Github url

static-analysis

by analysis-tools-dev

analysis-tools-dev /static-analysis

Static analysis tools for all programming languages, build tools, config files and more.

7.4K Stars 853 Forks Last release: Not found 657 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

Analysis Tools

This repository lists static analysis tools for all programming languages, build tools, config files and more.
The official website, analysis-tools.dev is based on this repository and adds rankings and user comments for each tool.

Static program analysis is the analysis of computer software that is performed without actually executing programs — Wikipedia

The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality. — John Carmack (Creator of Doom)

CI

Meaning of symbols:

  • :copyright: stands for proprietary software. All other tools are Open Source.
  • :information_source: indicates that the community does not recommend to use this tool for new projects anymore. The icon links to the discussion issue.
  • :warning: means that this tool was not updated for more than 6 months, or the repo was archived.

Pull requests are very welcome! Also check out the sister project, awesome-dynamic-analysis.

Table of Contents

Programming Languages

Show languages
#### [Multiple languages](https://github.com/analysis-tools-dev/static-analysis/blob/master/#multiple-languages-1)

Other


Programming Languages

ABAP

  • stars abaplint - Linter for ABAP, written in TypeScript.
  • stars abapOpenChecks - Enhances the SAP Code Inspector with new and customizable checks.

Ada

  • Codepeer :copyright: - Detects run-time and logic errors.
  • Polyspace for Ada :copyright: - Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
  • SPARK :copyright: - Static analysis and formal verification toolset for Ada.
  • Understand :copyright: - IDE that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada and VHDL.

Assembly

  • stars STOKE - A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.

Awk

  • gawk --lint - Warns about constructs that are dubious or nonportable to other awk implementations.

C

  • Astrée :copyright: - Sound static analyzer based on abstract interpretation for C/C++, detecting memory, type and concurrency defects, and MISRA violations.
  • stars CBMC - Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
  • clang-tidy - clang static analyser.
  • stars CMetrics - Measures size and complexity for C files.
  • CodeSonar from GrammaTech :copyright: - Advanced, whole program, deep path, static analysis of C and C++ with easy-to-understand explanations and code and path visualization.
  • stars cppcheck - Static analysis of C/C++ code.
  • CppDepend :warning: :copyright: - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • cpplint - Automated C++ checker that follows Google's style guide.
  • stars cqmetrics - Quality metrics for C code.
  • stars CScout - Complexity and quality metrics for for C and C preprocessor code.
  • stars flawfinder - Finds possible security weaknesses.
  • stars flint++ - Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
  • Frama-C - A sound and extensible static analyzer for C code.
  • Helix QAC :copyright: - Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
  • stars IKOS - A sound static analyzer for C/C++ code based on LLVM.
  • stars include-gardener - A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all
    #include
    relations of a given set of files.
  • LDRA :copyright: - A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
  • stars Phasar - A LLVM-based static analysis framework which comes with a taint and type state analysis.
  • Polyspace Bug Finder :copyright: - Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
  • Polyspace Code Prover :copyright: - Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
  • scan-build - Analyzes C/C++ code using LLVM at compile-time.
  • stars splint - Annotation-assisted static program checker.
  • stars SVF - A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
  • vera++ - Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

C#

  • .NET Analyzers - An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
  • Code Analysis Rule Collection :warning: - Contains a set of diagnostics, code fixes and refactorings built on the Microsoft .NET Compiler Platform "Roslyn".
  • stars code-cracker - An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
  • stars CSharpEssentials - C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
  • Designite :copyright: - Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.
  • stars Gendarme - Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).
  • NDepend :copyright: - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • stars Roslynator - A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.
  • stars VSDiagnostics - A collection of static analyzers based on Roslyn that integrates with VS.
  • stars Wintellect.Analyzers - .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.

C++

  • Astrée :copyright: - Sound static analyzer based on abstract interpretation for C/C++, detecting memory, type and concurrency defects, and MISRA violations.
  • stars CBMC - Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
  • clang-tidy - clang static analyser.
  • stars CMetrics - Measures size and complexity for C files.
  • CodeSonar from GrammaTech :copyright: - Advanced, whole program, deep path, static analysis of C and C++ with easy-to-understand explanations and code and path visualization.
  • stars cppcheck - Static analysis of C/C++ code.
  • CppDepend :warning: :copyright: - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • cpplint - Automated C++ checker that follows Google's style guide.
  • stars cqmetrics - Quality metrics for C code.
  • stars CScout - Complexity and quality metrics for for C and C preprocessor code.
  • stars flawfinder - Finds possible security weaknesses.
  • stars flint++ - Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
  • Frama-C - A sound and extensible static analyzer for C code.
  • Helix QAC :copyright: - Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
  • stars IKOS - A sound static analyzer for C/C++ code based on LLVM.
  • stars include-gardener - A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all
    #include
    relations of a given set of files.
  • LDRA :copyright: - A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
  • stars Phasar - A LLVM-based static analysis framework which comes with a taint and type state analysis.
  • Polyspace Bug Finder :copyright: - Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
  • Polyspace Code Prover :copyright: - Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
  • scan-build - Analyzes C/C++ code using LLVM at compile-time.
  • stars splint - Annotation-assisted static program checker.
  • stars SVF - A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
  • vera++ - Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

CoffeeScript

  • stars coffeelint - A style checker that helps keep CoffeeScript code clean and consistent.

Crystal

  • stars ameba - A static code analysis tool for Crystal.
  • stars crystal - The Crystal compiler has built-in linting functionality.

Dart

Delphi

  • Fix Insight :copyright: - A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.
  • Pascal Analyzer :copyright: - A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.
  • Pascal Expert :copyright: - IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.

Dlang

  • stars D-scanner - D-Scanner is a tool for analyzing D source code.

Elixir

  • stars credo - A static code analysis tool with a focus on code consistency and teaching.
  • stars sobelow - Security-focused static analysis for the Phoenix Framework.

Elm

  • stars elm-analyse - A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.

Erlang

F#

Fortran

Go

  • aligncheck - Find inefficiently packed structs.
  • stars bodyclose - Checks whether HTTP response body is closed.
  • stars deadcode - Finds unused code.
  • stars dingo-hunter - Static analyser for finding deadlocks in Go.
  • stars dogsled - Finds assignments/declarations with too many blank identifiers.
  • stars dupl - Reports potentially duplicated code.
  • stars errcheck - Check that error return values are used.
  • stars flen - Get info on length of functions in a Go package.
  • go tool vet --shadow - Reports variables that may have been unintentionally shadowed.
  • go vet - Examines Go source code and reports suspicious.
  • stars go-consistent - Analyzer that helps you to make your Go programs more consistent.
  • stars go-critic - Go source code linter that maintains checks which are currently not implemented in other linters.
  • go/ast - Package ast declares the types used to represent syntax trees for Go packages.
  • stars gochecknoglobals - Checks that no globals are present.
  • stars goconst - Finds repeated strings that could be replaced by a constant.
  • stars gocyclo - Calculate cyclomatic complexities of functions in Go source code.
  • gofmt -s - Checks if the code is properly formatted and could not be further simplified.
  • goimports - Checks missing or unreferenced package imports.
  • stars GolangCI-Lint - Alternative to
    Go Meta Linter
    : GolangCI-Lint is a linters aggregator.
  • stars golint - Prints out coding style mistakes in Go source code.
  • stars goroutine-inspect - An interactive tool to analyze Golang goroutine dump.
  • stars gosec (gas) - Inspects source code for security problems by scanning the Go AST.
  • gotype - Syntactic and semantic analysis similar to the Go compiler.
  • stars ineffassign - Detect ineffectual assignments in Go code.
  • stars interfacer :warning: - Suggest narrower interfaces that can be used.
  • stars lll - Report long lines.
  • stars maligned - Detect structs that would take less memory if their fields were sorted.
  • stars misspell - Finds commonly misspelled English words.
  • stars nakedret - Finds naked returns.
  • stars nargs - Finds unused arguments in function declarations.
  • stars prealloc - Finds slice declarations that could potentially be preallocated.
  • stars revive - Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
  • stars safesql - Static analysis tool for Golang that protects against SQL injections.
  • stars staticcheck - Go static analysis that specialises in finding bugs, simplifying code and improving performance.
  • structcheck - Find unused struct fields.
  • test - Show location of test failures from the stdlib testing module.
  • stars unconvert - Detect redundant type conversions.
  • stars unimport - Finds unnecessary import aliases.
  • stars unparam - Find unused function parameters.
  • varcheck - Find unused global variables and constants.
  • stars wsl - Enforces empty lines at the right places.

Groovy

  • stars CodeNarc - A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices.

Haskell

  • stars HLint - HLint is a tool for suggesting possible improvements to Haskell code.
  • stars Weeder - A tool for detecting dead exports or package imports in Haskell code.

Haxe

  • stars Haxe Checkstyle - A static analysis tool to help developers write Haxe code that adheres to a coding standard.

Java

  • stars Checker Framework - Pluggable type-checking for Java.
  • stars checkstyle - Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).
  • stars ck - Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.
  • stars ckjm - Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.
  • stars CogniCrypt - Checks Java source and byte code for incorrect uses of cryptographic APIs.
  • DesigniteJava :copyright: - DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
  • stars Error-prone - Catch common Java mistakes as compile-time errors.
  • stars fb-contrib - A plugin for FindBugs with additional bug detectors.
  • stars forbidden-apis - Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.
  • stars google-java-format - Google Style Reformat.
  • stars HuntBugs :warning: - Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.
  • JArchitect :copyright: - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • JBMC - Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
  • stars NullAway - Type-based null-pointer checker with low build-time overhead; an Error Prone plugin.
  • stars OWASP Dependency Check - Checks dependencies for known, publicly disclosed, vulnerabilities.
  • stars qulice - Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
  • stars Soot - A framework for analyzing and transforming Java and Android applications.
  • stars Spoon - Spoon is a metaprogramming library to analyze and transform Java source code (incl Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
  • stars SpotBugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

JavaScript

  • stars aether - Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.
  • stars Closure Compiler - A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files.
  • stars ClosureLinter :warning: - Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors.
  • stars complexity-report :warning: - Software complexity analysis for JavaScript projects.
  • DeepScan :copyright: - An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.
  • stars escomplex - Software complexity analysis of JavaScript-family abstract syntax trees.
  • stars eslint - A fully pluggable tool for identifying and reporting on patterns in JavaScript.
  • stars Esprima - ECMAScript parsing infrastructure for multipurpose analysis.
  • stars flow - A static type checker for JavaScript.
  • stars hegel - A static type checker for JavaScript with a bias on type inference and strong type systems.
  • stars jshint :information_source: - Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
  • stars JSLint :information_source: - The JavaScript Code Quality Tool.
  • stars JSPrime :warning: - Static security analysis tool.
  • stars plato :warning: - Visualize JavaScript source complexity.
  • stars quality :warning: - Zero configuration code and module linting.
  • stars retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities.
  • stars tern - A JavaScript code analyzer for deep, cross-editor language support.
  • stars xo - Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code.
  • stars yardstick :warning: - Javascript code metrics.

Kotlin

  • stars detekt - Static code analysis for Kotlin code.

Lua

  • stars luacheck - A tool for linting and static analysis of Lua code.

MATLAB

  • mlint :copyright: - Check MATLAB code files for possible problems.

PHP

  • stars churn-php :warning: - Helps discover good candidates for refactoring.

  • stars dephpend - Dependency analysis tool.

  • stars deprecation-detector - Finds usages of deprecated (Symfony) code.

  • stars deptrac - Enforce rules for dependencies between software layers.

  • stars DesignPatternDetector - Detection of design patterns in PHP code.

  • stars EasyCodingStandard - Combine PHP_CodeSniffer and PHP-CS-Fixer.

  • stars GrumPHP - Checks code on every commit.

  • stars Mondrian - A set of static analysis and refactoring tools which use graph theory.

  • stars parallel-lint - This tool checks syntax of PHP files faster than serial check with a fancier output.

  • stars Parse - A Static Security Scanner.

  • stars pdepend - Calculates software metrics like cyclomatic complexity for PHP code.

  • stars phan - A modern static analyzer from etsy.

  • stars PHP Architecture Tester - Easy to use architecture testing tool for PHP.

  • stars PHP Assumptions - Checks for weak assumptions.

  • stars PHP Coding Standards Fixer - Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.

  • stars PHP Insights - Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.

  • stars Php Inspections (EA Extended) - A Static Code Analyzer for PHP.

  • stars PHP Refactoring Browser - Refactoring helper.

  • stars PHP Semantic Versioning Checker - Suggests a next version according to semantic versioning.

  • stars PHP-Parser - A PHP parser written in PHP.

  • stars php-speller - PHP spell check library.

  • stars PHP-Token-Reflection - Library emulating the PHP internal reflection.

  • stars php7cc :warning: - PHP 7 Compatibility Checker.

  • stars php7mar :warning: - Assist developers in porting their code quickly to PHP 7.

  • stars PHP_CodeSniffer - Detects violations of a defined set of coding standards.

  • stars phpca - Finds usage of non-built-in extensions.

  • stars phpcf - Finds usage of deprecated PHP features.

  • stars phpcpd - Copy/Paste Detector for PHP code.

  • stars phpdcd :warning: - Dead Code Detector (DCD) for PHP code.

  • stars PhpDependencyAnalysis - Builds a dependency graph for a project.

  • stars phpdoc-to-typehint - Add scalar type hints and return types to existing PHP projects using PHPDoc annotations.

  • stars phpDocumentor - Analyzes PHP source code to generate documentation.

  • stars phploc - A tool for quickly measuring the size and analyzing the structure of a PHP project.

  • stars PHPMD - Finds possible bugs in your code.

  • stars PhpMetrics - Calculates and visualizes various code quality metrics.

  • stars phpmnd - Helps to detect magic numbers.

  • stars PHPQA - A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).

  • stars phpqa - jakzal - Many tools for PHP static analysis in one container.

  • stars phpqa - jmolivas - PHPQA all-in-one Analyzer CLI tool.

  • stars phpsa - Static analysis tool for PHP.

  • stars PHPStan - PHP Static Analysis Tool - discover bugs in your code without running it!

  • stars Progpilot - A static analysis tool for security purposes.

  • stars Psalm - Static analysis tool for finding type errors in PHP applications.

  • stars Qafoo Quality Analyzer - Visualizes metrics and source code.

  • stars Tuli - A static analysis engine.

  • stars twig-lint - twig-lint is a lint tool for your twig files.

  • WAP - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining.

Perl

  • Perl::Critic - Critique Perl source code for best-practices.

Python

  • stars bandit - A tool to find common security issues in Python code.
  • stars bellybutton - A linting engine supporting custom project-specific rules.
  • stars cohesion - A tool for measuring Python class cohesion.
  • stars Dlint - A tool for ensuring Python code is secure.
  • stars include-gardener - A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all
    #include
    relations of a given set of files.
  • stars jedi - Autocompletion/static analysis library for Python.
  • stars linty fresh - Parse lint errors and report them to Github as comments on a pull request.
  • stars mccabe - Check McCabe complexity.
  • stars mypy - A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with MonkeyType.
  • stars py-find-injection :warning: - Find SQL injection vulnerabilities in Python code.
  • stars pycodestyle - (Formerly
    pep8
    ) Check Python code against some of the style conventions in PEP 8.
  • stars pydocstyle - Check compliance with Python docstring conventions.
  • stars pyflakes - Check Python source files for errors.
  • stars pylint - Looks for programming errors, helps enforcing a coding standard and sniffs for some code smells. It additionally includes
    pyreverse
    (an UML diagram generator) and
    symilar
    (a similarities checker).
  • stars pyre-check - A fast, scalable type checker for large Python codebases.
  • stars pyright - Static type checker for Python, created to address gaps in existing tools like mypy.
  • stars pyroma - Rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved.
  • stars PyT - Python Taint :warning: - A static analysis tool for detecting security vulnerabilities in Python web applications.
  • stars pytype - A static type analyzer for Python code.
  • stars radon - A Python tool that computes various metrics from the source code.
  • stars vulture - Find unused classes, functions and variables in Python code.
  • stars wemake-python-styleguide - The strictest and most opinionated python linter ever.
  • stars wily - A command-line tool for archiving, exploring and graphing the complexity of Python source code.
  • stars xenon - Monitor code complexity using [
    radon
    ](https://github.com/rubik/radon).

R

  • stars cyclocomp - Quantifies the cyclomatic complexity of R functions / expressions.
  • stars goodpractice - Analyses the source code for R packages and provides best-practice recommendations.
  • stars lintr - Static Code Analysis for R.

RPG

  • SourceMeter :copyright: - Static Code Analysis for RPG III and RPG IV versions (including free-form).

Ruby

  • stars brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications.
  • stars cane - Code quality threshold checking as part of your build.
  • stars flay - Flay analyzes code for structural similarities.
  • stars flog - Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.
  • stars include-gardener - A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all
    #include
    relations of a given set of files.
  • stars laser :warning: - Static analysis and style linter for Ruby code.
  • stars pelusa - Static analysis Lint-type tool to improve your OO Ruby code.
  • stars Querly - Pattern Based Checking Tool for Ruby.
  • stars Railroader - An open source static analysis security vulnerability scanner for Ruby on Rails applications.
  • stars reek - Code smell detector for Ruby.
  • stars RuboCop - A Ruby static code analyzer, based on the community Ruby style guide.
  • stars Rubrowser - Ruby classes interactive dependency graph generator.
  • ruby-lint :warning: - Static code analysis for Ruby.
  • stars rubycritic - A Ruby code quality reporter.
  • stars SandiMeter :warning: - Static analysis tool for checking Ruby code for Sandi Metz' rules.
  • stars Sorbet - A fast, powerful type checker designed for Ruby.

Rust

  • stars cargo-audit - Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.
  • stars cargo-inspect - Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.
  • stars clippy - A code linter to catch common mistakes and improve your Rust code.
  • stars electrolysis - A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.
  • stars herbie - Adds warnings or errors to your crate when using a numerically unstable floating point expression.
  • stars linter-rust - Linting your Rust-files in Atom, using rustc and cargo.
  • stars MIRAI - And abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis.
  • stars Rust Language Server - Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings.
  • stars rustfix - Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).

SQL

  • stars sqlcheck - Automatically identify anti-patterns in SQL queries.
  • stars sqlint - Simple SQL linter.
  • stars tsqllint - T-SQL-specific linter.
  • stars TSqlRules - TSQL Static Code Analysis Rules for SQL Server.

Scala

  • stars linter - Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems.
  • stars Scalastyle - Scalastyle examines your Scala code and indicates potential problems with it.
  • stars scapegoat - Scala compiler plugin for static code analysis.
  • stars WartRemover - A flexible Scala code linting tool.

Shell

  • stars i-Code CNES for Shell - An open source static code analysis tool for Shell and Fortran (77 and 90).
  • stars shellcheck - ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts.

Solidity

  • stars slither - Static analysis framework that runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses.
  • stars solhint - Solhint is an open source project created by https://protofire.io. Its goal is to provide a linting utility for Solidity code.
  • stars solium - Solium is a linter to identify and fix style and security issues in Solidity smart contracts.

Swift

  • stars SwiftLint - A tool to enforce Swift style and conventions.
  • stars Tailor :warning: - A static analysis and lint tool for source code written in Apple's Swift programming language.

Tcl

  • Frink - A Tcl formatting and static check program (can prettify the program, minimise, obfuscate or just sanity check it).
  • Nagelfar - A static syntax checker for Tcl.
  • tclchecker - A static syntax analysis module (as part of TDK).

TypeScript

  • stars Codelyzer - A set of tslint rules for static code analysis of Angular 2 TypeScript projects.
  • stars ESLint - An extensible linter for the TypeScript language.
  • stars tslint-clean-code - A set of TSLint rules inspired by the Clean Code handbook.
  • stars tslint-microsoft-contrib - A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft.

VBScript

  • Test Design Studio :copyright: - A full IDE with static code analysis for Micro Focus Unified Functional Testing VBScript-based automated tests.

Multiple languages

  • AppChecker :copyright: - Static analysis for C/C++/C#, PHP and Java.
  • Application Inspector :copyright: - Commercial Static Code Analysis which generates exploits to verify vulnerabilities.
  • stars ApplicationInspector - Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).
  • AppScan Source :copyright: - Commercial Static Code Analysis.
  • APPscreener :copyright: - Static code analysis for binary and source code - Java/Scala, PHP, Javascript, C#, PL/SQL, Python, T-SQL, C/C++, ObjectiveC/Swift, Visual Basic 6.0, Ruby, Delphi, ABAP, HTML5 and Solidity.
  • stars ArchUnit - Unit test your Java or Kotlin architecture.
  • stars Atom-Beautify - Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor.
  • Axivion Bauhaus Suite :copyright: - Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
  • stars Black - The uncompromising Python code formatter.
  • CAST Highlight :copyright: - Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.
  • Checkmarx CxSAST :copyright: - Commercial Static Code Analysis which doesn't require pre-compilation.
  • stars ciocheck - Linter, formatter and test suite helper. As a linter, it is a wrapper around
    pep8
    ,
    pydocstyle
    ,
    flake8
    , and
    pylint
    .
  • stars ClassGraph - A classpath and module path scanner for querying or visualizing class metadata or class relatedness.
  • stars coala - Language independent framework for creating code analysis - supports over 60 languages by default.
  • Cobra :copyright: - Structural source code analyzer by NASA's Jet Propulsion Laboratory.
  • Codeac :copyright: - Automated code review tool integrates with GitHub, Bitbucket and GitLab (even self-hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free)
  • stars codeburner - Provides a unified interface to sort and act on the issues it finds.
  • stars codechecker - A defect database and viewer extension for the Clang Static Analyzer with web GUI.
  • CodeFactor :copyright: - Static Code Analysis for C#, C, C++, CoffeeScript, CSS, Groovy, GO, JAVA, JavaScript, Less, Python, Ruby, Scala, SCSS, TypeScript.
  • CodeIt.Right :copyright: - CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.
  • CodePatrol :copyright: - Automated SAST code reviews driven by security, supports 15+ languages and includes security training.
  • CodeRush :copyright: - Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up.
  • CodeScene :copyright: - CodeScene prioritizes technical debt, finds social patterns and identifies hidden risks in your code.
  • stars Corrode - Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors.
  • Coverity :copyright: - Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET.
  • stars cqc - Check your code quality for js, jsx, vue, css, less, scss, sass and styl files.
  • stars CSScomb - A coding style formatter for CSS. Supports own configurations to make style sheets beautiful and consistent.
  • stars dawnscanner - A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
  • DeepCode :copyright: - DeepCode finds bugs, security vulnerabilities, performance and API issues based on AI. DeepCode's speed of analysis allow us to analyse your code in real time and deliver results when you hit the save button in your IDE. Supported languages are Java, C/C++, JavaScript, Python, and TypeScript. Integrations with GitHub, BitBucket and Gitlab.
  • DeepSource :copyright: - In-depth static analysis to monitor source code quality and security. Supports Python and Go and can detect 600+ types of issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integration with GitHub.
  • stars Depends - Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.
  • stars DevSkim - Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
  • Embold :copyright: - Intelligent software analytics platform that identifies design issues, code issues, duplication and metrics. Supports Java, C, C++, C#, JavaScript, TypeScript, Python, Go, Kotlin and more.
  • stars exakat - An automated code reviewing engine for PHP.
  • stars Find Security Bugs - The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
  • stars flake8 - A wrapper around
    pyflakes
    ,
    pycodestyle
    and
    mccabe
    .
  • Fortify :copyright: - A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
  • stars Go Meta Linter :warning: - Concurrently run Go lint tools and normalise their output. Use
    golangci-lint
    for new projects.
  • stars Goodcheck - Regexp based customizable linter.
  • stars goreporter - Concurrently runs many linters and normalises their output to a report.
  • stars graudit - Grep rough audit - source code auditing tool.
  • stars Hopper :warning: - A static analysis tool written in scala for languages that run on JVM.
  • stars Hound CI - Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.
  • stars imhotep - Comment on commits coming into your repository and check for syntactic errors and general lint warnings.
  • stars Infer - A static analyzer for Java, C and Objective-C
  • stars InsiderSec - A open source Static Application Security Testing tool (SAST) written in GoLang for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and Javascript (Node.js).
  • Kiuwan :copyright: - Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C\C++, Java, C#, PHP and more.
  • Klocwork :copyright: - Quality and Security Static analysis for C/C++, Java and C#.
  • stars ktlint - An anti-bikeshedding Kotlin linter with built-in formatter.
  • LGTM.com :copyright: - Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.
  • stars multilint - A wrapper around
    flake8
    ,
    isort
    and
    modernize
    .
  • Nitpick CI :copyright: - Automated PHP code review.
  • stars NodeJSScan - NodeJsScan is a static security code scanner for Node.js applications.
  • stars oclint - A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C.
  • stars pfff :warning: - Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages.
  • stars PMD - A source code analyzer for Java, Javascript, PLSQL, XML, XSL and others.
  • Polymer-analyzer - A static analysis framework for Web Components.
  • stars pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
  • stars Prettier - An opinionated code formatter.
  • stars Pronto - Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more.
  • stars prospector - A wrapper around
    pylint
    ,
    pep8
    ,
    mccabe
    and others.
  • stars PT.PM :warning: - An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL.
  • PullRequest :copyright: - Code review as a service with built-in static analysis.
  • stars Puma Scan - Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
  • PVS-Studio :copyright: - A (conditionally free for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees. Supports CWE mapping, MISRA and CERT coding standards.
  • stars quality - Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time.
  • Qualys Container Security :copyright: - Container native application protection to provide visibility and control of containerized applications.
  • stars QuantifiedCode :warning: - Automated code review & repair.
  • stars Refactoring Essentials - The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers.
  • stars relint - A static file linter that allows you to write custom rules using regular expressions (RegEx).
  • ReSharper :copyright: - Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
  • stars Reviewdog - A tool for posting review comments from any linter in any code hosting service.
  • RIPS :copyright: - A static source code analyser for vulnerabilities in PHP scripts.
  • stars Roslyn Analyzers - Roslyn-based implementation of FxCop analyzers.
  • stars Roslyn Security Guard - Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
  • stars Security Code Scan - Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
  • stars Semgrep - Free, open-source lightweight static analysis for many languages. Find and block bug variants with patterns that look like source code.
  • Semmle QL and LGTM :copyright: - Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for public GitHub/Bitbucket repo: LGTM.com.
  • SensioLabs Insight :copyright: - Detect security risks, find bugs and provide actionable metrics for PHP projects.
  • stars shipshape :warning: - Static program analysis platform that allows custom analyzers to plug in through a common interface.
  • Sider :copyright: - An automated code reviewing tool. Improving developers' productivity.
  • SmartDec Scanner :copyright: - SAST tool which is capable of identifying vulnerabilities and undocumented features. The analyzer scans the source code and executables without debug info (i.e. binaries). Supports: Java/Scala/Kotlin, PHP, C#, JavaScript, TypeScript, VBScript, HTML5, Python, Perl, C/C++, Objective-C/Swift, PL/SQL, T-SQL, ABAP, 1C, Apex, Go, Ruby, Groovy, Delphi, VBA, Visual Basic 6, Solidity, Vyper, COBOL.
  • Snyk :copyright: - Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).
  • SonarCloud :copyright: - Multilanguage cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.
  • stars SonarLint for Visual Studio - SonarLint is an extension for Visual Studio 2015 and 2017 that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
  • stars SonarQube - SonarQube is an open platform to manage code quality.
  • stars Spectral - A flexible JSON/YAML linter, with out of the box support for OpenAPI v2/v3 and AsyncAPI v2.
  • stars standard - An npm module that checks for Javascript Styleguide issues.
  • stars styler - Formatting of R source code files and pretty-printing of R code.
  • stars Super-Linter - Combination of multiple linters to install as a GitHub Action.
  • stars SwiftFormat - A library and command-line formatting tool for reformatting Swift code.
  • Synopsys :copyright: - A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).
  • Teamscale :copyright: - Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available.
  • stars TscanCode - A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license.
  • stars Undebt - Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.
  • stars Unibeautify - Universal code beautifier with a GitHub app. Supports HTML, CSS, JavaScript, TypeScript, JSX, Vue, C++, Go, Objective-C, Java, Python, PHP, GraphQL, Markdown, and more.
  • Upsource :copyright: - Code review tool with static code analysis and code-aware navigation for Java, PHP, JavaScript and Kotlin.
  • Veracode :copyright: - Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.
  • stars Violations Lib - Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.
  • stars WALA - Static analysis capabilities for Java bytecode and related languages and for JavaScript.
  • WhiteHat Application Security Platform :copyright: - WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.
  • stars Wotan - Pluggable TypeScript and JavaScript linter.
  • Xanitizer :copyright: - Xanitizer finds security vulnerabilities in Java/Scala web applications.
  • XCode :copyright: - XCode provides a pretty decent UI for Clang's static code analyzer (C/C++, Obj-C).
  • stars yamllint - Checks YAML files for syntax validity, key repetition and cosmetic problems such as lines length, trailing spaces, and indentation.

Other

Binaries

  • stars BinSkim - A binary static analysis tool that provides security and correctness results for Windows portable executables.
  • stars cwe_checker - cwe_checker finds vulnerable patterns in binary executables.
  • stars Jakstab - Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.
  • stars Manalyze - A static analyzer, which checks portable executables for malicious content.
  • stars Twiggy - Analyzes a binary's call graph to profile code size. The goal is to slim down binaries.

Build tools

  • stars checkmake - Linter / Analyzer for Makefiles.

CSS/SASS/SCSS

Config Files

  • stars dotenv-linter - Linting dotenv files like a charm.
  • stars gixy - A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.

Configuration Management

  • stars ansible-lint - Checks playbooks for practices and behaviour that could potentially be improved.
  • stars cfn-lint - AWS Labs CloudFormation linter.
  • stars cfn_nag - A linter for AWS CloudFormation templates.
  • stars checkov - Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.
  • stars cookstyle - Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks.
  • stars foodcritic - A lint tool that checks Chef cookbooks for common problems.
  • stars Puppet Lint - Check that your Puppet manifests conform to the style guide.
  • stars terraform-compliance - A lightweight, compliance- and security focused, BDD test framework against Terraform.
  • stars terrascan - Collection of security and best practice tests for static code analysis of Terraform templates.
  • stars tflint - A Terraform linter for detecting errors that can not be detected by
    terraform plan
    .

Containers

  • stars anchore - Discover, analyze, and certify container images.
  • stars clair - Vulnerability Static Analysis for Containers.
  • stars collector - Run arbitrary scripts inside containers, and gather useful information.
  • stars dagda - Perform static analysis of known vulnerabilities in docker images/containers.
  • stars Docker Label Inspector - Lint and validate Dockerfile labels.
  • stars Haskell Dockerfile Linter - A smarter Dockerfile linter that helpsyou build best practice Docker images.
  • stars kube-score - Static code analysis of your Kubernetes object definitions.
  • stars kubeval - Validates your Kubernetes configuration files and supports multiple Kubernetes versions.

Deno

Gherkin

  • stars gherkin-lint - A linter for the Gherkin-Syntax written in Javascript.

HTML

  • stars Bootlint - An HTML linter for Bootstrap projects.
  • stars grunt-bootlint - A Grunt wrapper for Bootlint, the HTML linter for Bootstrap projects.
  • stars gulp-bootlint - A gulp wrapper for Bootlint, the HTML linter for Bootstrap projects.
  • stars HTML Inspector :warning: - HTML Inspector is a code quality tool to help you and your team write better markup.
  • stars HTML Tidy - Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards.
  • stars HTMLHint - A Static Code Analysis Tool for HTML.

IDE Plugins

  • stars ale - Asynchronous Lint Engine for Vim and NeoVim with support for many languages.
  • Android Studio - Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint.
  • Attackflow Extension :copyright: - Attackflow plugin for Visual Studio, which enables developers to find critical security bugs at real time in the source code without any prior knowledge.
  • stars DevSkim - Inline, realtime security analysis. Works with multiple programming languages and IDEs (VS, VS Code, Sublime Text, ...).
  • IntelliJ IDEA :copyright: - Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more.
  • stars vint - Fast and Highly Extensible Vim script Language Lint implemented by Python.

LaTeX

  • ChkTeX - A linter for LaTex which catches some typographic errors LaTeX oversees.
  • lacheck - A tool for finding common mistakes in LaTeX documents.
  • stars TeXLab - A Language Server Protocol implementation for TeX/LaTeX, including lint capabilities.

Makefiles

  • portlint - A verifier for FreeBSD and DragonFlyBSD port directories.

Markdown

  • stars markdownlint - Node.js -based style checker and lint tool for Markdown/CommonMark files.
  • stars mdl - A tool to check Markdown files and flag style issues.
  • stars remark-lint - Pluggable Markdown code style linter written in JavaScript.

Mobile

  • Android Lint - Run static analysis on Android projects.
  • stars android-lint-summary - Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once.
  • stars FlowDroid - Static taint analysis tool for Android applications.
  • stars paprika - A toolkit to detect some code smells in analyzed Android applications.
  • stars qark - Tool to look for several security related Android application vulnerabilities.

Packages

  • stars lintian - Static analysis tool for Debian packages.
  • stars rpmlint - Tool for checking common errors in rpm packages.

Protocol Buffers

  • stars protolint - Pluggable linter and fixer to enforce Protocol Buffer style and conventions.

Supporting Tools

  • stars LibVCS4j - A Java library that allows existing tools to analyse the evolution of software systems by providing a common API for different version control systems and issue trackers.

Template-Languages

Translation

  • stars dennis - A set of utilities for working with PO files to ease development and improve quality.

Web services

  • Codacy :copyright: - Code Analysis to ship Better Code, Faster.
  • Code Climate :copyright: - The open and extensible static analysis platform, for everyone.
  • Code Inspector :copyright: - Code quality and technical debt management platform that supports 10+ languages.
  • CodeFactor :copyright: - Automated Code Analysis for repos on GitHub or BitBucket.
  • CodeFlow :copyright: - Automated code analysis tool to deal with technical depth. Integrates with Bitbucket and Gitlab. (free for Open Source Projects)
  • kiuwan :copyright: - Software Analytics in the Cloud supporting more than 22 programming languages.
  • Landscape :warning: :copyright: - Static code analysis for Python.
  • Reshift :copyright: - A source code analysis tool for detecting and managing Java security vulnerabilities.
  • Scrutinizer :copyright: - A proprietary code quality checker that can be integrated with GitHub.

Writing

  • After the Deadline :warning: - Spell, style and grammar checker.
  • stars codespell - Check code for common misspellings.
  • stars languagetool - Style and grammar checker for 25+ languages. It finds many errors that a simple spell checker cannot detect.
  • stars misspell-fixer - Quick tool for fixing common misspellings, typos in source code.
  • stars Misspelled Words In Context - A spell-checker that groups possible misspellings and shows them in their contexts.
  • stars proselint - A linter for English prose with a focus on writing style instead of grammar.
  • stars vale - A customizable, syntax-aware linter for prose.
  • stars write-good - A linter with a focus on eliminating "weasel words".

More collections

  • go-tools - A collection of tools and libraries for working with Go code, including linters and static analysis
  • linters - An introduction to static code analysis
  • php-static-analysis-tools - A reviewed list of useful PHP static analysis tools
  • Tools for C/C++ - A list of static analysis tools for C/C++
  • Wikipedia - A list of tools for static code analysis.

License

CC0

To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work. Title image Designed by Freepik.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.