Related Projects

PMD - An extensible cross-language static code analyzer

  •    Java

PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, PLSQL, Apache Velocity, XML, XSL.

awesome-static-analysis - A curated list of static analysis tools, linters and code quality checkers for various programming languages

This is a collection of static analysis tools and code quality checkers. Pull requests are very welcome! Note: ©️ stands for proprietary software. All other tools are Open Source. To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work. Title image Designed by Freepik.

Sonarqube - Continuous Code Quality

  •    Java

SonarQube is the open source platform for continuous inspection of code quality. SonarQube not only shows the health of an application but also highlights newly introduced issues. With a Quality Gate in place, you can fix the leak and therefore improve code quality systematically. Its code analyzers can detect tricky issues such as null-pointer dereferences, logic errors and resource leaks.

CodeNarc - Static Analysis for Groovy

  •    Groovy

CodeNarc analyzes Groovy code for defects, bad practices, inconsistencies, style issues, coding standards, best practices and more. CodeNarc triggers violations based on rules which are predefined or custom rules. The static analysis report is generated in XML or HTML format. It is well integrated with the Ant Task and plugins exist for Maven, Gradle, Grails, Griffon, Sonar and Hudson.

phpinspectionsea - A Static Code Analyzer for PHP (a PhpStorm/Idea Plugin)

  •    Java

This project is an OSS Static Code Analysis tool for PhpStorm (2016.2+) and Idea Ultimate. Some of the inspections expect conditional statements (e.g. "if") to wrap their body expressions in a group statement (braces). If this requirement is met, additional inspections are applied to the source code.

Infer - A static analyzer for Java, C and Objective-C

  •    OCaml

A static analyzer for Java, C and Objective-C. It is a tool to detect bugs in Android and iOS apps.

prealloc - prealloc is a Go static analysis tool to find slice declarations that could potentially be preallocated

  •    Go

prealloc is a Go static analysis tool to find slice declarations that could potentially be preallocated. Similar to other Go static analysis tools (such as golint, go vet), prealloc can be invoked with one or more filenames, directories, or packages named by their import path. Prealloc also supports the ... wildcard.

PHPStan - PHP Static Analysis Tool - discover bugs in your code without running it!

  •    PHP

PHPStan focuses on finding errors in your code without actually running it. It catches whole classes of bugs even before you write tests for the code. PHPStan moves PHP closer to compiled languages in the sense that the correctness of each line of the code can be checked before you run the actual line.

phan - Phan is a static analyzer for PHP

  •    PHP

Phan is a static analyzer for PHP that prefers to minimize false-positives. Phan attempts to prove incorrectness rather than correctness. Phan looks for common issues and will verify type compatibility on various operations when type information is available or can be deduced. Phan has a good (but not comprehensive) understanding of flow control and does not attempt to track values.

Codelyzer - Static analysis for Angular projects.

  •    TypeScript

A set of tslint rules for static code analysis of Angular TypeScript projects. You can run the static code analyzer over web apps, NativeScript, Ionic, etc.

languagetool - Style and Grammar Checker for 25+ Languages

  •    Java

LanguageTool is an Open Source proofreading software for English, French, German, Polish, Russian, and more than 20 other languages. It finds many errors that a simple spell checker cannot detect. LanguageTool is freely available under the LGPL 2.1 or later.

tailor - Cross-platform static analyzer and linter for Swift.

  •    Java

Tailor is a cross-platform static analysis and lint tool for source code written in Apple's Swift programming language. It analyzes your code to ensure consistent styling and help avoid bugs. Tailor supports Swift 3.0.1 out of the box and helps enforce style guidelines outlined in the The Swift Programming Language, GitHub, Ray Wenderlich, and Coursera style guides. It supports cross-platform usage and can be run on Mac OS X via your shell or integrated with Xcode, as well as on Linux and Windows.

csslint - Automated linting of Cascading Stylesheets

  •    JavaScript

CSSLint is an open source CSS code quality tool originally written by Nicholas C. Zakas and Nicole Sullivan. It was released in June 2011 at the Velocity conference. A lint tool performs static analysis of source code and flags patterns that might be errors or otherwise cause problems for the developer.

credo - A static code analysis tool for the Elixir language with a focus on code consistency and teaching

  •    Elixir

Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency. It implements its own style guide.

oclint - A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C

  •    C++

OCLint is a static code analysis tool for improving quality and reducing defects by inspecting C, C++ and Objective-C code.

FindBugs - Static Analysis Tool for Java

  •    Java

FindBugs uses static analysis to look for bugs in Java code. It can analyze programs compiled for any version of Java. Eclipse and Maven plugins are available. FindBugs has been downloaded more than 700,000 times.

pylint - It's not just a linter that annoys you!

  •    Python

Pylint is a Python static code analysis tool which looks for programming errors, helps enforce a coding standard, sniffs for code smells and offers simple refactoring suggestions. It is highly configurable, with special pragmas to control its errors and warnings from within your code, as well as an extensive configuration file. It is also possible to write your own plugins to add your own checks or to extend pylint in one way or another.

codeclimate - Code Climate CLI

  •    Ruby

codeclimate is a command line interface for the Code Climate analysis platform. It allows you to run Code Climate engines on your local machine inside of Docker containers. The Code Climate CLI is distributed and run as a Docker image. The engines that perform the actual analyses are also Docker images. To support this, you must have Docker installed and running locally. We also require that the Docker daemon supports connections on the default Unix socket /var/run/docker.sock.

jsprime - a javascript static security analysis tool

  •    JavaScript

Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple: JavaScript is now accepted as a mainstream programming language for applications, be it on the web or on mobile, be it on the client side or on the server side. JavaScript's flexibility and loose typing let developers create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters in recent years have almost eliminated the question of scalability and throughput for many organizations. So the point is that JavaScript is now a really important and powerful language, and its usage is growing every day. From client-side code in web applications it grew to the server side through Node.JS, and it is now supported as a proper language for writing applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps. But the problem is that many developers practice insecure coding, which leads to many client-side attacks, of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and found that there are not enough practically usable tools that can solve real-world problems. Hence, as our first attempt towards solving this problem, we want to talk about JSPrime: a JavaScript static analysis tool for the rest of us. It is a very lightweight and very easy to use point-and-click tool. The static analysis tool is based on the very popular Esprima ECMAScript parser by Ariya Hidayat.