Tutorials / Guides
522 Alternatives for checkmake
aether
Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.
alquitran
Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations. This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users.
android-lint-summary
Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once.
ArchUnitNET
A C# architecture test library to specify and assert architecture rules in C# for automated testing.
AWS CloudFormation Guard
Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates.
AzSK
Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.
binbloom
Analyzes a raw binary firmware and determines features like endianness or the loading address. The tool is compatible with all architectures. Loading address: binbloom can parse a raw binary firmware and determine its loading address. Endianness: binbloom can use heuristics to determine the endianness of a firmware. UDS Database: binbloom can parse a raw binary firmware and check if it contains an array containing UDS command IDs.
Black Duck
Tool to analyze source code and binaries for reusable code, necessary licenses and potential security aspects.
bloaty
Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F
Bowler
Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code.
bundler-audit
Audit Gemfile.lock for gems with security vulnerabilities reported in Ruby Advisory Database.
CakeFuzzer
Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
cargo-audit
Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.
cargo-bloat
Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries.
cargo-breaking
cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.
cargo-call-stack
Whole program static stack analysis The tool produces the full call graph of a program as a dot file.
cargo-deny
A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.
cargo-expand
Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.
cargo-geiger
A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing
cargo-inspect
Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.
cargo-semver-checks
Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like release-plz
. It found semver violations in more than 1 in 6 of the top 1000 most-downloaded crates on crates.io.
cargo-show-asm
cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code
cargo-spellcheck
Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)
cargo udeps
Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused.
cargo-unused-features
Find potential unused enabled feature flags and prune them. You can generate a simple HTML report from the json to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but it can be a false-positive.
chart-testing
ct is the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.
Checker Framework
Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
checkov
Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.
checkstyle
Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).
Closure Compiler
A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files.
ClosureLinter
Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors.
clusterlint
Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations.
code-cracker
An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
Codelyzer
A set of tslint rules for static code analysis of Angular 2 TypeScript projects.
coffeelint
A style checker that helps keep CoffeeScript code clean and consistent.
composer-dependency-analyser
Fast detection of composer dependency issues.
- 💪 Powerful: Detects unused, shadow and misplaced composer dependencies
- ⚡ Performant: Scans 15 000 files in 2s!
- ⚙️ Configurable: Fine-grained ignores via PHP config
- 🕸️ Lightweight: No composer dependencies
- 🍰 Easy-to-use: No config needed for first try
- ✨ Compatible: PHP >= 7.2
CPAchecker
A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.
Credential Digger
Credential Digger is a GitHub scanning tool that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc), and filtering the false positive data through a machine learning model called Password Model. This scanner is able to detect passwords and non structured tokens with a low false positive rate.
CSharpEssentials
C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
Dart Code Metrics
Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.
Dataflow Framework
An industrial-strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.
Datree
A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies
dawnscanner
A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
DeepScan
An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.
DesigniteJava
DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
detect-secrets
An enterprise friendly way of detecting and preventing secrets in code. It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.
dialyzer
The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).
electrolysis
A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.
elm-analyse
A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.
elm-review
Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.
ENRE-ts
ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-ts is a ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.
errwrap
Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive.
escomplex
Software complexity analysis of JavaScript-family abstract syntax trees.
Fix Insight
A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.
Fixinator
Static security code analysis for ColdFusion or CFML code. Designed to work within a CI pipeline or from the developers terminal.
forbidden-apis
Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.
fprettify
Auto-formatter for modern fortran source code, written in Python. Fprettify is a tool that provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history and tested for editor integration.
gawk --lint
Warns about constructs that are dubious or nonportable to other awk implementations.
gixy
A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.
govulncheck
Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program.
Haskell Dockerfile Linter
A smarter Dockerfile linter that helps you build best practice Docker images.
HasMySecretLeaked
HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.
Haxe Checkstyle
A static analysis tool to help developers write Haxe code that adheres to a coding standard.
hegel
A static type checker for JavaScript with a bias on type inference and strong type systems.
i-Code CNES for Fortran
An open source static code analysis tool for Fortran 77, Fortran 90 and Shell.
i-Code CNES for Shell
An open source static code analysis tool for Shell and Fortran (77 and 90).
Icarus Verilog
A Verilog simulation and synthesis tool that operates by compiling source code written in IEEE-1364 Verilog into some target format
InspectorTiger
IT, Inspector Tiger, is a modern python code review tool / framework. It comes with bunch of pre-defined handlers which warns you about improvements and possible bugs. Beside these handlers, you can write your own or use community ones.
JArchitect
Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
JEB Decompiler
Decompile and debug binary code. Break down and analyze document files. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly & Ethereum Decompilers.
jshint
Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
kani
The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler. Kani verifies:
- Memory safety (e.g., null pointer dereferences)
- User-specified assertions (i.e., assert!(...))
- The absence of panics (e.g., unwrap() on None values)
- The absence of some types of unexpected behavior (e.g., arithmetic overflows)
kics
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
klint
A tool that listens to changes in Kubernetes resources and runs linting rules against them. Identify and debug erroneous objects and nudge objects in line with the policies as both change over time. Klint helps us encode checks and proactively alert teams when they need to take action.
krane
Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.
kube-lint
A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them.
kube-linter
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
kubeconform
A fast Kubernetes manifests validator with support for custom resources.
It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements:
- high performance: will validate & download manifests over multiple routines, caching downloaded files in memory
- configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities
- uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes.
KubeLinter
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
languagetool
Style and grammar checker for 25+ languages. It finds many errors that a simple spell checker cannot detect.
Mariana Trench
Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). It can find vulnerabilities as code changes, before it ever lands in your repository.
Meziantou.Analyzer
A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.
Misspelled Words In Context
A spell-checker that groups possible misspellings and shows them in their contexts.
mypy
A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with MonkeyType.
mythril
A symbolic execution framework with batteries included, can be used to find and exploit vulnerabilities in smart contracts automatically.
MythX
MythX is an easy to use analysis platform which integrates several analysis methods like fuzzing, symbolic execution and static analysis to find vulnerabilities with high precision. It can be integrated with toolchains like Remix or VSCode or called from the command-line.
.NET Analyzers
An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
NodeJSScan
A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.
NullAway
Type-based null-pointer checker with low build-time overhead; an Error Prone plugin.
Oversecured
Enterprise vulnerability scanner for Android and iOS apps. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process.
packj
Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
parallel-lint
This tool checks syntax of PHP files faster than serial check with a fancier output.
Pascal Analyzer
A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.
Pascal Expert
IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.
Perl::Analyzer
Perl-Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.
PHP Coding Standards Fixer
Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.
PHP Insights
Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.
PHPArkitect
PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. You can express the constraint that you want to enforce, in simple and readable PHP code.
PhpDeprecationDetector
Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions).
phpdoc-to-typehint
Add scalar type hints and return types to existing PHP projects using PHPDoc annotations.
Polyspace for Ada
Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
Primitive Erlang Security Tool (PEST)
A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure.
promval
PromQL validator written in Python. It can be used to validate that PromQL expressions are written as expected.
pure
Pure is a static analysis file format checker that checks ZIP files for dangerous compression ratios, spec deviations, malicious archive signatures, mismatching local and central directory headers, ambiguous UTF-8 filenames, directory and symlink traversals, invalid MS-DOS dates, overlapping headers, overflow, underflow, sparseness, accidental buffer bleeds etc.
pycodestyle
(Formerly pep8
) Check Python code against some of the style conventions in PEP 8.
PyT - Python Taint
A static analysis tool for detecting security vulnerabilities in Python web applications.
Railroader
An open source static analysis security vulnerability scanner for Ruby on Rails applications.
rector
Instant Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use-case are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
RefactorFirst
Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.
retire.js
Scanner detecting the use of JavaScript libraries with known vulnerabilities.
Roslynator
A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.
RSLint
A (WIP) JavaScript linter written in Rust designed to be as fast as possible, customizable, and easy to use.
rust-audit
Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.
RustViz
RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.
SearchDiggity
Identifies vulnerabilities in open source code projects hosted on Github, Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc.
shellcheck
ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts.
shellharden
A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
solhint
Solhint is an open source project created by https://protofire.io. Its goal is to provide a linting utility for Solidity code.
SonarAnalyzer.CSharp
These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.
staticcheck
Go static analysis that specialises in finding bugs, simplifying code and improving performance.
Steampunk Spotter
Ansible Playbook Scanning Tool that analyzes and offers recommendations for your playbooks.
structslop
Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency
terraform-compliance
A lightweight, compliance- and security focused, BDD test framework against Terraform.
terrascan
Collection of security and best practice tests for static code analysis of Terraform templates.
tfsec
Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.
trufflehog
Find credentials all over the place TruffleHog is an open source secret-scanning engine that resolves exposed secrets across your company’s entire tech stack.
tslint
TSLint has been deprecated as of 2019. Please see this issue for more details. typescript-eslint
is now your best option for linting TypeScript.
TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors & build systems and can be customized with your own lint rules, configurations, and formatters.
tslint-microsoft-contrib
A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft.
Tsunami Security Scanner
A general purpose network security scanner with an extensible plugin system for detecting high severity RCE-like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added.
TypeScript Call Graph
CLI to generate an interactive graph of functions and calls from your TypeScript files
TypL
With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing.
VeriFast
A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.
Violations Lib
Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.
VMware chap
chap analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.
Wintellect.Analyzers
.NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.
xo
Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code.
zod
TypeScript-first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures.
cargo-careful
Execute Rust code carefully, with extra checking along the way. It builds the standard library with debug assertions. Here are some of the checks this enables:
get_unchecked
in slices performs bounds checks *copy
,copy_nonoverlapping
, andwrite_bytes
check that pointers are aligned and non-null and (if applicable) non-overlapping{NonNull,NonZero*,...}::new_unchecked
check that the value is valid * plenty of internal consistency checks in the collection types * mem::zeroed and the deprecated mem::uninitialized panic if the type does not allow that kind of initialization
Dr. Memory
Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors (Github).
Iroh.js
A dynamic code analysis tool for JavaScript. Iroh allows to record your code flow in realtime, intercept runtime informations and manipulate program behaviour on the fly.
Jalangi2
Jalangi2 is a popular framework for writing dynamic analyses for JavaScript.
llvm-propeller
Profile guided hot/cold function splitting to improve cache efficiency. An alternative to BOLT by Facebook
Parasoft Jtest
Jtest is an automated Java software testing and static analysis product that is made by Parasoft. The product includes technology for Data-flow analysis Unit test-case generation and execution, static analysis, regression testing, code coverage, and runtime error detection.
Pex and Moles
Pex automatically generates test suites with high code coverage using automated white box analysis.
prowler
Prowler is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
WhiteHat Sentinel Dynamic
Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.
123 Multi-Language Tools
ApplicationInspector
Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).
Astrée
Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
autocorrect
A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean).
Axivion Bauhaus Suite
Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
Bearer
Open-Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.
Betterscan CE
Checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrationss available) for security and quality issues. Code Scanning/SAST/Linting using many tools/Scanners deduplicated with One Report (AI optional).
biome
A toolchain for web projects, aimed to provide functionalities to maintain them. Biome formats and lints code in a fraction of a second. It is the successor to Rome. It is designed to eventually replace Biome is designed to eventually replace Babel, ESLint, webpack, Prettier, Jest, and others.
BugProve
BugProve is a firmware analysis platform featuring both static and dynamic analysis techniques to discover memory corruptions, command injections and other classes or common weaknesses in binary code. It also detects vulnerable dependencies, weak cryptographic parameters, misconfigurations, and more.
CAST Highlight
Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.
ClassGraph
A classpath and module path scanner for querying or visualizing class metadata or class relatedness.
clazy
Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
coala
Language independent framework for creating code analysis - supports over 60 languages by default.
CodeIt.Right
CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.
Codemodder
Codemodder is a pluggable framework for building expressive codemods. Use Codemodder when you need more than a linter or code formatting tool. Use it to fix non-trivial security issues and other code quality problems.
CodeQue
Ecosystem for structural matching JavaScript and TypeScript code. Offers search tool that understands code structure. Available as CLI tool and Visual Studio Code extension. It helps to search code faster and more accurately making you workflow more effective. Soon it will offer ESLint plugin to create your own rules in minutes to help with assuring codebase quality.
CodeSonar from GrammaTech
Advanced, whole program, deep path, static analysis of C, C++, Java and C# with easy-to-understand explanations and code and path visualization.
cpp-linter-action
A Github Action for linting C/C++ code integrating clang-tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.
dotenet-format
A code formatter for .NET. Preferences will be read from an .editorconfig
file, if present, otherwise a default set of preferences will be used. At this time dotnet-format is able to format C# and Visual Basic projects with a subset of supported .editorconfig
options.
emerge
Emerge is a source code and dependency visualizer that can be used to gather insights about source code structure, metrics, dependencies and complexity of software projects. After scanning the source code of a project it provides you an interactive web interface to explore and analyze your project by using graph structures.
ezno
A JavaScript compiler and TypeScript checker written in Rust with a focus on static analysis and runtime performance. Ezno's type checker is built from scratch. The checker is fully compatible with TypeScript type annotations and can work without any type annotations at all.
Find Security Bugs
The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
Hound CI
Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.
lizard
Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
MATE
A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.
Mega-Linter
Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes
Mobb
Mobb is a trusted, automatic vulnerability fixer that secures applications, reduces security backlogs, and frees developers to focus on innovation. Mobb is free for open-source projects.
oclint
A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C.
OpenRewrite
OpenRewrite fixes common static analysis issues reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI.
OpenStaticAnalyzer
OpenStaticAnalyzer is a source code analyzer tool, which can perform deep static analysis of the source code of complex systems.
oxc
The Oxidation Compiler is creating a suite of high-performance tools for the JavaScript / TypeScript language re-written in Rust.
Polyspace Bug Finder
Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
Polyspace Code Prover
Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
Putout
Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.
pylama
Code audit tool for Python and JavaScript. Wraps pycodestyle, pydocstyle, PyFlakes, Mccabe, Pylint, and more
Refactoring Essentials
The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers.
ReSharper
Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
Roslyn Security Guard
Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
SafeQL
Validate and auto-generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way.
SonarQube for IDE
SonarQube for IDE (formerly SonarLint) is a free IDE extension available for IntelliJ, VS Code, Visual Studio, and Eclipse, to find and fix coding issues in real-time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.
Soto Platform
Suite of static analysis tools consisting of the three components Sotoarc (Architecture Analysis), Sotograph (Quality Analysis), and Sotoreport (Quality report). Helps find differences between architecture and implementation, interface violations (e.g. external access of private parts of subsystems, detection of all classes, files, packages and subsystems which are strongly coupled by cyclical relationships and more. The Sotograph product family runs on Windows and Linux.
sqlvet
Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that could potentially lead to SQL injections makes sure column count matches value count in INSERT statements and validates table- and column names.
StaticReviewer
Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.
TencentCodeAnalysis
Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
trivy
A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.
TrustInSoft Analyzer
Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
Veracode
Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.
WhiteHat Application Security Platform
WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.
allocscope
allocscope is a tool for tracking down where the most egregiously large allocations are occurring in a C, C++ or Rust codebase. It is particularly intendend to be useful for developers who want to get a handle on excessive allocations and are working in a large codebase with multiple contributors with allocations occuring in many modules or libraries.
Code Pulse
Code Pulse is a free real-time code coverage tool for penetration testing activities by OWASP and Code Dx (GitHub).
LLVM/Clang Sanitizers
Help make this list better
Suggest Tools