -
π autocorrect β A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean).
-
π Axivion Bauhaus Suite Β©οΈ β Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
-
1810β
83π΄
Bearer) β Open-Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams. -
π Better Code Hub Β©οΈ β Better Code Hub checks your GitHub codebase against 10 engineering guidelines devised by the authority in software quality, Software Improvement Group.
-
709β
84π΄
Betterscan CE) β Checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrationss available) for security and quality issues. Code Scanning/SAST/Linting using many tools/Scanners deduplicated with One Report (AI optional). -
π biome β A toolchain for web projects, aimed to provide functionalities to maintain them. Biome formats and lints code in a fraction of a second. It is the successor to Rome. It is designed to eventually replace Biome is designed to eventually replace Babel, ESLint, webpack, Prettier, Jest, and others.
-
π BugProve Β©οΈ β BugProve is a firmware analysis platform featuring both static and dynamic analysis techniques to discover memory corruptions, command injections and other classes or common weaknesses in binary code. It also detects vulnerable dependencies, weak cryptographic parameters, misconfigurations, and more.
-
201β
25π΄
callGraph) β Statically generates a call graph image and displays it on screen. -
π CAST Highlight Β©οΈ β Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.
-
π Checkmarx CxSAST Β©οΈ β Commercial Static Code Analysis which doesn't require pre-compilation.
-
2668β
280π΄
ClassGraph) β A classpath and module path scanner for querying or visualizing class metadata or class relatedness. -
π Clayton Β©οΈ β AI-powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
-
π coala
β οΈ β Language independent framework for creating code analysis - supports π over 60 languages by default. -
π Cobra Β©οΈ β Structural source code analyzer by NASA's Jet Propulsion Laboratory.
-
π Codacy Β©οΈ β Code Analysis to ship Better Code, Faster.
-
π Code Intelligence Β©οΈ β CI/CD-agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage
-
π Codeac Β©οΈ β Automated code review tool integrates with GitHub, Bitbucket and GitLab (even self-hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free)
-
π codeburner β Provides a unified interface to sort and act on the issues it finds.
-
π codechecker β A defect database and viewer extension for the Clang Static Analyzer with web GUI.
-
π CodeFactor Β©οΈ β Automated Code Analysis for repos on GitHub or BitBucket.
-
π CodeFlow Β©οΈ β Automated code analysis tool to deal with technical depth. Integrates with Bitbucket and Gitlab. (free for Open Source Projects)
-
π CodeIt.Right Β©οΈ β CodeIt.Rightβ’ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.
-
π Codemodder β Codemodder is a pluggable framework for building expressive codemods. Use Codemodder when you need more than a linter or code formatting tool. Use it to fix non-trivial security issues and other code quality problems.
-
π CodePatrol Β©οΈ β Automated SAST code reviews driven by security, supports 15+ languages and includes security training.
-
7244β
1454π΄
codeql) β Deep code analysis - semantic queries and dataflow for several languages with VSCode plugin support. -
π CodeQue β Ecosystem for structural matching JavaScript and TypeScript code. Offers search tool that understands code structure. Available as CLI tool and Visual Studio Code extension. It helps to search code faster and more accurately making you workflow more effective. Soon it will offer ESLint plugin to create your own rules in minutes to help with assuring codebase quality.
-
π CodeRush Β©οΈ β Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up.
-
π CodeScan Β©οΈ β Code Quality and Security for Salesforce Developers. Made exclusively for the Salesforce platform, CodeScanβs code analysis solutions provide you with total visibility into your code health.
-
π CodeScene Β©οΈ β CodeScene is a quality visualization tool for software. Prioritize technical debt, detect delivery risks, and measure organizational aspects. Fully automated.
-
π CodeSee Β©οΈ β CodeSee is mapping and automating your app's services, directories, file dependencies, and code changes. It's like Google Map, but for code.t
-
π CodeSonar from GrammaTech Β©οΈ β Advanced, whole program, deep path, static analysis of C, C++, Java and C# with easy-to-understand explanations and code and path visualization.
-
π Codiga Β©οΈ β Automated Code Reviews and Technical Debt management platform that supports 12+ languages.
-
2142β
111π΄
Corrode)β οΈ β Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust. -
π Coverity Β©οΈ β Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET.
-
π cpp-linter-action β A Github Action for linting C/C++ code integrating clang-tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.
-
325β
18π΄
cqc)β οΈ β Check your code quality for js, jsx, vue, css, less, scss, sass and styl files. -
π DeepCode
β οΈ Β©οΈ β DeepCode was acquired by Snyk is now Snyk Code. -
π DeepSource Β©οΈ β In-depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
-
183β
51π΄
Depends) β Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby. -
888β
110π΄
DevSkim) β Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others. -
1911β
172π΄
dotenet-format) β A code formatter for .NET. Preferences will be read from an.editorconfig
file, if present, otherwise a default set of preferences will be used. At this time dotnet-format is able to format C# and Visual Basic projects with a subset of supported.editorconfig
options. -
π Embold Β©οΈ β Intelligent software analytics platform that identifies design issues, code issues, duplication and metrics. Supports Java, C, C++, C#, JavaScript, TypeScript, Python, Go, Kotlin and more.
-
750β
43π΄
emerge) β Emerge is a source code and dependency visualizer that can be used to gather insights about source code structure, metrics, dependencies and complexity of software projects. After scanning the source code of a project it provides you an interactive web interface to explore and analyze your project by using graph structures. -
24459β
4418π΄
ESLint) β An extensible linter for JS, following the ECMAScript standard. -
π ezno β A JavaScript compiler and TypeScript checker written in Rust with a focus on static analysis and runtime performance. Ezno's type checker is built from scratch. The checker is fully compatible with TypeScript type annotations and can work without any type annotations at all.
-
π Find Security Bugs β The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
-
π Fortify Β©οΈ β A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
-
π Freeplane Code Explorer β The Code Explorer mode in Freeplane is designed for analyzing the structure and dependencies of code compiled to JVM class files. It also allows displaying ArchUnit test results directly in Freeplane, if Freeplane is running and ArchUnit detects rule violations during the tests.
-
π Goodcheck β Regexp based customizable linter.
-
50β
3π΄
goone)β οΈ β Finds N+1 queries (SQL calls in a for loop) in go code -
graudit β Grep rough audit - source code auditing tool.
-
π HCL AppScan Source Β©οΈ β Commercial Static Code Analysis.
-
55β
11π΄
Hopper)β οΈ β A static analysis tool written in scala for languages that run on JVM. -
π Hound CI β Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.
-
222β
42π΄
imhotep) β Comment on commits coming into your repository and check for syntactic errors and general lint warnings. -
73β
28π΄
include-gardener)β οΈ β A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all#include
relations of a given set of files. -
π Infer β A static analyzer for Java, C and Objective-C
-
π Kiuwan Β©οΈ β Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C\C++, Java, C#, PHP and more.
-
π Klocwork Β©οΈ β Quality and Security Static analysis for C/C++, Java and C#.
-
π LGTM Β©οΈ β Find security vulnerabilities, variants, and critical code quality issues using CodeQL queries over source code. Automatic PR code review; free for open source. Formerly semmle. It supports public Git repositories hosted on Bitbucket Cloud, GitHub.com, GitLab.com.
-
1777β
242π΄
lizard) β Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions. -
π Mega-Linter β Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes
-
π Mobb Β©οΈ β Mobb is a trusted, automatic vulnerability fixer that secures applications, reduces security backlogs, and frees developers to focus on innovation. Mobb is free for open-source projects.
-
π MOPSA β A static analyzer designed to easily reuse abstract domains across widely different languages (such as C and Python).
-
oclint
β οΈ β A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C. -
π Offensive 360 Β©οΈ β Commercial Static Code Analysis system doesn't require building the source code or pre-compilation.
-
π OpenRewrite β OpenRewrite π fixes common static analysis issues reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.
-
39β
18π΄
OpenStaticAnalyzer) β OpenStaticAnalyzer is a source code analyzer tool, which can perform deep static analysis of the source code of complex systems. -
9304β
339π΄
oxc) β The Oxidation Compiler is creating a suite of high-performance tools for the JavaScript / TypeScript language re-written in Rust. -
π parasoft Β©οΈ β Automated Software Testing Solutions for unit-, API-, and web UI testing. Complies with MISRA, OWASP, and others.
-
?β
?π΄
pfff)β οΈ β Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages. -
π Pixee Β©οΈ β Pixeebot finds security and code quality issues in your code and creates merge-ready pull requests with recommended fixes.
-
π PMD β A source code analyzer for Java, Salesforce Apex, Javascript, PLSQL, XML, XSL and others.
-
π pre-commit β A framework for managing and maintaining multi-language pre-commit hooks.
-
π Prettier β An opinionated code formatter.
-
2601β
245π΄
Pronto) β Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more. -
60β
12π΄
PT.PM)β οΈ β An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL. -
668β
38π΄
Putout) β Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json. -
π PVS-Studio Β©οΈ β A π conditionally free for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes
29β
42π΄
you can propose a large FOSS project for analysis by PVS employees). Supports CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding standards. -
π pylama β Code audit tool for Python and JavaScript. Wraps pycodestyle, pydocstyle, PyFlakes, Mccabe, Pylint, and more
-
π Qwiet AI Β©οΈ β Identify vulnerabilities that are unique to your code base before they reach production. Leverages the Code Property Graph (CPG) to run its analyses concurrently in a single graph of graphs. Automatically finds business logic flaws in dev like hardcoded secrets and logic bombs
-
π Refactoring Essentials
β οΈ β The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers. -
49β
10π΄
relint) β A static file linter that allows you to write custom rules using regular expressions (RegEx). -
π ReSharper Β©οΈ β Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
-
π RIPS Β©οΈ β A static source code analyser for vulnerabilities in PHP scripts.
-
1540β
458π΄
Roslyn Analyzers) β Roslyn-based implementation of FxCop analyzers. -
π Roslyn Security Guard β Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
-
π SafeQL β Validate and auto-generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.
-
π SAST Online Β©οΈ β Check the Android Source code thoroughly to uncover and address potential security concerns and vulnerabilities. Static application security testing (Static Code Analysis) tool Online
-
π Scrutinizer Β©οΈ β A proprietary code quality checker that can be integrated with GitHub.
-
π Security Code Scan β Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
-
π Semgrep β A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
-
π Semgrep Supply Chain Β©οΈ β Quickly find and remediate high-priority security issues. Semgrep Supply Chain prioritizes the 2% of vulnerabilities that are reachable from your code.
-
780β
110π΄
ShiftLeft Scan) β Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines. -
269β
42π΄
shipshape)β οΈ β Static program analysis platform that allows custom analyzers to plug in through a common interface. -
π Sigrid Β©οΈ β Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.
-
π Similarity Tester β A tool that finds similarities between or within files to support you encountering DRY principle violations.
-
π Snyk Code Β©οΈ β Snyk Code finds security vulnerabilities based on AI. Its speed of analysis allow us to analyse your code in real time and deliver results when you hit the save button in your IDE. Supported languages are Java, JavaScript, Python, PHP, C#, Go and TypeScript. Integrations with GitHub, BitBucket and Gitlab. It is free to try and part of the Snyk platform also covering SCA, containers and IaC.
-
π SonarCloud Β©οΈ β SonarCloud enables your team to deliver clean code consistently and efficiently with a code review tool that easily integrates into the cloud DevOps platforms and extend your CI/CD workflow. SonarCloud is free for open source projects.
-
π SonarLint β SonarLint is a free IDE extension available for IntelliJ, VS Code, Visual Studio, and Eclipse, to find and fix coding issues in real-time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.
-
π SonarQube β SonarQube empowers development teams with a code quality and security solution that deeply integrates into your enterprise environment; enabling you to deploy clean code consistently and reliably. SonarQube provides a free and open source Community Edition.
-
π Sonatype Β©οΈ β Reports known vulnerabilities in common dependencies and recommends updated packages to minimize breaking changes
-
π Soto Platform Β©οΈ β Suite of static analysis tools consisting of the three components Sotoarc (Architecture Analysis), Sotograph (Quality Analysis), and Sotoreport (Quality report). Helps find differences between architecture and implementation, interface violations (e.g. external access of private parts of subsystems, detection of all classes, files, packages and subsystems which are strongly coupled by cyclical relationships and more. The Sotograph product family runs on Windows and Linux.
-
π SourceMeter Β©οΈ β Static Code Analysis for C/C++, Java, C#, Python, and RPG III and RPG IV versions (including free-form).
-
486β
24π΄
sqlvet) β Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that could potentially lead to SQL injections makes sure column count matches value count in INSERT statements and validates table- and column names. -
π StaticReviewer Β©οΈ β Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.
-
91β
14π΄
Super-Linter) β Combination of multiple linters to install as a GitHub Action. -
π Svace Β©οΈ β Static code analysis tool for Java,C,C++,C#,Go.
-
π Synopsys Β©οΈ β A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).
-
π Teamscale Β©οΈ β Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available.
-
π TencentCodeAnalysis β Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
-
4671β
573π΄
ThreatMapper) β Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit. -
417β
42π΄
todocheck) β Linter for integrating annotated TODOs with your issue trackers -
21790β
2146π΄
trivy) β A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems. -
π trunk Β©οΈ β Modern repositories include many technologies, each with its own set of linters. With 30+ linters and counting, Trunk makes it dead-simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.
-
1933β
572π΄
TscanCode) β A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license. -
1636β
64π΄
Undebt) β Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions. -
π Understand Β©οΈ β Code visualization tool that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada, VHDL, and others.
-
π Unibeautify β Universal code beautifier with a GitHub app. Supports HTML, CSS, JavaScript, TypeScript, JSX, Vue, C++, Go, Objective-C, Java, Python, PHP, GraphQL, Markdown, and more.
-
π Upsource Β©οΈ β Code review tool with static code analysis and code-aware navigation for Java, PHP, JavaScript and Kotlin.
-
π Veracode Β©οΈ β Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.
-
736β
220π΄
WALA) β Static analysis capabilities for Java bytecode and related languages and for JavaScript. -
2283β
127π΄
weggli) β A fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases. -
π WhiteHat Application Security Platform Β©οΈ β WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.
-
282β
23π΄
Wotan)β οΈ β Pluggable TypeScript and JavaScript linter. -
π XCode Β©οΈ β XCode provides a pretty decent UI for π Clang's static code analyzer (C/C++, Obj-C).
- π GitGuardian ggshield β ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.
-
π kics β Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
-
π Steampunk Spotter Β©οΈ β Ansible Playbook Scanning Tool that analyzes and offers recommendations for your playbooks.
-
19β
4π΄
alquitran) β Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations. This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users. -
π packj β Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
-
235β
7π΄
pure)β οΈ β Pure is a static analysis file format checker that checks ZIP files for dangerous compression ratios, spec deviations, malicious archive signatures, mismatching local and central directory headers, ambiguous UTF-8 filenames, directory and symlink traversals, invalid MS-DOS dates, overlapping headers, overflow, underflow, sparseness, accidental buffer bleeds etc.
- π AzSK β Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.
-
7297β
1046π΄
angr) β Binary code analysis tool that also supports symbolic execution. -
473β
55π΄
binbloom) β Analyzes a raw binary firmware and determines features like endianness or the loading address. The tool is compatible with all architectures. Loading address: binbloom can parse a raw binary firmware and determine its loading address. Endianness: binbloom can use heuristics to determine the endianness of a firmware. UDS Database: binbloom can parse a raw binary firmware and check if it contains an array containing UDS command IDs. -
757β
155π΄
BinSkim) β A binary static analysis tool that provides security and correctness results for Windows portable executables. -
π Black Duck Β©οΈ β Tool to analyze source code and binaries for reusable code, necessary licenses and potential security aspects.
-
4583β
331π΄
bloaty) β Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F -
2222β
51π΄
cargo-bloat) β Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. -
1066β
115π΄
cwe_checker) β cwe_checker finds vulnerable patterns in binary executables. -
π Ghidra β A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
-
π Hopper Β©οΈ β macOS and Linux reverse engineering tool that lets you disassemble, decompile and debug applications. Hopper displays the code using different representations, e.g. the Control Flow Graph, and the pseudo-code of a procedure. Supports Apple Silicon.
-
π IDA Free Β©οΈ β Binary code analysis tool.
-
150β
22π΄
Jakstab) β Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs. -
π JEB Decompiler Β©οΈ β Decompile and debug binary code. Break down and analyze document files. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly & Ethereum Decompilers.
-
π ktool β Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
-
993β
162π΄
Manalyze) β A static analyzer, which checks portable executables for malicious content. -
2595β
345π΄
mcsema)β οΈ β Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode. It translates ("lifts") executable binaries from native machine code to LLVM bitcode, which is very useful for performing program analysis methods. -
494β
80π΄
Nauz File Detector) β Static Linker/Compiler/Tool detector for Windows, Linux and MacOS. -
585β
25π΄
rust-audit) β Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable. -
π Twiggy β Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size.
-
352β
42π΄
VMware chap) β chap analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations. -
π zydis β Fast and lightweight x86/x86-64 disassembler library
-
1009β
44π΄
checkmake) β Linter / Analyzer for Makefiles. -
π portlint β A verifier for FreeBSD and DragonFlyBSD port directories.
-
π CSS Stats β Potentially interesting stats on stylesheets.
-
3275β
460π΄
CSScomb) β A coding style formatter for CSS. Supports own configurations to make style sheets beautiful and consistent. -
CSSLint β Does basic syntax checking and finds problematic patterns or signs of inefficiency.
-
π GraphMyCSS.com β CSS Specificity Graph Generator.
-
π Nu Html Checker β Helps you catch problems in your HTML/CSS/SVG
-
2470β
74π΄
Parker)β οΈ β Stylesheet analysis tool. -
π PostCSS β A tool for transforming styles with JS plugins. These plugins can lint your CSS, support variables and mixins, transpile future CSS syntax, inline images, and more.
-
π Project Wallace CSS Analyzer β Analytics for CSS, part of π Project Wallace.
-
1768β
534π΄
sass-lint)β οΈ β A Node-only Sass linter for both sass and scss syntax. -
3635β
469π΄
scsslint) β Linter for SCSS files. -
π Specificity Graph β CSS Specificity Graph Generator.
-
Stylelint β Linter for SCSS/CSS files.
-
π dotenv-linter β Linting dotenv files like a charm.
-
π dotenv-linter (Rust) β Lightning-fast linter for .env files. Written in Rust
-
8180β
395π΄
gixy) β A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.
-
π ansible-lint β Checks playbooks for practices and behaviour that could potentially be improved.
-
1246β
176π΄
AWS CloudFormation Guard) β Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates. -
π AzSK β Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.
-
2369β
575π΄
cfn-lint) β AWS Labs CloudFormation linter. -
1225β
208π΄
cfn_nag) β A linter for AWS CloudFormation templates. -
π checkov β Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.
-
π cookstyle β Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks.
-
foodcritic β A lint tool that checks Chef cookbooks for common problems.
-
π kics β Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
-
29β
27π΄
metadata-json-lint) β Tool to check the validity of Puppet metadata.json files. -
818β
206π΄
Puppet Lint)β οΈ β Check that your Puppet manifests conform to the style guide. -
π Steampunk Spotter Β©οΈ β Ansible Playbook Scanning Tool that analyzes and offers recommendations for your playbooks.
-
π terraform-compliance β A lightweight, compliance- and security focused, BDD test framework against Terraform.
-
4561β
493π΄
terrascan) β Collection of security and best practice tests for static code analysis of Terraform templates. -
4679β
346π΄
tflint) β A Terraform linter for detecting errors that can not be detected byterraform plan
. -
6600β
530π΄
tfsec) β Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.
-
π anchore β Discover, analyze, and certify container images. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification
-
10102β
1151π΄
clair) β Vulnerability Static Analysis for Containers. -
289β
25π΄
collector)β οΈ β Run arbitrary scripts inside containers, and gather useful information. -
1123β
158π΄
dagda)β οΈ β Perform static analysis of known vulnerabilities in docker images/containers. -
80β
5π΄
Docker Label Inspector)β οΈ β Lint and validate Dockerfile labels. -
π GitGuardian ggshield β ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.
-
9966β
403π΄
Haskell Dockerfile Linter) β A smarter Dockerfile linter that helps you build best practice Docker images. -
π kics β Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
-
666β
34π΄
krane) β Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition. -
π OpenSCAP β Suite of automated audit tools to examine the configuration and known vulnerabilities following the NIST-certified Security Content Automation Protocol (SCAP).
-
π Qualys Container Security Β©οΈ β Container native application protection to provide visibility and control of containerized applications.
-
π sysdig Β©οΈ β A secure DevOps platform for cloud and container forensics. Built on an open source stack, Sysdig provides Docker image scanning and created Falco, the open standard for runtime threat detection for containers, Kubernetes and cloud.
-
π Vuls β Agent-less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although is not a container specific tool.
-
π actionlint β Static checker for GitHub Actions workflow files. Provides an online version.
-
π AzSK β Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.
-
π Code Climate β The open and extensible static analysis platform, for everyone.
-
π Codecov Β©οΈ β Codecov is a company that provides code coverage tools for developers and engineering leaders to gain visibility into their code coverage. They offer flexible and unified reporting, seamless coverage insights, and robust coverage controls. Codecov supports over 20 languages and is CI/CD agnostic. Over 29,000 organizations and 1 million developers use Codecov. Codecov has recently joined Sentry.
-
288β
5π΄
composer-dependency-analyser) β Fast detection of composer dependency issues.
- πͺ Powerful: Detects unused, shadow and misplaced composer dependencies
- β‘ Performant: Scans 15 000 files in 2s!
- βοΈ Configurable: Fine-grained ignores via PHP config
- πΈοΈ Lightweight: No composer dependencies
- π° Easy-to-use: No config needed for first try
- β¨ Compatible: PHP >= 7.2
-
π Diffblue Β©οΈ β Diffblue is a software company that provides AI-powered code analysis and testing solutions for software development teams. Its technology helps developers automate testing, find bugs, and reduce manual labor in their software development processes. The company's main product, Diffblue Cover, uses AI to generate and run unit tests for Java code, helping to catch errors and improve code quality.
-
π exakat β An automated code reviewing engine for PHP.
-
π GitGuardian ggshield β ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.
-
π Goblint β A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
-
π Nitpick CI Β©οΈ β Automated PHP code review.
-
π PullRequest Β©οΈ β Code review as a service with built-in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation.
-
153β
18π΄
quality)β οΈ β Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. -
109β
25π΄
QuantifiedCode)β οΈ β Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. -
336β
39π΄
RefactorFirst) β Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first. -
7489β
398π΄
Reviewdog) β A tool for posting review comments from any linter in any code hosting service. -
π Symfony Insight Β©οΈ β Detect security risks, find bugs and provide actionable metrics for PHP projects.
-
140β
39π΄
Violations Lib) β Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.
1506β
160π΄
deno_lint) β Official linter for Deno.
53β
25π΄
oelint-adv) β Linter for bitbake recipes used in open-embedded and YOCTO
-
584β
110π΄
ERB Lint) β Lint your ERB or HTML files -
324β
58π΄
htmlbeautifier) β A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates.
172β
73π΄
gherkin-lint) β A linter for the Gherkin-Syntax written in Javascript.
-
1582β
209π΄
Angular ESLint) β Linter for Angular projects -
2398β
313π΄
Bootlint)β οΈ β An HTML linter for Bootstrap projects. -
584β
110π΄
ERB Lint) β Lint your ERB or HTML files -
65β
22π΄
grunt-bootlint)β οΈ β A Grunt wrapper for2398β
313π΄
Bootlint), the HTML linter for Bootstrap projects. -
41β
9π΄
gulp-bootlint)β οΈ β A gulp wrapper for2398β
313π΄
Bootlint), the HTML linter for Bootstrap projects. -
2320β
144π΄
HTML Inspector)β οΈ β HTML Inspector is a code quality tool to help you and your team write better markup. -
HTML Tidy β Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards.
-
π HTML-Validate β Offline HTML5 validator.
-
324β
58π΄
htmlbeautifier) β A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates. -
π HTMLHint β A Static Code Analysis Tool for HTML.
-
π Nu Html Checker β Helps you catch problems in your HTML/CSS/SVG
-
429β
198π΄
Polymer-analyzer) β A static analysis framework for Web Components.
-
π jsonlint β A JSON parser and validator with a CLI. Standalone version of jsonlint.com
-
π Spectral β A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
-
1263β
211π΄
chart-testing) β ct is the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch. -
536β
45π΄
clusterlint) β Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations. -
π Datree β A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organizationβs policies
-
π kics β Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
-
41β
10π΄
klint) β A tool that listens to changes in Kubernetes resources and runs linting rules against them. Identify and debug erroneous objects and nudge objects in line with the policies as both change over time. Klint helps us encode checks and proactively alert teams when they need to take action. -
666β
34π΄
krane) β Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition. -
π kube-hunter β Hunt for security weaknesses in Kubernetes clusters.
-
157β
12π΄
kube-lint) β A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them. -
2792β
226π΄
kube-linter) β KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. -
π kube-score β Static code analysis of your Kubernetes object definitions.
-
2001β
114π΄
kubeconform) β A fast Kubernetes manifests validator with support for custom resources.
It is inspired by, contains code from and is designed to stay close to π Kubeval, but with the following improvements:
- high performance: will validate & download manifests over multiple routines, caching downloaded files in memory
- configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities
- uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes.
-
2792β
226π΄
KubeLinter) β KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. -
π kubeval β Validates your Kubernetes configuration files and supports multiple Kubernetes versions.
-
ChkTeX β A linter for LaTex which catches some typographic errors LaTeX oversees.
-
π lacheck β A tool for finding common mistakes in LaTeX documents.
-
π TeXLab β A Language Server Protocol implementation for TeX/LaTeX, including lint capabilities.
-
π Enlightn β A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.
-
5233β
394π΄
larastan) β Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan.
-
1009β
44π΄
checkmake) β Linter / Analyzer for Makefiles. -
π portlint β A verifier for FreeBSD and DragonFlyBSD port directories.
-
4542β
687π΄
markdownlint) β Node.js -based style checker and lint tool for Markdown/CommonMark files. -
π mdformat β CommonMark compliant Markdown formatter
-
1726β
228π΄
mdl) β A tool to check Markdown files and flag style issues. -
π remark-lint β Pluggable Markdown code style linter written in JavaScript.
-
π textlint β textlint is an open source text linting utility written in JavaScript.
-
24β
12π΄
ciocheck)β οΈ β Linter, formatter and test suite helper. As a linter, it is a wrapper aroundpep8
,pydocstyle
,flake8
, andpylint
. -
3310β
302π΄
flake8) β A wrapper aroundpyflakes
,pycodestyle
andmccabe
. -
π flakeheaven β flakeheaven is a python linter built around flake8 to enable inheritable and complex toml configuration.
-
3518β
267π΄
Go Meta Linter)β οΈ β Concurrently run Go lint tools and normalise their output. Usegolangci-lint
for new projects. -
3111β
269π΄
goreporter) β Concurrently runs many linters and normalises their output to a report. -
27β
6π΄
multilint)β οΈ β A wrapper aroundflake8
,isort
andmodernize
. -
1914β
171π΄
prospector) β A wrapper aroundpylint
,pep8
,mccabe
and others.
-
Android Lint β Run static analysis on Android projects.
-
π android-lint-summary
β οΈ β Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once. -
1017β
289π΄
FlowDroid) β Static taint analysis tool for Android applications. -
π iblessing
β οΈ β iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. -
π Mariana Trench β Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). It can find vulnerabilities as code changes, before it ever lands in your repository.
-
π Oversecured Β©οΈ β Enterprise vulnerability scanner for Android and iOS apps. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process.
-
72β
18π΄
paprika)β οΈ β A toolkit to detect some code smells in analyzed Android applications. -
3153β
642π΄
qark)β οΈ β Tool to look for several security related Android application vulnerabilities. -
π redex β Redex provides a framework for reading, writing, and analyzing .dex files, and a set of optimization passes that use this framework to improve the bytecode. An APK optimized by Redex should be smaller and faster.
-
428β
15π΄
deadnix) β Scan Nix files for dead code (unused variable bindings) -
π statix β Lints and suggestions for the Nix programming language. "statix check" highlights antipatterns in Nix code. "statix fix" can fix several such occurrences.
-
774β
34π΄
lockfile-lint) β Lint an npm or yarn lockfile to analyze and detect security issues -
π njsscan β A static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.
-
π NodeJSScan β A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.
-
standard β An npm module that checks for Javascript Styleguide issues.
288β
5π΄
composer-dependency-analyser) β Fast detection of composer dependency issues.
- πͺ Powerful: Detects unused, shadow and misplaced composer dependencies
- β‘ Performant: Scans 15 000 files in 2s!
- βοΈ Configurable: Fine-grained ignores via PHP config
- πΈοΈ Lightweight: No composer dependencies
- π° Easy-to-use: No config needed for first try
- β¨ Compatible: PHP >= 7.2
-
π lintian β Static analysis tool for Debian packages.
-
125β
112π΄
rpmlint) β Tool for checking common errors in rpm packages.
-
32β
8π΄
promformat)β οΈ β Promformat is a PromQL formatter written in Python. -
3β
6π΄
promval) β PromQL validator written in Python. It can be used to validate that PromQL expressions are written as expected.
-
π buf β Provides a CLI linter that enforces good API design choices and structure
-
526β
50π΄
protolint) β Pluggable linter and fixer to enforce Protocol Buffer style and conventions.
29β
27π΄
metadata-json-lint) β Tool to check the validity of Puppet metadata.json files.
732β
88π΄
dawnscanner) β A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
-
π AzSK β Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.
-
π brakeman β A static analysis security vulnerability scanner for Ruby on Rails applications.
-
307β
45π΄
Credential Digger) β Credential Digger is a GitHub scanning tool that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc), and filtering the false positive data through a machine learning model called π Password Model. This scanner is able to detect passwords and non structured tokens with a low false positive rate. -
π Datree β A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organizationβs policies
-
3546β
439π΄
detect-secrets) β An enterprise friendly way of detecting and preventing secrets in code. It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time. -
π Enlightn β A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.
-
π GitGuardian ggshield β ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.
-
15517β
1335π΄
Gitleaks) β A SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. -
2170β
112π΄
gokart) β Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe. -
π HasMySecretLeaked Β©οΈ β HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.
-
π iblessing
β οΈ β iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. -
2000β
83π΄
kani) β The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler. Kani verifies:
- Memory safety (e.g., null pointer dereferences)
- User-specified assertions (i.e., assert!(...))
- The absence of panics (e.g., unwrap() on None values)
- The absence of some types of unexpected behavior (e.g., arithmetic overflows)
-
π kics β Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
-
π ktool β Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
-
π kube-hunter β Hunt for security weaknesses in Kubernetes clusters.
-
774β
34π΄
lockfile-lint) β Lint an npm or yarn lockfile to analyze and detect security issues -
π LunaSec β Open Source AppSec platform that automatically notifies you the next time vulnerabilities like Log4Shell or node-ipc happen. Track your dependencies and builds in a centralized service.
-
π njsscan β A static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.
-
π NodeJSScan β A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.
-
π Oversecured Β©οΈ β Enterprise vulnerability scanner for Android and iOS apps. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process.
-
π PT Application Inspector Β©οΈ β Identifies code flaws and detects vulnerabilities to prevent web attacks. Demonstrates remote code execution by presenting possible exploits.
-
π Qualys Container Security Β©οΈ β Container native application protection to provide visibility and control of containerized applications.
-
109β
25π΄
QuantifiedCode)β οΈ β Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. -
π Rezilion Β©οΈ β Discovers vulnerabilities for all components in your environment, filters out 85% non-exploitable vulnerabilities and creates a remediation plan and open tickets to upgrade components that violate your security policy and/or patch automatically in CI.
-
4205β
450π΄
scorecard) β Security Scorecards - Security health metrics for Open Source -
π SearchDiggity Β©οΈ β Identifies vulnerabilities in open source code projects hosted on Github, Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
-
π Steampunk Spotter Β©οΈ β Ansible Playbook Scanning Tool that analyzes and offers recommendations for your playbooks.
-
π Symfony Insight Β©οΈ β Detect security risks, find bugs and provide actionable metrics for PHP projects.
-
6600β
530π΄
tfsec) β Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations. -
π trufflehog β Find credentials all over the place TruffleHog is an open source secret-scanning engine that resolves exposed secrets across your companyβs entire tech stack.
-
8148β
882π΄
Tsunami Security Scanner) β A general purpose network security scanner with an extensible plugin system for detecting high severity RCE-like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.
-
3741β
706π΄
mythril) β A symbolic execution framework with batteries included, can be used to find and exploit vulnerabilities in smart contracts automatically. -
π MythX Β©οΈ β MythX is an easy to use analysis platform which integrates several analysis methods like fuzzing, symbolic execution and static analysis to find vulnerabilities with high precision. It can be integrated with toolchains like Remix or VSCode or called from the command-line.
-
5090β
926π΄
slither) β Static analysis framework that runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. -
π solhint β Solhint is an open source project created by https://protofire.io. Its goal is to provide a linting utility for Solidity code.
-
π solium β Solium is a linter to identify and fix style and security issues in Solidity smart contracts.
-
21β
7π΄
LibVCS4j) β A Java library that allows existing tools to analyse the evolution of software systems by providing a common API for different version control systems and issue trackers. -
336β
39π΄
RefactorFirst) β Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first. -
140β
39π΄
Violations Lib) β Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.
-
266β
235π΄
ember-template-lint) β Linter for Ember or Handlebars templates. -
311β
102π΄
haml-lint) β Tool for writing clean and consistent HAML. -
202β
58π΄
slim-lint) β Configurable tool for analyzing Slim templates. -
π yamllint β Checks YAML files for syntax validity, key repetition and cosmetic problems such as lines length, trailing spaces, and indentation.
-
π GitGuardian ggshield β ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.
-
π kics β Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
-
372β
15π΄
shisho)β οΈ β A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code.
48β
10π΄
dennis) β A set of utilities for working with PO files to ease development and improve quality.
-
π HTML-Validate β Offline HTML5 validator.
-
π Vetur
β οΈ β Vue tooling for VS Code, powered by vls (vue language server). Vetur has support for formatting embedded HTML, CSS, SCSS, JS, TypeScript, and more. Vetur only has a "whole document formatter" and cannot format arbitrary ranges.
- π Twiggy β Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size.
-
π After the Deadline
β οΈ β Spell, style and grammar checker. -
π alex β Catch insensitive, inconsiderate writing
-
1779β
459π΄
codespell) β Check code for common misspellings. -
π languagetool β Style and grammar checker for 25+ languages. It finds many errors that a simple spell checker cannot detect.
-
191β
24π΄
misspell-fixer)β οΈ β Quick tool for fixing common misspellings, typos in source code. -
π Misspelled Words In Context β A spell-checker that groups possible misspellings and shows them in their contexts.
-
4297β
177π΄
proselint) β A linter for English prose with a focus on writing style instead of grammar. -
π vale β A syntax-aware linter for prose built with speed and extensibility in mind.
-
4906β
189π΄
write-good) β A linter with a focus on eliminating "weasel words".
-
π Spectral β A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
-
π yamllint β Checks YAML files for syntax validity, key repetition and cosmetic problems such as lines length, trailing spaces, and indentation.
-
π commitlint β checks if your commit messages meet the conventional commit format
-
π GitGuardian ggshield β ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.
-
π HasMySecretLeaked Β©οΈ β HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.
?β
?π΄
Clean code linters) β A collection of linters in github collections?β
?π΄
Code Quality Checker Tools For PHP Projects) β A collection of PHP linters in github collections5970β
360π΄
go-tools) β A collection of tools and libraries for working with Go code, including linters and static analysis338β
31π΄
linters) β An introduction to static code analysis- π OWASP Source Code Analysis Tools β List of tools maintained by the Open Web Application Security Project
2799β
248π΄
php-static-analysis-tools) β A reviewed list of useful PHP static analysis tools- Wikipedia β A list of tools for static code analysis.
To the extent possible under law, π Matthias Endler has waived all copyright and related or neighboring rights to this work. The underlying source code used to format and display that content is licensed under the MIT license.
Title image Designed by Freepik.
12976β
1333π΄
analysis-tools-dev/static-analysis)