statix

Linter for ABAP, written in TypeScript.

Enhances the SAP Code Inspector with new and customizable checks.

Static checker for GitHub Actions workflow files. Provides an online version.

Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.

Spell, style and grammar checker.

Catch insensitive, inconsiderate writing

Find inefficiently packed structs.

Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations. This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users.

A static code analysis tool for Crystal.

Discover, analyze, and certify container images. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification

Run static analysis on Android projects.

Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once.

Platform agnostic binary analysis framework from UCSB.

Linter for Angular projects

Checks playbooks for practices and behaviour that could potentially be improved.

A C# architecture test library to specify and assert architecture rules in C# for automated testing.

Autoflake removes unused imports and unused variables from Python code.

Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates.

Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.

A tool to find common security issues in Python code.

Code style enforcement for bash programs. The output format aims to follow pycodestyle (pep8) default output format.

A linting engine supporting custom project-specific rules.

Analyzes a raw binary firmware and determines features like endianness or the loading address. The tool is compatible with all architectures. Loading address: binbloom can parse a raw binary firmware and determine its loading address. Endianness: binbloom can use heuristics to determine the endianness of a firmware. UDS Database: binbloom can parse a raw binary firmware and check if it contains an array containing UDS command IDs.

A binary static analysis tool that provides security and correctness results for Windows portable executables.

Tool to analyze source code and binaries for reusable code, necessary licenses and potential security aspects.

Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F

Checks whether HTTP response body is closed.

An HTML linter for Bootstrap projects.

Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code.

A static analysis security vulnerability scanner for Ruby on Rails applications.

Provides a CLI linter that enforces good API design choices and structure

Audit Gemfile.lock for gems with security vulnerabilities reported in Ruby Advisory Database.

C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code.

Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.

Code quality threshold checking as part of your build.

Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.

Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries.

cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.

Whole program static stack analysis The tool produces the full call graph of a program as a dot file.

A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more.

Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.

A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing

Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.

Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like release-plz. It found semver violations in more than 1 in 6 of the top 1000 most-downloaded crates on crates.io.

cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code

Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)

Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused.

Find potential unused enabled feature flags and prune them. You can generate a simple HTML report from the json to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but it can be a false-positive.

AWS Labs CloudFormation linter.

A linter for AWS CloudFormation templates.

ct is the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.

Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.

Linter / Analyzer for Makefiles.

Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.

Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).

A linter for LaTex which catches some typographic errors LaTeX oversees.

A Project to give the churn file, class, and method for a project for a given checkin. Over time the tool adds up the history of churns to give the number of times a file, class, or method is changing during the life of a project.

Helps discover good candidates for refactoring.

Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.

Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.

Vulnerability Static Analysis for Containers.

A code linter to catch common mistakes and improve your Rust code.

A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing.

A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files.

Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors.

Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations.

An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.

Static Code Analysis for R.

A set of tslint rules for static code analysis of Angular 2 TypeScript projects.

A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices.

Detects run-time and logic errors.

Check code for common misspellings.

A style checker that helps keep CoffeeScript code clean and consistent.

Checks Java source and byte code for incorrect uses of cryptographic APIs.

A tool for measuring Python class cohesion.

checks if your commit messages meet the conventional commit format

Software complexity analysis for JavaScript projects.

Fast detection of composer dependency issues.

• 💪 Powerful: Detects unused, shadow and misplaced composer dependencies
• ⚡ Performant: Scans 15 000 files in 2s!
• ⚙️ Configurable: Fine-grained ignores via PHP config
• 🕸️ Lightweight: No composer dependencies
• 🍰 Easy-to-use: No config needed for first try
• ✨ Compatible: PHP >= 7.2

Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks.

A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.

Credential Digger is a GitHub scanning tool that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc), and filtering the false positive data through a machine learning model called Password Model. This scanner is able to detect passwords and non structured tokens with a low false positive rate.

A static code analysis tool with a focus on code consistency and teaching.

The Crystal compiler has built-in linting functionality.

C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.

Potentially interesting stats on stylesheets.

Does basic syntax checking and finds problematic patterns or signs of inefficiency.

cwe_checker finds vulnerable patterns in binary executables.

Quantifies the cyclomatic complexity of R functions / expressions.

D-Scanner is a tool for analyzing D source code.

Perform static analysis of known vulnerabilities in docker images/containers.

Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.

An industrial-strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.

A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies

A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.

dbcritic finds problems in a database schema, such as a missing primary key constraint in a table.

Finds unused code.

Scan Nix files for dead code (unused variable bindings)

Design by contract for Python. Write bug-free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.

An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.

A set of utilities for working with PO files to ease development and improve quality.

Official linter for Deno.

Dependency analysis tool.

Finds usages of deprecated (Symfony) code.

Enforce rules for dependencies between software layers.

Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.

DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.

Detection of design patterns in PHP code.

An enterprise friendly way of detecting and preventing secrets in code. It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.

Static code analysis for Kotlin code.

Mix tasks to simplify use of Dialyzer in Elixir projects.

The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).

Web application (WASM) to render a diff between Rust crate versions.

Strict coding standard for Kotlin and a linter that detects and auto-fixes code smells.

Static analyser for finding deadlocks in Go.

A tool for ensuring Python code is secure.

Lint and validate Dockerfile labels.

Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files.

Finds assignments/declarations with too many blank identifiers.

Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.).

Linting dotenv files like a charm.

Lightning-fast linter for .env files. Written in Rust

DrNim combines the Nim frontend with the Z3 proof engine in order to allow verify / validate software written in Nim.

Reports potentially duplicated code.

A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections.

Combine PHP_CodeSniffer and PHP-CS-Fixer.

Linter rules corresponding to the guidelines in Effective Dart

A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.

A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.

Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.

Erlang Style Reviewer.

Linter for Ember or Handlebars templates.

A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-java is a ENtity Relationship Extractor for Java projects based on @Eclipse JDT/parser.

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-py is a ENtity Relationship Extractor for Python based on Python Language Services of The Standard Library.

ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-ts is a ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.

Lint your ERB or HTML files

Check that error return values are used.

Catch common Java mistakes as compile-time errors.

Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive.

Visualize JavaScript (ES6) source complexity.

Software complexity analysis of JavaScript-family abstract syntax trees.

ECMAScript parsing infrastructure for multipurpose analysis.

Common Ruby idioms checker.

A plugin for FindBugs with additional bug detectors.

A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.

Static security code analysis for ColdFusion or CFML code. Designed to work within a CI pipeline or from the developers terminal.

A framework for creating lint rules and corresponding auto-fixes for source code.

Flay analyzes code for structural similarities.

Get info on length of functions in a Go package.

Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.

A static type checker for JavaScript.

Static taint analysis tool for Android applications.

A program slicer and dataflow analyzer for the R programming language. Its slicer allows you to reduce a complicated program just to the parts related for a specific task (e.g., the generation of a single or collection of plots, a significance test, ...). The dataflow analysis provides you with a detailed view on the semantics of the R code which can greatly improve other analyses. To use flowR, check out the Visual Studio Code extension, the RStudio Addin, the Docker image, or the R package.

A lint tool that checks Chef cookbooks for common problems.

Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.

Fortran linter, inspired by (and built on) Ruff, and based on community best practices. Supports latest Fortran (2023) standard.

Auto-formatter for modern fortran source code, written in Python. Fprettify is a tool that provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history and tested for editor integration.

Lint tool for F#.

Rust-based static analysis for TypeScript projects

A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions".

Warns about constructs that are dubious or nonportable to other awk implementations.

The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13).

A linter for the Gherkin-Syntax written in Javascript.

A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission

ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.

A SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos.

A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.

Package ast declares the types used to represent syntax trees for Go packages.

Analyzer that helps you to make your Go programs more consistent.

Go source code linter that maintains checks which are currently not implemented in other linters.

Reports variables that may have been unintentionally shadowed.

Examines Go source code and reports suspicious.

Go AST (Abstract Syntax Tree) based static analysis tool with Rego.

A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.

Checks that no globals are present.

Finds repeated strings that could be replaced by a constant.

Calculate cyclomatic complexities of functions in Go source code.

Checks if the code is properly formatted and could not be further simplified.

Checks missing or unreferenced package imports.

Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.

Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.

Prints out coding style mistakes in Go source code.

Analyses the source code for R packages and provides best-practice recommendations.

An interactive tool to analyze Golang goroutine dump.

Inspects source code for security problems by scanning the Go AST.

Syntactic and semantic analysis similar to the Go compiler.

Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program.

CSS Specificity Graph Generator.

Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API.

Checks code on every commit.

A Grunt wrapper for Bootlint, the HTML linter for Bootstrap projects.

A gulp wrapper for Bootlint, the HTML linter for Bootstrap projects.

Tool for writing clean and consistent HAML.

A smarter Dockerfile linter that helps you build best practice Docker images.

HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.

A static analysis tool to help developers write Haxe code that adheres to a coding standard.

A static type checker for JavaScript with a bias on type inference and strong type systems.

Adds warnings or errors to your crate when using a numerically unstable floating point expression.

HLint is a tool for suggesting possible improvements to Haskell code.

HTML Inspector is a code quality tool to help you and your team write better markup.

Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards.

Offline HTML5 validator.

A Static Code Analysis Tool for HTML.

Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.

An open source static code analysis tool for Fortran 77, Fortran 90 and Shell.

An open source static code analysis tool for Shell and Fortran (77 and 90).

iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining.

A Verilog simulation and synthesis tool that operates by compiling source code written in IEEE-1364 Verilog into some target format

Binary code analysis tool.

Detect ineffectual assignments in Go code.

IT, Inspector Tiger, is a modern python code review tool / framework. It comes with bunch of pre-defined handlers which warns you about improvements and possible bugs. Beside these handlers, you can write your own or use community ones.

Suggest narrower interfaces that can be used.

A collection of F# analyzers, built with the FSharp.Analyzers.SDK.

Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.

Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.

Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.

Decompile and debug binary code. Break down and analyze document files. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly & Ethereum Decompilers.

Autocompletion/static analysis library for Python.

Static type inference system to detect bugs and type instabilities.

Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.

The JavaScript Code Quality Tool.

A JSON parser and validator with a CLI. Standalone version of jsonlint.com

Static security analysis tool.

The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, where the "unsafe superpowers" are unchecked by the compiler. Kani verifies:

• Memory safety (e.g., null pointer dereferences)
• User-specified assertions (i.e., assert!(...))
• The absence of panics (e.g., unwrap() on None values)
• The absence of some types of unexpected behavior (e.g., arithmetic overflows)

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible

A tool that listens to changes in Kubernetes resources and runs linting rules against them. Identify and debug erroneous objects and nudge objects in line with the policies as both change over time. Klint helps us encode checks and proactively alert teams when they need to take action.

CLI tool for learning commands from your terminal. kmdr delivers a break down of commands with every attribute explained.

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.

An anti-bikeshedding Kotlin linter with built-in formatter.

Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more.

Hunt for security weaknesses in Kubernetes clusters.

A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them.

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Static code analysis of your Kubernetes object definitions.

A fast Kubernetes manifests validator with support for custom resources.

It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements:

• high performance: will validate & download manifests over multiple routines, caching downloaded files in memory
• configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities
• uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes.

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Validates your Kubernetes configuration files and supports multiple Kubernetes versions.