static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
Programming Languages
- flay
- flog
- ruby-lint
- Codepeer - time and logic errors.
- Polyspace for Ada - by-zero, out-of-bounds array access, and certain other run-time errors in source code.
- SPARK
- gawk --lint
- cpplint
- GCC
- Helix QAC - grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
- KLEE - generate test cases for programs such that the test cases exercise as much of the program as possible.
- Astrée - point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
- PC-lint
- Polyspace Bug Finder - time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- Polyspace Code Prover - by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
- scan-build
- vera++
- .NET Analyzers
- coffeelint
- Dart Code Metrics - patterns and provides additional rules for Dart analyzer.
- effective_dart
- Fix Insight
- Pascal Analyzer
- Pascal Expert
- elm-review
- dialyzer
- goimports
- gotype
- govulncheck
- test
- Stan - line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
- Haxe Checkstyle
- Closure Compiler
- Luanalysis
- mlint
- DrNim
- nimfmt
- CakeFuzzer - based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
- EasyCodingStandard - CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).
- pdepend
- phan
- PHP Coding Standards Fixer - 1, PSR-2, and the Symfony standard.
- PHP Insights
- Php Inspections (EA Extended)
- PHP_CodeSniffer
- PhpMetrics
- PHPStan - discover bugs in your code without running it!
- Psalm
- rector - positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
- ZPA
- Perl::Critic - practices.
- perltidy
- bandit
- Bowler
- deal - free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.
- fixit - fixes for source code.
- jedi
- mypy
- pyanalyze
- PyCodeQual
- pycodestyle
- pydocstyle
- pylint
- Pysa - check to identify potential security issues in Python code identified with taint analysis.
- pyupgrade - commit hook) to automatically upgrade syntax for newer versions of the language.
- radon
- ruff - 100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
- unimport
- wemake-python-styleguide
- xenon
- styler - printing of R code.
- Railroader
- RuboCop
- SandiMeter
- Sorbet
- C2Rust - compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
- cargo-audit - db/).
- cargo-semver-checks - plz`. It found semver violations in [more than 1 in 6 of the top 1000 most-downloaded crates](https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/) on crates.io.
- diff.rs
- Prusti
- rust-analyzer
- holistic
- SQLFluff
- squawk
- Visual Expert
- WartRemover
- sh
- SwiftFormat - line formatting tool for reformatting Swift code.
- Frink
- Nagelfar
- tclchecker
- Codelyzer
- fta - based static analysis for TypeScript projects.
- stc
- tslint-clean-code
- zod - first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.
- DesigniteJava
- STOKE - language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.
- clazy - oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
- CMetrics
- cqmetrics
- ESBMC - bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
- goodpractice - practice recommendations.
- ENRE-cpp - cpp is an ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)
- IKOS
- TrustInSoft Analyzer - of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
- Regal
- MIRAI - level intermediate language, and providing warnings based on taint analysis.
- clang-tidy - based C++ linter tool with the (limited) ability to fix issues, too.
- electrolysis
- cppcheck
- CppDepend
- abaplint
- abapOpenChecks
- CPAchecker
- CScout
- Frama-C
- Goblint - threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
- Phasar - based static analysis framework which comes with a taint and type state analysis.
- splint - assisted static program checker.
- SVF
- ArchUnitNET
- code-cracker
- Gendarme
- Meziantou.Analyzer
- Puma Scan
- Roslynator
- SonarAnalyzer.CSharp
- Wintellect.Analyzers
- clj-kondo
- Fixinator
- ameba
- lint - driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter
- Linter for dart
- DelphiLint - the-fly code analysis and linting, powered by SonarDelphi.
- SonarDelphi
- D-scanner - Scanner is a tool for analyzing D source code.
- credo
- dialyxir
- sobelow - focused static analysis for the Phoenix Framework.
- elvis
- fantomas
- FSharpLint
- ionide-analyzers
- Fortitude
- i-Code CNES for Fortran
- aligncheck
- bodyclose
- deadcode
- dogsled
- errcheck
- errwrap
- flen
- go tool vet --shadow
- go-consistent
- go-critic
- go/ast
- gochecknoglobals
- goconst
- gofmt -s
- gofumpt - compatible. That is, `gofumpt` is happy with a subset of the formats that `gofmt` is happy with.
- gokart
- GolangCI-Lint - Lint is a linters aggregator.
- golint
- goreporter
- goroutine-inspect
- gosec (gas)
- ineffassign
- misspell
- nakedret
- nargs
- OSV-Scanner
- prealloc
- revive - in replacement of golint.
- staticcheck
- structslop
- unconvert
- unparam
- wsl
- CodeNarc
- HLint
- Liquid Haskell
- Weeder
- checkstyle
- ck - oriented metrics by processing the source Java files.
- CogniCrypt
- Dataflow Framework - strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.
- Doop - to-end (fact generation, processing, statistics, etc.).
- Error Prone - time errors.
- forbidden-apis
- google-java-format
- IntelliJ IDEA
- JArchitect
- JBMC - checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
- NullAway - based null-pointer checker with low build-time overhead; an [Error Prone](http://errorprone.info/) plugin.
- OWASP Dependency Check
- qulice - configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
- RefactorFirst
- Soot
- Spoon - designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
- SpotBugs
- Violations Lib
- flow
- jshint - Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
- JSLint - The JavaScript Code Quality Tool.
- NodeJSScan
- retire.js
- tern - editor language support.
- xo
- JET
- StaticLint
- detekt
- diktat - fixes code smells.
- ktfmt
- ktlint - bikeshedding Kotlin linter with built-in formatter.
- luacheck
- lualint - based static analysis of global variable usage in Lua source code.
- Sys
- VeriFast - threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.
- churn-php
- composer-dependency-analyser
- dephpend
- deptrac
- DesignPatternDetector
- exakat
- GrumPHP
- larastan
- mago
- parallel-lint
- Parse
- PHP Architecture Tester
- PHP Assumptions
- PHP Refactoring Browser
- PHP-Parser
- php-speller
- PHPArkitect
- phpDocumentor
- phploc
- PHPMD
- phpmnd
- PHPQA
- phpqa - jakzal
- phpqa - jmolivas - in-one Analyzer CLI tool.
- Progpilot
- Reflection
- Tuli
- twig-lint - lint is a lint tool for your twig files.
- WAP
- Perl::Analyzer - Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.
- zarn
- autoflake
- bellybutton - specific rules.
- Black
- cohesion
- Dlint
- flake8
- flakeheaven
- Griffe
- linty fresh
- mbake
- pip-audit - commit hooks, and multiple vulnerability service integrations.
- prospector
- pyflakes
- pylyzers
- pyre-check
- pyright
- pyroma
- pytype
- refurb - in linter for Rust.
- Safety
- ty
- vulture
- yapf
- cyclocomp
- flowR - analysis/flowr/wiki/Terminology#program-slice) and [dataflow analyzer](https://en.wikipedia.org/wiki/Data-flow_analysis) for the [R](https://www.r-project.org/) programming language. Its slicer allows you to reduce a complicated program just to the parts related for a specific task (e.g., the generation of a single or collection of plots, a significance test, ...). The dataflow analysis provides you with a detailed view on the semantics of the R code which can greatly improve other analyses. To use _flowR_, check out the [Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=code-inspect.vscode-flowr), the [RStudio Addin](https://github.com/flowr-analysis/rstudio-addin-flowr), the [Docker image](https://hub.docker.com/r/eagleoutice/flowr), or the [R package](https://github.com/flowr-analysis/flowr-r-adapter).
- lintr
- rco
- Active Record Doctor
- brakeman
- Bullet
- bundler-audit - advisory-db).
- DatabaseConsistency
- dawnscanner
- ERB Lint
- ERB::Formatter
- Fasterer
- Fukuzatsu
- htmlbeautifier
- pelusa - type tool to improve your OO Ruby code.
- rails_best_practices
- reek
- rubycritic
- rufo - editor plugin, to autoformat files on save or on demand.
- Skunk - Find the most complicated code without test coverage!
- Standard Ruby
- Steep
- Traceroute
- cargo udeps
- cargo-breaking - breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
- cargo-call-stack
- cargo-deny
- cargo-expand
- cargo-geiger
- cargo-show-asm - IR and MIR generated for Rust code.
- cargo-spellcheck
- cargo-unused-features
- clippy
- dylint
- kani - precise model checker for Rust.
- lockbud
- rustfix - party lints, like those offered by clippy).
- rustfmt
- RustViz - flow in Rust programs.
- dbcritic
- pgspot
- sleek
- sqlint
- Scalastyle
- bashate
- kmdr
- shellcheck
- shellharden - automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
- SwiftLint
- Angular ESLint
- ENRE-ts - ts is an ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.
- this issue - eslint` is now your best option for linting TypeScript.
- TypeScript Call Graph
- TypeScript ESLint
- svls
- verible-linter-action
- Verilator - accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.
- vscode-verilog-hdl-support
- Twiggy
- wasm-language-tools - of-the-box formatter (a.k.a. pretty printer) for WebAssembly Text Format.
Other
- packj - source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
- GitGuardian ggshield
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible.
- Steampunk Spotter
- Black Duck
- Hopper - code of a procedure. Supports Apple Silicon.
- JEB Decompiler
- ktool - platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
- zydis - 64 disassembler library.
- portlint
- GraphMyCSS.com
- Project Wallace CSS Analyzer
- Specificity Graph
- dotenv-linter
- dotenv-linter (Rust) - fast linter for .env files. Written in Rust
- cookstyle
- foodcritic
- OpenSCAP - certified Security Content Automation Protocol (SCAP).
- sysdig
- Vuls - less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although it is not a container-specific tool.
- Codecov
- HTML Tidy
- HTML-Validate
- HTMLHint
- jsonlint
- Spectral - of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
- kube-score
- Kubeval
- kubeval
- ChkTeX
- lacheck
- mdformat
- textlint
- iblessing
- redex
- statix
- lintian
- Nitpick CI
- exakat
- HasMySecretLeaked
- SearchDiggity - site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
- trufflehog
- solium
- yamllint
- Vetur
- After the Deadline
- alex
- Misspelled Words In Context - checker that groups possible misspellings and shows them in their contexts.
- vale - aware linter for prose built with speed and extensibility in mind.
- Enlightn
- Qualys Container Security
- Polymer-analyzer
- Reshift
- flakeheaven
- Symfony Insight
- Mariana Trench
- CSSLint
- PT Application Inspector
- Diffblue - powered code analysis and testing solutions for software development teams.
- LunaSec - ipc happen. Track your dependencies and builds in a centralized service.
- alquitran
- AzSK - as-code. Supports Azure via ARM.
- angr
- binbloom
- BinSkim
- bloaty - O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data.
- cwe_checker
- Ghidra
- IDA Free
- Jakstab - based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.
- Malcat - code). Features rapid analysis, embedded file extraction, Yara signature scanning, anomaly detection, and Python scripting. Designed for malware analysts, SOC operators, incident responders, and CTF players.
- Nauz File Detector
- rhabdomancer
- VMware chap - instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.
- checkmake
- CSS Stats
- CSScomb
- Nu Html Checker
- Stylelint
- gixy
- ansible-lint
- AWS CloudFormation Guard - as-code rules and generate rules from existing templates.
- cfn-lint
- cfn_nag
- checkov
- metadata-json-lint
- terraform-compliance - and security focused, BDD test framework against Terraform.
- terrascan
- tflint
- tfsec
- anchore - defined acceptance policies to allow automated container image validation and certification
- clair
- Dockle - Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.
- Grype
- krane
- actionlint
- Code Climate
- PullRequest - in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation.
- deno_lint
- Cloud (IaC) Security for JetBrains IDEs - time inspections of Docker & Kubernetes IaC with 50+ rules based on Docker image/build security best practices, Kubernetes Pod Security Standards, and NSA/CISA Kubernetes Hardening Guidance.
- oelint-adv - embedded and YOCTO.
- Bootlint
- chart-testing
- clusterlint
- klint
- kube-lint - lint will evaluate those rules against them.
- kube-linter
- kubeconform
- TeXLab
- markdownlint - based style checker and lint tool for Markdown/CommonMark files.
- mdsf
- Android Lint
- FlowDroid
- Oversecured
- deadnix
- lockfile-lint
- rpmlint
- promval
- protolint
- Credential Digger - model). This scanner is able to detect passwords and non-structured tokens with a low false positive rate.
- detect-secrets
- Gitleaks
- OWASP Noir
- Rezilion - exploitable vulnerabilities and creates a remediation plan and open tickets to upgrade components that violate your security policy and/or patch automatically in CI.
- scorecard - Security health metrics for Open Source
- Tsunami Security Scanner - like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.
- mythril
- MythX - line.
- slither
- solhint
- LibVCS4j
- ember-template-lint
- haml-lint
- slim-lint
- codespell
- languagetool
- misspell-fixer
- proselint
- write-good
- commitlint
Multiple languages
- Android Studio
- AppChecker
- ArchUnit
- Axivion Bauhaus Suite - prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
- biome
- BugProve
- CAST Highlight
- Checkmarx CxSAST - compilation.
- Clayton - powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
- coala - supports [over 60 languages](https://coala.io/languages) by default.
- Cobra
- Code Intelligence - agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage.
- Codeac - hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free)
- codechecker
- CodeFlow
- CodeIt.Right
- CodePatrol
- CodeQue
- CodeRush
- CodeScan
- CodeScene
- CodeSee
- CodeSonar from GrammaTech - to-understand explanations and code and path visualization.
- Codiga
- DeepCode
- Embold
- ezno
- Find Security Bugs
- Fortify - C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
- Goodcheck
- graudit - source code auditing tool.
- HCL AppScan Source
- Kiuwan
- Klocwork
- MOPSA
- Synopsys
- Offensive 360 - compilation.
- OpenRewrite - recipes/popular-recipe-guides/common-static-analysis-issue-remediation) reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.
- parasoft - , API-, and web UI testing. Complies with MISRA, OWASP, and others.
- pfff - preserving source transformation for many languages.
- PVS-Studio - studio.com/en/order/open-source-license) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding standards.
- Qwiet AI
- Refactoring Essentials
- Rome - status) for JavaScript, TypeScript, JSON, HTML, Markdown, and CSS. It has since been succeeded by [biome](https://biomejs.dev/).
- Rome Formatter - tolerant code formatter for JS/TS written in Rust. Superseded by [biome](https://biomejs.dev/).
- SafeQL - generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.
- SAST Online
- Scanmycode CE (Community Edition) - Code Scanning/SAST/Linting using many tools/Scanners with One Report
- Security Code Scan
- Semgrep Supply Chain - priority security issues. Semgrep Supply Chain prioritizes the 2% of vulnerabilities that are reachable from your code.
- Similarity Tester
- SonarLint for Visual Studio - the-fly feedback to developers on new bugs and quality issues injected into .NET code.
- Soto Platform
- SourceMeter - form).
- StaticReviewer - in validation rules for Security, Deadcode & Best Practices. A module for Software Composition Analysis (SCA) is available to find vulnerabilities in open source and third party libraries.
- Svace
- Teamscale
- TencentCodeAnalysis - named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consists of three components: server, web and client. It integrates a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
- Understand
- Veracode - C, C, C++ and more.
- Codemodder - trivial security issues and other code quality problems.
- Sigrid
- WhiteHat Application Security Platform
- Bearer - Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.
- DevSkim - based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
- Freeplane Code Explorer
- Mobb - source projects.
- Application Inspector
- ApplicationInspector
- ast-grep - grep is a powerful tool designed for managing code at scale using Abstract Syntax Trees (AST). Think of it as a hybrid of grep, eslint, and codemod, with the ability to search, lint, and rewrite code based on its structure rather than plain text.
- autocorrect
- Better Code Hub
- callGraph
- ClassGraph
- Codacy
- codeburner
- CodeFactor
- codeql - semantic queries and dataflow for several languages with VSCode plugin support.
- Codety
- Corgea - powered SAST scanner that helps developers find and fix insecure code. It finds business logic flaws, broken authentication, API vulnerabilities, and more with few false positives. Additionally, it automatically writes security fixes for them to approve. Corgea integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. It is free to try.
- Coverity
- cpp-linter-action - tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.
- DeepSource - depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
- deleaker
- Depends
- DerScanner - language Static Application Security Testing (SAST) platform that detects critical vulnerabilities, including hardcoded secrets, weak cryptography, backdoors, SQL injections, insecure configurations, etc.
- dotnet-format - format is able to format C# and Visual Basic projects with a subset of supported `.editorconfig` options.
- emerge
- Enforster AI
- ESLint
- Infer - C
- Joern - language code analysis. Code property graphs are stored in a custom graph database. This allows code to be mined using search queries formulated in a Scala-based domain-specific query language. Joern is developed with the goal of providing a useful tool for vulnerability discovery and research in static program analysis.
- keploy - source testing platform that helps developers automate and streamline their testing process. It provides API and integration testing agents, generating tests, mocks/stubs for APIs that actually work. Additionally, Keploy offers an AI-powered Unit Testing Agent that generates stable, useful unit tests directly in your GitHub PRs and in VSCode, helping catch errors and improve code quality.
- LGTM
- lizard - paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
- Mega-Linter - Linter can handle any type of project thanks to its 70+ embedded Linters.
- oclint - C.
- OpenStaticAnalyzer
- oxc - performance tools for the JavaScript / TypeScript language re-written in Rust.
- Pixee - ready pull requests with recommended fixes.
- PMD
- Precaution
- Prettier
- Pronto
- Putout - in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.
- pylama
- relint
- ReSharper - the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
- RIPS
- Roslyn Analyzers - based implementation of FxCop analyzers.
- Roslyn Security Guard - site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
- Semgrep - source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
- ShiftLeft Scan - source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.
- SonarQube Cloud
- SonarQube for IDE - time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.
- SonarQube Server
- ThreatMapper - of-exploit.
- todocheck
- trivy
- trunk - simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.
- TscanCode
- Undebt - independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.
- Unibeautify - C, Java, Python, PHP, GraphQL, Markdown, and more.
- Upsource - aware navigation for Java, PHP, JavaScript and Kotlin.
- WALA
- weggli
- XCode - analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C).