Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
- Github sponsors page
- awesome-dynamic-analysis
- abaplint
- abapOpenChecks
- Codepeer - time and logic errors.
- Polyspace for Ada - by-zero, out-of-bounds array access, and certain other run-time errors in source code.
- SPARK
- STOKE - language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.
- gawk --lint
- Astrée - point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
- CBMC - checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
- clang-tidy - based C++ linter tool with the (limited) ability to fix issues, too.
- clazy - oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
- CMetrics
- CPAchecker
- cppcheck
- CppDepend
- cpplint
- cqmetrics
- CScout
- ESBMC - bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
- flawfinder
- flint++ - platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
- Frama-C
- GCC
- Goblint - threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
- Helix QAC - grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
- IKOS
- Joern - source code analysis platform for C/C++ based on code property graphs
- KLEE - generate test cases for programs such that the test cases exercise as much of the program as possible.
- LDRA
- MATE - specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.
- PC-lint
- Phasar - based static analysis framework which comes with a taint and type state analysis.
- Polyspace Bug Finder - time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- Polyspace Code Prover - by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
- scan-build
- splint - assisted static program checker.
- SVF
- TrustInSoft Analyzer - of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
- vera++
- .NET Analyzers
- ArchUnitNET
- code-cracker
- CSharpEssentials
- Designite
- Gendarme
- Infer#
- Meziantou.Analyzer
- NDepend
- Puma Scan
- Roslynator
- SonarAnalyzer.CSharp
- VSDiagnostics
- Wintellect.Analyzers
- Astrée - point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
- CBMC - checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
- clang-tidy - based C++ linter tool with the (limited) ability to fix issues, too.
- clazy - oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
- CMetrics
- cppcheck
- CppDepend
- cpplint
- cqmetrics
- CScout
- ESBMC - bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
- flawfinder
- flint++ - platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
- Frama-C
- Helix QAC - grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
- IKOS
- Joern - source code analysis platform for C/C++ based on code property graphs
- KLEE - generate test cases for programs such that the test cases exercise as much of the program as possible.
- LDRA
- MATE - specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.
- PC-lint
- Phasar - based static analysis framework which comes with a taint and type state analysis.
- Polyspace Bug Finder - time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- Polyspace Code Prover - by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
- scan-build
- splint - assisted static program checker.
- SVF
- TrustInSoft Analyzer - of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
- vera++
- clj-kondo
- coffeelint
- Fixinator
- ameba
- crystal - in linting functionality.
- Dart Code Metrics - patterns and provides additional rules for Dart analyzer.
- effective_dart
- lint - driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter
- Linter for dart
- DelphiLint - the-fly code analysis and linting, powered by SonarDelphi.
- Fix Insight
- Pascal Analyzer
- Pascal Expert
- SonarDelphi
- D-scanner - Scanner is a tool for analyzing D source code.
- credo
- dialyxir
- sobelow - focused static analysis for the Phoenix Framework.
- elm-analyse
- elm-review
- dialyzer
- elvis
- Primitive Erlang Security Tool (PEST)
- FSharpLint
- fprettify - formatter for modern fortran source code, written in Python.
- i-Code CNES for Fortran
- aligncheck
- bodyclose
- deadcode
- dingo-hunter
- dogsled
- dupl
- errcheck
- errwrap
- flen
- Go Meta Linter - lint` for new projects.
- go tool vet --shadow
- go vet
- go-consistent
- go-critic
- go/ast
- goast
- gochecknoglobals
- goconst
- gocyclo
- gofmt -s
- gofumpt - compatible. That is, `gofumpt` is happy with a subset of the formats that `gofmt` is happy with.
- goimports
- gokart
- GolangCI-Lint - Lint is a linters aggregator.
- golint
- goreporter
- goroutine-inspect
- gosec (gas)
- gotype
- govulncheck
- ineffassign
- interfacer
- lll
- maligned
- misspell
- nakedret
- nargs
- prealloc
- Reviewdog
- revive - in replacement of golint.
- safesql
- shisho
- staticcheck
- structcheck
- structslop
- test
- unconvert
- unparam
- varcheck
- wsl
- CodeNarc
- brittany
- HLint
- Liquid Haskell
- Stan - line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
- Weeder
- Haxe Checkstyle
- Checker Framework - checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
- checkstyle
- ck - oriented metrics by processing the source Java files.
- ckjm - oriented metrics by processing the bytecode of compiled Java files.
- CogniCrypt
- Dataflow Framework - strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.
- DesigniteJava
- Diffblue - powered code analysis and testing solutions for software development teams.
- Doop - to-end (fact generation, processing, statistics, etc.).
- Error Prone - time errors.
- fb-contrib
- forbidden-apis
- google-java-format
- HuntBugs
- IntelliJ IDEA
- JArchitect
- JBMC - checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
- Mariana Trench
- NullAway - based null-pointer checker with low build-time overhead; an [Error Prone](http://errorprone.info/) plugin.
- OWASP Dependency Check
- qulice - configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
- RefactorFirst
- Soot
- Spoon - designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
- SpotBugs
- steady - source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy.
- Violations Lib
- aether
- Closure Compiler
- ClosureLinter
- complexity-report
- DeepScan
- es6-plato
- escomplex - family abstract syntax trees.
- Esprima
- flow
- hegel
- jshint - tools-dev/static-analysis/issues/223>) — Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
- JSLint - tools-dev/static-analysis/issues/223>) — The JavaScript Code Quality Tool.
- JSPrime
- NodeJSScan
- plato
- Polymer-analyzer
- retire.js
- RSLint
- standard
- tern - editor language support.
- TypL
- xo
- yardstick
- JET
- StaticLint
- detekt
- diktat - fixes code smells.
- ktfmt
- ktlint - bikeshedding Kotlin linter with built-in formatter.
- luacheck
- lualint - based static analysis of global variable usage in Lua source code.
- Luanalysis
- mlint
- DrNim
- nimfmt
- Sys
- VeriFast - threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.
- CakeFuzzer - based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the CakePHP framework, CakeFuzzer launches attacks on all potential application entry points.
- churn-php
- composer-dependency-analyser
- dephpend
- deprecation-detector
- deptrac
- DesignPatternDetector
- EasyCodingStandard - CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).
- Enlightn
- exakat
- GrumPHP
- larastan
- Mondrian
- Nitpick CI
- parallel-lint
- Parse
- pdepend
- phan
- PHP Architecture Tester
- PHP Assumptions
- PHP Coding Standards Fixer - 1, PSR-2, and the Symfony standard.
- PHP Insights
- Php Inspections (EA Extended)
- PHP Refactoring Browser
- PHP Semantic Versioning Checker
- PHP-Parser
- php-speller
- PHP-Token-Reflection
- php7cc
- php7mar
- PHP_CodeSniffer
- PHPArkitect
- phpca - built-in extensions.
- phpcpd
- phpdcd
- PhpDependencyAnalysis
- PhpDeprecationDetector - directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions).
- phpdoc-to-typehint
- phpDocumentor
- phploc
- PHPMD
- PhpMetrics
- phpmnd
- PHPQA
- phpqa - jakzal
- phpqa - jmolivas - in-one Analyzer CLI tool.
- phpsa
- PHPStan - discover bugs in your code without running it!
- Progpilot
- Psalm
- Qafoo Quality Analyzer
- rector - positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
- Reflection
- Symfony Insight
- Tuli
- twig-lint - lint is a lint tool for your twig files.
- WAP
- ZPA
- Perl::Analyzer - Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.
- Perl::Critic - practices.
- perltidy
- zarn
- autoflake
- autopep8
- bandit
- bellybutton - specific rules.
- Black
- Bowler
- ciocheck
- cohesion
- deal - free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.
- Dlint
- Dodgy
- fixit - fixes for source code.
- flake8
- flakeheaven
- InspectorTiger - defined handlers which warn you about improvements and possible bugs. Besides these handlers, you can write your own or use community ones.
- jedi
- linty fresh
- mccabe
- multilint
- mypy
- prospector
- py-find-injection
- pyanalyze
- PyCodeQual
- pycodestyle
- pydocstyle
- pyflakes
- pylint
- pylyzers
- pyre-check
- pyright
- pyroma
- Pysa - check to identify potential security issues in Python code identified with taint analysis.
- PyT - Python Taint
- pytype
- pyupgrade - commit hook) to automatically upgrade syntax for newer versions of the language.
- QuantifiedCode
- radon
- refurb - in linter for Rust.
- ruff - 100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
- unimport
- vulture
- wemake-python-styleguide
- wily - line tool for archiving, exploring and graphing the complexity of Python source code.
- xenon
- yapf
- cyclocomp
- goodpractice - practice recommendations.
- lintr
- styler - printing of R code.
- Regal
- brakeman
- bundler-audit - advisory-db).
- cane
- Churn
- dawnscanner
- ERB Lint
- Fasterer
- flay
- flog
- Fukuzatsu
- htmlbeautifier
- laser
- MetricFu
- pelusa - type tool to improve your OO Ruby code.
- quality
- Querly
- Railroader
- rails_best_practices
- reek
- Roodi
- RuboCop
- Rubrowser
- ruby-lint
- rubycritic
- rufo - editor plugin, to autoformat files on save or on demand.
- Saikuro
- SandiMeter
- Sorbet
- Standard Ruby
- Steep
- C2Rust - compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
- cargo udeps
- cargo-audit - db/).
- cargo-bloat - O (macOS) and PE (Windows) binaries.
- cargo-breaking - breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
- cargo-call-stack
- cargo-deny
- cargo-expand
- cargo-geiger
- cargo-inspect
- cargo-semver-checks - plz`. It found semver violations in [more than 1 in 6 of the top 1000 most-downloaded crates](https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/) on crates.io.
- cargo-show-asm - IR and MIR generated for Rust code
- cargo-spellcheck
- cargo-unused-features
- clippy
- diff.rs
- dylint
- electrolysis
- herbie
- kani - precise model checker for Rust.
- linter-rust - files in Atom, using rustc and cargo.
- lockbud
- MIRAI - level intermediate language, and providing warnings based on taint analysis.
- prae
- Prusti
- Rudra
- Rust Language Server
- rust-analyzer
- rust-audit
- rustfix - party lints, like those offered by clippy).
- rustfmt
- RustViz - flow in Rust programs.
- warnalyzer - crate Rust projects
- dbcritic
- holistic
- pgspot
- sleek
- sqlcheck - patterns in SQL queries.
- SQLFluff
- sqlint
- squawk
- tsqllint - SQL-specific linter.
- TSqlRules
- Visual Expert
- linter - time checks for various possible bugs, inefficiencies, and style problems.
- Scalastyle
- scapegoat
- WartRemover
- bashate
- i-Code CNES for Shell
- kmdr
- sh
- shellcheck
- shellharden - automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
- SwiftFormat - line formatting tool for reformatting Swift code.
- SwiftLint
- Tailor
- Frink
- Nagelfar
- tclchecker
- Angular ESLint
- Codelyzer
- fta - based static analysis for TypeScript projects
- stc
- tslint - eslint` is now your best option for linting TypeScript.
- tslint-clean-code
- tslint-microsoft-contrib
- TypeScript Call Graph
- TypeScript ESLint
- zod - first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.
- Icarus Verilog - 1364 Verilog into some target format
- svls
- verible-linter-action
- Verilator - accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.
- vscode-verilog-hdl-support
- vint
- ale
- Android Studio
- AppChecker
- Application Inspector
- ApplicationInspector
- ArchUnit
- Atom-Beautify - C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor.
- autocorrect
- Axivion Bauhaus Suite - prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
- Bearer - Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.
- Better Code Hub
- Betterscan - Betterscan.io checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrations available) for security and quality issues. Code Scanning/SAST/Linting using many tools/scanners, deduplicated into one report (AI optional). Free to use in a noncommercial way; commercial use requires a license.
- biome
- BugProve
- callGraph
- CAST Highlight
- Checkmarx CxSAST - compilation.
- ClassGraph
- Clayton - powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
- coala - supports [over 60 languages](https://coala.io/languages) by default.
- Cobra
- Codacy
- Code Intelligence - agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage
- Codeac - hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free)
- codeburner
- codechecker
- CodeFactor
- CodeFlow
- CodeIt.Right
- Codemodder - trivial security issues and other code quality problems.
- CodePatrol
- codeql - semantic queries and dataflow for several languages with VSCode plugin support.
- CodeQue
- CodeRush
- CodeScan
- CodeScene
- CodeSee
- CodeSonar from GrammaTech - to-understand explanations and code and path visualization.
- Codiga
- Corrode - automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.
- Coverity
- cpp-linter-action - tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.
- cqc
- DeepCode
- DeepSource - depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
- Depends
- DevSkim - based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
- dotnet-format - format is able to format C# and Visual Basic projects with a subset of supported `.editorconfig` options.
- Embold
- emerge
- ESLint
- ezno
- Find Security Bugs
- Fortify - C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
- Goodcheck
- goone
- graudit - source code auditing tool.
- HCL AppScan Source
- Hopper
- Hound CI
- imhotep
- include-gardener - language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all `#include` relations of a given set of files.
- Infer - C
- Kiuwan
- Klocwork
- LGTM
- lizard - paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
- Mega-Linter - Linter can handle any type of project thanks to its 70+ embedded Linters,
- Mobb - source projects.
- MOPSA
- oclint - C.
- Offensive 360 - compilation.
- OpenRewrite - recipes/popular-recipe-guides/common-static-analysis-issue-remediation) reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.
- OpenStaticAnalyzer
- oxc - performance tools for the JavaScript / TypeScript language re-written in Rust.
- parasoft - , API-, and web UI testing. Complies with MISRA, OWASP, and others.
- pfff - preserving source transformation for many languages.
- Pixee - ready pull requests with recommended fixes.
- PMD
- pre-commit - language pre-commit hooks.
- Prettier
- Pronto
- PT.PM - SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL.
- Putout - in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.
- PVS-Studio - studio.com/en/order/open-source-license) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding standards.
- pylama
- Qwiet AI
- Refactoring Essentials
- relint
- ReSharper - the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
- RIPS
- Roslyn Analyzers - based implementation of FxCop analyzers.
- Roslyn Security Guard - site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
- SafeQL - generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.
- SAST Online
- Scrutinizer
- Security Code Scan
- Semgrep - source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
- Semgrep Supply Chain - priority security issues. Semgrep Supply Chain prioritizes the 2% of vulnerabilities that are reachable from your code.
- ShiftLeft Scan - source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.
- shipshape
- Sigrid
- Similarity Tester
- Snyk Code
- SonarCloud
- SonarLint - time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.
- SonarQube
- Sonatype
- Soto Platform
- SourceMeter - form).
- sqlvet - and column names.
- StaticReviewer - in validation rules for Security, Deadcode & Best Practices. A module for Software Composition Analysis (SCA) is also available to find vulnerabilities in open source and third party libraries.
- Super-Linter
- Svace
- Synopsys
- Teamscale
- TencentCodeAnalysis - named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consists of three components: server, web and client. It integrates a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
- ThreatMapper - of-exploit.
- todocheck
- trivy
- trunk - simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.
- TscanCode
- Undebt - independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.
- Understand
- Unibeautify - C, Java, Python, PHP, GraphQL, Markdown, and more.
- Upsource - aware navigation for Java, PHP, JavaScript and Kotlin.
- Veracode - C, C, C++ and more.
- WALA
- weggli
- WhiteHat Application Security Platform
- Wotan
- XCode - analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C).
- GitGuardian ggshield
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- Steampunk Spotter
- alquitran
- packj - source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
- pure - 8 filenames, directory and symlink traversals, invalid MS-DOS dates, overlapping headers, overflow, underflow, sparseness, accidental buffer bleeds etc.
- AzSK - as-code. Supports Azure via ARM.
- angr
- binbloom
- BinSkim
- Black Duck
- bloaty - O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compile unit that produced it. It will even disassemble the binary looking for references to anonymous data. F
- cargo-bloat - O (macOS) and PE (Windows) binaries.
- cwe_checker
- Ghidra
- Hopper
- IDA Free
- Jakstab - based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.
- JEB Decompiler
- ktool - platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
- Manalyze
- mcsema
- Nauz File Detector
- rust-audit
- Twiggy
- VMware chap - instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.
- zydis - 64 disassembler library
- checkmake
- portlint
- CSS Stats
- CSScomb
- CSSLint
- GraphMyCSS.com
- Nu Html Checker
- Parker
- PostCSS
- Project Wallace CSS Analyzer
- sass-lint - only Sass linter for both sass and scss syntax.
- scsslint
- Specificity Graph
- Stylelint
- dotenv-linter
- dotenv-linter (Rust) - fast linter for .env files. Written in Rust
- gixy
- ansible-lint
- AWS CloudFormation Guard - as-code rules and generate rules from existing templates.
- AzSK - as-code. Supports Azure via ARM.
- cfn-lint
- cfn_nag
- checkov
- cookstyle
- foodcritic
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- metadata-json-lint
- Puppet Lint
- Steampunk Spotter
- terraform-compliance - and security focused, BDD test framework against Terraform.
- terrascan
- tflint
- tfsec
- anchore - defined acceptance policies to allow automated container image validation and certification
- clair
- collector
- dagda
- Docker Label Inspector
- GitGuardian ggshield
- Haskell Dockerfile Linter
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- krane
- OpenSCAP - certified Security Content Automation Protocol (SCAP).
- Qualys Container Security
- sysdig
- Vuls - less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although it is not a container-specific tool.
- actionlint
- AzSK - as-code. Supports Azure via ARM.
- Code Climate
- Codecov
- composer-dependency-analyser
- Diffblue - powered code analysis and testing solutions for software development teams.
- exakat
- GitGuardian ggshield
- Goblint - threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
- Nitpick CI
- PullRequest - in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation.
- quality
- QuantifiedCode
- RefactorFirst
- Reviewdog
- Symfony Insight
- Violations Lib
- deno_lint
- oelint-adv - embedded and YOCTO
- ERB Lint
- htmlbeautifier
- gherkin-lint - Syntax written in Javascript.
- Angular ESLint
- Bootlint
- ERB Lint
- grunt-bootlint
- gulp-bootlint
- HTML Inspector
- HTML Tidy
- HTML-Validate
- htmlbeautifier
- HTMLHint
- Nu Html Checker
- Polymer-analyzer
- jsonlint
- Spectral - of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
- chart-testing
- clusterlint
- Datree
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- klint
- krane
- kube-hunter
- kube-lint - lint will evaluate those rules against them.
- kube-linter
- kube-score
- kubeconform
- Kubeval
- KubeLinter
- kubeval
- ChkTeX
- lacheck
- TeXLab
- Enlightn
- larastan
- checkmake
- portlint
- markdownlint - based style checker and lint tool for Markdown/CommonMark files.
- mdformat
- mdl
- remark-lint
- textlint
- ciocheck
- flake8
- flakeheaven
- Go Meta Linter - lint` for new projects.
- goreporter
- multilint
- prospector
- Android Lint
- android-lint-summary - projects at once.
- FlowDroid
- iblessing
- Mariana Trench
- Oversecured
- paprika
- qark
- redex
- deadnix
- statix
- lockfile-lint
- njsscan - aware semantic code pattern search tool semgrep.
- NodeJSScan
- standard
- composer-dependency-analyser
- lintian
- rpmlint
- promformat
- promval
- buf
- protolint
- metadata-json-lint
- dawnscanner
- AzSK - as-code. Supports Azure via ARM.
- brakeman
- Credential Digger - model). This scanner is able to detect passwords and non structured tokens with a low false positive rate.
- Datree
- detect-secrets
- Enlightn
- GitGuardian ggshield
- Gitleaks
- gokart
- HasMySecretLeaked
- iblessing
- kani - precise model checker for Rust.
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- ktool - platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
- kube-hunter
- lockfile-lint
- LunaSec - ipc happen. Track your dependencies and builds in a centralized service.
- njsscan - aware semantic code pattern search tool semgrep.
- NodeJSScan
- Oversecured
- PT Application Inspector
- Qualys Container Security
- QuantifiedCode
- Rezilion - exploitable vulnerabilities, creates a remediation plan and opens tickets to upgrade components that violate your security policy and/or patches automatically in CI.
- scorecard - Security health metrics for Open Source
- SearchDiggity - site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
- Steampunk Spotter
- Symfony Insight
- tfsec
- trufflehog
- Tsunami Security Scanner - like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.
- mythril
- MythX - line.
- slither
- solhint
- solium
- LibVCS4j
- RefactorFirst
- Violations Lib
- ember-template-lint
- haml-lint
- slim-lint
- yamllint
- GitGuardian ggshield
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- shisho
- dennis
- HTML-Validate
- Vetur
- Twiggy
- After the Deadline
- alex
- codespell
- languagetool
- misspell-fixer
- Misspelled Words In Context - checker that groups possible misspellings and shows them in their contexts.
- proselint
- vale - aware linter for prose built with speed and extensibility in mind.
- write-good
- Spectral - of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
- yamllint
- commitlint
- GitGuardian ggshield
- HasMySecretLeaked
- Clean code linters
- Code Quality Checker Tools For PHP Projects
- go-tools
- linters
- OWASP Source Code Analysis Tools
- php-static-analysis-tools
- Wikipedia
- CC0
- Matthias Endler
- Designed by Freepik
Keywords (with counts)
- static-analysis (50)
- linter (47)
- security (22)
- golang (20)
- php (20)
- go (18)
- static-code-analysis (18)
- python (17)
- lint (16)
- rust (14)
- formatter (10)
- ruby (10)
- security-tools (10)
- java (9)
- code-quality (9)
- code-analysis (8)
- kubernetes (8)
- javascript (8)
- typescript (7)
- static-analyzer (7)
- analyzer (7)
- linters (6)
- program-analysis (6)
- cli (6)
- best-practices (6)
- eslint (6)
- analysis (5)
- ast (5)
- cargo (5)
- security-scanner (5)
- sql (4)
- docker (4)
- elixir (4)
- security-audit (4)
- testing (4)
- devsecops (4)
- nodejs (4)
- compliance (4)
- linting (4)
- checker (4)
- metrics (4)
- cargo-plugin (3)
- eslint-plugin (3)
- architecture (3)
- style-linter (3)
- terraform (3)
- lua (3)
- kotlin (3)
- code-metrics (3)
- vulnerabilities (3)