Awesome Static Analysis & Code Quality
Static analysis tools for all programming languages, build tools, config files and more.
Thank you analysis-tools-dev & contributors
Mix tasks to simplify use of Dialyzer in Elixir projects.
Qt-oriented static code analyzer based on the Clang framework
CMetrics measures size and complexity for C files
Style guides for Google-originated open-source projects
C Quality Metrics
Flint++ is a cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
Static analyzer for C/C++ based on the theory of Abstract Interpretation.
A C# architecture test library to specify and assert architecture rules in C# for automated testing.
C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
A collection of 500+ analyzers, refactorings and fixes for C#, powered by Roslyn.
A collection of static analyzers based on Roslyn that integrate with VS
.NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes written by Wintellect
A linter for Clojure code that sparks joy.
An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter
Swiss-army knife for D source code
Security-focused static analysis for the Phoenix Framework
Erlang Style Reviewer
Primitive Erlang Security Tool
i-Code CNES is a static code analysis tool to help developers write code compliant with CNES coding rules.
Analyzer: checks whether HTTP response body is closed and a re-use of TCP connection is not blocked.
Standalone repo of deadcode package from http://github.com/remyoudompheng/go-misc
Static analyser for finding Deadlocks in Go
dogsled is a Go static analysis tool to find assignments/declarations with too many blank identifiers.
a tool for code clone detection
errcheck checks that you checked errors.
Go tool to wrap and fix errors with the new %w verb directive
Flen provides stats on functions/methods lengths in a Golang package.
Source code analyzer that helps you to make your Go programs more consistent.
The most opinionated Go source code linter for code audit.
Check that no globals are present in Go code.
Find in Go repeated strings that could be replaced by a constant
Calculate cyclomatic complexities of functions in Go source code.
[mirror] This is a linter for Go source code.
An interactive tool to analyze Golang goroutine dump.
Detect ineffectual assignments in Go code.
A linter that suggests interface types
Line length linter
Tool to detect Go structs that would take less memory if their fields were sorted.
Correct commonly misspelled English words in source files
nakedret is a Go static analysis tool to find naked returns in functions greater than a specified function length.
nargs is a Go static analysis tool to find unused arguments in function declarations.
prealloc is a Go static analysis tool to find slice declarations that could potentially be preallocated.
Static analysis tool for Golang that protects against SQL injections
Remove unnecessary type conversions from Go source
Find unused parameters in Go
␊ Whitespace Linter - Forces you to use empty lines!
haskell source code formatter
Haskell source code suggestions
A re-implementation of weeder using HIE files
Code metrics for Java code by means of static analysis
Policeman's Forbidden API Checker
Reformats Java source code to comply with Google Java Style.
Java bytecode static analyzer
A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead
Automatically exported from code.google.com/p/closure-linter
Static Code Analysis for Julia
A tool for linting and static analysis of Lua code.
Nim code formatter / linter / style checker
Discover files in need of refactoring.
Keep your architecture clean.
detection of design patterns in PHP code
A PHP code-quality tool
This tool checks the syntax of PHP files faster than a serial check, with fancier output.
Parse: A Static Security Scanner
Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.
PHP Architecture Tester - Easy to use architectural testing tool for PHP
Tool to detect assumptions
Compares two source sets and determines the appropriate semantic versioning to apply.
A PHP parser written in PHP
PHP spell check library
Library emulating the PHP internal reflection using just the tokenized source code
PHP 7 Compatibility Checker
PHP 7 Migration Assistant Report (MAR)
PhpCodeAnalyzer scans a codebase and analyzes which non-built-in PHP extensions are used
Copy/Paste Detector (CPD) for PHP code.
Dead Code Detector (DCD) for PHP code.
Add scalar type hints and return types to existing PHP projects using PHPDoc annotations
A tool for quickly measuring the size of a PHP project.
PHP Magic Number Detector
Docker image that provides static analysis tools for PHP
PHPQA all-in-one Analyzer CLI tool
Smart/Static Analyzer(sis) for PHP
A static analysis tool for security
Tool helping us to analyze software projects
A static analysis engine
Standalone twig linter.
Custom Python linting through AST expressions
A tool for measuring Python class cohesion.
Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure.
IT, Inspector Tiger is a modern python code review tool / framework.
Surface lint errors during code review
Look for SQL injection attacks in python source code
Static type checker for Python
Rate your Python packages package friendliness
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
Find dead Python code
A Python application for tracking, reporting on timing and complexity in Python code
Cyclomatic complexity of R functions and expressions
Static Code Analysis for R
Code quality threshold checking as part of your build
Don't make your Rubies go fast. Make them go fasterer ™.
Static analysis and style linter for Ruby code.
Static analysis Lint-type tool to improve your OO Ruby code
Query Method Calls from Ruby Programs
Code smell detector for Ruby
a ruby code dependency graph interactive visualizer
A Ruby code quality reporter
The Ruby Formatter
🌟 Ruby Style Guide, with linter & automatic code fixer
Gradual Typing for Ruby
Find unused dependencies in Cargo.toml
Subcommand to show result of macro expansion
Pssst!... see what Rust is doing behind the curtains 🕵🤫
Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)
A rustc plugin to check for numerical instability
Linting your Rust-files in Atom, using rustc and cargo.
Rust mid-level IR Abstract Interpreter
Repository for the Rust Language Server (aka RLS)
Make production Rust binaries auditable
Automatically apply the suggestions made by rustc
Format Rust code
Automatically identify anti-patterns in SQL queries
Simple SQL linter supporting ANSI and PostgreSQL syntaxes
Configurable linting for TSQL
TSQL Static Code Analysis Rules for SQL Server
Static Analysis Compiler Plugin for Scala
Scala compiler plugin for static code analysis
A command-line tool and Xcode Extension for formatting Swift code
Tcl Dev Kit (TDK)
Monorepo for all the tooling which enables ESLint to support TypeScript
A set of TSLint rules used on some Microsoft projects.
CLI to generate an interactive graph of functions and calls from your TypeScript files
Fast and Highly Extensible Vim script Language Lint implemented in Python.
© Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
© Static analysis and formal verification toolset for Ada.
Warns about constructs that are dubious or nonportable to other awk implementations.
© Sound static analyzer based on abstract interpretation for C/C++, detecting memory, type and concurrency defects, and MISRA violations.
© Advanced, whole program, deep path, static analysis of C and C++ with easy-to-understand explanations and code and path visualization.
⚠️ © Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
© Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
© A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
© Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
© Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
Analyzes C/C++ code using LLVM at compile-time.
Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.
Compute source code metrics and detect a variety of implementation, design, and architecture smells for C#.
© A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.
© A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.
© IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.
Checks missing or unreferenced package imports.
Syntactic and semantic analysis similar to the Go compiler.
Pluggable type systems. Includes nullness types, physical units, immutability types and more. (GPL-2.0-only WITH Classpath-exception-2.0)
© DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
© Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
© Check MATLAB code files for possible problems.
Check syntax in Vim asynchronously and fix files, with Language Server Protocol (LSP) support
A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'what's in it' using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.
Find out what takes most of the space in your executable.
experimental linter/analyzer for Makefiles
Continuum Analytics linter, formatter and test suite helper.
An uber-fast, ultra-lightweight, parallelized Java classpath scanner and module scanner.
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security (code scanning), LGTM.com, and LGTM Enterprise
C to Rust translator
Code Quality Checker - Check your code quality by running one command.
Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.
Depends is a fast, comprehensive code dependency analysis tool
DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.
The official GitHub mirror of https://gitlab.com/pycqa/flake8
DEPRECATED: Use https://github.com/golangci/golangci-lint
A Golang tool that does static analysis, unit testing and code review, and generates a code quality report.
Goal-directed static analysis tool for JVM languages.
A static-analysis bot for GitHub
This is a small C++ based commandline-tool which analyzes include statements in C/C++ code.
Run multiple python linters easily
Tools for code analysis, visualizations, or style-preserving source transformation.
Polymer Tools Monorepo
Quick automated code review of your changes
Inspects Python source files and provides information about type and location of classes, methods etc
Quality is a tool that runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. Just add 'rake quality' as part of your Continuous Integration.
QuantifiedCode Community Edition - Protect Your Codebase. Warning: For experimentation only, not stable. 🔬
Regular Expression based static file linter.
Automated code review tool integrated with any code analysis tools regardless of programming language
Program analysis platform
Combination of multiple linters to install as a GitHub Action
🔒🌍 Security scanner for your Terraform code
A static code analyzer for annotated TODO comments
A static code analyzer for C++, C#, Lua
A fast, straightforward, reliable tool for performing massive, automated code refactoring
Java library for parsing report files from static code analysis.
Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint.
© Static analysis for C/C++/C#, PHP and Java.
© Commercial Static Code Analysis.
© Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
© Better Code Hub checks your GitHub codebase against 10 engineering guidelines devised by the authority in software quality, Software Improvement Group.
© Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.
Automated Code Review for Ruby, Rails, JS, PHP, Python etc. Security, Coverage & Quality.
© Code quality and technical debt management platform that supports 10+ languages.
© Automated code analysis tool to deal with technical debt. Integrates with Bitbucket and GitLab. (Free for open source projects.)
© CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.
© Automated SAST code reviews driven by security, supports 15+ languages and includes security training.
© A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
© Quality and Security Static analysis for C/C++, Java and C#.
Automated Git code review for GitHub and Bitbucket pull requests for finding security vulnerabilities and code quality issues.
A verifier for FreeBSD and DragonFlyBSD port directories.
A framework for managing and maintaining multi-language pre-commit hooks
(Conditionally free for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees. Supports CWE mapping, MISRA and CERT coding standards.
© An automated code reviewing tool. Improving developers' productivity.
Can find and fix known security vulnerabilities in your open source dependencies. Unlimited tests and remediation for open source projects. Limited to 200 tests/month for your private projects.
© Multilanguage cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.
Raw binary firmware analysis software
A binary static analysis tool that provides security and correctness results for Windows Portable Executable and *nix ELF binary formats
Bloaty McBloatface: a size profiler for binaries
cwe_checker finds vulnerable patterns in binary executables
The Jakstab static analysis platform for binaries
A static analyzer for PE executables.
Linker/Compiler/Tool detector for Windows, Linux and MacOS.
CSS coding style formatter
Stylesheet analysis tool.
Pure Node.js Sass linting
Configurable tool for writing clean, consistent SCSS
Nginx configuration static analyzer
A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax
Linting tool for CloudFormation templates
Check that your Puppet manifests conform to the style guide
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
TFLint is a Terraform linter focused on possible errors, best practices, etc. (Terraform >= 0.12)
Vulnerability Static Analysis for Containers
A framework for Static Analysis of Docker container images
A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running Docker containers to detect anomalous activities
Docker Label Inspector is a tool to help ensure you're providing your Docker images with the metadata they will need out in the wilds of the internet.
Dockerfile linter, validate inline bash, written in Haskell
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
HTML linter for Bootstrap projects
A Grunt wrapper for Bootlint, the HTML linter for Bootstrap projects
A gulp wrapper for Bootlint, the HTML linter for Bootstrap projects.
A Node.js style checker and lint tool for Markdown/CommonMark files.
Markdown lint tool
FlowDroid Static Data Flow Tracker
Paprika is a powerful toolkit to detect some code smells in analysed Android applications.
Tool to look for several security related Android application vulnerabilities
Tool for checking common errors in rpm packages
A pluggable linter and fixer to enforce Protocol Buffer style and conventions.
Scan git repos for secrets using regex and entropy 🔑
Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.
Static Analyzer for Solidity
A Java Library for Repository Mining
Linter for Ember or Handlebars templates