static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
Programming Languages
- flay
- flog
- ruby-lint
- Codepeer - time and logic errors.
- Polyspace for Ada - by-zero, out-of-bounds array access, and certain other run-time errors in source code.
- SPARK
- gawk --lint
- cpplint
- GCC
- Helix QAC - grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
- KLEE - generate test cases for programs such that the test cases exercise as much of the program as possible.
- Astrée - point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
- PC-lint
- Polyspace Bug Finder - time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- Polyspace Code Prover - by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
- scan-build
- vera++
- .NET Analyzers
- coffeelint
- Dart Code Metrics - patterns and provides additional rules for Dart analyzer.
- effective_dart
- Fix Insight
- Pascal Analyzer
- Pascal Expert
- elm-review
- dialyzer
- goimports
- gotype
- govulncheck
- test
- Stan - line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
- Haxe Checkstyle
- Closure Compiler
- Luanalysis
- mlint
- DrNim
- nimfmt
- CakeFuzzer - based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the CakePHP framework, CakeFuzzer launches attacks on all potential application entry points.
- EasyCodingStandard - [PHP-CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).
- pdepend
- phan
- PHP Coding Standards Fixer - 1, PSR-2, and the Symfony standard.
- PHP Insights
- Php Inspections (EA Extended)
- PHP_CodeSniffer
- PhpMetrics
- PHPStan - discover bugs in your code without running it!
- Psalm
- rector - positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use cases are tackling technical debt in legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
- ZPA
- Perl::Critic - practices.
- perltidy
- bandit
- Bowler
- deal - free code. By adding a few decorators to your code, you get tests, static analysis, formal verification, and much more for free.
- fixit - fixes for source code.
- jedi
- mypy
- pyanalyze
- PyCodeQual
- pycodestyle
- pydocstyle
- pylint
- Pysa - check to identify potential security issues in Python code using taint analysis.
- pyupgrade - commit hook) to automatically upgrade syntax for newer versions of the language.
- radon
- ruff - 100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
- unimport
- wemake-python-styleguide
- xenon
- styler - printing of R code.
- Railroader
- RuboCop
- SandiMeter
- Sorbet
- C2Rust - compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
- cargo-audit - db/).
- cargo-semver-checks - plz`. It found semver violations in [more than 1 in 6 of the top 1000 most-downloaded crates](https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/) on crates.io.
- diff.rs
- Prusti
- rust-analyzer
- holistic
- SQLFluff
- squawk
- Visual Expert
- WartRemover
- sh
- SwiftFormat - line formatting tool for reformatting Swift code.
- Frink
- Nagelfar
- tclchecker
- Codelyzer
- fta - based static analysis for TypeScript projects.
- stc
- tslint-clean-code
- zod - first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.
- DesigniteJava
- STOKE - language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.
- clazy - oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt-related compiler warnings, ranging from unneeded memory allocations to misuse of the API, including fix-its for automatic refactoring.
- CMetrics
- cqmetrics
- ESBMC - bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
- goodpractice - practice recommendations.
- ENRE-cpp - cpp is an ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)
- IKOS
- TrustInSoft Analyzer - of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
- Regal
- MIRAI - level intermediate language, and providing warnings based on taint analysis.
- clang-tidy - based C++ linter tool with the (limited) ability to fix issues, too.
- cpplint
- electrolysis
- cppcheck
- CppDepend
Other
- packj - source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
- GitGuardian ggshield
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible.
- Steampunk Spotter
- Black Duck
- Hopper - code of a procedure. Supports Apple Silicon.
- JEB Decompiler
- ktool - platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
- zydis - 64 disassembler library
- portlint
- GraphMyCSS.com
- Project Wallace CSS Analyzer
- Specificity Graph
- dotenv-linter
- dotenv-linter (Rust) - fast linter for .env files. Written in Rust.
- cookstyle
- foodcritic
- OpenSCAP - certified Security Content Automation Protocol (SCAP).
- sysdig
- Vuls - less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although it is not a container-specific tool.
- Codecov
- HTML Tidy
- HTML-Validate
- HTMLHint
- jsonlint
- Spectral - of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
- kube-score
- Kubeval
- kubeval
- ChkTeX
- lacheck
- mdformat
- textlint
- iblessing
- redex
- statix
- lintian
- Nitpick CI
- exakat
- HasMySecretLeaked
- SearchDiggity - site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
- trufflehog
- solium
- yamllint
- Vetur
- After the Deadline
- alex
- Misspelled Words In Context - checker that groups possible misspellings and shows them in their contexts.
- vale - aware linter for prose built with speed and extensibility in mind.
- Enlightn
- Qualys Container Security
- Polymer-analyzer
- Reshift
- flakeheaven
- Symfony Insight
- Mariana Trench
- CSSLint
- PT Application Inspector
- Diffblue - powered code analysis and testing solutions for software development teams.
- LunaSec - ipc happen. Track your dependencies and builds in a centralized service.
Multiple languages
- Android Studio
- AppChecker
- ArchUnit
- Axivion Bauhaus Suite - prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
- biome
- BugProve
- CAST Highlight
- Checkmarx CxSAST - compilation.
- Clayton - powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
- coala - supports [over 60 languages](https://coala.io/languages) by default.
- Cobra
- Code Intelligence - agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage.
- Codeac - hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (Free for open source.)
- codechecker
- CodeFlow
- CodeIt.Right
- CodePatrol
- CodeQue
- CodeRush
- CodeScan
- CodeScene
- CodeSee
- CodeSonar from GrammaTech - to-understand explanations and code and path visualization.
- Codiga
- DeepCode
- Embold
- ezno
- Find Security Bugs
- Fortify - C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
- Goodcheck
- graudit - source code auditing tool.
- HCL AppScan Source
- Kiuwan
- Klocwork
- MOPSA
- Synopsys
- Offensive 360 - compilation.
- OpenRewrite - recipes/popular-recipe-guides/common-static-analysis-issue-remediation) reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.
- parasoft - , API-, and web UI testing. Complies with MISRA, OWASP, and others.
- pfff - preserving source transformation for many languages.
- PVS-Studio - studio.com/en/order/open-source-license) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding standards.
- Qwiet AI
- Refactoring Essentials
- Rome - status) for JavaScript, TypeScript, JSON, HTML, Markdown, and CSS. It has since been succeeded by [biome](https://biomejs.dev/).
- Rome Formatter - tolerant code formatter for JS/TS written in Rust. Superseded by [biome](https://biomejs.dev/).
- SafeQL - generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.
- SAST Online
- Scanmycode CE (Community Edition) - Code Scanning/SAST/Linting using many tools/scanners with one report.
- Security Code Scan
- Semgrep Supply Chain - priority security issues. Semgrep Supply Chain prioritizes the 2% of vulnerabilities that are reachable from your code.
- Similarity Tester
- SonarLint for Visual Studio - the-fly feedback to developers on new bugs and quality issues injected into .NET code.
- Soto Platform
- SourceMeter - form).
- StaticReviewer - in validation rules for Security, Deadcode & Best Practices. A module for Software Composition Analysis (SCA) is available to find vulnerabilities in open source and third party libraries.
- Svace
- Teamscale
- TencentCodeAnalysis - named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consists of three components: server, web and client. It integrates a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
- Understand
- Veracode - C, C, C++ and more.
- Codemodder - trivial security issues and other code quality problems.
- Sigrid
- WhiteHat Application Security Platform
- Bearer - Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.
- DevSkim - based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
- Freeplane Code Explorer
- Mobb - source projects.