This repository lists static analysis tools for all programming languages, build tools, config files and more.
The official website, analysis-tools.dev is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.
Static program analysis is the analysis of computer software that is performed without actually executing programs — Wikipedia
The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality. — John Carmack (Creator of Doom)
This project would not be possible without the generous support of our sponsors.
If you also want to support this project, head over to our Github sponsors page.
Pull requests are very welcome!
Also check out the sister project, awesome-dynamic-analysis.
Go Meta Linter: GolangCI-Lint is a linters aggregator.
pep8) Check Python code against some of the style conventions in PEP 8.
pyreverse(an UML diagram generator) and
symilar(a similarities checker).
ale - Asynchronous Lint Engine for Vim and NeoVim with support for many languages.
Android Studio - Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint.
AppChecker :copyright: - Static analysis for C/C++/C#, PHP and Java.
Application Inspector :copyright: - Commercial Static Code Analysis which generates exploits to verify vulnerabilities.
ApplicationInspector - Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).
ArchUnit - Unit test your Java or Kotlin architecture.
Axivion Bauhaus Suite :copyright: - Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
Better Code Hub :copyright: - Better Code Hub checks your GitHub codebase against 10 engineering guidelines devised by the authority in software quality, Software Improvement Group.
brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications.
cargo-bloat - Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries.
CAST Highlight :copyright: - Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.
Checkmarx CxSAST :copyright: - Commercial Static Code Analysis which doesn't require pre-compilation.
ciocheck :warning: - Linter, formatter and test suite helper. As a linter, it is a wrapper around
ClassGraph - A classpath and module path scanner for querying or visualizing class metadata or class relatedness.
Clayton :copyright: - AI-powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
Cobra :copyright: - Structural source code analyzer by NASA's Jet Propulsion Laboratory.
Codacy :copyright: - Code Analysis to ship Better Code, Faster.
Code Inspector :copyright: - Code quality and technical debt management platform that supports 10+ languages.
Code Intelligence :copyright: - CI/CD-agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage
codeburner :warning: - Provides a unified interface to sort and act on the issues it finds.
codechecker - A defect database and viewer extension for the Clang Static Analyzer with web GUI.
CodeFactor :copyright: - Automated Code Analysis for repos on GitHub or BitBucket.
CodeFlow :copyright: - Automated code analysis tool to deal with technical depth. Integrates with Bitbucket and Gitlab. (free for Open Source Projects)
CodeIt.Right :copyright: - CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.
CodePatrol :copyright: - Automated SAST code reviews driven by security, supports 15+ languages and includes security training.
codeql - Deep code analysis - semantic queries and dataflow for several languages with VSCode plugin support.
Coderrect :copyright: - Advanced static analyzer for multi-threaded software. Supports OpenMP, Pthreads, std::thread, and GPU/CUDA.
CodeRush :copyright: - Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up.
CodeScan :copyright: - Code Quality and Security for Salesforce Developers. Made exclusively for the Salesforce platform, CodeScan’s code analysis solutions provide you with total visibility into your code health.
CodeScene :copyright: - CodeScene is a quality visualization tool for software. Prioritize technical debt, detect delivery risks, and measure organizational aspects. Fully automated.
CodeSonar from GrammaTech :copyright: - Advanced, whole program, deep path, static analysis of C, C++, Java and C# with easy-to-understand explanations and code and path visualization.
Corrode :warning: - Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.
cqc :warning: - Check your code quality for js, jsx, vue, css, less, scss, sass and styl files.
dawnscanner - A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
DeepSource :copyright: - In-depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
Depends - Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.
DevSkim - Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
Enlightn - A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.
ESLint - An extensible linter for JS, following the ECMAScript standard.
exakat - An automated code reviewing engine for PHP.
Find Security Bugs - The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
flake8 - A wrapper around
Fortify :copyright: - A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
Go Meta Linter :warning: - Concurrently run Go lint tools and normalise their output. Use
golangci-lint for new projects.
Goodcheck - Regexp based customizable linter.
goone - Finds N+1 queries (SQL calls in a for loop) in go code
goreporter - Concurrently runs many linters and normalises their output to a report.
graudit - Grep rough audit - source code auditing tool.
HCL AppScan Source :copyright: - Commercial Static Code Analysis.
Hopper :warning: - A static analysis tool written in scala for languages that run on JVM.
imhotep :warning: - Comment on commits coming into your repository and check for syntactic errors and general lint warnings.
include-gardener :warning: - A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all
#include relations of a given set of files.
Infer - A static analyzer for Java, C and Objective-C
Kiuwan :copyright: - Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C\C++, Java, C#, PHP and more.
Klocwork :copyright: - Quality and Security Static analysis for C/C++, Java and C#.
LGTM.com :copyright: - Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.
lizard - Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
Mega-Linter - Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes
multilint - A wrapper around
Nitpick CI :copyright: - Automated PHP code review.
NodeJSScan - A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.
oclint - A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C.
ocular :copyright: - Enables code auditors and security teams to interactively investigate their unique code bases to find business logic flaws and technical vulnerabilities that traditional SASTs cannot. This is done by enabling the analyst to write their own custom queries. Can find hard-coded secrets, authentication issues, and malicious code like rootkits and backdoors.
Offensive 360 :copyright: - Commercial Static Code Analysis system doesn't require building the source code or pre-compilation.
parasoft :copyright: - Automated Software Testing Solutions for unit-, API-, and web UI testing. Complies with MISRA, OWASP, and others.
pfff - Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages.
Polymer-analyzer - A static analysis framework for Web Components.
pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
Prettier - An opinionated code formatter.
prospector - A wrapper around
mccabe and others.
PVS-Studio :copyright: - A (conditionally free for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees. Supports CWE mapping, MISRA and CERT coding standards.
quality - Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time.
QuantifiedCode :warning: - Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses.
Refactoring Essentials :warning: - The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers.
relint - A static file linter that allows you to write custom rules using regular expressions (RegEx).
Reshift :copyright: - A source code analysis tool for detecting and managing Java security vulnerabilities.
Reviewdog - A tool for posting review comments from any linter in any code hosting service.
RIPS :copyright: - A static source code analyser for vulnerabilities in PHP scripts.
Roslyn Analyzers - Roslyn-based implementation of FxCop analyzers.
Roslyn Security Guard - Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
Scrutinizer :copyright: - A proprietary code quality checker that can be integrated with GitHub.
Security Code Scan - Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
Semgrep - A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
Semmle QL and LGTM :copyright: - Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for public GitHub/Bitbucket repo: LGTM.com.
ShiftLeft :copyright: - Identify vulnerabilities that are unique to your code base before they reach production. Leverages the Code Property Graph (CPG) to run its analyses concurrently in a single graph of graphs. Automatically finds business logic flaws in dev like hardcoded secrets and logic bombs
ShiftLeft Scan - Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.
shipshape :warning: - Static program analysis platform that allows custom analyzers to plug in through a common interface.
Sider :copyright: - An automated code reviewing tool. Improving developers' productivity.
Similarity Tester - A tool that finds similarities between or within files to support you encountering DRY principle violations.
Snyk :copyright: - Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).
SonarCloud :copyright: - Multi-language cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.
SonarLint for Visual Studio - SonarLint is an extension for Visual Studio 2015 and 2017 that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
SonarQube - SonarQube is an open platform to manage code quality.
Sonatype :copyright: - Reports known vulnerabilities in common dependencies and recommends updated packages to minimize breaking changes
Soto Platform :copyright: - Suite of static analysis tools consisting of the three components Sotoarc (Architecture Analysis), Sotograph (Quality Analysis), and Sotoreport (Quality report). Helps find differences between architecture and implementation, interface violations (e.g. external access of private parts of subsystems, detection of all classes, files, packages and subsystems which are strongly coupled by cyclical relationships and more. The Sotograph product family runs on Windows and Linux.
SourceMeter :copyright: - Static Code Analysis for C/C++, Java, C#, Python, and RPG III and RPG IV versions (including free-form).
Super-Linter - Combination of multiple linters to install as a GitHub Action.
Symfony Insight :copyright: - Detect security risks, find bugs and provide actionable metrics for PHP projects.
Synopsys :copyright: - A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).
Teamscale :copyright: - Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available.
todocheck - Linter for integrating annotated TODOs with your issue trackers
trivy - A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.
TscanCode - A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license.
Undebt - Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.
Understand :copyright: - Code visualization tool that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada, VHDL, and others.
Violations Lib - Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.
WhiteHat Application Security Platform :copyright: - WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.
To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work. The underlying source code used to format and display that content is licensed under the MIT license.
Title image Designed by Freepik.