Awesome Static Analysis & Code Quality
⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
Thank you analysis-tools-dev & contributors
Qt-oriented static code analyzer based on the Clang framework
CMetrics measures size and complexity for C files
Style guides for Google-originated open-source projects
C Quality Metrics
Flint++ is a cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
Static analyzer for C/C++ based on the theory of Abstract Interpretation.
A C# architecture test library to specify and assert architecture rules in C# for automated testing.
C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks.
A collection of 500+ analyzers, refactorings and fixes for C#, powered by Roslyn.
A collection of static analyzers based on Roslyn that integrate with VS
.NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes written by Wintellect
A linter for Clojure code that sparks joy.
An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter
Swiss-army knife for D source code
A static code analysis tool for the Elixir language with a focus on code consistency and teaching.
Mix tasks to simplify use of Dialyzer in Elixir projects.
Security-focused static analysis for the Phoenix Framework
Erlang Style Reviewer
Primitive Erlang Security Tool
i-Code CNES is a static code analysis tool to help developers write code compliant with CNES coding rules.
Analyzer: checks whether the HTTP response body is closed and re-use of the TCP connection is not blocked.
Standalone repo of deadcode package from http://github.com/remyoudompheng/go-misc
Static analyser for finding Deadlocks in Go
dogsled is a Go static analysis tool to find assignments/declarations with too many blank identifiers.
A tool for code clone detection
errcheck checks that you checked errors.
Go tool to wrap and fix errors with the new %w verb directive
Flen provides stats on functions/methods lengths in a Golang package.
Source code analyzer that helps you to make your Go programs more consistent.
The most opinionated Go source code linter for code audit.
Check that no globals are present in Go code.
Find in Go repeated strings that could be replaced by a constant
Calculate cyclomatic complexities of functions in Go source code.
[mirror] This is a linter for Go source code.
An interactive tool to analyze Golang goroutine dump.
Detect ineffectual assignments in Go code.
A linter that suggests interface types
Line length linter
Tool to detect Go structs that would take less memory if their fields were sorted.
Correct commonly misspelled English words in source files
nakedret is a Go static analysis tool to find naked returns in functions greater than a specified function length.
nargs is a Go static analysis tool to find unused arguments in function declarations.
prealloc is a Go static analysis tool to find slice declarations that could potentially be preallocated.
Static analysis tool for Golang that protects against SQL injections
Remove unnecessary type conversions from Go source
Find unused parameters in Go
␊ Whitespace Linter - Forces you to use empty lines!
Haskell source code formatter
Haskell source code suggestions
A re-implementation of weeder using HIE files
Code metrics for Java code by means of static analysis
Policeman's Forbidden API Checker
Reformats Java source code to comply with Google Java Style.
Java bytecode static analyzer
A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead
Automatically exported from code.google.com/p/closure-linter
Static Code Analysis for Julia
A tool for linting and static analysis of Lua code.
Nim code formatter / linter / style checker
Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code
Research prototype tool for modular formal verification of C and Java programs
Discover files in need of refactoring.
Detect flaws in your architecture, before they drag you down into the depths of dependency hell ...
Keep your architecture clean.
detection of design patterns in PHP code
A PHP code-quality tool
⚗️ Adds static analysis to Laravel improving developer productivity and code quality.
This tool checks the syntax of PHP files faster than a serial check, with fancier output.
Parse: A Static Security Scanner
Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.
PHP Architecture Tester - Easy to use architectural testing tool for PHP
Tool to detect assumptions
Compares two source sets and determines the appropriate semantic versioning to apply.
A PHP parser written in PHP
PHP spell check library
Library emulating the PHP internal reflection using just the tokenized source code
PHP 7 Compatibility Checker
PHP 7 Migration Assistant Report (MAR)
PhpCodeAnalyzer scans a codebase and reports which non-built-in PHP extensions are used
Copy/Paste Detector (CPD) for PHP code.
Dead Code Detector (DCD) for PHP code.
Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions.
Add scalar type hints and return types to existing PHP projects using PHPDoc annotations
A tool for quickly measuring the size of a PHP project.
PHP Magic Number Detector
Docker image that provides static analysis tools for PHP
PHPQA all-in-one Analyzer CLI tool
Smart/Static Analyzer(sis) for PHP
A static analysis tool for security
Tool helping us to analyze software projects
A static analysis engine
Standalone twig linter.
Custom Python linting through AST expressions
A tool for measuring Python class cohesion.
Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure.
IT, Inspector Tiger, is a modern Python code review tool / framework.
Surface lint errors during code review
Look for SQL injection vulnerabilities in Python source code
Static type checker for Python
Rate your Python packages' packaging friendliness
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
Find dead Python code
A Python application for tracking, reporting on timing and complexity in Python code
Cyclomatic complexity of R functions and expressions
Static Code Analysis for R
Code quality threshold checking as part of your build
Don't make your Rubies go fast. Make them go fasterer ™.
A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions".
Static analysis and style linter for Ruby code.
Static analysis Lint-type tool to improve your OO Ruby code
Query Method Calls from Ruby Programs
Code smell detector for Ruby
A Ruby code dependency graph interactive visualizer
A Ruby code quality reporter
The Ruby Formatter
🌟 Ruby Style Guide, with linter & automatic code fixer
Gradual Typing for Ruby
Find unused dependencies in Cargo.toml
Subcommand to show result of macro expansion
Pssst!... see what Rust is doing behind the curtains 🕵🤫
Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)
A rustc plugin to check for numerical instability
Linting your Rust files in Atom, using rustc and cargo.
Rust mid-level IR Abstract Interpreter
This crate provides a convenient macro that allows you to generate type wrappers that promise to always uphold arbitrary invariants that you specified.
Rust Memory Safety & Undefined Behavior Detection
Repository for the Rust Language Server (aka RLS)
Make production Rust binaries auditable
Automatically apply the suggestions made by rustc
Format Rust code
Interactively Visualizing Ownership and Borrowing
Show unused code from multi-crate Rust projects
Automatically identify anti-patterns in SQL queries
Simple SQL linter supporting ANSI and PostgreSQL syntaxes
Configurable linting for TSQL
TSQL Static Code Analysis Rules for SQL Server
Static Analysis Compiler Plugin for Scala
Scala compiler plugin for static code analysis
Code style enforcement for bash programs. Mirror of code maintained at opendev.org.
The corrective bash syntax highlighter
A command-line tool and Xcode Extension for formatting Swift code
Tcl Dev Kit (TDK)
A set of TSLint rules used on some Microsoft projects.
CLI to generate an interactive graph of functions and calls from your TypeScript files
Monorepo for all the tooling which enables ESLint to support TypeScript
Fast and Highly Extensible Vim script Language Lint implemented in Python.
© Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
© Static analysis and formal verification toolset for Ada.
Warns about constructs that are dubious or nonportable to other awk implementations.
© Sound static analyzer based on abstract interpretation for C/C++, detecting memory, type and concurrency defects, and MISRA violations.
© Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
© Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
© A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
© Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
© Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
Analyzes C/C++ code using LLVM at compile-time.
Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.
Compute source code metrics and detect a variety of implementation, design, and architecture smells for C#.
© A free IDE plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.
© A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.
© IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.
Checks missing or unreferenced package imports.
Syntactic and semantic analysis similar to the Go compiler.
Pluggable type systems. Includes nullness types, physical units, immutability types and more. (GPL-2.0-only WITH Classpath-exception-2.0)
© DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
© Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
© Check MATLAB code files for possible problems.
Check syntax in Vim asynchronously and fix files, with Language Server Protocol (LSP) support
A source code analyzer built for surfacing features of interest and other characteristics to answer the question "what's in it" using static analysis with a JSON-based rules engine. Ideal for scanning components before use or detecting feature-level changes.
Find out what takes most of the space in your executable.
Continuum Analytics linter, formatter and test suite helper.
An uber-fast parallelized Java classpath scanner and module scanner.
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security (code scanning), LGTM.com, and LGTM Enterprise
C to Rust translator
Code Quality Checker - Check your code quality by running one command.
Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.
Depends is a fast, comprehensive code dependency analysis tool
DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.
The official GitHub mirror of https://gitlab.com/pycqa/flake8
DEPRECATED: Use https://github.com/golangci/golangci-lint
A static analysis tool for securing Go code
goone finds N+1 queries in Go
A Golang tool that does static analysis, unit testing and code review, and generates a code quality report.
Goal-directed static analysis tool for JVM languages.
A static-analysis bot for Github
This is a small C++ based commandline-tool which analyzes include statements in C/C++ code.
A simple code complexity analyser without caring about the C/C++ header files or Java imports, supports most of the popular languages.
Run multiple python linters easily
Tools for code analysis, visualizations, or style-preserving source transformation.
Polymer Tools Monorepo
Quick automated code review of your changes
Inspects Python source files and provides information about type and location of classes, methods etc
Quality is a tool that runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. Just add 'rake quality' as part of your Continuous Integration.
QuantifiedCode Community Edition - Protect Your Codebase. Warning: For experimentation only, not stable. 🔬
Regular Expression based static file linter.
Automated code review tool integrated with any code analysis tools regardless of programming language
Program analysis platform
Combination of multiple linters to install as a GitHub Action
A static code analyzer for annotated TODO comments
A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
A static code analyzer for C++, C#, Lua
A fast, straightforward, reliable tool for performing massive, automated code refactoring
Java library for parsing report files from static code analysis.
T.J. Watson Libraries for Analysis
Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint.
© Static analysis for C/C++/C#, PHP and Java.
© Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
© Better Code Hub checks your GitHub codebase against 10 engineering guidelines devised by the authority in software quality, Software Improvement Group.
© Commercial static code analysis which runs locally, but uploads the results to its cloud for presentation.
Automated Code Review for Ruby, Rails, JS, PHP, Python etc. Security, Coverage & Quality.
© Code quality and technical debt management platform that supports 10+ languages.
© Automated code analysis tool to deal with technical debt. Integrates with Bitbucket and GitLab. (free for Open Source Projects)
© CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.
© Automated SAST code reviews driven by security, supports 15+ languages and includes security training.
© Advanced, whole-program, deep-path static analysis of C and C++ with easy-to-understand explanations and code and path visualization.
© A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
© Quality and security static analysis for C/C++, Java and C#.
Automated Git code review for GitHub and Bitbucket pull requests for finding security vulnerabilities and code quality issues.
A framework for managing and maintaining multi-language pre-commit hooks
(Conditionally free for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees. Supports CWE mapping, MISRA and CERT coding standards.
© An automated code reviewing tool. Improving developers' productivity.
Can find and fix known security vulnerabilities in your open source dependencies. Unlimited tests and remediation for open source projects. Limited to 200 tests/month for your private projects.
© Multilanguage cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.
A powerful and user-friendly binary analysis platform!
Raw binary firmware analysis software
A binary static analysis tool that provides security and correctness results for Windows Portable Executable and *nix ELF binary formats
Bloaty McBloatface: a size profiler for binaries
cwe_checker finds vulnerable patterns in binary executables