/awesome-static-analysis

A curated list of static analysis tools, linters and code quality checkers for various programming languages

Awesome static analysis

A collection of static analysis tools and code quality checkers for all programming languages.
Explanation: [OSS] stands for Open-Source-Software, [PROPRIETARY] stands for proprietary software.

C/C++

  • CMetrics [OSS] - Measures size and complexity for C files
  • cqmetrics [OSS] - quality metrics for C code
  • clang-tidy [OSS] - clang static analyser
  • cppcheck [OSS] - static analysis of C/C++ code
  • flawfinder [OSS] - finds possible security weaknesses
  • oclint [OSS] - static analysis of C/C++ code
  • splint [OSS] - static analysis of C/C++ code
  • tis-interpreter [OSS] - An interpreter for finding subtle bugs in programs written in standard C

C#

  • ReSharper [PROPRIETARY] - Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
  • code-cracker [OSS] - An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
  • SonarLint for Visual Studio [OSS] - SonarLint is a Visual Studio 2015 extension that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
  • .NET Analyzers [OSS] - An organization for the development of analyzers (diagnostics, code fixes, and refactorings) using the .NET Compiler Platform.
  • CSharpEssentials [OSS] - C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
  • Refactoring Essentials [OSS] - The premier free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers to improve your projects.
  • VSDiagnostics [OSS] - A collection of static analyzers based on Roslyn that integrate with VS.
  • Wintellect.Analyzers [OSS] - .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes written by Wintellect.
  • Code Analysis Rule Collection [OSS] - Contains a set of diagnostics, code fixes and refactorings built on the Microsoft .NET Compiler Platform "Roslyn".

Docker

Elixir

  • credo [OSS] - A static code analysis tool with a focus on code consistency and teaching.

Go

  • flen [OSS] - Get info on length of functions in a Go package
  • go/ast [OSS] - Package ast declares the types used to represent syntax trees for Go packages.
  • gocyclo [OSS] - Calculate cyclomatic complexities of functions in Go source code
  • Go Meta Linter [OSS] - Concurrently run Go lint tools and normalise their output
  • go vet [OSS] - Examines Go source code and reports suspicious constructs
  • ineffassign - Detect ineffectual assignments in Go code
  • safesql [OSS] - Static analysis tool for Golang that protects against SQL injections

Groovy

  • CodeNarc [OSS] - a static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices

Haskell

  • HLint [OSS] - HLint is a tool for suggesting possible improvements to Haskell code.

Haxe

  • Haxe Checkstyle [OSS] - A static analysis tool to help developers write Haxe code that adheres to a coding standard.

HTML

  • HTMLHint [OSS] - A Static Code Analysis Tool for HTML
  • HTML Inspector [OSS] - HTML Inspector is a code quality tool to help you and your team write better markup.

Java

  • checkstyle [OSS] - checking Java source code for adherence to a Code Standard or set of validation rules (best practices)
  • ckjm [OSS] - calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files
  • Error-prone [OSS] - Catch common Java mistakes as compile-time errors
  • fb-contrib [OSS] - A plugin for FindBugs with additional bug detectors
  • Findbugs [OSS] - FindBugs is a program to find bugs in Java programs. It looks for patterns that are likely to be errors.
  • PMD [OSS] - A Java source code analyzer

JavaScript

  • aether [OSS] - Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.
  • ClosureLinter [OSS] - ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors
  • complexity-report [OSS] - Software complexity analysis for JavaScript projects
  • escomplex [OSS] - Software complexity analysis of JavaScript-family abstract syntax trees.
  • eslint [OSS] - A fully pluggable tool for identifying and reporting on patterns in JavaScript
  • Esprima [OSS] - ECMAScript parsing infrastructure for multipurpose analysis
  • quality [OSS] - zero configuration code and module linting
  • jshint [OSS] - detect errors and potential problems in JavaScript code and enforce your team's coding conventions
  • JSLint [PROPRIETARY] - The JavaScript Code Quality Tool
  • plato [OSS] - Visualize JavaScript source complexity
  • yardstick [OSS] - JavaScript code metrics
  • XO [OSS] - Enforce strict code style. Never discuss code style on a pull request again!

Lua

  • luacheck [OSS] - A tool for linting and static analysis of Lua code.

Python

  • flake8 [OSS] - the modular source code checker: pep8, pyflakes and co
  • jedi [OSS] - autocompletion/static analysis library for Python
  • Linty fresh [OSS] - Surface lint errors during code review
  • mypy [OSS] - an experimental optional static type checker for Python that aims to combine the benefits of dynamic (or "duck") typing and static typing
  • prospector [OSS] - output information about errors, potential problems, convention violations and complexity in Python code
  • pyflakes [OSS] - A simple program which checks Python source files for errors.
  • pylint [OSS] - Looks for programming errors, helps enforcing a coding standard and sniffs for some code smells

PHP

  • DesignPatternDetector [OSS] - detection of design patterns in PHP code
  • deptrac [OSS] - Enforce rules for dependencies between software layers.
  • exakat [OSS] - An automated code reviewing engine for PHP
  • GrumPHP [OSS] - checks code on every commit
  • phan [OSS] - a modern static analyzer from Etsy
  • php7cc [OSS] - PHP 7 Compatibility Checker
  • php7mar [OSS] - assist developers in porting their code quickly to PHP 7
  • phpcpd [OSS] - Copy/Paste Detector (CPD) for PHP code.
  • PHP_CodeSniffer [OSS] - detects violations of a defined set of coding standards
  • phpdcd [OSS] - Dead Code Detector (DCD) for PHP code.
  • PhpDependencyAnalysis [OSS] - builds a dependency graph for a project
  • phpsa [OSS] - Static analysis tool for PHP.
  • PHPMD [OSS] - finds possible bugs in your code
  • PhpMetrics [OSS] - calculates code complexity metrics
  • PHP Refactoring Browser [OSS] - Refactoring helper
  • PHP-Token-Reflection [OSS] - Library emulating the PHP internal reflection
  • PHP-Parser [OSS] - A PHP parser written in PHP
  • RIPS [OSS] - A static source code analyser for vulnerabilities in PHP scripts
  • Tuli [OSS] - A static analysis engine
  • twig-lint [OSS] - twig-lint is a lint tool for your twig files.

R

  • lintr [PROPRIETARY] - Static Code Analysis for R

Ruby

  • brakeman [OSS] - A static analysis security vulnerability scanner for Ruby on Rails applications
  • cane [OSS] - Code quality threshold checking as part of your build
  • dawnscanner [OSS] - a static analysis security scanner for web applications written in Ruby. It supports Sinatra, Padrino and Ruby on Rails frameworks.
  • flay [OSS] - Flay analyzes code for structural similarities.
  • flog [OSS] - Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.
  • laser [OSS] - Static analysis and style linter for Ruby code.
  • Mondrian [OSS] - a set of static analysis and refactoring tools for more abstraction
  • pelusa [OSS] - Static analysis Lint-type tool to improve your OO Ruby code
  • quality [OSS] - Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time.
  • reek [OSS] - Code smell detector for Ruby
  • rubocop [OSS] - A Ruby static code analyzer, based on the community Ruby style guide.
  • rubycritic [OSS] - A Ruby code quality reporter
  • ruby-lint [OSS] - Static code analysis for Ruby
  • SandyMeter [OSS] - Static analysis tool for checking Ruby code for Sandi Metz' rules.

Rust

  • clippy [OSS] - a code linter to catch common mistakes and improve your Rust code

Scala

  • linter [OSS] - Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems.
  • ScalaStyle [OSS] - Scalastyle examines your Scala code and indicates potential problems with it.
  • scapegoat [OSS] - Scala compiler plugin for static code analysis
  • WartRemover [OSS] - a flexible Scala code linting tool.

Shell

  • shellcheck [OSS] - ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts

Swift

  • SwiftLint [OSS] - A tool to enforce Swift style and conventions
  • Tailor [OSS] - A static analysis and lint tool for source code written in Apple's Swift programming language.

Meta

Multiple languages

  • PVS-Studio [PROPRIETARY] - static analysis of C/C++ and C# code
  • Coverity Save [PROPRIETARY] - Static analysis for C/C++, Java and C#
  • Infer [OSS] - A static analyzer for Java, C and Objective-C
  • oclint [OSS] - A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C
  • pfff [OSS] - Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages
  • shipshape [OSS] - Static program analysis platform that allows custom analyzers to plug in through a common interface
  • STOKE [OSS] - a programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations
  • XCode [PROPRIETARY/OSS] - XCode provides a pretty decent UI for Clang's static code analyzer (C/C++, Obj-C)

Web-Services

  • Codacy [PROPRIETARY] - Code Analysis to ship Better Code, Faster.
  • Code Climate [PROPRIETARY] - The open and extensible static analysis platform, for everyone.
  • ConQAT [OSS] - a toolkit for rapid development and execution of software quality analyses.
  • Functor Prevent [PROPRIETARY] - Static code analysis for C code.
  • kiuwan [PROPRIETARY] - Software Analytics in the Cloud supporting more than 22 programming languages.
  • Landscape [PROPRIETARY] - Static code analysis for Python
  • Nitpick CI [PROPRIETARY] - Automated PHP code review
  • QuantifiedCode [PROPRIETARY] - Automated code review & repair
  • Scrutinizer [PROPRIETARY] - A proprietary code quality checker that can be integrated with GitHub
  • SensioLabs Insights [PROPRIETARY] - Detect security risks, find bugs and provide actionable metrics for PHP projects
  • Teamscale [PROPRIETARY] - analyze, monitor, and improve the quality of your code.

License

CC0

To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work.