
Static Analysis & Code Quality

Static analysis tools for all programming


mremre/awesome-static-analysis



Static program analysis is the analysis of computer software that is performed without actually executing programs — Wikipedia

This is a collection of static analysis tools and code quality checkers. Pull requests are very welcome!
Note: ©️ stands for proprietary software. All other tools are Open Source.
Also check out the sister project, awesome-dynamic-analysis.


Programming Languages


  • abapOpenChecks - Enhances the SAP Code Inspector with new and customizable checks.


  • Codepeer - detects run-time and logic errors
  • Polyspace for Ada ©️ - provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
  • SPARK ©️ - Static analysis and formal verification toolset for Ada
  • Understand ©️ - IDE that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada and VHDL.


  • gawk --lint - warns about constructs that are dubious or nonportable to other awk implementations.


  • CBMC - bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses
  • clang-tidy - clang static analyser
  • CMetrics - Measures size and complexity for C files
  • CodeSonar from GrammaTech ©️ - Advanced, whole program, deep path, static analysis of C and C++ with easy-to-understand explanations and code and path visualization.
  • Corrode - Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors.
  • cppcheck - static analysis of C/C++ code
  • CppDepend ©️ - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • cpplint - automated C++ checker that follows Google's style guide
  • cqmetrics - quality metrics for C code
  • CScout - complexity and quality metrics for C and C preprocessor code
  • flawfinder - finds possible security weaknesses
  • flint++ - cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
  • Frama-C - a sound and extensible static analyzer for C code
  • IKOS - a sound static analyzer for C/C++ code based on LLVM
  • include-gardener - a static analyzer for C/C++/Obj-C to create a graph (in dot or graphml format) which shows all #include relations of a given set of files.
  • oclint - static analysis of C/C++ code
  • Polyspace Bug Finder ©️ - identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
  • Polyspace Code Prover ©️ - provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
  • scan-build - Analyzes C/C++ code using LLVM at compile-time
  • splint - Annotation-assisted static program checker
  • vera++ - Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.


  • .NET Analyzers - An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
  • Code Analysis Rule Collection - Contains a set of diagnostics, code fixes and refactorings built on the Microsoft .NET Compiler Platform "Roslyn".
  • code-cracker - An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
  • CodeRush ©️ - Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up.
  • CSharpEssentials - C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
  • Designite ©️ - Designite is a software design quality assessment tool. It supports detection of implementation and design smells, computation of various code quality metrics, and trend analysis.
  • Gendarme - Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).
  • NDepend ©️ - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • Puma Scan - Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
  • Refactoring Essentials - The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers.
  • ReSharper ©️ - Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
  • Roslyn Security Guard - Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
  • Roslynator - A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.
  • Security Code Scan - Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
  • SonarLint for Visual Studio - SonarLint is an extension for Visual Studio 2015 and 2017 that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
  • VSDiagnostics - A collection of static analyzers based on Roslyn that integrates with VS.
  • Wintellect.Analyzers - .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.


  • ameba - A static code analysis tool for Crystal
  • crystal - The Crystal compiler has built-in linting functionality.


  • D-scanner - D-Scanner is a tool for analyzing D source code


  • credo - A static code analysis tool with a focus on code consistency and teaching.
  • sobelow - Security-focused static analysis for the Phoenix Framework


  • elvis - Erlang Style Reviewer




  • deadcode - Finds unused code.
  • dingo-hunter - Static analyser for finding deadlocks in Go.
  • dupl - Reports potentially duplicated code.
  • errcheck - Check that error return values are used.
  • flen - Get info on length of functions in a Go package.
  • gas - Inspects source code for security problems by scanning the Go AST.
  • Go Meta Linter - Concurrently run Go lint tools and normalise their output.
  • go tool vet --shadow - Reports variables that may have been unintentionally shadowed.
  • go vet - Examines Go source code and reports suspicious.
  • go-consistent - Analyzer that helps you to make your Go programs more consistent.
  • go-critic - Go source code linter that maintains checks which are currently not implemented in other linters.
  • go-staticcheck - go vet on steroids, similar to ReSharper for C#.
  • go/ast - Package ast declares the types used to represent syntax trees for Go packages.
  • goconst - Finds repeated strings that could be replaced by a constant.
  • gocyclo - Calculate cyclomatic complexities of functions in Go source code.
  • gofmt -s - Checks if the code is properly formatted and could not be further simplified.
  • goimports - Checks missing or unreferenced package imports.
  • GolangCI-Lint - Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.
  • golint - Prints out coding style mistakes in Go source code.
  • goreporter - concurrently runs many linters and normalises their output to a report.
  • goroutine-inspect - An interactive tool to analyze Golang goroutine dump.
  • gosimple - Report simplifications in code.
  • gotype - Syntactic and semantic analysis similar to the Go compiler.
  • ineffassign - Detect ineffectual assignments in Go code
  • interfacer - Suggest narrower interfaces that can be used.
  • lll - Report long lines.
  • maligned - Detect structs that would take less memory if their fields were sorted.
  • megacheck - Run staticcheck, gosimple and unused, sharing work.
  • misspell - Finds commonly misspelled English words.
  • nakedret - Finds naked returns.
  • prealloc - Finds slice declarations that could potentially be preallocated.
  • revive - Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
  • safesql - Static analysis tool for Golang that protects against SQL injections.
  • structcheck - Find unused struct fields.
  • test - Show location of test failures from the stdlib testing module.
  • testify - Show location of failed testify assertions.
  • unconvert - Detect redundant type conversions.
  • unimport - Finds unnecessary import aliases
  • unparam - Find unused function parameters.
  • unused - Find unused variables.
  • varcheck - Find unused global variables and constants.


  • CodeNarc - a static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices


  • HLint - HLint is a tool for suggesting possible improvements to Haskell code.


  • Haxe Checkstyle - A static analysis tool to help developers write Haxe code that adheres to a coding standard.


  • ArchUnit - Unit test your Java architecture
  • Checker Framework - Pluggable type-checking for Java
  • checkstyle - checking Java source code for adherence to a Code Standard or set of validation rules (best practices)
  • ckjm - calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files
  • ClassGraph - a classpath and module path scanner for querying or visualizing class metadata or class relatedness
  • CogniCrypt - checks Java source and byte code for incorrect uses of cryptographic APIs
  • Error-prone - Catch common Java mistakes as compile-time errors
  • fb-contrib - A plugin for FindBugs with additional bug detectors
  • Find Security Bugs - IDE/SonarQube plugin for security audits of Java web applications.
  • Hopper - A static analysis tool written in Scala for languages that run on JVM
  • HuntBugs - Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.
  • JArchitect ©️ - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • JBMC - bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses
  • NullAway - Type-based null-pointer checker with low build-time overhead; an Error Prone plugin
  • OWASP Dependency Check - Checks dependencies for known, publicly disclosed, vulnerabilities.
  • Soot - A framework for analyzing and transforming Java and Android applications.
  • Spoon - Library to write your own static analyses and architectural rule checkers for Java. Can be integrated in Maven and Gradle.
  • SpotBugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.


  • aether - Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.
  • ClosureLinter - ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors
  • coffeelint - A style checker that helps keep CoffeeScript code clean and consistent.
  • complexity-report - Software complexity analysis for JavaScript projects
  • DeepScan ©️ - An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.
  • escomplex - Software complexity analysis of JavaScript-family abstract syntax trees.
  • eslint - A fully pluggable tool for identifying and reporting on patterns in JavaScript
  • Esprima - ECMAScript parsing infrastructure for multipurpose analysis
  • flow - A static type checker for JavaScript.
  • jshint - detect errors and potential problems in JavaScript code and enforce your team's coding conventions
  • JSLint ©️ - The JavaScript Code Quality Tool
  • JSPrime - static security analysis tool
  • NodeJSScan - NodeJsScan is a static security code scanner for Node.js applications.
  • plato - Visualize JavaScript source complexity
  • Prettier - An opinionated code formatter.
  • quality - zero configuration code and module linting
  • retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities
  • standard - An npm module that checks for JavaScript Styleguide issues
  • tern - A JavaScript code analyzer for deep, cross-editor language support
  • xo - Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code.
  • yardstick - JavaScript code metrics


  • detekt - Static code analysis for Kotlin code.
  • ktlint - An anti-bikeshedding Kotlin linter with built-in formatter


  • luacheck - A tool for linting and static analysis of Lua code.


  • mlint ©️ - Check MATLAB code files for possible problems.


  • Perl::Critic - Critique Perl source code for best-practices.


  • dephpend - Dependency analysis tool
  • deprecation-detector - Finds usages of deprecated (Symfony) code
  • deptrac - Enforce rules for dependencies between software layers.
  • DesignPatternDetector - detection of design patterns in PHP code
  • EasyCodingStandard - combine PHP_CodeSniffer and PHP-CS-Fixer
  • exakat - An automated code reviewing engine for PHP
  • GrumPHP - checks code on every commit
  • Mondrian - a set of static analysis and refactoring tools which use graph theory
  • parallel-lint - This tool checks syntax of PHP files faster than serial check with a fancier output.
  • Parse - A Static Security Scanner
  • pdepend - Calculates software metrics like cyclomatic complexity for PHP code.
  • phan - a modern static analyzer from Etsy
  • PHP Assumptions - Checks for weak assumptions
  • PHP Coding Standards Fixer - Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.
  • Php Inspections (EA Extended) - A Static Code Analyzer for PHP.
  • PHP Refactoring Browser - Refactoring helper
  • PHP Semantic Versioning Checker - Suggests a next version according to semantic versioning
  • PHP-Parser - A PHP parser written in PHP
  • PHP-Token-Reflection - Library emulating the PHP internal reflection
  • php7cc - PHP 7 Compatibility Checker
  • php7mar - assist developers in porting their code quickly to PHP 7
  • PHP_CodeSniffer - detects violations of a defined set of coding standards
  • phpca - Finds usage of non-built-in extensions
  • phpcf - Finds usage of deprecated PHP features
  • phpcpd - Copy/Paste Detector for PHP code.
  • phpdcd - Dead Code Detector (DCD) for PHP code.
  • PhpDependencyAnalysis - builds a dependency graph for a project
  • phpdoc-to-typehint - Add scalar type hints and return types to existing PHP projects using PHPDoc annotations
  • phpDocumentor - Analyzes PHP source code to generate documentation
  • PHPMD - finds possible bugs in your code
  • PhpMetrics - Calculates and visualizes various code quality metrics
  • phpmnd - Helps to detect magic numbers
  • PHPQA - A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics)
  • phpqa - jakzal - Many tools for PHP static analysis in one container
  • phpqa - jmolivas - PHPQA all-in-one Analyzer CLI tool
  • phpsa - Static analysis tool for PHP.
  • PHPStan - PHP Static Analysis Tool - discover bugs in your code without running it!
  • Progpilot - A static analysis tool for security purposes
  • Psalm - Static analysis tool for finding type errors in PHP applications
  • Qafoo Quality Analyzer - Visualizes metrics and source code
  • RIPS - A static source code analyser for vulnerabilities in PHP scripts
  • Tuli - A static analysis engine
  • twig-lint - twig-lint is a lint tool for your twig files.
  • WAP - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predict false positives by combining static analysis and data mining.


  • bandit - a tool to find common security issues in Python code
  • bellybutton - a linting engine supporting custom project-specific rules
  • Black - The uncompromising Python code formatter
  • cohesion - a tool for measuring Python class cohesion
  • jedi - autocompletion/static analysis library for Python
  • linty fresh - parse lint errors and report them to GitHub as comments on a pull request
  • mccabe - check McCabe complexity
  • mypy - a static type checker that aims to combine the benefits of duck typing and static typing, frequently used with MonkeyType
  • py-find-injection - find SQL injection vulnerabilities in Python code
  • pycodestyle - (formerly pep8) check Python code against some of the style conventions in PEP 8
  • pydocstyle - check compliance with Python docstring conventions
  • pyflakes - check Python source files for errors
  • pylint - looks for programming errors, helps enforce a coding standard and sniffs for some code smells. It additionally includes pyreverse (a UML diagram generator) and symilar (a similarities checker).
  • pyre-check - A fast, scalable type checker for large Python codebases
  • pyroma - rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved
  • PyT - Python Taint - A static analysis tool for detecting security vulnerabilities in Python web applications.
  • radon - a Python tool that computes various metrics from the source code
  • vulture - find unused classes, functions and variables in Python code
  • xenon - monitor code complexity using radon

Python wrappers

  • ciocheck - linter, formatter and test suite helper. As a linter, it is a wrapper around pep8, pydocstyle, flake8, and pylint.
  • flake8 - a wrapper around pyflakes, pycodestyle and mccabe
  • multilint - a wrapper around flake8, isort and modernize
  • prospector - a wrapper around pylint, pep8, mccabe and others


  • lintr ©️ - Static Code Analysis for R


  • SourceMeter ©️ - Static Code Analysis for RPG III and RPG IV versions (including free-form)


  • brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
  • cane - Code quality threshold checking as part of your build
  • dawnscanner - a static analysis security scanner for web applications written in Ruby. It supports Sinatra, Padrino and Ruby on Rails frameworks.
  • flay - Flay analyzes code for structural similarities.
  • flog - Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.
  • laser - Static analysis and style linter for Ruby code.
  • pelusa - Static analysis Lint-type tool to improve your OO Ruby code
  • quality - Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time.
  • Querly - Pattern Based Checking Tool for Ruby
  • reek - Code smell detector for Ruby
  • RuboCop - A Ruby static code analyzer, based on the community Ruby style guide.
  • Rubrowser - Ruby classes interactive dependency graph generator.
  • ruby-lint - Static code analysis for Ruby
  • rubycritic - A Ruby code quality reporter
  • SandiMeter - Static analysis tool for checking Ruby code for Sandi Metz' rules.


  • cargo-audit - Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.
  • cargo-inspect - Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains.
  • clippy - A code linter to catch common mistakes and improve your Rust code
  • electrolysis - A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.
  • herbie - Adds warnings or errors to your crate when using a numerically unstable floating point expression.
  • linter-rust - Linting your Rust-files in Atom, using rustc and cargo
  • Rust Language Server - Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings.
  • rustfix - read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).


  • linter - Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems.
  • Scalastyle - Scalastyle examines your Scala code and indicates potential problems with it.
  • scapegoat - Scala compiler plugin for static code analysis
  • WartRemover - a flexible Scala code linting tool.


  • i-Code CNES for Shell - An open source static code analysis tool for Shell and Fortran (77 and 90).
  • shellcheck - ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts


  • slither - Static analysis framework that runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses
  • solium - Solium is a linter to identify and fix style and security issues in Solidity smart contracts


  • sqlcheck - Automatically identify anti-patterns in SQL queries
  • sqlint - Simple SQL linter
  • tsqllint - T-SQL-specific linter
  • TSqlRules - TSQL Static Code Analysis Rules for SQL Server


  • SwiftFormat - A library and command-line formatting tool for reformatting Swift code
  • SwiftLint - A tool to enforce Swift style and conventions
  • Tailor - A static analysis and lint tool for source code written in Apple's Swift programming language.


  • Codelyzer - A set of tslint rules for static code analysis of Angular 2 TypeScript projects.
  • TSLint - An extensible linter for the TypeScript language.
  • tslint-clean-code - A set of TSLint rules inspired by the Clean Code handbook.
  • tslint-microsoft-contrib - A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft.


  • Test Design Studio ©️ - A full IDE with static code analysis for Micro Focus Unified Functional Testing VBScript-based automated tests.

Multiple languages

  • AppChecker ©️ - Static analysis for C/C++/C#, PHP and Java
  • Application Inspector ©️ - Combined SAST, DAST, IAST security scanner for C#, PHP, Java, SQL languages
  • AppScan ©️ - Commercial Static Code Analysis. Supports: Microsoft .NET Framework (C#, ASP.NET, VB.NET), ASP (JavaScript/VBScript), C/C++, COBOL, ColdFusion, JavaScript, JavaServer Pages (JSP), Java™ (including support for Android APIs), Perl, PHP, PL/SQL, T-SQL, Visual Basic 6
  • APPscreener ©️ - Static code analysis for binary and source code - Java/Scala, PHP, JavaScript, C#, PL/SQL, Python, T-SQL, C/C++, ObjectiveC/Swift, Visual Basic 6.0, Ruby, Delphi, ABAP, HTML5 and Solidity
  • Axivion Bauhaus Suite ©️ - Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95
  • Checkmarx ©️ - Commercial Static Code Analysis which doesn't require pre-compilation. Supports: Android (Java), Apex and VisualForce, ASP, C#, C/C++, Go, Groovy, HTML5, Java, JavaScript, Node.js, Objective C, Perl, PhoneGap, PHP, Python, Ruby, Scala, Swift, VB.NET, VB6, VBScript
  • coala - Language independent framework for creating code analysis - supports over 60 languages by default
  • Cobra ©️ - Structural source code analyzer by NASA's Jet Propulsion Laboratory. Supports C, C++, Ada, and Python.
  • codeburner - Provides a unified interface to sort and act on the issues it finds
  • CodeFactor ©️ - Static Code Analysis for C#, C, C++, CoffeeScript, CSS, Groovy, GO, JAVA, JavaScript, Less, Python, Ruby, Scala, SCSS, TypeScript.
  • CodeIt.Right ©️ - CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices. Supported languages: C#, VB.NET.
  • CodeScene ©️ - CodeScene prioritizes technical debt, finds social patterns and identifies hidden risks in your code.
  • cqc - Check your code quality for js, jsx, vue, css, less, scss, sass and styl files.
  • DevSkim - Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
  • Fortify ©️ - A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
  • Goodcheck - Regexp based customizable linter
  • graudit - Grep rough audit - source code auditing tool - C/C++, PHP, ASP, C#, Java, Perl, Python, Ruby
  • Hound CI - Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.
  • imhotep - Comment on commits coming into your repository and check for syntactic errors and general lint warnings.
  • Infer - A static analyzer for Java, C and Objective-C
  • Klocwork ©️ - Quality and Security Static analysis for C/C++, Java and C#
  • Kiuwan ©️ - Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C/C++, Java, C#, PHP and more
  • oclint - A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C
  • pfff - Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages
  • PMD - A source code analyzer for Java, JavaScript, PLSQL, XML, XSL and others
  • Pronto - Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more
  • pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
  • PT.PM - An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL.
  • PVS-Studio ©️ - a (conditionally free for FOSS) static analysis of C/C++ and C# code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees.
  • Reviewdog - A tool for posting review comments from any linter in any code hosting service.
  • Security Code Scan - Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
  • Semmle QL and LGTM ©️ - Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for public GitHub/Bitbucket repo:
  • shipshape - Static program analysis platform that allows custom analyzers to plug in through a common interface
  • SonarQube - SonarQube is an open platform to manage code quality.
  • STOKE - a programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations
  • Synopsys ©️ - A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift)
  • TscanCode - A fast and accurate static analysis solution for C/C++, C#, Lua code provided by Tencent. Using GPLv3 license.
  • Undebt - Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions
  • Veracode ©️ - Find flaws in binaries and bytecode without requiring source. Supports all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.
  • WALA - static analysis capabilities for Java bytecode and related languages and for JavaScript
  • Wotan - Pluggable TypeScript and JavaScript linter
  • XCode ©️ - XCode provides a pretty decent UI for Clang's static code analyzer (C/C++, Obj-C)


Build tools

  • checkmake - Linter / Analyzer for Makefiles
  • codechecker - a defect database and viewer extension for the Clang Static Analyzer


  • BinSkim - A binary static analysis tool that provides security and correctness results for Windows portable executables.
  • Jakstab - Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs.
  • Manalyze - A static analyzer, which checks portable executables for malicious content.
  • Twiggy - Analyzes a binary's call graph to profile code size. The goal is to slim down binaries.


  • anchore - Discover, analyze, and certify container images
  • clair - Vulnerability Static Analysis for Containers
  • collector - Run arbitrary scripts inside containers, and gather useful information
  • dagda - Perform static analysis of known vulnerabilities in docker images/containers.
  • Docker Label Inspector - Lint and validate Dockerfile labels
  • Haskell Dockerfile Linter - A smarter Dockerfile linter that helps you build best practice Docker images
  • kube-score - Static code analysis of your Kubernetes object definitions.

Config Files

  • dotenv-linter - Linting dotenv files like a charm.
  • gixy - a tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.

Configuration Management

  • ansible-lint - Checks playbooks for practices and behaviour that could potentially be improved
  • cfn_nag - A linter for AWS CloudFormation templates.
  • cookstyle - Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks
  • foodcritic - A lint tool that checks Chef cookbooks for common problems.
  • Puppet Lint - Check that your Puppet manifests conform to the style guide.
  • tflint - A Terraform linter for detecting errors that cannot be detected by terraform plan.



  • gherkin-lint - A linter for the Gherkin-Syntax written in JavaScript.


  • HTML Inspector - HTML Inspector is a code quality tool to help you and your team write better markup.
  • HTML Tidy - Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards.
  • HTMLHint - A Static Code Analysis Tool for HTML
  • Polymer-analyzer - A static analysis framework for Web Components.

IDE Plugins

  • ale - Asynchronous Lint Engine for Vim and NeoVim with support for many languages
  • Attackflow Extension ©️ - Attackflow plugin for Visual Studio, which enables developers to find critical security bugs in real time in the source code without any prior knowledge.
  • DevSkim - Inline, realtime security analysis. Works with multiple programming languages and IDEs (VS, VS Code, Sublime Text, ...).
  • Puma Scan - Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
  • Security Code Scan - Security code analyzer for C# and VB.NET that integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
  • vint - Fast and Highly Extensible Vim script Language Lint implemented in Python.


  • ChkTeX - A linter for LaTeX which catches some typographic errors LaTeX overlooks.
  • lacheck - A tool for finding common mistakes in LaTeX documents.


  • portlint - A verifier for FreeBSD and DragonFlyBSD port directories


  • mdl - A tool to check markdown files and flag style issues.


  • android-lint-summary - Combines lint errors of multiple projects into one output, checks lint results of multiple sub-projects at once.
  • FlowDroid - static taint analysis tool for Android applications
  • paprika - A toolkit to detect some code smells in analyzed Android applications.
  • qark - Tool to look for several security related Android application vulnerabilities


  • lintian - Static analysis tool for Debian packages
  • rpmlint - Tool for checking common errors in rpm packages

Supporting Tools

  • LibVCS4j - A Java library that allows existing tools to analyse the evolution of software systems by providing a common API for different version control systems and issue trackers.
  • Violations Lib - Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.


  • ember-template-lint - Linter for Ember or Handlebars templates.
  • haml-lint - Tool for writing clean and consistent HAML
  • slim-lint - Configurable tool for analyzing Slim templates
  • yamllint - Checks YAML files for syntax validity, key repetition and cosmetic problems such as line length, trailing spaces, and indentation.


  • dennis - A set of utilities for working with PO files to ease development and improve quality.


  • languagetool - Style and grammar checker for 25+ languages. It finds many errors that a simple spell checker cannot detect.
  • misspell-fixer - Quick tool for fixing common misspellings and typos in source code
  • proselint - a linter for English prose with a focus on writing style instead of grammar.
  • vale - A customizable, syntax-aware linter for prose.
  • write-good - A linter with a focus on eliminating "weasel words".

Web services

  • Codacy ©️ - Code Analysis to ship Better Code, Faster.
  • Code Climate ©️ - The open and extensible static analysis platform, for everyone.
  • CodeFactor ©️ - Automated Code Analysis for repos on GitHub or BitBucket.
  • CodeFlow ©️ - Automated code analysis tool to deal with technical debt. Integrates with Bitbucket and Gitlab. (free for Open Source Projects)
  • Gamma ©️ - An intelligent software analytics platform that identifies issues from multiple lenses: Design issues, code issues, duplication and metrics. Available for Java, C, C++ and C#.
  • kiuwan ©️ - Software Analytics in the Cloud supporting more than 22 programming languages.
  • Landscape ©️ - Static code analysis for Python
  • Layered Insight ©️ - Container native application protection to provide visibility and control of containerized applications.
  • ©️ - Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.
  • Nitpick CI ©️ - Automated PHP code review
  • PullRequest ©️ - Code review as a service with built-in static analysis
  • QuantifiedCode - Automated code review & repair
  • Reshift ©️ - A source code analysis tool for detecting and managing Java security vulnerabilities.
  • Scrutinizer ©️ - A proprietary code quality checker that can be integrated with GitHub
  • SensioLabs Insight ©️ - Detect security risks, find bugs and provide actionable metrics for PHP projects
  • Sider ©️ - An automated code reviewing tool. Improving developers' productivity.
  • Snyk ©️ - Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects)
  • Teamscale ©️ - Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available.
  • Upsource ©️ - Code review tool with static code analysis and code-aware navigation for Java, PHP, JavaScript and Kotlin.

More collections

  • go-tools - A collection of tools and libraries for working with Go code, including linters and static analysis
  • linters - An introduction to static code analysis
  • php-static-analysis-tools - A reviewed list of useful PHP static analysis tools
  • Tools for C/C++ - A list of static analysis tools for C/C++
  • Wikipedia - A list of tools for static code analysis.



To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work. Title image Designed by Freepik.
