analysis-tools-dev/static-analysis
⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
Analysis Tools

This repository lists static analysis tools for all programming languages, build tools, config files and more.
The official website, analysis-tools.dev is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.

What is Static Analysis?

Static program analysis is the analysis of computer software that is performed without actually executing programs — Wikipedia

The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality. — John Carmack (Creator of Doom)

Sponsors

This project would not be possible without the generous support of our sponsors.

If you also want to support this project, head over to our Github sponsors page.

Meaning of Symbols:

  • emoji-copyright stands for proprietary software. All other tools are Open Source.
  • emoji-information_source indicates that the community no longer recommends using this tool for new projects. The icon links to the discussion issue.
  • emoji-warning means that this tool has not been updated for more than 1 year, or the repo was archived.

Pull requests are very welcome!
Also check out the sister project, awesome-dynamic-analysis (558 stars).

Table of Contents

Programming Languages

Multiple languages

Other

Programming Languages

ABAP

  • abaplint — Linter for ABAP, written in TypeScript.
  • abapOpenChecks — Enhances the SAP Code Inspector with new and customizable checks.

Ada

  • Codepeer emoji-copyright — Detects run-time and logic errors.
  • Polyspace for Ada emoji-copyright — Provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
  • SPARK emoji-copyright — Static analysis and formal verification toolset for Ada.

Assembly

  • STOKE (614 stars) — A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.

Awk

  • gawk --lint — Warns about constructs that are dubious or nonportable to other awk implementations.

C

  • Astrée emoji-copyright — Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
  • CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
  • clang-tidy — clang static analyser.
  • clazy (520 stars) — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
  • CMetrics (63 stars) — Measures size and complexity for C files.
  • CPAchecker — A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.
  • cppcheck — Static analysis of C/C++ code.
  • CppDepend emoji-warning emoji-copyright — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • cpplint — Automated C++ checker that follows Google's style guide.
  • cqmetrics (48 stars) — Quality metrics for C code.
  • CScout emoji-warning — Complexity and quality metrics for C and C preprocessor code.
  • ESBMC — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
  • flawfinder — Finds possible security weaknesses.
  • flint++ (250 stars) — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
  • Frama-C — A sound and extensible static analyzer for C code.
  • Helix QAC emoji-copyright — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
  • IKOS (1.7k stars) — A sound static analyzer for C/C++ code based on LLVM.
  • Joern — Open-source code analysis platform for C/C++ based on code property graphs.
  • LDRA emoji-copyright — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
  • PC-lint emoji-copyright — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.
  • Phasar — A LLVM-based static analysis framework which comes with a taint and type state analysis.
  • Polyspace Bug Finder emoji-copyright — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
  • Polyspace Code Prover emoji-copyright — Provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
  • scan-build — Analyzes C/C++ code using LLVM at compile-time.
  • splint — Annotation-assisted static program checker.
  • SVF — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
  • vera++ — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

C#

  • .NET Analyzers — An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
  • ArchUnitNET (258 stars) — A C# architecture test library to specify and assert architecture rules in C# for automated testing.
  • code-cracker — An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
  • CSharpEssentials (156 stars) emoji-warning — C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
  • Designite emoji-copyright — Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.
  • Gendarme — Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).
  • Infer# (549 stars) — InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks.
  • NDepend emoji-copyright — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • Puma Scan — Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
  • Roslynator (2.4k stars) — A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.
  • VSDiagnostics (64 stars) — A collection of static analyzers based on Roslyn that integrates with VS.
  • Wintellect.Analyzers (86 stars) — .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.

C++

  • Astrée emoji-copyright — Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
  • CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
  • clang-tidy — clang static analyser.
  • clazy (520 stars) — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
  • CMetrics (63 stars) — Measures size and complexity for C files.
  • cppcheck — Static analysis of C/C++ code.
  • CppDepend emoji-warning emoji-copyright — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • cpplint — Automated C++ checker that follows Google's style guide.
  • cqmetrics (48 stars) — Quality metrics for C code.
  • CScout emoji-warning — Complexity and quality metrics for C and C preprocessor code.
  • ESBMC — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
  • flawfinder — Finds possible security weaknesses.
  • flint++ (250 stars) — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
  • Frama-C — A sound and extensible static analyzer for C code.
  • Helix QAC emoji-copyright — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
  • IKOS (1.7k stars) — A sound static analyzer for C/C++ code based on LLVM.
  • Joern — Open-source code analysis platform for C/C++ based on code property graphs.
  • LDRA emoji-copyright — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
  • PC-lint emoji-copyright — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.
  • Phasar — A LLVM-based static analysis framework which comes with a taint and type state analysis.
  • Polyspace Bug Finder emoji-copyright — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
  • Polyspace Code Prover emoji-copyright — Provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
  • scan-build — Analyzes C/C++ code using LLVM at compile-time.
  • splint — Annotation-assisted static program checker.
  • SVF — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
  • vera++ — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

Clojure

  • clj-kondo (1.4k stars) — A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing.

CoffeeScript

  • coffeelint — A style checker that helps keep CoffeeScript code clean and consistent.

Crystal

  • ameba — A static code analysis tool for Crystal.
  • crystal — The Crystal compiler has built-in linting functionality.

Dart

  • Dart Code Metrics — Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.
  • effective_dart — Linter rules corresponding to the guidelines in Effective Dart.
  • lint (234 stars) — An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter.
  • Linter for dart — Style linter for Dart.

Delphi

  • Fix Insight emoji-copyright — A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.
  • Pascal Analyzer emoji-copyright — A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.
  • Pascal Expert emoji-copyright — IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.

Dlang

Elixir

  • credo (4.3k stars) — A static code analysis tool with a focus on code consistency and teaching.
  • dialyxir (1.4k stars) — Mix tasks to simplify use of Dialyzer in Elixir projects.
  • sobelow (1.3k stars) — Security-focused static analysis for the Phoenix Framework.

Elm

  • elm-analyse emoji-warning — A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.
  • elm-review — Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.

Erlang

  • dialyzer — The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications.

Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).

F#

Fortran

Go

  • aligncheck — Find inefficiently packed structs.
  • bodyclose (222 stars) — Checks whether HTTP response body is closed.
  • deadcode (39 stars) — Finds unused code.
  • dingo-hunter (296 stars) emoji-warning — Static analyser for finding deadlocks in Go.
  • dogsled (64 stars) — Finds assignments/declarations with too many blank identifiers.
  • dupl (281 stars) emoji-warning — Reports potentially duplicated code.
  • errcheck (1.8k stars) — Check that error return values are used.
  • errwrap (351 stars) — Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive.
  • flen (49 stars) — Get info on length of functions in a Go package.
  • Go Meta Linter (3.5k stars) emoji-warning — Concurrently run Go lint tools and normalise their output. Use golangci-lint for new projects.
  • go tool vet --shadow — Reports variables that may have been unintentionally shadowed.
  • go vet — Examines Go source code and reports suspicious constructs.
  • go-consistent (310 stars) — Analyzer that helps you to make your Go programs more consistent.
  • go-critic (1.3k stars) — Go source code linter that maintains checks which are currently not implemented in other linters.
  • go/ast — Package ast declares the types used to represent syntax trees for Go packages.
  • gochecknoglobals (61 stars) — Checks that no globals are present.
  • goconst (216 stars) — Finds repeated strings that could be replaced by a constant.
  • gocyclo (957 stars) — Calculate cyclomatic complexities of functions in Go source code.
  • gofmt -s — Checks if the code is properly formatted and could not be further simplified.
  • goimports — Checks missing or unreferenced package imports.
  • gokart (2k stars) — Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.
  • GolangCI-Lint — Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.
  • golint (3.9k stars) — Prints out coding style mistakes in Go source code.
  • goreporter (3k stars) — Concurrently runs many linters and normalises their output to a report.
  • goroutine-inspect (405 stars) — An interactive tool to analyze Golang goroutine dump.
  • gosec (gas) — Inspects source code for security problems by scanning the Go AST.
  • gotype — Syntactic and semantic analysis similar to the Go compiler.
  • ineffassign (328 stars) — Detect ineffectual assignments in Go code.
  • interfacer (696 stars) emoji-warning — Suggest narrower interfaces that can be used.
  • lll (60 stars) — Report long lines.
  • maligned (479 stars) — Detect structs that would take less memory if their fields were sorted.
  • misspell (1.2k stars) — Finds commonly misspelled English words.
  • nakedret (80 stars) — Finds naked returns.
  • nargs (81 stars) — Finds unused arguments in function declarations.
  • prealloc (476 stars) — Finds slice declarations that could potentially be preallocated.
  • Reviewdog (5.1k stars) — A tool for posting review comments from any linter in any code hosting service.
  • revive — Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
  • safesql (564 stars) — Static analysis tool for Golang that protects against SQL injections.
  • shisho — A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code.
  • staticcheck — Go static analysis that specialises in finding bugs, simplifying code and improving performance.
  • structcheck — Find unused struct fields.
  • structslop (645 stars) — Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency.
  • test — Show location of test failures from the stdlib testing module.
  • unconvert (316 stars) — Detect redundant type conversions.
  • unparam (379 stars) — Find unused function parameters.
  • varcheck — Find unused global variables and constants.
  • wsl (155 stars) — Enforces empty lines at the right places.

Groovy

  • CodeNarc — A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices.

Haskell

  • brittany (681 stars) — Haskell source code formatter.
  • HLint (1.3k stars) — HLint is a tool for suggesting possible improvements to Haskell code.
  • Liquid Haskell — Liquid Haskell is a refinement type checker for Haskell programs.
  • Stan — Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
  • Weeder (124 stars) — A tool for detecting dead exports or package imports in Haskell code.

Haxe

  • Haxe Checkstyle — A static analysis tool to help developers write Haxe code that adheres to a coding standard.

Java

  • Checker Framework — Pluggable type-checking for Java.
  • checkstyle — Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).
  • ck (252 stars) — Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.
  • ckjm — Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.
  • CogniCrypt — Checks Java source and byte code for incorrect uses of cryptographic APIs.
  • DesigniteJava emoji-copyright — DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
  • Doop — Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.).
  • Error-prone — Catch common Java mistakes as compile-time errors.
  • fb-contrib — A plugin for FindBugs with additional bug detectors.
  • forbidden-apis (258 stars) — Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.
  • google-java-format (4.5k stars) — Google Style Reformat.
  • HuntBugs (303 stars) emoji-warning — Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.
  • IntelliJ IDEA emoji-copyright — Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more.
  • JArchitect emoji-copyright — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • JBMC — Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
  • NullAway (3.1k stars) — Type-based null-pointer checker with low build-time overhead; an Error Prone plugin.
  • OWASP Dependency Check — Checks dependencies for known, publicly disclosed, vulnerabilities.
  • qulice — Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
  • Reshift emoji-copyright — A source code analysis tool for detecting and managing Java security vulnerabilities.
  • Soot — A framework for analyzing and transforming Java and Android applications.
  • Spoon — Spoon is a metaprogramming library to analyze and transform Java source code (incl. Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.
  • SpotBugs — SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
  • Violations Lib (114 stars) — Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.

JavaScript