awesome-awesomeness/html/staticanalysis.html
2025-07-18 23:13:11 +02:00

<!-- 🚨🚨 DON'T EDIT THIS FILE DIRECTLY. Edit `data/tools.yml` instead. 🚨🚨 -->
<p><a href="https://analysis-tools.dev/">
<img alt="Analysis Tools Website" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/redesign.svg" />
</a></p>
<p>This repository lists <strong>static analysis tools</strong> for all
programming languages, build tools, config files and more. The focus is
on tools which improve code quality such as linters and formatters. The
official website, <a
href="https://analysis-tools.dev/">analysis-tools.dev</a> is based on
this repository and adds rankings, user comments, and additional
resources like videos for each tool.</p>
<p><a href="https://analysis-tools.dev"><img
src="https://img.shields.io/badge/Website-Online-2B5BAE"
alt="Website" /></a> <img
src="https://github.com/analysis-tools-dev/static-analysis/workflows/CI/badge.svg"
alt="CI" /> <a
href="https://github.com/analysis-tools-dev/static-analysis/actions/workflows/links.yml"><img
src="https://github.com/analysis-tools-dev/static-analysis/actions/workflows/links.yml/badge.svg"
alt="Links" /></a></p>
<h2 id="sponsors">Sponsors</h2>
<p>This project would not be possible without the generous support of
our sponsors.</p>
<table>
<tr>
<td>
<a href="https://bugprove.com"> <picture >
<source width="200px" media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/bugprove-dark.svg">
<img width="200px" alt="BugProve" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/bugprove-light.svg">
</picture> </a>
</td>
<td>
<a href="https://www.betterscan.io"> <picture >
<source width="200px" media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/betterscan-dark.svg">
<img width="200px" alt="Betterscan" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/betterscan-light.svg">
</picture> </a>
</td>
<td>
<a href="https://www.pixee.ai/"> <picture >
<source width="200px" media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/pixee-light.png">
<img width="200px" alt="Pixee" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/pixee-dark.png">
</picture> </a>
</td>
<td>
<a href="https://coderabbit.ai">
<img width="200px" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/code-rabbit.svg" />
</a>
</td>
<td>
<a href="https://semgrep.dev/">
<img width="200px" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/semgrep.svg" />
</a>
</td>
<td>
<a href="https://offensive360.com/">
<img width="200px" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/sponsors/offensive360.png" />
</a>
</td>
</tr>
</table>
<p>If you also want to support this project, head over to our <a
href="https://github.com/sponsors/analysis-tools-dev">GitHub sponsors
page</a>.</p>
<h2 id="meaning-of-symbols">Meaning of Symbols:</h2>
<ul>
<li>:copyright: stands for proprietary software. All other tools are
Open Source.</li>
<li>:information_source: indicates that the community no longer
recommends using this tool for new projects. The icon links to the
discussion issue.</li>
<li>:warning: means that this tool has not been updated for more than 1
year, or its repository was archived.</li>
</ul>
<p>Pull requests are very welcome!<br />
Also check out the sister project, <a
href="https://github.com/mre/awesome-dynamic-analysis">awesome-dynamic-analysis</a>.</p>
<h2 id="table-of-contents">Table of Contents</h2>
<h4 id="programming-languages"><a
href="#programming-languages-1">Programming Languages</a></h4>
<ul>
<li><a href="#abap">ABAP</a></li>
<li><a href="#ada">Ada</a></li>
<li><a href="#asm">Assembly</a></li>
<li><a href="#awk">Awk</a></li>
<li><a href="#c">C</a></li>
<li><a href="#csharp">C#</a></li>
<li><a href="#cpp">C++</a></li>
<li><a href="#clojure">Clojure</a></li>
<li><a href="#coffeescript">CoffeeScript</a></li>
<li><a href="#coldfusion">ColdFusion</a></li>
<li><a href="#crystal">Crystal</a></li>
<li><a href="#dart">Dart</a></li>
<li><a href="#delphi">Delphi</a></li>
<li><a href="#dlang">Dlang</a></li>
<li><a href="#elixir">Elixir</a></li>
<li><a href="#elm">Elm</a></li>
<li><a href="#erlang">Erlang</a></li>
<li><a href="#fsharp">F#</a></li>
<li><a href="#fortran">Fortran</a></li>
<li><a href="#go">Go</a></li>
<li><a href="#groovy">Groovy</a></li>
<li><a href="#haskell">Haskell</a></li>
<li><a href="#haxe">Haxe</a></li>
<li><a href="#java">Java</a></li>
<li><a href="#javascript">JavaScript</a></li>
<li><a href="#julia">Julia</a></li>
<li><a href="#kotlin">Kotlin</a></li>
<li><a href="#lua">Lua</a></li>
<li><a href="#matlab">MATLAB</a></li>
<li><a href="#nim">Nim</a></li>
<li><a href="#ocaml">Ocaml</a></li>
<li><a href="#php">PHP</a></li>
<li><a href="#plsql">PL/SQL</a></li>
<li><a href="#perl">Perl</a></li>
<li><a href="#python">Python</a></li>
<li><a href="#r">R</a></li>
<li><a href="#rego">Rego</a></li>
<li><a href="#ruby">Ruby</a></li>
<li><a href="#rust">Rust</a></li>
<li><a href="#sql">SQL</a></li>
<li><a href="#scala">Scala</a></li>
<li><a href="#shell">Shell</a></li>
<li><a href="#swift">Swift</a></li>
<li><a href="#tcl">Tcl</a></li>
<li><a href="#typescript">TypeScript</a></li>
<li><a href="#verilog">Verilog/SystemVerilog</a></li>
<li><a href="#vim-script">Vim Script</a></li>
<li><a href="#wasm">WebAssembly</a></li>
</ul>
<h4 id="multiple-languages"><a href="#multiple-languages-1">Multiple
Languages</a></h4>
<h4 id="other"><a href="#other-1">Other</a></h4>
<details>
<summary>
Show Other
</summary>
<ul>
<li><a href="#dotenv">.env</a></li>
<li><a href="#ansible">Ansible</a></li>
<li><a href="#archive">Archive</a></li>
<li><a href="#arm">Azure Resource Manager</a></li>
<li><a href="#binary">Binaries</a></li>
<li><a href="#buildtool">Build tools</a></li>
<li><a href="#css">CSS/SASS/SCSS</a></li>
<li><a href="#configfile">Config Files</a></li>
<li><a href="#configmanagement">Configuration Management</a></li>
<li><a href="#container">Containers</a></li>
<li><a href="#ci">Continuous Integration</a></li>
<li><a href="#deno">Deno</a></li>
<li><a href="#embedded">Embedded</a></li>
<li><a href="#erb">Embedded Ruby (a.k.a. ERB, eRuby)</a></li>
<li><a href="#gherkin">Gherkin</a></li>
<li><a href="#html">HTML</a></li>
<li><a href="#json">JSON</a></li>
<li><a href="#kubernetes">Kubernetes</a></li>
<li><a href="#latex">LaTeX</a></li>
<li><a href="#laravel">Laravel</a></li>
<li><a href="#make">Makefiles</a></li>
<li><a href="#markdown">Markdown</a></li>
<li><a href="#meta">Metalinter</a></li>
<li><a href="#mobile">Mobile</a></li>
<li><a href="#nix">Nix</a></li>
<li><a href="#nodejs">Node.js</a></li>
<li><a href="#package">Packages</a></li>
<li><a href="#prometheus">Prometheus</a></li>
<li><a href="#protobuf">Protocol Buffers</a></li>
<li><a href="#puppet">Puppet</a></li>
<li><a href="#rails">Rails</a></li>
<li><a href="#security">Security/SAST</a></li>
<li><a href="#smart-contracts">Smart Contracts</a></li>
<li><a href="#support">Support</a></li>
<li><a href="#template">Template-Languages</a></li>
<li><a href="#terraform">Terraform</a></li>
<li><a href="#translation">Translation</a></li>
<li><a href="#vue">Vue.js</a></li>
<li><a href="#writing">Writing</a></li>
<li><a href="#yaml">YAML</a></li>
<li><a href="#git">git</a></li>
</ul>
</details>
<hr />
<h2 id="programming-languages-1">Programming Languages</h2>
<a name="abap" />
<h2>
ABAP
</h2>
<ul>
<li><p><a href="https://abaplint.org">abaplint</a> — Linter for ABAP,
written in TypeScript.</p></li>
<li><p><a href="https://docs.abapopenchecks.org">abapOpenChecks</a> —
Enhances the SAP Code Inspector with new and customizable
checks.</p></li>
</ul>
<a name="ada" />
<h2>
Ada
</h2>
<ul>
<li><p><a
href="https://www.adacore.com/static-analysis/codepeer">Codepeer</a>
:copyright: — Detects run-time and logic errors.</p></li>
<li><p><a
href="https://www.mathworks.com/products/polyspace-ada.html">Polyspace
for Ada</a> :copyright: — Provides code verification that proves the
absence of overflow, divide-by-zero, out-of-bounds array access, and
certain other run-time errors in source code.</p></li>
<li><p><a href="https://www.adacore.com/about-spark">SPARK</a>
:copyright: — Static analysis and formal verification toolset for
Ada.</p></li>
</ul>
<a name="asm" />
<h2>
Assembly
</h2>
<ul>
<li><a href="https://github.com/StanfordPL/stoke">STOKE</a> :warning: —
A programming-language agnostic stochastic optimizer for the x86_64
instruction set. It uses random search to explore the extremely
high-dimensional space of all possible program transformations.</li>
</ul>
<a name="awk" />
<h2>
Awk
</h2>
<ul>
<li><a
href="https://www.gnu.org/software/gawk/manual/html_node/Options.html">gawk
lint</a> — Warns about constructs that are dubious or nonportable to
other awk implementations.</li>
</ul>
<a name="c" />
<h2>
C
</h2>
<ul>
<li><p><a href="https://www.absint.com/astree/index.htm">Astrée</a>
:copyright: — Astrée automatically proves the absence of runtime errors
and invalid concurrent behavior in C/C++ applications. It is sound for
floating-point computations, very fast, and exceptionally precise. The
analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules
and supports qualification for ISO 26262, DO-178C level A, and other
safety standards. Jenkins and Eclipse plugins are available.</p></li>
<li><p><a href="http://www.cprover.org/cbmc">CBMC</a> — Bounded
model-checker for C programs, user-defined assertions, standard
assertions, several coverage metric analyses.</p></li>
<li><p><a href="https://clang.llvm.org/extra/clang-tidy">clang-tidy</a>
— Clang-based C++ linter tool with the (limited) ability to fix issues,
too.</p></li>
<li><p><a href="https://github.com/KDE/clazy">clazy</a> — Qt-oriented
static code analyzer based on the Clang framework. clazy is a compiler
plugin which allows clang to understand Qt semantics. You get more than
50 Qt-related compiler warnings, ranging from unneeded memory
allocations to misusage of API, including fix-its for automatic
refactoring.</p></li>
<li><p><a
href="https://github.com/MetricsGrimoire/CMetrics">CMetrics</a> —
Measures size and complexity for C files.</p></li>
<li><p><a href="https://cpachecker.sosy-lab.org">CPAchecker</a> — A tool
for configurable software verification of C programs. The name
CPAchecker was chosen to reflect that the tool is based on the CPA
concepts and is used for checking software programs.</p></li>
<li><p><a href="https://cppcheck.sourceforge.io">cppcheck</a> — Static
analysis of C/C++ code.</p></li>
<li><p><a href="https://www.cppdepend.com">CppDepend</a> :copyright: —
Measure, query and visualize your code and avoid unexpected issues,
technical debt and complexity.</p></li>
<li><p><a
href="https://github.com/google/styleguide/tree/gh-pages/cpplint">cpplint</a>
— Automated C++ checker that follows Google's style guide.</p></li>
<li><p><a href="https://github.com/dspinellis/cqmetrics">cqmetrics</a> —
Quality metrics for C code.</p></li>
<li><p><a href="https://www.spinellis.gr/cscout">CScout</a> — Complexity
and quality metrics for C and C preprocessor code.</p></li>
<li><p><a href="https://github.com/xjtu-enre/ENRE-cpp">ENRE-cpp</a> —
ENRE (ENtity Relationship Extractor) is a tool for extraction of code
entity dependencies or relationships from source code. ENRE-cpp is an
ENtity Relationship Extractor for C/C++ based on <span class="citation"
data-cites="eclipse/CDT">@eclipse/CDT</span>. (Under
development)</p></li>
<li><p><a href="http://esbmc.org">ESBMC</a> — ESBMC is an open source,
permissively licensed, context-bounded model checker based on
satisfiability modulo theories for the verification of single- and
multi-threaded C/C++ programs.</p></li>
<li><p><a href="http://dwheeler.com/flawfinder/">flawfinder</a>
:warning: — Finds possible security weaknesses.</p></li>
<li><p><a
href="https://github.com/JossWhittle/FlintPlusPlus">flint++</a>
:warning: — Cross-platform, zero-dependency port of flint, a lint
program for C++ developed and used at Facebook.</p></li>
<li><p><a href="https://www.frama-c.com">Frama-C</a> — A sound and
extensible static analyzer for C code.</p></li>
<li><p><a
href="https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html">GCC</a>
— The GCC compiler has static analysis capabilities since version 10.
This option is only available if GCC was configured with analyzer
support enabled. It can also output its diagnostics to a JSON file in
the SARIF format (from v13).</p></li>
<li><p><a href="https://goblint.in.tum.de">Goblint</a> — A static
analyzer for the analysis of multi-threaded C programs. Its primary
focus is the detection of data races, but it also reports other runtime
errors, such as buffer overflows and null-pointer dereferences.</p></li>
<li><p><a href="https://www.perforce.com/products/helix-qac">Helix
QAC</a> :copyright: — Enterprise-grade static analysis for embedded
software. Supports MISRA, CERT, and AUTOSAR coding standards.</p></li>
<li><p><a href="https://github.com/nasa-sw-vnv/ikos">IKOS</a> — A sound
static analyzer for C/C++ code based on LLVM.</p></li>
<li><p><a href="https://joern.io">Joern</a> — Open-source code analysis
platform for C/C++ based on code property graphs.</p></li>
<li><p><a href="http://klee.github.io/">KLEE</a> — A dynamic symbolic
execution engine built on top of the LLVM compiler infrastructure. It
can auto-generate test cases for programs such that the test cases
exercise as much of the program as possible.</p></li>
<li><p><a href="https://ldra.com">LDRA</a> :copyright: — A tool suite
including static analysis (TBVISION) to various standards including
MISRA C &amp; C++, JSF++ AV, CWE, CERT C, CERT C++ &amp; Custom
Rules.</p></li>
<li><p><a href="https://galoisinc.github.io/MATE/">MATE</a> :warning: —
A suite of tools for interactive program analysis with a focus on
hunting for bugs in C and C++ code. MATE unifies application-specific
and low-level vulnerability analysis using code property graphs (CPGs),
enabling the discovery of highly application-specific vulnerabilities
that depend on both implementation details and the high-level semantics
of target C/C++ programs.</p></li>
<li><p><a href="https://pclintplus.com/">PC-lint</a> :copyright: —
Static analysis for C/C++. Runs natively under Windows/Linux/MacOS.
Analyzes code for virtually any platform, supporting C11/C18 and
C++17.</p></li>
<li><p><a href="https://phasar.org">Phasar</a> — An LLVM-based static
analysis framework which comes with a taint and type state
analysis.</p></li>
<li><p><a
href="https://www.mathworks.com/products/polyspace-bug-finder.html">Polyspace
Bug Finder</a> :copyright: — Identifies run-time errors, concurrency
issues, security vulnerabilities, and other defects in C and C++
embedded software.</p></li>
<li><p><a
href="https://www.mathworks.com/products/polyspace-code-prover.html">Polyspace
Code Prover</a> :copyright: — Provides code verification that proves the
absence of overflow, divide-by-zero, out-of-bounds array access, and
certain other run-time errors in C and C++ source code.</p></li>
<li><p><a
href="https://clang-analyzer.llvm.org/scan-build.html">scan-build</a> —
Frontend to drive the Clang Static Analyzer built into Clang via a
regular build.</p></li>
<li><p><a href="http://splint.org">splint</a> — Annotation-assisted
static program checker.</p></li>
<li><p><a href="https://svf-tools.github.io/SVF">SVF</a> — A static tool
that enables scalable and precise interprocedural dependence analysis
for C and C++ programs.</p></li>
<li><p><a href="https://trust-in-soft.com">TrustInSoft Analyzer</a>
:copyright: — Exhaustive detection of coding errors and their associated
security vulnerabilities. This encompasses a sound undefined behavior
detection (buffer overflows, out-of-bounds array accesses, null-pointer
dereferences, use-after-free, divide-by-zeros, uninitialized memory
accesses, signed overflows, invalid pointer arithmetic, etc.), data flow
and control flow verification as well as full functional verification of
formal specifications. All versions of C up to C18 and C++ up to C++20
are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification
in Q2 2023 (TCL3). A MISRA C checker is also bundled.</p></li>
<li><p><a
href="https://bitbucket.org/verateam/vera/wiki/Introduction">vera++</a>
:warning: — Vera++ is a programmable tool for verification, analysis and
transformation of C++ source code.</p></li>
</ul>
<a name="csharp" />
<h2>
C#
</h2>
<ul>
<li><p><a href="https://github.com/DotNetAnalyzers">.NET Analyzers</a> —
An organization for the development of analyzers (diagnostics and code
fixes) using the .NET Compiler Platform.</p></li>
<li><p><a href="https://github.com/TNG/ArchUnitNET">ArchUnitNET</a> — A
C# architecture test library to specify and assert architecture rules in
C# for automated testing.</p></li>
<li><p><a href="https://code-cracker.github.io">code-cracker</a> — An
analyzer library for C# and VB that uses Roslyn to produce refactorings,
code analysis, and other niceties.</p></li>
<li><p><a
href="https://github.com/DustinCampbell/CSharpEssentials">CSharpEssentials</a>
:warning: — C# Essentials is a collection of Roslyn diagnostic
analyzers, code fixes and refactorings that make it easy to work with C#
6 language features.</p></li>
<li><p><a href="http://www.designite-tools.com">Designite</a>
:copyright: — Designite supports detection of various architecture,
design, and implementation smells, computation of various code quality
metrics, and trend analysis.</p></li>
<li><p><a
href="https://www.mono-project.com/docs/tools+libraries/tools/gendarme">Gendarme</a>
— Gendarme inspects programs and libraries that contain code in ECMA CIL
format (Mono and .NET).</p></li>
<li><p><a href="https://github.com/microsoft/infersharp">Infer#</a>
:warning: — InferSharp (also referred to as Infer#) is an
interprocedural and scalable static code analyzer for C#. Via the
capabilities of Facebook's Infer, this tool detects null pointer
dereferences and resource leaks.</p></li>
<li><p><a
href="https://github.com/meziantou/Meziantou.Analyzer">Meziantou.Analyzer</a>
— A Roslyn analyzer to enforce some good practices in C# in terms of
design, usage, security, performance, and style.</p></li>
<li><p><a href="http://www.ndepend.com">NDepend</a> :copyright: —
Measure, query and visualize your code and avoid unexpected issues,
technical debt and complexity.</p></li>
<li><p><a href="https://pumasecurity.io">Puma Scan</a> — Puma Scan
provides real time secure code analysis for common vulnerabilities (XSS,
SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams
write code in Visual Studio.</p></li>
<li><p><a href="https://github.com/JosefPihrt/Roslynator">Roslynator</a>
— A collection of 190+ analyzers and 190+ refactorings for C#, powered
by Roslyn.</p></li>
<li><p><a
href="https://github.com/SonarSource/sonar-dotnet">SonarAnalyzer.CSharp</a>
— These Roslyn analyzers allow you to produce Clean Code that is safe,
reliable, and maintainable by helping you find and correct bugs,
vulnerabilities, and code smells in your codebase.</p></li>
<li><p><a
href="https://github.com/Vannevelj/VSDiagnostics">VSDiagnostics</a>
:warning: — A collection of static analyzers based on Roslyn that
integrates with VS.</p></li>
<li><p><a
href="https://github.com/Wintellect/Wintellect.Analyzers">Wintellect.Analyzers</a>
— .NET Compiler Platform (“Roslyn”) diagnostic analyzers and code
fixes.</p></li>
</ul>
<a name="cpp" />
<h2>
C++
</h2>
<ul>
<li><p><a href="https://www.absint.com/astree/index.htm">Astrée</a>
:copyright: — Astrée automatically proves the absence of runtime errors
and invalid concurrent behavior in C/C++ applications. It is sound for
floating-point computations, very fast, and exceptionally precise. The
analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules
and supports qualification for ISO 26262, DO-178C level A, and other
safety standards. Jenkins and Eclipse plugins are available.</p></li>
<li><p><a href="http://www.cprover.org/cbmc">CBMC</a> — Bounded
model-checker for C programs, user-defined assertions, standard
assertions, several coverage metric analyses.</p></li>
<li><p><a href="https://clang.llvm.org/extra/clang-tidy">clang-tidy</a>
— Clang-based C++ linter tool with the (limited) ability to fix issues,
too.</p></li>
<li><p><a href="https://github.com/KDE/clazy">clazy</a> — Qt-oriented
static code analyzer based on the Clang framework. clazy is a compiler
plugin which allows clang to understand Qt semantics. You get more than
50 Qt-related compiler warnings, ranging from unneeded memory
allocations to misusage of API, including fix-its for automatic
refactoring.</p></li>
<li><p><a
href="https://github.com/MetricsGrimoire/CMetrics">CMetrics</a> —
Measures size and complexity for C files.</p></li>
<li><p><a href="https://cppcheck.sourceforge.io">cppcheck</a> — Static
analysis of C/C++ code.</p></li>
<li><p><a href="https://www.cppdepend.com">CppDepend</a> :copyright: —
Measure, query and visualize your code and avoid unexpected issues,
technical debt and complexity.</p></li>
<li><p><a
href="https://github.com/google/styleguide/tree/gh-pages/cpplint">cpplint</a>
— Automated C++ checker that follows Google's style guide.</p></li>
<li><p><a href="https://github.com/dspinellis/cqmetrics">cqmetrics</a> —
Quality metrics for C code.</p></li>
<li><p><a href="https://www.spinellis.gr/cscout">CScout</a> — Complexity
and quality metrics for C and C preprocessor code.</p></li>
<li><p><a href="https://github.com/xjtu-enre/ENRE-cpp">ENRE-cpp</a> —
ENRE (ENtity Relationship Extractor) is a tool for extraction of code
entity dependencies or relationships from source code. ENRE-cpp is an
ENtity Relationship Extractor for C/C++ based on <span class="citation"
data-cites="eclipse/CDT">@eclipse/CDT</span>. (Under
development)</p></li>
<li><p><a href="http://esbmc.org">ESBMC</a> — ESBMC is an open source,
permissively licensed, context-bounded model checker based on
satisfiability modulo theories for the verification of single- and
multi-threaded C/C++ programs.</p></li>
<li><p><a href="http://dwheeler.com/flawfinder/">flawfinder</a>
:warning: — Finds possible security weaknesses.</p></li>
<li><p><a
href="https://github.com/JossWhittle/FlintPlusPlus">flint++</a>
:warning: — Cross-platform, zero-dependency port of flint, a lint
program for C++ developed and used at Facebook.</p></li>
<li><p><a href="https://www.frama-c.com">Frama-C</a> — A sound and
extensible static analyzer for C code.</p></li>
<li><p><a href="https://www.perforce.com/products/helix-qac">Helix
QAC</a> :copyright: — Enterprise-grade static analysis for embedded
software. Supports MISRA, CERT, and AUTOSAR coding standards.</p></li>
<li><p><a href="https://github.com/nasa-sw-vnv/ikos">IKOS</a> — A sound
static analyzer for C/C++ code based on LLVM.</p></li>
<li><p><a href="https://joern.io">Joern</a> — Open-source code analysis
platform for C/C++ based on code property graphs.</p></li>
<li><p><a href="http://klee.github.io/">KLEE</a> — A dynamic symbolic
execution engine built on top of the LLVM compiler infrastructure. It
can auto-generate test cases for programs such that the test cases
exercise as much of the program as possible.</p></li>
<li><p><a href="https://ldra.com">LDRA</a> :copyright: — A tool suite
including static analysis (TBVISION) to various standards including
MISRA C &amp; C++, JSF++ AV, CWE, CERT C, CERT C++ &amp; Custom
Rules.</p></li>
<li><p><a href="https://galoisinc.github.io/MATE/">MATE</a> :warning: —
A suite of tools for interactive program analysis with a focus on
hunting for bugs in C and C++ code. MATE unifies application-specific
and low-level vulnerability analysis using code property graphs (CPGs),
enabling the discovery of highly application-specific vulnerabilities
that depend on both implementation details and the high-level semantics
of target C/C++ programs.</p></li>
<li><p><a href="https://pclintplus.com/">PC-lint</a> :copyright: —
Static analysis for C/C++. Runs natively under Windows/Linux/MacOS.
Analyzes code for virtually any platform, supporting C11/C18 and
C++17.</p></li>
<li><p><a href="https://phasar.org">Phasar</a> — An LLVM-based static
analysis framework which comes with a taint and type state
analysis.</p></li>
<li><p><a
href="https://www.mathworks.com/products/polyspace-bug-finder.html">Polyspace
Bug Finder</a> :copyright: — Identifies run-time errors, concurrency
issues, security vulnerabilities, and other defects in C and C++
embedded software.</p></li>
<li><p><a
href="https://www.mathworks.com/products/polyspace-code-prover.html">Polyspace
Code Prover</a> :copyright: — Provides code verification that proves the
absence of overflow, divide-by-zero, out-of-bounds array access, and
certain other run-time errors in C and C++ source code.</p></li>
<li><p><a
href="https://clang-analyzer.llvm.org/scan-build.html">scan-build</a> —
Frontend to drive the Clang Static Analyzer built into Clang via a
regular build.</p></li>
<li><p><a href="http://splint.org">splint</a> — Annotation-assisted
static program checker.</p></li>
<li><p><a href="https://svf-tools.github.io/SVF">SVF</a> — A static tool
that enables scalable and precise interprocedural dependence analysis
for C and C++ programs.</p></li>
<li><p><a href="https://trust-in-soft.com">TrustInSoft Analyzer</a>
:copyright: — Exhaustive detection of coding errors and their associated
security vulnerabilities. This encompasses a sound undefined behavior
detection (buffer overflows, out-of-bounds array accesses, null-pointer
dereferences, use-after-free, divide-by-zeros, uninitialized memory
accesses, signed overflows, invalid pointer arithmetic, etc.), data flow
and control flow verification as well as full functional verification of
formal specifications. All versions of C up to C18 and C++ up to C++20
are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification
in Q2 2023 (TCL3). A MISRA C checker is also bundled.</p></li>
<li><p><a
href="https://bitbucket.org/verateam/vera/wiki/Introduction">vera++</a>
:warning: — Vera++ is a programmable tool for verification, analysis and
transformation of C++ source code.</p></li>
</ul>
<a name="clojure" />
<h2>
Clojure
</h2>
<ul>
<li><a href="https://github.com/borkdude/clj-kondo">clj-kondo</a> — A
linter for Clojure code that sparks joy. It informs you about potential
errors while you are typing.</li>
</ul>
<a name="coffeescript" />
<h2>
CoffeeScript
</h2>
<ul>
<li><a href="https://coffeelint.github.io/">coffeelint</a> :warning: — A
style checker that helps keep CoffeeScript code clean and
consistent.</li>
</ul>
<a name="coldfusion" />
<h2>
ColdFusion
</h2>
<ul>
<li><a href="https://fixinator.app">Fixinator</a> :copyright: — Static
security code analysis for ColdFusion or CFML code. Designed to work
within a CI pipeline or from the developer's terminal.</li>
</ul>
<a name="crystal" />
<h2>
Crystal
</h2>
<ul>
<li><p><a href="https://crystal-ameba.github.io">ameba</a> — A static
code analysis tool for Crystal.</p></li>
<li><p><a href="https://crystal-lang.org">crystal</a> — The Crystal
compiler has built-in linting functionality.</p></li>
</ul>
<a name="dart" />
<h2>
Dart
</h2>
<ul>
<li><p><a href="https://pub.dev/packages/dart_code_metrics">Dart Code
Metrics</a> :warning: — Additional linter for Dart. Reports code
metrics, checks for anti-patterns and provides additional rules for Dart
analyzer.</p></li>
<li><p><a
href="https://pub.dev/packages/effective_dart">effective_dart</a> —
Linter rules corresponding to the guidelines in Effective Dart.</p></li>
<li><p><a href="https://github.com/passsy/dart-lint">lint</a> — An
opinionated, community-driven set of lint rules for Dart and Flutter
projects. Like pedantic but stricter.</p></li>
<li><p><a href="https://dart-lang.github.io/linter">Linter for dart</a>
— Style linter for Dart.</p></li>
</ul>
<a name="delphi" />
<h2>
Delphi
</h2>
<ul>
<li><p><a
href="https://github.com/integrated-application-development/delphilint">DelphiLint</a>
— A Delphi IDE package providing on-the-fly code analysis and linting,
powered by SonarDelphi.</p></li>
<li><p><a href="https://www.tmssoftware.com/site/fixinsight.asp">Fix
Insight</a> :copyright: — A free IDE Plugin for static code analysis. A
<em>Pro</em> edition includes a command line tool for automation
purposes.</p></li>
<li><p><a href="https://peganza.com/products_pal.html">Pascal
Analyzer</a> :copyright: — A static code analysis tool with numerous
reports. A free <em>Lite</em> version is available with limited
reporting.</p></li>
<li><p><a href="https://peganza.com/products_pex.html">Pascal Expert</a>
:copyright: — IDE plugin for code analysis. Includes a subset of Pascal
Analyzer reporting capabilities and is available for Delphi versions
2007 and later.</p></li>
<li><p><a
href="https://github.com/integrated-application-development/sonar-delphi">SonarDelphi</a>
— Delphi static analyzer for the SonarQube code quality
platform.</p></li>
</ul>
<a name="dlang" />
<h2>
Dlang
</h2>
<ul>
<li><a href="https://github.com/dlang-community/D-Scanner">D-scanner</a>
— D-Scanner is a tool for analyzing D source code.</li>
</ul>
<a name="elixir" />
<h2>
Elixir
</h2>
<ul>
<li><p><a href="https://github.com/rrrene/credo">credo</a> — A static
code analysis tool with a focus on code consistency and
teaching.</p></li>
<li><p><a href="https://github.com/jeremyjh/dialyxir">dialyxir</a> — Mix
tasks to simplify use of Dialyzer in Elixir projects.</p></li>
<li><p><a href="https://github.com/nccgroup/sobelow">sobelow</a> —
Security-focused static analysis for the Phoenix Framework.</p></li>
</ul>
<a name="elm" />
<h2>
Elm
</h2>
<ul>
<li><p><a href="https://stil4m.github.io/elm-analyse">elm-analyse</a>
:warning: — A tool that allows you to analyse your Elm code, identify
deficiencies and apply best practices.</p></li>
<li><p><a
href="https://package.elm-lang.org/packages/jfmengels/elm-review/latest">elm-review</a>
— Analyzes whole Elm projects, with a focus on shareable and custom
rules written in Elm that add guarantees the Elm compiler doesn't give
you.</p></li>
</ul>
<a name="erlang" />
<h2>
Erlang
</h2>
<ul>
<li><p><a
href="https://www.erlang.org/doc/man/dialyzer.html">dialyzer</a> — The
DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a
static analysis tool that identifies software discrepancies, such as
definite type errors, code that has become dead or unreachable because
of programming error, and unnecessary tests, in single Erlang modules or
entire (sets of) applications. Dialyzer starts its analysis from either
debug-compiled BEAM bytecode or from Erlang source code. The file and
line number of a discrepancy is reported along with an indication of
what the discrepancy is about. Dialyzer bases its analysis on the
concept of success typings, which allows for sound warnings (no false
positives).</p></li>
<li><p><a href="https://github.com/inaka/elvis">elvis</a> — Erlang Style
Reviewer.</p></li>
<li><p><a href="https://github.com/okeuday/pest">Primitive Erlang
Security Tool (PEST)</a> :warning: — A tool to do a basic scan of Erlang
source code and report any function calls that may cause Erlang source
code to be insecure.</p></li>
</ul>
<a name="fsharp" />
<h2>
F#
</h2>
<ul>
<li><p><a href="https://fsprojects.github.io/fantomas/">fantomas</a>
F# source code formatter.</p></li>
<li><p><a href="https://fsprojects.github.io/FSharpLint">FSharpLint</a>
— Lint tool for F#.</p></li>
<li><p><a
href="https://ionide.io/ionide-analyzers/">ionide-analyzers</a> — A
collection of F# analyzers, built with the
FSharp.Analyzers.SDK.</p></li>
</ul>
<a name="fortran" />
<h2>
Fortran
</h2>
<ul>
<li><p><a href="https://fortitude.readthedocs.io">Fortitude</a>
Fortran linter, inspired by (and built on) Ruff, and based on community
best practices. Supports latest Fortran (2023) standard.</p></li>
<li><p><a href="https://pypi.python.org/pypi/fprettify">fprettify</a>
:warning: — Auto-formatter for modern Fortran source code, written in
Python. fprettify provides consistent whitespace, indentation and
delimiter alignment, can change letter case and handle preprocessor
directives, preserves revision history and is tested for editor
integration.</p></li>
<li><p><a href="https://github.com/lequal/i-CodeCNES">i-Code CNES for
Fortran</a> — An open source static code analysis tool for Fortran 77,
Fortran 90 and Shell.</p></li>
</ul>
<a name="go" />
<h2>
Go
</h2>
<ul>
<li><p><a href="https://gitlab.com/opennota/check">aligncheck</a> — Find
inefficiently packed structs.</p></li>
<li><p><a href="https://github.com/timakin/bodyclose">bodyclose</a>
Checks whether HTTP response body is closed.</p></li>
<li><p><a href="https://github.com/tsenart/deadcode">deadcode</a>
Finds unused code.</p></li>
<li><p><a href="https://github.com/nickng/dingo-hunter">dingo-hunter</a>
:warning: — Static analyser for finding deadlocks in Go.</p></li>
<li><p><a href="https://github.com/alexkohler/dogsled">dogsled</a>
Finds assignments/declarations with too many blank identifiers.</p></li>
<li><p><a href="https://github.com/mibk/dupl">dupl</a> :warning: —
Reports potentially duplicated code.</p></li>
<li><p><a href="https://github.com/kisielk/errcheck">errcheck</a>
Check that error return values are used.</p></li>
<li><p><a href="https://github.com/fatih/errwrap">errwrap</a> — Wrap and
fix Go errors with the %w verb directive. This tool analyzes
fmt.Errorf() calls and reports calls whose verb directive differs from
the %w wrap verb introduced in Go 1.13. It can also rewrite those calls
to use %w.</p></li>
<li><p><a href="https://github.com/lafolle/flen">flen</a> — Get info on
length of functions in a Go package.</p></li>
<li><p><a href="https://github.com/alecthomas/gometalinter">Go Meta
Linter</a> :warning: — Concurrently run Go lint tools and normalise
their output. Use <code>golangci-lint</code> for new projects.</p></li>
<li><p><a href="https://golang.org/cmd/vet#hdr-Shadowed_variables">go
tool vet shadow</a> — Reports variables that may have been
unintentionally shadowed.</p></li>
<li><p><a href="https://golang.org/cmd/vet">go vet</a> — Examines Go
source code and reports suspicious constructs.</p></li>
<li><p><a
href="https://github.com/Quasilyte/go-consistent">go-consistent</a>
Analyzer that helps you to make your Go programs more
consistent.</p></li>
<li><p><a href="https://github.com/go-critic/go-critic">go-critic</a>
Go source code linter that maintains checks which are currently not
implemented in other linters.</p></li>
<li><p><a href="https://golang.org/pkg/go/ast">go/ast</a> — Package ast
declares the types used to represent syntax trees for Go
packages.</p></li>
<li><p><a href="https://github.com/m-mizutani/goast">goast</a> :warning:
— Go AST (Abstract Syntax Tree) based static analysis tool with
Rego.</p></li>
<li><p><a
href="https://github.com/leighmcculloch/gochecknoglobals">gochecknoglobals</a>
— Checks that no globals are present.</p></li>
<li><p><a href="https://github.com/jgautheron/goconst">goconst</a>
Finds repeated strings that could be replaced by a constant.</p></li>
<li><p><a href="https://github.com/fzipp/gocyclo">gocyclo</a> :warning:
— Calculate cyclomatic complexities of functions in Go source
code.</p></li>
<li><p><a href="https://golang.org/cmd/gofmt">gofmt -s</a> — Checks if
the code is properly formatted and could not be further
simplified.</p></li>
<li><p><a href="https://github.com/mvdan/gofumpt">gofumpt</a> — Enforce
a stricter format than <code>gofmt</code>, while being
backwards-compatible. That is, <code>gofumpt</code> is happy with a
subset of the formats that <code>gofmt</code> is happy with. The tool is
a fork of <code>gofmt</code> as of Go 1.19, and requires Go 1.18 or
later. It can be used as a drop-in replacement to format your Go code,
and running gofmt after gofumpt should produce no changes.
<code>gofumpt</code> will never add rules which disagree with
<code>gofmt</code> formatting. So we extend <code>gofmt</code> rather
than compete with it.</p></li>
<li><p><a
href="https://pkg.go.dev/golang.org/x/tools/cmd/goimports">goimports</a>
— Adds missing and removes unreferenced package imports, formatting the
result as gofmt does.</p></li>
<li><p><a href="https://github.com/praetorian-inc/gokart">gokart</a>
Golang security analysis with a focus on minimizing false positives. It
is capable of tracing the source of variables and function arguments to
determine whether input sources are safe.</p></li>
<li><p><a href="https://golangci-lint.run">GolangCI-Lint</a>
Alternative to <code>Go Meta Linter</code>: GolangCI-Lint is a linters
aggregator.</p></li>
<li><p><a href="https://github.com/golang/lint">golint</a> — Prints out
coding style mistakes in Go source code.</p></li>
<li><p><a
href="https://github.com/360EntSecGroup-Skylar/goreporter">goreporter</a>
— Concurrently runs many linters and normalises their output to a
report.</p></li>
<li><p><a
href="https://github.com/linuxerwang/goroutine-inspect">goroutine-inspect</a>
— An interactive tool to analyze Golang goroutine dump.</p></li>
<li><p><a href="https://securego.io">gosec (gas)</a> — Inspects source
code for security problems by scanning the Go AST.</p></li>
<li><p><a
href="https://pkg.go.dev/golang.org/x/tools/cmd/gotype">gotype</a>
Syntactic and semantic analysis similar to the Go compiler.</p></li>
<li><p><a href="https://go.dev/blog/vuln">govulncheck</a> — Govulncheck
reports known vulnerabilities that affect Go code. It uses static
analysis of source code or a binarys symbol table to narrow down
reports to only those that could affect the application. By default,
govulncheck makes requests to the Go vulnerability database at
https://vuln.go.dev. Requests to the vulnerability database contain only
module paths, not code or other properties of your program.</p></li>
<li><p><a
href="https://github.com/gordonklaus/ineffassign">ineffassign</a>
:warning: — Detect ineffectual assignments in Go code.</p></li>
<li><p><a href="https://github.com/mvdan/interfacer">interfacer</a>
:warning: — Suggest narrower interfaces that can be used.</p></li>
<li><p><a href="https://github.com/walle/lll">lll</a> :warning: — Report
long lines.</p></li>
<li><p><a href="https://github.com/mdempsky/maligned">maligned</a>
:warning: — Detect structs that would take less memory if their fields
were sorted.</p></li>
<li><p><a href="https://github.com/client9/misspell">misspell</a>
Finds commonly misspelled English words.</p></li>
<li><p><a href="https://github.com/alexkohler/nakedret">nakedret</a>
Finds naked returns.</p></li>
<li><p><a href="https://github.com/alexkohler/nargs">nargs</a> — Finds
unused arguments in function declarations.</p></li>
<li><p><a href="https://github.com/alexkohler/prealloc">prealloc</a>
Finds slice declarations that could potentially be
preallocated.</p></li>
<li><p><a href="https://github.com/haya14busa/reviewdog">Reviewdog</a>
A tool for posting review comments from any linter in any code hosting
service.</p></li>
<li><p><a href="https://revive.run">revive</a> — Fast, configurable,
extensible, flexible, and beautiful linter for Go. Drop-in replacement
of golint.</p></li>
<li><p><a href="https://github.com/stripe/safesql">safesql</a> :warning:
— Static analysis tool for Golang that protects against SQL
injections.</p></li>
<li><p><a href="https://github.com/flatt-security/shisho">shisho</a>
:warning: — A lightweight static code analyzer designed for developers
and security teams. It allows you to analyze and transform source code
with an intuitive DSL similar to sed, but for code.</p></li>
<li><p><a href="https://staticcheck.io">staticcheck</a> — Go static
analysis that specialises in finding bugs, simplifying code and
improving performance.</p></li>
<li><p><a href="https://gitlab.com/opennota/check">structcheck</a>
Find unused struct fields.</p></li>
<li><p><a href="https://github.com/orijtech/structslop">structslop</a> —
Static analyzer for Go that recommends struct field rearrangements to
provide for maximum space/allocation efficiency.</p></li>
<li><p><a href="https://pkg.go.dev/testing">test</a> — Show location of
test failures from the stdlib testing module.</p></li>
<li><p><a href="https://github.com/mdempsky/unconvert">unconvert</a>
Detect redundant type conversions.</p></li>
<li><p><a href="https://github.com/mvdan/unparam">unparam</a> — Find
unused function parameters.</p></li>
<li><p><a href="https://gitlab.com/opennota/check">varcheck</a> — Find
unused global variables and constants.</p></li>
<li><p><a href="https://github.com/bombsimon/wsl">wsl</a> — Enforces
empty lines at the right places.</p></li>
</ul>
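<p>Several of the security-focused tools above (gosec, safesql, gokart) work by walking the syntax tree that the go/ast package represents and matching call shapes. The following is an added example, not code from any of those projects: a minimal checker built on go/parser and go/ast that flags database Query/QueryRow/Exec calls whose SQL argument is a fmt.Sprintf call or a string concatenation, the injection shape gosec reports as G201 and G202. The sample source it scans is constructed for the example, and the names FindSprintfQueries, Finding and dynamicSQL are chosen here.</p>

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one suspicious call site: the source line and why it was flagged.
type Finding struct {
	Line int
	Desc string
}

// FindSprintfQueries parses one Go source file and reports calls to a method
// named Query, QueryRow or Exec whose first argument (the SQL text) is built
// with fmt.Sprintf or with string concatenation. Added example of the
// AST-walking approach gosec and safesql use, not code from either project.
// Assumption: it matches on method names only and does no type checking, so
// it does not confirm that the receiver is really a database/sql handle.
func FindSprintfQueries(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true // not a call, or nothing to inspect; keep descending
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		switch sel.Sel.Name {
		case "Query", "QueryRow", "Exec":
		default:
			return true
		}
		if desc := dynamicSQL(call.Args[0]); desc != "" {
			findings = append(findings, Finding{
				Line: fset.Position(call.Pos()).Line,
				Desc: desc,
			})
		}
		return true
	})
	return findings, nil
}

// dynamicSQL classifies the SQL argument: a fmt.Sprintf call or a "+"
// expression means the query text is assembled at runtime from other values.
func dynamicSQL(e ast.Expr) string {
	switch a := e.(type) {
	case *ast.CallExpr:
		if s, ok := a.Fun.(*ast.SelectorExpr); ok {
			if pkg, ok := s.X.(*ast.Ident); ok && pkg.Name == "fmt" && s.Sel.Name == "Sprintf" {
				return "SQL text built with fmt.Sprintf (gosec G201 shape)"
			}
		}
	case *ast.BinaryExpr:
		if a.Op == token.ADD {
			return "SQL text built with string concatenation (gosec G202 shape)"
		}
	}
	return "" // a literal: user data, if any, travels as a bound parameter
}

// sample is constructed input for this example: two injectable lookups and
// one that passes the value as a query parameter (lines 9, 13 and 17).
const sample = `package db

import (
	"database/sql"
	"fmt"
)

func unsafeLookup(db *sql.DB, name string) (*sql.Rows, error) {
	return db.Query(fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", name))
}

func concatLookup(db *sql.DB, name string) (*sql.Rows, error) {
	return db.Query("SELECT * FROM users WHERE name = '" + name + "'")
}

func safeLookup(db *sql.DB, name string) (*sql.Rows, error) {
	return db.Query("SELECT * FROM users WHERE name = ?", name)
}
`

func main() {
	findings, err := FindSprintfQueries(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d: %s\n", f.Line, f.Desc)
	}
}
```

<p>Run as-is it reports lines 9 and 13 and stays silent on line 17, where the placeholder keeps the data out of the SQL text. A production analyzer adds two things this sketch omits: go/types information to confirm the receiver type, and dataflow to follow a query string that was assembled in a variable earlier; that second step is the source tracing gokart's description refers to when it talks about cutting false positives.</p>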
<a name="groovy" />
<h2>
Groovy
</h2>
<ul>
<li><a href="https://codenarc.github.io/CodeNarc">CodeNarc</a> — A
static analysis tool for Groovy source code, enabling monitoring and
enforcement of many coding standards and best practices.</li>
</ul>
<a name="haskell" />
<h2>
Haskell
</h2>
<ul>
<li><p><a href="https://github.com/lspitzner/brittany">brittany</a>
:warning: — Haskell source code formatter</p></li>
<li><p><a href="https://github.com/ndmitchell/hlint">HLint</a> — HLint
is a tool for suggesting possible improvements to Haskell code.</p></li>
<li><p><a
href="https://ucsd-progsys.github.io/liquidhaskell-blog/">Liquid
Haskell</a> — Liquid Haskell is a refinement type checker for Haskell
programs.</p></li>
<li><p><a href="https://kowainik.github.io/projects/stan">Stan</a>
Stan is a command-line tool for analysing Haskell projects and
outputting discovered vulnerabilities in a helpful way with possible
solutions for detected problems.</p></li>
<li><p><a href="https://github.com/ocharles/weeder">Weeder</a> — A tool
for detecting dead exports or package imports in Haskell code.</p></li>
</ul>
<a name="haxe" />
<h2>
Haxe
</h2>
<ul>
<li><a
href="https://haxecheckstyle.github.io/docs/haxe-checkstyle/home.html">Haxe
Checkstyle</a> — A static analysis tool to help developers write Haxe
code that adheres to a coding standard.</li>
</ul>
<a name="java" />
<h2>
Java
</h2>
<ul>
<li><p><a href="https://checkerframework.org">Checker Framework</a>
Pluggable type-checking for Java. This is not just a bug-finder, but a
verification tool that gives a guarantee of correctness. It comes with
27 pre-built type systems, and it enables users to define their own type
system; the manual lists over 30 user-contributed type systems.</p></li>
<li><p><a href="https://checkstyle.org">checkstyle</a> — Checking Java
source code for adherence to a Code Standard or set of validation rules
(best practices).</p></li>
<li><p><a href="https://github.com/mauricioaniche/ck">ck</a>
Calculates Chidamber and Kemerer object-oriented metrics by processing
the source Java files.</p></li>
<li><p><a href="http://www.spinellis.gr/sw/ckjm">ckjm</a> — Calculates
Chidamber and Kemerer object-oriented metrics by processing the bytecode
of compiled Java files.</p></li>
<li><p><a href="https://www.eclipse.org/cognicrypt">CogniCrypt</a>
Checks Java source and byte code for incorrect uses of cryptographic
APIs.</p></li>
<li><p><a href="https://github.com/typetools/checker-framework">Dataflow
Framework</a> — An industrial-strength dataflow framework for Java. The
Dataflow Framework is used in the Checker Framework, Googles Error
Prone, Ubers NullAway, Metas Nullsafe, and in other contexts. It is
distributed with the Checker Framework.</p></li>
<li><p><a
href="http://www.designite-tools.com/designitejava">DesigniteJava</a>
:copyright: — DesigniteJava supports detection of various architecture,
design, and implementation smells along with computation of various code
quality metrics.</p></li>
<li><p><a href="https://www.diffblue.com/">Diffblue</a> :copyright: —
Diffblue is a software company that provides AI-powered code analysis
and testing solutions for software development teams. Its technology
helps developers automate testing, find bugs, and reduce manual labor in
their software development processes. The companys main product,
Diffblue Cover, uses AI to generate and run unit tests for Java code,
helping to catch errors and improve code quality.</p></li>
<li><p><a
href="https://plast-lab.github.io/doop-pldi15-tutorial/">Doop</a> — Doop
is a declarative framework for static analysis of Java/Android programs,
centered on pointer analysis algorithms. Doop provides a large variety
of analyses and also the surrounding scaffolding to run an analysis
end-to-end (fact generation, processing, statistics, etc.).</p></li>
<li><p><a href="https://github.com/xjtu-enre/ENRE-java">ENRE-java</a>
:warning: — ENRE (ENtity Relationship Extractor) is a tool for
extracting code entity dependencies or relationships from source
code. ENRE-java is an ENtity Relationship Extractor for Java projects
based on the Eclipse JDT parser.</p></li>
<li><p><a href="https://errorprone.info">Error Prone</a> — Catch common
Java mistakes as compile-time errors.</p></li>
<li><p><a href="http://fb-contrib.sourceforge.net">fb-contrib</a> — A
plugin for FindBugs with additional bug detectors.</p></li>
<li><p><a
href="https://github.com/policeman-tools/forbidden-apis">forbidden-apis</a>
— Detects and forbids invocations of specific method/class/field (like
reading from a text stream without a charset). Maven/Gradle/Ant
compatible.</p></li>
<li><p><a
href="https://github.com/google/google-java-format">google-java-format</a>
— Reformats Java source code to comply with Google Java Style</p></li>
<li><p><a href="https://github.com/amaembo/huntbugs">HuntBugs</a>
:warning: — Bytecode static analyzer tool based on Procyon Compiler
Tools aimed to supersede FindBugs.</p></li>
<li><p><a href="https://www.jetbrains.com/idea">IntelliJ IDEA</a>
:copyright: — Comes bundled with a lot of inspections for Java and
Kotlin and includes tools for refactoring, formatting and more.</p></li>
<li><p><a href="https://www.jarchitect.com">JArchitect</a> :copyright: —
Measure, query and visualize your code and avoid unexpected issues,
technical debt and complexity.</p></li>
<li><p><a href="https://www.cprover.org/jbmc">JBMC</a> — Bounded
model-checker for Java (bytecode), verifies user-defined assertions,
standard assertions, several coverage metric analyses.</p></li>
<li><p><a href="https://mariana-tren.ch/">Mariana Trench</a> — Our
security focused static analysis tool for Android and Java applications.
Mariana Trench analyzes Dalvik bytecode and is built to run fast on
large codebases (10s of millions of lines of code). It can find
vulnerabilities as code changes, before it ever lands in your
repository.</p></li>
<li><p><a href="https://github.com/uber/NullAway">NullAway</a>
Type-based null-pointer checker with low build-time overhead; an <a
href="http://errorprone.info/">Error Prone</a> plugin.</p></li>
<li><p><a href="https://owasp.org/www-project-dependency-check">OWASP
Dependency Check</a> — Checks dependencies for known, publicly
disclosed, vulnerabilities.</p></li>
<li><p><a href="https://www.qulice.com">qulice</a> — Combines a few
(pre-configured) static analysis tools (checkstyle, PMD, Findbugs,
…).</p></li>
<li><p><a
href="https://github.com/jimbethancourt/RefactorFirst">RefactorFirst</a>
— Identifies and prioritizes God Classes and Highly Coupled classes in
Java codebases you should refactor first.</p></li>
<li><p><a href="https://soot-oss.github.io/soot">Soot</a> — A framework
for analyzing and transforming Java and Android applications.</p></li>
<li><p><a href="https://spoon.gforge.inria.fr">Spoon</a> — Spoon is a
metaprogramming library to analyze and transform Java source code
(including Java 9 through 14). It parses source files to build a
well-designed AST with a powerful analysis and transformation API. Can
be integrated in Maven and Gradle.</p></li>
<li><p><a href="https://spotbugs.github.io">SpotBugs</a> — SpotBugs is
FindBugs successor. A tool for static analysis to look for bugs in Java
code.</p></li>
<li><p><a href="https://eclipse.github.io/steady/">steady</a> :warning:
— Analyses your Java applications for open-source dependencies with
known vulnerabilities, using both static analysis and testing to
determine code context and usage for greater accuracy.</p></li>
<li><p><a
href="https://github.com/tomasbjerre/violations-lib">Violations Lib</a>
— Java library for parsing report files from static code analysis. Used
by a bunch of Jenkins, Maven and Gradle plugins.</p></li>
</ul>
<a name="javascript" />
<h2>
JavaScript
</h2>
<ul>
<li><p><a href="http://aetherjs.com">aether</a> :warning: — Lint,
analyze, normalize, transform, sandbox, run, step through, and visualize
user JavaScript, in node or the browser.</p></li>
<li><p><a href="https://developers.google.com/closure/compiler">Closure
Compiler</a> — A compiler tool to increase efficiency, reduce size, and
provide code warnings in JavaScript files.</p></li>
<li><p><a
href="https://github.com/google/closure-linter">ClosureLinter</a>
:warning: — Ensures that all of your projects JavaScript code follows
the guidelines in the Google JavaScript Style Guide. It can also
automatically fix many common errors.</p></li>
<li><p><a
href="https://github.com/escomplex/complexity-report">complexity-report</a>
:warning: — Software complexity analysis for JavaScript
projects.</p></li>
<li><p><a href="https://deepscan.io">DeepScan</a> :copyright: — An
analyzer for JavaScript which targets runtime errors and quality issues
rather than coding conventions.</p></li>
<li><p><a href="https://github.com/the-simian/es6-plato">es6-plato</a>
:warning: — Visualize JavaScript (ES6) source complexity.</p></li>
<li><p><a
href="https://github.com/jared-stilwell/escomplex">escomplex</a>
:warning: — Software complexity analysis of JavaScript-family abstract
syntax trees.</p></li>
<li><p><a href="https://esprima.org">Esprima</a> :warning: — ECMAScript
parsing infrastructure for multipurpose analysis.</p></li>
<li><p><a href="https://flow.org">flow</a> — A static type checker for
JavaScript.</p></li>
<li><p><a href="https://hegel.js.org">hegel</a> :warning: — A static
type checker for JavaScript with a bias on type inference and strong
type systems.</p></li>
<li><p><a href="https://jshint.com/about">jshint</a> <a
href="https://github.com/analysis-tools-dev/static-analysis/issues/223">:information_source:</a>
— Detect errors and potential problems in JavaScript code and enforce
your teams coding conventions.</p></li>
<li><p><a href="https://github.com/douglascrockford/JSLint">JSLint</a>
<a
href="https://github.com/analysis-tools-dev/static-analysis/issues/223">:information_source:</a>
— The JavaScript Code Quality Tool.</p></li>
<li><p><a href="https://dpnishant.github.io/jsprime">JSPrime</a>
:warning: — Static security analysis tool.</p></li>
<li><p><a href="https://opensecurity.in">NodeJSScan</a> — A static
security code scanner for Node.js applications powered by libsast and
semgrep that builds on the njsscan cli tool. It features a UI with
various dashboards about an applications security status.</p></li>
<li><p><a href="https://github.com/es-analysis/plato">plato</a>
:warning: — Visualize JavaScript source complexity.</p></li>
<li><p><a
href="https://github.com/Polymer/tools/tree/master/packages/analyzer">Polymer-analyzer</a>
— A static analysis framework for Web Components.</p></li>
<li><p><a href="https://retirejs.github.io/retire.js">retire.js</a>
Scanner detecting the use of JavaScript libraries with known
vulnerabilities.</p></li>
<li><p><a href="http://rslint.org/">RSLint</a> :warning: — A (WIP)
JavaScript linter written in Rust designed to be as fast as possible,
customizable, and easy to use.</p></li>
<li><p><a href="http://standardjs.com">standard</a> — An npm module that
checks for JavaScript style guide issues.</p></li>
<li><p><a href="https://ternjs.net">tern</a> — A JavaScript code
analyzer for deep, cross-editor language support.</p></li>
<li><p><a href="https://typl.dev">TypL</a> :warning: — With TypL, you
just write completely standard JS, and the tool figures out your types
via powerful inferencing.</p></li>
<li><p><a href="https://github.com/xojs/xo">xo</a> — Opinionated but
configurable ESLint wrapper with lots of goodies included. Enforces
strict and readable code.</p></li>
<li><p><a href="https://github.com/calmh/yardstick">yardstick</a>
:warning: — Javascript code metrics.</p></li>
</ul>
<a name="julia" />
<h2>
Julia
</h2>
<ul>
<li><p><a href="https://github.com/aviatesk/JET.jl">JET</a> — Static
type inference system to detect bugs and type instabilities.</p></li>
<li><p><a
href="https://github.com/julia-vscode/StaticLint.jl">StaticLint</a>
Static Code Analysis for Julia</p></li>
</ul>
<a name="kotlin" />
<h2>
Kotlin
</h2>
<ul>
<li><p><a href="https://detekt.github.io/detekt">detekt</a> — Static
code analysis for Kotlin code.</p></li>
<li><p><a href="https://diktat.saveourtool.com">diktat</a> — Strict
coding standard for Kotlin and a linter that detects and auto-fixes code
smells.</p></li>
<li><p><a href="https://facebook.github.io/ktfmt/">ktfmt</a> — A program
that reformats Kotlin source code to comply with the common community
standard for Kotlin code conventions. A ktfmt IntelliJ plugin is
available from the plugin repository. To install it, go to your IDEs
settings and select the Plugins category. Click the Marketplace tab,
search for the ktfmt plugin, and click the Install button.</p></li>
<li><p><a href="https://ktlint.github.io">ktlint</a> — An
anti-bikeshedding Kotlin linter with built-in formatter.</p></li>
</ul>
<a name="lua" />
<h2>
Lua
</h2>
<ul>
<li><p><a href="https://github.com/lunarmodules/luacheck">luacheck</a>
A tool for linting and static analysis of Lua code.</p></li>
<li><p><a href="https://github.com/philips/lualint">lualint</a>
lualint performs luac-based static analysis of global variable usage in
Lua source code.</p></li>
<li><p><a
href="https://plugins.jetbrains.com/plugin/14698-luanalysis">Luanalysis</a>
:warning: — An IDE for statically typed Lua development.</p></li>
</ul>
<a name="matlab" />
<h2>
MATLAB
</h2>
<ul>
<li><a
href="https://www.mathworks.com/help/matlab/ref/mlint.html">mlint</a>
:copyright: — Check MATLAB code files for possible problems.</li>
</ul>
<a name="nim" />
<h2>
Nim
</h2>
<ul>
<li><p><a href="https://nim-lang.org/docs/drnim.html">DrNim</a> — DrNim
combines the Nim frontend with the Z3 proof engine in order to verify
and validate software written in Nim.</p></li>
<li><p><a href="https://github.com/FedericoCeratto/nimfmt">nimfmt</a>
Nim code formatter / linter / style checker</p></li>
</ul>
<a name="ocaml" />
<h2>
Ocaml
</h2>
<ul>
<li><p><a href="https://github.com/PLSysSec/sys">Sys</a> — A
static/symbolic tool for finding bugs in (browser) code. It uses the
LLVM AST to find bugs like uninitialized memory access.</p></li>
<li><p><a href="https://github.com/verifast/verifast">VeriFast</a> — A
tool for modular formal verification of correctness properties of
single-threaded and multithreaded C and Java programs annotated with
preconditions and postconditions written in separation logic. To express
rich specifications, the programmer can define inductive datatypes,
primitive recursive pure functions over these datatypes, and abstract
separation logic predicates.</p></li>
</ul>
<a name="php" />
<h2>
PHP
</h2>
<ul>
<li><p><a href="https://zigrin.com/tools/cake-fuzzer/">CakeFuzzer</a> —
Web application security testing tool for CakePHP-based web
applications. CakeFuzzer employs a predefined set of attacks that are
randomly modified before execution. Leveraging its deep understanding of
the CakePHP framework, CakeFuzzer launches attacks on all potential
application entry points.</p></li>
<li><p><a href="https://github.com/bmitch/churn-php">churn-php</a>
Helps discover good candidates for refactoring.</p></li>
<li><p><a
href="https://github.com/shipmonk-rnd/composer-dependency-analyser">composer-dependency-analyser</a>
— Fast detection of composer dependency issues.</p>
<ul>
<li>💪 Powerful: Detects unused, shadow and misplaced composer dependencies</li>
<li>⚡ Performant: Scans 15 000 files in 2s!</li>
<li>⚙️ Configurable: Fine-grained ignores via PHP config</li>
<li>🕸️ Lightweight: No composer dependencies</li>
<li>🍰 Easy-to-use: No config needed for first try</li>
<li>✨ Compatible: PHP &gt;= 7.2</li>
</ul></li>
<li><p><a href="https://github.com/mihaeu/dephpend">dephpend</a>
Dependency analysis tool.</p></li>
<li><p><a
href="https://github.com/sensiolabs-de/deprecation-detector">deprecation-detector</a>
— Finds usages of deprecated (Symfony) code.</p></li>
<li><p><a href="https://github.com/sensiolabs-de/deptrac">deptrac</a>
Enforce rules for dependencies between software layers.</p></li>
<li><p><a
href="https://github.com/Halleck45/DesignPatternDetector">DesignPatternDetector</a>
— Detection of design patterns in PHP code.</p></li>
<li><p><a
href="https://www.tomasvotruba.com/blog/2017/05/03/combine-power-of-php-code-sniffer-and-php-cs-fixer-in-3-lines">EasyCodingStandard</a>
— Combine <a
href="https://github.com/squizlabs/PHP_CodeSniffer">PHP_CodeSniffer</a>
and <a
href="https://github.com/FriendsOfPHP/PHP-CS-Fixer">PHP-CS-Fixer</a>.</p></li>
<li><p><a href="https://www.laravel-enlightn.com/">Enlightn</a>
:warning: — A static and dynamic analysis tool for Laravel applications
that provides recommendations to improve the performance, security and
code reliability of Laravel apps. Contains 120 automated
checks.</p></li>
<li><p><a href="https://www.exakat.io">exakat</a> — An automated code
reviewing engine for PHP.</p></li>
<li><p><a href="https://github.com/phpro/grumphp">GrumPHP</a> — Checks
code on every commit.</p></li>
<li><p><a href="https://github.com/larastan/larastan">larastan</a>
Adds static analysis to Laravel improving developer productivity and
code quality. It is a wrapper around PHPStan.</p></li>
<li><p><a href="https://trismegiste.github.io/Mondrian">Mondrian</a>
:warning: — A set of static analysis and refactoring tools which use
graph theory.</p></li>
<li><p><a
href="https://github.com/php-parallel-lint/PHP-Parallel-Lint">parallel-lint</a>
— This tool checks syntax of PHP files faster than serial check with a
fancier output.</p></li>
<li><p><a href="https://github.com/psecio/parse">Parse</a> — A Static
Security Scanner.</p></li>
<li><p><a href="https://pdepend.org">pdepend</a> — Calculates software
metrics like cyclomatic complexity for PHP code.</p></li>
<li><p><a href="https://github.com/phan/phan/wiki">phan</a> — A modern
static analyzer from Etsy.</p></li>
<li><p><a href="https://github.com/carlosas/phpat">PHP Architecture
Tester</a> — Easy to use architecture testing tool for PHP.</p></li>
<li><p><a href="https://github.com/rskuipers/php-assumptions">PHP
Assumptions</a> — Checks for weak assumptions.</p></li>
<li><p><a href="https://cs.symfony.com">PHP Coding Standards Fixer</a>
Fixes your code according to standards like PSR-1, PSR-2, and the
Symfony standard.</p></li>
<li><p><a href="https://github.com/nunomaduro/phpinsights">PHP
Insights</a> — Instant PHP quality checks from your console. Analysis of
code quality and coding style as well as overview of code architecture
and its complexity.</p></li>
<li><p><a
href="https://plugins.jetbrains.com/plugin/7622-php-inspections-ea-extended-">Php
Inspections (EA Extended)</a> — A Static Code Analyzer for PHP.</p></li>
<li><p><a href="https://qafoolabs.github.io/php-refactoring-browser">PHP
Refactoring Browser</a> — Refactoring helper.</p></li>
<li><p><a href="https://github.com/tomzx/php-semver-checker">PHP
Semantic Versioning Checker</a> :warning: — Suggests a next version
according to semantic versioning.</p></li>
<li><p><a href="https://github.com/nikic/PHP-Parser">PHP-Parser</a> — A
PHP parser written in PHP.</p></li>
<li><p><a href="https://github.com/mekras/php-speller">php-speller</a>
PHP spell check library.</p></li>
<li><p><a
href="https://github.com/Andrewsville/PHP-Token-Reflection">PHP-Token-Reflection</a>
:warning: — Library emulating the PHP internal reflection.</p></li>
<li><p><a href="https://github.com/sstalle/php7cc">php7cc</a> :warning:
— PHP 7 Compatibility Checker.</p></li>
<li><p><a href="https://github.com/Alexia/php7mar">php7mar</a> :warning:
— Assist developers in porting their code quickly to PHP 7.</p></li>
<li><p><a
href="https://pear.php.net/package/PHP_CodeSniffer">PHP_CodeSniffer</a>
:warning: — Detects violations of a defined set of coding
standards.</p></li>
<li><p><a href="https://github.com/phparkitect/arkitect">PHPArkitect</a>
— PHPArkitect helps you to keep your PHP codebase coherent and solid, by
permitting to add some architectural constraint check to your workflow.
You can express the constraint that you want to enforce, in simple and
readable PHP code.</p></li>
<li><p><a href="https://github.com/wapmorgan/PhpCodeAnalyzer">phpca</a>
:warning: — Finds usage of non-built-in extensions.</p></li>
<li><p><a href="https://github.com/sebastianbergmann/phpcpd">phpcpd</a>
:warning: — Copy/Paste Detector for PHP code.</p></li>
<li><p><a href="https://github.com/sebastianbergmann/phpdcd">phpdcd</a>
:warning: — Dead Code Detector (DCD) for PHP code.</p></li>
<li><p><a
href="https://mamuz.github.io/PhpDependencyAnalysis">PhpDependencyAnalysis</a>
:warning: — Builds a dependency graph for a project.</p></li>
<li><p><a
href="https://github.com/wapmorgan/PhpDeprecationDetector">PhpDeprecationDetector</a>
:warning: — Analyzer of PHP code to search issues with deprecated
functionality in newer interpreter versions. It finds removed objects
(functions, variables, constants and ini-directives), deprecated
functions functionality, and usage of forbidden names or tricks
(e.g. reserved identifiers in newer versions).</p></li>
<li><p><a
href="https://github.com/dunglas/phpdoc-to-typehint">phpdoc-to-typehint</a>
:warning: — Add scalar type hints and return types to existing PHP
projects using PHPDoc annotations.</p></li>
<li><p><a href="https://www.phpdoc.org">phpDocumentor</a> — Analyzes PHP
source code to generate documentation.</p></li>
<li><p><a href="https://github.com/sebastianbergmann/phploc">phploc</a>
— A tool for quickly measuring the size and analyzing the structure of a
PHP project.</p></li>
<li><p><a href="https://phpmd.org">PHPMD</a> — Finds possible bugs in
your code.</p></li>
<li><p><a href="http://www.phpmetrics.org">PhpMetrics</a> — Calculates
and visualizes various code quality metrics.</p></li>
<li><p><a href="https://github.com/povils/phpmnd">phpmnd</a> — Helps to
detect magic numbers.</p></li>
<li><p><a href="https://edgedesigncz.github.io/phpqa">PHPQA</a>
:warning: — A tool for running QA tools (phploc, phpcpd, phpcs, pdepend,
phpmd, phpmetrics).</p></li>
<li><p><a href="https://github.com/jakzal/phpqa">phpqa - jakzal</a>
Many tools for PHP static analysis in one container.</p></li>
<li><p><a href="https://github.com/jmolivas/phpqa">phpqa - jmolivas</a>
— PHPQA all-in-one Analyzer CLI tool.</p></li>
<li><p><a href="https://github.com/ovr/phpsa">phpsa</a> :warning: —
Static analysis tool for PHP.</p></li>
<li><p><a href="https://phpstan.org">PHPStan</a> — PHP Static Analysis
Tool - discover bugs in your code without running it!</p></li>
<li><p><a
href="https://github.com/designsecurity/progpilot">Progpilot</a> — A
static analysis tool for security purposes.</p></li>
<li><p><a href="https://psalm.dev">Psalm</a> — Static analysis tool for
finding type errors in PHP applications.</p></li>
<li><p><a href="https://github.com/Qafoo/QualityAnalyzer">Qafoo Quality
Analyzer</a> :warning: — Visualizes metrics and source code.</p></li>
<li><p><a href="https://getrector.org">rector</a> — Instant Upgrades and
Automated Refactoring of any PHP 5.3+ code. It upgrades your code for
PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate
because it looks for narrowly defined AST (abstract syntax tree)
patterns. The main use-cases are tackling technical debt in your legacy
code and removing dead code. Rector provides a set of special rules for
Symfony, Doctrine, PHPUnit, and many more.</p></li>
<li><p><a
href="https://github.com/phpDocumentor/Reflection">Reflection</a>
— Reflection library to do Static Analysis for PHP Projects.</p></li>
<li><p><a href="https://insight.symfony.com/">Symfony Insight</a>
:copyright: — Detect security risks, find bugs and provide actionable
metrics for PHP projects.</p></li>
<li><p><a href="https://github.com/ircmaxell/Tuli">Tuli</a> — A static
analysis engine.</p></li>
<li><p><a href="https://github.com/asm89/twig-lint">twig-lint</a>
— twig-lint is a lint tool for your twig files.</p></li>
<li><p><a
href="https://securityonline.info/owasp-wap-web-application-protection-project">WAP</a>
— Tool to detect and correct input validation vulnerabilities in PHP
(4.0 or higher) web applications and predicts false positives by
combining static analysis and data mining.</p></li>
</ul>
<a name="plsql" />
<h2>
PL/SQL
</h2>
<ul>
<li><a href="https://zpa.felipebz.com">ZPA</a> — An open source parser
and code analyzer for PL/SQL and Oracle SQL code.</li>
</ul>
<a name="perl" />
<h2>
Perl
</h2>
<ul>
<li><p><a
href="https://technix.github.io/Perl-Analyzer/">Perl::Analyzer</a>
— Perl-Analyzer is a set of programs and modules that allow users to
analyze and visualize Perl codebases by providing information about
namespaces and their relations, dependencies, inheritance, and methods
implemented, inherited, and redefined in packages, as well as calls to
methods from parent packages via SUPER.</p></li>
<li><p><a href="https://metacpan.org/pod/Perl::Critic">Perl::Critic</a>
— Critique Perl source code for best-practices.</p></li>
<li><p><a href="https://perltidy.sourceforge.net/">perltidy</a>
— Perltidy is a Perl script which indents and reformats Perl scripts to
make them easier to read. The formatting can be controlled with command
line parameters. The default parameter settings approximately follow the
suggestions in the Perl Style Guide. Besides reformatting scripts,
Perltidy can be a great help in tracking down errors with missing or
extra braces, parentheses, and square brackets because it is very good
at localizing errors.</p></li>
<li><p><a href="https://github.com/htrgouvea/zarn">zarn</a> — A
lightweight static security analysis tool for modern Perl Apps</p></li>
</ul>
<a name="python" />
<h2>
Python
</h2>
<ul>
<li><p><a href="https://github.com/PyCQA/autoflake">autoflake</a>
— Autoflake removes unused imports and unused variables from Python
code.</p></li>
<li><p><a href="https://pypi.org/project/autopep8/">autopep8</a> — A
tool that automatically formats Python code to conform to the PEP 8
style guide. It uses the pycodestyle utility to determine what parts of
the code needs to be formatted.</p></li>
<li><p><a href="https://bandit.readthedocs.io/en/latest">bandit</a> — A
tool to find common security issues in Python code.</p></li>
<li><p><a
href="https://github.com/hchasestevens/bellybutton">bellybutton</a> — A
linting engine supporting custom project-specific rules.</p></li>
<li><p><a href="https://black.readthedocs.io/en/stable">Black</a> — The
uncompromising Python code formatter.</p></li>
<li><p><a href="https://pybowler.io/">Bowler</a> — Safe code refactoring
for modern Python. Bowler is a refactoring tool for manipulating Python
at the syntax tree level. It enables safe, large scale code
modifications while guaranteeing that the resulting code compiles and
runs. It provides both a simple command line interface and a fluent API
in Python for generating complex code modifications in code.</p></li>
<li><p><a href="https://github.com/ContinuumIO/ciocheck">ciocheck</a>
:warning: — Linter, formatter and test suite helper. As a linter, it is
a wrapper around <code>pep8</code>, <code>pydocstyle</code>,
<code>flake8</code>, and <code>pylint</code>.</p></li>
<li><p><a href="https://github.com/mschwager/cohesion">cohesion</a> — A
tool for measuring Python class cohesion.</p></li>
<li><p><a href="https://deal.readthedocs.io/">deal</a> — Design by
contract for Python. Write bug-free code. By adding a few decorators to
your code, you get for free tests, static analysis, formal verification,
and much more.</p></li>
<li><p><a href="https://github.com/dlint-py/dlint">Dlint</a> — A tool
for ensuring Python code is secure.</p></li>
<li><p><a href="https://github.com/landscapeio/dodgy">Dodgy</a> — Dodgy
is a very basic tool to run against your codebase to search for “dodgy”
looking values. It is a series of simple regular expressions designed to
detect things such as accidental SCM diff checkins, or passwords or
secret keys hard coded into files.</p></li>
<li><p><a href="https://github.com/xjtu-enre/ENRE-py">ENRE-py</a>
:warning: — ENRE (ENtity Relationship Extractor) is a tool for
extraction of code entity dependencies or relationships from source
code. ENRE-py is an ENtity Relationship Extractor for Python based on
Python Language Services of The Standard Library.</p></li>
<li><p><a href="https://pypi.org/project/fixit">fixit</a> — A framework
for creating lint rules and corresponding auto-fixes for source
code.</p></li>
<li><p><a href="https://github.com/PyCQA/flake8">flake8</a> — A wrapper
around <code>pyflakes</code>, <code>pycodestyle</code> and
<code>mccabe</code>.</p></li>
<li><p><a href="https://pypi.org/project/flakeheaven/">flakeheaven</a>
— flakeheaven is a Python linter built around flake8 to enable inheritable
and complex toml configuration.</p></li>
<li><p><a href="https://mkdocstrings.github.io/griffe/">Griffe</a>
— Signatures for entire Python programs. Extract the structure, the frame,
the skeleton of your project, to generate API documentation or find
breaking changes in your API.</p></li>
<li><p><a href="https://github.com/thg-consulting/it">InspectorTiger</a>
:warning: — IT, Inspector Tiger, is a modern python code review tool /
framework. It comes with a bunch of pre-defined handlers which warn you
about improvements and possible bugs. Besides these handlers, you can
write your own or use community ones.</p></li>
<li><p><a href="https://jedi.readthedocs.io/en/latest">jedi</a>
— Autocompletion/static analysis library for Python.</p></li>
<li><p><a href="https://github.com/lyft/linty_fresh">linty fresh</a>
— Parse lint errors and report them to Github as comments on a pull
request.</p></li>
<li><p><a href="https://pypi.org/project/mccabe">mccabe</a> :warning: —
Check McCabe complexity.</p></li>
<li><p><a href="https://github.com/adamchainz/multilint">multilint</a>
:warning: — A wrapper around <code>flake8</code>, <code>isort</code> and
<code>modernize</code>.</p></li>
<li><p><a href="http://www.mypy-lang.org">mypy</a> — A static type
checker that aims to combine the benefits of duck typing and static
typing, frequently used with <a
href="https://github.com/Instagram/MonkeyType">MonkeyType</a>.</p></li>
<li><p><a href="https://github.com/PyCQA/prospector">prospector</a> — A
wrapper around <code>pylint</code>, <code>pep8</code>,
<code>mccabe</code> and others.</p></li>
<li><p><a
href="https://github.com/uber/py-find-injection">py-find-injection</a>
:warning: — Find SQL injection vulnerabilities in Python code.</p></li>
<li><p><a
href="https://pyanalyze.readthedocs.io/en/latest/">pyanalyze</a> — A
tool for programmatically detecting common mistakes in Python code, such
as references to undefined variables and type errors. It can be extended
to add additional rules and perform checks specific to particular
functions.</p></li>
<li><p><a href="https://pycodestyle.pycqa.org/en/latest">pycodestyle</a>
— (Formerly <code>pep8</code>) Check Python code against some of the
style conventions in PEP 8.</p></li>
<li><p><a href="http://www.pydocstyle.org">pydocstyle</a> :warning: —
Check compliance with Python docstring conventions.</p></li>
<li><p><a href="https://pypi.org/project/pyflakes">pyflakes</a> — Check
Python source files for errors.</p></li>
<li><p><a href="http://pylint.pycqa.org/en/latest">pylint</a> — Looks
for programming errors, helps enforcing a coding standard and sniffs for
some code smells. It additionally includes <code>pyreverse</code> (an
UML diagram generator) and <code>symilar</code> (a similarities
checker).</p></li>
<li><p><a href="https://mtshiba.github.io/pylyzer/">pylyzer</a> — A
static code analyzer / language server for Python, written in Rust,
focused on type checking and readable output.</p></li>
<li><p><a href="https://pyre-check.org">pyre-check</a> — A fast,
scalable type checker for large Python codebases.</p></li>
<li><p><a href="https://github.com/Microsoft/pyright">pyright</a>
— Static type checker for Python, created to address gaps in existing
tools like mypy.</p></li>
<li><p><a href="https://github.com/regebro/pyroma">pyroma</a> — Rate how
well a Python project complies with the best practices of the Python
packaging ecosystem, and list issues that could be improved.</p></li>
<li><p><a href="https://pyre-check.org/docs/pysa-basics.html">Pysa</a>
— A tool based on Facebook's pyre-check that identifies potential security
issues in Python code using taint analysis.</p></li>
<li><p><a href="https://github.com/python-security/pyt">PyT - Python
Taint</a> :warning: — A static analysis tool for detecting security
vulnerabilities in Python web applications.</p></li>
<li><p><a href="https://google.github.io/pytype">pytype</a> — A static
type analyzer for Python code.</p></li>
<li><p><a href="https://pypi.org/project/pyupgrade-docs/">pyupgrade</a>
— A tool (and pre-commit hook) to automatically upgrade syntax for newer
versions of the language.</p></li>
<li><p><a
href="https://github.com/quantifiedcode/quantifiedcode">QuantifiedCode</a>
:warning: — Automated code review &amp; repair. It helps you to keep
track of issues and metrics in your software projects, and can be easily
extended to support new types of analyses.</p></li>
<li><p><a href="https://radon.readthedocs.io/en/latest">radon</a> — A
Python tool that computes various metrics from the source code.</p></li>
<li><p><a href="https://github.com/dosisod/refurb">refurb</a> — A tool
for refurbishing and modernizing Python codebases. Refurb is heavily
inspired by clippy, the built-in linter for Rust.</p></li>
<li><p><a href="https://astral.sh/ruff">ruff</a> — Fast Python linter,
written in Rust. 10-100x faster than existing linters. Compatible with
Python 3.10. Supports file watcher.</p></li>
<li><p><a href="https://unimport.hakancelik.dev">unimport</a> :warning:
— A linter, formatter for finding and removing unused import
statements.</p></li>
<li><p><a href="https://github.com/jendrikseipp/vulture">vulture</a>
— Find unused classes, functions and variables in Python code.</p></li>
<li><p><a
href="https://wemake-python-styleguide.rtfd.io/">wemake-python-styleguide</a>
— The strictest and most opinionated python linter ever.</p></li>
<li><p><a href="https://github.com/tonybaloney/wily">wily</a> :warning:
— A command-line tool for archiving, exploring and graphing the
complexity of Python source code.</p></li>
<li><p><a href="https://xenon.readthedocs.io">xenon</a> — Monitor code
complexity using <a
href="https://github.com/rubik/radon"><code>radon</code></a>.</p></li>
<li><p><a href="https://github.com/google/yapf">yapf</a> — A formatter
for Python files created by Google. YAPF follows a distinctive
methodology, originating from the clang-format tool created by Daniel
Jasper. Essentially, the program reframes the code to the most suitable
formatting that abides by the style guide, even if the original code
already follows the style guide. This concept is similar to the Go
programming language's gofmt tool, which aims to put an end to debates
about formatting by having the entire codebase of a project pass through
YAPF whenever changes are made, thereby maintaining a consistent style
throughout the project and eliminating the need to argue about style in
every code review.</p></li>
</ul>
<a name="r" />
<h2>
R
</h2>
<ul>
<li><p><a href="https://github.com/duncantl/CodeDepends">CodeDepends</a>
:warning: — Static Code Analysis for R.</p></li>
<li><p><a href="https://github.com/MangoTheCat/cyclocomp">cyclocomp</a>
— Quantifies the cyclomatic complexity of R functions /
expressions.</p></li>
<li><p><a href="https://github.com/flowr-analysis/flowr">flowR</a> — A
<a
href="https://github.com/flowr-analysis/flowr/wiki/Terminology#program-slice">program
slicer</a> and <a
href="https://en.wikipedia.org/wiki/Data-flow_analysis">dataflow
analyzer</a> for the <a href="https://www.r-project.org/">R</a>
programming language. Its slicer allows you to reduce a complicated
program to just the parts relevant to a specific task (e.g., the
generation of a single or collection of plots, a significance test, …).
The dataflow analysis provides you with a detailed view on the semantics
of the R code which can greatly improve other analyses. To use
<em>flowR</em>, check out the <a
href="https://marketplace.visualstudio.com/items?itemName=code-inspect.vscode-flowr">Visual
Studio Code extension</a>, the <a
href="https://github.com/flowr-analysis/rstudio-addin-flowr">RStudio
Addin</a>, the <a
href="https://hub.docker.com/r/eagleoutice/flowr">Docker image</a>, or
the <a href="https://github.com/flowr-analysis/flowr-r-adapter">R
package</a>.</p></li>
<li><p><a
href="https://docs.ropensci.org/goodpractice/">goodpractice</a>
— Analyses the source code for R packages and provides best-practice
recommendations.</p></li>
<li><p><a href="https://github.com/jimhester/lintr">lintr</a> — Static
Code Analysis for R.</p></li>
<li><p><a href="https://github.com/REditorSupport/languageserver/">R
Language Server</a> — Provides code completion, refactoring, folding,
diagnostics (with lintr), and more for R.</p></li>
<li><p><a href="https://jcrodriguez1989.github.io/rco/">rco</a>
— Performance optimizer for R code (with GUI).</p></li>
<li><p><a href="https://styler.r-lib.org">styler</a> — Formatting of R
source code files and pretty-printing of R code.</p></li>
</ul>
<a name="rego" />
<h2>
Rego
</h2>
<ul>
<li><a href="https://github.com/styrainc/regal">Regal</a> — Regal is a
linter for the policy language Rego. Regal aims to catch bugs and
mistakes in policy code, while at the same time helping people learn the
language, best practices and idiomatic constructs.</li>
</ul>
<a name="ruby" />
<h2>
Ruby
</h2>
<ul>
<li><p><a href="https://brakemanscanner.org">brakeman</a> — A static
analysis security vulnerability scanner for Ruby on Rails
applications.</p></li>
<li><p><a
href="https://github.com/rubysec/bundler-audit">bundler-audit</a>
— Audit Gemfile.lock for gems with security vulnerabilities reported in the <a
href="https://github.com/rubysec/ruby-advisory-db">Ruby Advisory
Database</a>.</p></li>
<li><p><a href="https://github.com/square/cane">cane</a> :warning: —
Code quality threshold checking as part of your build.</p></li>
<li><p><a href="https://github.com/danmayer/churn">Churn</a> :warning: —
A Project to give the churn file, class, and method for a project for a
given checkin. Over time the tool adds up the history of churns to give
the number of times a file, class, or method is changing during the life
of a project.</p></li>
<li><p><a
href="https://github.com/thesp0nge/dawnscanner">dawnscanner</a> — A
static analysis security scanner for ruby written web applications. It
supports Sinatra, Padrino and Ruby on Rails frameworks.</p></li>
<li><p><a href="https://github.com/Shopify/erb-lint">ERB Lint</a> — Lint
your ERB or HTML files</p></li>
<li><p><a href="https://github.com/DamirSvrtan/fasterer">Fasterer</a>
— Common Ruby idioms checker.</p></li>
<li><p><a href="https://ruby.sadi.st/Flay.html">flay</a> — Flay analyzes
code for structural similarities.</p></li>
<li><p><a href="https://ruby.sadi.st/Flog.html">flog</a> :warning: —
Flog reports the most tortured code in an easy to read pain report. The
higher the score, the more pain the code is in.</p></li>
<li><p><a href="https://github.com/CoralineAda/fukuzatsu">Fukuzatsu</a>
— A tool for measuring code complexity in Ruby class files. Its analysis
generates scores based on cyclomatic complexity algorithms with no added
“opinions”.</p></li>
<li><p><a
href="https://github.com/threedaymonk/htmlbeautifier">htmlbeautifier</a>
— A normaliser/beautifier for HTML that also understands embedded Ruby.
Ideal for tidying up Rails templates.</p></li>
<li><p><a href="https://github.com/michaeledgar/laser">laser</a>
:warning: — Static analysis and style linter for Ruby code.</p></li>
<li><p><a href="https://github.com/metricfu/metric_fu">MetricFu</a>
:warning: — MetricFu is a set of tools to provide reports that show
which parts of your code might need extra work.</p></li>
<li><p><a href="https://github.com/codegram/pelusa">pelusa</a> — Static
analysis Lint-type tool to improve your OO Ruby code.</p></li>
<li><p><a href="https://github.com/apiology/quality">quality</a>
:warning: — Runs quality checks on your code using community tools, and
makes sure your numbers don't get any worse over time.</p></li>
<li><p><a href="https://github.com/soutaro/querly">Querly</a> :warning:
— Pattern Based Checking Tool for Ruby.</p></li>
<li><p><a href="https://railroader.org">Railroader</a> :warning: — An
open source static analysis security vulnerability scanner for Ruby on
Rails applications.</p></li>
<li><p><a
href="https://rails-bestpractices.com">rails_best_practices</a> — A code
metric tool for Rails projects</p></li>
<li><p><a href="https://github.com/troessner/reek">reek</a> — Code smell
detector for Ruby.</p></li>
<li><p><a href="https://github.com/roodi/roodi">Roodi</a> :warning: —
Roodi stands for Ruby Object Oriented Design Inferometer. It parses your
Ruby code and warns you about design issues you have based on the checks
that it has configured.</p></li>
<li><p><a href="https://docs.rubocop.org/rubocop">RuboCop</a> — A Ruby
static code analyzer, based on the community Ruby style guide.</p></li>
<li><p><a href="https://github.com/blazeeboy/rubrowser">Rubrowser</a>
— Ruby classes interactive dependency graph generator.</p></li>
<li><p><a
href="https://gitlab.com/yorickpeterse/ruby-lint">ruby-lint</a>
:warning: — Static code analysis for Ruby.</p></li>
<li><p><a href="https://github.com/whitesmith/rubycritic">rubycritic</a>
— A Ruby code quality reporter.</p></li>
<li><p><a href="https://github.com/ruby-formatter/rufo">rufo</a> — An
opinionated ruby formatter, intended to be used via the command line as
a text-editor plugin, to autoformat files on save or on demand.</p></li>
<li><p><a href="https://metricfu.github.io/Saikuro">Saikuro</a>
:warning: — A Ruby cyclomatic complexity analyzer.</p></li>
<li><p><a href="https://rubygems.org/gems/sandi_meter">SandiMeter</a>
:warning: — Static analysis tool for checking Ruby code for Sandi Metz
rules.</p></li>
<li><p><a href="https://sorbet.org">Sorbet</a> — A fast, powerful type
checker designed for Ruby.</p></li>
<li><p><a href="https://github.com/testdouble/standard">Standard
Ruby</a> — Ruby Style Guide, with linter &amp; automatic code
fixer</p></li>
<li><p><a href="https://github.com/soutaro/steep">Steep</a> — Gradual
Typing for Ruby.</p></li>
</ul>
<a name="rust" />
<h2>
Rust
</h2>
<ul>
<li><p><a href="https://c2rust.com">C2Rust</a> — C2Rust helps you
migrate C99-compliant code to Rust. The translator (or transpiler)
produces unsafe Rust code that closely mirrors the input C
code.</p></li>
<li><p><a href="https://github.com/est31/cargo-udeps">cargo udeps</a>
— Find unused dependencies in Cargo.toml. It either prints out an “unused
crates” line listing the crates, or it prints out a line saying that no
crates were unused.</p></li>
<li><p><a href="https://rustsec.org">cargo-audit</a> — Audit Cargo.lock
for crates with security vulnerabilities reported to the <a
href="https://github.com/RustSec/advisory-db/">RustSec Advisory
Database</a>.</p></li>
<li><p><a
href="https://github.com/RazrFalcon/cargo-bloat">cargo-bloat</a>
:warning: — Find out what takes most of the space in your executable.
It supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows)
binaries.</p></li>
<li><p><a
href="https://github.com/iomentum/cargo-breaking">cargo-breaking</a>
— cargo-breaking compares a crate's public API between two different
branches, shows what changed, and suggests the next version according to
semver.</p></li>
<li><p><a
href="https://github.com/japaric/cargo-call-stack">cargo-call-stack</a>
— Whole-program static stack analysis. The tool produces the full call
graph of a program as a dot file.</p></li>
<li><p><a
href="https://embarkstudios.github.io/cargo-deny">cargo-deny</a> — A
cargo plugin for linting your dependencies. It can be used either as a
command line tool, a Rust crate, or a Github action for CI. It checks for
valid license information, duplicate crates, security vulnerabilities,
and more.</p></li>
<li><p><a
href="https://github.com/dtolnay/cargo-expand">cargo-expand</a> — Cargo
subcommand to show result of macro expansion and #[derive] expansion
applied to the current crate. This is a wrapper around a more verbose
compiler command.</p></li>
<li><p><a
href="https://github.com/geiger-rs/cargo-geiger">cargo-geiger</a> — A
cargo plugin for analysing the usage of unsafe Rust code. Provides
statistical output to aid security auditing.</p></li>
<li><p><a href="https://github.com/mre/cargo-inspect">cargo-inspect</a>
:warning: — Inspect Rust code without syntactic sugar to see what the
compiler does behind the curtains.</p></li>
<li><p><a
href="https://crates.io/crates/cargo-semver-checks">cargo-semver-checks</a>
— Scan your Rust crate releases for semver violations. It can be used
either directly via the CLI, as a GitHub Action in CI, or via release
managers like <code>release-plz</code>. It found semver violations in <a
href="https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/">more
than 1 in 6 of the top 1000 most-downloaded crates</a> on
crates.io.</p></li>
<li><p><a
href="https://github.com/pacak/cargo-show-asm">cargo-show-asm</a>
— cargo subcommand showing the assembly, LLVM-IR and MIR generated for
Rust code.</p></li>
<li><p><a
href="https://github.com/drahnr/cargo-spellcheck">cargo-spellcheck</a>
— Checks all your documentation for spelling and grammar mistakes with
hunspell (ready) and languagetool (preview).</p></li>
<li><p><a
href="https://github.com/TimonPost/cargo-unused-features">cargo-unused-features</a>
— Find potential unused enabled feature flags and prune them. You can
generate a simple HTML report from the json to make it easier to inspect
results. It removes a feature of a dependency and then compiles the
project to see if it still compiles. If it does, the feature flag can
possibly be removed, but it can be a false-positive.</p></li>
<li><p><a href="https://rust-lang.github.io/rust-clippy">clippy</a> — A
code linter to catch common mistakes and improve your Rust
code.</p></li>
<li><p><a href="https://diff.rs">diff.rs</a> — Web application (WASM) to
render a diff between Rust crate versions.</p></li>
<li><p><a
href="https://www.trailofbits.com/post/write-rust-lints-without-forking-clippy">dylint</a>
— A tool for running Rust lints from dynamic libraries. Dylint makes it
easy for developers to maintain their own personal lint
collections.</p></li>
<li><p><a href="https://kha.github.io/electrolysis">electrolysis</a>
:warning: — A tool for formally verifying Rust programs by transpiling
them into definitions in the Lean theorem prover.</p></li>
<li><p><a href="https://github.com/mcarton/rust-herbie-lint">herbie</a>
:warning: — Adds warnings or errors to your crate when using a
numerically unstable floating point expression.</p></li>
<li><p><a href="https://github.com/model-checking/kani">kani</a> — The
Kani Rust Verifier is a bit-precise model checker for Rust. Kani is
particularly useful for verifying unsafe code blocks in Rust, where the
“unsafe superpowers” are unchecked by the compiler. Kani
verifies:</p>
<ul>
<li>Memory safety (e.g., null pointer dereferences)</li>
<li>User-specified assertions (i.e., assert!(…))</li>
<li>The absence of panics (e.g., unwrap() on None values)</li>
<li>The absence of some types of unexpected behavior (e.g.,
arithmetic overflows)</li>
</ul></li>
<li><p><a
href="https://github.com/AtomLinter/linter-rust">linter-rust</a>
:warning: — Linting your Rust-files in Atom, using rustc and
cargo.</p></li>
<li><p><a href="https://github.com/BurtonQin/lockbud">lockbud</a>
— Statically detects Rust deadlock bugs. It currently detects two common
kinds of deadlock bugs: doublelock and locks in conflicting order. It
will print bugs in JSON format together with the source code location
and an explanation of each bug.</p></li>
<li><p><a href="https://github.com/facebookexperimental/MIRAI">MIRAI</a>
— An abstract interpreter operating on Rust's mid-level intermediate
language, and providing warnings based on taint analysis.</p></li>
<li><p><a href="https://github.com/teenjuna/prae">prae</a> :warning: —
Provides a convenient macro that allows you to generate type wrappers
that promise to always uphold arbitrary invariants that you
specified.</p></li>
<li><p><a
href="https://www.pm.inf.ethz.ch/research/prusti.html">Prusti</a>
:warning: — A static verifier for Rust, based on the Viper verification
infrastructure. By default Prusti verifies absence of panics by proving
that statements such as unreachable!() and panic!() are
unreachable.</p></li>
<li><p><a href="https://github.com/sslab-gatech/Rudra">Rudra</a>
:warning: — Rust Memory Safety &amp; Undefined Behavior Detection. It is
capable of analyzing single Rust packages as well as all the packages on
crates.io.</p></li>
<li><p><a href="https://github.com/rust-lang-nursery/rls">Rust Language
Server</a> :warning: — Supports functionality such as goto definition,
symbol search, reformatting, and code completion, and enables renaming
and refactorings.</p></li>
<li><p><a href="https://rust-analyzer.github.io">rust-analyzer</a>
— Supports functionality such as goto definition, type inference, symbol
search, reformatting, and code completion, and enables renaming and
refactorings.</p></li>
<li><p><a href="https://github.com/Shnatsel/rust-audit">rust-audit</a>
— Audit Rust binaries for known bugs or security vulnerabilities. This
works by embedding data about the dependency tree (Cargo.lock) in JSON
format into a dedicated linker section of the compiled
executable.</p></li>
<li><p><a href="https://github.com/rust-lang/rustfix">rustfix</a> — Read
and apply the suggestions made by rustc (and third-party lints, like
those offered by clippy).</p></li>
<li><p><a href="https://github.com/rust-lang/rustfmt">rustfmt</a> — A
tool for formatting Rust code according to style guidelines.</p></li>
<li><p><a href="https://github.com/rustviz/rustviz">RustViz</a>
— RustViz is a tool that generates visualizations from simple Rust
programs to assist users in better understanding the Rust Lifetime and
Borrowing mechanism. It generates SVG files with graphical indicators
that integrate with mdbook to render visualizations of data-flow in Rust
programs.</p></li>
<li><p><a href="https://github.com/est31/warnalyzer">warnalyzer</a>
— Show unused code from multi-crate Rust projects.</p></li>
</ul>
<a name="sql" />
<h2>
SQL
</h2>
<ul>
<li><p><a href="https://github.com/channable/dbcritic">dbcritic</a>
— dbcritic finds problems in a database schema, such as a missing primary
key constraint in a table.</p></li>
<li><p><a href="https://holistic.dev/">holistic</a> — More than 1,300
rules to analyze SQL queries. Takes an SQL schema definition and the
query source code to generate improvement recommendations. Detects code
smells, unused indexes, unused tables, views, materialized views, and
more.</p></li>
<li><p><a href="https://github.com/timescale/pgspot">pgspot</a> — Spot
vulnerabilities in postgres extension scripts. Finds unsafe search_path
usage and unsafe object creation in PostgreSQL extension scripts or any
other PostgreSQL SQL code.</p></li>
<li><p><a href="https://github.com/nrempel/sleek">sleek</a> — Sleek is a
CLI tool for formatting SQL. It helps you maintain a consistent style
across your SQL code, enhancing readability and productivity. The heavy
lifting is done by the sqlformat crate.</p></li>
<li><p><a href="https://github.com/jarulraj/sqlcheck">sqlcheck</a>
:warning: — Automatically identify anti-patterns in SQL
queries.</p></li>
<li><p><a href="https://www.sqlfluff.com/">SQLFluff</a> — Multiple
dialect SQL linter and formatter.</p></li>
<li><p><a href="https://github.com/purcell/sqlint">sqlint</a> — Simple
SQL linter.</p></li>
<li><p><a href="https://squawkhq.com">squawk</a> — Linter for
PostgreSQL, focused on migrations. Prevents unexpected downtime caused
by database migrations and encourages best practices around Postgres
schemas and SQL.</p></li>
<li><p><a href="https://github.com/tsqllint/tsqllint">tsqllint</a>
— T-SQL-specific linter.</p></li>
<li><p><a href="https://github.com/ashleyglee/TSqlRules">TSqlRules</a>
:warning: — TSQL Static Code Analysis Rules for SQL Server.</p></li>
<li><p><a href="https://www.visual-expert.com">Visual Expert</a>
:copyright: — Code analysis for PowerBuilder, Oracle, and SQL Server.
Explores, analyzes, and documents code.</p></li>
</ul>
<a name="scala" />
<h2>
Scala
</h2>
<ul>
<li><p><a href="https://github.com/HairyFotr/linter">linter</a>
:warning: — Linter is a Scala static analysis compiler plugin which adds
compile-time checks for various possible bugs, inefficiencies, and style
problems.</p></li>
<li><p><a href="http://www.scalastyle.org">Scalastyle</a> — Scalastyle
examines your Scala code and indicates potential problems with
it.</p></li>
<li><p><a href="https://github.com/sksamuel/scapegoat">scapegoat</a>
— Scala compiler plugin for static code analysis.</p></li>
<li><p><a href="https://www.wartremover.org">WartRemover</a> — A
flexible Scala code linting tool.</p></li>
</ul>
<a name="shell" />
<h2>
Shell
</h2>
<ul>
<li><p><a href="https://github.com/openstack/bashate">bashate</a> — Code
style enforcement for bash programs. The output format aims to follow
pycodestyle (pep8) default output format.</p></li>
<li><p><a href="https://github.com/lequal/i-CodeCNES">i-Code CNES for
Shell</a> — An open source static code analysis tool for Shell and
Fortran (77 and 90).</p></li>
<li><p><a href="https://github.com/ediardo/kmdr-cli">kmdr</a> — CLI tool
for learning commands from your terminal. kmdr delivers a break down of
commands with every attribute explained.</p></li>
<li><p><a href="https://pkg.go.dev/mvdan.cc/sh/v3">sh</a> — A shell
parser, formatter, and interpreter with bash support; includes
shfmt.</p></li>
<li><p><a href="https://www.shellcheck.net">shellcheck</a> — ShellCheck,
a static analysis tool that gives warnings and suggestions for bash/sh
shell scripts.</p></li>
<li><p><a href="https://github.com/anordal/shellharden">shellharden</a>
— A syntax highlighter and a tool to semi-automate the rewriting of
scripts to ShellCheck conformance, mainly focused on quoting.</p></li>
</ul>
<a name="swift" />
<h2>
Swift
</h2>
<ul>
<li><p><a
href="https://github.com/nicklockwood/SwiftFormat">SwiftFormat</a> — A
library and command-line formatting tool for reformatting Swift
code.</p></li>
<li><p><a href="https://realm.github.io/SwiftLint">SwiftLint</a> — A
tool to enforce Swift style and conventions.</p></li>
<li><p><a href="https://sleekbyte.github.io/tailor">Tailor</a> :warning:
— A static analysis and lint tool for source code written in Apple's
Swift programming language.</p></li>
</ul>
<a name="tcl" />
<h2>
Tcl
</h2>
<ul>
<li><p><a href="http://catless.ncl.ac.uk/Programs/Frink">Frink</a> — A
Tcl formatting and static check program (can prettify the program,
minimise, obfuscate or just sanity check it).</p></li>
<li><p><a href="https://sourceforge.net/projects/nagelfar">Nagelfar</a>
— A static syntax checker for Tcl.</p></li>
<li><p><a
href="https://github.com/ActiveState/tdk/blob/master/docs/3.0/TDK_3.0_Checker.txt">tclchecker</a>
— A static syntax analysis module (as part of <a
href="https://github.com/ActiveState/tdk">TDK</a>).</p></li>
</ul>
<a name="typescript" />
<h2>
TypeScript
</h2>
<ul>
<li><p><a
href="https://github.com/angular-eslint/angular-eslint#readme">Angular
ESLint</a> — Linter for Angular projects</p></li>
<li><p><a href="http://codelyzer.com">Codelyzer</a> :warning: — A set of
tslint rules for static code analysis of Angular 2 TypeScript
projects.</p></li>
<li><p><a href="https://github.com/xjtu-enre/ENRE-ts">ENRE-ts</a> — ENRE
(ENtity Relationship Extractor) is a tool for extraction of code entity
dependencies or relationships from source code. ENRE-ts is an ENtity
Relationship Extractor for ECMAScript and TypeScript based on <span
class="citation"
data-cites="babel/parser">@babel/parser</span>.</p></li>
<li><p><a href="https://ftaproject.dev/">fta</a> — Rust-based static
analysis for TypeScript projects</p></li>
<li><p><a href="https://stc.dudy.dev">stc</a> :warning: — Speedy
TypeScript type checker written in Rust</p></li>
<li><p><a href="https://palantir.github.io/tslint/">tslint</a> :warning:
— TSLint has been deprecated as of 2019. Please see <a
href="https://github.com/palantir/tslint/issues/4534">this issue</a> for
more details. <code>typescript-eslint</code> is now your best option for
linting TypeScript. TSLint is an extensible static analysis tool that
checks TypeScript code for readability, maintainability, and
functionality errors. It is widely supported across modern editors &amp;
build systems and can be customized with your own lint rules,
configurations, and formatters.</p></li>
<li><p><a
href="https://www.npmjs.com/package/tslint-clean-code">tslint-clean-code</a>
— A set of TSLint rules inspired by the Clean Code handbook.</p></li>
<li><p><a
href="https://github.com/Microsoft/tslint-microsoft-contrib">tslint-microsoft-contrib</a>
:warning: — A set of tslint rules for static code analysis of TypeScript
projects maintained by Microsoft.</p></li>
<li><p><a
href="https://github.com/whyboris/TypeScript-Call-Graph">TypeScript Call
Graph</a> — CLI to generate an interactive graph of functions and calls
from your TypeScript files</p></li>
<li><p><a
href="https://github.com/typescript-eslint/typescript-eslint">TypeScript
ESLint</a> — TypeScript language extension for eslint.</p></li>
<li><p><a href="https://zod.dev">zod</a> — TypeScript-first schema
validation with static type inference. The goal is to eliminate
duplicative type declarations. With Zod, you declare a validator once
and Zod will automatically infer the static TypeScript type. It is easy
to compose simpler types into complex data structures.</p></li>
</ul>
<a name="verilog" />
<h2>
Verilog/SystemVerilog
</h2>
<ul>
<li><p><a href="https://github.com/steveicarus/iverilog">Icarus
Verilog</a> — A Verilog simulation and synthesis tool that operates by
compiling source code written in IEEE-1364 Verilog into some target
format</p></li>
<li><p><a href="https://github.com/dalance/svls">svls</a> — A Language
Server Protocol implementation for Verilog and SystemVerilog, including
lint capabilities.</p></li>
<li><p><a
href="https://github.com/chipsalliance/verible-linter-action">verible-linter-action</a>
— Automatic SystemVerilog linting in GitHub Actions with the help of
Verible. Used to lint Verilog and SystemVerilog source files and comment
on erroneous lines of code in Pull Requests automatically.</p></li>
<li><p><a href="https://www.veripool.org/verilator">Verilator</a> — A
tool which converts Verilog to a cycle-accurate behavioral model in C++
or SystemC. Performs lint code-quality checks.</p></li>
<li><p><a
href="https://github.com/mshr-h/vscode-verilog-hdl-support">vscode-verilog-hdl-support</a>
— Verilog HDL/SystemVerilog/Bluespec SystemVerilog support for VS Code.
Provides syntax highlighting and Linting support from Icarus Verilog,
Vivado Logical Simulation, Modelsim and Verilator</p></li>
</ul>
<a name="vim-script" />
<h2>
Vim Script
</h2>
<ul>
<li><a href="https://github.com/Kuniwak/vint">vint</a> :warning: — Fast
and highly extensible Vim script language lint implemented in
Python.</li>
</ul>
<a name="wasm" />
<h2>
WebAssembly
</h2>
<ul>
<li><p><a href="https://rustwasm.github.io/twiggy">Twiggy</a> — Analyzes
a binary's call graph to profile code size. The goal is to slim down
wasm binary size.</p></li>
<li><p><a
href="https://github.com/g-plane/wasm-language-tools">wasm-language-tools</a>
— WebAssembly Language Tools aims to provide and improve the editing
experience of WebAssembly Text Format. It also provides an
out-of-the-box formatter (a.k.a. pretty printer) for WebAssembly Text
Format.</p></li>
</ul>
<h2 id="multiple-languages-1">Multiple languages</h2>
<ul>
<li><p><a href="https://github.com/w0rp/ale">ale</a> — Asynchronous Lint
Engine for Vim and NeoVim with support for many languages.</p></li>
<li><p><a href="https://developer.android.com/studio">Android Studio</a>
— Based on IntelliJ IDEA, and comes bundled with tools for Android
including Android Lint.</p></li>
<li><p><a
href="https://npo-echelon.ru/en/solutions/appchecker.php">AppChecker</a>
:copyright: — Static analysis for C/C++/C#, PHP and Java.</p></li>
<li><p><a
href="https://www.ptsecurity.com/ww-en/products/ai">Application
Inspector</a> :copyright: — Commercial Static Code Analysis which
generates exploits to verify vulnerabilities.</p></li>
<li><p><a
href="https://github.com/microsoft/ApplicationInspector">ApplicationInspector</a>
— Creates reports of over 400 rule patterns for feature detection
(e.g. the use of cryptography or version control in apps).</p></li>
<li><p><a href="https://www.archunit.org">ArchUnit</a> — Unit test your
Java or Kotlin architecture.</p></li>
<li><p><a href="https://ast-grep.github.io/">ast-grep</a> — ast-grep is
a powerful tool designed for managing code at scale using Abstract
Syntax Trees (AST). Think of it as a hybrid of grep, eslint, and
codemod, with the ability to search, lint, and rewrite code based on its
structure rather than plain text. It supports multiple languages and is
designed to be extensible, allowing you to register custom
languages.</p></li>
<li><p><a
href="https://atom.io/packages/atom-beautify">Atom-Beautify</a>
:warning: — Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C,
C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and
more in Atom editor.</p></li>
<li><p><a href="https://huacnlee.github.io/autocorrect">autocorrect</a>
— A linter and formatter to help you improve copywriting and correct
spaces, words, and punctuation between CJK (Chinese, Japanese,
Korean) text.</p></li>
<li><p><a
href="https://www.axivion.com/en/products-services-9#products_bauhaussuite">Axivion
Bauhaus Suite</a> :copyright: — Tracks down error-prone code locations,
style violations, cloned or dead code, cyclic dependencies and more for
C/C++, C#/.NET, Java and Ada 83/Ada 95.</p></li>
<li><p><a href="https://github.com/bearer/bearer">Bearer</a> —
Open-Source static code analysis tool to discover, filter and prioritize
security risks and vulnerabilities leading to sensitive data exposures
(PII, PHI, PD). Highly configurable and easily extensible, built for
security and engineering teams.</p></li>
<li><p><a href="https://bettercodehub.com">Better Code Hub</a>
:copyright: — Better Code Hub checks your GitHub codebase against 10
engineering guidelines devised by the authority in software quality,
Software Improvement Group.</p></li>
<li><p><a
href="https://github.com/tcosolutions/betterscan-ce">Betterscan CE</a> —
Checks your code and infra (various Git repositories supported, cloud
stacks, CLI, Web Interface platform, integrations available) for
security and quality issues. Code Scanning/SAST/Linting using many
tools/Scanners deduplicated with One Report (AI optional).</p></li>
<li><p><a href="https://biomejs.dev">biome</a> — A toolchain for web
projects, aimed to provide functionalities to maintain them. Biome
formats and lints code in a fraction of a second. It is the successor to
Rome. Biome is designed to eventually replace Babel, ESLint, webpack,
Prettier, Jest, and others.</p></li>
<li><p><a href="https://www.bugprove.com">BugProve</a> :copyright: —
BugProve is a firmware analysis platform featuring both static and
dynamic analysis techniques to discover memory corruptions, command
injections and other classes of common weaknesses in binary code. It
also detects vulnerable dependencies, weak cryptographic parameters,
misconfigurations, and more.</p></li>
<li><p><a href="https://github.com/koknat/callGraph">callGraph</a> —
Statically generates a call graph image and displays it on
screen.</p></li>
<li><p><a href="https://www.castsoftware.com/products/highlight">CAST
Highlight</a> :copyright: — Commercial Static Code Analysis which runs
locally, but uploads the results to its cloud for presentation.</p></li>
<li><p><a
href="https://www.checkmarx.com/products/static-application-security-testing">Checkmarx
CxSAST</a> :copyright: — Commercial Static Code Analysis which doesn't
require pre-compilation.</p></li>
<li><p><a href="https://github.com/classgraph/classgraph">ClassGraph</a>
— A classpath and module path scanner for querying or visualizing class
metadata or class relatedness.</p></li>
<li><p><a href="https://www.getclayton.com/">Clayton</a> :copyright: —
AI-powered code reviews for Salesforce. Secure your developments,
enforce best practice and control your technical debt in
real-time.</p></li>
<li><p><a href="https://github.com/coala/coala">coala</a> :warning: —
Language independent framework for creating code analysis - supports
over 60 languages by default.</p></li>
<li><p><a href="https://spinroot.com/cobra">Cobra</a> :copyright: —
Structural source code analyzer by NASA's Jet Propulsion
Laboratory.</p></li>
<li><p><a href="https://www.codacy.com">Codacy</a> :copyright: — Code
Analysis to ship Better Code, Faster.</p></li>
<li><p><a href="https://www.code-intelligence.com">Code Intelligence</a>
:copyright: — CI/CD-agnostic DevSecOps platform which combines
industry-leading fuzzing engines for finding bugs and visualizing code
coverage</p></li>
<li><p><a
href="https://www.codeac.io/?ref=awesome-static-analysis">Codeac</a>
:copyright: — Automated code review tool integrates with GitHub,
Bitbucket and GitLab (even self-hosted). Available for JavaScript,
TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source
free)</p></li>
<li><p><a href="https://groupon.github.io/codeburner">codeburner</a> —
Provides a unified interface to sort and act on the issues it
finds.</p></li>
<li><p><a
href="https://codechecker.readthedocs.io/en/latest">codechecker</a> — A
defect database and viewer extension for the Clang Static Analyzer with
web GUI.</p></li>
<li><p><a href="https://codefactor.io">CodeFactor</a> :copyright: —
Automated Code Analysis for repos on GitHub or BitBucket.</p></li>
<li><p><a href="https://www.getcodeflow.com">CodeFlow</a> :copyright: —
Automated code analysis tool to deal with technical debt. Integrates
with Bitbucket and Gitlab. (free for Open Source Projects)</p></li>
<li><p><a
href="https://submain.com/products/codeit.right.aspx">CodeIt.Right</a>
:copyright: — CodeIt.Right™ provides a fast, automated way to ensure
that your source code adheres to (your) predefined design and style
guidelines as well as best coding practices.</p></li>
<li><p><a href="https://codemodder.io/">Codemodder</a> — Codemodder is a
pluggable framework for building expressive codemods. Use Codemodder
when you need more than a linter or code formatting tool. Use it to fix
non-trivial security issues and other code quality problems.</p></li>
<li><p><a href="https://github.com/github/codeql">codeql</a> — Deep code
analysis - semantic queries and dataflow for several languages with
VSCode plugin support.</p></li>
<li><p><a href="https://codeque.co">CodeQue</a> — Ecosystem for
structural matching of JavaScript and TypeScript code. Offers a search
tool that understands code structure. Available as a CLI tool and Visual
Studio Code extension. It helps to search code faster and more
accurately, making your workflow more effective. Soon it will offer an
ESLint plugin to create your own rules in minutes to help with assuring
codebase quality.</p></li>
<li><p><a
href="https://www.devexpress.com/products/coderush">CodeRush</a>
:copyright: — Code creation, debugging, navigation, refactoring,
analysis and visualization tools that use the Roslyn engine in Visual
Studio 2015 and up.</p></li>
<li><p><a href="https://www.codescan.io/">CodeScan</a> :copyright: —
Code Quality and Security for Salesforce Developers. Made exclusively
for the Salesforce platform, CodeScan's code analysis solutions provide
you with total visibility into your code health.</p></li>
<li><p><a href="https://codescene.com">CodeScene</a> :copyright: —
CodeScene is a quality visualization tool for software. Prioritize
technical debt, detect delivery risks, and measure organizational
aspects. Fully automated.</p></li>
<li><p><a href="https://www.codesee.io/">CodeSee</a> :copyright: —
CodeSee is mapping and automating your app's services, directories, file
dependencies, and code changes. It's like Google Maps, but for
code.</p></li>
<li><p><a
href="https://codesecure.com/our-products/codesonar/">CodeSonar from
GrammaTech</a> :copyright: — Advanced, whole program, deep path, static
analysis of C, C++, Java and C# with easy-to-understand explanations and
code and path visualization.</p></li>
<li><p><a href="https://www.codety.io">Codety</a> :copyright: — Codety
Scanner is a comprehensive source code scanner that embeds 5000+ static
code analysis rules, which aim to detect code issues for 20+ programming
languages and IaC tools.</p></li>
<li><p><a href="https://www.codiga.io">Codiga</a> :copyright: —
Automated Code Reviews and Technical Debt management platform that
supports 12+ languages.</p></li>
<li><p><a href="https://corgea.com/">Corgea</a> :copyright: — Corgea is
an AI-powered SAST scanner that helps developers find and fix insecure
code. It finds business logic flaws, broken authentication, API
vulnerabilities, and more with few false positives. Additionally, it
automatically writes security fixes for developers to approve. Corgea
integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. It is free
to try.</p></li>
<li><p><a href="https://github.com/jameysharp/corrode">Corrode</a>
:warning: — Semi-automatic translation from C to Rust. Could reveal bugs
in the original implementation by showing Rust compiler warnings and
errors. Superseded by C2Rust.</p></li>
<li><p><a
href="https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html">Coverity</a>
:copyright: — Synopsys Coverity supports 20 languages and over 70
frameworks including Ruby on rails, Scala, PHP, Python, JavaScript,
TypeScript, Java, Fortran, C, C++, C#, VB.NET.</p></li>
<li><p><a
href="https://cpp-linter.github.io/cpp-linter-action/">cpp-linter-action</a>
— A Github Action for linting C/C++ code integrating clang-tidy and
clang-format to collect feedback provided in the form of thread comments
and/or annotations.</p></li>
<li><p><a href="https://github.com/xcatliu/cqc">cqc</a> :warning: —
Check your code quality for js, jsx, vue, css, less, scss, sass and styl
files.</p></li>
<li><p><a href="https://snyk.io/platform/deepcode-ai/">DeepCode</a>
:warning: :copyright: — DeepCode was acquired by Snyk and is now Snyk
Code.</p></li>
<li><p><a href="https://deepsource.com">DeepSource</a> :copyright: —
In-depth static analysis to find issues in verticals of bug risks,
security, anti-patterns, performance, documentation and style. Native
integrations with GitHub, GitLab and Bitbucket. Less than 5% false
positives.</p></li>
<li><p><a href="https://www.deleaker.com/">deleaker</a> :copyright: —
Deleaker is a memory leak detection tool for C++, .NET, and Delphi,
integrating with Visual Studio, Qt Creator, and RAD Studio or running as
a standalone application. It helps developers find and fix memory, GDI,
and handle leaks efficiently.</p></li>
<li><p><a
href="https://github.com/multilang-depends/depends">Depends</a> —
Analyses the comprehensive dependencies of code elements for Java,
C/C++, Ruby.</p></li>
<li><p><a href="https://derscanner.com/">DerScanner</a> :copyright: —
Multi-language Static Application Security Testing (SAST) platform that
detects critical vulnerabilities, including hardcoded secrets, weak
cryptography, backdoors, SQL injections, insecure configurations,
etc.</p></li>
<li><p><a href="https://github.com/microsoft/devskim">DevSkim</a> —
Regex-based static analysis tool for Visual Studio, VS Code, and Sublime
Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.</p></li>
<li><p><a href="https://github.com/dotnet/format">dotnet-format</a> — A
code formatter for .NET. Preferences will be read from an
<code>.editorconfig</code> file, if present, otherwise a default set of
preferences will be used. At this time dotnet-format is able to format
C# and Visual Basic projects with a subset of supported
<code>.editorconfig</code> options.</p></li>
<li><p><a href="https://embold.io">Embold</a> :copyright: — Intelligent
software analytics platform that identifies design issues, code issues,
duplication and metrics. Supports Java, C, C++, C#, JavaScript,
TypeScript, Python, Go, Kotlin and more.</p></li>
<li><p><a href="https://github.com/glato/emerge">emerge</a> — Emerge is
a source code and dependency visualizer that can be used to gather
insights about source code structure, metrics, dependencies and
complexity of software projects. After scanning the source code of a
project it provides you an interactive web interface to explore and
analyze your project by using graph structures.</p></li>
<li><p><a href="https://github.com/eslint/eslint">ESLint</a> — An
extensible linter for JS, following the ECMAScript standard.</p></li>
<li><p><a
href="https://kaleidawave.github.io/posts/introducing-ezno/">ezno</a> —
A JavaScript compiler and TypeScript checker written in Rust with a
focus on static analysis and runtime performance. Ezno's type checker is
built from scratch. The checker is fully compatible with TypeScript type
annotations and can work without any type annotations at all.</p></li>
<li><p><a href="https://find-sec-bugs.github.io">Find Security Bugs</a>
— The SpotBugs plugin for security audits of Java web applications and
Android applications. (Also works with Kotlin, Groovy and Scala
projects)</p></li>
<li><p><a
href="https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer">Fortify</a>
:copyright: — A commercial static analysis platform that supports the
scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex,
ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP,
MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby
(1.9.3), Swift, Scala, VB, and XML.</p></li>
<li><p><a
href="https://docs.freeplane.org/user-documentation/Code_Explorer.html">Freeplane
Code Explorer</a> — The Code Explorer mode in Freeplane is designed for
analyzing the structure and dependencies of code compiled to JVM class
files. It also allows displaying ArchUnit test results directly in
Freeplane, if Freeplane is running and ArchUnit detects rule violations
during the tests.</p></li>
<li><p><a href="https://sider.github.io/goodcheck">Goodcheck</a> —
Regexp based customizable linter.</p></li>
<li><p><a href="https://github.com/masibw/goone">goone</a> :warning: —
Finds N+1 queries (SQL calls in a for loop) in go code</p></li>
<li><p><a href="http://www.justanotherhacker.com">graudit</a> — Grep
rough audit - source code auditing tool.</p></li>
<li><p><a href="https://www.hcltechsw.com/products/appscan">HCL AppScan
Source</a> :copyright: — Commercial Static Code Analysis.</p></li>
<li><p><a href="https://github.com/cuplv/hopper">Hopper</a> :warning: —
A static analysis tool written in Scala for languages that run on the
JVM.</p></li>
<li><p><a href="https://houndci.com">Hound CI</a> :warning: — Comments
on style violations in GitHub pull requests. Supports Coffeescript, Go,
HAML, JavaScript, Ruby, SCSS and Swift.</p></li>
<li><p><a href="https://github.com/justinabrahms/imhotep">imhotep</a>
:warning: — Comment on commits coming into your repository and check for
syntactic errors and general lint warnings.</p></li>
<li><p><a
href="https://github.com/feddischson/include_gardener">include-gardener</a>
:warning: — A multi-language static analyzer for C/C++/Obj-C/Python/Ruby
to create a graph (in dot or graphml format) which shows all
<code>#include</code> relations of a given set of files.</p></li>
<li><p><a href="https://fbinfer.com">Infer</a> — A static analyzer for
Java, C and Objective-C</p></li>
<li><p><a href="https://keploy.io/">keploy</a> — Keploy is an
open-source testing platform that helps developers automate and
streamline their testing process. It provides API and integration
testing agents, generating tests and mocks/stubs for APIs that actually
work. Additionally, Keploy offers an AI-powered Unit Testing Agent that
generates stable, useful unit tests directly in your GitHub PRs and in
VSCode, helping catch errors and improve code quality.</p></li>
<li><p><a href="https://www.kiuwan.com/code-security-sast">Kiuwan</a>
:copyright: — Identify and remediate cyber threats in a blazingly fast,
collaborative environment, with seamless integration in your SDLC.
Python, C++, Java, C#, PHP and more.</p></li>
<li><p><a href="https://www.perforce.com/products/klocwork">Klocwork</a>
:copyright: — Quality and Security Static analysis for C/C++, Java and
C#.</p></li>
<li><p><a href="https://lgtm.com/">LGTM</a> :copyright: — Find security
vulnerabilities, variants, and critical code quality issues using CodeQL
queries over source code. Automatic PR code review; free for open
source. Formerly semmle. It supports public Git repositories hosted on
Bitbucket Cloud, GitHub.com, GitLab.com.</p></li>
<li><p><a href="https://github.com/terryyin/lizard">lizard</a> — Lizard
is an extensible Cyclomatic Complexity Analyzer for many programming
languages including C/C++ (doesn't require all the header files or Java
imports). It also does copy-paste detection (code clone detection/code
duplicate detection) and many other forms of static code analysis.
Counts lines of code without comments, CCN (cyclomatic complexity
number), token count of functions, parameter count of
functions.</p></li>
<li><p><a href="https://nvuillam.github.io/mega-linter/">Mega-Linter</a>
— Mega-Linter can handle any type of project thanks to its 70+ embedded
Linters, its advanced reporting, runnable on any CI system or locally,
with assisted installation and configuration, able to apply formatting
and fixes</p></li>
<li><p><a href="https://mobb.ai">Mobb</a> :copyright: — Mobb is a
trusted, automatic vulnerability fixer that secures applications,
reduces security backlogs, and frees developers to focus on innovation.
Mobb is free for open-source projects.</p></li>
<li><p><a href="https://mopsa.lip6.fr">MOPSA</a> — A static analyzer
designed to easily reuse abstract domains across widely different
languages (such as C and Python).</p></li>
<li><p><a href="http://oclint.org">oclint</a> — A static source code
analysis tool to improve quality and reduce defects for C, C++ and
Objective-C.</p></li>
<li><p><a href="https://offensive360.com/">Offensive 360</a> :copyright:
— Commercial Static Code Analysis system that doesn't require building
the source code or pre-compilation.</p></li>
<li><p><a href="https://docs.openrewrite.org/">OpenRewrite</a> —
OpenRewrite <a
href="https://docs.openrewrite.org/running-recipes/popular-recipe-guides/common-static-analysis-issue-remediation">fixes
common static analysis issues</a> reported through Sonar and other tools
using a Maven and Gradle plugin or the Moderne CLI.</p></li>
<li><p><a
href="https://github.com/sed-inf-u-szeged/OpenStaticAnalyzer">OpenStaticAnalyzer</a>
— OpenStaticAnalyzer is a source code analyzer tool, which can perform
deep static analysis of the source code of complex systems.</p></li>
<li><p><a href="https://github.com/web-infra-dev/oxc">oxc</a> — The
Oxidation Compiler is creating a suite of high-performance tools for the
JavaScript / TypeScript language re-written in Rust.</p></li>
<li><p><a href="https://www.parasoft.com/">parasoft</a> :copyright: —
Automated Software Testing Solutions for unit-, API-, and web UI
testing. Complies with MISRA, OWASP, and others.</p></li>
<li><p><a
href="https://github.com/facebookarchive/pfff/wiki/Main">pfff</a>
:warning: — Facebook's tools for code analysis, visualizations, or
style-preserving source transformation for many languages.</p></li>
<li><p><a href="https://pixee.ai">Pixee</a> :copyright: — Pixeebot finds
security and code quality issues in your code and creates merge-ready
pull requests with recommended fixes.</p></li>
<li><p><a href="https://pmd.github.io">PMD</a> — A source code analyzer
for Java, Salesforce Apex, Javascript, PLSQL, XML, XSL and
others.</p></li>
<li><p><a href="https://pre-commit.com">pre-commit</a> — A framework for
managing and maintaining multi-language pre-commit hooks.</p></li>
<li><p><a href="https://www.securesauce.dev/">Precaution</a> —
Precaution is a static analysis security tool (SAST) designed to find
potentially critical vulnerabilities in source code prior to production.
It is available as a CLI, GitHub Action, and GitHub App.</p></li>
<li><p><a href="https://prettier.io">Prettier</a> — An opinionated code
formatter.</p></li>
<li><p><a href="https://github.com/prontolabs/pronto">Pronto</a> — Quick
automated code review of your changes. Supports more than 40 runners for
various languages, including Clang, Elixir, JavaScript, PHP, Ruby and
more.</p></li>
<li><p><a href="https://github.com/PositiveTechnologies/PT.PM">PT.PM</a>
:warning: — An engine for searching patterns in the source code, based
on Unified AST or UST. At present, C#, Java, PHP, PL/SQL, T-SQL, and
JavaScript are supported. Patterns can be described within the code or
using a DSL.</p></li>
<li><p><a href="https://github.com/coderaiser/putout">Putout</a> —
Pluggable and configurable code transformer with built-in eslint and
babel plugin support for js, jsx, typescript, flow, markdown, yaml and
json.</p></li>
<li><p><a href="https://pvs-studio.com">PVS-Studio</a> :copyright: — A
(<a
href="https://pvs-studio.com/en/order/open-source-license">conditionally
free</a> for FOSS and individual developers) static analysis of C, C++,
C# and Java code. For advertising purposes <a
href="https://github.com/viva64/pvs-studio-check-list">you can propose a
large FOSS project for analysis by PVS employees</a>. Supports CWE
mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding
standards.</p></li>
<li><p><a href="https://klen.github.io/pylama/">pylama</a> — Code audit
tool for Python and JavaScript. Wraps pycodestyle, pydocstyle, PyFlakes,
Mccabe, Pylint, and more</p></li>
<li><p><a href="https://qwiet.ai/">Qwiet AI</a> :copyright: — Identify
vulnerabilities that are unique to your code base before they reach
production. Leverages the Code Property Graph (CPG) to run its analyses
concurrently in a single graph of graphs. Automatically finds business
logic flaws in dev like hardcoded secrets and logic bombs</p></li>
<li><p><a
href="https://marketplace.visualstudio.com/items?itemName=SharpDevelopTeam.RefactoringEssentialsforVisualStudio">Refactoring
Essentials</a> — The free Visual Studio 2015 extension for C# and VB.NET
refactorings, including code best practice analyzers.</p></li>
<li><p><a href="https://github.com/codingjoe/relint">relint</a> — A
static file linter that allows you to write custom rules using regular
expressions (RegEx).</p></li>
<li><p><a href="https://www.jetbrains.com/resharper">ReSharper</a>
:copyright: — Extends Visual Studio with on-the-fly code inspections for
C#, VB.NET, ASP.NET, JavaScript, TypeScript and other
technologies.</p></li>
<li><p><a href="https://www.ripstech.com">RIPS</a> :copyright: — A
static source code analyser for vulnerabilities in PHP scripts.</p></li>
<li><p><a href="https://github.com/dotnet/roslyn-analyzers">Roslyn
Analyzers</a> — Roslyn-based implementation of FxCop analyzers.</p></li>
<li><p><a href="https://security-code-scan.github.io">Roslyn Security
Guard</a> — Project that focuses on the identification of potential
vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF,
cryptography weaknesses, hardcoded passwords and many more.</p></li>
<li><p><a href="https://safeql.dev">SafeQL</a> — Validate and
auto-generate TypeScript types from raw SQL queries in PostgreSQL.
SafeQL is an ESLint plugin for writing SQL queries in a type-safe
way.</p></li>
<li><p><a href="https://sast.online/">SAST Online</a> :copyright: —
Check the Android Source code thoroughly to uncover and address
potential security concerns and vulnerabilities. Static application
security testing (Static Code Analysis) tool Online</p></li>
<li><p><a href="https://scrutinizer-ci.com">Scrutinizer</a> :copyright:
— A proprietary code quality checker that can be integrated with
GitHub.</p></li>
<li><p><a href="https://security-code-scan.github.io">Security Code
Scan</a> — Security code analyzer for C# and VB.NET. Detects various
security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect,
etc. Integrates into Visual Studio 2015 and newer.</p></li>
<li><p><a href="https://semgrep.dev">Semgrep</a> — A fast, open-source,
static analysis tool for finding bugs and enforcing code standards at
editor, commit, and CI time. Its rules look like the code you already
write; no abstract syntax trees or regex wrestling. Supports 17+
languages.</p></li>
<li><p><a
href="https://semgrep.dev/products/semgrep-supply-chain">Semgrep Supply
Chain</a> :copyright: — Quickly find and remediate high-priority
security issues. Semgrep Supply Chain prioritizes the 2% of
vulnerabilities that are reachable from your code.</p></li>
<li><p><a
href="https://github.com/ShiftLeftSecurity/sast-scan">ShiftLeft Scan</a>
— Scan is a free open-source DevSecOps platform for detecting security
issues in source code and dependencies. It supports a broad range of
languages and CI/CD pipelines.</p></li>
<li><p><a href="https://github.com/google/shipshape">shipshape</a>
:warning: — Static program analysis platform that allows custom
analyzers to plug in through a common interface.</p></li>
<li><p><a
href="https://www.softwareimprovementgroup.com/solutions/sigrid-software-assurance-platform/">Sigrid</a>
:copyright: — Sigrid helps you to improve your software by measuring
your system's code quality, and then compares the results against a
benchmark of thousands of industry systems to give you concrete advice
on areas where you can improve.</p></li>
<li><p><a
href="https://dickgrune.com/Programs/similarity_tester/">Similarity
Tester</a> — A tool that finds similarities between or within files to
help you spot DRY principle violations.</p></li>
<li><p><a href="https://snyk.io">Snyk Code</a> :copyright: — Snyk Code
finds security vulnerabilities based on AI. Its speed of analysis allows
us to analyse your code in real time and deliver results when you hit
the save button in your IDE. Supported languages are Java, JavaScript,
Python, PHP, C#, Go and TypeScript. Integrations with GitHub, BitBucket
and Gitlab. It is free to try and part of the Snyk platform also
covering SCA, containers and IaC.</p></li>
<li><p><a href="https://sonarcloud.io">SonarQube Cloud</a> :copyright: —
SonarQube Cloud enables your team to deliver clean code consistently and
efficiently with a code review tool that easily integrates into the
cloud DevOps platforms and extends your CI/CD workflow. SonarQube Cloud
provides a free plan.</p></li>
<li><p><a href="https://sonarlint.org">SonarQube for IDE</a> — SonarQube
for IDE (formerly SonarLint) is a free IDE extension available for
IntelliJ, VS Code, Visual Studio, and Eclipse, to find and fix coding
issues in real-time, flagging issues as you code, just like a
spell-checker. More than a linter, it also delivers rich contextual
guidance to help developers understand why there is an issue, assess the
risk, and educate them on how to fix it.</p></li>
<li><p><a href="https://sonarqube.org">SonarQube Server</a> — SonarQube
empowers development teams with a code quality and security solution
that deeply integrates into your enterprise environment, enabling you to
deploy clean code consistently and reliably. SonarQube provides a free
and open source Community Build.</p></li>
<li><p><a href="https://www.sonatype.com">Sonatype</a> :copyright: —
Reports known vulnerabilities in common dependencies and recommends
updated packages to minimize breaking changes.</p></li>
<li><p><a href="https://www.hello2morrow.com/products/sotograph">Soto
Platform</a> :copyright: — Suite of static analysis tools consisting of
the three components Sotoarc (Architecture Analysis), Sotograph (Quality
Analysis), and Sotoreport (Quality report). Helps find differences
between architecture and implementation, interface violations
(e.g. external access of private parts of subsystems), detection of all
classes, files, packages and subsystems which are strongly coupled by
cyclical relationships, and more. The Sotograph product family runs on
Windows and Linux.</p></li>
<li><p><a href="https://www.sourcemeter.com/">SourceMeter</a>
:copyright: — Static Code Analysis for C/C++, Java, C#, Python, and RPG
III and RPG IV versions (including free-form).</p></li>
<li><p><a href="https://github.com/houqp/sqlvet">sqlvet</a> — Performs
static analysis on raw SQL queries in your Go code base to surface
potential runtime errors. It checks for SQL syntax errors, identifies
unsafe queries that could potentially lead to SQL injection, makes sure
the column count matches the value count in INSERT statements, and
validates table and column names.</p></li>
<li><p><a
href="https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633/Static+Reviewer">StaticReviewer</a>
:copyright: — Static Reviewer executes code checks according to the most
relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT,
for 40+ programming languages, using 1000+ built-in validation rules for
Security, Deadcode &amp; Best Practices. A Software Composition Analysis
(SCA) module is available to find vulnerabilities in open source and
third party libraries.</p></li>
<li><p><a href="https://github.com/github/super-linter">Super-Linter</a>
— Combination of multiple linters to install as a GitHub
Action.</p></li>
<li><p><a href="https://www.ispras.ru/en/technologies/svace/">Svace</a>
:copyright: — Static code analysis tool for Java, C, C++, C#, and Go.</p></li>
<li><p><a
href="https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html">Synopsys</a>
:copyright: — A commercial static analysis platform that allows for
scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP,
Python, Node.JS, Ruby, Fortran, and Swift).</p></li>
<li><p><a
href="https://www.cqse.eu/en/teamscale/overview/">Teamscale</a>
:copyright: — Static and dynamic analysis tool supporting more than 25
languages and direct IDE integration. Free hosting for Open Source
projects available on request. Free academic licenses
available.</p></li>
<li><p><a href="https://tca.tencent.com/">TencentCodeAnalysis</a>
Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside
the company early) is a comprehensive platform for code analysis and
issue tracking. TCA consists of three components: server, web, and
client. It integrates a number of self-developed tools and also supports
dynamic integration of code analysis tools in various programming
languages.</p></li>
<li><p><a
href="https://github.com/deepfence/ThreatMapper">ThreatMapper</a>
Vulnerability Scanner and Risk Evaluation for containers, serverless and
hosts at runtime. ThreatMapper generates runtime BOMs from dependencies
and operating system packages, matches against multiple threat feeds,
scans for unprotected secrets, and scores issues based on severity and
risk-of-exploit.</p></li>
<li><p><a
href="https://github.com/preslavmihaylov/todocheck">todocheck</a>
Linter for integrating annotated TODOs with your issue trackers.</p></li>
<li><p><a href="https://github.com/aquasecurity/trivy">trivy</a> — A
Simple and Comprehensive Vulnerability Scanner for Containers and other
Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages
(Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler,
Composer, npm, yarn, etc.). Checks containers and filesystems.</p></li>
<li><p><a href="https://trunk.io">trunk</a> :copyright: — Modern
repositories include many technologies, each with its own set of
linters. With 30+ linters and counting, Trunk makes it dead-simple to
identify, install, configure, and run the right linters, static
analyzers, and formatters for all your repos.</p></li>
<li><p><a href="https://github.com/Tencent/TscanCode">TscanCode</a> — A
fast and accurate static analysis solution for C/C++, C#, and Lua code,
provided by Tencent. Licensed under GPLv3.</p></li>
<li><p><a href="https://github.com/Yelp/undebt">Undebt</a>
Language-independent tool for massive, automatic, programmable
refactoring based on simple pattern definitions.</p></li>
<li><p><a href="https://www.scitools.com">Understand</a> :copyright: —
Code visualization tool that provides code analysis, standards testing,
metrics, graphing, dependency analysis and more for Ada, VHDL, and
others.</p></li>
<li><p><a href="https://unibeautify.com">Unibeautify</a> — Universal
code beautifier with a GitHub app. Supports HTML, CSS, JavaScript,
TypeScript, JSX, Vue, C++, Go, Objective-C, Java, Python, PHP, GraphQL,
Markdown, and more.</p></li>
<li><p><a href="https://www.jetbrains.com/upsource">Upsource</a>
:copyright: — Code review tool with static code analysis and code-aware
navigation for Java, PHP, JavaScript and Kotlin.</p></li>
<li><p><a
href="https://www.veracode.com/security/static-code-analysis">Veracode</a>
:copyright: — Find flaws in binaries and bytecode without requiring
source. Support all major programming languages: Java, .NET, JavaScript,
Swift, Objective-C, C, C++ and more.</p></li>
<li><p><a href="https://github.com/wala/WALA">WALA</a> — Static analysis
capabilities for Java bytecode and related languages and for
JavaScript.</p></li>
<li><p><a href="https://github.com/googleprojectzero/weggli">weggli</a>
— A fast and robust semantic search tool for C and C++ codebases. It is
designed to help security researchers identify interesting functionality
in large codebases.</p></li>
<li><p><a
href="https://source.whitehatsec.com/help/sentinel/sast-service-detail.html">WhiteHat
Application Security Platform</a> :copyright: — WhiteHat Scout (for
Developers) combined with WhiteHat Sentinel Source (for Operations)
supporting WhiteHat Top 40 and OWASP Top 10.</p></li>
<li><p><a href="https://github.com/fimbullinter/wotan">Wotan</a>
:warning: — Pluggable TypeScript and JavaScript linter.</p></li>
<li><p><a href="https://developer.apple.com/xcode">XCode</a> :copyright:
— XCode provides a pretty decent UI for <a
href="https://clang-analyzer.llvm.org/xcode.html">Clang's</a> static
code analyzer (C/C++, Obj-C).</p></li>
</ul>
<h2 id="other-1">Other</h2>
<a name="dotenv" />
<h2>
.env
</h2>
<ul>
<li><a href="https://www.gitguardian.com/ggshield">GitGuardian
ggshield</a> — ggshield is a CLI application that runs in your local
environment or in a CI environment to help you detect more than 350
types of secrets, as well as other potential security vulnerabilities or
policy breaks affecting your codebase.</li>
</ul>
<a name="ansible" />
<h2>
Ansible
</h2>
<ul>
<li><p><a href="https://kics.io/">kics</a> — Find security
vulnerabilities, compliance issues, and infrastructure misconfigurations
in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker,
AWS CloudFormation and Ansible.</p></li>
<li><p><a href="https://steampunk.si/spotter/">Steampunk Spotter</a>
:copyright: — Ansible Playbook Scanning Tool that analyzes and offers
recommendations for your playbooks.</p></li>
</ul>
<a name="archive" />
<h2>
Archive
</h2>
<ul>
<li><p><a href="https://github.com/ferivoz/alquitran">alquitran</a>
Inspects tar archives and tries to spot portability issues in regard to
POSIX 2017 pax specification and common tar implementations. This
project is intended to be used by maintainers of projects who want to
offer portable source code archives for as many systems as possible.
Checking tar archives with alquitran before publishing them should help
spotting issues before they reach distributors and users.</p></li>
<li><p><a href="https://github.com/ossillate-inc/packj">packj</a>
:warning: — Packj (pronounced package) is a command line (CLI) tool to
vet open-source software packages for “risky” attributes that make them
vulnerable to supply chain attacks. This is the tool behind our
large-scale security analysis platform Packj.dev that continuously vets
packages and provides free reports.</p></li>
<li><p><a href="https://github.com/ronomon/pure">pure</a> :warning: —
Pure is a static analysis file format checker that checks ZIP files for
dangerous compression ratios, spec deviations, malicious archive
signatures, mismatching local and central directory headers, ambiguous
UTF-8 filenames, directory and symlink traversals, invalid MS-DOS dates,
overlapping headers, overflow, underflow, sparseness, accidental buffer
bleeds etc.</p></li>
</ul>
<a name="arm" />
<h2>
Azure Resource Manager
</h2>
<ul>
<li><a href="https://azsk.azurewebsites.net/">AzSK</a> — Secure DevOps
kit for Azure (AzSK) provides security IntelliSense, Security
Verification Tests (SVTs), and CI/CD scanning for vulnerabilities,
compliance issues, and infrastructure misconfiguration in your
infrastructure-as-code.
Supports Azure via ARM.</li>
</ul>
<a name="binary" />
<h2>
Binaries
</h2>
<ul>
<li><p><a href="https://github.com/angr/angr">angr</a> — Binary code
analysis tool that also supports symbolic execution.</p></li>
<li><p><a href="https://github.com/quarkslab/binbloom">binbloom</a>
Analyzes a raw binary firmware and determines features like endianness
or the loading address. The tool is compatible with all architectures.
Loading address: binbloom can parse a raw binary firmware and determine
its loading address. Endianness: binbloom can use heuristics to
determine the endianness of a firmware. UDS Database: binbloom can parse
a raw binary firmware and check if it contains an array containing UDS
command IDs.</p></li>
<li><p><a href="https://github.com/Microsoft/binskim">BinSkim</a> — A
binary static analysis tool that provides security and correctness
results for Windows portable executables.</p></li>
<li><p><a href="https://www.blackducksoftware.com">Black Duck</a>
:copyright: — Tool to analyze source code and binaries for reusable
code, necessary licenses and potential security aspects.</p></li>
<li><p><a href="https://github.com/google/bloaty">bloaty</a> — Ever
wondered what's making your binary big? Bloaty McBloatface will show you
a size profile of the binary so you can understand what's taking up
space inside. Bloaty performs a deep analysis of the binary. Using
custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately
attribute every byte of the binary to the symbol or compile unit that
produced it. It will even disassemble the binary looking for references
to anonymous data.</p></li>
<li><p><a
href="https://github.com/RazrFalcon/cargo-bloat">cargo-bloat</a>
:warning: — Find out what takes most of the space in your executable.
Supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows)
binaries.</p></li>
<li><p><a href="https://github.com/fkie-cad/cwe_checker">cwe_checker</a>
— cwe_checker finds vulnerable patterns in binary executables.</p></li>
<li><p><a href="https://ghidra-sre.org">Ghidra</a> — A software reverse
engineering (SRE) suite of tools developed by NSA's Research Directorate
in support of the Cybersecurity mission.</p></li>
<li><p><a href="https://www.hopperapp.com/">Hopper</a> :copyright: —
macOS and Linux reverse engineering tool that lets you disassemble,
decompile and debug applications. Hopper displays the code using
different representations, e.g. the Control Flow Graph, and the
pseudo-code of a procedure. Supports Apple Silicon.</p></li>
<li><p><a
href="https://www.hex-rays.com/products/ida/support/download_freeware">IDA
Free</a> :copyright: — Binary code analysis tool.</p></li>
<li><p><a href="https://github.com/jkinder/jakstab">Jakstab</a>
Jakstab is an Abstract Interpretation-based, integrated disassembly and
static analysis framework for designing analyses on executables and
recovering reliable control flow graphs.</p></li>
<li><p><a href="https://www.pnfsoftware.com/">JEB Decompiler</a>
:copyright: — Decompile and debug binary code. Break down and analyze
document files. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly
&amp; Ethereum Decompilers.</p></li>
<li><p><a href="https://ktool.cynder.me/en/latest/ktool.html">ktool</a>
— Fully cross-platform toolkit and library for MachO+Obj-C
editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping,
and much more.</p></li>
<li><p><a href="https://github.com/JusticeRage/Manalyze">Manalyze</a>
:warning: — A static analyzer, which checks portable executables for
malicious content.</p></li>
<li><p><a href="https://github.com/lifting-bits/mcsema">mcsema</a>
:warning: — Framework for lifting x86, amd64, aarch64, sparc32, and
sparc64 program binaries to LLVM bitcode. It translates (“lifts”)
executable binaries from native machine code to LLVM bitcode, which is
very useful for performing program analysis methods.</p></li>
<li><p><a href="https://github.com/horsicq/Nauz-File-Detector">Nauz File
Detector</a> — Static Linker/Compiler/Tool detector for Windows, Linux
and MacOS.</p></li>
<li><p><a href="https://github.com/Shnatsel/rust-audit">rust-audit</a>
Audit Rust binaries for known bugs or security vulnerabilities. This
works by embedding data about the dependency tree (Cargo.lock) in JSON
format into a dedicated linker section of the compiled
executable.</p></li>
<li><p><a href="https://rustwasm.github.io/twiggy">Twiggy</a> — Analyzes
a binary's call graph to profile code size. The goal is to slim down
wasm binary size.</p></li>
<li><p><a href="https://github.com/vmware/chap">VMware chap</a> — chap
analyzes un-instrumented ELF core files for leaks, memory growth, and
corruption. It is sufficiently reliable that it can be used in
automation to catch leaks before they are committed. As an interactive
tool, it helps explain memory growth, can identify some forms of
corruption, and supplements a debugger by giving the status of various
memory locations.</p></li>
<li><p><a href="https://zydis.re">zydis</a> — Fast and lightweight
x86/x86-64 disassembler library.</p></li>
</ul>
<a name="buildtool" />
<h2>
Build tools
</h2>
<ul>
<li><p><a href="https://github.com/mrtazz/checkmake">checkmake</a>
Linter / Analyzer for Makefiles.</p></li>
<li><p><a
href="https://www.freebsd.org/cgi/man.cgi?query=portlint&amp;sektion=1&amp;manpath=FreeBSD+8.1-RELEASE+and+Ports">portlint</a>
— A verifier for FreeBSD and DragonFlyBSD port directories.</p></li>
</ul>
<a name="css" />
<h2>
CSS/SASS/SCSS
</h2>
<ul>
<li><p><a href="https://cssstats.com">CSS Stats</a> — Potentially
interesting stats on stylesheets.</p></li>
<li><p><a href="https://github.com/csscomb/csscomb.js">CSScomb</a> — A
coding style formatter for CSS. Supports own configurations to make
style sheets beautiful and consistent.</p></li>
<li><p><a href="http://csslint.net">CSSLint</a> — Does basic syntax
checking and finds problematic patterns or signs of
inefficiency.</p></li>
<li><p><a href="https://graphmycss.com">GraphMyCSS.com</a> — CSS
Specificity Graph Generator.</p></li>
<li><p><a href="https://validator.github.io/validator/">Nu Html
Checker</a> — Helps you catch problems in your HTML/CSS/SVG.</p></li>
<li><p><a href="https://github.com/katiefenn/parker">Parker</a>
:warning: — Stylesheet analysis tool.</p></li>
<li><p><a href="https://postcss.org">PostCSS</a> — A tool for
transforming styles with JS plugins. These plugins can lint your CSS,
support variables and mixins, transpile future CSS syntax, inline
images, and more.</p></li>
<li><p><a href="https://www.projectwallace.com">Project Wallace CSS
Analyzer</a> — Analytics for CSS, part of <a
href="https://www.projectwallace.com">Project Wallace</a>.</p></li>
<li><p><a href="https://github.com/sasstools/sass-lint">sass-lint</a>
:warning: — A Node-only Sass linter for both sass and scss
syntax.</p></li>
<li><p><a href="https://github.com/brigade/scss-lint">scsslint</a>
:warning: — Linter for SCSS files.</p></li>
<li><p><a
href="https://jonassebastianohlsson.com/specificity-graph">Specificity
Graph</a> — CSS Specificity Graph Generator.</p></li>
<li><p><a href="http://stylelint.io">Stylelint</a> — Linter for SCSS/CSS
files.</p></li>
</ul>
<a name="configfile" />
<h2>
Config Files
</h2>
<ul>
<li><p><a
href="https://dotenv-linter.readthedocs.io/en/latest">dotenv-linter</a>
— Linting dotenv files like a charm.</p></li>
<li><p><a href="https://dotenv-linter.github.io/#/">dotenv-linter
(Rust)</a> — Lightning-fast linter for .env files. Written in
Rust.</p></li>
<li><p><a href="https://github.com/yandex/gixy">gixy</a> — A tool to
analyze Nginx configuration. The main goal is to prevent
misconfiguration and automate flaw detection.</p></li>
</ul>
<a name="configmanagement" />
<h2>
Configuration Management
</h2>
<ul>
<li><p><a href="https://docs.ansible.com/ansible-lint">ansible-lint</a>
— Checks playbooks for practices and behaviour that could potentially be
improved.</p></li>
<li><p><a
href="https://github.com/aws-cloudformation/cloudformation-guard">AWS
CloudFormation Guard</a> — Check local CloudFormation templates against
policy-as-code rules and generate rules from existing
templates.</p></li>
<li><p><a href="https://azsk.azurewebsites.net/">AzSK</a> — Secure
DevOps kit for Azure (AzSK) provides security IntelliSense, Security
Verification Tests (SVTs), and CI/CD scanning for vulnerabilities,
compliance issues, and infrastructure misconfiguration in your
infrastructure-as-code.
Supports Azure via ARM.</p></li>
<li><p><a href="https://github.com/awslabs/cfn-python-lint">cfn-lint</a>
— AWS Labs CloudFormation linter.</p></li>
<li><p><a href="https://github.com/stelligent/cfn_nag">cfn_nag</a> — A
linter for AWS CloudFormation templates.</p></li>
<li><p><a href="https://www.checkov.io">checkov</a> — Static analysis
tool for Terraform files (tf&gt;=v0.12), preventing cloud misconfigs at
build time.</p></li>
<li><p><a href="https://docs.chef.io/cookstyle.html">cookstyle</a>
Cookstyle is a linting tool based on the RuboCop Ruby linting tool for
Chef cookbooks.</p></li>
<li><p><a href="http://www.foodcritic.io">foodcritic</a> — A lint tool
that checks Chef cookbooks for common problems.</p></li>
<li><p><a href="https://kics.io/">kics</a> — Find security
vulnerabilities, compliance issues, and infrastructure misconfigurations
in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker,
AWS CloudFormation and Ansible.</p></li>
<li><p><a
href="https://github.com/voxpupuli/metadata-json-lint">metadata-json-lint</a>
— Tool to check the validity of Puppet metadata.json files.</p></li>
<li><p><a href="https://github.com/rodjek/puppet-lint">Puppet Lint</a>
:warning: — Check that your Puppet manifests conform to the style
guide.</p></li>
<li><p><a href="https://steampunk.si/spotter/">Steampunk Spotter</a>
:copyright: — Ansible Playbook Scanning Tool that analyzes and offers
recommendations for your playbooks.</p></li>
<li><p><a
href="https://terraform-compliance.com">terraform-compliance</a> — A
lightweight, compliance- and security focused, BDD test framework
against Terraform.</p></li>
<li><p><a
href="https://github.com/cesar-rodriguez/terrascan">terrascan</a>
Collection of security and best practice tests for static code analysis
of Terraform templates.</p></li>
<li><p><a href="https://github.com/wata727/tflint">tflint</a> — A
Terraform linter for detecting errors that can not be detected by
<code>terraform plan</code>.</p></li>
<li><p><a href="https://github.com/tfsec/tfsec">tfsec</a> — Terraform
static analysis tool that prevents potential security issues by checking
cloud misconfigurations at build time and directly integrates with the
HCL parser for better results. Checks for violations of AWS, Azure and
GCP security best practice recommendations.</p></li>
</ul>
<a name="container" />
<h2>
Containers
</h2>
<ul>
<li><p><a href="https://anchore.io">anchore</a> — Discover, analyze, and
certify container images. A service that analyzes Docker images and
applies user-defined acceptance policies to allow automated container
image validation and certification.</p></li>
<li><p><a href="https://github.com/coreos/clair">clair</a>
Vulnerability Static Analysis for Containers.</p></li>
<li><p><a href="https://github.com/banyanops/collector">collector</a>
:warning: — Run arbitrary scripts inside containers, and gather useful
information.</p></li>
<li><p><a href="https://github.com/eliasgranderubio/dagda">dagda</a>
:warning: — Perform static analysis of known vulnerabilities in docker
images/containers.</p></li>
<li><p><a
href="https://github.com/garethr/docker-label-inspector">Docker Label
Inspector</a> :warning: — Lint and validate Dockerfile labels.</p></li>
<li><p><a href="https://www.gitguardian.com/ggshield">GitGuardian
ggshield</a> — ggshield is a CLI application that runs in your local
environment or in a CI environment to help you detect more than 350
types of secrets, as well as other potential security vulnerabilities or
policy breaks affecting your codebase.</p></li>
<li><p><a href="https://github.com/lukasmartinelli/hadolint">Haskell
Dockerfile Linter</a> — A smarter Dockerfile linter that helps you build
best practice Docker images.</p></li>
<li><p><a href="https://kics.io/">kics</a> — Find security
vulnerabilities, compliance issues, and infrastructure misconfigurations
in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker,
AWS CloudFormation and Ansible.</p></li>
<li><p><a href="https://github.com/appvia/krane">krane</a> — Krane is a
simple Kubernetes RBAC static analysis tool. It identifies potential
security risks in K8s RBAC design and makes suggestions on how to
mitigate them. Krane dashboard presents current RBAC security posture
and lets you navigate through its definition.</p></li>
<li><p><a href="https://www.open-scap.org/">OpenSCAP</a> — Suite of
automated audit tools to examine the configuration and known
vulnerabilities following the NIST-certified Security Content Automation
Protocol (SCAP).</p></li>
<li><p><a href="https://www.qualys.com/apps/container-security">Qualys
Container Security</a> :copyright: — Container native application
protection to provide visibility and control of containerized
applications.</p></li>
<li><p><a href="https://sysdig.com/">sysdig</a> :copyright: — A secure
DevOps platform for cloud and container forensics. Built on an open
source stack, Sysdig provides Docker image scanning and created Falco,
the open standard for runtime threat detection for containers,
Kubernetes and cloud.</p></li>
<li><p><a href="https://vuls.io/">Vuls</a> — Agent-less Linux
vulnerability scanner based on information from NVD, OVAL, etc. It has
some container image support, although it is not a container-specific
tool.</p></li>
</ul>
<a name="ci" />
<h2>
Continuous Integration
</h2>
<ul>
<li><p><a href="https://rhysd.github.io/actionlint">actionlint</a>
Static checker for GitHub Actions workflow files. Provides an online
version.</p></li>
<li><p><a href="https://azsk.azurewebsites.net/">AzSK</a> — Secure
DevOps kit for Azure (AzSK) provides security IntelliSense, Security
Verification Tests (SVTs), and CI/CD scanning for vulnerabilities,
compliance issues, and infrastructure misconfiguration in your
infrastructure-as-code.
Supports Azure via ARM.</p></li>
<li><p><a href="https://codeclimate.com">Code Climate</a> — The open and
extensible static analysis platform, for everyone.</p></li>
<li><p><a href="https://about.codecov.io/">Codecov</a> :copyright: —
Codecov is a company that provides code coverage tools for developers
and engineering leaders to gain visibility into their code coverage.
They offer flexible and unified reporting, seamless coverage insights,
and robust coverage controls. Codecov supports over 20 languages and is
CI/CD agnostic. Over 29,000 organizations and 1 million developers use
Codecov. Codecov has recently joined Sentry.</p></li>
<li><p><a href="https://coderabbit.ai">CodeRabbit</a> :copyright: —
AI-powered code review tool that helps developers write better code
faster. CodeRabbit provides automated code reviews, identifies security
vulnerabilities, and suggests code improvements. It integrates with
GitHub and GitLab.</p></li>
<li><p><a
href="https://github.com/shipmonk-rnd/composer-dependency-analyser">composer-dependency-analyser</a>
— Fast detection of composer dependency issues.</p>
<ul>
<li>💪 Powerful: Detects unused, shadow and misplaced composer
dependencies</li>
<li>⚡ Performant: Scans 15 000 files in 2s!</li>
<li>⚙️ Configurable: Fine-grained ignores via PHP config</li>
<li>🕸️ Lightweight: No composer dependencies</li>
<li>🍰 Easy-to-use: No config needed for first try</li>
<li>✨ Compatible: PHP &gt;= 7.2</li>
</ul></li>
<li><p><a href="https://www.diffblue.com/">Diffblue</a> :copyright: —
Diffblue is a software company that provides AI-powered code analysis
and testing solutions for software development teams. Its technology
helps developers automate testing, find bugs, and reduce manual labor in
their software development processes. The company's main product,
Diffblue Cover, uses AI to generate and run unit tests for Java code,
helping to catch errors and improve code quality.</p></li>
<li><p><a href="https://www.exakat.io">exakat</a> — An automated code
reviewing engine for PHP.</p></li>
<li><p><a href="https://www.gitguardian.com/ggshield">GitGuardian
ggshield</a> — ggshield is a CLI application that runs in your local
environment or in a CI environment to help you detect more than 350
types of secrets, as well as other potential security vulnerabilities or
policy breaks affecting your codebase.</p></li>
<li><p><a href="https://goblint.in.tum.de">Goblint</a> — A static
analyzer for the analysis of multi-threaded C programs. Its primary
focus is the detection of data races, but it also reports other runtime
errors, such as buffer overflows and null-pointer dereferences.</p></li>
<li><p><a href="https://www.pullrequest.com">PullRequest</a> :copyright:
— Code review as a service with built-in static analysis. Increase
velocity and reduce technical debt through quality code review by expert
engineers backed by best-in-class automation.</p></li>
<li><p><a href="https://github.com/apiology/quality">quality</a>
:warning: — Runs quality checks on your code using community tools, and
makes sure your numbers don't get any worse over time.</p></li>
<li><p><a
href="https://github.com/quantifiedcode/quantifiedcode">QuantifiedCode</a>
:warning: — Automated code review &amp; repair. It helps you to keep
track of issues and metrics in your software projects, and can be easily
extended to support new types of analyses.</p></li>
<li><p><a
href="https://github.com/jimbethancourt/RefactorFirst">RefactorFirst</a>
— Identifies and prioritizes God Classes and Highly Coupled classes in
Java codebases you should refactor first.</p></li>
<li><p><a href="https://github.com/haya14busa/reviewdog">Reviewdog</a>
A tool for posting review comments from any linter in any code hosting
service.</p></li>
<li><p><a href="https://insight.symfony.com/">Symfony Insight</a>
:copyright: — Detect security risks, find bugs and provide actionable
metrics for PHP projects.</p></li>
<li><p><a
href="https://github.com/tomasbjerre/violations-lib">Violations Lib</a>
— Java library for parsing report files from static code analysis. Used
by a bunch of Jenkins, Maven and Gradle plugins.</p></li>
</ul>
<a name="deno" />
<h2>
Deno
</h2>
<ul>
<li><a href="https://github.com/denoland/deno_lint">deno_lint</a>
Official linter for Deno.</li>
</ul>
<a name="embedded" />
<h2>
Embedded
</h2>
<ul>
<li><a
href="https://github.com/priv-kweihmann/oelint-adv">oelint-adv</a>
Linter for bitbake recipes used in open-embedded and YOCTO.</li>
</ul>
<a name="erb" />
<h2>
Embedded Ruby (a.k.a. ERB, eRuby)
</h2>
<ul>
<li><p><a href="https://github.com/Shopify/erb-lint">ERB Lint</a> — Lint
your ERB or HTML files.</p></li>
<li><p><a
href="https://github.com/threedaymonk/htmlbeautifier">htmlbeautifier</a>
— A normaliser/beautifier for HTML that also understands embedded Ruby.
Ideal for tidying up Rails templates.</p></li>
</ul>
<a name="gherkin" />
<h2>
Gherkin
</h2>
<ul>
<li><a href="https://github.com/vsiakka/gherkin-lint">gherkin-lint</a>
A linter for the Gherkin-Syntax written in Javascript.</li>
</ul>
<a name="html" />
<h2>
HTML
</h2>
<ul>
<li><p><a
href="https://github.com/angular-eslint/angular-eslint#readme">Angular
ESLint</a> — Linter for Angular projects.</p></li>
<li><p><a href="https://github.com/twbs/bootlint">Bootlint</a> :warning:
— An HTML linter for Bootstrap projects.</p></li>
<li><p><a href="https://github.com/Shopify/erb-lint">ERB Lint</a> — Lint
your ERB or HTML files.</p></li>
<li><p><a
href="https://github.com/twbs/grunt-bootlint">grunt-bootlint</a>
:warning: — A Grunt wrapper for <a
href="https://github.com/twbs/bootlint">Bootlint</a>, the HTML linter
for Bootstrap projects.</p></li>
<li><p><a
href="https://github.com/tschortsch/gulp-bootlint">gulp-bootlint</a>
:warning: — A gulp wrapper for <a
href="https://github.com/twbs/bootlint">Bootlint</a>, the HTML linter
for Bootstrap projects.</p></li>
<li><p><a href="https://github.com/philipwalton/html-inspector">HTML
Inspector</a> :warning: — HTML Inspector is a code quality tool to help
you and your team write better markup.</p></li>
<li><p><a href="http://www.html-tidy.org">HTML Tidy</a> — Corrects and
cleans up HTML and XML documents by fixing markup errors and upgrading
legacy code to modern standards.</p></li>
<li><p><a href="https://html-validate.org/">HTML-Validate</a> — Offline
HTML5 validator.</p></li>
<li><p><a
href="https://github.com/threedaymonk/htmlbeautifier">htmlbeautifier</a>
— A normaliser/beautifier for HTML that also understands embedded Ruby.
Ideal for tidying up Rails templates.</p></li>
<li><p><a href="https://htmlhint.com">HTMLHint</a> — A Static Code
Analysis Tool for HTML.</p></li>
<li><p><a href="https://validator.github.io/validator/">Nu Html
Checker</a> — Helps you catch problems in your HTML/CSS/SVG.</p></li>
<li><p><a
href="https://github.com/Polymer/tools/tree/master/packages/analyzer">Polymer-analyzer</a>
— A static analysis framework for Web Components.</p></li>
</ul>
<a name="json" />
<h2>
JSON
</h2>
<ul>
<li><p><a href="https://jsonlint.com/">jsonlint</a> — A JSON parser and
validator with a CLI. Standalone version of jsonlint.com.</p></li>
<li><p><a href="https://stoplight.io/open-source/spectral">Spectral</a>
— A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI
v2/v3 and AsyncAPI v2.</p></li>
</ul>
<a name="kubernetes" />
<h2>
Kubernetes
</h2>
<ul>
<li><p><a href="https://github.com/helm/chart-testing">chart-testing</a>
— ct is the tool for testing Helm charts. It is meant to be used for
linting and testing pull requests. It automatically detects charts
changed against the target branch.</p></li>
<li><p><a
href="https://github.com/digitalocean/clusterlint">clusterlint</a> —
Clusterlint queries live Kubernetes clusters for resources, executes
common and platform-specific checks against these resources and provides
actionable feedback to cluster operators. It is a non-invasive tool that
is run externally. Clusterlint does not alter the resource
configurations.</p></li>
<li><p><a href="https://datree.io/">Datree</a> — A CLI tool to prevent
Kubernetes misconfigurations by ensuring that manifests and Helm charts
follow best practices as well as your organization's policies.</p></li>
<li><p><a href="https://kics.io/">kics</a> — Find security
vulnerabilities, compliance issues, and infrastructure misconfigurations
in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker,
AWS CloudFormation and Ansible</p></li>
<li><p><a href="https://github.com/uswitch/klint">klint</a> — A tool
that listens to changes in Kubernetes resources and runs linting rules
against them. Identify and debug erroneous objects and nudge objects in
line with the policies as both change over time. Klint helps encode
checks and proactively alerts teams when they need to take
action.</p></li>
<li><p><a href="https://github.com/appvia/krane">krane</a> — Krane is a
simple Kubernetes RBAC static analysis tool. It identifies potential
security risks in K8s RBAC design and makes suggestions on how to
mitigate them. The Krane dashboard presents the current RBAC security
posture and lets you navigate through its definition.</p></li>
<li><p><a
href="https://aquasecurity.github.io/kube-hunter/">kube-hunter</a>
:warning: — Hunt for security weaknesses in Kubernetes
clusters.</p></li>
<li><p><a href="https://github.com/viglesiasce/kube-lint">kube-lint</a>
— A linter for Kubernetes resources with a customizable rule set. You
define a list of rules that you would like to validate against your
resources and kube-lint will evaluate those rules against them.</p></li>
<li><p><a href="https://github.com/stackrox/kube-linter">kube-linter</a>
— KubeLinter is a static analysis tool that checks Kubernetes YAML files
and Helm charts to ensure the applications represented in them adhere to
best practices.</p></li>
<li><p><a href="https://kube-score.com">kube-score</a> — Static code
analysis of your Kubernetes object definitions.</p></li>
<li><p><a href="https://github.com/yannh/kubeconform">kubeconform</a> —
A fast Kubernetes manifests validator with support for custom
resources.</p></li>
</ul>
<p>kubeconform is inspired by, contains code from and is designed to stay
close to <a href="https://analysis-tools.dev/tool/kubeval">Kubeval</a>,
but with the following improvements:</p>
<ul>
<li>High performance: validates and downloads manifests over multiple
routines, caching downloaded files in memory</li>
<li>Configurable list of remote or local schema locations, enabling
validation of Kubernetes custom resources (CRDs) and offline
validation</li>
<li>Uses by default a self-updating fork of the schemas registry
maintained by the kubernetes-json-schema project, which guarantees
up-to-date schemas for all recent versions of Kubernetes</li>
</ul>
<ul>
<li><p><a href="https://kubeval.instrumenta.dev">kubeval</a> — Validates
your Kubernetes configuration files and supports multiple Kubernetes
versions.</p></li>
</ul>
<a name="latex" />
<h2>
LaTeX
</h2>
<ul>
<li><p><a href="http://www.nongnu.org/chktex">ChkTeX</a> — A linter for
LaTeX which catches some typographic errors that LaTeX overlooks.</p></li>
<li><p><a href="https://www.ctan.org/pkg/lacheck">lacheck</a> — A tool
for finding common mistakes in LaTeX documents.</p></li>
<li><p><a href="https://texlab.netlify.app">TeXLab</a> — A Language
Server Protocol implementation for TeX/LaTeX, including lint
capabilities.</p></li>
</ul>
<a name="laravel" />
<h2>
Laravel
</h2>
<ul>
<li><p><a href="https://www.laravel-enlightn.com/">Enlightn</a>
:warning: — A static and dynamic analysis tool for Laravel applications
that provides recommendations to improve the performance, security and
code reliability of Laravel apps. Contains 120 automated
checks.</p></li>
<li><p><a href="https://github.com/larastan/larastan">larastan</a> —
Adds static analysis to Laravel improving developer productivity and
code quality. It is a wrapper around PHPStan.</p></li>
</ul>
<a name="make" />
<h2>
Makefiles
</h2>
<ul>
<li><p><a href="https://github.com/mrtazz/checkmake">checkmake</a> —
Linter / Analyzer for Makefiles.</p></li>
<li><p><a
href="https://www.freebsd.org/cgi/man.cgi?query=portlint&amp;sektion=1&amp;manpath=FreeBSD+8.1-RELEASE+and+Ports">portlint</a>
— A verifier for FreeBSD and DragonFlyBSD port directories.</p></li>
</ul>
<a name="markdown" />
<h2>
Markdown
</h2>
<ul>
<li><p><a
href="https://github.com/DavidAnson/markdownlint">markdownlint</a> —
Node.js-based style checker and lint tool for Markdown/CommonMark
files.</p></li>
<li><p><a href="https://mdformat.rtfd.io">mdformat</a> — CommonMark
compliant Markdown formatter</p></li>
<li><p><a href="https://github.com/mivok/markdownlint">mdl</a> :warning:
— A tool to check Markdown files and flag style issues.</p></li>
<li><p><a href="https://github.com/hougesen/mdsf">mdsf</a> — Format
markdown code blocks using your favorite code formatters.</p></li>
<li><p><a href="https://remark.js.org">remark-lint</a> — Pluggable
Markdown code style linter written in JavaScript.</p></li>
<li><p><a href="https://textlint.github.io/">textlint</a> — textlint is
an open source text linting utility written in JavaScript.</p></li>
</ul>
<a name="meta" />
<h2>
Metalinter
</h2>
<ul>
<li><p><a href="https://github.com/ContinuumIO/ciocheck">ciocheck</a>
:warning: — Linter, formatter and test suite helper. As a linter, it is
a wrapper around <code>pep8</code>, <code>pydocstyle</code>,
<code>flake8</code>, and <code>pylint</code>.</p></li>
<li><p><a href="https://github.com/PyCQA/flake8">flake8</a> — A wrapper
around <code>pyflakes</code>, <code>pycodestyle</code> and
<code>mccabe</code>.</p></li>
<li><p><a href="https://pypi.org/project/flakeheaven/">flakeheaven</a> —
flakeheaven is a Python linter built around flake8 to enable inheritable
and complex TOML configuration.</p></li>
<li><p><a href="https://github.com/alecthomas/gometalinter">Go Meta
Linter</a> :warning: — Concurrently run Go lint tools and normalise
their output. Use <code>golangci-lint</code> for new projects.</p></li>
<li><p><a
href="https://github.com/360EntSecGroup-Skylar/goreporter">goreporter</a>
— Concurrently runs many linters and normalises their output to a
report.</p></li>
<li><p><a href="https://github.com/adamchainz/multilint">multilint</a>
:warning: — A wrapper around <code>flake8</code>, <code>isort</code> and
<code>modernize</code>.</p></li>
<li><p><a href="https://github.com/PyCQA/prospector">prospector</a> — A
wrapper around <code>pylint</code>, <code>pep8</code>,
<code>mccabe</code> and others.</p></li>
</ul>
<a name="mobile" />
<h2>
Mobile
</h2>
<ul>
<li><p><a href="https://developer.android.com/studio/write/lint">Android
Lint</a> — Run static analysis on Android projects.</p></li>
<li><p><a
href="https://passy.github.io/android-lint-summary">android-lint-summary</a>
:warning: — Combines lint errors of multiple projects into one output,
so you can check lint results of multiple sub-projects at once.</p></li>
<li><p><a
href="https://github.com/secure-software-engineering/FlowDroid">FlowDroid</a>
— Static taint analysis tool for Android applications.</p></li>
<li><p><a
href="https://www.kitploit.com/2020/08/iblessing-ios-security-exploiting.html">iblessing</a>
:warning: — iblessing is an iOS security exploiting toolkit. It can be
used for reverse engineering, binary analysis and vulnerability
mining.</p></li>
<li><p><a href="https://mariana-tren.ch/">Mariana Trench</a> — Our
security-focused static analysis tool for Android and Java applications.
Mariana Trench analyzes Dalvik bytecode and is built to run fast on
large codebases (tens of millions of lines of code). It can find
vulnerabilities as code changes, before it ever lands in your
repository.</p></li>
<li><p><a href="https://oversecured.com">Oversecured</a> :copyright: —
Enterprise vulnerability scanner for Android and iOS apps. It allows app
owners and developers to secure each new version of a mobile app by
integrating Oversecured into the development process.</p></li>
<li><p><a href="https://github.com/GeoffreyHecht/paprika">paprika</a>
:warning: — A toolkit to detect some code smells in analyzed Android
applications.</p></li>
<li><p><a href="https://github.com/linkedin/qark">qark</a> :warning: —
Tool to look for several security related Android application
vulnerabilities.</p></li>
<li><p><a href="https://fbredex.com">redex</a> — Redex provides a
framework for reading, writing, and analyzing .dex files, and a set of
optimization passes that use this framework to improve the bytecode. An
APK optimized by Redex should be smaller and faster.</p></li>
</ul>
<a name="nix" />
<h2>
Nix
</h2>
<ul>
<li><p><a href="https://github.com/astro/deadnix">deadnix</a> — Scan Nix
files for dead code (unused variable bindings)</p></li>
<li><p><a href="https://git.peppe.rs/languages/statix/about/">statix</a>
— Lints and suggestions for the Nix programming language. “statix check”
highlights antipatterns in Nix code. “statix fix” can fix several such
occurrences.</p></li>
</ul>
<a name="nodejs" />
<h2>
Node.js
</h2>
<ul>
<li><p><a
href="https://github.com/lirantal/lockfile-lint">lockfile-lint</a> —
Lint an npm or yarn lockfile to analyze and detect security
issues.</p></li>
<li><p><a href="https://opensecurity.in">njsscan</a> — A static
application security testing (SAST) tool that can find insecure code
patterns in your Node.js applications using the simple pattern matcher
from libsast and the syntax-aware semantic code pattern search tool
semgrep.</p></li>
<li><p><a href="https://opensecurity.in">NodeJSScan</a> — A static
security code scanner for Node.js applications powered by libsast and
semgrep that builds on the njsscan CLI tool. It features a UI with
various dashboards about an application's security status.</p></li>
<li><p><a href="http://standardjs.com">standard</a> — An npm module that
checks for JavaScript style guide issues.</p></li>
</ul>
<a name="package" />
<h2>
Packages
</h2>
<ul>
<li><p><a
href="https://github.com/shipmonk-rnd/composer-dependency-analyser">composer-dependency-analyser</a>
— Fast detection of composer dependency issues.</p>
<ul>
<li>💪 Powerful: Detects unused, shadow and misplaced composer
dependencies</li>
<li>⚡ Performant: Scans 15 000 files in 2s!</li>
<li>⚙️ Configurable: Fine-grained ignores via PHP config</li>
<li>🕸️ Lightweight: No composer dependencies</li>
<li>🍰 Easy-to-use: No config needed for first try</li>
<li>✨ Compatible: PHP &gt;= 7.2</li>
</ul></li>
<li><p><a href="https://wiki.debian.org/Lintian">lintian</a> — Static
analysis tool for Debian packages.</p></li>
<li><p><a
href="https://github.com/rpm-software-management/rpmlint">rpmlint</a> —
Tool for checking common errors in rpm packages.</p></li>
</ul>
<a name="prometheus" />
<h2>
Prometheus
</h2>
<ul>
<li><p><a href="https://github.com/facetoe/promformat">promformat</a>
:warning: — Promformat is a PromQL formatter written in Python.</p></li>
<li><p><a href="https://github.com/facetoe/promval">promval</a> — PromQL
validator written in Python. It can be used to validate that PromQL
expressions are written as expected.</p></li>
</ul>
<a name="protobuf" />
<h2>
Protocol Buffers
</h2>
<ul>
<li><p><a href="https://buf.build">buf</a> — Provides a CLI linter that
enforces good API design choices and structure</p></li>
<li><p><a href="https://github.com/yoheimuta/protolint">protolint</a> —
Pluggable linter and fixer to enforce Protocol Buffer style and
conventions.</p></li>
</ul>
<a name="puppet" />
<h2>
Puppet
</h2>
<ul>
<li><a
href="https://github.com/voxpupuli/metadata-json-lint">metadata-json-lint</a>
— Tool to check the validity of Puppet metadata.json files.</li>
</ul>
<a name="rails" />
<h2>
Rails
</h2>
<ul>
<li><a href="https://github.com/thesp0nge/dawnscanner">dawnscanner</a> —
A static analysis security scanner for web applications written in Ruby.
It supports the Sinatra, Padrino and Ruby on Rails frameworks.</li>
</ul>
<a name="security" />
<h2>
Security/SAST
</h2>
<ul>
<li><p><a href="https://azsk.azurewebsites.net/">AzSK</a> — The Secure
DevOps Kit for Azure (AzSK) provides security IntelliSense, Security
Verification Tests (SVTs), and CI/CD scanning for vulnerabilities,
compliance issues, and infrastructure misconfigurations in your
infrastructure-as-code. Supports Azure via ARM.</p></li>
<li><p><a href="https://brakemanscanner.org">brakeman</a> — A static
analysis security vulnerability scanner for Ruby on Rails
applications.</p></li>
<li><p><a href="https://github.com/SAP/credential-digger">Credential
Digger</a> — Credential Digger is a GitHub scanning tool that identifies
hardcoded credentials (passwords, API keys, secret keys, tokens,
personal information, etc.) and filters out false positives with a
machine learning model called <a
href="https://huggingface.co/SAPOSS/password-model">Password Model</a>.
This scanner is able to detect passwords and non-structured tokens with
a low false positive rate.</p></li>
<li><p><a href="https://datree.io/">Datree</a> — A CLI tool to prevent
Kubernetes misconfigurations by ensuring that manifests and Helm charts
follow best practices as well as your organization's policies.</p></li>
<li><p><a
href="https://github.com/Yelp/detect-secrets">detect-secrets</a> — An
enterprise friendly way of detecting and preventing secrets in code. It
does this by running periodic diff outputs against heuristically crafted
regex statements, to identify whether any new secret has been committed.
This way, it avoids the overhead of digging through all git history, as
well as the need to scan the entire repository every time.</p></li>
<li><p><a href="https://www.laravel-enlightn.com/">Enlightn</a>
:warning: — A static and dynamic analysis tool for Laravel applications
that provides recommendations to improve the performance, security and
code reliability of Laravel apps. Contains 120 automated
checks.</p></li>
<li><p><a href="https://www.gitguardian.com/ggshield">GitGuardian
ggshield</a> — ggshield is a CLI application that runs in your local
environment or in a CI environment to help you detect more than 350
types of secrets, as well as other potential security vulnerabilities or
policy breaks affecting your codebase.</p></li>
<li><p><a href="https://github.com/zricethezav/gitleaks">Gitleaks</a> —
A SAST tool for detecting hardcoded secrets like passwords, API keys,
and tokens in git repos.</p></li>
<li><p><a href="https://github.com/praetorian-inc/gokart">gokart</a> —
Golang security analysis with a focus on minimizing false positives. It
is capable of tracing the source of variables and function arguments to
determine whether input sources are safe.</p></li>
<li><p><a
href="https://gitguardian.com/hasmysecretleaked">HasMySecretLeaked</a>
:copyright: — HasMySecretLeaked is a project from GitGuardian that aims
to help individual users and organizations search across 20 million
exposed secrets to verify if their developer secrets have leaked on
public repositories, gists, and issues on GitHub projects.</p></li>
<li><p><a
href="https://www.kitploit.com/2020/08/iblessing-ios-security-exploiting.html">iblessing</a>
:warning: — iblessing is an iOS security exploiting toolkit. It can be
used for reverse engineering, binary analysis and vulnerability
mining.</p></li>
<li><p><a href="https://github.com/model-checking/kani">kani</a> — The
Kani Rust Verifier is a bit-precise model checker for Rust. Kani is
particularly useful for verifying unsafe code blocks in Rust, where the
“unsafe superpowers” are unchecked by the compiler. Kani
verifies:</p>
<ul>
<li>Memory safety (e.g., null pointer dereferences)</li>
<li>User-specified assertions (i.e., assert!(…))</li>
<li>The absence of panics (e.g., unwrap() on None values)</li>
<li>The absence of some types of unexpected behavior (e.g.,
arithmetic overflows)</li>
</ul></li>
<li><p><a href="https://kics.io/">kics</a> — Find security
vulnerabilities, compliance issues, and infrastructure misconfigurations
in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker,
AWS CloudFormation and Ansible</p></li>
<li><p><a href="https://ktool.cynder.me/en/latest/ktool.html">ktool</a>
— Fully cross-platform toolkit and library for MachO+Obj-C
editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping,
and much more.</p></li>
<li><p><a
href="https://aquasecurity.github.io/kube-hunter/">kube-hunter</a>
:warning: — Hunt for security weaknesses in Kubernetes
clusters.</p></li>
<li><p><a
href="https://github.com/lirantal/lockfile-lint">lockfile-lint</a> —
Lint an npm or yarn lockfile to analyze and detect security
issues.</p></li>
<li><p><a
href="https://github.com/marketplace/lunatrace-by-lunasec/">LunaSec</a>
:warning: — Open Source AppSec platform that automatically notifies you
the next time vulnerabilities like Log4Shell or node-ipc happen. Track
your dependencies and builds in a centralized service.</p></li>
<li><p><a href="https://opensecurity.in">njsscan</a> — A static
application security testing (SAST) tool that can find insecure code
patterns in your Node.js applications using the simple pattern matcher
from libsast and the syntax-aware semantic code pattern search tool
semgrep.</p></li>
<li><p><a href="https://opensecurity.in">NodeJSScan</a> — A static
security code scanner for Node.js applications powered by libsast and
semgrep that builds on the njsscan CLI tool. It features a UI with
various dashboards about an application's security status.</p></li>
<li><p><a href="https://oversecured.com">Oversecured</a> :copyright: —
Enterprise vulnerability scanner for Android and iOS apps. It allows app
owners and developers to secure each new version of a mobile app by
integrating Oversecured into the development process.</p></li>
<li><p><a href="https://www.ptsecurity.com">PT Application Inspector</a>
:copyright: — Identifies code flaws and detects vulnerabilities to
prevent web attacks. Demonstrates remote code execution by presenting
possible exploits.</p></li>
<li><p><a href="https://www.qualys.com/apps/container-security">Qualys
Container Security</a> :copyright: — Container native application
protection to provide visibility and control of containerized
applications.</p></li>
<li><p><a
href="https://github.com/quantifiedcode/quantifiedcode">QuantifiedCode</a>
:warning: — Automated code review &amp; repair. It helps you to keep
track of issues and metrics in your software projects, and can be easily
extended to support new types of analyses.</p></li>
<li><p><a href="https://www.rezilion.com/">Rezilion</a> :copyright: —
Discovers vulnerabilities for all components in your environment,
filters out the 85% of vulnerabilities that are non-exploitable, and
creates a remediation plan and opens tickets to upgrade components that
violate your security policy and/or patches automatically in CI.</p></li>
<li><p><a href="https://github.com/ossf/scorecard">scorecard</a> —
Security Scorecards - Security health metrics for Open Source.</p></li>
<li><p><a
href="https://resources.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/">SearchDiggity</a>
:copyright: — Identifies vulnerabilities in open source code projects
hosted on GitHub, Google Code, MS CodePlex, SourceForge, and more. The
tool comes with over 130 default searches that identify SQL injection,
cross-site scripting (XSS), insecure remote and local file includes,
hard-coded passwords, etc.</p></li>
<li><p><a href="https://steampunk.si/spotter/">Steampunk Spotter</a>
:copyright: — Ansible Playbook Scanning Tool that analyzes and offers
recommendations for your playbooks.</p></li>
<li><p><a href="https://insight.symfony.com/">Symfony Insight</a>
:copyright: — Detect security risks, find bugs and provide actionable
metrics for PHP projects.</p></li>
<li><p><a href="https://github.com/tfsec/tfsec">tfsec</a> — Terraform
static analysis tool that prevents potential security issues by checking
cloud misconfigurations at build time and directly integrates with the
HCL parser for better results. Checks for violations of AWS, Azure and
GCP security best practice recommendations.</p></li>
<li><p><a href="https://trufflesecurity.com">trufflehog</a> — Find
credentials all over the place. TruffleHog is an open source
secret-scanning engine that resolves exposed secrets across your
company's entire tech stack.</p></li>
<li><p><a
href="https://github.com/google/tsunami-security-scanner">Tsunami
Security Scanner</a> — A general-purpose network security scanner with
an extensible plugin system for detecting high-severity RCE-like
vulnerabilities with high confidence. Custom detectors for finding
vulnerabilities (e.g. open APIs) can be added.</p></li>
</ul>
<a name="smart-contracts" />
<h2>
Smart Contracts
</h2>
<ul>
<li><p><a href="https://github.com/ConsenSys/mythril">mythril</a> — A
symbolic execution framework with batteries included, can be used to
find and exploit vulnerabilities in smart contracts
automatically.</p></li>
<li><p><a href="https://mythx.io">MythX</a> :copyright: — MythX is an
easy to use analysis platform which integrates several analysis methods
like fuzzing, symbolic execution and static analysis to find
vulnerabilities with high precision. It can be integrated with
toolchains like Remix or VSCode or called from the
command-line.</p></li>
<li><p><a href="https://github.com/trailofbits/slither">slither</a> —
Static analysis framework that runs a suite of vulnerability detectors,
prints visual information about contract details, and provides an API to
easily write custom analyses.</p></li>
<li><p><a href="https://protofire.github.io/solhint">solhint</a> —
Solhint is an open source project created by https://protofire.io. Its
goal is to provide a linting utility for Solidity code.</p></li>
<li><p><a href="https://ethlint.readthedocs.io/en/latest">solium</a> —
Solium is a linter to identify and fix style and security issues in
Solidity smart contracts.</p></li>
</ul>
<a name="support" />
<h2>
Support
</h2>
<ul>
<li><p><a
href="https://github.com/uni-bremen-agst/libvcs4j">LibVCS4j</a> — A Java
library that allows existing tools to analyse the evolution of software
systems by providing a common API for different version control systems
and issue trackers.</p></li>
<li><p><a
href="https://github.com/jimbethancourt/RefactorFirst">RefactorFirst</a>
— Identifies and prioritizes God Classes and Highly Coupled classes in
Java codebases you should refactor first.</p></li>
<li><p><a
href="https://github.com/tomasbjerre/violations-lib">Violations Lib</a>
— Java library for parsing report files from static code analysis. Used
by a bunch of Jenkins, Maven and Gradle plugins.</p></li>
</ul>
<a name="template" />
<h2>
Template-Languages
</h2>
<ul>
<li><p><a
href="https://github.com/ember-template-lint/ember-template-lint">ember-template-lint</a>
— Linter for Ember or Handlebars templates.</p></li>
<li><p><a href="https://github.com/sds/haml-lint">haml-lint</a> — Tool
for writing clean and consistent HAML.</p></li>
<li><p><a href="https://github.com/sds/slim-lint">slim-lint</a> —
Configurable tool for analyzing Slim templates.</p></li>
<li><p><a href="https://yamllint.readthedocs.io">yamllint</a> — Checks
YAML files for syntax validity, key repetition and cosmetic problems
such as line length, trailing spaces, and indentation.</p></li>
</ul>
<a name="terraform" />
<h2>
Terraform
</h2>
<ul>
<li><p><a href="https://www.gitguardian.com/ggshield">GitGuardian
ggshield</a> — ggshield is a CLI application that runs in your local
environment or in a CI environment to help you detect more than 350
types of secrets, as well as other potential security vulnerabilities or
policy breaks affecting your codebase.</p></li>
<li><p><a href="https://kics.io/">kics</a> — Find security
vulnerabilities, compliance issues, and infrastructure misconfigurations
in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker,
AWS CloudFormation and Ansible</p></li>
<li><p><a href="https://github.com/flatt-security/shisho">shisho</a>
:warning: — A lightweight static code analyzer designed for developers
and security teams. It allows you to analyze and transform source code
with an intuitive DSL similar to sed, but for code.</p></li>
</ul>
<a name="translation" />
<h2>
Translation
</h2>
<ul>
<li><a href="https://github.com/willkg/dennis">dennis</a> :warning: — A
set of utilities for working with PO files to ease development and
improve quality.</li>
</ul>
<a name="vue" />
<h2>
Vue.js
</h2>
<ul>
<li><p><a href="https://html-validate.org/">HTML-Validate</a> — Offline
HTML5 validator.</p></li>
<li><p><a
href="https://marketplace.visualstudio.com/items?itemName=octref.vetur">Vetur</a>
:warning: — Vue tooling for VS Code, powered by vls (vue language
server). Vetur has support for formatting embedded HTML, CSS, SCSS, JS,
TypeScript, and more. Vetur only has a “whole document formatter” and
cannot format arbitrary ranges.</p></li>
</ul>
<a name="writing" />
<h2>
Writing
</h2>
<ul>
<li><p><a href="https://open.afterthedeadline.com">After the
Deadline</a> :warning: — Spell, style and grammar checker.</p></li>
<li><p><a href="https://alexjs.com">alex</a> — Catch insensitive,
inconsiderate writing</p></li>
<li><p><a
href="https://github.com/codespell-project/codespell">codespell</a> —
Check code for common misspellings.</p></li>
<li><p><a href="https://languagetool.org">languagetool</a> — Style and
grammar checker for 25+ languages. It finds many errors that a simple
spell checker cannot detect.</p></li>
<li><p><a
href="https://github.com/vlajos/misspell-fixer">misspell-fixer</a>
:warning: — Quick tool for fixing common misspellings and typos in
source code.</p></li>
<li><p><a href="https://jwilk.net/software/mwic">Misspelled Words In
Context</a> — A spell-checker that groups possible misspellings and
shows them in their contexts.</p></li>
<li><p><a href="https://github.com/amperser/proselint">proselint</a> — A
linter for English prose with a focus on writing style instead of
grammar.</p></li>
<li><p><a href="https://vale.sh">vale</a> — A syntax-aware linter for
prose built with speed and extensibility in mind.</p></li>
<li><p><a href="https://github.com/btford/write-good">write-good</a> — A
linter with a focus on eliminating “weasel words”.</p></li>
</ul>
<a name="yaml" />
<h2>
YAML
</h2>
<ul>
<li><p><a href="https://stoplight.io/open-source/spectral">Spectral</a>
— A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI
v2/v3 and AsyncAPI v2.</p></li>
<li><p><a href="https://yamllint.readthedocs.io">yamllint</a> — Checks
YAML files for syntax validity, key repetition and cosmetic problems
such as line length, trailing spaces, and indentation.</p></li>
</ul>
<a name="git" />
<h2>
git
</h2>
<ul>
<li><p><a href="https://commitlint.js.org">commitlint</a> — Checks
whether your commit messages meet the conventional commit format.</p></li>
<li><p><a href="https://www.gitguardian.com/ggshield">GitGuardian
ggshield</a> — ggshield is a CLI application that runs in your local
environment or in a CI environment to help you detect more than 350
types of secrets, as well as other potential security vulnerabilities or
policy breaks affecting your codebase.</p></li>
<li><p><a
href="https://gitguardian.com/hasmysecretleaked">HasMySecretLeaked</a>
:copyright: — HasMySecretLeaked is a project from GitGuardian that aims
to help individual users and organizations search across 20 million
exposed secrets to verify if their developer secrets have leaked on
public repositories, gists, and issues on GitHub projects.</p></li>
</ul>
<h2 id="more-collections">More Collections</h2>
<ul>
<li><a href="https://github.com/collections/clean-code-linters">Clean
code linters</a> — A collection of linters in GitHub collections</li>
<li><a href="https://github.com/collections/code-quality-in-php">Code
Quality Checker Tools For PHP Projects</a> — A collection of PHP linters
in GitHub collections</li>
<li><a href="https://github.com/dominikh/go-tools">go-tools</a> — A
collection of tools and libraries for working with Go code, including
linters and static analysis</li>
<li><a href="https://github.com/mcandre/linters">linters</a> — An
introduction to static code analysis</li>
<li><a
href="https://owasp.org/www-community/Source_Code_Analysis_Tools">OWASP
Source Code Analysis Tools</a> — List of tools maintained by the Open
Web Application Security Project</li>
<li><a
href="https://github.com/exakat/php-static-analysis-tools">php-static-analysis-tools</a>
— A reviewed list of useful PHP static analysis tools</li>
<li><a
href="http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis">Wikipedia</a>
— A list of tools for static code analysis.</li>
</ul>
<h2 id="license">License</h2>
<p><a href="https://creativecommons.org/publicdomain/zero/1.0/"><img
src="https://i.creativecommons.org/p/zero/1.0/88x31.png"
alt="CC0" /></a></p>
<p>To the extent possible under law, <a
href="https://endler.dev">Matthias Endler</a> has waived all copyright
and related or neighboring rights to this work. The underlying source
code used to format and display that content is licensed under the MIT
license.</p>
<p>Title image <a href="https://www.freepik.com">Designed by
Freepik</a>. <a
href="https://github.com/mre/awesome-static-analysis">staticanalysis.md
Github</a></p>