Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
Last synced: 4 days ago
Programming Languages
- flay
- flog
- ameba
- ruby-lint
- crystal - in linting functionality.
- abaplint
- abapOpenChecks
- Codepeer - time and logic errors.
- Polyspace for Ada - by-zero, out-of-bounds array access, and certain other run-time errors in source code.
- SPARK
- gawk --lint
- Astrée - point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
- CBMC - checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
- clang-tidy - based C++ linter tool with the (limited) ability to fix issues, too.
- CPAchecker
- cppcheck
- CppDepend
- cpplint
- CScout
- ESBMC - bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
- flawfinder
- Frama-C
- GCC
- Helix QAC - grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
- Joern - source code analysis platform for C/C++ based on code property graphs
- KLEE - generate test cases for programs such that the test cases exercise as much of the program as possible.
- LDRA
- PC-lint
- Phasar - based static analysis framework which comes with a taint and type state analysis.
- Polyspace Bug Finder - time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- Polyspace Code Prover - by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
- scan-build
- splint - assisted static program checker.
- SVF
- TrustInSoft Analyzer - of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
- vera++
- .NET Analyzers
- code-cracker
- Designite
- Gendarme
- NDepend
- Puma Scan
- Roslynator
- clj-kondo
- coffeelint
- Fixinator
- Dart Code Metrics - patterns and provides additional rules for Dart analyzer.
- effective_dart
- Linter for dart
- Fix Insight
- Pascal Analyzer
- Pascal Expert
- elm-analyse
- elm-review
- dialyzer
- FSharpLint
- fprettify - formatter for modern fortran source code, written in Python.
- i-Code CNES for Shell
- go vet
- goimports
- go/ast
- gofmt -s
- GolangCI-Lint - Lint is a linters aggregator.
- gosec (gas)
- gotype
- govulncheck
- revive - in replacement of golint.
- safesql
- staticcheck
- CodeNarc
- test
- Stan - line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
- Haxe Checkstyle
- Checker Framework - checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
- checkstyle
- ckjm - oriented metrics by processing the bytecode of compiled Java files.
- CogniCrypt
- DesigniteJava
- Error Prone - time errors.
- fb-contrib
- IntelliJ IDEA
- JArchitect
- JBMC - checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
- OWASP Dependency Check
- qulice - configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
- Soot
- Spoon - designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
- SpotBugs
- aether
- Closure Compiler
- DeepScan
- escomplex - family abstract syntax trees.
- Esprima
- flow
- hegel
- jshint - Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
- JSLint - The JavaScript Code Quality Tool.
- JSPrime
- retire.js
- RSLint
- tern - editor language support.
- TypL
- detekt
- diktat - fixes code smells.
- ktlint - bikeshedding Kotlin linter with built-in formatter.
- Luanalysis
- mlint
- DrNim
- nimfmt
- CakeFuzzer - based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
- deptrac
- EasyCodingStandard - CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).
- pdepend
- phan
- PHP Coding Standards Fixer - 1, PSR-2, and the Symfony standard.
- PHP Insights
- Php Inspections (EA Extended)
- PHP_CodeSniffer
- phpDocumentor
- PHPMD
- PhpMetrics
- PHPStan - discover bugs in your code without running it!
- Psalm
- rector - positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
- WAP
- ZPA
- Perl::Critic - practices.
- perltidy
- autopep8
- bandit
- Black
- Bowler
- deal - free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.
- fixit - fixes for source code.
- jedi
- mccabe
- mypy
- prospector
- pyanalyze
- PyCodeQual
- pycodestyle
- pydocstyle
- pyflakes
- pylint
- pyre-check
- Pysa - check to identify potential security issues in Python code identified with taint analysis.
- pyupgrade - commit hook) to automatically upgrade syntax for newer versions of the language.
- radon
- ruff - 100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
- unimport
- wemake-python-styleguide
- xenon
- lintr
- styler - printing of R code.
- Railroader
- rails_best_practices
- RuboCop
- ruby-lint
- SandiMeter
- Sorbet
- Standard Ruby
- C2Rust - compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
- cargo-audit - db/).
- cargo-semver-checks - plz`. It found semver violations in [more than 1 in 6 of the top 1000 most-downloaded crates](https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/) on crates.io.
- clippy
- diff.rs
- dylint
- Prusti
- Rust Language Server
- rust-analyzer
- holistic
- SQLFluff
- squawk
- Visual Expert
- Scalastyle
- scapegoat
- WartRemover
- sh
- shellcheck
- SwiftFormat - line formatting tool for reformatting Swift code.
- SwiftLint
- Frink
- Nagelfar
- tclchecker
- Codelyzer
- fta - based static analysis for TypeScript projects
- stc
- tslint-clean-code
- zod - first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.
- Verilator - accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.
- STOKE - language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.
- clazy - oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
- CMetrics
- cqmetrics
- goodpractice - practice recommendations.
- ENRE-cpp - cpp is a ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)
- IKOS
- Regal
- MIRAI - level intermediate language, and providing warnings based on taint analysis.
- electrolysis
Other
- packj - source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
- Reviewdog
- RefactorFirst
- NodeJSScan
- Reshift
- brakeman
- prospector
- GitGuardian ggshield
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- Steampunk Spotter
- Black Duck
- Ghidra
- Hopper - code of a procedure. Supports Apple Silicon.
- IDA Free
- JEB Decompiler
- ktool - platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
- zydis - 64 disassembler library
- portlint
- CSS Stats
- GraphMyCSS.com
- PostCSS
- Project Wallace CSS Analyzer
- scsslint
- Specificity Graph
- Stylelint
- dotenv-linter
- dotenv-linter (Rust) - fast linter for .env files. Written in Rust
- ansible-lint
- cfn-lint
- checkov
- cookstyle
- foodcritic
- terraform-compliance - and security focused, BDD test framework against Terraform.
- terrascan
- tflint
- tfsec
- clair
- Haskell Dockerfile Linter
- OpenSCAP - certified Security Content Automation Protocol (SCAP).
- Qualys Container Security
- sysdig
- Vuls - less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although is not a container specific tool.
- Code Climate
- Codecov
- exakat
- Nitpick CI
- PullRequest - in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation.
- HTML Tidy
- HTML-Validate
- HTMLHint
- jsonlint
- Spectral - of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
- Datree
- Oversecured
- kube-score
- Kubeval
- kubeval
- ChkTeX
- lacheck
- mdformat
- mdl
- remark-lint
- textlint
- goreporter
- iblessing
- redex
- statix
- standard
- lintian
- buf
- Gitleaks
- HasMySecretLeaked
- LunaSec - ipc happen. Track your dependencies and builds in a centralized service.
- PT Application Inspector
- SearchDiggity - site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
- trufflehog
- MythX - line.
- slither
- solium
- yamllint
- Vetur
- After the Deadline
- alex
- languagetool
- Misspelled Words In Context - checker that groups possible misspellings and shows them in their contexts.
- proselint
- vale - aware linter for prose built with speed and extensibility in mind.
- commitlint
- Goblint - threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
- Enlightn
- Polymer-analyzer
- flakeheaven
- Symfony Insight
- Mariana Trench
- CSSLint
- Diffblue - powered code analysis and testing solutions for software development teams.
Multiple languages
- ale
- Android Studio
- AppChecker
- Application Inspector
- ArchUnit
- Atom-Beautify - C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor.
- Axivion Bauhaus Suite - prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
- Better Code Hub
- biome
- BugProve
- CAST Highlight
- Checkmarx CxSAST - compilation.
- Clayton - powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
- coala - supports [over 60 languages](https://coala.io/languages) by default.
- Cobra
- Codacy
- Code Intelligence - agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage
- Codeac - hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free)
- codechecker
- CodeFactor
- CodeFlow
- CodeIt.Right
- CodePatrol
- CodeQue
- CodeRush
- CodeScan
- CodeScene
- CodeSee
- CodeSonar from GrammaTech - to-understand explanations and code and path visualization.
- Codiga
- Synopsys
- DeepCode
- DeepSource - depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
- Embold
- ezno
- Find Security Bugs
- Fortify - C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
- Goodcheck
- graudit - source code auditing tool.
- HCL AppScan Source
- Hound CI
- Infer - C
- Kiuwan
- Klocwork
- LGTM
- MOPSA
- oclint - C.
- Offensive 360 - compilation.
- OpenRewrite - recipes/popular-recipe-guides/common-static-analysis-issue-remediation) reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.
- oxc - performance tools for the JavaScript / TypeScript language re-written in Rust.
- parasoft - , API-, and web UI testing. Complies with MISRA, OWASP, and others.
- pfff - preserving source transformation for many languages.
- PMD
- pre-commit - language pre-commit hooks.
- Prettier
- PVS-Studio - studio.com/en/order/open-source-license) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding standards.
- Qwiet AI
- Refactoring Essentials
- ReSharper - the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
- RIPS
- Rome - status) for JavaScript, TypeScript, JSON, HTML, Markdown, and CSS. It has since been succeeded by [biome](https://biomejs.dev/).
- Rome Formatter - tolerant code formatter for JS/TS written in Rust. Superseded by [biome](https://biomejs.dev/).
- Security Code Scan
- Similarity Tester
- SafeQL - generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.
- SAST Online
- Scanmycode CE (Community Edition) - Code Scanning/SAST/Linting using many tools/Scanners with One Report
- Scrutinizer
- Semgrep - source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
- Semgrep Supply Chain - priority security issues. Semgrep Supply Chain prioritizes the 2% of vulnerabilities that are reachable from your code.
- Snyk Code
- SonarCloud - language cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.
- SonarLint for Visual Studio - the-fly feedback to developers on new bugs and quality issues injected into .NET code.
- SonarQube
- Sonatype
- Soto Platform
- SourceMeter - form).
- StaticReviewer - in validation rules for Security, Deadcode & Best Practices. A module for Software Composition Analysis (SCA) is available to find vulnerabilities in open source and third party libraries.
- Svace
- Teamscale
- TencentCodeAnalysis - named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consists of three components: server, web and client. It integrates a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
- trunk - simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.
- Understand
- Unibeautify - C, Java, Python, PHP, GraphQL, Markdown, and more.
- Upsource - aware navigation for Java, PHP, JavaScript and Kotlin.
- Veracode - C, C, C++ and more.
- WhiteHat Application Security Platform
- XCode - analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C).
- Codemodder - trivial security issues and other code quality problems.
- Sigrid
- Bearer - Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.
- DevSkim - based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
- Freeplane Code Explorer
- Mobb - source projects.