static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
Programming Languages
- sobelow - focused static analysis for the Phoenix Framework.
- elvis
- fantomas
- FSharpLint
- ionide-analyzers
- Fortitude
- aligncheck
- bodyclose
- deadcode
- dogsled
- errcheck
- errwrap
- flen
- go-consistent
- go-critic
- gochecknoglobals
- goconst
- gofumpt - compatible. That is, `gofumpt` is happy with a subset of the formats that `gofmt` is happy with.
- gokart
- golint
- goreporter
- goroutine-inspect
- ineffassign
- misspell
- nakedret
- nargs
- OSV-Scanner
- prealloc
- structslop
- unconvert
- unparam
- wsl
- CodeNarc
- HLint
- Liquid Haskell
- Weeder
- ck - oriented metrics by processing the source Java files.
- Dataflow Framework - strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.
- DesigniteJava
- Doop - to-end (fact generation, processing, statistics, etc.).
- forbidden-apis
- google-java-format
- NullAway - based null-pointer checker with low build-time overhead; an [Error Prone](http://errorprone.info/) plugin.
- RefactorFirst
- Soot
- Violations Lib
- JSLint - The JavaScript Code Quality Tool.
- retire.js
- xo
- JET
- StaticLint
- detekt
- ktfmt
- luacheck
- lualint - based static analysis of global variable usage in Lua source code.
- Sys
- VeriFast - threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.
- churn-php
- composer-dependency-analyser
- dephpend
- deptrac
- DesignPatternDetector
- GrumPHP
- larastan
- mago
- parallel-lint
- Parse
- PHP Architecture Tester
- PHP Assumptions
- PHP Insights
- PHP Refactoring Browser
- PHP-Parser
- php-speller
- PHPArkitect
- phploc
- phpmnd
- PHPQA
- phpqa - jakzal
- phpqa - jmolivas - in-one Analyzer CLI tool.
- Progpilot
- Reflection
- Tuli
- twig-lint - lint is a lint tool for your twig files.
- Perl::Analyzer - Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.
- zarn
- autoflake
- bellybutton - specific rules.
- cohesion
- Dlint
- flake8
- Griffe
- linty fresh
- mbake
- pip-audit - commit hooks, and multiple vulnerability service integrations.
- prospector
- pyflakes
- pylyzers
- pyright
- pyroma
- pytype
- refurb - in linter for Rust.
- Safety
- ty
- vulture
- yapf
- cyclocomp
- flowR - analysis/flowr/wiki/Terminology#program-slice) and [dataflow analyzer](https://en.wikipedia.org/wiki/Data-flow_analysis) for the [R](https://www.r-project.org/) programming language. Its slicer allows you to reduce a complicated program to just the parts relevant to a specific task (e.g., the generation of a single plot or a collection of plots, a significance test, ...). The dataflow analysis provides you with a detailed view of the semantics of the R code, which can greatly improve other analyses. To use _flowR_, check out the [Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=code-inspect.vscode-flowr), the [RStudio Addin](https://github.com/flowr-analysis/rstudio-addin-flowr), the [Docker image](https://hub.docker.com/r/eagleoutice/flowr), or the [R package](https://github.com/flowr-analysis/flowr-r-adapter).
- goodpractice - practice recommendations.
- rco
- Active Record Doctor
- Bullet
- bundler-audit - advisory-db).
- DatabaseConsistency
- dawnscanner
- ERB Lint
- ERB::Formatter
- Fasterer
- Fukuzatsu
- htmlbeautifier
- pelusa - type tool to improve your OO Ruby code.
- reek
- rubycritic
- rufo - editor plugin, to autoformat files on save or on demand.
- Skunk - Find the most complicated code without test coverage!
- Standard Ruby
- Steep
- Traceroute
- cargo udeps
- cargo-breaking - breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
- cargo-call-stack
- cargo-deny
- cargo-expand
- cargo-geiger
- cargo-show-asm - IR and MIR generated for Rust code
- cargo-spellcheck
- cargo-unused-features
- kani - precise model checker for Rust.
- lockbud
- rustfix - party lints, like those offered by clippy).
- rustfmt
- RustViz - flow in Rust programs.
- dbcritic
- pgspot
- sleek
- SQLFluff
- sqlint
- bashate
- kmdr
- shellcheck
- shellharden - automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
- Frink
- Angular ESLint
- ENRE-ts - ts is a ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.
- this issue - eslint` is now your best option for linting TypeScript.
- TypeScript Call Graph
- TypeScript ESLint
- svls
- verible-linter-action
- vscode-verilog-hdl-support
- Twiggy
- wasm-language-tools - of-the-box formatter (a.k.a. pretty printer) for WebAssembly Text Format.
- Checker Framework - checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
- WAP
- fprettify - formatter for modern fortran source code, written in Python.
- PHP Semantic Versioning Checker
- wily - line tool for archiving, exploring and graphing the complexity of Python source code.
- `radon`
- Roodi
- TangleGuard
- CodeDepends
- gocyclo
- Code Pathfinder - source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. Built for advanced structural search, derive insights, find vulnerabilities in code.
- clj-kondo
- fb-contrib
- deprecation-detector
- lintr
- scapegoat
- Designite
- DesigniteJava
- Dodgy
- pyre-check
- lll
- pyrefly
- JLiSA - based static analyzer for Java built upon the [LiSA](https://github.com/lisa-analyzer/lisa) framework.
- Pyra - level linter static analyzer for data science applications written in Python, that helps developers identify potential issues in their data science code written in Python, as an extension of [Lyra](https://github.com/caterinaurban/Lyra).
- dupl
- goast
- Rudra
- Scalastyle
- tern - editor language support.
Keywords
- static-analysis (45)
- linter (40)
- security (23)
- python (20)
- go (19)
- golang (19)
- php (16)
- static-code-analysis (15)
- lint (15)
- rust (12)
- security-tools (11)
- formatter (11)
- kubernetes (10)
- ruby (9)
- cli (9)
- static-analyzer (8)
- code-quality (8)
- java (7)
- typescript (7)
- javascript (6)
- linters (6)
- docker (6)
- vulnerabilities (6)
- code-analysis (6)
- eslint (6)
- security-audit (6)
- devsecops (6)
- security-scanner (5)
- vulnerability (5)
- analyzer (5)
- containers (5)
- compliance (5)
- ast (4)
- nodejs (4)
- architecture (4)
- best-practices (4)
- quality (4)
- vulnerability-scanners (4)
- program-analysis (4)
- tool (4)
- testing (4)
- sast (4)
- linting (4)
- elixir (4)
- cargo (4)
- analysis (4)
- complexity (3)
- reverse-engineering (3)
- optimization (3)
- code-metrics (3)