Static Analysis & Code Quality

Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.

Measures size and complexity for C files.

Automated C++ checker that follows Google's style guide.

Quality metrics for C code.

A sound static analyzer for C/C++ code based on LLVM.

A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing.

A static code analysis tool for Crystal.

A C# architecture test library to specify and assert architecture rules in C# for automated testing.

A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.

A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.

These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.

.NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.

An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.

A Delphi IDE package providing on-the-fly code analysis and linting, powered by SonarDelphi.

Delphi static analyzer for the SonarQube code quality platform.

D-Scanner is a tool for analyzing D source code.

A static code analysis tool with a focus on code consistency and teaching.

Mix tasks to simplify use of Dialyzer in Elixir projects.

Security-focused static analysis for the Phoenix Framework.

Erlang Style Reviewer.

F# source code formatter.

Lint tool for F#.

A collection of F# analyzers, built with the FSharp.Analyzers.SDK.

A collection of F# analyzers, built with the FSharp.Analyzers.SDK.

Fortran linter, inspired by (and built on) Ruff, and based on community best practices. Supports latest Fortran (2023) standard.

Find unused global variables and constants.

Checks whether HTTP response body is closed.

Finds unused code.

Finds assignments/declarations with too many blank identifiers.

Reports potentially duplicated code.

Check that error return values are used.

Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive.

Get info on length of functions in a Go package.

Go source code linter that maintains checks which are currently not implemented in other linters.

Go AST (Abstract Syntax Tree) based static analysis tool with Rego.

Finds repeated strings that could be replaced by a constant.

Calculate cyclomatic complexities of functions in Go source code.

Enforce a stricter format than gofmt, while being backwards-compatible. That is, gofumpt is happy with a subset of the formats that gofmt is happy with. The tool is a fork of gofmt as of Go 1.19, and requires Go 1.18 or later. It can be used as a drop-in replacement to format your Go code, and running gofmt after gofumpt should produce no changes. gofumpt will never add rules which disagree with gofmt formatting. So we extend gofmt rather than compete with it.

Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.

An interactive tool to analyze Golang goroutine dump.

Inspects source code for security problems by scanning the Go AST.

Detect ineffectual assignments in Go code.

Report long lines.

Finds commonly misspelled English words.

Finds naked returns.

Finds unused arguments in function declarations.

Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency

Detect redundant type conversions.

Find unused function parameters.

Enforces empty lines at the right places.

Finds slice declarations that could potentially be preallocated.

Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.

Prints out coding style mistakes in Go source code.

Inspects source code for security problems by scanning the Go AST.

Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.

A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code.

Go static analysis that specialises in finding bugs, simplifying code and improving performance.

Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.

Tool for scanning Python packages for known vulnerabilities. Developed by the Python Packaging Authority (PyPA) and supported by Trail of Bits and Google. Scans Python environments and requirements files to identify vulnerable packages and suggests remediation. Supports GitHub Actions, pre-commit hooks, and multiple vulnerability service integrations.

Cloud (IaC) Security plugin for JetBrains IDEs. Performs real-time inspections of Docker & Kubernetes IaC with 50+ rules based on Docker image/build security best practices, Kubernetes Pod Security Standards, and NSA/CISA Kubernetes Hardening Guidance.

Vulnerability scanner for container images and filesystems. Developed by Anchore, it scans container images, directories, and archives for known vulnerabilities. Supports multiple image formats, SBOM integration, and VEX (Vulnerability Exploitability eXchange) for accurate vulnerability assessment. Works with various vulnerability databases and provides detailed reporting.

Lint an npm or yarn lockfile to analyze and detect security issues

Credential Digger is a GitHub scanning tool that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc), and filtering the false positive data through a machine learning model called Password Model. This scanner is able to detect passwords and non structured tokens with a low false positive rate.

An enterprise friendly way of detecting and preventing secrets in code.It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.

A SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos.

The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler.Kani verifies:Memory safety (e.g., null pointer dereferences)User-specified assertions (i.e., assert!(...))The absence of panics (e.g., unwrap() on None values)The absence of some types of unexpected behavior (e.g., arithmetic overflows)

Security Scorecards - Security health metrics for Open Source

A general purpose network security scanner with an extensible plugin system for detecting high severity RCE-like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.

Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.

Hunt for security weaknesses in Kubernetes clusters.

Concurrently runs many linters and normalises their output to a report.

A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices.

HLint is a tool for suggesting possible improvements to Haskell code.

Liquid Haskell is a refinement type checker for Haskell programs.

A tool for detecting dead exports or package imports in Haskell code.

Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.

Catch common Java mistakes as compile-time errors.

Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.

Reformats Java source code to comply with the Google Java Style

Type-based null-pointer checker with low build-time overhead; an Error Prone plugin.

Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.

A framework for analyzing and transforming Java and Android applications.

Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.

Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).

An abstract interpretation-based static analyzer for Java build upon the LiSA framekwork.

Spoon is a metaprogramming library to analyze and transform Java source code (incl Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.

Static checker for GitHub Actions workflow files. Provides an online version.

A tool for posting review comments from any linter in any code hosting service.

A static analysis framework for Web Components.

Lint your ERB or HTML files

Linter for Angular projects

A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates.

Helps you catch problems in your HTML/CSS/SVG

Scanner detecting the use of JavaScript libraries with known vulnerabilities.

Scanner detecting the use of JavaScript libraries with known vulnerabilities.

Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code.

Static type inference system to detect bugs and type instabilities.

Static Code Analysis for Julia

Static code analysis for Kotlin code.

A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions. A ktfmt IntelliJ plugin is available from the plugin repository. To install it, go to your IDE's settings and select the Plugins category. Click the Marketplace tab, search for the ktfmt plugin, and click the Install button.

Static code analysis for Kotlin code.

A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions. A ktfmt IntelliJ plugin is available from the plugin repository. To install it, go to your IDE's settings and select the Plugins category. Click the Marketplace tab, search for the ktfmt plugin, and click the Install button.

An anti-bikeshedding Kotlin linter with built-in formatter.

A tool for linting and static analysis of Lua code.

lualint performs luac-based static analysis of global variable usage in Lua source code.

A static/symbolic Tool for finding bugs in (browser) code. It uses the LLVM AST to find bugs like uninitialized memory access.

A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.

Helps discover good candidates for refactoring.

Dependency analysis tool.

Finds usages of deprecated (Symfony) code.

Enforce rules for dependencies between software layers.

Detection of design patterns in PHP code.

Combine PHP_CodeSniffer and PHP-CS-Fixer.

Combine PHP_CodeSniffer and PHP-CS-Fixer.

Checks code on every commit.

This tool checks syntax of PHP files faster than serial check with a fancier output.

A Static Security Scanner.

A modern static analyzer from etsy.

Easy to use architecture testing tool for PHP.

Checks for weak assumptions.

Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.

A PHP parser written in PHP.

PHP spell check library.

PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. You can express the constraint that you want to enforce, in simple and readable PHP code.

Helps to detect magic numbers.

A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).

Many tools for PHP static analysis in one container.

PHPQA all-in-one Analyzer CLI tool.

A static analysis tool for security purposes.

Reflection library to do Static Analysis for PHP Projects

A static analysis engine.

twig-lint is a lint tool for your twig files.

Suggests a next version according to semantic versioning.

Fast detection of composer dependency issues.Powerful: Detects unused, shadow and misplaced composer dependenciesPerformant: Scans 15 000 files in 2s!Configurable: Fine-grained ignores via PHP configLightweight: No composer dependenciesEasy-to-use: No config needed for first tryCompatible: PHP >= 7.2

Tool for checking common errors in rpm packages.

Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan.

Perl-Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.

A lightweight static security analysis tool for modern Perl Apps

Autoflake removes unused imports and unused variables from Python code.

A linting engine supporting custom project-specific rules.

A tool for ensuring Python code is secure.

Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files.

Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API.

A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with MonkeyType.

A static type analyzer for Python code.

A tool for refurbishing and modernizing Python codebases. Refurb is heavily inspired by clippy, the built-in linter for Rust.

Fast Python linter, written in Rust. 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.

Python dependency vulnerability scanner designed to enhance software supply chain security by detecting packages with known vulnerabilities. Checks Python dependencies against a database of known security vulnerabilities and provides detailed reports. Supports CI/CD integration and multiple output formats.

An extremely fast Python type checker written in Rust.

A linter, formatter for finding and removing unused import statements.

Find unused classes, functions and variables in Python code.

The strictest and most opinionated python linter ever.

A command-line tool for archiving, exploring and graphing the complexity of Python source code.

Parse lint errors and report them to Github as comments on a pull request.

A static type analyzer for Python code.

Fast Python linter, written in Rust. 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.

The strictest and most opinionated python linter ever.

A tool to find common security issues in Python code.

Python dependency vulnerability scanner designed to enhance software supply chain security by detecting packages with known vulnerabilities. Checks Python dependencies against a database of known security vulnerabilities and provides detailed reports. Supports CI/CD integration and multiple output formats.

A linter, formatter for finding and removing unused import statements.

A wrapper around pyflakes, pycodestyle and mccabe.

A wrapper around pylint, pep8, mccabe and others.

Static Code Analysis for R.

Quantifies the cyclomatic complexity of R functions / expressions.

A program slicer and dataflow analyzer for the R programming language. Its slicer allows you to reduce a complicated program just to the parts related for a specific task (e.g., the generation of a single or collection of plots, a significance test, ...). The dataflow analysis provides you with a detailed view on the semantics of the R code which can greatly improve other analyses. To use flowR, check out the Visual Studio Code extension, the RStudio Addin, the Docker image, or the R package.

Analyses the source code for R packages and provides best-practice recommendations.

Static Code Analysis for R.

Provides code completion, refactoring, folding, diagnostics (with lintr), and more for R.

Performance optimizer for R code (with GUI).

Formatting of R source code files and pretty-printing of R code.

Regal is a linter for the policy language Rego. Regal aims to catch bugs and mistakes in policy code, while at the same time helping people learn the language, best practices and idiomatic constructs.

Identify database issues before they hit production.

Help to kill N+1 queries and unused eager loading.

The tool to avoid various issues due to inconsistencies and inefficiencies between a database schema and application models.

A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.

Format ERB files with speed and precision.

A SkunkScore Calculator for Ruby Code -- Find the most complicated code without test coverage!

A Rake task gem that helps you find the unused routes and controller actions for your Rails 3+ app.

A static analysis security vulnerability scanner for Ruby on Rails applications.

Audit Gemfile.lock for gems with security vulnerabilities reported in Ruby Advisory Database.

Common Ruby idioms checker.

Static analysis Lint-type tool to improve your OO Ruby code.

A code metric tool for Rails projects

Code smell detector for Ruby.

Roodi stands for Ruby Object Oriented Design Inferometer. It parses your Ruby code and warns you about design issues you have based on the checks that it has configured.

A Ruby static code analyzer, based on the community Ruby style guide.

Ruby classes interactive dependency graph generator.

A Ruby code quality reporter.

An opinionated ruby formatter, intended to be used via the command line as a text-editor plugin, to autoformat files on save or on demand.

A fast, powerful type checker designed for Ruby.

Ruby Style Guide, with linter & automatic code fixer

Gradual Typing for Ruby.

A Ruby static code analyzer, based on the community Ruby style guide.

A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions".

Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused.

Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.

cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.

Whole program static stack analysis The tool produces the full call graph of a program as a dot file.

A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.

Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.

A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing

cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code

Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)

A code linter to catch common mistakes and improve your Rust code.

Web application (WASM) to render a diff between Rust crate versions.

A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections.

Statically detects Rust deadlocks bugs. It currently detects two common kinds of deadlock bugs: doublelock and locks in conflicting order. It will print bugs in JSON format together with the source code location and an explanation of each bug.

Supports functionality such as 'goto definition', type inference, symbol search, reformatting, and code completion, and enables renaming and refactorings.

Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).

A tool for formatting Rust code according to style guidelines.

RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.

Helps you understand and maintain a scalable software architecture. To do so, it generates a interactive, nested dependency graph out of the source code. You can choose the level of details and get the portion of your codebase that matters to you.

A code linter to catch common mistakes and improve your Rust code.

Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io.

Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.

Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size.

Binary code analysis tool that also supports symbolic execution.

Analyzes a raw binary firmware and determines features like endianness or the loading address. The tool is compatible with all architectures.Loading address: binbloom can parse a raw binary firmware and determine its loading address. Endianness: binbloom can use heuristics to determine the endianness of a firmware. UDS Database: binbloom can parse a raw binary firmware and check if it contains an array containing UDS command IDs.

A binary static analysis tool that provides security and correctness results for Windows portable executables.

Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F

cwe_checker finds vulnerable patterns in binary executables.

Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.

A static analyzer, which checks portable executables for malicious content.

Static Linker/Compiler/Tool detector for Windows, Linux and MacOS.

chap analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.

Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.

dbcritic finds problems in a database schema, such as a missing primary key constraint in a table.

Spot vulnerabilities in postgres extension scripts. Finds unsafe search_path usage and unsafe object creation in PostgreSQL extension scripts or any other PostgreSQL SQL code.

Sleek is a CLI tool for formatting SQL. It helps you maintain a consistent style across your SQL code, enhancing readability and productivity. The heavy lifting is done by the sqlformat crate.

Multiple dialect SQL linter and formatter.

Simple SQL linter.

Scala compiler plugin for static code analysis.

Code style enforcement for bash programs. The output format aims to follow pycodestyle (pep8) default output format.

CLI tool for learning commands from your terminal. kmdr delivers a break down of commands with every attribute explained.

A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.

A library and command-line formatting tool for reformatting Swift code.

A tool to enforce Swift style and conventions.

A tool to enforce Swift style and conventions.

A static syntax analysis module (as part of TDK).

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-ts is a ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.

TypeScript language extension for eslint.

CLI to generate an interactive graph of functions and calls from your TypeScript files

Linter for Angular projects

A Language Server Protocol implementation for Verilog and SystemVerilog, including lint capabilities.

Verilog HDL/SystemVerilog/Bluespec SystemVerilog support for VS Code. Provides syntax highlighting and Linting support from Icarus Verilog, Vivado Logical Simulation, Modelsim and Verilator

A tool which converts Verilog to a cycle-accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.

WebAssembly Language Tools aims to provide and improve the editing experience of WebAssembly Text Format. It also provides an out-of-the-box formatter (a.k.a. pretty printer) for WebAssembly Text Format.

Asynchronous Lint Engine for Vim and NeoVim with support for many languages.

Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).

Open-Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.

A language-agnostic linter that keeps code, documentation, and configuration in sync and enforces strict formatting and validation rules.

Statically generates a call graph image and displays it on screen.

A classpath and module path scanner for querying or visualizing class metadata or class relatedness.

Deep code analysis - semantic queries and dataflow for several languages with VSCode plugin support.

A Github Action for linting C/C++ code integrating clang-tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.

A JavaScript compiler and TypeScript checker written in Rust with a focus on static analysis and runtime performance. Ezno's type checker is built from scratch. The checker is fully compatible with TypeScript type annotations and can work without any type annotations at all.

Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.

The Oxidation Compiler is creating a suite of high-performance tools for the JavaScript / TypeScript language re-written in Rust.

Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages.

Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more.

Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.

Code audit tool for Python and JavaScript. Wraps pycodestyle, pydocstyle, PyFlakes, Mccabe, Pylint, and more

A static file linter that allows you to write custom rules using regular expressions (RegEx).

Dependency analysis and optimization toolkit for modern JavaScript and TypeScript projects. Trace imports, identify circular dependencies, find unused code, clean node modules.

Roslyn-based implementation of FxCop analyzers.

Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.

A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.

Quickly find and remediate high-priority security issues. Semgrep Supply Chain prioritizes the 2% of vulnerabilities that are reachable from your code.

Security-focused static analyzer for Java and Kotlin web applications. Analyzes bytecode with Semgrep-style YAML rules and CodeQL-grade dataflow (with first-class Spring support) to find vulnerabilities that source-only scanners miss.

Dead code detection, security scanning, secrets detection, and code quality analysis for Python, TypeScript, and Go. Framework-aware analysis with 98% recall. Includes CI/CD GitHub Action, VS Code extension, and MCP server for AI agent integration.

A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license.

Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.

Static analysis capabilities for Java bytecode and related languages and for JavaScript.

A fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.

OpenStaticAnalyzer is a source code analyzer tool, which can perform deep static analysis of the source code of complex systems.

OpenRewrite fixes common static analysis issues reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.

Roslyn-based implementation of FxCop analyzers.

Static analysis capabilities for Java bytecode and related languages and for JavaScript.

Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that could potentially lead to SQL injections makes sure column count matches value count in INSERT statements and validates table- and column names.

Provides a unified interface to sort and act on the issues it finds.

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)

A static analysis tool written in scala for languages that run on JVM.

A static analyzer for Java, C and Objective-C

Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes

A static analyzer designed to easily reuse abstract domains across widely different languages (such as C and Python).

A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C.

OpenRewrite fixes common static analysis issues reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.

A source code analyzer for Java, Salesforce Apex, Javascript, PLSQL, XML, XSL and others.

A framework for managing and maintaining multi-language pre-commit hooks.

A (conditionally free for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees. Supports CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding standards.

Roslyn-based implementation of FxCop analyzers.

Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.

Security-focused static analyzer for Java and Kotlin web applications. Analyzes bytecode with Semgrep-style YAML rules and CodeQL-grade dataflow (with first-class Spring support) to find vulnerabilities that source-only scanners miss.

Regexp based customizable linter.

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and inspects filesystems.

Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.

Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.

Linter for dangerous Postgres migration patterns in Diesel and SQLx. Prevents downtime caused by unsafe schema changes.

A code formatter for .NET. Preferences will be read from an .editorconfig file, if present, otherwise a default set of preferences will be used. At this time dotnet-format is able to format C# and Visual Basic projects with a subset of supported .editorconfig options.

An extensible linter for JS, following the ECMAScript standard.

Automated translation platform for code comments and docstrings across 20+ file types. Eliminates language barriers in international software collaboration. Supports 100+ language pairs with syntax protection. Integrates into CI/CD pipelines like Ruff. 10-20x faster with concurrent processing.

Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.

Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations. This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users.

Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.

Linter / Analyzer for Makefiles.

A coding style formatter for CSS. Supports own configurations to make style sheets beautiful and consistent.

CSS Specificity Graph Generator.

A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.

AWS Labs CloudFormation linter.

A linter for AWS CloudFormation templates.

Collection of security and best practice tests for static code analysis of Terraform templates.

A Terraform linter for detecting errors that can not be detected by terraform plan.

Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.

Tool to check the validity of Puppet metadata.json files.

Vulnerability Static Analysis for Containers.

A smarter Dockerfile linter that helps you build best practice Docker images.

Krane is a simple Kubernetes RBAC static analysis tool.It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.

ct is the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.

Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations.

A tool that listens to changes in Kubernetes resources and runs linting rules against them. Identify and debug erroneous objects and nudge objects in line with the policies as both change over time. Klint helps us encode checks and proactively alert teams when they need to take action.

A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them.

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

A fast Kubernetes manifests validator with support for custom resources.It is inspired by, contains code from and is designed to stay close to Kubeval,but with the following improvements: high performance: will validate & download manifests over multiple routines, caching downloaded files in memory configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities* uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes.

Official linter for Deno.

Linter for bitbake recipes used in open-embedded and YOCTO

A linter for the Gherkin-Syntax written in Javascript.

Node.js -based style checker and lint tool for Markdown/CommonMark files.

A tool to check Markdown files and flag style issues.

Format markdown code blocks using your favorite code formatters.

Static taint analysis tool for Android applications.

Scan Nix files for dead code (unused variable bindings)

Lints and suggestions for the Nix programming language. "statix check" highlights antipatterns in Nix code. "statix fix" can fix several such occurrences.

Promformat is a PromQL formatter written in Python.

PromQL validator written in Python. It can be used to validate that PromQL expressions are written as expected.

Pluggable linter and fixer to enforce Protocol Buffer style and conventions.

A symbolic execution framework with batteries included, can be used to find and exploit vulnerabilities in smart contracts automatically.

Static analysis framework that runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses.

Solhint is an open source project created by https://protofire.io. Its goal is to provide a linting utility for Solidity code.

Linter for Ember or Handlebars templates.

Tool for writing clean and consistent HAML.

Configurable tool for analyzing Slim templates.

A set of utilities for working with PO files to ease development and improve quality.

Check code for common misspellings.

Quick tool for fixing common misspellings, typos in source code.

A collection of linters in github collections

A collection of PHP linters in github collections

A collection of tools and libraries for working with Go code, including linters and static analysis

An introduction to static code analysis

A reviewed list of useful PHP static analysis tools

A static analysis tool to help developers write Haxe code that adheres to a coding standard.

DrNim combines the Nim frontend with the Z3 proof engine in order to allow verify / validate software written in Nim.

DrNim combines the Nim frontend with the Z3 proof engine in order to allow verify / validate software written in Nim.

Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.

A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.