{"slug": "analysis-tools-dev--static-analysis", "title": "Static Analysis", "description": "\u2699\ufe0f A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.", "github_url": "https://github.com/analysis-tools-dev/static-analysis", "stars": "14K", "tag": "Computer Science", "entry_count": 802, "subcategory_count": 1, "subcategories": [{"name": "Table of Contents", "parent": "", "entries": [{"name": "ABAP", "url": "#abap", "description": ""}, {"name": "Ada", "url": "#ada", "description": ""}, {"name": "Assembly", "url": "#asm", "description": ""}, {"name": "Awk", "url": "#awk", "description": ""}, {"name": "C", "url": "#c", "description": ""}, {"name": "C#", "url": "#csharp", "description": ""}, {"name": "C++", "url": "#cpp", "description": ""}, {"name": "Clojure", "url": "#clojure", "description": ""}, {"name": "CoffeeScript", "url": "#coffeescript", "description": ""}, {"name": "ColdFusion", "url": "#coldfusion", "description": ""}, {"name": "Crystal", "url": "#crystal", "description": ""}, {"name": "Dart", "url": "#dart", "description": ""}, {"name": "Delphi", "url": "#delphi", "description": ""}, {"name": "Dlang", "url": "#dlang", "description": ""}, {"name": "Elixir", "url": "#elixir", "description": ""}, {"name": "Elm", "url": "#elm", "description": ""}, {"name": "Erlang", "url": "#erlang", "description": ""}, {"name": "F#", "url": "#fsharp", "description": ""}, {"name": "Fortran", "url": "#fortran", "description": ""}, {"name": "Go", "url": "#go", "description": ""}, {"name": "Groovy", "url": "#groovy", "description": ""}, {"name": "Haskell", "url": "#haskell", "description": ""}, {"name": "Haxe", "url": "#haxe", "description": ""}, {"name": "Java", "url": "#java", "description": ""}, {"name": "JavaScript", "url": "#javascript", "description": ""}, {"name": "Julia", "url": "#julia", "description": ""}, {"name": "Kotlin", "url": "#kotlin", 
"description": ""}, {"name": "Lua", "url": "#lua", "description": ""}, {"name": "MATLAB", "url": "#matlab", "description": ""}, {"name": "Nim", "url": "#nim", "description": ""}, {"name": "Ocaml", "url": "#ocaml", "description": ""}, {"name": "PHP", "url": "#php", "description": ""}, {"name": "PL/SQL", "url": "#plsql", "description": ""}, {"name": "Perl", "url": "#perl", "description": ""}, {"name": "Python", "url": "#python", "description": ""}, {"name": "R", "url": "#r", "description": ""}, {"name": "Rego", "url": "#rego", "description": ""}, {"name": "Ruby", "url": "#ruby", "description": ""}, {"name": "Rust", "url": "#rust", "description": ""}, {"name": "SQL", "url": "#sql", "description": ""}, {"name": "Scala", "url": "#scala", "description": ""}, {"name": "Shell", "url": "#shell", "description": ""}, {"name": "Swift", "url": "#swift", "description": ""}, {"name": "Tcl", "url": "#tcl", "description": ""}, {"name": "TypeScript", "url": "#typescript", "description": ""}, {"name": "Verilog/SystemVerilog", "url": "#verilog", "description": ""}, {"name": "Vim Script", "url": "#vim-script", "description": ""}, {"name": "WebAssembly", "url": "#wasm", "description": ""}, {"name": ".env", "url": "#dotenv", "description": ""}, {"name": "Ansible", "url": "#ansible", "description": ""}, {"name": "Archive", "url": "#archive", "description": ""}, {"name": "Azure Resource Manager", "url": "#arm", "description": ""}, {"name": "Binaries", "url": "#binary", "description": ""}, {"name": "Build tools", "url": "#buildtool", "description": ""}, {"name": "CSS/SASS/SCSS", "url": "#css", "description": ""}, {"name": "Config Files", "url": "#configfile", "description": ""}, {"name": "Configuration Management", "url": "#configmanagement", "description": ""}, {"name": "Containers", "url": "#container", "description": ""}, {"name": "Continuous Integration", "url": "#ci", "description": ""}, {"name": "Deno", "url": "#deno", "description": ""}, {"name": "Dockerfile", "url": "#dockerfile", 
"description": ""}, {"name": "Embedded", "url": "#embedded", "description": ""}, {"name": "Embedded Ruby (a.k.a. ERB, eRuby)", "url": "#erb", "description": ""}, {"name": "Gherkin", "url": "#gherkin", "description": ""}, {"name": "HTML", "url": "#html", "description": ""}, {"name": "JSON", "url": "#json", "description": ""}, {"name": "Kubernetes", "url": "#kubernetes", "description": ""}, {"name": "LaTeX", "url": "#latex", "description": ""}, {"name": "Laravel", "url": "#laravel", "description": ""}, {"name": "Makefiles", "url": "#make", "description": ""}, {"name": "Markdown", "url": "#markdown", "description": ""}, {"name": "Metalinter", "url": "#meta", "description": ""}, {"name": "Mobile", "url": "#mobile", "description": ""}, {"name": "Nix", "url": "#nix", "description": ""}, {"name": "Node.js", "url": "#nodejs", "description": ""}, {"name": "Packages", "url": "#package", "description": ""}, {"name": "Prometheus", "url": "#prometheus", "description": ""}, {"name": "Protocol Buffers", "url": "#protobuf", "description": ""}, {"name": "Puppet", "url": "#puppet", "description": ""}, {"name": "Rails", "url": "#rails", "description": ""}, {"name": "Security/SAST", "url": "#security", "description": ""}, {"name": "Smart Contracts", "url": "#smart-contracts", "description": ""}, {"name": "Support", "url": "#support", "description": ""}, {"name": "Template-Languages", "url": "#template", "description": ""}, {"name": "Terraform", "url": "#terraform", "description": ""}, {"name": "Translation", "url": "#translation", "description": ""}, {"name": "Vue.js", "url": "#vue", "description": ""}, {"name": "Writing", "url": "#writing", "description": ""}, {"name": "YAML", "url": "#yaml", "description": ""}, {"name": "git", "url": "#git", "description": ""}, {"name": "abaplint", "url": "https://abaplint.org", "description": "Linter for ABAP, written in TypeScript."}, {"name": "abapOpenChecks", "url": "https://docs.abapopenchecks.org", "description": "Enhances the SAP Code 
Inspector with new and customizable checks."}, {"name": "Polyspace for Ada", "url": "https://www.mathworks.com/products/polyspace-ada.html", "description": ""}, {"name": "SPARK", "url": "https://www.adacore.com/about-spark", "description": ""}, {"name": "gawk --lint", "url": "https://www.gnu.org/software/gawk/manual/html_node/Options.html", "description": "Warns about constructs that are dubious or nonportable to other awk implementations."}, {"name": "Astr\u00e9e", "url": "https://www.absint.com/astree/index.htm", "description": ""}, {"name": "CBMC", "url": "http://www.cprover.org/cbmc", "description": "Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses."}, {"name": "clang-tidy", "url": "https://clang.llvm.org/extra/clang-tidy", "description": "Clang-based C++ linter tool with the (limited) ability to fix issues, too."}, {"name": "clazy", "url": "https://github.com/KDE/clazy", "description": "Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.", "stars": "727"}, {"name": "CMetrics", "url": "https://github.com/MetricsGrimoire/CMetrics", "description": "Measures size and complexity for C files.", "stars": "79"}, {"name": "CPAchecker", "url": "https://cpachecker.sosy-lab.org", "description": "A tool for configurable software verification of C programs. 
The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs."}, {"name": "cppcheck", "url": "https://cppcheck.sourceforge.io", "description": "Static analysis of C/C++ code."}, {"name": "CppDepend", "url": "https://www.cppdepend.com", "description": ""}, {"name": "cpplint", "url": "https://github.com/cpplint/cpplint", "description": "Automated C++ checker that follows Google's style guide.", "stars": "1.8k"}, {"name": "cqmetrics", "url": "https://github.com/dspinellis/cqmetrics", "description": "Quality metrics for C code.", "stars": "69"}, {"name": "CScout", "url": "https://www.spinellis.gr/cscout", "description": "Complexity and quality metrics for C and C preprocessor code."}, {"name": "ESBMC", "url": "http://esbmc.org", "description": "ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs."}, {"name": "Frama-C", "url": "https://www.frama-c.com", "description": "A sound and extensible static analyzer for C code."}, {"name": "GCC", "url": "https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html", "description": "The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13)."}, {"name": "Goblint", "url": "https://goblint.in.tum.de", "description": "A static analyzer for the analysis of multi-threaded C programs. 
Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences."}, {"name": "Helix QAC", "url": "https://www.perforce.com/products/helix-qac", "description": ""}, {"name": "IKOS", "url": "https://github.com/nasa-sw-vnv/ikos", "description": "A sound static analyzer for C/C++ code based on LLVM.", "stars": "3.1k"}, {"name": "KLEE", "url": "http://klee.github.io/", "description": "A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible."}, {"name": "LDRA", "url": "https://ldra.com", "description": ""}, {"name": "PC-lint", "url": "https://pclintplus.com/", "description": ""}, {"name": "Phasar", "url": "https://phasar.org", "description": "A LLVM-based static analysis framework which comes with a taint and type state analysis."}, {"name": "Polyspace Bug Finder", "url": "https://www.mathworks.com/products/polyspace-bug-finder.html", "description": ""}, {"name": "Polyspace Code Prover", "url": "https://www.mathworks.com/products/polyspace-code-prover.html", "description": ""}, {"name": "scan-build", "url": "https://clang-analyzer.llvm.org/scan-build.html", "description": "Frontend to drive the Clang Static Analyzer built into Clang via a regular build."}, {"name": "splint", "url": "http://splint.org", "description": "Annotation-assisted static program checker."}, {"name": "SVF", "url": "https://svf-tools.github.io/SVF", "description": "A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs."}, {"name": "TrustInSoft Analyzer", "url": "https://trust-in-soft.com", "description": ""}, {"name": ".NET Analyzers", "url": "https://github.com/DotNetAnalyzers", "description": "An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform."}, {"name": 
"ArchUnitNET", "url": "https://github.com/TNG/ArchUnitNET", "description": "A C# architecture test library to specify and assert architecture rules in C# for automated testing.", "stars": "1.2k"}, {"name": "code-cracker", "url": "https://code-cracker.github.io", "description": "An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties."}, {"name": "Designite", "url": "http://www.designite-tools.com", "description": ""}, {"name": "Gendarme", "url": "https://www.mono-project.com/docs/tools+libraries/tools/gendarme", "description": "Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET)."}, {"name": "Meziantou.Analyzer", "url": "https://github.com/meziantou/Meziantou.Analyzer", "description": "A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.", "stars": "1.1k"}, {"name": "NDepend", "url": "http://www.ndepend.com", "description": ""}, {"name": "Puma Scan", "url": "https://pumasecurity.io", "description": "Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) 
as development teams write code in Visual Studio."}, {"name": "Roslynator", "url": "https://github.com/JosefPihrt/Roslynator", "description": "A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.", "stars": "3.4k"}, {"name": "SonarAnalyzer.CSharp", "url": "https://github.com/SonarSource/sonar-dotnet", "description": "These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.", "stars": "894"}, {"name": "Wintellect.Analyzers", "url": "https://github.com/Wintellect/Wintellect.Analyzers", "description": ".NET Compiler Platform (\"Roslyn\") diagnostic analyzers and code fixes.", "stars": "89"}, {"name": "Astr\u00e9e", "url": "https://www.absint.com/astree/index.htm", "description": ""}, {"name": "CBMC", "url": "http://www.cprover.org/cbmc", "description": "Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses."}, {"name": "clang-tidy", "url": "https://clang.llvm.org/extra/clang-tidy", "description": "Clang-based C++ linter tool with the (limited) ability to fix issues, too."}, {"name": "clazy", "url": "https://github.com/KDE/clazy", "description": "Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. 
You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.", "stars": "727"}, {"name": "CMetrics", "url": "https://github.com/MetricsGrimoire/CMetrics", "description": "Measures size and complexity for C files.", "stars": "79"}, {"name": "cppcheck", "url": "https://cppcheck.sourceforge.io", "description": "Static analysis of C/C++ code."}, {"name": "CppDepend", "url": "https://www.cppdepend.com", "description": ""}, {"name": "cpplint", "url": "https://github.com/cpplint/cpplint", "description": "Automated C++ checker that follows Google's style guide.", "stars": "1.8k"}, {"name": "cqmetrics", "url": "https://github.com/dspinellis/cqmetrics", "description": "Quality metrics for C code.", "stars": "69"}, {"name": "CScout", "url": "https://www.spinellis.gr/cscout", "description": "Complexity and quality metrics for C and C preprocessor code."}, {"name": "ESBMC", "url": "http://esbmc.org", "description": "ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs."}, {"name": "GCC", "url": "https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html", "description": "The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13)."}, {"name": "Helix QAC", "url": "https://www.perforce.com/products/helix-qac", "description": ""}, {"name": "IKOS", "url": "https://github.com/nasa-sw-vnv/ikos", "description": "A sound static analyzer for C/C++ code based on LLVM.", "stars": "3.1k"}, {"name": "KLEE", "url": "http://klee.github.io/", "description": "A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. 
It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible."}, {"name": "LDRA", "url": "https://ldra.com", "description": ""}, {"name": "PC-lint", "url": "https://pclintplus.com/", "description": ""}, {"name": "Phasar", "url": "https://phasar.org", "description": "A LLVM-based static analysis framework which comes with a taint and type state analysis."}, {"name": "Polyspace Bug Finder", "url": "https://www.mathworks.com/products/polyspace-bug-finder.html", "description": ""}, {"name": "Polyspace Code Prover", "url": "https://www.mathworks.com/products/polyspace-code-prover.html", "description": ""}, {"name": "scan-build", "url": "https://clang-analyzer.llvm.org/scan-build.html", "description": "Frontend to drive the Clang Static Analyzer built into Clang via a regular build."}, {"name": "splint", "url": "http://splint.org", "description": "Annotation-assisted static program checker."}, {"name": "SVF", "url": "https://svf-tools.github.io/SVF", "description": "A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs."}, {"name": "TrustInSoft Analyzer", "url": "https://trust-in-soft.com", "description": ""}, {"name": "clj-kondo", "url": "https://github.com/borkdude/clj-kondo", "description": "A linter for Clojure code that sparks joy. 
It informs you about potential errors while you are typing.", "stars": "1.8k"}, {"name": "Fixinator", "url": "https://fixinator.app", "description": ""}, {"name": "ameba", "url": "https://crystal-ameba.github.io", "description": "A static code analysis tool for Crystal."}, {"name": "crystal", "url": "https://crystal-lang.org", "description": "The Crystal compiler has built-in linting functionality."}, {"name": "effective\\_dart", "url": "https://pub.dev/packages/effective_dart", "description": "Linter rules corresponding to the guidelines in Effective Dart"}, {"name": "DelphiLint", "url": "https://github.com/integrated-application-development/delphilint", "description": "A Delphi IDE package providing on-the-fly code analysis and linting, powered by SonarDelphi.", "stars": "133"}, {"name": "Fix Insight", "url": "https://www.tmssoftware.com/site/fixinsight.asp", "description": ""}, {"name": "Pascal Analyzer", "url": "https://peganza.com/products_pal.html", "description": ""}, {"name": "Pascal Expert", "url": "https://peganza.com/products_pex.html", "description": ""}, {"name": "SonarDelphi", "url": "https://github.com/integrated-application-development/sonar-delphi", "description": "Delphi static analyzer for the SonarQube code quality platform.", "stars": "147"}, {"name": "D-scanner", "url": "https://github.com/dlang-community/D-Scanner", "description": "D-Scanner is a tool for analyzing D source code.", "stars": "251"}, {"name": "credo", "url": "https://github.com/rrrene/credo", "description": "A static code analysis tool with a focus on code consistency and teaching.", "stars": "5.1k"}, {"name": "dialyxir", "url": "https://github.com/jeremyjh/dialyxir", "description": "Mix tasks to simplify use of Dialyzer in Elixir projects.", "stars": "1.8k"}, {"name": "sobelow", "url": "https://github.com/nccgroup/sobelow", "description": "Security-focused static analysis for the Phoenix Framework.", "stars": "1.8k"}, {"name": "elm-review", "url": 
"https://package.elm-lang.org/packages/jfmengels/elm-review/latest", "description": "Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you."}, {"name": "dialyzer", "url": "https://www.erlang.org/doc/man/dialyzer.html", "description": "The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications."}, {"name": "elvis", "url": "https://github.com/inaka/elvis", "description": "Erlang Style Reviewer.", "stars": "429"}, {"name": "fantomas", "url": "https://fsprojects.github.io/fantomas/", "description": "F# source code formatter."}, {"name": "FSharpLint", "url": "https://github.com/fsprojects/FSharpLint", "description": "Lint tool for F#.", "stars": "320"}, {"name": "ionide-analyzers", "url": "https://ionide.io/ionide-analyzers/", "description": "A collection of F# analyzers, built with the FSharp.Analyzers.SDK."}, {"name": "Fortitude", "url": "https://fortitude.readthedocs.io", "description": "Fortran linter, inspired by (and built on) Ruff, and based on community best practices. 
Supports latest Fortran (2023) standard."}, {"name": "fprettify", "url": "https://pypi.python.org/pypi/fprettify", "description": "Auto-formatter for modern fortran source code, written in Python."}, {"name": "aligncheck", "url": "https://gitlab.com/opennota/check", "description": "Find inefficiently packed structs."}, {"name": "bodyclose", "url": "https://github.com/timakin/bodyclose", "description": "Checks whether HTTP response body is closed.", "stars": "324"}, {"name": "deadcode", "url": "https://github.com/tsenart/deadcode", "description": "Finds unused code.", "stars": "53"}, {"name": "dogsled", "url": "https://github.com/alexkohler/dogsled", "description": "Finds assignments/declarations with too many blank identifiers.", "stars": "73"}, {"name": "dupl", "url": "https://github.com/mibk/dupl", "description": "Reports potentially duplicated code.", "stars": "365"}, {"name": "errcheck", "url": "https://github.com/kisielk/errcheck", "description": "Check that error return values are used.", "stars": "2.5k"}, {"name": "errwrap", "url": "https://github.com/fatih/errwrap", "description": "Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. 
It's also capable of rewriting calls to use the new %w wrap verb directive.", "stars": "381"}, {"name": "flen", "url": "https://github.com/lafolle/flen", "description": "Get info on length of functions in a Go package.", "stars": "50"}, {"name": "go tool vet --shadow", "url": "https://golang.org/cmd/vet#hdr-Shadowed_variables", "description": "Reports variables that may have been unintentionally shadowed."}, {"name": "go vet", "url": "https://golang.org/cmd/vet", "description": "Examines Go source code and reports suspicious."}, {"name": "go-critic", "url": "https://github.com/go-critic/go-critic", "description": "Go source code linter that maintains checks which are currently not implemented in other linters.", "stars": "2k"}, {"name": "go/ast", "url": "https://golang.org/pkg/go/ast", "description": "Package ast declares the types used to represent syntax trees for Go packages."}, {"name": "goast", "url": "https://github.com/m-mizutani/goast", "description": "Go AST (Abstract Syntax Tree) based static analysis tool with Rego.", "stars": "63"}, {"name": "goconst", "url": "https://github.com/jgautheron/goconst", "description": "Finds repeated strings that could be replaced by a constant.", "stars": "315"}, {"name": "gocyclo", "url": "https://github.com/fzipp/gocyclo", "description": "Calculate cyclomatic complexities of functions in Go source code.", "stars": "1.5k"}, {"name": "gofmt -s", "url": "https://golang.org/cmd/gofmt", "description": "Checks if the code is properly formatted and could not be further simplified."}, {"name": "gofumpt", "url": "https://github.com/mvdan/gofumpt", "description": "Enforce a stricter format than `gofmt`, while being backwards-compatible. 
That is, `gofumpt` is happy with a subset of the formats that `gofmt` is happy with.", "stars": "3.9k"}, {"name": "goimports", "url": "https://pkg.go.dev/golang.org/x/tools/cmd/goimports", "description": "Checks missing or unreferenced package imports."}, {"name": "gokart", "url": "https://github.com/praetorian-inc/gokart", "description": "Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.", "stars": "2.2k"}, {"name": "GolangCI-Lint", "url": "https://golangci-lint.run", "description": "Alternative to `Go Meta Linter`: GolangCI-Lint is a linters aggregator."}, {"name": "golint", "url": "https://github.com/golang/lint", "description": "Prints out coding style mistakes in Go source code.", "stars": "4k"}, {"name": "goreporter", "url": "https://github.com/360EntSecGroup-Skylar/goreporter", "description": "Concurrently runs many linters and normalises their output to a report.", "stars": "3.1k"}, {"name": "goroutine-inspect", "url": "https://github.com/linuxerwang/goroutine-inspect", "description": "An interactive tool to analyze Golang goroutine dump.", "stars": "477"}, {"name": "gosec (gas)", "url": "https://securego.io", "description": "Inspects source code for security problems by scanning the Go AST."}, {"name": "gotype", "url": "https://pkg.go.dev/golang.org/x/tools/cmd/gotype", "description": "Syntactic and semantic analysis similar to the Go compiler."}, {"name": "govulncheck", "url": "https://go.dev/blog/vuln", "description": "Govulncheck reports known vulnerabilities that affect Go code. 
It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application."}, {"name": "ineffassign", "url": "https://github.com/gordonklaus/ineffassign", "description": "Detect ineffectual assignments in Go code.", "stars": "457"}, {"name": "lll", "url": "https://github.com/walle/lll", "description": "Report long lines.", "stars": "70"}, {"name": "misspell", "url": "https://github.com/client9/misspell", "description": "Finds commonly misspelled English words.", "stars": "1.4k"}, {"name": "nakedret", "url": "https://github.com/alexkohler/nakedret", "description": "Finds naked returns.", "stars": "132"}, {"name": "nargs", "url": "https://github.com/alexkohler/nargs", "description": "Finds unused arguments in function declarations.", "stars": "86"}, {"name": "OSV-Scanner", "url": "https://osv.dev/", "description": "Vulnerability scanner written in Go which uses the data provided by OSV.dev. Developed by Google to scan dependencies across multiple languages and package managers for known vulnerabilities. Supports container scanning, license scanning, and guided remediation. Works with lockfiles, SBOMs, and container images to identify security issues."}, {"name": "prealloc", "url": "https://github.com/alexkohler/prealloc", "description": "Finds slice declarations that could potentially be preallocated.", "stars": "664"}, {"name": "Reviewdog", "url": "https://github.com/haya14busa/reviewdog", "description": "A tool for posting review comments from any linter in any code hosting service.", "stars": "9.2k"}, {"name": "revive", "url": "https://revive.run", "description": "Fast, configurable, extensible, flexible, and beautiful linter for Go. 
Drop-in replacement of golint."}, {"name": "staticcheck", "url": "https://staticcheck.io", "description": "Go static analysis that specialises in finding bugs, simplifying code and improving performance."}, {"name": "structcheck", "url": "https://gitlab.com/opennota/check", "description": "Find unused struct fields."}, {"name": "structslop", "url": "https://github.com/orijtech/structslop", "description": "Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency", "stars": "833"}, {"name": "test", "url": "https://pkg.go.dev/testing", "description": "Show location of test failures from the stdlib testing module."}, {"name": "unparam", "url": "https://github.com/mvdan/unparam", "description": "Find unused function parameters.", "stars": "568"}, {"name": "varcheck", "url": "https://gitlab.com/opennota/check", "description": "Find unused global variables and constants."}, {"name": "wsl", "url": "https://github.com/bombsimon/wsl", "description": "Enforces empty lines at the right places.", "stars": "346"}, {"name": "CodeNarc", "url": "https://codenarc.github.io/CodeNarc", "description": "A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices."}, {"name": "HLint", "url": "https://github.com/ndmitchell/hlint", "description": "HLint is a tool for suggesting possible improvements to Haskell code.", "stars": "1.6k"}, {"name": "Liquid Haskell", "url": "https://ucsd-progsys.github.io/liquidhaskell-blog/", "description": "Liquid Haskell is a refinement type checker for Haskell programs."}, {"name": "Stan", "url": "https://kowainik.github.io/projects/stan", "description": "Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems."}, {"name": "Weeder", "url": "https://github.com/ocharles/weeder", "description": "A tool for detecting dead exports 
or package imports in Haskell code.", "stars": "184"}, {"name": "Haxe Checkstyle", "url": "https://haxecheckstyle.github.io/docs/haxe-checkstyle/home.html", "description": "A static analysis tool to help developers write Haxe code that adheres to a coding standard."}, {"name": "Checker Framework", "url": "https://checkerframework.org", "description": "Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems."}, {"name": "checkstyle", "url": "https://checkstyle.org", "description": "Checking Java source code for adherence to a Code Standard or set of validation rules (best practices)."}, {"name": "ck", "url": "https://github.com/mauricioaniche/ck", "description": "Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.", "stars": "447"}, {"name": "ckjm", "url": "http://www.spinellis.gr/sw/ckjm", "description": "Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files."}, {"name": "Dataflow Framework", "url": "https://github.com/typetools/checker-framework", "description": "An industrial-strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google\u2019s Error Prone, Uber\u2019s NullAway, Meta\u2019s Nullsafe, and in other contexts. It is distributed with the Checker Framework.", "stars": "1.1k"}, {"name": "DesigniteJava", "url": "http://www.designite-tools.com/designitejava", "description": ""}, {"name": "Diffblue", "url": "https://www.diffblue.com/", "description": ""}, {"name": "Doop", "url": "https://plast-lab.github.io/doop-pldi15-tutorial/", "description": "Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. 
Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.)."}, {"name": "Error Prone", "url": "https://errorprone.info", "description": "Catch common Java mistakes as compile-time errors."}, {"name": "fb-contrib", "url": "http://fb-contrib.sourceforge.net", "description": "A plugin for FindBugs with additional bug detectors."}, {"name": "forbidden-apis", "url": "https://github.com/policeman-tools/forbidden-apis", "description": "Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.", "stars": "360"}, {"name": "google-java-format", "url": "https://github.com/google/google-java-format", "description": "Reformats Java source code to comply with Google Java Style", "stars": "6.1k"}, {"name": "IntelliJ IDEA", "url": "https://www.jetbrains.com/idea", "description": ""}, {"name": "JArchitect", "url": "https://www.jarchitect.com", "description": ""}, {"name": "JBMC", "url": "https://www.cprover.org/jbmc", "description": "Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses."}, {"name": "JLiSA", "url": "https://github.com/lisa-analyzer/jlisa", "description": "An abstract interpretation-based static analyzer for Java built upon the [LiSA (\u2b5075)](https://github.com/lisa-analyzer/lisa) framework.", "stars": "26"}, {"name": "Mariana Trench", "url": "https://mariana-tren.ch/", "description": "Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). 
It can find vulnerabilities as code changes, before it ever lands in your repository."}, {"name": "NullAway", "url": "https://github.com/uber/NullAway", "description": "Type-based null-pointer checker with low build-time overhead; an [Error Prone](http://errorprone.info/) plugin.", "stars": "4k"}, {"name": "qulice", "url": "https://www.qulice.com", "description": "Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...)."}, {"name": "RefactorFirst", "url": "https://github.com/jimbethancourt/RefactorFirst", "description": "Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.", "stars": "521"}, {"name": "Soot", "url": "https://soot-oss.github.io/soot", "description": "A framework for analyzing and transforming Java and Android applications."}, {"name": "Spoon", "url": "https://spoon.gforge.inria.fr", "description": "Spoon is a metaprogramming library to analyze and transform Java source code (incl Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle."}, {"name": "SpotBugs", "url": "https://spotbugs.github.io", "description": "SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code."}, {"name": "Violations Lib", "url": "https://github.com/tomasbjerre/violations-lib", "description": "Java library for parsing report files from static code analysis. 
Used by a bunch of Jenkins, Maven and Gradle plugins.", "stars": "155"}, {"name": "Closure Compiler", "url": "https://developers.google.com/closure/compiler", "description": "A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files."}, {"name": "DeepScan", "url": "https://deepscan.io", "description": ""}, {"name": "escomplex", "url": "https://github.com/jared-stilwell/escomplex", "description": "Software complexity analysis of JavaScript-family abstract syntax trees.", "stars": "271"}, {"name": "flow", "url": "https://flow.org", "description": "A static type checker for JavaScript."}, {"name": "jshint", "url": "https://jshint.com/about", "description": ""}, {"name": "JSLint", "url": "https://github.com/douglascrockford/JSLint", "description": "", "stars": "3.7k"}, {"name": "Polymer-analyzer", "url": "https://github.com/Polymer/tools/tree/master/packages/analyzer", "description": "A static analysis framework for Web Components.", "stars": "436"}, {"name": "retire.js", "url": "https://retirejs.github.io/retire.js", "description": "Scanner detecting the use of JavaScript libraries with known vulnerabilities."}, {"name": "standard", "url": "http://standardjs.com", "description": "An npm module that checks for Javascript Styleguide issues."}, {"name": "tern", "url": "https://ternjs.net", "description": "A JavaScript code analyzer for deep, cross-editor language support."}, {"name": "xo", "url": "https://github.com/xojs/xo", "description": "Opinionated but configurable ESLint wrapper with lots of goodies included. 
Enforces strict and readable code.", "stars": "8k"}, {"name": "JET", "url": "https://github.com/aviatesk/JET.jl", "description": "Static type inference system to detect bugs and type instabilities.", "stars": "852"}, {"name": "StaticLint", "url": "https://github.com/julia-vscode/StaticLint.jl", "description": "Static Code Analysis for Julia", "stars": "159"}, {"name": "detekt", "url": "https://detekt.github.io/detekt", "description": "Static code analysis for Kotlin code."}, {"name": "ktfmt", "url": "https://facebook.github.io/ktfmt/", "description": "A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions."}, {"name": "ktlint", "url": "https://ktlint.github.io", "description": "An anti-bikeshedding Kotlin linter with built-in formatter."}, {"name": "luacheck", "url": "https://github.com/lunarmodules/luacheck", "description": "A tool for linting and static analysis of Lua code.", "stars": "442"}, {"name": "lualint", "url": "https://github.com/philips/lualint", "description": "lualint performs luac-based static analysis of global variable usage in Lua source code.", "stars": "86"}, {"name": "mlint", "url": "https://www.mathworks.com/help/matlab/ref/mlint.html", "description": ""}, {"name": "DrNim", "url": "https://nim-lang.org/docs/drnim.html", "description": "DrNim combines the Nim frontend with the Z3 proof engine in order to verify / validate software written in Nim."}, {"name": "Sys", "url": "https://github.com/PLSysSec/sys", "description": "A static/symbolic tool for finding bugs in (browser) code. It uses the LLVM AST to find bugs like uninitialized memory access.", "stars": "236"}, {"name": "VeriFast", "url": "https://github.com/verifast/verifast", "description": "A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. 
To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.", "stars": "478"}, {"name": "CakeFuzzer", "url": "https://zigrin.com/tools/cake-fuzzer/", "description": "Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points."}, {"name": "churn-php", "url": "https://github.com/bmitch/churn-php", "description": "Helps discover good candidates for refactoring.", "stars": "1.4k"}, {"name": "composer-dependency-analyser", "url": "https://github.com/shipmonk-rnd/composer-dependency-analyser", "description": "Fast detection of composer dependency issues.", "stars": "603"}, {"name": "dephpend", "url": "https://github.com/mihaeu/dephpend", "description": "Dependency analysis tool.", "stars": "534"}, {"name": "deprecation-detector", "url": "https://github.com/sensiolabs-de/deprecation-detector", "description": "Finds usages of deprecated (Symfony) code.", "stars": "391"}, {"name": "deptrac", "url": "https://github.com/sensiolabs-de/deptrac", "description": "Enforce rules for dependencies between software layers.", "stars": "2.9k"}, {"name": "DesignPatternDetector", "url": "https://github.com/Halleck45/DesignPatternDetector", "description": "Detection of design patterns in PHP code.", "stars": "116"}, {"name": "EasyCodingStandard", "url": "https://www.tomasvotruba.com/blog/2017/05/03/combine-power-of-php-code-sniffer-and-php-cs-fixer-in-3-lines", "description": "Combine [PHP\\_CodeSniffer (\u2b5011k)](https://github.com/squizlabs/PHP_CodeSniffer) and [PHP-CS-Fixer (\u2b5013k)](https://github.com/FriendsOfPHP/PHP-CS-Fixer)."}, {"name": "exakat", "url": "https://www.exakat.io", "description": "An automated code reviewing 
engine for PHP."}, {"name": "GrumPHP", "url": "https://github.com/phpro/grumphp", "description": "Checks code on every commit.", "stars": "4.3k"}, {"name": "larastan", "url": "https://github.com/larastan/larastan", "description": "Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan.", "stars": "6.3k"}, {"name": "mago", "url": "https://mago.carthage.software", "description": "Mago is a complete toolchain for PHP, written in Rust, designed from the ground up for maximum performance."}, {"name": "parallel-lint", "url": "https://github.com/php-parallel-lint/PHP-Parallel-Lint", "description": "This tool checks syntax of PHP files faster than serial check with a fancier output.", "stars": "349"}, {"name": "Parse", "url": "https://github.com/psecio/parse", "description": "A Static Security Scanner.", "stars": "380"}, {"name": "pdepend", "url": "https://pdepend.org", "description": "Calculates software metrics like cyclomatic complexity for PHP code."}, {"name": "phan", "url": "https://github.com/phan/phan/wiki", "description": "A modern static analyzer from etsy.", "stars": "5.6k"}, {"name": "PHP Architecture Tester", "url": "https://github.com/carlosas/phpat", "description": "Easy to use architecture testing tool for PHP.", "stars": "1.2k"}, {"name": "PHP Assumptions", "url": "https://github.com/rskuipers/php-assumptions", "description": "Checks for weak assumptions.", "stars": "165"}, {"name": "PHP Coding Standards Fixer", "url": "https://cs.symfony.com", "description": "Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard."}, {"name": "PHP Insights", "url": "https://github.com/nunomaduro/phpinsights", "description": "Instant PHP quality checks from your console. 
Analysis of code quality and coding style as well as overview of code architecture and its complexity.", "stars": "5.6k"}, {"name": "Php Inspections (EA Extended)", "url": "https://plugins.jetbrains.com/plugin/7622-php-inspections-ea-extended-", "description": "A Static Code Analyzer for PHP."}, {"name": "PHP Refactoring Browser", "url": "https://qafoolabs.github.io/php-refactoring-browser", "description": "Refactoring helper."}, {"name": "PHP Semantic Versioning Checker", "url": "https://github.com/tomzx/php-semver-checker", "description": "Suggests a next version according to semantic versioning.", "stars": "434"}, {"name": "PHP-Parser", "url": "https://github.com/nikic/PHP-Parser", "description": "A PHP parser written in PHP.", "stars": "17k"}, {"name": "php-speller", "url": "https://github.com/mekras/php-speller", "description": "PHP spell check library.", "stars": "68"}, {"name": "PHPArkitect", "url": "https://github.com/phparkitect/arkitect", "description": "PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. 
You can express the constraint that you want to enforce, in simple and readable PHP code.", "stars": "880"}, {"name": "phpDocumentor", "url": "https://www.phpdoc.org", "description": "Analyzes PHP source code to generate documentation."}, {"name": "phploc", "url": "https://github.com/sebastianbergmann/phploc", "description": "A tool for quickly measuring the size and analyzing the structure of a PHP project.", "stars": "2.3k"}, {"name": "PHPMD", "url": "https://phpmd.org", "description": "Finds possible bugs in your code."}, {"name": "PhpMetrics", "url": "http://www.phpmetrics.org", "description": "Calculates and visualizes various code quality metrics."}, {"name": "phpmnd", "url": "https://github.com/povils/phpmnd", "description": "Helps to detect magic numbers.", "stars": "580"}, {"name": "PHPQA", "url": "https://edgedesigncz.github.io/phpqa", "description": "A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics)."}, {"name": "phpqa - jakzal", "url": "https://github.com/jakzal/phpqa", "description": "Many tools for PHP static analysis in one container.", "stars": "1.3k"}, {"name": "phpqa - jmolivas", "url": "https://github.com/jmolivas/phpqa", "description": "PHPQA all-in-one Analyzer CLI tool.", "stars": "325"}, {"name": "PHPStan", "url": "https://phpstan.org", "description": "PHP Static Analysis Tool - discover bugs in your code without running it!"}, {"name": "Progpilot", "url": "https://github.com/designsecurity/progpilot", "description": "A static analysis tool for security purposes.", "stars": "360"}, {"name": "Psalm", "url": "https://psalm.dev", "description": "Static analysis tool for finding type errors in PHP applications."}, {"name": "rector", "url": "https://getrector.org", "description": "Instant Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. 
The main use-cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more."}, {"name": "Reflection", "url": "https://github.com/phpDocumentor/Reflection", "description": "Reflection library to do Static Analysis for PHP Projects", "stars": "126"}, {"name": "Symfony Insight", "url": "https://insight.symfony.com/", "description": ""}, {"name": "Tuli", "url": "https://github.com/ircmaxell/Tuli", "description": "A static analysis engine.", "stars": "169"}, {"name": "twig-lint", "url": "https://github.com/asm89/twig-lint", "description": "twig-lint is a lint tool for your twig files.", "stars": "118"}, {"name": "WAP", "url": "https://securityonline.info/owasp-wap-web-application-protection-project", "description": "Tool that detects and corrects input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining."}, {"name": "ZPA", "url": "https://zpa.felipebz.com", "description": "An open source parser and code analyzer for PL/SQL and Oracle SQL code."}, {"name": "Perl::Analyzer", "url": "https://technix.github.io/Perl-Analyzer/", "description": "Perl-Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER."}, {"name": "Perl::Critic", "url": "https://metacpan.org/pod/Perl::Critic", "description": "Critique Perl source code for best-practices."}, {"name": "perltidy", "url": "https://perltidy.sourceforge.net/", "description": "Perltidy is a Perl script which indents and reformats Perl scripts to make them easier to read."}, {"name": "zarn", "url": "https://github.com/htrgouvea/zarn", "description": "A lightweight static security analysis tool for 
modern Perl Apps", "stars": "56"}, {"name": "autoflake", "url": "https://github.com/PyCQA/autoflake", "description": "Autoflake removes unused imports and unused variables from Python code.", "stars": "951"}, {"name": "autopep8", "url": "https://pypi.org/project/autopep8/", "description": "A tool that automatically formats Python code to conform to the PEP 8 style guide."}, {"name": "bandit", "url": "https://bandit.readthedocs.io/en/latest", "description": "A tool to find common security issues in Python code."}, {"name": "bellybutton", "url": "https://github.com/hchasestevens/bellybutton", "description": "A linting engine supporting custom project-specific rules.", "stars": "278"}, {"name": "Black", "url": "https://black.readthedocs.io/en/stable", "description": "The uncompromising Python code formatter."}, {"name": "Bowler", "url": "https://pybowler.io/", "description": "Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code."}, {"name": "Code Pathfinder", "url": "https://codepathfinder.dev", "description": "An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. Built for advanced structural search, derive insights, find vulnerabilities in code."}, {"name": "deal", "url": "https://deal.readthedocs.io/", "description": "Design by contract for Python. Write bug-free code. 
By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more."}, {"name": "Dlint", "url": "https://github.com/dlint-py/dlint", "description": "A tool for ensuring Python code is secure.", "stars": "174"}, {"name": "Dodgy", "url": "https://github.com/landscapeio/dodgy", "description": "Dodgy is a very basic tool to run against your codebase to search for \"dodgy\" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files.", "stars": "127"}, {"name": "fixit", "url": "https://pypi.org/project/fixit", "description": "A framework for creating lint rules and corresponding auto-fixes for source code."}, {"name": "flake8", "url": "https://github.com/PyCQA/flake8", "description": "A wrapper around `pyflakes`, `pycodestyle` and `mccabe`.", "stars": "3.8k"}, {"name": "flakeheaven", "url": "https://pypi.org/project/flakeheaven/", "description": "flakeheaven is a python linter built around flake8 to enable inheritable and complex toml configuration."}, {"name": "Griffe", "url": "https://mkdocstrings.github.io/griffe/", "description": "Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API."}, {"name": "jedi", "url": "https://jedi.readthedocs.io/en/latest", "description": "Autocompletion/static analysis library for Python."}, {"name": "linty fresh", "url": "https://github.com/lyft/linty_fresh", "description": "Parse lint errors and report them to Github as comments on a pull request.", "stars": "185"}, {"name": "mbake", "url": "https://pypi.org/project/mbake/", "description": "mbake is a Makefile formatter and linter. 
It only took 50 years!"}, {"name": "mypy", "url": "http://www.mypy-lang.org", "description": "A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with [MonkeyType (\u2b505k)](https://github.com/Instagram/MonkeyType)."}, {"name": "pip-audit", "url": "https://github.com/pypa/pip-audit", "description": "Tool for scanning Python packages for known vulnerabilities. Developed by the Python Packaging Authority (PyPA) and supported by Trail of Bits and Google. Scans Python environments and requirements files to identify vulnerable packages and suggests remediation. Supports GitHub Actions, pre-commit hooks, and multiple vulnerability service integrations.", "stars": "1.2k"}, {"name": "prospector", "url": "https://github.com/PyCQA/prospector", "description": "A wrapper around `pylint`, `pep8`, `mccabe` and others.", "stars": "2.1k"}, {"name": "pyanalyze", "url": "https://pyanalyze.readthedocs.io/en/latest/", "description": "A tool for programmatically detecting common mistakes in Python code, such as references to undefined variables and type errors. It can be extended to add additional rules and perform checks specific to particular functions."}, {"name": "pycodestyle", "url": "https://pycodestyle.pycqa.org/en/latest", "description": "(Formerly `pep8`) Check Python code against some of the style conventions in PEP 8."}, {"name": "pyflakes", "url": "https://pypi.org/project/pyflakes", "description": "Check Python source files for errors."}, {"name": "pylint", "url": "http://pylint.pycqa.org/en/latest", "description": "Looks for programming errors, helps enforcing a coding standard and sniffs for some code smells. 
It additionally includes `pyreverse` (an UML diagram generator) and `symilar` (a similarities checker)."}, {"name": "pylyzers", "url": "https://mtshiba.github.io/pylyzer/", "description": "A static code analyzer / language server for Python, written in Rust, focused on type checking and readable output."}, {"name": "Pyra", "url": "https://github.com/spangea/Pyra", "description": "Pyra is a high-level linter static analyzer for data science applications written in Python, that helps developers identify potential issues in their data science code written in Python, as an extension of [Lyra (\u2b5031)](https://github.com/caterinaurban/Lyra).", "stars": "30"}, {"name": "pyrefly", "url": "https://pyrefly.org/", "description": "A fast, incremental type checker and language server for Python, providing IDE features like code navigation, semantic highlighting, and code completion."}, {"name": "pyright", "url": "https://github.com/Microsoft/pyright", "description": "Static type checker for Python, created to address gaps in existing tools like mypy.", "stars": "15k"}, {"name": "pyroma", "url": "https://github.com/regebro/pyroma", "description": "Rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved.", "stars": "232"}, {"name": "Pysa", "url": "https://pyre-check.org/docs/pysa-basics.html", "description": "A tool based on Facebook's pyre-check to identify potential security issues in Python code identified with taint analysis."}, {"name": "pytype", "url": "https://google.github.io/pytype", "description": "A static type analyzer for Python code."}, {"name": "pyupgrade", "url": "https://pypi.org/project/pyupgrade-docs/", "description": "A tool (and pre-commit hook) to automatically upgrade syntax for newer versions of the language."}, {"name": "refurb", "url": "https://github.com/dosisod/refurb", "description": "A tool for refurbishing and modernizing Python codebases. 
Refurb is heavily inspired by clippy, the built-in linter for Rust.", "stars": "2.5k"}, {"name": "ruff", "url": "https://astral.sh/ruff", "description": "Fast Python linter, written in Rust. 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher."}, {"name": "Safety", "url": "https://safetycli.com/", "description": "Python dependency vulnerability scanner designed to enhance software supply chain security by detecting packages with known vulnerabilities. Checks Python dependencies against a database of known security vulnerabilities and provides detailed reports. Supports CI/CD integration and multiple output formats."}, {"name": "ty", "url": "https://docs.astral.sh/ty/", "description": "An extremely fast Python type checker written in Rust."}, {"name": "unimport", "url": "https://unimport.hakancelik.dev", "description": "A linter, formatter for finding and removing unused import statements."}, {"name": "vulture", "url": "https://github.com/jendrikseipp/vulture", "description": "Find unused classes, functions and variables in Python code.", "stars": "4.4k"}, {"name": "wemake-python-styleguide", "url": "https://wemake-python-styleguide.rtfd.io/", "description": "The strictest and most opinionated python linter ever."}, {"name": "wily", "url": "https://github.com/tonybaloney/wily", "description": "A command-line tool for archiving, exploring and graphing the complexity of Python source code.", "stars": "1.3k"}, {"name": "CodeDepends", "url": "https://github.com/duncantl/CodeDepends", "description": "Static Code Analysis for R.", "stars": "93"}, {"name": "cyclocomp", "url": "https://github.com/MangoTheCat/cyclocomp", "description": "Quantifies the cyclomatic complexity of R functions / expressions.", "stars": "48"}, {"name": "flowR", "url": "https://github.com/flowr-analysis/flowr", "description": "A [program slicer (\u2b5087)](https://github.com/flowr-analysis/flowr/wiki/Terminology#program-slice) and [dataflow 
analyzer](https://en.wikipedia.org/wiki/Data-flow_analysis) for the [R](https://www.r-project.org/) programming language. Its slicer allows you to reduce a complicated program just to the parts related for a specific task (e.g., the generation of a single or collection of plots, a significance test, ...). The dataflow analysis provides you with a detailed view on the semantics of the R code which can greatly improve other analyses. To use *flowR*, check out the [Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=code-inspect.vscode-flowr), the [RStudio Addin (\u2b505)](https://github.com/flowr-analysis/rstudio-addin-flowr), the [Docker image](https://hub.docker.com/r/eagleoutice/flowr), or the [R package (\u2b503)](https://github.com/flowr-analysis/flowr-r-adapter).", "stars": "87"}, {"name": "goodpractice", "url": "https://docs.ropensci.org/goodpractice/", "description": "Analyses the source code for R packages and provides best-practice recommendations."}, {"name": "lintr", "url": "https://github.com/jimhester/lintr", "description": "Static Code Analysis for R.", "stars": "1.3k"}, {"name": "R Language Server", "url": "https://github.com/REditorSupport/languageserver/", "description": "Provides code completion, refactoring, folding, diagnostics (with lintr), and more for R.", "stars": "652"}, {"name": "rco", "url": "https://jcrodriguez1989.github.io/rco/", "description": "Performance optimizer for R code (with GUI)."}, {"name": "styler", "url": "https://styler.r-lib.org", "description": "Formatting of R source code files and pretty-printing of R code."}, {"name": "Regal", "url": "https://github.com/styrainc/regal", "description": "Regal is a linter for the policy language Rego. 
Regal aims to catch bugs and mistakes in policy code, while at the same time helping people learn the language, best practices and idiomatic constructs.", "stars": "365"}, {"name": "Active Record Doctor", "url": "https://github.com/gregnavis/active_record_doctor", "description": "Identify database issues before they hit production.", "stars": "1.9k"}, {"name": "brakeman", "url": "https://brakemanscanner.org", "description": "A static analysis security vulnerability scanner for Ruby on Rails applications."}, {"name": "Bullet", "url": "https://github.com/flyerhzm/bullet", "description": "Helps to kill N+1 queries and unused eager loading.", "stars": "7.3k"}, {"name": "bundler-audit", "url": "https://github.com/rubysec/bundler-audit", "description": "Audit Gemfile.lock for gems with security vulnerabilities reported in [Ruby Advisory Database (\u2b501.1k)](https://github.com/rubysec/ruby-advisory-db).", "stars": "2.7k"}, {"name": "DatabaseConsistency", "url": "https://github.com/djezzzl/database_consistency", "description": "A tool to avoid various issues due to inconsistencies and inefficiencies between a database schema and application models.", "stars": "1.2k"}, {"name": "dawnscanner", "url": "https://github.com/thesp0nge/dawnscanner", "description": "A static analysis security scanner for web applications written in Ruby. 
It supports Sinatra, Padrino and Ruby on Rails frameworks.", "stars": "748"}, {"name": "ERB Lint", "url": "https://github.com/Shopify/erb-lint", "description": "Lint your ERB or HTML files", "stars": "742"}, {"name": "ERB::Formatter", "url": "https://github.com/nebulab/erb-formatter", "description": "Format ERB files with speed and precision.", "stars": "194"}, {"name": "Fasterer", "url": "https://github.com/DamirSvrtan/fasterer", "description": "Common Ruby idioms checker.", "stars": "1.8k"}, {"name": "flay", "url": "https://ruby.sadi.st/Flay.html", "description": "Flay analyzes code for structural similarities."}, {"name": "flog", "url": "https://ruby.sadi.st/Flog.html", "description": "Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in."}, {"name": "Fukuzatsu", "url": "https://github.com/CoralineAda/fukuzatsu", "description": "A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added \"opinions\".", "stars": "32"}, {"name": "htmlbeautifier", "url": "https://github.com/threedaymonk/htmlbeautifier", "description": "A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates.", "stars": "371"}, {"name": "pelusa", "url": "https://github.com/codegram/pelusa", "description": "Static analysis Lint-type tool to improve your OO Ruby code.", "stars": "436"}, {"name": "rails\\_best\\_practices", "url": "https://rails-bestpractices.com", "description": "A code metric tool for Rails projects"}, {"name": "reek", "url": "https://github.com/troessner/reek", "description": "Code smell detector for Ruby.", "stars": "4.1k"}, {"name": "Roodi", "url": "https://github.com/roodi/roodi", "description": "Roodi stands for Ruby Object Oriented Design Inferometer. 
It parses your Ruby code and warns you about design issues you have based on the checks that it has configured.", "stars": "277"}, {"name": "RuboCop", "url": "https://docs.rubocop.org/rubocop", "description": "A Ruby static code analyzer, based on the community Ruby style guide."}, {"name": "Rubrowser", "url": "https://github.com/blazeeboy/rubrowser", "description": "Ruby classes interactive dependency graph generator.", "stars": "644"}, {"name": "rubycritic", "url": "https://github.com/whitesmith/rubycritic", "description": "A Ruby code quality reporter.", "stars": "3.5k"}, {"name": "rufo", "url": "https://github.com/ruby-formatter/rufo", "description": "An opinionated ruby formatter, intended to be used via the command line as a text-editor plugin, to autoformat files on save or on demand.", "stars": "933"}, {"name": "Skunk", "url": "https://github.com/fastruby/skunk", "description": "A SkunkScore Calculator for Ruby Code -- Find the most complicated code without test coverage!", "stars": "543"}, {"name": "Sorbet", "url": "https://sorbet.org", "description": "A fast, powerful type checker designed for Ruby."}, {"name": "Standard Ruby", "url": "https://github.com/testdouble/standard", "description": "Ruby Style Guide, with linter & automatic code fixer", "stars": "2.9k"}, {"name": "Steep", "url": "https://github.com/soutaro/steep", "description": "Gradual Typing for Ruby.", "stars": "1.5k"}, {"name": "Traceroute", "url": "https://github.com/amatsuda/traceroute", "description": "A Rake task gem that helps you find the unused routes and controller actions for your Rails 3+ app.", "stars": "904"}, {"name": "C2Rust", "url": "https://c2rust.com", "description": "C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code."}, {"name": "cargo udeps", "url": "https://github.com/est31/cargo-udeps", "description": "Find unused dependencies in Cargo.toml. 
It either prints out an \"unused crates\" line listing the crates, or it prints out a line saying that no crates were unused.", "stars": "2.1k"}, {"name": "cargo-audit", "url": "https://rustsec.org", "description": "Audit Cargo.lock for crates with security vulnerabilities reported to the [RustSec Advisory Database (\u2b501.1k)](https://github.com/RustSec/advisory-db/)."}, {"name": "cargo-breaking", "url": "https://github.com/iomentum/cargo-breaking", "description": "cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver.", "stars": "111"}, {"name": "cargo-call-stack", "url": "https://github.com/japaric/cargo-call-stack", "description": "Whole-program static stack analysis. The tool produces the full call graph of a program as a dot file.", "stars": "650"}, {"name": "cargo-deny", "url": "https://embarkstudios.github.io/cargo-deny", "description": "A cargo plugin for linting your dependencies. It can be used either as a command-line tool, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more."}, {"name": "cargo-expand", "url": "https://github.com/dtolnay/cargo-expand", "description": "Cargo subcommand to show result of macro expansion and #\\[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command.", "stars": "3k"}, {"name": "cargo-geiger", "url": "https://github.com/geiger-rs/cargo-geiger", "description": "A cargo plugin for analysing the usage of unsafe Rust code. Provides statistical output to aid security auditing.", "stars": "1.6k"}, {"name": "cargo-semver-checks", "url": "https://crates.io/crates/cargo-semver-checks", "description": "Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like `release-plz`. 
It found semver violations in [more than 1 in 6 of the top 1000 most-downloaded crates](https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/) on crates.io."}, {"name": "cargo-show-asm", "url": "https://github.com/pacak/cargo-show-asm", "description": "cargo subcommand showing the assembly, LLVM-IR and MIR generated for Rust code", "stars": "929"}, {"name": "cargo-spellcheck", "url": "https://github.com/drahnr/cargo-spellcheck", "description": "Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview)", "stars": "359"}, {"name": "clippy", "url": "https://rust-lang.github.io/rust-clippy", "description": "A code linter to catch common mistakes and improve your Rust code."}, {"name": "diff.rs", "url": "https://diff.rs", "description": "Web application (WASM) to render a diff between Rust crate versions."}, {"name": "dylint", "url": "https://www.trailofbits.com/post/write-rust-lints-without-forking-clippy", "description": "A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections."}, {"name": "kani", "url": "https://github.com/model-checking/kani", "description": "The Kani Rust Verifier is a bit-precise model checker for Rust.", "stars": "3k"}, {"name": "lockbud", "url": "https://github.com/BurtonQin/lockbud", "description": "Statically detects Rust deadlock bugs. It currently detects two common kinds of deadlock bugs: doublelock and locks in conflicting order. 
It will print bugs in JSON format together with the source code location and an explanation of each bug.", "stars": "588"}, {"name": "rust-analyzer", "url": "https://rust-analyzer.github.io", "description": "Supports functionality such as 'goto definition', type inference, symbol search, reformatting, and code completion, and enables renaming and refactorings."}, {"name": "rust-audit", "url": "https://github.com/Shnatsel/rust-audit", "description": "Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.", "stars": "811"}, {"name": "rustfix", "url": "https://github.com/rust-lang/rustfix", "description": "Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).", "stars": "853"}, {"name": "rustfmt", "url": "https://github.com/rust-lang/rustfmt", "description": "A tool for formatting Rust code according to style guidelines.", "stars": "6.8k"}, {"name": "RustViz", "url": "https://github.com/rustviz/rustviz", "description": "RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.", "stars": "2.8k"}, {"name": "TangleGuard", "url": "https://tangleguard.com/", "description": ""}, {"name": "dbcritic", "url": "https://github.com/channable/dbcritic", "description": "dbcritic finds problems in a database schema, such as a missing primary key constraint in a table.", "stars": "179"}, {"name": "holistic", "url": "https://holistic.dev/", "description": "More than 1,300 rules to analyze SQL queries. Takes an SQL schema definition and the query source code to generate improvement recommendations. 
Detects code smells, unused indexes, unused tables, views, materialized views, and more."}, {"name": "pgspot", "url": "https://github.com/timescale/pgspot", "description": "Spot vulnerabilities in postgres extension scripts. Finds unsafe search\\_path usage and unsafe object creation in PostgreSQL extension scripts or any other PostgreSQL SQL code.", "stars": "130"}, {"name": "sleek", "url": "https://github.com/nrempel/sleek", "description": "Sleek is a CLI tool for formatting SQL. It helps you maintain a consistent style across your SQL code, enhancing readability and productivity. The heavy lifting is done by the sqlformat crate.", "stars": "274"}, {"name": "SQLFluff", "url": "https://www.sqlfluff.com/", "description": "Multiple dialect SQL linter and formatter."}, {"name": "sqlint", "url": "https://github.com/purcell/sqlint", "description": "Simple SQL linter.", "stars": "437"}, {"name": "squawk", "url": "https://squawkhq.com", "description": "Linter for PostgreSQL, focused on migrations. Prevents unexpected downtime caused by database migrations and encourages best practices around Postgres schemas and SQL."}, {"name": "Visual Expert", "url": "https://www.visual-expert.com", "description": ""}, {"name": "Scalastyle", "url": "http://www.scalastyle.org", "description": "Scalastyle examines your Scala code and indicates potential problems with it."}, {"name": "scapegoat", "url": "https://github.com/sksamuel/scapegoat", "description": "Scala compiler plugin for static code analysis.", "stars": "554"}, {"name": "WartRemover", "url": "https://www.wartremover.org", "description": "A flexible Scala code linting tool."}, {"name": "bashate", "url": "https://github.com/openstack/bashate", "description": "Code style enforcement for bash programs. The output format aims to follow pycodestyle (pep8) default output format.", "stars": "394"}, {"name": "kmdr", "url": "https://github.com/ediardo/kmdr-cli", "description": "CLI tool for learning commands from your terminal. 
kmdr delivers a break down of commands with every attribute explained.", "stars": "19"}, {"name": "sh", "url": "https://pkg.go.dev/mvdan.cc/sh/v3", "description": "A shell parser, formatter, and interpreter with bash support; includes shfmt"}, {"name": "shellcheck", "url": "https://www.shellcheck.net", "description": "ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts."}, {"name": "shellharden", "url": "https://github.com/anordal/shellharden", "description": "A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.", "stars": "4.8k"}, {"name": "SwiftFormat", "url": "https://github.com/nicklockwood/SwiftFormat", "description": "A library and command-line formatting tool for reformatting Swift code.", "stars": "8.7k"}, {"name": "SwiftLint", "url": "https://realm.github.io/SwiftLint", "description": "A tool to enforce Swift style and conventions."}, {"name": "Frink", "url": "http://catless.ncl.ac.uk/Programs/Frink", "description": "A Tcl formatting and static check program (can prettify the program, minimise, obfuscate or just sanity check it)."}, {"name": "Nagelfar", "url": "https://sourceforge.net/projects/nagelfar", "description": "A static syntax checker for Tcl."}, {"name": "tclchecker", "url": "https://github.com/ActiveState/tdk/blob/master/docs/3.0/TDK_3.0_Checker.txt", "description": "A static syntax analysis module (as part of [TDK (\u2b5081)](https://github.com/ActiveState/tdk)).", "stars": "81"}, {"name": "Angular ESLint", "url": "https://github.com/angular-eslint/angular-eslint#readme", "description": "Linter for Angular projects", "stars": "1.8k"}, {"name": "ENRE-ts", "url": "https://github.com/xjtu-enre/ENRE-ts", "description": "ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. 
ENRE-ts is a ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser.", "stars": "15"}, {"name": "fta", "url": "https://ftaproject.dev/", "description": "Rust-based static analysis for TypeScript projects"}, {"name": "tslint-clean-code", "url": "https://www.npmjs.com/package/tslint-clean-code", "description": "A set of TSLint rules inspired by the Clean Code handbook."}, {"name": "TypeScript Call Graph", "url": "https://github.com/whyboris/TypeScript-Call-Graph", "description": "CLI to generate an interactive graph of functions and calls from your TypeScript files", "stars": "284"}, {"name": "TypeScript ESLint", "url": "https://github.com/typescript-eslint/typescript-eslint", "description": "TypeScript language extension for eslint.", "stars": "16k"}, {"name": "zod", "url": "https://zod.dev", "description": "TypeScript-first schema validation with static type inference. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures."}, {"name": "svls", "url": "https://github.com/dalance/svls", "description": "A Language Server Protocol implementation for Verilog and SystemVerilog, including lint capabilities.", "stars": "564"}, {"name": "Verilator", "url": "https://www.veripool.org/verilator", "description": "A tool which converts Verilog to a cycle-accurate behavioral model in C++ or SystemC. Performs lint code-quality checks."}, {"name": "vscode-verilog-hdl-support", "url": "https://github.com/mshr-h/vscode-verilog-hdl-support", "description": "Verilog HDL/SystemVerilog/Bluespec SystemVerilog support for VS Code. Provides syntax highlighting and Linting support from Icarus Verilog, Vivado Logical Simulation, Modelsim and Verilator", "stars": "356"}, {"name": "Twiggy", "url": "https://github.com/rustwasm/twiggy", "description": "Analyzes a binary's call graph to profile code size. 
The goal is to slim down wasm binary size.", "stars": "1.4k"}, {"name": "wasm-language-tools", "url": "https://github.com/g-plane/wasm-language-tools", "description": "WebAssembly Language Tools aims to provide and improve the editing experience of WebAssembly Text Format. It also provides an out-of-the-box formatter (a.k.a. pretty printer) for WebAssembly Text Format.", "stars": "70"}, {"name": "ale", "url": "https://github.com/w0rp/ale", "description": "Asynchronous Lint Engine for Vim and NeoVim with support for many languages.", "stars": "14k"}, {"name": "Android Studio", "url": "https://developer.android.com/studio", "description": "Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint."}, {"name": "AppChecker", "url": "https://npo-echelon.ru/en/solutions/appchecker.php", "description": ""}, {"name": "Application Inspector", "url": "https://www.ptsecurity.com/ww-en/products/ai", "description": ""}, {"name": "ApplicationInspector", "url": "https://github.com/microsoft/ApplicationInspector", "description": "Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).", "stars": "4.4k"}, {"name": "ArchUnit", "url": "https://www.archunit.org", "description": "Unit test your Java or Kotlin architecture."}, {"name": "ast-grep", "url": "https://ast-grep.github.io/", "description": "ast-grep is a powerful tool designed for managing code at scale using Abstract Syntax Trees (AST). 
Think of it as a hybrid of grep, eslint, and codemod, with the ability to search, lint, and rewrite code based on its structure rather than plain text."}, {"name": "autocorrect", "url": "https://huacnlee.github.io/autocorrect", "description": "A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean)."}, {"name": "Axivion Bauhaus Suite", "url": "https://www.axivion.com/en/products-services-9#products_bauhaussuite", "description": ""}, {"name": "Bearer", "url": "https://github.com/bearer/bearer", "description": "Open-Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.", "stars": "2.6k"}, {"name": "Better Code Hub", "url": "https://bettercodehub.com", "description": ""}, {"name": "biome", "url": "https://biomejs.dev", "description": "A toolchain for web projects, aimed to provide functionalities to maintain them. Biome formats and lints code in a fraction of a second. It is the successor to Rome. 
It is designed to eventually replace Babel, ESLint, webpack, Prettier, Jest, and others."}, {"name": "BlockWatch", "url": "https://github.com/mennanov/blockwatch", "description": "A language-agnostic linter that keeps code, documentation, and configuration in sync and enforces strict formatting and validation rules.", "stars": "24"}, {"name": "callGraph", "url": "https://github.com/koknat/callGraph", "description": "Statically generates a call graph image and displays it on screen.", "stars": "327"}, {"name": "CAST Highlight", "url": "https://www.castsoftware.com/products/highlight", "description": ""}, {"name": "Checkmarx CxSAST", "url": "https://www.checkmarx.com/products/static-application-security-testing", "description": ""}, {"name": "ClassGraph", "url": "https://github.com/classgraph/classgraph", "description": "A classpath and module path scanner for querying or visualizing class metadata or class relatedness.", "stars": "3k"}, {"name": "Clayton", "url": "https://www.getclayton.com/", "description": ""}, {"name": "Cobra", "url": "https://spinroot.com/cobra", "description": ""}, {"name": "Codacy", "url": "https://www.codacy.com", "description": ""}, {"name": "Code Intelligence", "url": "https://www.code-intelligence.com", "description": ""}, {"name": "Code-Graph-RAG", "url": "https://code-graph-rag.com", "description": "Builds knowledge graphs from multi-language codebases using Tree-sitter AST parsing and stores them in Memgraph. Supports 11 programming languages with a unified graph schema and enables natural language querying and editing of code structure and relationships. 
Functions as an MCP server for AI assistant integration."}, {"name": "Codeac", "url": "https://www.codeac.io/?ref=awesome-static-analysis", "description": ""}, {"name": "codeburner", "url": "https://groupon.github.io/codeburner", "description": "Provides a unified interface to sort and act on the issues it finds."}, {"name": "codechecker", "url": "https://codechecker.readthedocs.io/en/latest", "description": "A defect database and viewer extension for the Clang Static Analyzer with web GUI."}, {"name": "CodeFactor", "url": "https://codefactor.io", "description": ""}, {"name": "CodeFlow", "url": "https://www.getcodeflow.com", "description": ""}, {"name": "Codemodder", "url": "https://codemodder.io/", "description": "Codemodder is a pluggable framework for building expressive codemods. Use Codemodder when you need more than a linter or code formatting tool. Use it to fix non-trivial security issues and other code quality problems."}, {"name": "codeql", "url": "https://github.com/github/codeql", "description": "Deep code analysis - semantic queries and dataflow for several languages with VSCode plugin support.", "stars": "9.3k"}, {"name": "CodeQue", "url": "https://codeque.co", "description": "Ecosystem for structural matching of JavaScript and TypeScript code. Offers a search tool that understands code structure. Available as a CLI tool and Visual Studio Code extension. It helps you search code faster and more accurately, making your workflow more effective. 
Soon it will offer ESLint plugin to create your own rules in minutes to help with assuring codebase quality."}, {"name": "CodeRush", "url": "https://www.devexpress.com/products/coderush", "description": ""}, {"name": "CodeScan", "url": "https://www.codescan.io/", "description": ""}, {"name": "CodeScene", "url": "https://codescene.com", "description": ""}, {"name": "CodeSee", "url": "https://www.codesee.io/", "description": ""}, {"name": "CodeSonar from GrammaTech", "url": "https://codesecure.com/our-products/codesonar/", "description": ""}, {"name": "Codety", "url": "https://www.codety.io", "description": ""}, {"name": "Codiga", "url": "https://www.codiga.io", "description": ""}, {"name": "Corgea", "url": "https://corgea.com/", "description": ""}, {"name": "Coverity", "url": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html", "description": ""}, {"name": "cpp-linter-action", "url": "https://cpp-linter.github.io/cpp-linter-action/", "description": "A Github Action for linting C/C++ code integrating clang-tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations."}, {"name": "DeepSource", "url": "https://deepsource.com", "description": ""}, {"name": "deleaker", "url": "https://www.deleaker.com/", "description": ""}, {"name": "Depends", "url": "https://github.com/multilang-depends/depends", "description": "Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby.", "stars": "247"}, {"name": "DerScanner", "url": "https://derscanner.com/", "description": ""}, {"name": "DevSkim", "url": "https://github.com/microsoft/devskim", "description": "Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.", "stars": "976"}, {"name": "diesel-guard", "url": "https://github.com/ayarotsky/diesel-guard", "description": "Linter for dangerous Postgres migration patterns in Diesel and SQLx. 
Prevents downtime caused by unsafe schema changes.", "stars": "104"}, {"name": "dotnet-format", "url": "https://github.com/dotnet/format", "description": "A code formatter for .NET. Preferences will be read from an `.editorconfig` file, if present, otherwise a default set of preferences will be used. At this time dotnet-format is able to format C# and Visual Basic projects with a subset of supported `.editorconfig` options.", "stars": "1.9k"}, {"name": "Embold", "url": "https://embold.io", "description": ""}, {"name": "Enforster AI", "url": "https://enforster.ai/", "description": ""}, {"name": "ESLint", "url": "https://github.com/eslint/eslint", "description": "An extensible linter for JS, following the ECMAScript standard.", "stars": "27k"}, {"name": "ezno", "url": "https://kaleidawave.github.io/posts/introducing-ezno/", "description": "A JavaScript compiler and TypeScript checker written in Rust with a focus on static analysis and runtime performance. Ezno's type checker is built from scratch. The checker is fully compatible with TypeScript type annotations and can work without any type annotations at all."}, {"name": "Find Security Bugs", "url": "https://find-sec-bugs.github.io", "description": "The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)"}, {"name": "Fortify", "url": "https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer", "description": ""}, {"name": "Freeplane Code Explorer", "url": "https://docs.freeplane.org/user-documentation/Code_Explorer.html", "description": "The Code Explorer mode in Freeplane is designed for analyzing the structure and dependencies of code compiled to JVM class files. 
It also allows displaying ArchUnit test results directly in Freeplane, if Freeplane is running and ArchUnit detects rule violations during the tests."}, {"name": "Goodcheck", "url": "https://sider.github.io/goodcheck", "description": "Regexp based customizable linter."}, {"name": "graudit", "url": "http://www.justanotherhacker.com", "description": "Grep rough audit - source code auditing tool."}, {"name": "HCL AppScan Source", "url": "https://www.hcltechsw.com/products/appscan", "description": ""}, {"name": "Hound CI", "url": "https://houndci.com", "description": "Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift."}, {"name": "Infer", "url": "https://fbinfer.com", "description": "A static analyzer for Java, C and Objective-C"}, {"name": "Joern", "url": "https://joern.io", "description": "Joern is a platform for analyzing source code, bytecode, and binary executables. It generates code property graphs (CPGs), a graph representation of code for cross-language code analysis. Code property graphs are stored in a custom graph database. This allows code to be mined using search queries formulated in a Scala-based domain-specific query language. Joern is developed with the goal of providing a useful tool for vulnerability discovery and research in static program analysis."}, {"name": "jQAssistant", "url": "https://jqassistant.org/", "description": "jQAssistant is a plugin based software analytics platform which allows scanning code structures and metadata from repositories into a Neo4j graph database. The gathered data can be used for ad-hoc exploration using queries, visualization or defining rules for continuous architecture validation."}, {"name": "keploy", "url": "https://keploy.io/", "description": "Keploy is an open-source testing platform that helps developers automate and streamline their testing process. 
It provides API, and integration testing agents, generating tests, mocks/stubs for APIs that actually work. Additionally, Keploy offers an AI-powered Unit Testing Agent that generates stable, useful unit tests directly in your GitHub PRs and in VSCode, helping catch errors and improve code quality."}, {"name": "Kiuwan", "url": "https://www.kiuwan.com/code-security-sast", "description": ""}, {"name": "Klocwork", "url": "https://www.perforce.com/products/klocwork", "description": ""}, {"name": "LangLint", "url": "https://github.com/HzaCode/Langlint", "description": "Automated translation platform for code comments and docstrings across 20+ file types. Eliminates language barriers in international software collaboration. Supports 100+ language pairs with syntax protection. Integrates into CI/CD pipelines like Ruff. 10-20x faster with concurrent processing."}, {"name": "LGTM", "url": "https://lgtm.com/", "description": ""}, {"name": "lizard", "url": "https://github.com/terryyin/lizard", "description": "Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. 
Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.", "stars": "2.3k"}, {"name": "Mega-Linter", "url": "https://megalinter.io/", "description": "Mega-Linter can handle any type of project thanks to its 70+ embedded Linters,"}, {"name": "Mobb", "url": "https://mobb.ai", "description": ""}, {"name": "MOPSA", "url": "https://mopsa.lip6.fr", "description": "A static analyzer designed to easily reuse abstract domains across widely different languages (such as C and Python)."}, {"name": "Neurolint-CLI", "url": "https://neurolint.dev", "description": "Deterministic code transformation tool using AST parsing and rule-based transformations."}, {"name": "oclint", "url": "http://oclint.org", "description": "A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C."}, {"name": "Offensive 360", "url": "https://offensive360.com/", "description": ""}, {"name": "OpenRewrite", "url": "https://docs.openrewrite.org/", "description": "OpenRewrite [fixes common static analysis issues](https://docs.openrewrite.org/running-recipes/popular-recipe-guides/common-static-analysis-issue-remediation) reported through Sonar and other tools using a Maven and Gradle plugin or the Moderne CLI."}, {"name": "OpenStaticAnalyzer", "url": "https://github.com/sed-inf-u-szeged/OpenStaticAnalyzer", "description": "OpenStaticAnalyzer is a source code analyzer tool, which can perform deep static analysis of the source code of complex systems.", "stars": "48"}, {"name": "oxc", "url": "https://github.com/web-infra-dev/oxc", "description": "The Oxidation Compiler is creating a suite of high-performance tools for the JavaScript / TypeScript language re-written in Rust.", "stars": "20k"}, {"name": "parasoft", "url": "https://www.parasoft.com/", "description": ""}, {"name": "pfff", "url": "https://github.com/facebookarchive/pfff/wiki/Main", "description": "Facebook's tools for code analysis, 
visualizations, or style-preserving source transformation for many languages.", "stars": "2.4k"}, {"name": "Pixee", "url": "https://pixee.ai", "description": ""}, {"name": "PMD", "url": "https://pmd.github.io", "description": "A source code analyzer for Java, Salesforce Apex, Javascript, PLSQL, XML, XSL and others."}, {"name": "pre-commit", "url": "https://pre-commit.com", "description": "A framework for managing and maintaining multi-language pre-commit hooks."}, {"name": "Precaution", "url": "https://www.securesauce.dev/", "description": "Precaution is a static analysis security tool (SAST) designed to find potentially critical vulnerabilities in source code prior to production. It is available as a CLI, GitHub Action, and GitHub App."}, {"name": "Prettier", "url": "https://prettier.io", "description": "An opinionated code formatter."}, {"name": "Pronto", "url": "https://github.com/prontolabs/pronto", "description": "Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more.", "stars": "2.7k"}, {"name": "Putout", "url": "https://github.com/coderaiser/putout", "description": "Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json.", "stars": "782"}, {"name": "PVS-Studio", "url": "https://pvs-studio.com", "description": ""}, {"name": "pylama", "url": "https://klen.github.io/pylama/", "description": "Code audit tool for Python and JavaScript. 
Wraps pycodestyle, pydocstyle, PyFlakes, Mccabe, Pylint, and more"}, {"name": "Qwiet AI", "url": "https://qwiet.ai/", "description": ""}, {"name": "Refactoring Essentials", "url": "https://marketplace.visualstudio.com/items?itemName=SharpDevelopTeam.RefactoringEssentialsforVisualStudio", "description": "The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers."}, {"name": "relint", "url": "https://github.com/codingjoe/relint", "description": "A static file linter that allows you to write custom rules using regular expressions (RegEx).", "stars": "65"}, {"name": "ReSharper", "url": "https://www.jetbrains.com/resharper", "description": ""}, {"name": "Rev-dep", "url": "https://github.com/jayu/rev-dep", "description": "Dependency analysis and optimization toolkit for modern JavaScript and TypeScript projects. Trace imports, identify circular dependencies, find unused code, clean node modules.", "stars": "214"}, {"name": "RIPS", "url": "https://www.ripstech.com", "description": ""}, {"name": "Roslyn Analyzers", "url": "https://github.com/dotnet/roslyn-analyzers", "description": "Roslyn-based implementation of FxCop analyzers.", "stars": "1.7k"}, {"name": "Roslyn Security Guard", "url": "https://security-code-scan.github.io", "description": "Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more."}, {"name": "SafeQL", "url": "https://safeql.dev", "description": "Validate and auto-generate TypeScript types from raw SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe way."}, {"name": "SAST Online", "url": "https://sast.online/", "description": ""}, {"name": "Security Code Scan", "url": "https://security-code-scan.github.io", "description": "Security code analyzer for C# and VB.NET. 
Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer."}, {"name": "Semgrep", "url": "https://semgrep.dev", "description": "A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages."}, {"name": "Semgrep Supply Chain", "url": "https://semgrep.dev/products/semgrep-supply-chain", "description": ""}, {"name": "Seqra", "url": "https://seqra.dev", "description": "Security-focused static analyzer for Java and Kotlin web applications. Analyzes bytecode with Semgrep-style YAML rules and CodeQL-grade dataflow (with first-class Spring support) to find vulnerabilities that source-only scanners miss."}, {"name": "Sigrid", "url": "https://www.softwareimprovementgroup.com/solutions/sigrid-software-assurance-platform/", "description": ""}, {"name": "Similarity Tester", "url": "https://dickgrune.com/Programs/similarity_tester/", "description": "A tool that finds similarities between or within files to help you find DRY principle violations."}, {"name": "Skylos", "url": "https://github.com/duriantaco/skylos", "description": "Dead code detection, security scanning, secrets detection, and code quality analysis for Python, TypeScript, and Go. Framework-aware analysis with 98% recall. 
Includes CI/CD GitHub Action, VS Code extension, and MCP server for AI agent integration.", "stars": "336"}, {"name": "Snyk Code", "url": "https://snyk.io", "description": ""}, {"name": "SonarQube Cloud", "url": "https://sonarcloud.io", "description": ""}, {"name": "SonarQube for IDE", "url": "https://sonarlint.org", "description": "SonarQube for IDE (formerly SonarLint) is a free IDE extension available for IntelliJ, VS Code, Visual Studio, and Eclipse, to find and fix coding issues in real-time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it."}, {"name": "SonarQube Server", "url": "https://sonarqube.org", "description": "SonarQube empowers development teams with a code quality and security solution that deeply integrates into your enterprise environment; enabling you to deploy clean code consistently and reliably. SonarQube provides a free and open source Community Build."}, {"name": "Sonatype", "url": "https://www.sonatype.com", "description": ""}, {"name": "Soto Platform", "url": "https://www.hello2morrow.com/products/sotograph", "description": ""}, {"name": "SourceMeter", "url": "https://www.sourcemeter.com/", "description": ""}, {"name": "sqlvet", "url": "https://github.com/houqp/sqlvet", "description": "Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. 
It checks for SQL syntax errors, identifies unsafe queries that could potentially lead to SQL injection, makes sure the column count matches the value count in INSERT statements, and validates table and column names.", "stars": "497"}, {"name": "StaticReviewer", "url": "https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633/Static+Reviewer", "description": ""}, {"name": "Svace", "url": "https://www.ispras.ru/en/technologies/svace/", "description": ""}, {"name": "Synopsys", "url": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html", "description": ""}, {"name": "Teamscale", "url": "https://teamscale.com", "description": ""}, {"name": "TencentCodeAnalysis", "url": "https://tca.tencent.com/", "description": "Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early on) is a comprehensive platform for code analysis and issue tracking. TCA consists of three components: server, web and client. It integrates a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages."}, {"name": "ThreatMapper", "url": "https://github.com/deepfence/ThreatMapper", "description": "Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit.", "stars": "5.2k"}, {"name": "todocheck", "url": "https://github.com/preslavmihaylov/todocheck", "description": "Linter for integrating annotated TODOs with your issue trackers", "stars": "435"}, {"name": "trivy", "url": "https://github.com/aquasecurity/trivy", "description": "A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) 
and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems.", "stars": "33k"}, {"name": "trunk", "url": "https://trunk.io", "description": ""}, {"name": "TscanCode", "url": "https://github.com/Tencent/TscanCode", "description": "A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license.", "stars": "2.1k"}, {"name": "Undebt", "url": "https://github.com/Yelp/undebt", "description": "Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions.", "stars": "1.6k"}, {"name": "Understand", "url": "https://www.scitools.com", "description": ""}, {"name": "Unibeautify", "url": "https://unibeautify.com", "description": "Universal code beautifier with a GitHub app. Supports HTML, CSS, JavaScript, TypeScript, JSX, Vue, C++, Go, Objective-C, Java, Python, PHP, GraphQL, Markdown, and more."}, {"name": "Upsource", "url": "https://www.jetbrains.com/upsource", "description": ""}, {"name": "Veracode", "url": "https://www.veracode.com/security/static-code-analysis", "description": ""}, {"name": "WALA", "url": "https://github.com/wala/WALA", "description": "Static analysis capabilities for Java bytecode and related languages and for JavaScript.", "stars": "836"}, {"name": "weggli", "url": "https://github.com/googleprojectzero/weggli", "description": "A fast and robust semantic search tool for C and C++ codebases. 
It is designed to help security researchers identify interesting functionality in large codebases.", "stars": "2.5k"}, {"name": "WhiteHat Application Security Platform", "url": "https://source.whitehatsec.com/help/sentinel/sast-service-detail.html", "description": ""}, {"name": "XCode", "url": "https://developer.apple.com/xcode", "description": ""}, {"name": "Xygeni", "url": "https://xygeni.io/", "description": ""}, {"name": "GitGuardian ggshield", "url": "https://www.gitguardian.com/ggshield", "description": "ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350 types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase."}, {"name": "kics", "url": "https://kics.io/", "description": "Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible"}, {"name": "Steampunk Spotter", "url": "https://steampunk.si/spotter/", "description": ""}, {"name": "alquitran", "url": "https://github.com/ferivoz/alquitran", "description": "Inspects tar archives and tries to spot portability issues in regard to the POSIX 2017 pax specification and common tar implementations.", "stars": "22"}, {"name": "AzSK", "url": "https://azsk.azurewebsites.net/", "description": "Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), and CI/CD scans for vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Azure via ARM."}, {"name": "angr", "url": "https://github.com/angr/angr", "description": "Binary code analysis tool that also supports symbolic execution.", "stars": "8.5k"}, {"name": "binbloom", "url": "https://github.com/quarkslab/binbloom", "description": "Analyzes a raw firmware binary and determines features such as endianness or the loading address. 
The tool is compatible with all architectures.", "stars": "568"}, {"name": "BinSkim", "url": "https://github.com/Microsoft/binskim", "description": "A binary static analysis tool that provides security and correctness results for Windows portable executables.", "stars": "840"}, {"name": "Black Duck", "url": "https://www.blackducksoftware.com", "description": ""}, {"name": "bloaty", "url": "https://github.com/google/bloaty", "description": "Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compile unit that produced it. It will even disassemble the binary looking for references to anonymous data.", "stars": "5.4k"}, {"name": "cwe_checker", "url": "https://github.com/fkie-cad/cwe_checker", "description": "cwe_checker finds vulnerable patterns in binary executables.", "stars": "1.3k"}, {"name": "Ghidra", "url": "https://ghidra-sre.org", "description": "A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission"}, {"name": "Hopper", "url": "https://www.hopperapp.com/", "description": ""}, {"name": "IDA Free", "url": "https://www.hex-rays.com/products/ida/support/download_freeware", "description": ""}, {"name": "Jakstab", "url": "https://github.com/jkinder/jakstab", "description": "Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.", "stars": "163"}, {"name": "JEB Decompiler", "url": "https://www.pnfsoftware.com/", "description": ""}, {"name": "Malcat", "url": "https://malcat.fr/", "description": ""}, {"name": "Manalyze", "url": "https://github.com/JusticeRage/Manalyze", "description": "A 
static analyzer, which checks portable executables for malicious content.", "stars": "1.1k"}, {"name": "Nauz File Detector", "url": "https://github.com/horsicq/Nauz-File-Detector", "description": "Static Linker/Compiler/Tool detector for Windows, Linux and MacOS.", "stars": "569"}, {"name": "rhabdomancer", "url": "https://crates.io/crates/rhabdomancer", "description": "IDA Pro headless plugin that locates calls to potentially insecure API functions in a binary file."}, {"name": "rust-audit", "url": "https://github.com/Shnatsel/rust-audit", "description": "Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.", "stars": "811"}, {"name": "Twiggy", "url": "https://github.com/rustwasm/twiggy", "description": "Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size.", "stars": "1.4k"}, {"name": "VMware chap", "url": "https://github.com/vmware/chap", "description": "chap analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. 
As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.", "stars": "391"}, {"name": "zydis", "url": "https://zydis.re", "description": "Fast and lightweight x86/x86-64 disassembler library"}, {"name": "checkmake", "url": "https://github.com/mrtazz/checkmake", "description": "Linter / Analyzer for Makefiles.", "stars": "1.2k"}, {"name": "portlint", "url": "https://www.freebsd.org/cgi/man.cgi?query=portlint&sektion=1&manpath=FreeBSD+8.1-RELEASE+and+Ports", "description": "A verifier for FreeBSD and DragonFlyBSD port directories."}, {"name": "CSS Stats", "url": "https://cssstats.com", "description": "Potentially interesting stats on stylesheets."}, {"name": "CSScomb", "url": "https://github.com/csscomb/csscomb.js", "description": "A coding style formatter for CSS. Supports own configurations to make style sheets beautiful and consistent.", "stars": "3.3k"}, {"name": "CSSLint", "url": "http://csslint.net", "description": "Does basic syntax checking and finds problematic patterns or signs of inefficiency."}, {"name": "GraphMyCSS.com", "url": "https://graphmycss.com", "description": "CSS Specificity Graph Generator."}, {"name": "Nu Html Checker", "url": "https://validator.github.io/validator/", "description": "Helps you catch problems in your HTML/CSS/SVG"}, {"name": "PostCSS", "url": "https://postcss.org", "description": "A tool for transforming styles with JS plugins. 
These plugins can lint your CSS, support variables and mixins, transpile future CSS syntax, inline images, and more."}, {"name": "Project Wallace CSS Analyzer", "url": "https://www.projectwallace.com", "description": "Analytics for CSS, part of [Project Wallace](https://www.projectwallace.com)."}, {"name": "Specificity Graph", "url": "https://github.com/pocketjoso/specificity-graph", "description": "CSS Specificity Graph Generator.", "stars": "701"}, {"name": "Stylelint", "url": "http://stylelint.io", "description": "Linter for SCSS/CSS files."}, {"name": "dotenv-linter", "url": "https://dotenv-linter.readthedocs.io/en/latest", "description": "Linting dotenv files like a charm."}, {"name": "dotenv-linter (Rust)", "url": "https://dotenv-linter.github.io/#/", "description": "Lightning-fast linter for .env files. Written in Rust"}, {"name": "gixy", "url": "https://github.com/yandex/gixy", "description": "A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.", "stars": "8.6k"}, {"name": "ansible-lint", "url": "https://ansible.readthedocs.io/projects/lint/", "description": "Checks playbooks for practices and behaviour that could potentially be improved."}, {"name": "AWS CloudFormation Guard", "url": "https://github.com/aws-cloudformation/cloudformation-guard", "description": "Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates.", "stars": "1.4k"}, {"name": "AzSK", "url": "https://azsk.azurewebsites.net/", "description": "Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. 
Supports Azure via ARM."}, {"name": "cfn-lint", "url": "https://github.com/awslabs/cfn-python-lint", "description": "AWS Labs CloudFormation linter.", "stars": "2.6k"}, {"name": "cfn\\_nag", "url": "https://github.com/stelligent/cfn_nag", "description": "A linter for AWS CloudFormation templates.", "stars": "1.3k"}, {"name": "checkov", "url": "https://www.checkov.io", "description": "Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time."}, {"name": "cookstyle", "url": "https://docs.chef.io/cookstyle.html", "description": "Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks."}, {"name": "foodcritic", "url": "http://www.foodcritic.io", "description": "A lint tool that checks Chef cookbooks for common problems."}, {"name": "kics", "url": "https://kics.io/", "description": "Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible"}, {"name": "metadata-json-lint", "url": "https://github.com/voxpupuli/metadata-json-lint", "description": "Tool to check the validity of Puppet metadata.json files.", "stars": "31"}, {"name": "Steampunk Spotter", "url": "https://steampunk.si/spotter/", "description": ""}, {"name": "terraform-compliance", "url": "https://terraform-compliance.com", "description": "A lightweight, compliance- and security focused, BDD test framework against Terraform."}, {"name": "terrascan", "url": "https://github.com/cesar-rodriguez/terrascan", "description": "Collection of security and best practice tests for static code analysis of Terraform templates.", "stars": "2"}, {"name": "tflint", "url": "https://github.com/wata727/tflint", "description": "A Terraform linter for detecting errors that can not be detected by `terraform plan`.", "stars": "0"}, {"name": "tfsec", "url": "https://github.com/tfsec/tfsec", "description": "Terraform static analysis tool 
that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.", "stars": "7k"}, {"name": "anchore", "url": "https://anchore.io", "description": "Discover, analyze, and certify container images. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification"}, {"name": "clair", "url": "https://github.com/coreos/clair", "description": "Vulnerability Static Analysis for Containers.", "stars": "11k"}, {"name": "Code Pathfinder", "url": "https://codepathfinder.dev", "description": "An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. Built for advanced structural search, deriving insights, and finding vulnerabilities in code."}, {"name": "GitGuardian ggshield", "url": "https://www.gitguardian.com/ggshield", "description": "ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350 types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase."}, {"name": "Grype", "url": "https://github.com/anchore/grype", "description": "Vulnerability scanner for container images and filesystems. Developed by Anchore, it scans container images, directories, and archives for known vulnerabilities. Supports multiple image formats, SBOM integration, and VEX (Vulnerability Exploitability eXchange) for accurate vulnerability assessment. 
Works with various vulnerability databases and provides detailed reporting.", "stars": "12k"}, {"name": "Haskell Dockerfile Linter", "url": "https://github.com/lukasmartinelli/hadolint", "description": "A smarter Dockerfile linter that helps you build best-practice Docker images.", "stars": "12k"}, {"name": "kics", "url": "https://kics.io/", "description": "Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible"}, {"name": "krane", "url": "https://github.com/appvia/krane", "description": "Krane is a simple Kubernetes RBAC static analysis tool.", "stars": "738"}, {"name": "OpenSCAP", "url": "https://www.open-scap.org/", "description": "Suite of automated audit tools to examine the configuration and known vulnerabilities following the NIST-certified Security Content Automation Protocol (SCAP)."}, {"name": "Qualys Container Security", "url": "https://www.qualys.com/apps/container-security", "description": ""}, {"name": "sysdig", "url": "https://sysdig.com/", "description": ""}, {"name": "Vuls", "url": "https://vuls.io/", "description": "Agent-less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although it is not a container-specific tool."}, {"name": "actionlint", "url": "https://rhysd.github.io/actionlint", "description": "Static checker for GitHub Actions workflow files. Provides an online version."}, {"name": "AzSK", "url": "https://azsk.azurewebsites.net/", "description": "Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), and CI/CD scans for vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. 
Supports Azure via ARM."}, {"name": "Code Climate", "url": "https://codeclimate.com", "description": "The open and extensible static analysis platform, for everyone."}, {"name": "Code Pathfinder", "url": "https://codepathfinder.dev", "description": "An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. Built for advanced structural search, deriving insights, and finding vulnerabilities in code."}, {"name": "Codecov", "url": "https://about.codecov.io/", "description": ""}, {"name": "CodeRabbit", "url": "https://coderabbit.ai", "description": ""}, {"name": "composer-dependency-analyser", "url": "https://github.com/shipmonk-rnd/composer-dependency-analyser", "description": "Fast detection of composer dependency issues.", "stars": "603"}, {"name": "Diffblue", "url": "https://www.diffblue.com/", "description": ""}, {"name": "exakat", "url": "https://www.exakat.io", "description": "An automated code reviewing engine for PHP."}, {"name": "GitGuardian ggshield", "url": "https://www.gitguardian.com/ggshield", "description": "ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350 types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase."}, {"name": "Goblint", "url": "https://goblint.in.tum.de", "description": "A static analyzer for multi-threaded C programs. 
Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences."}, {"name": "PullRequest", "url": "https://www.hackerone.com/product/code", "description": ""}, {"name": "RefactorFirst", "url": "https://github.com/jimbethancourt/RefactorFirst", "description": "Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.", "stars": "521"}, {"name": "Reviewdog", "url": "https://github.com/haya14busa/reviewdog", "description": "A tool for posting review comments from any linter in any code hosting service.", "stars": "9.2k"}, {"name": "Symfony Insight", "url": "https://insight.symfony.com/", "description": ""}, {"name": "TangleGuard", "url": "https://tangleguard.com/", "description": ""}, {"name": "Violations Lib", "url": "https://github.com/tomasbjerre/violations-lib", "description": "Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.", "stars": "155"}, {"name": "deno_lint", "url": "https://github.com/denoland/deno_lint", "description": "Official linter for Deno.", "stars": "1.6k"}, {"name": "Cloud (IaC) Security for JetBrains IDEs", "url": "https://plugins.jetbrains.com/plugin/25413-cloud-iac-security", "description": "Cloud (IaC) Security plugin for JetBrains IDEs. Performs real-time inspections of Docker & Kubernetes IaC with 50+ rules based on Docker image/build security best practices, Kubernetes Pod Security Standards, and NSA/CISA Kubernetes Hardening Guidance."}, {"name": "Code Pathfinder", "url": "https://codepathfinder.dev", "description": "An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. 
Built for advanced structural search, derive insights, find vulnerabilities in code."}, {"name": "oelint-adv", "url": "https://github.com/priv-kweihmann/oelint-adv", "description": "Linter for bitbake recipes used in open-embedded and YOCTO", "stars": "77"}, {"name": "ERB Lint", "url": "https://github.com/Shopify/erb-lint", "description": "Lint your ERB or HTML files", "stars": "742"}, {"name": "ERB::Formatter", "url": "https://github.com/nebulab/erb-formatter", "description": "Format ERB files with speed and precision.", "stars": "194"}, {"name": "htmlbeautifier", "url": "https://github.com/threedaymonk/htmlbeautifier", "description": "A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates.", "stars": "371"}, {"name": "gherkin-lint", "url": "https://github.com/vsiakka/gherkin-lint", "description": "A linter for the Gherkin-Syntax written in Javascript.", "stars": "194"}, {"name": "Angular ESLint", "url": "https://github.com/angular-eslint/angular-eslint#readme", "description": "Linter for Angular projects", "stars": "1.8k"}, {"name": "axe-core", "url": "https://www.deque.com/axe/", "description": "Accessibility engine for automated Web UI testing. Tests HTML against WCAG 2.0, 2.1, and 2.2 guidelines. 
Used by Google Lighthouse, Microsoft Accessibility Insights, and thousands of organizations worldwide."}, {"name": "ERB Lint", "url": "https://github.com/Shopify/erb-lint", "description": "Lint your ERB or HTML files", "stars": "742"}, {"name": "ERB::Formatter", "url": "https://github.com/nebulab/erb-formatter", "description": "Format ERB files with speed and precision.", "stars": "194"}, {"name": "HTML Tidy", "url": "http://www.html-tidy.org", "description": "Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards."}, {"name": "HTML-Validate", "url": "https://html-validate.org/", "description": "Offline HTML5 validator."}, {"name": "htmlbeautifier", "url": "https://github.com/threedaymonk/htmlbeautifier", "description": "A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates.", "stars": "371"}, {"name": "HTMLHint", "url": "https://htmlhint.com", "description": "A Static Code Analysis Tool for HTML."}, {"name": "Nu Html Checker", "url": "https://validator.github.io/validator/", "description": "Helps you catch problems in your HTML/CSS/SVG"}, {"name": "Pa11y", "url": "https://pa11y.org/", "description": "Automated accessibility testing tool that runs HTML CodeSniffer or axe-core from the command line. Supports CI/CD integration, multiple reporters, and testing against WCAG 2.1 AA standards."}, {"name": "Polymer-analyzer", "url": "https://github.com/Polymer/tools/tree/master/packages/analyzer", "description": "A static analysis framework for Web Components.", "stars": "436"}, {"name": "jsonlint", "url": "https://jsonlint.com/", "description": "A JSON parser and validator with a CLI. 
Standalone version of jsonlint.com"}, {"name": "Spectral", "url": "https://stoplight.io/open-source/spectral", "description": "A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI v2/v3 and AsyncAPI v2."}, {"name": "chart-testing", "url": "https://github.com/helm/chart-testing", "description": "ct is the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.", "stars": "1.6k"}, {"name": "Cloud (IaC) Security for JetBrains IDEs", "url": "https://plugins.jetbrains.com/plugin/25413-cloud-iac-security", "description": "Cloud (IaC) Security plugin for JetBrains IDEs. Performs real-time inspections of Docker & Kubernetes IaC with 50+ rules based on Docker image/build security best practices, Kubernetes Pod Security Standards, and NSA/CISA Kubernetes Hardening Guidance."}, {"name": "clusterlint", "url": "https://github.com/digitalocean/clusterlint", "description": "Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations.", "stars": "586"}, {"name": "Datree", "url": "https://datree.io/", "description": "A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization\u2019s policies"}, {"name": "kics", "url": "https://kics.io/", "description": "Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible"}, {"name": "klint", "url": "https://github.com/uswitch/klint", "description": "A tool that listens to changes in Kubernetes resources and runs linting rules against them. 
Identify and debug erroneous objects and nudge objects in line with the policies as both change over time. Klint helps us encode checks and proactively alert teams when they need to take action.", "stars": "42"}, {"name": "krane", "url": "https://github.com/appvia/krane", "description": "Krane is a simple Kubernetes RBAC static analysis tool.", "stars": "738"}, {"name": "kube-lint", "url": "https://github.com/viglesiasce/kube-lint", "description": "A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them.", "stars": "156"}, {"name": "kube-linter", "url": "https://github.com/stackrox/kube-linter", "description": "KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.", "stars": "3.4k"}, {"name": "kube-score", "url": "https://kube-score.com", "description": "Static code analysis of your Kubernetes object definitions."}, {"name": "kubeconform", "url": "https://github.com/yannh/kubeconform", "description": "A fast Kubernetes manifests validator with support for custom resources.", "stars": "3k"}, {"name": "KubeLinter", "url": "https://github.com/stackrox/kube-linter", "description": "KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.", "stars": "3.4k"}, {"name": "lacheck", "url": "https://www.ctan.org/pkg/lacheck", "description": "A tool for finding common mistakes in LaTeX documents."}, {"name": "TeXLab", "url": "https://texlab.netlify.app", "description": "A Language Server Protocol implementation for TeX/LaTeX, including lint capabilities."}, {"name": "larastan", "url": "https://github.com/larastan/larastan", "description": "Adds static analysis to Laravel improving developer productivity and code quality. 
It is a wrapper around PHPStan.", "stars": "6.3k"}, {"name": "checkmake", "url": "https://github.com/mrtazz/checkmake", "description": "Linter / Analyzer for Makefiles.", "stars": "1.2k"}, {"name": "mbake", "url": "https://pypi.org/project/mbake/", "description": "mbake is a Makefile formatter and linter. It only took 50 years!"}, {"name": "portlint", "url": "https://www.freebsd.org/cgi/man.cgi?query=portlint&sektion=1&manpath=FreeBSD+8.1-RELEASE+and+Ports", "description": "A verifier for FreeBSD and DragonFlyBSD port directories."}, {"name": "markdownlint", "url": "https://github.com/DavidAnson/markdownlint", "description": "Node.js-based style checker and lint tool for Markdown/CommonMark files.", "stars": "5.9k"}, {"name": "mdformat", "url": "https://mdformat.rtfd.io", "description": "CommonMark-compliant Markdown formatter"}, {"name": "mdl", "url": "https://github.com/mivok/markdownlint", "description": "A tool to check Markdown files and flag style issues.", "stars": "2k"}, {"name": "mdsf", "url": "https://github.com/hougesen/mdsf", "description": "Format markdown code blocks using your favorite code formatters.", "stars": "99"}, {"name": "remark-lint", "url": "https://remark.js.org", "description": "Pluggable Markdown code style linter written in JavaScript."}, {"name": "textlint", "url": "https://textlint.github.io/", "description": "textlint is an open source text linting utility written in JavaScript."}, {"name": "flake8", "url": "https://github.com/PyCQA/flake8", "description": "A wrapper around `pyflakes`, `pycodestyle` and `mccabe`.", "stars": "3.8k"}, {"name": "flakeheaven", "url": "https://pypi.org/project/flakeheaven/", "description": "flakeheaven is a python linter built around flake8 to enable inheritable and complex toml configuration."}, {"name": "goreporter", "url": "https://github.com/360EntSecGroup-Skylar/goreporter", "description": "Concurrently runs many linters and normalises their output to a report.", "stars": "3.1k"}, {"name": 
"prospector", "url": "https://github.com/PyCQA/prospector", "description": "A wrapper around `pylint`, `pep8`, `mccabe` and others.", "stars": "2.1k"}, {"name": "Android Lint", "url": "https://developer.android.com/studio/write/lint", "description": "Run static analysis on Android projects."}, {"name": "FlowDroid", "url": "https://github.com/secure-software-engineering/FlowDroid", "description": "Static taint analysis tool for Android applications.", "stars": "1.2k"}, {"name": "Mariana Trench", "url": "https://mariana-tren.ch/", "description": "Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). It can find vulnerabilities as code changes, before it ever lands in your repository."}, {"name": "Oversecured", "url": "https://oversecured.com", "description": ""}, {"name": "redex", "url": "https://fbredex.com", "description": "Redex provides a framework for reading, writing, and analyzing .dex files, and a set of optimization passes that use this framework to improve the bytecode. An APK optimized by Redex should be smaller and faster."}, {"name": "deadnix", "url": "https://github.com/astro/deadnix", "description": "Scan Nix files for dead code (unused variable bindings)", "stars": "732"}, {"name": "statix", "url": "https://github.com/nerdypepper/statix", "description": "Lints and suggestions for the Nix programming language. \"statix check\" highlights antipatterns in Nix code. 
\"statix fix\" can fix several such occurrences.", "stars": "848"}, {"name": "lockfile-lint", "url": "https://github.com/lirantal/lockfile-lint", "description": "Lint an npm or yarn lockfile to analyze and detect security issues", "stars": "843"}, {"name": "standard", "url": "http://standardjs.com", "description": "An npm module that checks for Javascript Styleguide issues."}, {"name": "composer-dependency-analyser", "url": "https://github.com/shipmonk-rnd/composer-dependency-analyser", "description": "Fast detection of composer dependency issues.", "stars": "603"}, {"name": "lintian", "url": "https://wiki.debian.org/Lintian", "description": "Static analysis tool for Debian packages."}, {"name": "rpmlint", "url": "https://github.com/rpm-software-management/rpmlint", "description": "Tool for checking common errors in rpm packages.", "stars": "163"}, {"name": "promformat", "url": "https://github.com/facetoe/promformat", "description": "Promformat is a PromQL formatter written in Python.", "stars": "38"}, {"name": "promval", "url": "https://github.com/facetoe/promval", "description": "PromQL validator written in Python. 
It can be used to validate that PromQL expressions are written as expected.", "stars": "4"}, {"name": "buf", "url": "https://buf.build", "description": "Provides a CLI linter that enforces good API design choices and structure"}, {"name": "protolint", "url": "https://github.com/yoheimuta/protolint", "description": "Pluggable linter and fixer to enforce Protocol Buffer style and conventions.", "stars": "678"}, {"name": "metadata-json-lint", "url": "https://github.com/voxpupuli/metadata-json-lint", "description": "Tool to check the validity of Puppet metadata.json files.", "stars": "31"}, {"name": "Active Record Doctor", "url": "https://github.com/gregnavis/active_record_doctor", "description": "Identify database issues before they hit production.", "stars": "1.9k"}, {"name": "Bullet", "url": "https://github.com/flyerhzm/bullet", "description": "Help to kill N+1 queries and unused eager loading.", "stars": "7.3k"}, {"name": "DatabaseConsistency", "url": "https://github.com/djezzzl/database_consistency", "description": "The tool to avoid various issues due to inconsistencies and inefficiencies between a database schema and application models.", "stars": "1.2k"}, {"name": "dawnscanner", "url": "https://github.com/thesp0nge/dawnscanner", "description": "A static analysis security scanner for web applications written in Ruby. 
It supports Sinatra, Padrino and Ruby on Rails frameworks.", "stars": "748"}, {"name": "ERB::Formatter", "url": "https://github.com/nebulab/erb-formatter", "description": "Format ERB files with speed and precision.", "stars": "194"}, {"name": "Skunk", "url": "https://github.com/fastruby/skunk", "description": "A SkunkScore Calculator for Ruby Code -- Find the most complicated code without test coverage!", "stars": "543"}, {"name": "Traceroute", "url": "https://github.com/amatsuda/traceroute", "description": "A Rake task gem that helps you find the unused routes and controller actions for your Rails 3+ app.", "stars": "904"}, {"name": "AzSK", "url": "https://azsk.azurewebsites.net/", "description": "Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM."}, {"name": "brakeman", "url": "https://brakemanscanner.org", "description": "A static analysis security vulnerability scanner for Ruby on Rails applications."}, {"name": "Cloud (IaC) Security for JetBrains IDEs", "url": "https://plugins.jetbrains.com/plugin/25413-cloud-iac-security", "description": "Cloud (IaC) Security plugin for JetBrains IDEs. Performs real-time inspections of Docker & Kubernetes IaC with 50+ rules based on Docker image/build security best practices, Kubernetes Pod Security Standards, and NSA/CISA Kubernetes Hardening Guidance."}, {"name": "Code Pathfinder", "url": "https://codepathfinder.dev", "description": "An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. 
Built for advanced structural search, deriving insights, and finding vulnerabilities in code."}, {"name": "Credential Digger", "url": "https://github.com/SAP/credential-digger", "description": "Credential Digger is a GitHub scanning tool that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc) and filters out false positives through a machine learning model called [Password Model](https://huggingface.co/SAPOSS/password-model). This scanner is able to detect passwords and unstructured tokens with a low false positive rate.", "stars": "361"}, {"name": "Datree", "url": "https://datree.io/", "description": "A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization\u2019s policies"}, {"name": "detect-secrets", "url": "https://github.com/Yelp/detect-secrets", "description": "An enterprise friendly way of detecting and preventing secrets in code.", "stars": "4.4k"}, {"name": "GitGuardian ggshield", "url": "https://www.gitguardian.com/ggshield", "description": "ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350 types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase."}, {"name": "Gitleaks", "url": "https://github.com/zricethezav/gitleaks", "description": "A SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos.", "stars": "25k"}, {"name": "gokart", "url": "https://github.com/praetorian-inc/gokart", "description": "Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.", "stars": "2.2k"}, {"name": "Grype", "url": "https://github.com/anchore/grype", "description": "Vulnerability scanner for container images and filesystems. 
Developed by Anchore, it scans container images, directories, and archives for known vulnerabilities. Supports multiple image formats, SBOM integration, and VEX (Vulnerability Exploitability eXchange) for accurate vulnerability assessment. Works with various vulnerability databases and provides detailed reporting.", "stars": "12k"}, {"name": "HasMySecretLeaked", "url": "https://gitguardian.com/hasmysecretleaked", "description": ""}, {"name": "kani", "url": "https://github.com/model-checking/kani", "description": "The Kani Rust Verifier is a bit-precise model checker for Rust.", "stars": "3k"}, {"name": "kics", "url": "https://kics.io/", "description": "Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible"}, {"name": "lockfile-lint", "url": "https://github.com/lirantal/lockfile-lint", "description": "Lint an npm or yarn lockfile to analyze and detect security issues", "stars": "843"}, {"name": "Malcat", "url": "https://malcat.fr/", "description": ""}, {"name": "OSV-Scanner", "url": "https://osv.dev/", "description": "Vulnerability scanner written in Go which uses the data provided by OSV.dev. Developed by Google to scan dependencies across multiple languages and package managers for known vulnerabilities. Supports container scanning, license scanning, and guided remediation. Works with lockfiles, SBOMs, and container images to identify security issues."}, {"name": "Oversecured", "url": "https://oversecured.com", "description": ""}, {"name": "OWASP Noir", "url": "https://owasp-noir.github.io/noir/", "description": "Attack surface detector that identifies endpoints by static analysis."}, {"name": "pip-audit", "url": "https://github.com/pypa/pip-audit", "description": "Tool for scanning Python packages for known vulnerabilities. Developed by the Python Packaging Authority (PyPA) and supported by Trail of Bits and Google. 
Scans Python environments and requirements files to identify vulnerable packages and suggests remediation. Supports GitHub Actions, pre-commit hooks, and multiple vulnerability service integrations.", "stars": "1.2k"}, {"name": "PT Application Inspector", "url": "https://www.ptsecurity.com", "description": ""}, {"name": "Qualys Container Security", "url": "https://www.qualys.com/apps/container-security", "description": ""}, {"name": "Safety", "url": "https://safetycli.com/", "description": "Python dependency vulnerability scanner designed to enhance software supply chain security by detecting packages with known vulnerabilities. Checks Python dependencies against a database of known security vulnerabilities and provides detailed reports. Supports CI/CD integration and multiple output formats."}, {"name": "scorecard", "url": "https://github.com/ossf/scorecard", "description": "Security Scorecards - Security health metrics for Open Source", "stars": "5.3k"}, {"name": "Steampunk Spotter", "url": "https://steampunk.si/spotter/", "description": ""}, {"name": "Symfony Insight", "url": "https://insight.symfony.com/", "description": ""}, {"name": "tfsec", "url": "https://github.com/tfsec/tfsec", "description": "Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.", "stars": "7k"}, {"name": "trufflehog", "url": "https://trufflesecurity.com", "description": "Find credentials all over the place"}, {"name": "Tsunami Security Scanner", "url": "https://github.com/google/tsunami-security-scanner", "description": "A general purpose network security scanner with an extensible plugin system for detecting high severity RCE-like vulnerabilities with high confidence. Note that it probes live network services rather than source code, so it is a dynamic scanner that complements rather than replaces SAST. Custom detectors for finding vulnerabilities (e.g. 
open APIs) can be added.", "stars": "8.6k"}, {"name": "mythril", "url": "https://github.com/ConsenSys/mythril", "description": "A symbolic execution framework with batteries included, can be used to find and exploit vulnerabilities in smart contracts automatically.", "stars": "4.2k"}, {"name": "MythX", "url": "https://mythx.io", "description": ""}, {"name": "slither", "url": "https://github.com/trailofbits/slither", "description": "Static analysis framework that runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses.", "stars": "6.2k"}, {"name": "solhint", "url": "https://protofire.github.io/solhint", "description": "Solhint is an open source project created by <https://protofire.io>. Its goal is to provide a linting utility for Solidity code."}, {"name": "solium", "url": "https://ethlint.readthedocs.io/en/latest", "description": "Solium is a linter to identify and fix style and security issues in Solidity smart contracts."}, {"name": "LibVCS4j", "url": "https://github.com/uni-bremen-agst/libvcs4j", "description": "A Java library that allows existing tools to analyse the evolution of software systems by providing a common API for different version control systems and issue trackers.", "stars": "23"}, {"name": "RefactorFirst", "url": "https://github.com/jimbethancourt/RefactorFirst", "description": "Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.", "stars": "521"}, {"name": "Violations Lib", "url": "https://github.com/tomasbjerre/violations-lib", "description": "Java library for parsing report files from static code analysis. 
Used by a bunch of Jenkins, Maven and Gradle plugins.", "stars": "155"}, {"name": "ember-template-lint", "url": "https://github.com/ember-template-lint/ember-template-lint", "description": "Linter for Ember or Handlebars templates.", "stars": "265"}, {"name": "haml-lint", "url": "https://github.com/sds/haml-lint", "description": "Tool for writing clean and consistent HAML.", "stars": "335"}, {"name": "slim-lint", "url": "https://github.com/sds/slim-lint", "description": "Configurable tool for analyzing Slim templates.", "stars": "225"}, {"name": "yamllint", "url": "https://yamllint.readthedocs.io", "description": "Checks YAML files for syntax validity, key repetition and cosmetic problems such as line length, trailing spaces, and indentation."}, {"name": "GitGuardian ggshield", "url": "https://www.gitguardian.com/ggshield", "description": "ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350 types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase."}, {"name": "kics", "url": "https://kics.io/", "description": "Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible."}, {"name": "dennis", "url": "https://github.com/willkg/dennis", "description": "A set of utilities for working with PO files to ease development and improve quality.", "stars": "50"}, {"name": "HTML-Validate", "url": "https://html-validate.org/", "description": "Offline HTML5 validator."}, {"name": "codespell", "url": "https://github.com/codespell-project/codespell", "description": "Check code for common misspellings.", "stars": "2.3k"}, {"name": "languagetool", "url": "https://languagetool.org", "description": "Style and grammar checker for 25+ languages. 
It finds many errors that a simple spell checker cannot detect."}, {"name": "misspell-fixer", "url": "https://github.com/vlajos/misspell-fixer", "description": "Quick tool for fixing common misspellings and typos in source code.", "stars": "197"}, {"name": "Misspelled Words In Context", "url": "https://jwilk.net/software/mwic", "description": "A spell-checker that groups possible misspellings and shows them in their contexts."}, {"name": "proselint", "url": "https://github.com/amperser/proselint", "description": "A linter for English prose with a focus on writing style instead of grammar.", "stars": "4.5k"}, {"name": "vale", "url": "https://vale.sh", "description": "A syntax-aware linter for prose built with speed and extensibility in mind."}, {"name": "Spectral", "url": "https://stoplight.io/open-source/spectral", "description": "A flexible JSON/YAML linter, with out-of-the-box support for OpenAPI v2/v3 and AsyncAPI v2."}, {"name": "yamllint", "url": "https://yamllint.readthedocs.io", "description": "Checks YAML files for syntax validity, key repetition and cosmetic problems such as line length, trailing spaces, and indentation."}, {"name": "commitlint", "url": "https://commitlint.js.org", "description": "Checks whether your commit messages meet the Conventional Commits format."}, {"name": "GitGuardian ggshield", "url": "https://www.gitguardian.com/ggshield", "description": "ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350 types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase."}, {"name": "HasMySecretLeaked", "url": "https://gitguardian.com/hasmysecretleaked", "description": ""}, {"name": "Clean code linters", "url": "https://github.com/collections/clean-code-linters", "description": "A collection of linters in github collections"}, {"name": "Code Quality Checker Tools For PHP Projects", "url": 
"https://github.com/collections/code-quality-in-php", "description": "A collection of PHP linters in github collections"}, {"name": "go-tools", "url": "https://github.com/dominikh/go-tools", "description": "A collection of tools and libraries for working with Go code, including linters and static analysis", "stars": "6.7k"}, {"name": "linters", "url": "https://github.com/mcandre/linters", "description": "An introduction to static code analysis", "stars": "349"}, {"name": "OWASP Source Code Analysis Tools", "url": "https://owasp.org/www-community/Source_Code_Analysis_Tools", "description": "List of tools maintained by the Open Web Application Security Project"}, {"name": "php-static-analysis-tools", "url": "https://github.com/exakat/php-static-analysis-tools", "description": "A reviewed list of useful PHP static analysis tools", "stars": "2.9k"}, {"name": "AppSec Santa \u2014 SAST Tools", "url": "https://appsecsanta.com/sast-tools", "description": "Independent comparison of 30+ static analysis security testing tools with features, pricing, and alternatives"}, {"name": "Wikipedia", "url": "http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis", "description": "A list of tools for static code analysis."}]}], "name": ""} |