static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
Other
- ChkTeX
- lacheck
- mdformat
- textlint
- iblessing
- redex
- statix
- lintian
- HasMySecretLeaked
- SearchDiggity - cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
- trufflehog
- solium
- yamllint
- Vetur
- After the Deadline
- alex
- Misspelled Words In Context - checker that groups possible misspellings and shows them in their contexts.
- vale - aware linter for prose built with speed and extensibility in mind.
- Reshift
- PT Application Inspector
- packj - source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
- Qualys Container Security
- LunaSec - ipc happen. Track your dependencies and builds in a centralized service.
- CSSLint
- exakat
- alquitran
- AzSK - as-code. Supports Azure via ARM.
- angr
- binbloom
- BinSkim
- bloaty - Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compile unit that produced it. It will even disassemble the binary looking for references to anonymous data.
- cwe_checker
- Jakstab - based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.
- Malcat - code). Features rapid analysis, embedded file extraction, Yara signature scanning, anomaly detection, and Python scripting. Designed for malware analysts, SOC operators, incident responders, and CTF players.
- Nauz File Detector
- VMware chap - instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.
- checkmake
- CSScomb
- Nu Html Checker
- Specificity Graph
- gixy
- AWS CloudFormation Guard - as-code rules and generate rules from existing templates.
- cfn_nag
- metadata-json-lint
- terrascan
- tfsec
- clair
- Dockle - Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.
- Grype
- krane
- Code Climate
- PullRequest - in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation.
- deno_lint
- Cloud (IaC) Security for JetBrains IDEs - real-time inspections of Docker & Kubernetes IaC with 50+ rules based on Docker image/build security best practices, Kubernetes Pod Security Standards, and NSA/CISA Kubernetes Hardening Guidance.
- oelint-adv - embedded and YOCTO
- Bootlint
- chart-testing
- clusterlint
- klint
- kube-lint - lint will evaluate those rules against them.
- kube-linter
- kubeconform
- markdownlint - based style checker and lint tool for Markdown/CommonMark files.
- mdsf
- Android Lint
- FlowDroid
- deadnix
- lockfile-lint
- rpmlint
- promval
- protolint
- Credential Digger - model). This scanner is able to detect passwords and non structured tokens with a low false positive rate.
- detect-secrets
- Gitleaks
- OWASP Noir
- Rezilion - exploitable vulnerabilities and creates a remediation plan and open tickets to upgrade components that violate your security policy and/or patch automatically in CI.
- scorecard - Security health metrics for Open Source
- Tsunami Security Scanner - like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.
- mythril
- LibVCS4j
- ember-template-lint
- haml-lint
- slim-lint
- codespell
- misspell-fixer
- proselint
- write-good
- Ghidra
- Neurolint-CLI - based transformations.
- tflint
- mdl
- Manalyze
- ansible-lint
- promformat
- axe-core
- Pa11y - core from the command line. Supports CI/CD integration, multiple reporters, and testing against WCAG 2.1 AA standards.
- kube-hunter
- Black Duck
- IDA Free
- rhabdomancer
- zydis - x86-64 disassembler library
- portlint
- CSS Stats
- GraphMyCSS.com
- Project Wallace CSS Analyzer
- dotenv-linter
- cookstyle
- foodcritic
- terraform-compliance - and security focused, BDD test framework against Terraform.
- anchore - defined acceptance policies to allow automated container image validation and certification
- Haskell Dockerfile Linter
- actionlint
- gherkin-lint - Syntax written in Javascript.
- HTML Tidy
- HTMLHint
- kube-score
- TeXLab
- remark-lint
- Oversecured
- MythX - line.
- solhint
- dennis
- commitlint
Programming Languages
- Codepeer - run-time and logic errors.
- Polyspace for Ada - division-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
- SPARK
- gawk --lint
- Astrée - floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
- GCC
- Helix QAC - grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
- KLEE - generate test cases for programs such that the test cases exercise as much of the program as possible.
- PC-lint
- Polyspace Bug Finder - run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- Polyspace Code Prover - division-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
- scan-build
- vera++
- .NET Analyzers
- coffeelint
- Dart Code Metrics - anti-patterns and provides additional rules for Dart analyzer.
- effective_dart
- Fix Insight
- Pascal Analyzer
- Pascal Expert
- elm-review
- dialyzer
- goimports
- gotype
- govulncheck
- test
- Stan - command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
- Haxe Checkstyle
- Closure Compiler
- Luanalysis
- mlint
- DrNim
- nimfmt
- CakeFuzzer - based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
- EasyCodingStandard - [PHP-CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).
- pdepend
- phan
- PHP Coding Standards Fixer - PSR-1, PSR-2, and the Symfony standard.
- PHP Insights
- Php Inspections (EA Extended)
- PHP_CodeSniffer
- PhpMetrics
- PHPStan - discover bugs in your code without running it!
- Psalm
- rector - false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use-cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
- ZPA
- Perl::Critic - best-practices.
- perltidy
- bandit
- Bowler
- deal - bug-free code. By adding a few decorators to your code, you get tests, static analysis, formal verification, and much more for free.
- fixit - fixes for source code.
- jedi
- mypy
- pyanalyze
- PyCodeQual
- pycodestyle
- pydocstyle
- pylint
- Pysa - check to identify potential security issues in Python code identified with taint analysis.
- pyupgrade - pre-commit hook) to automatically upgrade syntax for newer versions of the language.
- radon
- ruff - 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
- unimport