85 C Static Analysis Tools
What is C?
C is an imperative procedural language. It was designed to be compiled to provide low-level access to memory and language constructs that map efficiently to machine instructions, all with minimal runtime support. Despite its low-level capabilities, the language was designed to encourage cross-platform programming. A standards-compliant C program written with portability in mind can be compiled for a wide variety of computer platforms and operating systems with few changes to its source code.
(More info)What are the best C analysis tools?
Mega-Linter
Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes
- ansible
- apex
- arm
- c
- ci
- clojure
- cloudformation
- coffeescript
- configfile
- configmanagement
- container
- cpp
- css
- csharp
- dart
- dockerfile
- dotenv
- dotnet
- editorconfig
- formatter
- gherkin
- go
- graphql
- groovy
- html
- java
- javascript
- json
- jsonschema
- jsx
- kotlin
- kubernetes
- latex
- lua
- lwc
- markdown
- nodejs
- perl
- php
- powershell
- protobuf
- puppet
- python
- r
- raku
- rst
- ruby
- rust
- scala
- shell
- snakemake
- sql
- terraform
- typescript
- vbnet
- vue
- writing
- xml
- yaml
Semgrep
Free, open-source lightweight static analysis for many languages. Find and block bug variants with patterns that look like source code.
Astrée
Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
PVS-Studio
A ([conditionally free](https://www.viva64.com/en/b/0614/) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, MISRA and CERT coding standards.
DeepCode
DeepCode finds bugs, security vulnerabilities, performance and API issues based on AI. DeepCode's speed of analysis allow us to analyse your code in real time and deliver results when you hit the save button in your IDE. Supported languages are Java, C/C++, JavaScript, Python, and TypeScript. Integrations with GitHub, BitBucket and Gitlab.
Phasar
A LLVM-based static analysis framework which comes with a taint and type state analysis.
CodeSonar from GrammaTech
Advanced, whole program, deep path, static analysis of C and C++ with easy-to-understand explanations and code and path visualization.
Polyspace Bug Finder
Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
Unibeautify
Universal code beautifier with a GitHub app. Supports HTML, CSS, JavaScript, TypeScript, JSX, Vue, C++, Go, Objective-C, Java, Python, PHP, GraphQL, Markdown, and more.
Atom-Beautify
Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor.
Axivion Bauhaus Suite
Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
flint++
Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
Polyspace Code Prover
Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
SmartDec Scanner
SAST tool which is capable of identifying vulnerabilities and undocumented features. The analyzer scans the source code and executables without debug info (i.e. binaries). Supports: Java/Scala/Kotlin, PHP, C#, JavaScript, TypeScript, VBScript, HTML5, Python, Perl, C/C++, Objective-C/Swift, PL/SQL, T-SQL, ABAP, 1C, Apex, Go, Ruby, Groovy, Delphi, VBA, Visual Basic 6, Solidity, Vyper, COBOL.
Application Inspector
Commercial Static Code Analysis which generates exploits to verify vulnerabilities.
ApplicationInspector
Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).
APPscreener
Static code analysis for binary and source code - Java/Scala, PHP, Javascript, C#, PL/SQL, Python, T-SQL, C/C++, ObjectiveC/Swift, Visual Basic 6.0, Ruby, Delphi, ABAP, HTML5 and Solidity.
clazy
Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
coala
Language independent framework for creating code analysis - supports [over 60 languages](https://coala.io/languages) by default.
Code Inspector
Code quality and technical debt management platform that supports 10+ languages.
codeburner
Provides a unified interface to sort and act on the issues it finds.
codechecker
A defect database and viewer extension for the Clang Static Analyzer with web GUI.
codeql
Deep code analysis - semantic queries and dataflow for several languages with VSCode plugin support.
Depends
Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.
Fortify
A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
include-gardener
A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all `#include` relations of a given set of files.
oclint
A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C.
ocular
Enables code auditors and security teams to interactively investigate their unique code bases to find business logic flaws and technical vulnerabilities that traditional SASTs cannot. This is done by enabling the analyst to write their own custom queries. Can find hard-coded secrets, authentication issues, and malicious code like rootkits and backdoors.
Pronto
Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more.
Security Code Scan
Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
SonarLint for Visual Studio
SonarLint is an extension for Visual Studio 2015 and 2017 that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
TscanCode
A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license.
Undebt
Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.
Veracode
Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.
XCode
XCode provides a pretty decent UI for [Clang's](http://clang-analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C).
Embold
Intelligent software analytics platform that identifies design issues, code issues, duplication and metrics. Supports Java, C, C++, C#, JavaScript, TypeScript, Python, Go, Kotlin and more.
Deprecated/unmaintained tools
shipshape
Static program analysis platform that allows custom analyzers to plug in through a common interface.
Corrode
Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.
❤️ Sponsor this project
We are currently looking for partners who want to sponsor hosting and development of the project.
Missing an entry? Please let us know.