Tutorials / Guides

  • cfn-lint screenshot

522 Alternatives for cfn-lint

abaplint

Linter for ABAP, written in TypeScript.

  • MaintainedMaintained
  • MaintainedAbap
  • MaintainedcliMaintainedserviceMaintainedide-plugin
  • Maintainedlinter

abapOpenChecks

Enhances the SAP Code Inspector with new and customizable checks.

  • MaintainedMaintained
  • MaintainedAbap
  • Maintainedcli
  • Maintainedlinter

actionlint

Static checker for GitHub Actions workflow files. Provides an online version.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

aether

Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.

After the Deadline

Spell, style and grammar checker.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

alex

Catch insensitive, inconsiderate writing

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

aligncheck

Find inefficiently packed structs.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

alquitran

Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations. This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ameba

A static code analysis tool for Crystal.

anchore

Discover, analyze, and certify container images. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Android Lint

Run static analysis on Android projects.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

android-lint-summary

Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

angr

Platform agnostic binary analysis framework from UCSB.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Angular ESLint

Linter for Angular projects

ansible-lint

Checks playbooks for practices and behaviour that could potentially be improved.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ArchUnitNET

A C# architecture test library to specify and assert architecture rules in C# for automated testing.

autoflake

Autoflake removes unused imports and unused variables from Python code.

AWS CloudFormation Guard

Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

AzSK

Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

bandit

A tool to find common security issues in Python code.

bashate

Code style enforcement for bash programs. The output format aims to follow pycodestyle (pep8) default output format.

bellybutton

A linting engine supporting custom project-specific rules.

binbloom

Analyzes a raw binary firmware and determines features like endianness or the loading address. The tool is compatible with all architectures. Loading address: binbloom can parse a raw binary firmware and determine its loading address. Endianness: binbloom can use heuristics to determine the endianness of a firmware. UDS Database: binbloom can parse a raw binary firmware and check if it contains an array containing UDS command IDs.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

BinSkim

A binary static analysis tool that provides security and correctness results for Windows portable executables.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Black Duck

Tool to analyze source code and binaries for reusable code, necessary licenses and potential security aspects.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

bloaty

Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

bodyclose

Checks whether HTTP response body is closed.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

Bootlint

An HTML linter for Bootstrap projects.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Bowler

Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code.

brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

buf

Provides a CLI linter that enforces good API design choices and structure

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

bundler-audit

Audit Gemfile.lock for gems with security vulnerabilities reported in Ruby Advisory Database.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

C2Rust

C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

CakeFuzzer

Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

cane

Code quality threshold checking as part of your build.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

cargo-audit

Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-bloat

Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-breaking

cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-call-stack

Whole program static stack analysis The tool produces the full call graph of a program as a dot file.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-deny

A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-expand

Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-geiger

A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-inspect

Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter

cargo-semver-checks

Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like release-plz. It found semver violations in more than 1 in 6 of the top 1000 most-downloaded crates on crates.io.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-show-asm

cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-spellcheck

Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo udeps

Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

cargo-unused-features

Find potential unused enabled feature flags and prune them. You can generate a simple HTML report from the json to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but it can be a false-positive.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter

cfn_nag

A linter for AWS CloudFormation templates.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

chart-testing

ct is the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Checker Framework

Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

checkmake

Linter / Analyzer for Makefiles.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

checkov

Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

checkstyle

Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

ChkTeX

A linter for LaTex which catches some typographic errors LaTeX oversees.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Churn

A Project to give the churn file, class, and method for a project for a given checkin. Over time the tool adds up the history of churns to give the number of times a file, class, or method is changing during the life of a project.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

churn-php

Helps discover good candidates for refactoring.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

ck

Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

ckjm

Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

clair

Vulnerability Static Analysis for Containers.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

clippy

A code linter to catch common mistakes and improve your Rust code.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

clj-kondo

A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing.

Closure Compiler

A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files.

ClosureLinter

Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors.

clusterlint

Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

code-cracker

An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.

Codelyzer

A set of tslint rules for static code analysis of Angular 2 TypeScript projects.

CodeNarc

A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices.

Codepeer

Detects run-time and logic errors.

  • MaintainedMaintained
  • MaintainedAda
  • Maintainedcli
  • Maintainedlinter

codespell

Check code for common misspellings.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

coffeelint

A style checker that helps keep CoffeeScript code clean and consistent.

CogniCrypt

Checks Java source and byte code for incorrect uses of cryptographic APIs.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

cohesion

A tool for measuring Python class cohesion.

commitlint

checks if your commit messages meet the conventional commit format

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

complexity-report

Software complexity analysis for JavaScript projects.

composer-dependency-analyser

Fast detection of composer dependency issues.

  • 💪 Powerful: Detects unused, shadow and misplaced composer dependencies
  • ⚡ Performant: Scans 15 000 files in 2s!
  • ⚙️ Configurable: Fine-grained ignores via PHP config
  • 🕸️ Lightweight: No composer dependencies
  • 🍰 Easy-to-use: No config needed for first try
  • ✨ Compatible: PHP >= 7.2
  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

cookstyle

Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CPAchecker

A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.

  • MaintainedMaintained
  • MaintainedC
  • Maintainedcli
  • Maintainedlinter

Credential Digger

Credential Digger is a GitHub scanning tool that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc), and filtering the false positive data through a machine learning model called Password Model. This scanner is able to detect passwords and non structured tokens with a low false positive rate.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

credo

A static code analysis tool with a focus on code consistency and teaching.

crystal

The Crystal compiler has built-in linting functionality.

CSharpEssentials

C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.

CSS Stats

Potentially interesting stats on stylesheets.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CSSLint

Does basic syntax checking and finds problematic patterns or signs of inefficiency.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cwe_checker

cwe_checker finds vulnerable patterns in binary executables.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cyclocomp

Quantifies the cyclomatic complexity of R functions / expressions.

  • MaintainedMaintained
  • MaintainedR
  • Maintainedcli
  • Maintainedlinter

D-scanner

D-Scanner is a tool for analyzing D source code.

dagda

Perform static analysis of known vulnerabilities in docker images/containers.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Dart Code Metrics

Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.

  • DeprecatedDeprecated
  • DeprecatedDart
  • Deprecatedcli
  • Deprecatedlinter

Dataflow Framework

An industrial-strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

Datree

A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

dawnscanner

A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

dbcritic

dbcritic finds problems in a database schema, such as a missing primary key constraint in a table.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • Maintainedlinter

deadcode

Finds unused code.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

deadnix

Scan Nix files for dead code (unused variable bindings)

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

deal

Design by contract for Python. Write bug-free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.

DeepScan

An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.

dennis

A set of utilities for working with PO files to ease development and improve quality.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

deno_lint

Official linter for Deno.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

dephpend

Dependency analysis tool.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

deprecation-detector

Finds usages of deprecated (Symfony) code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

deptrac

Enforce rules for dependencies between software layers.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Designite

Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.

DesigniteJava

DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

DesignPatternDetector

Detection of design patterns in PHP code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

detect-secrets

An enterprise friendly way of detecting and preventing secrets in code. It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

detekt

Static code analysis for Kotlin code.

dialyxir

Mix tasks to simplify use of Dialyzer in Elixir projects.

dialyzer

The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).

diff.rs

Web application (WASM) to render a diff between Rust crate versions.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

diktat

Strict coding standard for Kotlin and a linter that detects and auto-fixes code smells.

  • MaintainedMaintained
  • MaintainedKotlin
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

dingo-hunter

Static analyser for finding deadlocks in Go.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

Dlint

A tool for ensuring Python code is secure.

Docker Label Inspector

Lint and validate Dockerfile labels.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Dodgy

Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files.

dogsled

Finds assignments/declarations with too many blank identifiers.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

Doop

Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.).

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

dotenv-linter

Linting dotenv files like a charm.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

dotenv-linter (Rust)

Lightning-fast linter for .env files. Written in Rust

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

DrNim

DrNim combines the Nim frontend with the Z3 proof engine in order to allow verify / validate software written in Nim.

  • MaintainedMaintained
  • MaintainedNim
  • Maintainedcli
  • Maintainedlinter

dupl

Reports potentially duplicated code.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

dylint

A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

effective_dart

Linter rules corresponding to the guidelines in Effective Dart

  • MaintainedMaintained
  • MaintainedDart
  • Maintainedcli
  • Maintainedlinter

electrolysis

A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter

elm-analyse

A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.

  • DeprecatedDeprecated
  • DeprecatedElm
  • Deprecatedcli
  • Deprecatedlinter

elm-review

Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.

  • MaintainedMaintained
  • MaintainedElm
  • Maintainedcli
  • Maintainedlinter

elvis

Erlang Style Reviewer.

ember-template-lint

Linter for Ember or Handlebars templates.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Enlightn

A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

ENRE-java

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-java is a ENtity Relationship Extractor for Java projects based on @Eclipse JDT/parser.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

ENRE-py

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-py is a ENtity Relationship Extractor for Python based on Python Language Services of The Standard Library.

ENRE-ts

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-ts is a ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.

ERB Lint

Lint your ERB or HTML files

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

errcheck

Check that error return values are used.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

Error Prone

Catch common Java mistakes as compile-time errors.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

errwrap

Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

es6-plato

Visualize JavaScript (ES6) source complexity.

escomplex

Software complexity analysis of JavaScript-family abstract syntax trees.

Esprima

ECMAScript parsing infrastructure for multipurpose analysis.

Fasterer

Common Ruby idioms checker.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

fb-contrib

A plugin for FindBugs with additional bug detectors.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

Fix Insight

A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.

Fixinator

Static security code analysis for ColdFusion or CFML code. Designed to work within a CI pipeline or from the developers terminal.

fixit

A framework for creating lint rules and corresponding auto-fixes for source code.

flay

Flay analyzes code for structural similarities.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

flen

Get info on length of functions in a Go package.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

flog

Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

flow

A static type checker for JavaScript.

FlowDroid

Static taint analysis tool for Android applications.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

foodcritic

A lint tool that checks Chef cookbooks for common problems.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

forbidden-apis

Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

fprettify

Auto-formatter for modern fortran source code, written in Python. Fprettify is a tool that provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history and tested for editor integration.

FSharpLint

Lint tool for F#.

fta

Rust-based static analysis for TypeScript projects

Fukuzatsu

A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions".

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

gawk --lint

Warns about constructs that are dubious or nonportable to other awk implementations.

  • MaintainedMaintained
  • MaintainedAwk
  • Maintainedcli
  • Maintainedlinter

GCC

The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13).

  • MaintainedMaintained
  • MaintainedC
  • Maintainedcli
  • Maintainedlinter

gherkin-lint

A linter for the Gherkin-Syntax written in Javascript.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Ghidra

A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

GitGuardian ggshield

ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

Gitleaks

A SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

gixy

A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

go/ast

Package ast declares the types used to represent syntax trees for Go packages.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go-consistent

Analyzer that helps you to make your Go programs more consistent.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go-critic

Go source code linter that maintains checks which are currently not implemented in other linters.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go tool vet --shadow

Reports variables that may have been unintentionally shadowed.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go vet

Examines Go source code and reports suspicious.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

goast

Go AST (Abstract Syntax Tree) based static analysis tool with Rego.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

Goblint

A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.

  • MaintainedMaintained
  • MaintainedC
  • MaintainedcliMaintainedide-plugin
  • Maintainedlinter

gochecknoglobals

Checks that no globals are present.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

goconst

Finds repeated strings that could be replaced by a constant.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gocyclo

Calculate cyclomatic complexities of functions in Go source code.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

gofmt -s

Checks if the code is properly formatted and could not be further simplified.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

goimports

Checks missing or unreferenced package imports.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gokart

Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

GolangCI-Lint

Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

golint

Prints out coding style mistakes in Go source code.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

goodpractice

Analyses the source code for R packages and provides best-practice recommendations.

  • MaintainedMaintained
  • MaintainedR
  • Maintainedcli
  • Maintainedlinter

goroutine-inspect

An interactive tool to analyze Golang goroutine dump.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gosec (gas)

Inspects source code for security problems by scanning the Go AST.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gotype

Syntactic and semantic analysis similar to the Go compiler.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

govulncheck

Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program.

  • MaintainedMaintained
  • MaintainedGo
  • MaintainedcliMaintainedservice
  • Maintainedlinter

GraphMyCSS.com

CSS Specificity Graph Generator.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Griffe

Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API.

GrumPHP

Checks code on every commit.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

grunt-bootlint

A Grunt wrapper for Bootlint, the HTML linter for Bootstrap projects.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

gulp-bootlint

A gulp wrapper for Bootlint, the HTML linter for Bootstrap projects.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

haml-lint

Tool for writing clean and consistent HAML.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Haskell Dockerfile Linter

A smarter Dockerfile linter that helps you build best practice Docker images.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

HasMySecretLeaked

HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

Haxe Checkstyle

A static analysis tool to help developers write Haxe code that adheres to a coding standard.

  • MaintainedMaintained
  • MaintainedHaxe
  • Maintainedcli
  • Maintainedlinter

hegel

A static type checker for JavaScript with a bias on type inference and strong type systems.

herbie

Adds warnings or errors to your crate when using a numerically unstable floating point expression.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter

HLint

HLint is a tool for suggesting possible improvements to Haskell code.

HTML Inspector

HTML Inspector is a code quality tool to help you and your team write better markup.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

HTML Tidy

Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

HTML-Validate

Offline HTML5 validator.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedide-plugin
  • Maintainedlinter

HTMLHint

A Static Code Analysis Tool for HTML.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

HuntBugs

Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.

  • DeprecatedDeprecated
  • DeprecatedJava
  • Deprecatedcli
  • Deprecatedlinter

i-Code CNES for Fortran

An open source static code analysis tool for Fortran 77, Fortran 90 and Shell.

i-Code CNES for Shell

An open source static code analysis tool for Shell and Fortran (77 and 90).

iblessing

iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Icarus Verilog

A Verilog simulation and synthesis tool that operates by compiling source code written in IEEE-1364 Verilog into some target format

IDA Free

Binary code analysis tool.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ineffassign

Detect ineffectual assignments in Go code.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

InspectorTiger

IT, Inspector Tiger, is a modern python code review tool / framework. It comes with bunch of pre-defined handlers which warns you about improvements and possible bugs. Beside these handlers, you can write your own or use community ones.

interfacer

Suggest narrower interfaces that can be used.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

ionide-analyzers

A collection of F# analyzers, built with the FSharp.Analyzers.SDK.

Jakstab

Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

JArchitect

Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

JBMC

Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

JEB Decompiler

Decompile and debug binary code. Break down and analyze document files. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly & Ethereum Decompilers.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

jedi

Autocompletion/static analysis library for Python.

JET

Static type inference system to detect bugs and type instabilities.

jshint

Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.

JSLint

The JavaScript Code Quality Tool.

jsonlint

A JSON parser and validator with a CLI. Standalone version of jsonlint.com

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

JSPrime

Static security analysis tool.

kani

The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler. Kani verifies:

  • Memory safety (e.g., null pointer dereferences)
  • User-specified assertions (i.e., assert!(...))
  • The absence of panics (e.g., unwrap() on None values)
  • The absence of some types of unexpected behavior (e.g., arithmetic overflows)
  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

klint

A tool that listens to changes in Kubernetes resources and runs linting rules against them. Identify and debug erroneous objects and nudge objects in line with the policies as both change over time. Klint helps us encode checks and proactively alert teams when they need to take action.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

kmdr

CLI tool for learning commands from your terminal. kmdr delivers a break down of commands with every attribute explained.

krane

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ktlint

An anti-bikeshedding Kotlin linter with built-in formatter.

  • MaintainedMaintained
  • MaintainedKotlin
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

ktool

Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

kube-hunter

Hunt for security weaknesses in Kubernetes clusters.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

kube-lint

A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

kube-score

Static code analysis of your Kubernetes object definitions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

kubeconform

A fast Kubernetes manifests validator with support for custom resources.

It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements:

  • high performance: will validate & download manifests over multiple routines, caching downloaded files in memory
  • configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities
  • uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes.
  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

KubeLinter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

kubeval

Validates your Kubernetes configuration files and supports multiple Kubernetes versions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

lacheck

A tool for finding common mistakes in LaTeX documents.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

languagetool

Style and grammar checker for 25+ languages. It finds many errors that a simple spell checker cannot detect.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

larastan

Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

laser

Static analysis and style linter for Ruby code.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

LibVCS4j

A Java library that allows existing tools to analyse the evolution of software systems by providing a common API for different version control systems and issue trackers.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

lint

An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter

  • DeprecatedDeprecated
  • DeprecatedDart
  • Deprecatedcli
  • Deprecatedlinter

linter

Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems.

Linter for dart

Style linter for Dart.

  • MaintainedMaintained
  • MaintainedDart
  • Maintainedcli
  • Maintainedlinter

linter-rust

Linting your Rust-files in Atom, using rustc and cargo.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter

lintian

Static analysis tool for Debian packages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

lintr

Static Code Analysis for R.

  • MaintainedMaintained
  • MaintainedR
  • Maintainedcli
  • Maintainedlinter

linty fresh

Parse lint errors and report them to Github as comments on a pull request.

Liquid Haskell

Liquid Haskell is a refinement type checker for Haskell programs.

lll

Report long lines.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

lockbud

Statically detects Rust deadlocks bugs. It currently detects two common kinds of deadlock bugs: doublelock and locks in conflicting order. It will print bugs in JSON format together with the source code location and an explanation of each bug.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

luacheck

A tool for linting and static analysis of Lua code.

  • MaintainedMaintained
  • MaintainedLua
  • Maintainedcli
  • Maintainedlinter

lualint

lualint performs luac-based static analysis of global variable usage in Lua source code.

  • MaintainedMaintained
  • MaintainedLua
  • Maintainedcli
  • Maintainedlinter

maligned

Detect structs that would take less memory if their fields were sorted.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

Manalyze

A static analyzer, which checks portable executables for malicious content.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Mariana Trench

Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). It can find vulnerabilities as code changes, before it ever lands in your repository.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

markdownlint

Node.js -based style checker and lint tool for Markdown/CommonMark files.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

mccabe

Check McCabe complexity.

mcsema

Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode. It translates ("lifts") executable binaries from native machine code to LLVM bitcode, which is very useful for performing program analysis methods.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

mdl

A tool to check Markdown files and flag style issues.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

metadata-json-lint

Tool to check the validity of Puppet metadata.json files.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

MetricFu

MetricFu is a set of tools to provide reports that show which parts of your code might need extra work.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

Meziantou.Analyzer

A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.

MIRAI

And abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

misspell

Finds commonly misspelled English words.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

misspell-fixer

Quick tool for fixing common misspellings, typos in source code.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Misspelled Words In Context

A spell-checker that groups possible misspellings and shows them in their contexts.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

mlint

Check MATLAB code files for possible problems.

Mondrian

A set of static analysis and refactoring tools which use graph theory.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

mypy

A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with MonkeyType.

mythril

A symbolic execution framework with batteries included, can be used to find and exploit vulnerabilities in smart contracts automatically.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

MythX

MythX is an easy to use analysis platform which integrates several analysis methods like fuzzing, symbolic execution and static analysis to find vulnerabilities with high precision. It can be integrated with toolchains like Remix or VSCode or called from the command-line.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedserviceMaintainedide-plugin
  • Maintainedlinter

Nagelfar

A static syntax checker for Tcl.

  • MaintainedMaintained
  • MaintainedTcl
  • Maintainedcli
  • Maintainedlinter

nakedret

Finds naked returns.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

nargs

Finds unused arguments in function declarations.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

Nauz File Detector

Static Linker/Compiler/Tool detector for Windows, Linux and MacOS.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

NDepend

Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.

.NET Analyzers

An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.

nimfmt

Nim code formatter / linter / style checker

  • MaintainedMaintained
  • MaintainedNim
  • Maintainedcli
  • Maintainedlinter

njsscan

A static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

NodeJSScan

A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.

Nu Html Checker

Helps you catch problems in your HTML/CSS/SVG

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

NullAway

Type-based null-pointer checker with low build-time overhead; an Error Prone plugin.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

oelint-adv

Linter for bitbake recipes used in open-embedded and YOCTO

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

OpenSCAP

Suite of automated audit tools to examine the configuration and known vulnerabilities following the NIST-certified Security Content Automation Protocol (SCAP).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Oversecured

Enterprise vulnerability scanner for Android and iOS apps. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

OWASP Dependency Check

Checks dependencies for known, publicly disclosed, vulnerabilities.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

packj

Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

paprika

A toolkit to detect some code smells in analyzed Android applications.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

parallel-lint

This tool checks syntax of PHP files faster than serial check with a fancier output.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Parker

Stylesheet analysis tool.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Parse

A Static Security Scanner.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Pascal Analyzer

A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.

Pascal Expert

IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.

pdepend

Calculates software metrics like cyclomatic complexity for PHP code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

pelusa

Static analysis Lint-type tool to improve your OO Ruby code.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

Perl::Analyzer

Perl-Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.

  • MaintainedMaintained
  • MaintainedPerl
  • MaintainedcliMaintainedserviceMaintainedide-plugin
  • Maintainedlinter

Perl::Critic

Critique Perl source code for best-practices.

  • MaintainedMaintained
  • MaintainedPerl
  • Maintainedcli
  • Maintainedlinter

pgspot

Spot vulnerabilities in postgres extension scripts. Finds unsafe search_path usage and unsafe object creation in PostgreSQL extension scripts or any other PostgreSQL SQL code.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • Maintainedlinter

phan

A modern static analyzer from etsy.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Architecture Tester

Easy to use architecture testing tool for PHP.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Assumptions

Checks for weak assumptions.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP_CodeSniffer

Detects violations of a defined set of coding standards.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Coding Standards Fixer

Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Insights

Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Php Inspections (EA Extended)

A Static Code Analyzer for PHP.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP-Parser

A PHP parser written in PHP.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Refactoring Browser

Refactoring helper.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP Semantic Versioning Checker

Suggests a next version according to semantic versioning.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

php-speller

PHP spell check library.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHP-Token-Reflection

Library emulating the PHP internal reflection.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

php7cc

PHP 7 Compatibility Checker.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

php7mar

Assist developers in porting their code quickly to PHP 7.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

PHPArkitect

PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. You can express the constraint that you want to enforce, in simple and readable PHP code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpca

Finds usage of non-built-in extensions.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpcpd

Copy/Paste Detector for PHP code.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpdcd

Dead Code Detector (DCD) for PHP code.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

PhpDependencyAnalysis

Builds a dependency graph for a project.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

PhpDeprecationDetector

Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions).

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpdoc-to-typehint

Add scalar type hints and return types to existing PHP projects using PHPDoc annotations.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpDocumentor

Analyzes PHP source code to generate documentation.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phploc

A tool for quickly measuring the size and analyzing the structure of a PHP project.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHPMD

Finds possible bugs in your code.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PhpMetrics

Calculates and visualizes various code quality metrics.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpmnd

Helps to detect magic numbers.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

PHPQA

A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

phpqa - jakzal

Many tools for PHP static analysis in one container.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpqa - jmolivas

PHPQA all-in-one Analyzer CLI tool.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

phpsa

Static analysis tool for PHP.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

PHPStan

PHP Static Analysis Tool - discover bugs in your code without running it!

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

plato

Visualize JavaScript source complexity.

Polymer-analyzer

A static analysis framework for Web Components.

Polyspace for Ada

Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.

  • MaintainedMaintained
  • MaintainedAda
  • Maintainedcli
  • Maintainedlinter

portlint

A verifier for FreeBSD and DragonFlyBSD port directories.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

PostCSS

A tool for transforming styles with JS plugins. These plugins can lint your CSS, support variables and mixins, transpile future CSS syntax, inline images, and more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

prae

Provides a convenient macro that allows you to generate type wrappers that promise to always uphold arbitrary invariants that you specified.

  • DeprecatedDeprecated
  • DeprecatedRust
  • Deprecatedcli
  • Deprecatedlinter

prealloc

Finds slice declarations that could potentially be preallocated.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

Primitive Erlang Security Tool (PEST)

A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure.

Progpilot

A static analysis tool for security purposes.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Project Wallace CSS Analyzer

Analytics for CSS, part of Project Wallace.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

promval

PromQL validator written in Python. It can be used to validate that PromQL expressions are written as expected.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

proselint

A linter for English prose with a focus on writing style instead of grammar.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

protolint

Pluggable linter and fixer to enforce Protocol Buffer style and conventions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Prusti

A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

Psalm

Static analysis tool for finding type errors in PHP applications.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Puppet Lint

Check that your Puppet manifests conform to the style guide.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

pure

Pure is a static analysis file format checker that checks ZIP files for dangerous compression ratios, spec deviations, malicious archive signatures, mismatching local and central directory headers, ambiguous UTF-8 filenames, directory and symlink traversals, invalid MS-DOS dates, overlapping headers, overflow, underflow, sparseness, accidental buffer bleeds etc.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

py-find-injection

Find SQL injection vulnerabilities in Python code.

pyanalyze

A tool for programmatically detecting common mistakes in Python code, such as references to undefined variables and type errors. It can be extended to add additional rules and perform checks specific to particular functions.

pycodestyle

(Formerly pep8) Check Python code against some of the style conventions in PEP 8.

pydocstyle

Check compliance with Python docstring conventions.

pyflakes

Check Python source files for errors.

pylint

Looks for programming errors, helps enforcing a coding standard and sniffs for some code smells. It additionally includes pyreverse (an UML diagram generator) and symilar (a similarities checker).

pylyzers

A static code analyzer / language server for Python, written in Rust, focused on type checking and readable output.

pyre-check

A fast, scalable type checker for large Python codebases.

pyright

Static type checker for Python, created to address gaps in existing tools like mypy.

pyroma

Rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved.

Pysa

A tool based on Facebook's pyre-check to identify potential security issues in Python code identified with taint analysis.

PyT - Python Taint

A static analysis tool for detecting security vulnerabilities in Python web applications.

pytype

A static type analyzer for Python code.

pyupgrade

A tool (and pre-commit hook) to automatically upgrade syntax for newer versions of the language.

Qafoo Quality Analyzer

Visualizes metrics and source code.

  • DeprecatedDeprecated
  • DeprecatedPhp
  • Deprecatedcli
  • Deprecatedlinter

qark

Tool to look for several security related Android application vulnerabilities.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

quality

Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

Querly

Pattern Based Checking Tool for Ruby.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

qulice

Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...).

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

radon

A Python tool that computes various metrics from the source code.

Railroader

An open source static analysis security vulnerability scanner for Ruby on Rails applications.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

rails_best_practices

A code metric tool for Rails projects

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

rector

Instant Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use-case are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

redex

Redex provides a framework for reading, writing, and analyzing .dex files, and a set of optimization passes that use this framework to improve the bytecode. An APK optimized by Redex should be smaller and faster.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

reek

Code smell detector for Ruby.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

RefactorFirst

Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

Reflection

Reflection library to do Static Analysis for PHP Projects

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

refurb

A tool for refurbishing and modernizing Python codebases. Refurb is heavily inspired by clippy, the built-in linter for Rust.

Regal

Regal is a linter for the policy language Rego. Regal aims to catch bugs and mistakes in policy code, while at the same time helping people learn the language, best practices and idiomatic constructs.

  • MaintainedMaintained
  • MaintainedRego
  • Maintainedcli
  • Maintainedlinter

remark-lint

Pluggable Markdown code style linter written in JavaScript.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities.

Reviewdog

A tool for posting review comments from any linter in any code hosting service.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

revive

Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

Roodi

Roodi stands for Ruby Object Oriented Design Inferometer. It parses your Ruby code and warns you about design issues you have based on the checks that it has configured.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

Roslynator

A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.

rpmlint

Tool for checking common errors in rpm packages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

RSLint

A (WIP) JavaScript linter written in Rust designed to be as fast as possible, customizable, and easy to use.

RuboCop

A Ruby static code analyzer, based on the community Ruby style guide.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

Rubrowser

Ruby classes interactive dependency graph generator.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

ruby-lint

Static code analysis for Ruby.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

rubycritic

A Ruby code quality reporter.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

Rudra

Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

ruff

Fast Python linter, written in Rust. 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.

rust-audit

Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

rustfix

Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

RustViz

RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

safesql

Static analysis tool for Golang that protects against SQL injections.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

Saikuro

A Ruby cyclomatic complexity analyzer.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

SandiMeter

Static analysis tool for checking Ruby code for Sandi Metz' rules.

  • DeprecatedDeprecated
  • DeprecatedRuby
  • Deprecatedcli
  • Deprecatedlinter

sass-lint

A Node-only Sass linter for both sass and scss syntax.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Scalastyle

Scalastyle examines your Scala code and indicates potential problems with it.

scapegoat

Scala compiler plugin for static code analysis.

scorecard

Security Scorecards - Security health metrics for Open Source

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

scsslint

Linter for SCSS files.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

SearchDiggity

Identifies vulnerabilities in open source code projects hosted on Github, Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

sh

A shell parser, formatter, and interpreter with bash support; includes shfmt

shellcheck

ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts.

shellharden

A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.

shisho

A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code.

  • DeprecatedDeprecated
  • DeprecatedGo
  • DeprecatedcliDeprecatedservice
  • Deprecatedlinter

slim-lint

Configurable tool for analyzing Slim templates.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

sobelow

Security-focused static analysis for the Phoenix Framework.

solhint

Solhint is an open source project created by https://protofire.io. Its goal is to provide a linting utility for Solidity code.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

solium

Solium is a linter to identify and fix style and security issues in Solidity smart contracts.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

SonarAnalyzer.CSharp

These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.

SonarDelphi

Delphi static analyzer for the SonarQube code quality platform.

Soot

A framework for analyzing and transforming Java and Android applications.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

Sorbet

A fast, powerful type checker designed for Ruby.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

SPARK

Static analysis and formal verification toolset for Ada.

  • MaintainedMaintained
  • MaintainedAda
  • Maintainedcli
  • Maintainedlinter

Specificity Graph

CSS Specificity Graph Generator.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Spectral

A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI v2/v3 and AsyncAPI v2.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

SpotBugs

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

sqlcheck

Automatically identify anti-patterns in SQL queries.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • Maintainedlinter

SQLFluff

Multiple dialect SQL linter and formatter.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

sqlint

Simple SQL linter.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • Maintainedlinter

squawk

Linter for PostgreSQL, focused on migrations. Prevents unexpected downtime caused by database migrations and encourages best practices around Postgres schemas and SQL.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • Maintainedlinter

Stan

Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.

standard

An npm module that checks for Javascript Styleguide issues.

Standard Ruby

Ruby Style Guide, with linter & automatic code fixer

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

staticcheck

Go static analysis that specialises in finding bugs, simplifying code and improving performance.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

StaticLint

Static Code Analysis for Julia

statix

Lints and suggestions for the Nix programming language. "statix check" highlights antipatterns in Nix code. "statix fix" can fix several such occurrences.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

stc

Speedy TypeScript type checker written in Rust

steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

Steampunk Spotter

Ansible Playbook Scanning Tool that analyzes and offers recommendations for your playbooks.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedguiMaintainedserviceMaintainedide-plugin
  • MaintainedlinterMaintainedformatter

Steep

Gradual Typing for Ruby.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

structcheck

Find unused struct fields.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

structslop

Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

Stylelint

Linter for SCSS/CSS files.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

svls

A Language Server Protocol implementation for Verilog and SystemVerilog, including lint capabilities.

SwiftLint

A tool to enforce Swift style and conventions.

  • MaintainedMaintained
  • MaintainedSwift
  • MaintainedcliMaintainedide-plugin
  • Maintainedlinter

Sys

A static/symbolic Tool for finding bugs in (browser) code. It uses the LLVM AST to find bugs like uninitialized memory access.

Tailor

A static analysis and lint tool for source code written in Apple's Swift programming language.

tclchecker

A static syntax analysis module (as part of TDK).

  • MaintainedMaintained
  • MaintainedTcl
  • Maintainedcli
  • Maintainedlinter

tern

A JavaScript code analyzer for deep, cross-editor language support.

terraform-compliance

A lightweight, compliance- and security focused, BDD test framework against Terraform.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

terrascan

Collection of security and best practice tests for static code analysis of Terraform templates.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

test

Show location of test failures from the stdlib testing module.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

TeXLab

A Language Server Protocol implementation for TeX/LaTeX, including lint capabilities.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

textlint

textlint is an open source text linting utility written in JavaScript.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

tflint

A Terraform linter for detecting errors that can not be detected by terraform plan.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

tfsec

Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

trufflehog

Find credentials all over the place TruffleHog is an open source secret-scanning engine that resolves exposed secrets across your company’s entire tech stack.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

tslint

TSLint has been deprecated as of 2019. Please see this issue for more details. typescript-eslint is now your best option for linting TypeScript. TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors & build systems and can be customized with your own lint rules, configurations, and formatters.

tslint-clean-code

A set of TSLint rules inspired by the Clean Code handbook.

tslint-microsoft-contrib

A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft.

tsqllint

T-SQL-specific linter.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • Maintainedlinter

TSqlRules

TSQL Static Code Analysis Rules for SQL Server.

  • DeprecatedDeprecated
  • DeprecatedSql
  • Deprecatedcli
  • Deprecatedlinter

Tsunami Security Scanner

A general purpose network security scanner with an extensible plugin system for detecting high severity RCE-like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Tuli

A static analysis engine.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

twig-lint

twig-lint is a lint tool for your twig files.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

Twiggy

Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

TypeScript Call Graph

CLI to generate an interactive graph of functions and calls from your TypeScript files

TypeScript ESLint

TypeScript language extension for eslint.

TypL

With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing.

unconvert

Detect redundant type conversions.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

unimport

A linter, formatter for finding and removing unused import statements.

  • MaintainedMaintained
  • MaintainedPython
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

unparam

Find unused function parameters.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

vale

A syntax-aware linter for prose built with speed and extensibility in mind.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

varcheck

Find unused global variables and constants.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

VeriFast

A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.

Verilator

A tool which converts Verilog to a cycle-accurate behavioral model in C++ or SystemC. Performs lint code-quality checks.

Vetur

Vue tooling for VS Code, powered by vls (vue language server). Vetur has support for formatting embedded HTML, CSS, SCSS, JS, TypeScript, and more. Vetur only has a "whole document formatter" and cannot format arbitrary ranges.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • DeprecatedcliDeprecatedide-plugin
  • DeprecatedlinterDeprecatedformatter

Violations Lib

Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

VMware chap

chap analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

VSDiagnostics

A collection of static analyzers based on Roslyn that integrates with VS.

Vuls

Agent-less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although is not a container specific tool.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

vulture

Find unused classes, functions and variables in Python code.

WAP

Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining.

  • MaintainedMaintained
  • MaintainedPhp
  • Maintainedcli
  • Maintainedlinter

warnalyzer

Show unused code from multi-crate Rust projects

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

WartRemover

A flexible Scala code linting tool.

Weeder

A tool for detecting dead exports or package imports in Haskell code.

wemake-python-styleguide

The strictest and most opinionated python linter ever.

wily

A command-line tool for archiving, exploring and graphing the complexity of Python source code.

Wintellect.Analyzers

.NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.

write-good

A linter with a focus on eliminating "weasel words".

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

wsl

Enforces empty lines at the right places.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

xenon

Monitor code complexity using radon.

xo

Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code.

yamllint

Checks YAML files for syntax validity, key repetition and cosmetic problems such as lines length, trailing spaces, and indentation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

yardstick

Javascript code metrics.

zarn

A lightweight static security analysis tool for modern Perl Apps

  • MaintainedMaintained
  • MaintainedPerl
  • Maintainedcli
  • Maintainedlinter

zod

TypeScript-first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.

ZPA

An open source parser and code analyzer for PL/SQL and Oracle SQL code.

zydis

Fast and lightweight x86/x86-64 disassembler library

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

AppScan Standard

HCL's AppScan is a dynamic application security testing suite (previously by IBM)

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

BOLT

Binary Optimization and Layout Tool - A linux command-line utility used for optimizing performance of binaries with profile guided permutation of linking to improve cache efficiency

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cadvisor

Analyzes resource usage and performance characteristics of running containers.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cargo-careful

Execute Rust code carefully, with extra checking along the way. It builds the standard library with debug assertions. Here are some of the checks this enables:

  • get_unchecked in slices performs bounds checks * copy, copy_nonoverlapping, and write_bytes check that pointers are aligned and non-null and (if applicable) non-overlapping {NonNull,NonZero*,...}::new_unchecked check that the value is valid * plenty of internal consistency checks in the collection types * mem::zeroed and the deprecated mem::uninitialized panic if the type does not allow that kind of initialization
  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

CrossHair

Symbolic execution engine for testing Python contracts.

Dr. Memory

Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors (Github).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

DynamoRIO

Is a runtime code manipulation system that supports code transformations on any part of a program, while it executes.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

DynaPyt

DynaPyt is a framework for writing dynamic analyses for Python. The analyses can also modify runtime values to alter the execution.

hyperfine

A command-line benchmarking tool It features statistical analysis across multiple runs, support for arbitrary shell commands, constant feedback about the benchmark progress and current estimates, warmup runs, a simple and expressive syntax, and more.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

icontract

Design-by-contract library supporting behavioral subtyping There is also a wider tooling around the icontract library such as a linter (pyicontract-lint) and a plug-in for Sphinx (sphinx-icontract).

Iroh.js

A dynamic code analysis tool for JavaScript. Iroh allows to record your code flow in realtime, intercept runtime informations and manipulate program behaviour on the fly.

Jalangi2

Jalangi2 is a popular framework for writing dynamic analyses for JavaScript.

Java PathFinder

An extensible software model checking framework for Java bytecode programs.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

llvm-propeller

Profile guided hot/cold function splitting to improve cache efficiency. An alternative to BOLT by Facebook

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

loom

Concurrency permutation testing tool for Rust. It runs a test many times, permuting the possible concurrent executions of that test.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

Microsoft IntelliTest

Generate a candidate suite of tests for your .NET code.

MIRI

An interpreter for Rust's mid-level intermediate representation, which can detect certain classes of undefined behavior like out-of-bounds memory accesses and use-after-free.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

Parasoft Jtest

Jtest is an automated Java software testing and static analysis product that is made by Parasoft. The product includes technology for Data-flow analysis Unit test-case generation and execution, static analysis, regression testing, code coverage, and runtime error detection.

  • MaintainedMaintained
  • MaintainedJava
  • Maintainedcli
  • Maintainedlinter

Pex and Moles

Pex automatically generates test suites with high code coverage using automated white box analysis.

Pin Tools

A dynamic binary instrumentation tool and a platform for creating analysis tools.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

poop

Performance Optimizer Observation Platform This command line tool uses Linux's perf_event_open functionality to compare the performance of multiple commands with a colorful terminal user interface. It is similar to hyperfine.

  • MaintainedMaintained
  • MaintainedZig
  • Maintainedcli
  • Maintainedlinter

prowler

Prowler is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

puffin

Instrumentation profiler for Rust.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

rust-san

How-to sanitize your Rust code with built-in Rust dynamic analyzers

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

souper

optimize LLVM IR with SMT solvers

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

statsviz

Instant live visualization of your Go application runtime statistics in the browser. It plots heap usage, MSpans/MCaches, Object counts, Goroutines and GC/CPU fraction.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

stuck

provides a visualization for quickly identifying common bottlenecks in running, asynchronous, and concurrent applications.

  • MaintainedMaintained
  • MaintainedRust
  • Maintainedcli
  • Maintainedlinter

suture

A Ruby gem that helps you refactor your legacy code by the result of some old behavior with a new version.

  • MaintainedMaintained
  • MaintainedRuby
  • Maintainedcli
  • Maintainedlinter

TRITON

Dynamic Binary Analysis for x86 binaries.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

typo

Runtime Type Checking for Python 3.

VB Watch

Profiler, Protector and Debugger for VB6. Profiler measures performance and test coverage. Protector implements robust error handling. Debugger helps monitor your executables.

Wasabi

Wasabi is a framework for writing dynamic analyses for WebAssembly, written in JavaScript.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

WhiteHat Sentinel Dynamic

Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.

  • MaintainedMaintained
  • MaintainedSql
  • Maintainedcli
  • Maintainedlinter

123 Multi-Language Tools

AppChecker

Static analysis for C/C++/C#, PHP and Java.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ApplicationInspector

Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ArchUnit

Unit test your Java or Kotlin architecture.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Astrée

Astrée automatically proves the absence of runtime errors and invalid con­current behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

autocorrect

A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

Axivion Bauhaus Suite

Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Bearer

Open-Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Betterscan CE

Sponsor

Checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrationss available) for security and quality issues. Code Scanning/SAST/Linting using many tools/Scanners deduplicated with One Report (AI optional).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

biome

A toolchain for web projects, aimed to provide functionalities to maintain them. Biome formats and lints code in a fraction of a second. It is the successor to Rome. It is designed to eventually replace Biome is designed to eventually replace Babel, ESLint, webpack, Prettier, Jest, and others.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

BugProve

Sponsor

BugProve is a firmware analysis platform featuring both static and dynamic analysis techniques to discover memory corruptions, command injections and other classes or common weaknesses in binary code. It also detects vulnerable dependencies, weak cryptographic parameters, misconfigurations, and more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

callGraph

Statically generates a call graph image and displays it on screen.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CAST Highlight

Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CBMC

Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Checkmarx CxSAST

Commercial Static Code Analysis which doesn't require pre-compilation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

clang-tidy

Clang-based C++ linter tool with the (limited) ability to fix issues, too.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ClassGraph

A classpath and module path scanner for querying or visualizing class metadata or class relatedness.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

clazy

Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CMetrics

Measures size and complexity for C files.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

coala

Language independent framework for creating code analysis - supports over 60 languages by default.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Cobra

Structural source code analyzer by NASA's Jet Propulsion Laboratory.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

codechecker

A defect database and viewer extension for the Clang Static Analyzer with web GUI.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CodeIt.Right

CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Codemodder

Codemodder is a pluggable framework for building expressive codemods. Use Codemodder when you need more than a linter or code formatting tool. Use it to fix non-trivial security issues and other code quality problems.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CodeQue

Ecosystem for structural matching JavaScript and TypeScript code. Offers search tool that understands code structure. Available as CLI tool and Visual Studio Code extension. It helps to search code faster and more accurately making you workflow more effective. Soon it will offer ESLint plugin to create your own rules in minutes to help with assuring codebase quality.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedide-plugin
  • Maintainedlinter

CodeRush

Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CodeSonar from GrammaTech

Advanced, whole program, deep path, static analysis of C, C++, Java and C# with easy-to-understand explanations and code and path visualization.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Corrode

Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Coverity

Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cpp-linter-action

A Github Action for linting C/C++ code integrating clang-tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cppcheck

Static analysis of C/C++ code.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CppDepend

Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cpplint

Automated C++ checker that follows Google's style guide.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

cqc

Check your code quality for js, jsx, vue, css, less, scss, sass and styl files.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

cqmetrics

Quality metrics for C code.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CScout

Complexity and quality metrics for C and C preprocessor code.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Depends

Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

DerScanner

Multi-language Static Application Security Testing (SAST) platform that detects critical vulnerabilities, including hardcoded secrets, weak cryptography, backdoors, SQL injections, insecure configurations, etc.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

dotenet-format

A code formatter for .NET. Preferences will be read from an .editorconfig file, if present, otherwise a default set of preferences will be used. At this time dotnet-format is able to format C# and Visual Basic projects with a subset of supported .editorconfig options.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

emerge

Emerge is a source code and dependency visualizer that can be used to gather insights about source code structure, metrics, dependencies and complexity of software projects. After scanning the source code of a project it provides you an interactive web interface to explore and analyze your project by using graph structures.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

ENRE-cpp

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is a ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ESBMC

ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ESLint

An extensible linter for JS, following the ECMAScript standard.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ezno

A JavaScript compiler and TypeScript checker written in Rust with a focus on static analysis and runtime performance. Ezno's type checker is built from scratch. The checker is fully compatible with TypeScript type annotations and can work without any type annotations at all.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Find Security Bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

flawfinder

Finds possible security weaknesses.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

flint++

Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Frama-C

A sound and extensible static analyzer for C code.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Goodcheck

Regexp based customizable linter.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

goone

Finds N+1 queries (SQL calls in a for loop) in go code

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

graudit

Grep rough audit - source code auditing tool.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Helix QAC

Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Hopper

A static analysis tool written in scala for languages that run on JVM.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Hound CI

Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

IKOS

A sound static analyzer for C/C++ code based on LLVM.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Infer

A static analyzer for Java, C and Objective-C

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Joern

Open-source code analysis platform for C/C++ based on code property graphs

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

KLEE

Symbolic virtual machine built on top of the LLVM compiler infrastructure.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

LDRA

A tool suite including dynamic analysis and test to various standards can ensure test coverage to 100% op-code, branch & decsion coverage.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

lizard

Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

MATE

A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Mega-Linter

Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Mobb

Mobb is a trusted, automatic vulnerability fixer that secures applications, reduces security backlogs, and frees developers to focus on innovation. Mobb is free for open-source projects.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • MaintainedlinterMaintainedformatter

MOPSA

A static analyzer designed to easily reuse abstract domains across widely different languages (such as C and Python).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

oclint

A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

OpenRewrite

OpenRewrite fixes common static analysis issues reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

OpenStaticAnalyzer

OpenStaticAnalyzer is a source code analyzer tool, which can perform deep static analysis of the source code of complex systems.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

oxc

The Oxidation Compiler is creating a suite of high-performance tools for the JavaScript / TypeScript language re-written in Rust.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

PC-lint

Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Phasar

A LLVM-based static analysis framework which comes with a taint and type state analysis.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

PMD

A source code analyzer for Java, Salesforce Apex, Javascript, PLSQL, XML, XSL and others.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Polyspace Bug Finder

Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Polyspace Code Prover

Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

pre-commit

A framework for managing and maintaining multi-language pre-commit hooks.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Precaution

Precaution is a static analysis security tool (SAST) designed to find potentially critical vulnerabilities in source code prior to production. It is available as a CLI, GitHub Action, and GitHub App.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

Pronto

Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

PT.PM

An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Putout

Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

pylama

Code audit tool for Python and JavaScript. Wraps pycodestyle, pydocstyle, PyFlakes, Mccabe, Pylint, and more

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Refactoring Essentials

The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

relint

A static file linter that allows you to write custom rules using regular expressions (RegEx).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

ReSharper

Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

RIPS

A static source code analyser for vulnerabilities in PHP scripts.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Roslyn Analyzers

Roslyn-based implementation of FxCop analyzers.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Roslyn Security Guard

Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

SafeQL

Validate and auto-generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

scan-build

Frontend to drive the Clang Static Analyzer built into Clang via a regular build.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Semgrep

Sponsor

A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

ShiftLeft Scan

Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

shipshape

Static program analysis platform that allows custom analyzers to plug in through a common interface.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Sigrid

Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

SonarLint

SonarLint is a free IDE extension available for IntelliJ, VS Code, Visual Studio, and Eclipse, to find and fix coding issues in real-time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Soto Platform

Suite of static analysis tools consisting of the three components Sotoarc (Architecture Analysis), Sotograph (Quality Analysis), and Sotoreport (Quality report). Helps find differences between architecture and implementation, interface violations (e.g. external access of private parts of subsystems, detection of all classes, files, packages and subsystems which are strongly coupled by cyclical relationships and more. The Sotograph product family runs on Windows and Linux.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

SourceMeter

Static Code Analysis for C/C++, Java, C#, Python, and RPG III and RPG IV versions (including free-form).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

splint

Annotation-assisted static program checker.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

sqlvet

Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that could potentially lead to SQL injections makes sure column count matches value count in INSERT statements and validates table- and column names.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

StaticReviewer

Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Super-Linter

Combination of multiple linters to install as a GitHub Action.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Svace

Static code analysis tool for Java,C,C++,C#,Go.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

SVF

A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Synopsys

A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

TencentCodeAnalysis

Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

todocheck

Linter for integrating annotated TODOs with your issue trackers

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

trivy

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

trunk

Modern repositories include many technologies, each with its own set of linters. With 30+ linters and counting, Trunk makes it dead-simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

TrustInSoft Analyzer

Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

TscanCode

A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Undebt

Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Understand

Code visualization tool that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada, VHDL, and others.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Veracode

Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

WALA

Static analysis capabilities for Java bytecode and related languages and for JavaScript.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

weggli

A fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

WhiteHat Application Security Platform

WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Wotan

Pluggable TypeScript and JavaScript linter.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

XCode

XCode provides a pretty decent UI for Clang's static code analyzer (C/C++, Obj-C).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

allocscope

allocscope is a tool for tracking down where the most egregiously large allocations are occurring in a C, C++ or Rust codebase. It is particularly intendend to be useful for developers who want to get a handle on excessive allocations and are working in a large codebase with multiple contributors with allocations occuring in many modules or libraries.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

bytehound

A memory profiler for Linux. Can be used to analyze memory leaks, see where exactly the memory is being consumed, identify temporary allocations and investigate excessive memory fragmentation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CASR

Crash Analysis and Severity Report.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

CHAP

Analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Code Pulse

Code Pulse is a free real-time code coverage tool for penetration testing activities by OWASP and Code Dx (GitHub).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

LLVM/Clang Sanitizers

<ul> <li><a href="https://github.com/google/sanitizers/wiki/AddressSanitizer">AddressSanitizer</a> - A memory error detector for C/C++</li> <li><a href="https://github.com/google/sanitizers/wiki/MemorySanitizer">MemorySanitizer</a> - A detector of uninitialized memory reads in C/C++ programs.</li> <li><a href="https://github.com/google/sanitizers/wiki/ThreadSanitizerCppManual">ThreadSanitizer</a> - A data race detector for C/C++</li> </ul>
  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Sydr

Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedfuzzer

tis-interpreter

An interpreter for finding subtle bugs in programs written in standard C.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Valgrind

An instrumentation framework for building dynamic analysis tools.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Our Sponsors

This website is completely open source. To fund our work, we fully rely on sponsors. Thanks to them, we can keep the site free for everybody. Please check out their offers below.

  • BugProve
  • Pixee
  • semgrep
  • Offensive 360
  • BetterScan