static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
Programming Languages
- Traceroute
- cargo udeps
- cargo-breaking - breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
- cargo-call-stack
- cargo-deny
- cargo-expand
- cargo-geiger
- cargo-show-asm - IR and MIR generated for Rust code
- cargo-spellcheck
- cargo-unused-features
- kani - precise model checker for Rust.
- lockbud
- rustfix - party lints, like those offered by clippy).
- rustfmt
- RustViz - flow in Rust programs.
- dbcritic
- pgspot
- sleek
- SQLFluff
- sqlint
- bashate
- kmdr
- shellcheck
- shellharden - automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
- Frink
- Angular ESLint
- ENRE-ts - ts is an ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.
- this issue - eslint` is now your best option for linting TypeScript.
- TypeScript Call Graph
- TypeScript ESLint
- svls
- verible-linter-action
- vscode-verilog-hdl-support
- Twiggy
- wasm-language-tools - of-the-box formatter (a.k.a. pretty printer) for WebAssembly Text Format.
- Checker Framework - checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
- WAP
- fprettify - formatter for modern fortran source code, written in Python.
- PHP Semantic Versioning Checker
- wily - line tool for archiving, exploring and graphing the complexity of Python source code.
- `radon`
- Roodi
- TangleGuard
- CodeDepends
- gocyclo
- Code Pathfinder - source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. Built for advanced structural search, deriving insights, and finding vulnerabilities in code.
- clj-kondo
- fb-contrib
- deprecation-detector
- lintr
- scapegoat
- Designite
- DesigniteJava
- Dodgy
- pyre-check
- lll
- pyrefly
- JLiSA - based static analyzer for Java built upon the [LiSA](https://github.com/lisa-analyzer/lisa) framework.
- Pyra - level linter static analyzer for data science applications written in Python, that helps developers identify potential issues in their data science code written in Python, as an extension of [Lyra](https://github.com/caterinaurban/Lyra).
- dupl
- goast
- Rudra
- Scalastyle
- tern - editor language support.
- abaplint
- abapOpenChecks
- CPAchecker
- CScout
- Frama-C
- Goblint - threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
- Phasar - based static analysis framework which comes with a taint and type state analysis.
- SVF
- TrustInSoft Analyzer - of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
- code-cracker
- Gendarme
- Puma Scan
- Fixinator
- ameba
- Fortitude
- go tool vet --shadow
- go/ast
- gofmt -s
- GolangCI-Lint
- gosec (gas)
- revive - in replacement of golint.
- staticcheck
- CodeNarc
- checkstyle
- Error Prone - time errors.
- JArchitect
- JBMC - checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
- qulice - configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
- Soot
- Spoon - designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
- SpotBugs
- flow
- jshint - tools-dev/static-analysis/issues/223>) — Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
- retire.js
- detekt
- ktlint - bikeshedding Kotlin linter with built-in formatter.
- EasyCodingStandard - CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).
- exakat
- mago
- pdepend
- PHP Refactoring Browser
- phpDocumentor
- PHPMD
- PHPQA
- PHPStan - discover bugs in your code without running it!
- Psalm
- rector - positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
- ZPA
- autopep8
- bandit
- Black
- flakeheaven
- jedi
- mbake
- pycodestyle
- pylint
- Pysa - check to identify potential security issues in Python code identified with taint analysis.
- pyupgrade - commit hook) to automatically upgrade syntax for newer versions of the language.
- Safety
- unimport
- wemake-python-styleguide
- rco
- brakeman
- rails_best_practices
- RuboCop
- C2Rust - compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
- cargo-audit - db/).
- clippy
- diff.rs
- dylint
- rust-analyzer
- squawk
- Visual Expert
- WartRemover
- SwiftLint
- Nagelfar
- Verilator - accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.
Keywords
- static-analysis (45)
- linter (40)
- security (23)
- python (20)
- go (19)
- golang (19)
- php (16)
- static-code-analysis (15)
- lint (15)
- rust (12)
- security-tools (11)
- formatter (11)
- kubernetes (10)
- ruby (9)
- cli (9)
- static-analyzer (8)
- code-quality (8)
- java (7)
- typescript (7)
- javascript (6)
- linters (6)
- docker (6)
- vulnerabilities (6)
- code-analysis (6)
- eslint (6)
- security-audit (6)
- devsecops (6)
- security-scanner (5)
- vulnerability (5)
- analyzer (5)
- containers (5)
- compliance (5)
- ast (4)
- nodejs (4)
- architecture (4)
- best-practices (4)
- quality (4)
- vulnerability-scanners (4)
- program-analysis (4)
- tool (4)
- testing (4)
- sast (4)
- linting (4)
- elixir (4)
- cargo (4)
- analysis (4)
- complexity (3)
- reverse-engineering (3)
- optimization (3)
- code-metrics (3)