This repository lists static analysis tools for all programming languages, build tools, config files and more.
The official website, analysis-tools.dev is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.
Static program analysis is the analysis of computer software that is performed without actually executing programs — Wikipedia
The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality. — John Carmack (Creator of Doom)
This project would not be possible without the generous support of our sponsors.
If you also want to support this project, head over to our Github sponsors page.
Pull requests are very welcome!
Also check out the sister project, awesome-dynamic-analysis.
golangci-lintfor new projects.
Go Meta Linter: GolangCI-Lint is a linters aggregator.
pep8) Check Python code against some of the style conventions in PEP 8.
pyreverse(an UML diagram generator) and
symilar(a similarities checker).
ale — Asynchronous Lint Engine for Vim and NeoVim with support for many languages.
Android Studio — Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint.
AppChecker ©️ — Static analysis for C/C++/C#, PHP and Java.
Application Inspector ©️ — Commercial Static Code Analysis which generates exploits to verify vulnerabilities.
ApplicationInspector — Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).
ArchUnit — Unit test your Java or Kotlin architecture.
Axivion Bauhaus Suite ©️ — Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95.
Better Code Hub ©️ — Better Code Hub checks your GitHub codebase against 10 engineering guidelines devised by the authority in software quality, Software Improvement Group.
callGraph — Statically generates a call graph image and displays it on screen.
CAST Highlight ©️ — Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation.
Checkmarx CxSAST ©️ — Commercial Static Code Analysis which doesn't require pre-compilation.
ClassGraph — A classpath and module path scanner for querying or visualizing class metadata or class relatedness.
Clayton ©️ — AI-powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time.
Cobra ©️ — Structural source code analyzer by NASA's Jet Propulsion Laboratory.
Codacy ©️ — Code Analysis to ship Better Code, Faster.
Code Intelligence ©️ — CI/CD-agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage
codeburner — Provides a unified interface to sort and act on the issues it finds.
codechecker — A defect database and viewer extension for the Clang Static Analyzer with web GUI.
CodeFactor ©️ — Automated Code Analysis for repos on GitHub or BitBucket.
CodeFlow ©️ — Automated code analysis tool to deal with technical depth. Integrates with Bitbucket and Gitlab. (free for Open Source Projects)
CodeIt.Right ©️ — CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices.
CodePatrol ©️ — Automated SAST code reviews driven by security, supports 15+ languages and includes security training.
codeql — Deep code analysis - semantic queries and dataflow for several languages with VSCode plugin support.
Coderrect ©️ — Advanced static analyzer for multi-threaded software. Supports OpenMP, Pthreads, std::thread, and GPU/CUDA.
CodeRush ©️ — Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up.
CodeScan ©️ — Code Quality and Security for Salesforce Developers. Made exclusively for the Salesforce platform, CodeScan’s code analysis solutions provide you with total visibility into your code health.
CodeScene ©️ — CodeScene is a quality visualization tool for software. Prioritize technical debt, detect delivery risks, and measure organizational aspects. Fully automated.
CodeSonar from GrammaTech ©️ — Advanced, whole program, deep path, static analysis of C, C++, Java and C# with easy-to-understand explanations and code and path visualization.
Codiga ©️ — Automated Code Reviews and Technical Debt management platform that supports 12+ languages.
Corrode ⚠️ — Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.
cpp-linter-action — A Github Action for linting C/C++ code integrating clang-tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations.
cqc ⚠️ — Check your code quality for js, jsx, vue, css, less, scss, sass and styl files.
DeepSource ©️ — In-depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
Depends — Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.
DevSkim — Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
ESLint — An extensible linter for JS, following the ECMAScript standard.
Find Security Bugs — The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
Fortify ©️ — A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
Goodcheck — Regexp based customizable linter.
goone ⚠️ — Finds N+1 queries (SQL calls in a for loop) in go code
graudit — Grep rough audit - source code auditing tool.
HCL AppScan Source ©️ — Commercial Static Code Analysis.
Hopper ⚠️ — A static analysis tool written in scala for languages that run on JVM.
imhotep — Comment on commits coming into your repository and check for syntactic errors and general lint warnings.
include-gardener ⚠️ — A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all
#include relations of a given set of files.
Infer — A static analyzer for Java, C and Objective-C
Kiuwan ©️ — Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C\C++, Java, C#, PHP and more.
Klocwork ©️ — Quality and Security Static analysis for C/C++, Java and C#.
LGTM ©️ — Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for open source. Formerly semmle.
LGTM.com ©️ — Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.
lizard — Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.
Mega-Linter — Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes
oclint — A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C.
ocular ©️ — Enables code auditors and security teams to interactively investigate their unique code bases to find business logic flaws and technical vulnerabilities that traditional SASTs cannot. This is done by enabling the analyst to write their own custom queries. Can find hard-coded secrets, authentication issues, and malicious code like rootkits and backdoors.
Offensive 360 ©️ — Commercial Static Code Analysis system doesn't require building the source code or pre-compilation.
parasoft ©️ — Automated Software Testing Solutions for unit-, API-, and web UI testing. Complies with MISRA, OWASP, and others.
pfff — Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages.
pre-commit — A framework for managing and maintaining multi-language pre-commit hooks.
Prettier — An opinionated code formatter.
Putout — Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.
PVS-Studio ©️ — A (conditionally free for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees. Supports CWE mapping, MISRA and CERT coding standards.
Refactoring Essentials ⚠️ — The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers.
relint — A static file linter that allows you to write custom rules using regular expressions (RegEx).
RIPS ©️ — A static source code analyser for vulnerabilities in PHP scripts.
Rome Formatter — A performant and fault-tolerant code formatter for JS/TS written in Rust
Roslyn Analyzers — Roslyn-based implementation of FxCop analyzers.
Roslyn Security Guard — Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
Scanmycode CE (Community Edition) — Scanmycode - Code Scanning/SAST/Linting using many tools/Scanners with One Report
Scrutinizer ©️ — A proprietary code quality checker that can be integrated with GitHub.
Security Code Scan — Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
Semgrep — A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.
ShiftLeft ©️ — Identify vulnerabilities that are unique to your code base before they reach production. Leverages the Code Property Graph (CPG) to run its analyses concurrently in a single graph of graphs. Automatically finds business logic flaws in dev like hardcoded secrets and logic bombs
ShiftLeft Scan — Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.
shipshape ⚠️ — Static program analysis platform that allows custom analyzers to plug in through a common interface.
Sider ©️ — An automated code reviewing tool. Improving developers' productivity.
Sigrid ©️ — Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.
Similarity Tester — A tool that finds similarities between or within files to support you encountering DRY principle violations.
Snyk ©️ — Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).
SonarCloud ©️ — Multi-language cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.
SonarLint for Visual Studio — SonarLint is an extension for Visual Studio 2015 and 2017 that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
SonarQube — SonarQube is an open platform to manage code quality.
Sonatype ©️ — Reports known vulnerabilities in common dependencies and recommends updated packages to minimize breaking changes
Soto Platform ©️ — Suite of static analysis tools consisting of the three components Sotoarc (Architecture Analysis), Sotograph (Quality Analysis), and Sotoreport (Quality report). Helps find differences between architecture and implementation, interface violations (e.g. external access of private parts of subsystems, detection of all classes, files, packages and subsystems which are strongly coupled by cyclical relationships and more. The Sotograph product family runs on Windows and Linux.
SourceMeter ©️ — Static Code Analysis for C/C++, Java, C#, Python, and RPG III and RPG IV versions (including free-form).
sqlvet — Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that could potentially lead to SQL injections makes sure column count matches value count in INSERT statements and validates table- and column names.
Super-Linter — Combination of multiple linters to install as a GitHub Action.
Synopsys ©️ — A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).
Teamscale ©️ — Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available.
TencentCodeAnalysis — Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
ThreatMapper — Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit.
todocheck — Linter for integrating annotated TODOs with your issue trackers
trivy — A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.
trunk ©️ — Modern repositories include many technologies, each with its own set of linters. With 30+ linters and counting, Trunk makes it dead-simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.
TscanCode — A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license.
Undebt — Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.
Understand ©️ — Code visualization tool that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada, VHDL, and others.
weggli — A fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.
WhiteHat Application Security Platform ©️ — WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10.
golangci-lintfor new projects.
To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work. The underlying source code used to format and display that content is licensed under the MIT license.
Title image Designed by Freepik.