Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.
Tutorials / Guides
509 Alternatives to tfsec
Static checker for GitHub Actions workflow files. Provides an online version.
After the Deadline
Spell, style and grammar checker.
Catch insensitive, inconsiderate writing
Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations. This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users.
Discover, analyze, and certify container images. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification
Run static analysis on Android projects.
Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once.
Platform agnostic binary analysis framework from UCSB.
Checks playbooks for practices and behaviour that could potentially be improved.
AWS CloudFormation Guard
Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates.
Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.
Analyzes a raw binary firmware and determines features like endianness or the loading address. The tool is compatible with all architectures. Loading address: binbloom can parse a raw binary firmware and determine its loading address. Endianness: binbloom can use heuristics to determine the endianness of a firmware. UDS Database: binbloom can parse a raw binary firmware and check if it contains an array containing UDS command IDs.
A binary static analysis tool that provides security and correctness results for Windows portable executables.
Tool to analyze source code and binaries for reusable code, necessary licenses and potential security aspects.
Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F
An HTML linter for Bootstrap projects.
Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code.
Provides a CLI linter that enforces good API design choices and structure
Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
Find potential unused enabled feature flags and prune them. You can generate a simple HTML report from the json to make it easier to inspect results. It removes a feature of a dependency and then compiles the project to see if it still compiles. If it does, the feature flag can possibly be removed, but it can be a false-positve.
AWS Labs CloudFormation linter.
A linter for AWS CloudFormation templates.
ct is the the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.
Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
Linter / Analyzer for Makefiles.
Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.
A linter for LaTex which catches some typographic errors LaTeX oversees.
Vulnerability Static Analysis for Containers.
Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations.
Check code for common misspellings.
checks if your commit messages meet the conventional commit format
Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks.
Credential Digger is a GitHub scanning tool that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc), and filtering the false positive data through a machine learning model called Password Model. This scanner is able to detect passwords and non structured tokens with a low false positive rate.
Potentially interesting stats on stylesheets.
Does basic syntax checking and finds problematic patterns or signs of inefficiency.
cwe_checker finds vulnerable patterns in binary executables.
Perform static analysis of known vulnerabilities in docker images/containers.
A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies
Scan Nix files for dead code (unused variable bindings)
A set of utilities for working with PO files to ease development and improve quality.
Official linter for Deno.
An enterprise friendly way of detecting and preventing secrets in code. It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.
The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).
Docker Label Inspector
Lint and validate Dockerfile labels.
Linting dotenv files like a charm.
Lightning-fast linter for .env files. Written in Rust
A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.