static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
Programming Languages
- SwiftFormat - line formatting tool for reformatting Swift code.
- .NET Analyzers
- Bowler
- goimports
- OSV-Scanner
- PHP Coding Standards Fixer - 1, PSR-2, and the Symfony standard.
- Astrée - point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
- Helix QAC - grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
- perltidy
- Codepeer - time and logic errors.
- Polyspace for Ada - by-zero, out-of-bounds array access, and certain other run-time errors in source code.
- SPARK
- gawk --lint
- cpplint
- GCC
- KLEE - generate test cases for programs such that the test cases exercise as much of the program as possible.
- PC-lint
- Polyspace Bug Finder - time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- Polyspace Code Prover - by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
- scan-build
- vera++
- coffeelint
- Dart Code Metrics - patterns and provides additional rules for Dart analyzer.
- effective_dart
- Fix Insight
- Pascal Analyzer
- Pascal Expert
- elm-review
- dialyzer
- gotype
- govulncheck
- test
- Stan - line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
- Haxe Checkstyle
- Closure Compiler
- Luanalysis
- mlint
- DrNim
- nimfmt
- CakeFuzzer - based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
- EasyCodingStandard - CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer).
- pdepend
- phan
- PHP Insights
- Php Inspections (EA Extended)
- PHP_CodeSniffer
- PhpMetrics
- PHPStan - discover bugs in your code without running it!
- Psalm
- rector - positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. Its main use cases are tackling technical debt in legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
- ZPA
- Perl::Critic - practices.
- bandit
- deal - free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.
- fixit - fixes for source code.
- jedi
- mypy
- pyanalyze
- PyCodeQual
- pycodestyle
- pydocstyle
- pylint
- Pysa - check to identify potential security issues in Python code identified with taint analysis.
- pyupgrade - commit hook) to automatically upgrade syntax for newer versions of the language.
- radon
- ruff - 100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
- unimport
- wemake-python-styleguide
- xenon
- styler - printing of R code.
- flay
- flog
- Railroader
- RuboCop
- ruby-lint
- SandiMeter
- Sorbet
- C2Rust - compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.
- cargo-audit - db/).
- cargo-semver-checks - plz`. It found semver violations in [more than 1 in 6 of the top 1000 most-downloaded crates](https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/) on crates.io.
- diff.rs
- Prusti
- rust-analyzer
- holistic
- SQLFluff
- squawk
- Visual Expert
- WartRemover
- sh
- Frink
- Nagelfar
- tclchecker
- Codelyzer
- fta - based static analysis for TypeScript projects
- stc
- tslint-clean-code
- zod - first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.
- DesigniteJava
- goodpractice - practice recommendations.
- electrolysis
- IKOS
- TrustInSoft Analyzer - of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
- Regal
- MIRAI - level intermediate language, and providing warnings based on taint analysis.
- sobelow - focused static analysis for the Phoenix Framework.
- rufo - editor plugin, to autoformat files on save or on demand.
- go-critic
- structslop
- yapf
- google-java-format
- GrumPHP
- PHP-Parser
- Steep
- Skunk - - Find the most complicated code without test coverage!
- Active Record Doctor
- rubycritic
- reek
- Fasterer
- TypeScript ESLint
- clazy - oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt-related compiler warnings, ranging from unneeded memory allocations to misuse of APIs, including fix-its for automatic refactoring.
- bundler-audit - advisory-db).
- xo
- STOKE - language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.
- rustfix - party lints, like those offered by clippy).
- rustfmt
- cargo-expand
- credo
- kmdr
- phpqa - jmolivas - in-one Analyzer CLI tool.
- Bullet
- refurb - in linter for Rust.
- vulture
- pip-audit - commit hooks, and multiple vulnerability service integrations.
- Twiggy
- golint
- errcheck
- kani - precise model checker for Rust.
- shellharden - automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
- cargo-show-asm - IR and MIR generated for Rust code
- cargo-geiger
- cargo udeps
- Traceroute
- DatabaseConsistency
- flake8
- VeriFast - threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.
- NullAway - based null-pointer checker with low build-time overhead; an [Error Prone](http://errorprone.info/) plugin.
- FSharpLint
- luacheck
- RustViz - flow in Rust programs.
- linty fresh
- pyroma
- cohesion
- cargo-unused-features
- Tuli
- DesignPatternDetector
- PHP Assumptions
- twig-lint - lint is a lint tool for your twig files.
- Parse
- phploc
- dephpend
- dialyxir
- autoflake
- misspell
- Dataflow Framework - strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.
- PHP Architecture Tester
- composer-dependency-analyser
- Progpilot
- dawnscanner
- cargo-call-stack
- lint - driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter
- churn-php
- larastan
- gofumpt - compatible. That is, `gofumpt` is happy with a subset of the formats that `gofmt` is happy with.
- lockbud
- PHPArkitect
- Meziantou.Analyzer
- sqlint
- Angular ESLint
- errwrap
- gokart
- HLint
- TypeScript Call Graph
- parallel-lint
- svls
- bodyclose
- ArchUnitNET
- goconst
- Weeder
- pyright
- unconvert
- Dlint
- bellybutton - specific rules.
- pelusa - type tool to improve your OO Ruby code.
- goroutine-inspect
- SonarAnalyzer.CSharp
- phpmnd
- nakedret
- dogsled
- go-consistent
- deadcode
- ineffassign
- unparam
- aligncheck
- prealloc
- flen
- Violations Lib
- elvis
- lualint - based static analysis of global variable usage in Lua source code.
- Wintellect.Analyzers
- D-scanner - Scanner is a tool for analyzing D source code.
- CMetrics
- cqmetrics
- ESBMC - bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
- wsl
- phpqa - jakzal
- bashate
- ERB::Formatter
- htmlbeautifier
- cargo-spellcheck
- dbcritic
- pgspot
- forbidden-apis
- ENRE-cpp - cpp is an ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)
- vscode-verilog-hdl-support
- gochecknoglobals
- php-speller
- verible-linter-action
- flowR - analysis/flowr/wiki/Terminology#program-slice) and [dataflow analyzer](https://en.wikipedia.org/wiki/Data-flow_analysis) for the [R](https://www.r-project.org/) programming language. Its slicer allows you to reduce a complicated program to just the parts relevant to a specific task (e.g., the generation of a single plot or a collection of plots, a significance test, ...). The dataflow analysis provides you with a detailed view of the semantics of the R code, which can greatly improve other analyses. To use _flowR_, check out the [Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=code-inspect.vscode-flowr), the [RStudio Addin](https://github.com/flowr-analysis/rstudio-addin-flowr), the [Docker image](https://hub.docker.com/r/eagleoutice/flowr), or the [R package](https://github.com/flowr-analysis/flowr-r-adapter).
- zarn
- Doop - to-end (fact generation, processing, statistics, etc.).
- cyclocomp
- pyflakes
- sleek
- Roslynator
- cppcheck
- ck - oriented metrics by processing the source Java files.
- CppDepend
- lintr
- prospector
- shellcheck
- clang-tidy - based C++ linter tool with the (limited) ability to fix issues, too.
- ERB Lint
- Standard Ruby
- goreporter
- deptrac
- JSLint - tools-dev/static-analysis/issues/223>) — The JavaScript Code Quality Tool.
- RefactorFirst
- splint - assisted static program checker.
- DelphiLint - the-fly code analysis and linting, powered by SonarDelphi.
- SonarDelphi
- nargs
- JET
- StaticLint
- Sys
- Reflection
- Fukuzatsu
- cargo-breaking - breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
- ENRE-ts - ts is an ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.
- this issue - eslint` is now your best option for linting TypeScript.
- wasm-language-tools - of-the-box formatter (a.k.a. pretty printer) for WebAssembly Text Format.
- pytype
- Liquid Haskell
- abaplint
- abapOpenChecks
- CPAchecker
- CScout
- Frama-C
- Goblint - threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
- Phasar - based static analysis framework which comes with a taint and type state analysis.
- SVF
- code-cracker
- Gendarme
- Puma Scan
- clj-kondo
- Fixinator
- ameba
- Linter for dart
- fantomas
- ionide-analyzers
- Fortitude
- i-Code CNES for Fortran
- go tool vet --shadow
- go/ast
- gofmt -s
- GolangCI-Lint - Lint is a linters aggregator.
- gosec (gas)
- revive - in replacement of golint.
- staticcheck
- CodeNarc
- checkstyle
- CogniCrypt
- Error Prone - time errors.
- JArchitect
- JBMC - checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
- OWASP Dependency Check
- qulice - configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
- Soot
- Spoon - designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
- SpotBugs
- flow
- jshint - tools-dev/static-analysis/issues/223>) — Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
- NodeJSScan
- retire.js
- tern - editor language support.
- detekt
- diktat - fixes code smells.
- ktfmt
- ktlint - bikeshedding Kotlin linter with built-in formatter.
- exakat
- mago
- PHP Refactoring Browser
- phpDocumentor
- PHPMD
- PHPQA
- WAP
- Perl::Analyzer - Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.
- Black
- flakeheaven
- Griffe
- mbake
- pylyzers
- pyre-check
- Safety
- ty
- rco
- brakeman
- rails_best_practices
- cargo-deny
- clippy
- dylint
- Scalastyle
- SwiftLint
- Verilator - accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.
Multiple languages
- deleaker
- Mega-Linter - Linter can handle any type of project thanks to its 70+ embedded linters.
- Rome Formatter - tolerant code formatter for JS/TS written in Rust. Superseded by [biome](https://biomejs.dev/).
- CodeSee
- keploy - source testing platform that helps developers automate and streamline their testing process. It provides API and integration testing agents, generating tests and mocks/stubs for APIs that actually work. Additionally, Keploy offers an AI-powered Unit Testing Agent that generates stable, useful unit tests directly in your GitHub PRs and in VSCode, helping catch errors and improve code quality.
- Android Studio
- AppChecker
- ArchUnit
- Axivion Bauhaus Suite - prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
- biome
- BugProve
- CAST Highlight
- Checkmarx CxSAST - compilation.
- Clayton - powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
- coala - supports [over 60 languages](https://coala.io/languages) by default.
- Cobra
- Code Intelligence - agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage
- Codeac - hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free)
- codechecker
- CodeFlow
- CodeIt.Right
- CodePatrol
- CodeQue
- CodeRush
- CodeScan
- CodeScene
- CodeSonar from GrammaTech - to-understand explanations and code and path visualization.
- Codiga
- Synopsys
- DeepCode
- Embold
- ezno
- Find Security Bugs
- Fortify - C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
- Goodcheck
- graudit - source code auditing tool.
- HCL AppScan Source
- Kiuwan
- Klocwork
- MOPSA
- Offensive 360 - compilation.
- OpenRewrite - recipes/popular-recipe-guides/common-static-analysis-issue-remediation) reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.
- parasoft - , API-, and web UI testing. Complies with MISRA, OWASP, and others.
- pfff - preserving source transformation for many languages.
- PVS-Studio - studio.com/en/order/open-source-license) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding standards.
- Qwiet AI
- Refactoring Essentials
- Rome - status) for JavaScript, TypeScript, JSON, HTML, Markdown, and CSS. It has since been succeeded by [biome](https://biomejs.dev/).
- Security Code Scan
- SafeQL - generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.
- SAST Online
- Scanmycode CE (Community Edition) - Code Scanning/SAST/Linting using many tools/Scanners with One Report
- Semgrep Supply Chain - priority security issues. Semgrep Supply Chain prioritizes the 2% of vulnerabilities that are reachable from your code.
- Similarity Tester
- SonarLint for Visual Studio - the-fly feedback to developers on new bugs and quality issues injected into .NET code.
- Soto Platform
- SourceMeter - form).
- StaticReviewer - in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.
- Svace
- Teamscale
- TencentCodeAnalysis - named CodeDog inside the company early on) is a comprehensive platform for code analysis and issue tracking. TCA consists of three components: server, web and client. It integrates a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
- Understand
- Veracode - C, C, C++ and more.
- Corgea - powered SAST scanner that helps developers find and fix insecure code. It finds business logic flaws, broken authentication, API vulnerabilities, and more with few false positives. Additionally, it automatically writes security fixes for them to approve. Corgea integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. It is free to try.
- Codemodder - trivial security issues and other code quality problems.
- Sigrid
- Freeplane Code Explorer
- Mobb - source projects.
- WhiteHat Application Security Platform
- Bearer - Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.
- DevSkim - based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
- lizard - paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
- trivy
- ESLint
- Roslyn Analyzers - based implementation of FxCop analyzers.
- TscanCode
- Pronto
- ThreatMapper - of-exploit.
- Putout - in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.
- ApplicationInspector
- codeql - semantic queries and dataflow for several languages with VSCode plugin support.
- ClassGraph
- dotnet-format - format is able to format C# and Visual Basic projects with a subset of supported `.editorconfig` options.
- Undebt - independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.
- todocheck
- ShiftLeft Scan - source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.
- emerge
- Depends
- WALA
- relint
- ast-grep - grep is a powerful tool designed for managing code at scale using Abstract Syntax Trees (AST). Think of it as a hybrid of grep, eslint, and codemod, with the ability to search, lint, and rewrite code based on its structure rather than plain text.
- XCode - analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C).
- DeepSource - depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
- oxc - performance tools for the JavaScript / TypeScript language re-written in Rust.
- callGraph
- OpenStaticAnalyzer
- Application Inspector
- autocorrect
- Better Code Hub
- codeburner
- CodeFactor
- Codety
- Coverity
- cpp-linter-action - tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.
- DerScanner - language Static Application Security Testing (SAST) platform that detects critical vulnerabilities, including hardcoded secrets, weak cryptography, backdoors, SQL injections, insecure configurations, etc.
- Enforster AI
- Infer - C
- Joern - language code analysis. Code property graphs are stored in a custom graph database. This allows code to be mined using search queries formulated in a Scala-based domain-specific query language. Joern is developed with the goal of providing a useful tool for vulnerability discovery and research in static program analysis.
- oclint - C.
- PMD
- Precaution
- pylama
- ReSharper - the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
- RIPS
- Roslyn Security Guard - site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
- Semgrep - source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
- SonarQube Cloud
- SonarQube for IDE - time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.
- SonarQube Server
- trunk - simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.
- Unibeautify - C, Java, Python, PHP, GraphQL, Markdown, and more.
- Upsource - aware navigation for Java, PHP, JavaScript and Kotlin.
- weggli
Other
- Codecov
- Steampunk Spotter
- OpenSCAP - certified Security Content Automation Protocol (SCAP).
- Enlightn
- Hopper - code of a procedure. Supports Apple Silicon.
- Vetur
- textlint
- jsonlint
- Malcat - code). Features rapid analysis, embedded file extraction, Yara signature scanning, anomaly detection, and Python scripting. Designed for malware analysts, SOC operators, incident responders, and CTF players.
- sysdig
- HTML-Validate
- Diffblue - powered code analysis and testing solutions for software development teams.
- Mariana Trench
- Polymer-analyzer
- Nitpick CI
- Symfony Insight
- GitGuardian ggshield
- kics - as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
- packj - source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
- Black Duck
- JEB Decompiler
- ktool - platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.
- zydis - 64 disassembler library
- portlint
- GraphMyCSS.com
- Project Wallace CSS Analyzer
- Specificity Graph
- dotenv-linter
- dotenv-linter (Rust) - fast linter for .env files. Written in Rust
- cookstyle
- foodcritic
- Vuls - less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although it is not a container-specific tool.
- HTML Tidy
- HTMLHint
- Spectral - of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.
- kube-score
- Kubeval
- kubeval
- ChkTeX
- lacheck
- mdformat
- iblessing
- redex
- statix
- lintian
- HasMySecretLeaked
- SearchDiggity - site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
- trufflehog
- solium
- yamllint
- After the Deadline
- alex
- Misspelled Words In Context - checker that groups possible misspellings and shows them in their contexts.
- vale - aware linter for prose built with speed and extensibility in mind.
- Reshift
- PT Application Inspector
- Android Lint
- Qualys Container Security
- LunaSec - ipc happen. Track your dependencies and builds in a centralized service.
- CSSLint
- write-good
- gixy
- markdownlint - based style checker and lint tool for Markdown/CommonMark files.
- Grype
- VMware chap - instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.
- mythril
- binbloom
- proselint
- Dockle - Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.
- chart-testing
- lockfile-lint
- bloaty - O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compile unit that produced it. It will even disassemble the binary looking for references to anonymous data.
- scorecard - Security health metrics for Open Source
- codespell
- FlowDroid
- deno_lint
- angr
- CSScomb
- kubeconform
- protolint
- Tsunami Security Scanner - like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.
- detect-secrets
- cwe_checker
- cfn_nag
- haml-lint
- slim-lint
- krane
- kube-linter
- AWS CloudFormation Guard - as-code rules and generate rules from existing templates.
- checkmake
- Bootlint
- clusterlint
- klint
- deadnix
- Nauz File Detector
- Credential Digger - model). This scanner is able to detect passwords and non structured tokens with a low false positive rate.
- mdsf
- ember-template-lint
- promval
- oelint-adv - embedded and YOCTO
- metadata-json-lint
- kube-lint - lint will evaluate those rules against them.
- rpmlint
- clair
- Gitleaks
- PullRequest - in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation.
- Code Climate
- tfsec
- terrascan
- alquitran
- BinSkim
- Jakstab - based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.
- LibVCS4j
- misspell-fixer
- AzSK - as-code. Supports Azure via ARM.
- Ghidra
- IDA Free
- rhabdomancer
- CSS Stats
- Nu Html Checker
- Stylelint
- ansible-lint
- checkov
- terraform-compliance - and security focused, BDD test framework against Terraform.
- tflint
- anchore - defined acceptance policies to allow automated container image validation and certification
- actionlint
- Cloud (IaC) Security for JetBrains IDEs - time inspections of Docker & Kubernetes IaC with 50+ rules based on Docker image/build security best practices, Kubernetes Pod Security Standards, and NSA/CISA Kubernetes Hardening Guidance.
- TeXLab
- Oversecured
- OWASP Noir
- Rezilion - exploitable vulnerabilities and creates a remediation plan and open tickets to upgrade components that violate your security policy and/or patch automatically in CI.
- MythX - line.
- slither
- solhint
- languagetool
- commitlint