├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── code-of-conduct.md ├── dast-vs-sast.md └── img ├── Application-Security-Testing.png ├── dast-pipelines.png ├── dast_sast.jpg ├── static-analysis.webp ├── static-code-analysis.jpg └── static.png /.gitignore: -------------------------------------------------------------------------------- 1 | pom.xml 2 | pom.xml.asc 3 | *.jar 4 | *.class 5 | /lib/ 6 | /classes/ 7 | /target/ 8 | /checkouts/ 9 | .lein-deps-sum 10 | .lein-repl-history 11 | .lein-plugins/ 12 | .lein-failures 13 | .nrepl-port 14 | .cpcache/ 15 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Paul Veillard, P. Eng 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: render 2 | render: 3 | cargo run --manifest-path data/render/Cargo.toml -- --tags data/tags.yml --tools data/tools --out README.md 4 | 5 | .PHONY: render-skip-deprecated 6 | render-skip-deprecated: 7 | cargo run --manifest-path data/render/Cargo.toml -- --tags data/tags.yml --tools data/tools --out README.md --skip-deprecated 8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Static Analysis Tools 2 | > An ongoing & curated collection of awesome vulnerability scanning software, libraries and frameworks, best guidelines and technical resources and most important static application security testing (SAST) 3 | 4 | 5 | ## `What is Static Analysis?` 6 | [Static analysis](https://www.intel.com/content/www/us/en/develop/documentation/inspector-user-guide-windows/top/getting-started/dynamic-analysis-vs-static-analysis.html) is the testing and evaluation of an application by examining the code without executing the application. 7 | 8 | ![static](https://github.com/paulveillard/cybersecurity-static-analysis/blob/main/img/static.png) 9 | 10 | ## `Why Static Code Analysis is important?` 11 | 12 | It examines all possible execution paths and variable values, not just those invoked during execution. Thus static analysis can reveal errors that may not manifest themselves until weeks, months or years after release. This aspect of static analysis is especially valuable in security assurance, because security attacks often exercise an application in unforeseen and untested ways. 13 | 14 | 15 | ## `Table of Contents` 16 | 17 | #### [Programming Languages](#programming-languages-1) 18 | 19 |
20 | Show languages 21 | 22 | 70 |
71 | 72 | #### [Multiple languages](#multiple-languages-1) 73 | 74 | #### [Other](#other-1) 75 | 76 | - [Angular](#angular) 77 | - [Ansible](#ansible) 78 | - [Azure Resource Manager](#arm) 79 | - [Binaries](#binary) 80 | - [Build tools](#buildtool) 81 | - [CSS/SASS/SCSS](#css) 82 | - [Config Files](#configfile) 83 | - [Configuration Management](#configmanagement) 84 | - [Containers](#container) 85 | - [Continuous Integration](#ci) 86 | - [Deno](#deno) 87 | - [Embedded](#embedded) 88 | - [Embedded Ruby (a.k.a. ERB, eRuby)](#erb) 89 | - [Gherkin](#gherkin) 90 | - [HTML](#html) 91 | - [JSON](#json) 92 | - [Kubernetes](#kubernetes) 93 | - [LaTeX](#latex) 94 | - [Laravel](#laravel) 95 | - [Makefiles](#make) 96 | - [Markdown](#markdown) 97 | - [Metalinter](#meta) 98 | - [Mobile](#mobile) 99 | - [Nix](#nix) 100 | - [Node.js](#nodejs) 101 | - [Packages](#package) 102 | - [Protocol Buffers](#protobuf) 103 | - [Puppet](#puppet) 104 | - [Rails](#rails) 105 | - [Security/SAST](#security) 106 | - [Smart Contracts](#smart-contracts) 107 | - [Support](#support) 108 | - [Template-Languages](#template) 109 | - [Terraform](#terraform) 110 | - [Translation](#translation) 111 | - [Vue.js](#vue) 112 | - [Webassembly](#wasm) 113 | - [Writing](#writing) 114 | - [YAML](#yaml) 115 | - [git](#git) 116 | 117 | --- 118 | 119 | ## `Programming Languages` 120 | 121 |

ABAP

122 | 123 | - [abaplint](https://abaplint.org) — Linter for ABAP, written in TypeScript. 124 | - [abapOpenChecks](https://docs.abapopenchecks.org) — Enhances the SAP Code Inspector with new and customizable checks. 125 | 126 | 127 |

Ada

128 | 129 | - [Codepeer](http://www.adacore.com/codepeer) :copyright: — Detects run-time and logic errors. 130 | - [Polyspace for Ada](https://www.mathworks.com/products/polyspace-ada.html) :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code. 131 | - [SPARK](https://www.adacore.com/about-spark) :copyright: — Static analysis and formal verification toolset for Ada. 132 | 133 | 134 |

Assembly

135 | 136 | - [STOKE](https://github.com/StanfordPL/stoke) :warning: — A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations. 137 | 138 | 139 |

Awk

140 | 141 | - [gawk --lint](https://www.gnu.org/software/gawk/manual/html_node/Options.html) — Warns about constructs that are dubious or nonportable to other awk implementations. 142 | 143 | 144 |

C

145 | 146 | - [Astrée](https://www.absint.com/astree/index.htm) :copyright: — Astrée automatically proves the absence of runtime errors and invalid con­current behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available. 147 | - [CBMC](http://www.cprover.org/cbmc) — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses. 148 | - [clang-tidy](http://clang.llvm.org/extra/clang-tidy) — clang static analyser. 149 | - [clazy](https://github.com/KDE/clazy) — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring. 150 | - [CMetrics](https://github.com/MetricsGrimoire/CMetrics) — Measures size and complexity for C files. 151 | - [CPAchecker](https://cpachecker.sosy-lab.org) — A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs. 152 | - [cppcheck](http://cppcheck.sourceforge.net) — Static analysis of C/C++ code. 153 | - [CppDepend](https://www.cppdepend.com) :warning: :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity. 154 | - [cpplint](https://github.com/google/styleguide/tree/gh-pages/cpplint) — Automated C++ checker that follows Google's style guide. 155 | - [cqmetrics](https://github.com/dspinellis/cqmetrics) — Quality metrics for C code. 156 | - [CScout](https://www.spinellis.gr/cscout) :warning: — Complexity and quality metrics for for C and C preprocessor code. 157 | - [ESBMC](http://esbmc.org) — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs. 158 | - [flawfinder](http://dwheeler.com/flawfinder/) — Finds possible security weaknesses. 159 | - [flint++](https://github.com/JossWhittle/FlintPlusPlus) — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. 160 | - [Frama-C](http://frama-c.com) — A sound and extensible static analyzer for C code. 161 | - [Helix QAC](https://www.perforce.com/products/helix-qac) :copyright: — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards. 162 | - [IKOS](https://github.com/nasa-sw-vnv/ikos) — A sound static analyzer for C/C++ code based on LLVM. 163 | - [Joern](https://joern.io) — Open-source code analysis platform for C/C++ based on code property graphs 164 | - [LDRA](https://ldra.com) :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules. 165 | - [PC-lint](https://www.gimpel.com) :copyright: — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17. 166 | - [Phasar](https://phasar.org) — A LLVM-based static analysis framework which comes with a taint and type state analysis. 167 | - [Polyspace Bug Finder](https://www.mathworks.com/products/polyspace-bug-finder.html) :copyright: — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software. 168 | - [Polyspace Code Prover](https://www.mathworks.com/products/polyspace-code-prover.html) :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code. 169 | - [scan-build](https://clang-analyzer.llvm.org/scan-build.html) — Analyzes C/C++ code using LLVM at compile-time. 170 | - [splint](http://splint.org) — Annotation-assisted static program checker. 171 | - [SVF](http://svf-tools.github.io/SVF) — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs. 172 | - [vera++](https://bitbucket.org/verateam/vera/wiki/Introduction) — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code. 173 | 174 | 175 |

C#

176 | 177 | - [.NET Analyzers](https://github.com/DotNetAnalyzers) — An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform. 178 | - [ArchUnitNET](https://github.com/TNG/ArchUnitNET) — A C# architecture test library to specify and assert architecture rules in C# for automated testing. 179 | - [code-cracker](http://code-cracker.github.io) — An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties. 180 | - [CSharpEssentials](https://github.com/DustinCampbell/CSharpEssentials) :warning: — C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features. 181 | - [Designite](http://www.designite-tools.com) :copyright: — Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis. 182 | - [Gendarme](https://www.mono-project.com/docs/tools+libraries/tools/gendarme) — Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET). 183 | - [Infer#](https://github.com/microsoft/infersharp) — InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks. 184 | - [NDepend](http://www.ndepend.com) :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity. 185 | - [Puma Scan](https://pumasecurity.io) — Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio. 186 | - [Roslynator](https://github.com/JosefPihrt/Roslynator) — A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn. 187 | - [VSDiagnostics](https://github.com/Vannevelj/VSDiagnostics) :warning: — A collection of static analyzers based on Roslyn that integrates with VS. 188 | - [Wintellect.Analyzers](https://github.com/Wintellect/Wintellect.Analyzers) — .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes. 189 | 190 | 191 |

C++

192 | 193 | - [Astrée](https://www.absint.com/astree/index.htm) :copyright: — Astrée automatically proves the absence of runtime errors and invalid con­current behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available. 194 | - [CBMC](http://www.cprover.org/cbmc) — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses. 195 | - [clang-tidy](http://clang.llvm.org/extra/clang-tidy) — clang static analyser. 196 | - [clazy](https://github.com/KDE/clazy) — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring. 197 | - [CMetrics](https://github.com/MetricsGrimoire/CMetrics) — Measures size and complexity for C files. 198 | - [cppcheck](http://cppcheck.sourceforge.net) — Static analysis of C/C++ code. 199 | - [CppDepend](https://www.cppdepend.com) :warning: :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity. 200 | - [cpplint](https://github.com/google/styleguide/tree/gh-pages/cpplint) — Automated C++ checker that follows Google's style guide. 201 | - [cqmetrics](https://github.com/dspinellis/cqmetrics) — Quality metrics for C code. 202 | - [CScout](https://www.spinellis.gr/cscout) :warning: — Complexity and quality metrics for for C and C preprocessor code. 203 | - [ESBMC](http://esbmc.org) — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs. 204 | - [flawfinder](http://dwheeler.com/flawfinder/) — Finds possible security weaknesses. 205 | - [flint++](https://github.com/JossWhittle/FlintPlusPlus) — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. 206 | - [Frama-C](http://frama-c.com) — A sound and extensible static analyzer for C code. 207 | - [Helix QAC](https://www.perforce.com/products/helix-qac) :copyright: — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards. 208 | - [IKOS](https://github.com/nasa-sw-vnv/ikos) — A sound static analyzer for C/C++ code based on LLVM. 209 | - [Joern](https://joern.io) — Open-source code analysis platform for C/C++ based on code property graphs 210 | - [LDRA](https://ldra.com) :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules. 211 | - [PC-lint](https://www.gimpel.com) :copyright: — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17. 212 | - [Phasar](https://phasar.org) — A LLVM-based static analysis framework which comes with a taint and type state analysis. 213 | - [Polyspace Bug Finder](https://www.mathworks.com/products/polyspace-bug-finder.html) :copyright: — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software. 214 | - [Polyspace Code Prover](https://www.mathworks.com/products/polyspace-code-prover.html) :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code. 215 | - [scan-build](https://clang-analyzer.llvm.org/scan-build.html) — Analyzes C/C++ code using LLVM at compile-time. 216 | - [splint](http://splint.org) — Annotation-assisted static program checker. 217 | - [SVF](http://svf-tools.github.io/SVF) — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs. 218 | - [vera++](https://bitbucket.org/verateam/vera/wiki/Introduction) — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code. 219 | 220 | 221 |

Clojure

222 | 223 | - [clj-kondo](https://github.com/borkdude/clj-kondo) — A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing. 224 | 225 | 226 |

CoffeeScript

227 | 228 | - [coffeelint](http://www.coffeelint.org) — A style checker that helps keep CoffeeScript code clean and consistent. 229 | 230 | 231 |

Crystal

232 | 233 | - [ameba](https://crystal-ameba.github.io) — A static code analysis tool for Crystal. 234 | - [crystal](https://crystal-lang.org) — The Crystal compiler has built-in linting functionality. 235 | 236 | 237 |

Dart

238 | 239 | - [Dart Code Metrics](https://pub.dev/packages/dart_code_metrics) — Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer. 240 | - [effective_dart](https://pub.dev/packages/effective_dart) — Linter rules corresponding to the guidelines in Effective Dart 241 | - [lint](https://github.com/passsy/dart-lint) — An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter 242 | - [Linter for dart](https://dart-lang.github.io/linter) — Style linter for Dart. 243 | 244 | 245 |

Delphi

246 | 247 | - [Fix Insight](https://www.tmssoftware.com/site/fixinsight.asp) :copyright: — A free IDE Plugin for static code analysis. A _Pro_ edition includes a command line tool for automation purposes. 248 | - [Pascal Analyzer](https://peganza.com/products_pal.html) :copyright: — A static code analysis tool with numerous reports. A free _Lite_ version is available with limited reporting. 249 | - [Pascal Expert](https://peganza.com/products_pex.html) :copyright: — IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later. 250 | 251 | 252 |

Dlang

253 | 254 | - [D-scanner](https://github.com/dlang-community/D-Scanner) — D-Scanner is a tool for analyzing D source code. 255 | 256 | 257 |

Elixir

258 | 259 | - [credo](https://github.com/rrrene/credo) — A static code analysis tool with a focus on code consistency and teaching. 260 | - [dialyxir](https://github.com/jeremyjh/dialyxir) — Mix tasks to simplify use of Dialyzer in Elixir projects. 261 | - [sobelow](https://github.com/nccgroup/sobelow) — Security-focused static analysis for the Phoenix Framework. 262 | 263 | 264 |

Elm

265 | 266 | - [elm-analyse](https://stil4m.github.io/elm-analyse) :warning: — A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices. 267 | - [elm-review](https://package.elm-lang.org/packages/jfmengels/elm-review/latest) — Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you. 268 | 269 | 270 |

Erlang

271 | 272 | - [dialyzer](https://www.erlang.org/doc/man/dialyzer.html) — The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. 273 | Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives). 274 | - [elvis](https://github.com/inaka/elvis) — Erlang Style Reviewer. 275 | - [Primitive Erlang Security Tool (PEST)](https://github.com/okeuday/pest) — A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure. 276 | 277 | 278 |

F#

279 | 280 | - [FSharpLint](http://fsprojects.github.io/FSharpLint) — Lint tool for F#. 281 | 282 | 283 |

Fortran

284 | 285 | - [i-Code CNES for Fortran](https://github.com/lequal/i-CodeCNES) :warning: — An open source static code analysis tool for Fortran 77, Fortran 90 and Shell. 286 | 287 | 288 |

Go

289 | 290 | - [aligncheck](https://gitlab.com/opennota/check) — Find inefficiently packed structs. 291 | - [bodyclose](https://github.com/timakin/bodyclose) — Checks whether HTTP response body is closed. 292 | - [deadcode](https://github.com/tsenart/deadcode) — Finds unused code. 293 | - [dingo-hunter](https://github.com/nickng/dingo-hunter) :warning: — Static analyser for finding deadlocks in Go. 294 | - [dogsled](https://github.com/alexkohler/dogsled) — Finds assignments/declarations with too many blank identifiers. 295 | - [dupl](https://github.com/mibk/dupl) :warning: — Reports potentially duplicated code. 296 | - [errcheck](https://github.com/kisielk/errcheck) — Check that error return values are used. 297 | - [errwrap](https://github.com/fatih/errwrap) — Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive. 298 | - [flen](https://github.com/lafolle/flen) — Get info on length of functions in a Go package. 299 | - [Go Meta Linter](https://github.com/alecthomas/gometalinter) :warning: — Concurrently run Go lint tools and normalise their output. Use `golangci-lint` for new projects. 300 | - [go tool vet --shadow](https://golang.org/cmd/vet#hdr-Shadowed_variables) — Reports variables that may have been unintentionally shadowed. 301 | - [go vet](https://golang.org/cmd/vet) — Examines Go source code and reports suspicious. 302 | - [go-consistent](https://github.com/Quasilyte/go-consistent) :warning: — Analyzer that helps you to make your Go programs more consistent. 303 | - [go-critic](https://github.com/go-critic/go-critic) — Go source code linter that maintains checks which are currently not implemented in other linters. 304 | - [go/ast](https://golang.org/pkg/go/ast) — Package ast declares the types used to represent syntax trees for Go packages. 305 | - [gochecknoglobals](https://github.com/leighmcculloch/gochecknoglobals) — Checks that no globals are present. 306 | - [goconst](https://github.com/jgautheron/goconst) — Finds repeated strings that could be replaced by a constant. 307 | - [gocyclo](https://github.com/fzipp/gocyclo) — Calculate cyclomatic complexities of functions in Go source code. 308 | - [gofmt -s](https://golang.org/cmd/gofmt) — Checks if the code is properly formatted and could not be further simplified. 309 | - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports) — Checks missing or unreferenced package imports. 310 | - [gokart](https://github.com/praetorian-inc/gokart) — Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe. 311 | - [GolangCI-Lint](https://golangci-lint.run) — Alternative to `Go Meta Linter`: GolangCI-Lint is a linters aggregator. 312 | - [golint](https://github.com/golang/lint) — Prints out coding style mistakes in Go source code. 313 | - [goreporter](https://github.com/360EntSecGroup-Skylar/goreporter) — Concurrently runs many linters and normalises their output to a report. 314 | - [goroutine-inspect](https://github.com/linuxerwang/goroutine-inspect) — An interactive tool to analyze Golang goroutine dump. 315 | - [gosec (gas)](https://securego.io) — Inspects source code for security problems by scanning the Go AST. 316 | - [gotype](https://pkg.go.dev/golang.org/x/tools/cmd/gotype) — Syntactic and semantic analysis similar to the Go compiler. 317 | - [ineffassign](https://github.com/gordonklaus/ineffassign) — Detect ineffectual assignments in Go code. 318 | - [interfacer](https://github.com/mvdan/interfacer) :warning: — Suggest narrower interfaces that can be used. 319 | - [lll](https://github.com/walle/lll) :warning: — Report long lines. 320 | - [maligned](https://github.com/mdempsky/maligned) — Detect structs that would take less memory if their fields were sorted. 321 | - [misspell](https://github.com/client9/misspell) — Finds commonly misspelled English words. 322 | - [nakedret](https://github.com/alexkohler/nakedret) — Finds naked returns. 323 | - [nargs](https://github.com/alexkohler/nargs) — Finds unused arguments in function declarations. 324 | - [prealloc](https://github.com/alexkohler/prealloc) — Finds slice declarations that could potentially be preallocated. 325 | - [Reviewdog](https://github.com/haya14busa/reviewdog) — A tool for posting review comments from any linter in any code hosting service. 326 | - [revive](https://revive.run) — Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint. 327 | - [safesql](https://github.com/stripe/safesql) — Static analysis tool for Golang that protects against SQL injections. 328 | - [shisho](https://docs.shisho.dev/) — A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code. 329 | - [staticcheck](https://staticcheck.io) — Go static analysis that specialises in finding bugs, simplifying code and improving performance. 330 | - [structcheck](https://gitlab.com/opennota/check) — Find unused struct fields. 331 | - [structslop](https://github.com/orijtech/structslop) — Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency 332 | - [test](http://golang.org/pkg/testing) — Show location of test failures from the stdlib testing module. 333 | - [unconvert](https://github.com/mdempsky/unconvert) :warning: — Detect redundant type conversions. 334 | - [unparam](https://github.com/mvdan/unparam) — Find unused function parameters. 335 | - [varcheck](https://gitlab.com/opennota/check) — Find unused global variables and constants. 336 | - [wsl](https://github.com/bombsimon/wsl) — Enforces empty lines at the right places. 337 | 338 | 339 |

Groovy

340 | 341 | - [CodeNarc](https://codenarc.github.io/CodeNarc) — A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices. 342 | 343 | 344 |

Haskell

345 | 346 | - [brittany](https://github.com/lspitzner/brittany) — Haskell source code formatter 347 | - [HLint](https://github.com/ndmitchell/hlint) — HLint is a tool for suggesting possible improvements to Haskell code. 348 | - [Stan](https://kowainik.github.io/projects/stan) — Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems. 349 | - [Weeder](https://github.com/ocharles/weeder) — A tool for detecting dead exports or package imports in Haskell code. 350 | 351 | 352 |

Haxe

353 | 354 | - [Haxe Checkstyle](http://haxecheckstyle.github.io/docs/haxe-checkstyle/home.html) — A static analysis tool to help developers write Haxe code that adheres to a coding standard. 355 | 356 | 357 |

Java

358 | 359 | - [Checker Framework](https://checkerframework.org) — Pluggable type-checking for Java. 360 | - [checkstyle](https://checkstyle.org) — Checking Java source code for adherence to a Code Standard or set of validation rules (best practices). 361 | - [ck](https://github.com/mauricioaniche/ck) — Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files. 362 | - [ckjm](http://www.spinellis.gr/sw/ckjm) — Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files. 363 | - [CogniCrypt](https://www.eclipse.org/cognicrypt) — Checks Java source and byte code for incorrect uses of cryptographic APIs. 364 | - [DesigniteJava](http://www.designite-tools.com/designitejava) :copyright: — DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics. 365 | - [Doop](https://bitbucket.org/yanniss/doop) — Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.). 366 | - [Error-prone](https://errorprone.info) — Catch common Java mistakes as compile-time errors. 367 | - [fb-contrib](http://fb-contrib.sourceforge.net) — A plugin for FindBugs with additional bug detectors. 368 | - [forbidden-apis](https://github.com/policeman-tools/forbidden-apis) — Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible. 369 | - [google-java-format](https://github.com/google/google-java-format) — Google Style Reformat. 370 | - [HuntBugs](https://github.com/amaembo/huntbugs) :warning: — Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs. 371 | - [IntelliJ IDEA](https://www.jetbrains.com/idea) :copyright: — Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more. 372 | - [JArchitect](https://www.jarchitect.com) :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity. 373 | - [JBMC](https://www.cprover.org/jbmc) — Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses. 374 | - [NullAway](https://github.com/uber/NullAway) — Type-based null-pointer checker with low build-time overhead; an [Error Prone](http://errorprone.info/) plugin. 375 | - [OWASP Dependency Check](https://owasp.org/www-project-dependency-check) — Checks dependencies for known, publicly disclosed, vulnerabilities. 376 | - [qulice](https://www.qulice.com) — Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...). 377 | - [Reshift](https://www.reshiftsecurity.com) :copyright: — A source code analysis tool for detecting and managing Java security vulnerabilities. 378 | - [Soot](https://soot-oss.github.io/soot) — A framework for analyzing and transforming Java and Android applications. 379 | - [Spoon](http://spoon.gforge.inria.fr) — Spoon is a metaprogramming library to analyze and transform Java source code (incl Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle. 380 | - [SpotBugs](https://spotbugs.github.io) — SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code. 381 | - [Violations Lib](https://github.com/tomasbjerre/violations-lib) — Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins. 382 | 383 | 384 |

JavaScript

385 | 386 | - [aether](http://aetherjs.com) :warning: — Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser. 387 | - [Closure Compiler](https://developers.google.com/closure/compiler) — A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files. 388 | - [ClosureLinter](https://github.com/google/closure-linter) :warning: — Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors. 389 | - [complexity-report](https://github.com/escomplex/complexity-report) :warning: — Software complexity analysis for JavaScript projects. 390 | - [DeepScan](https://deepscan.io) :copyright: — An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions. 391 | - [es6-plato](https://github.com/the-simian/es6-plato) — Visualize JavaScript (ES6) source complexity. 392 | - [escomplex](https://github.com/jared-stilwell/escomplex) :warning: — Software complexity analysis of JavaScript-family abstract syntax trees. 393 | - [Esprima](https://esprima.org) — ECMAScript parsing infrastructure for multipurpose analysis. 394 | - [flow](https://flow.org) — A static type checker for JavaScript. 395 | - [hegel](https://hegel.js.org) — A static type checker for JavaScript with a bias on type inference and strong type systems. 396 | - [jshint](https://jshint.com/about) [:information_source:]() — Detect errors and potential problems in JavaScript code and enforce your team's coding conventions. 397 | - [JSLint](https://github.com/douglascrockford/JSLint) [:information_source:]() — The JavaScript Code Quality Tool. 398 | - [JSPrime](http://dpnishant.github.io/jsprime) :warning: — Static security analysis tool. 399 | - [NodeJSScan](https://opensecurity.in) — A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status. 400 | - [plato](https://github.com/es-analysis/plato) :warning: — Visualize JavaScript source complexity. 401 | - [Polymer-analyzer](https://github.com/Polymer/tools/tree/master/packages/analyzer) — A static analysis framework for Web Components. 402 | - [retire.js](http://retirejs.github.io/retire.js) — Scanner detecting the use of JavaScript libraries with known vulnerabilities. 403 | - [RSLint](http://rslint.org/) — A (WIP) JavaScript linter written in Rust designed to be as fast as possible, customizable, and easy to use. 404 | - [standard](http://standardjs.com) — An npm module that checks for Javascript Styleguide issues. 405 | - [tern](https://ternjs.net) — A JavaScript code analyzer for deep, cross-editor language support. 406 | - [TypL](https://typl.dev) — With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing. 407 | - [xo](https://github.com/xojs/xo) — Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code. 408 | - [yardstick](https://github.com/calmh/yardstick) :warning: — Javascript code metrics. 409 | 410 | 411 |

Julia

412 | 413 | - [StaticLint](https://github.com/julia-vscode/StaticLint.jl) — Static Code Analysis for Julia 414 | 415 | 416 |

Kotlin

417 | 418 | - [detekt](https://detekt.github.io/detekt) — Static code analysis for Kotlin code. 419 | - [diktat](https://analysis-dev.github.io/diktat) — Strict coding standard for Kotlin and a linter that detects and auto-fixes code smells. 420 | - [ktlint](https://ktlint.github.io) — An anti-bikeshedding Kotlin linter with built-in formatter. 421 | 422 | 423 |

Lua

424 | 425 | - [luacheck](https://github.com/mpeterv/luacheck) :warning: — A tool for linting and static analysis of Lua code. 426 | - [lualint](https://github.com/philips/lualint) — lualint performs luac-based static analysis of global variable usage in Lua source code. 427 | - [Luanalysis](https://plugins.jetbrains.com/plugin/14698-luanalysis) — An IDE for statically typed Lua development. 428 | 429 | 430 |

MATLAB

431 | 432 | - [mlint](https://mathworks.com/help/matlab/ref/mlint.html) :copyright: — Check MATLAB code files for possible problems. 433 | 434 | 435 |

Nim

436 | 437 | - [DrNim](https://nim-lang.org/docs/drnim.html) — DrNim combines the Nim frontend with the Z3 proof engine in order to allow verify / validate software written in Nim. 438 | - [nimfmt](https://github.com/FedericoCeratto/nimfmt) — Nim code formatter / linter / style checker 439 | 440 | 441 |

Ocaml

442 | 443 | - [Sys](https://github.com/PLSysSec/sys) :warning: — A static/symbolic Tool for finding bugs in (browser) code. It uses the LLVM AST to find bugs like uninitialized memory access. 444 | - [VeriFast](https://github.com/verifast/verifast) — A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates. 445 | 446 | 447 |

PHP

448 | 449 | - [churn-php](https://github.com/bmitch/churn-php) — Helps discover good candidates for refactoring. 450 | - [dephpend](https://github.com/mihaeu/dephpend) — Dependency analysis tool. 451 | - [deprecation-detector](https://github.com/sensiolabs-de/deprecation-detector) — Finds usages of deprecated (Symfony) code. 452 | - [deptrac](https://github.com/sensiolabs-de/deptrac) — Enforce rules for dependencies between software layers. 453 | - [DesignPatternDetector](https://github.com/Halleck45/DesignPatternDetector) — Detection of design patterns in PHP code. 454 | - [EasyCodingStandard](https://www.tomasvotruba.com/blog/2017/05/03/combine-power-of-php-code-sniffer-and-php-cs-fixer-in-3-lines) — Combine [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) and [PHP-CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer). 455 | - [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. 456 | - [exakat](https://www.exakat.io) — An automated code reviewing engine for PHP. 457 | - [GrumPHP](https://github.com/phpro/grumphp) — Checks code on every commit. 458 | - [larastan](https://github.com/nunomaduro/larastan) — Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan. 459 | - [Mondrian](http://trismegiste.github.io/Mondrian) :warning: — A set of static analysis and refactoring tools which use graph theory. 460 | - [Nitpick CI](https://nitpick-ci.com) :copyright: — Automated PHP code review. 461 | - [parallel-lint](https://github.com/php-parallel-lint/PHP-Parallel-Lint) — This tool checks syntax of PHP files faster than serial check with a fancier output. 462 | - [Parse](https://github.com/psecio/parse) — A Static Security Scanner. 463 | - [pdepend](https://pdepend.org) — Calculates software metrics like cyclomatic complexity for PHP code. 464 | - [phan](https://github.com/phan/phan/wiki) — A modern static analyzer from etsy. 465 | - [PHP Architecture Tester](https://github.com/carlosas/phpat) — Easy to use architecture testing tool for PHP. 466 | - [PHP Assumptions](https://github.com/rskuipers/php-assumptions) — Checks for weak assumptions. 467 | - [PHP Coding Standards Fixer](https://cs.symfony.com) — Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard. 468 | - [PHP Insights](https://phpinsights.com) — Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity. 469 | - [Php Inspections (EA Extended)](https://plugins.jetbrains.com/plugin/7622-php-inspections-ea-extended-) — A Static Code Analyzer for PHP. 470 | - [PHP Refactoring Browser](http://qafoolabs.github.io/php-refactoring-browser) — Refactoring helper. 471 | - [PHP Semantic Versioning Checker](https://github.com/tomzx/php-semver-checker) — Suggests a next version according to semantic versioning. 472 | - [PHP-Parser](https://github.com/nikic/PHP-Parser) — A PHP parser written in PHP. 473 | - [php-speller](https://github.com/mekras/php-speller) — PHP spell check library. 474 | - [PHP-Token-Reflection](https://github.com/Andrewsville/PHP-Token-Reflection) :warning: — Library emulating the PHP internal reflection. 475 | - [php7cc](https://github.com/sstalle/php7cc) :warning: — PHP 7 Compatibility Checker. 476 | - [php7mar](https://github.com/Alexia/php7mar) :warning: — Assist developers in porting their code quickly to PHP 7. 477 | - [PHP_CodeSniffer](https://pear.php.net/package/PHP_CodeSniffer) — Detects violations of a defined set of coding standards. 478 | - [phpca](https://github.com/wapmorgan/PhpCodeAnalyzer) :warning: — Finds usage of non-built-in extensions. 479 | - [phpcpd](https://github.com/sebastianbergmann/phpcpd) — Copy/Paste Detector for PHP code. 480 | - [phpdcd](https://github.com/sebastianbergmann/phpdcd) :warning: — Dead Code Detector (DCD) for PHP code. 481 | - [PhpDependencyAnalysis](https://mamuz.github.io/PhpDependencyAnalysis) :warning: — Builds a dependency graph for a project. 482 | - [PhpDeprecationDetector](https://github.com/wapmorgan/PhpDeprecationDetector) — Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions). 483 | - [phpdoc-to-typehint](https://github.com/dunglas/phpdoc-to-typehint) :warning: — Add scalar type hints and return types to existing PHP projects using PHPDoc annotations. 484 | - [phpDocumentor](https://www.phpdoc.org) — Analyzes PHP source code to generate documentation. 485 | - [phploc](https://github.com/sebastianbergmann/phploc) — A tool for quickly measuring the size and analyzing the structure of a PHP project. 486 | - [PHPMD](https://phpmd.org) — Finds possible bugs in your code. 487 | - [PhpMetrics](http://www.phpmetrics.org) — Calculates and visualizes various code quality metrics. 488 | - [phpmnd](https://github.com/povils/phpmnd) — Helps to detect magic numbers. 489 | - [PHPQA](https://edgedesigncz.github.io/phpqa) — A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics). 490 | - [phpqa - jakzal](https://github.com/jakzal/phpqa) — Many tools for PHP static analysis in one container. 491 | - [phpqa - jmolivas](https://github.com/jmolivas/phpqa) — PHPQA all-in-one Analyzer CLI tool. 492 | - [phpsa](https://github.com/ovr/phpsa) :warning: — Static analysis tool for PHP. 493 | - [PHPStan](https://phpstan.org) — PHP Static Analysis Tool - discover bugs in your code without running it! 494 | - [Progpilot](https://github.com/designsecurity/progpilot) — A static analysis tool for security purposes. 495 | - [Psalm](https://psalm.dev) — Static analysis tool for finding type errors in PHP applications. 496 | - [Qafoo Quality Analyzer](https://github.com/Qafoo/QualityAnalyzer) :warning: — Visualizes metrics and source code. 497 | - [Symfony Insight](https://insight.symfony.com/) :copyright: — Detect security risks, find bugs and provide actionable metrics for PHP projects. 498 | - [Tuli](https://github.com/ircmaxell/Tuli) — A static analysis engine. 499 | - [twig-lint](https://github.com/asm89/twig-lint) — twig-lint is a lint tool for your twig files. 500 | - [WAP](https://securityonline.info/owasp-wap-web-application-protection-project) — Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining. 501 | 502 | 503 |

PL/SQL

504 | 505 | - [ZPA](https://felipezorzo.com.br/zpa/) — Z PL/SQL Analyzer (ZPA) is an extensible code analyzer for PL/SQL and Oracle SQL. It can be integrated with SonarQube. 506 | 507 | 508 |

Perl

509 | 510 | - [Perl::Critic](https://metacpan.org/pod/Perl::Critic) — Critique Perl source code for best-practices. 511 | 512 | 513 |

Python

514 | 515 | - [bandit](https://bandit.readthedocs.io/en/latest) — A tool to find common security issues in Python code. 516 | - [bellybutton](https://github.com/hchasestevens/bellybutton) — A linting engine supporting custom project-specific rules. 517 | - [Black](https://black.readthedocs.io/en/stable) — The uncompromising Python code formatter. 518 | - [Bowler](https://pybowler.io/) — Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code. 519 | - [ciocheck](https://github.com/ContinuumIO/ciocheck) :warning: — Linter, formatter and test suite helper. As a linter, it is a wrapper around `pep8`, `pydocstyle`, `flake8`, and `pylint`. 520 | - [cohesion](https://github.com/mschwager/cohesion) :warning: — A tool for measuring Python class cohesion. 521 | - [Dlint](https://github.com/dlint-py/dlint) — A tool for ensuring Python code is secure. 522 | - [fixit](https://pypi.org/project/fixit) — A framework for creating lint rules and corresponding auto-fixes for source code. 523 | - [flake8](https://github.com/PyCQA/flake8) — A wrapper around `pyflakes`, `pycodestyle` and `mccabe`. 524 | - [InspectorTiger](https://github.com/thg-consulting/it) :warning: — IT, Inspector Tiger, is a modern python code review tool / framework. It comes with bunch of pre-defined handlers which warns you about improvements and possible bugs. Beside these handlers, you can write your own or use community ones. 525 | - [jedi](https://jedi.readthedocs.io/en/latest) — Autocompletion/static analysis library for Python. 526 | - [linty fresh](https://github.com/lyft/linty_fresh) — Parse lint errors and report them to Github as comments on a pull request. 527 | - [mccabe](https://pypi.org/project/mccabe) — Check McCabe complexity. 528 | - [multilint](https://github.com/adamchainz/multilint) :warning: — A wrapper around `flake8`, `isort` and `modernize`. 529 | - [mypy](http://www.mypy-lang.org) — A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with [MonkeyType](https://github.com/Instagram/MonkeyType). 530 | - [prospector](https://github.com/PyCQA/prospector) — A wrapper around `pylint`, `pep8`, `mccabe` and others. 531 | - [py-find-injection](https://github.com/uber/py-find-injection) :warning: — Find SQL injection vulnerabilities in Python code. 532 | - [pyanalyze](https://pyanalyze.readthedocs.io/en/latest/) — A tool for programmatically detecting common mistakes in Python code, such as references to undefined variables and type errors. It can be extended to add additional rules and perform checks specific to particular functions. 533 | - [PyCodeQual](https://pycodequ.al) :copyright: — PyCodeQual gives you insights into complexity and bug risks. It adds automatic reviews to your pull requests. 534 | - [pycodestyle](https://pycodestyle.pycqa.org/en/latest) — (Formerly `pep8`) Check Python code against some of the style conventions in PEP 8. 535 | - [pydocstyle](http://www.pydocstyle.org) — Check compliance with Python docstring conventions. 536 | - [pyflakes](https://pypi.org/project/pyflakes) — Check Python source files for errors. 537 | - [pylint](http://pylint.pycqa.org/en/latest) — Looks for programming errors, helps enforcing a coding standard and sniffs for some code smells. It additionally includes `pyreverse` (an UML diagram generator) and `symilar` (a similarities checker). 538 | - [pyre-check](https://pyre-check.org) — A fast, scalable type checker for large Python codebases. 539 | - [pyright](https://github.com/Microsoft/pyright) — Static type checker for Python, created to address gaps in existing tools like mypy. 540 | - [pyroma](https://github.com/regebro/pyroma) — Rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved. 541 | - [Pysa](https://pyre-check.org/docs/pysa-basics.html) — A tool based on Facebook's pyre-check to identify potential security issues in Python code identified with taint analysis. 542 | - [PyT - Python Taint](https://github.com/python-security/pyt) :warning: — A static analysis tool for detecting security vulnerabilities in Python web applications. 543 | - [pytype](https://google.github.io/pytype) — A static type analyzer for Python code. 544 | - [QuantifiedCode](https://github.com/quantifiedcode/quantifiedcode) :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. 545 | - [radon](https://radon.readthedocs.io/en/latest) — A Python tool that computes various metrics from the source code. 546 | - [unimport](https://unimport.hakancelik.dev) — A linter, formatter for finding and removing unused import statements. 547 | - [vulture](https://github.com/jendrikseipp/vulture) — Find unused classes, functions and variables in Python code. 548 | - [wemake-python-styleguide](https://wemake-python-stylegui.de) — The strictest and most opinionated python linter ever. 549 | - [wily](https://github.com/tonybaloney/wily) — A command-line tool for archiving, exploring and graphing the complexity of Python source code. 550 | - [xenon](https://xenon.readthedocs.io) — Monitor code complexity using [`radon`](https://github.com/rubik/radon). 551 | 552 | 553 |

R

554 | 555 | - [cyclocomp](https://github.com/MangoTheCat/cyclocomp) — Quantifies the cyclomatic complexity of R functions / expressions. 556 | - [goodpractice](http://mangothecat.github.io/goodpractice) — Analyses the source code for R packages and provides best-practice recommendations. 557 | - [lintr](https://github.com/jimhester/lintr) — Static Code Analysis for R. 558 | - [styler](https://styler.r-lib.org) — Formatting of R source code files and pretty-printing of R code. 559 | 560 | 561 |

Ruby

562 | 563 | - [brakeman](https://brakemanscanner.org) — A static analysis security vulnerability scanner for Ruby on Rails applications. 564 | - [bundler-audit](https://github.com/rubysec/bundler-audit) — Audit Gemfile.lock for gems with security vulnerabilities reported in [Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db). 565 | - [cane](https://github.com/square/cane) :warning: — Code quality threshold checking as part of your build. 566 | - [dawnscanner](https://github.com/thesp0nge/dawnscanner) — A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks. 567 | - [ERB Lint](https://github.com/Shopify/erb-lint) — Lint your ERB or HTML files 568 | - [Fasterer](https://github.com/DamirSvrtan/fasterer) — Common Ruby idioms checker. 569 | - [flay](https://ruby.sadi.st/Flay.html) — Flay analyzes code for structural similarities. 570 | - [flog](https://ruby.sadi.st/Flog.html) — Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in. 571 | - [Fukuzatsu](https://github.com/CoralineAda/fukuzatsu) — A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions". 572 | - [laser](https://github.com/michaeledgar/laser) :warning: — Static analysis and style linter for Ruby code. 573 | - [pelusa](https://github.com/codegram/pelusa) — Static analysis Lint-type tool to improve your OO Ruby code. 574 | - [quality](https://github.com/apiology/quality) :warning: — Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. 575 | - [Querly](https://github.com/soutaro/querly) — Pattern Based Checking Tool for Ruby. 576 | - [Railroader](https://railroader.org) :warning: — An open source static analysis security vulnerability scanner for Ruby on Rails applications. 577 | - [rails_best_practices](https://rails-bestpractices.com) — A code metric tool for Rails projects 578 | - [reek](https://github.com/troessner/reek) — Code smell detector for Ruby. 579 | - [RuboCop](https://docs.rubocop.org/rubocop) — A Ruby static code analyzer, based on the community Ruby style guide. 580 | - [Rubrowser](https://github.com/blazeeboy/rubrowser) — Ruby classes interactive dependency graph generator. 581 | - [ruby-lint](http://code.yorickpeterse.com/ruby-lint/latest) :warning: — Static code analysis for Ruby. 582 | - [rubycritic](https://github.com/whitesmith/rubycritic) — A Ruby code quality reporter. 583 | - [rufo](https://github.com/ruby-formatter/rufo) — An opinionated ruby formatter, intended to be used via the command line as a text-editor plugin, to autoformat files on save or on demand. 584 | - [Saikuro](https://metricfu.github.io/Saikuro) :warning: — A Ruby cyclomatic complexity analyzer. 585 | - [SandiMeter](https://rubygems.org/gems/sandi_meter) :warning: — Static analysis tool for checking Ruby code for Sandi Metz' rules. 586 | - [Sorbet](https://sorbet.org) — A fast, powerful type checker designed for Ruby. 587 | - [Standard Ruby](https://github.com/testdouble/standard) — Ruby Style Guide, with linter & automatic code fixer 588 | - [Steep](https://github.com/soutaro/steep) — Gradual Typing for Ruby. 589 | 590 | 591 |

Rust

592 | 593 | - [C2Rust](https://c2rust.com) — C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that closely mirrors the input C code. 594 | - [cargo udeps](https://github.com/est31/cargo-udeps) — Find unused dependencies in Cargo.toml. It either prints out a "unused crates" line listing the crates, or it prints out a line saying that no crates were unused. 595 | - [cargo-audit](https://rustsec.org) — Audit Cargo.lock for crates with security vulnerabilities reported to the [RustSec Advisory Database](https://github.com/RustSec/advisory-db/). 596 | - [cargo-bloat](https://github.com/RazrFalcon/cargo-bloat) — Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. 597 | - [cargo-deny](https://embarkstudios.github.io/cargo-deny) — A cargo plugin for linting your dependencies. It can be used either as a command line too, a Rust crate, or a Github action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more. 598 | - [cargo-expand](https://github.com/dtolnay/cargo-expand) — Cargo subcommand to show result of macro expansion and #[derive] expansion applied to the current crate. This is a wrapper around a more verbose compiler command. 599 | - [cargo-inspect](https://github.com/mre/cargo-inspect) — Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains. 600 | - [cargo-spellcheck](https://github.com/drahnr/cargo-spellcheck) — Checks all your documentation for spelling and grammar mistakes with hunspell (ready) and languagetool (preview) 601 | - [clippy](https://rust-lang.github.io/rust-clippy) — A code linter to catch common mistakes and improve your Rust code. 602 | - [dylint](https://www.trailofbits.com/post/write-rust-lints-without-forking-clippy) — A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections. 603 | - [electrolysis](http://kha.github.io/electrolysis) :warning: — A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover. 604 | - [herbie](https://github.com/mcarton/rust-herbie-lint) :warning: — Adds warnings or errors to your crate when using a numerically unstable floating point expression. 605 | - [linter-rust](https://github.com/AtomLinter/linter-rust) :warning: — Linting your Rust-files in Atom, using rustc and cargo. 606 | - [MIRAI](https://github.com/facebookexperimental/MIRAI) — And abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis. 607 | - [prae](https://github.com/teenjuna/prae) — Provides a convenient macro that allows you to generate type wrappers that promise to always uphold arbitrary invariants that you specified. 608 | - [Prusti](https://www.pm.inf.ethz.ch/research/prusti.html) — A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable. 609 | - [Rudra](https://github.com/sslab-gatech/Rudra) :copyright: — Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io. 610 | - [Rust Language Server](https://github.com/rust-lang-nursery/rls) — Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings. 611 | - [rust-analyzer](https://rust-analyzer.github.io) — Supports functionality such as 'goto definition', type inference, symbol search, reformatting, and code completion, and enables renaming and refactorings. 612 | - [rust-audit](https://github.com/Shnatsel/rust-audit) — Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable. 613 | - [rustfix](https://github.com/rust-lang/rustfix) — Read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy). 614 | - [rustfmt](https://github.com/rust-lang/rustfmt) — A tool for formatting Rust code according to style guidelines. 615 | - [RustViz](https://github.com/rustviz/rustviz) — RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs. 616 | - [warnalyzer](https://github.com/est31/warnalyzer) — Show unused code from multi-crate Rust projects 617 | 618 | 619 |

SQL

620 | 621 | - [dbcritic](https://github.com/channable/dbcritic) — dbcritic finds problems in a database schema, such as a missing primary key constraint in a table. 622 | - [sqlcheck](https://github.com/jarulraj/sqlcheck) — Automatically identify anti-patterns in SQL queries. 623 | - [SQLFluff](https://www.sqlfluff.com/) — Multiple dialect SQL linter and formatter. 624 | - [sqlint](https://github.com/purcell/sqlint) — Simple SQL linter. 625 | - [squawk](https://squawkhq.com) — Linter for PostgreSQL, focused on migrations. Prevents unexpected downtime caused by database migrations and encourages best practices around Postgres schemas and SQL. 626 | - [tsqllint](https://github.com/tsqllint/tsqllint) — T-SQL-specific linter. 627 | - [TSqlRules](https://github.com/ashleyglee/TSqlRules) :warning: — TSQL Static Code Analysis Rules for SQL Server. 628 | - [Visual Expert](https://www.visual-expert.com) :copyright: — Code analysis for PowerBuilder, Oracle, and SQL Server Explores, analyzes, and documents Code 629 | 630 | 631 |

Scala

632 | 633 | - [linter](https://github.com/HairyFotr/linter) :warning: — Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems. 634 | - [Scalastyle](http://www.scalastyle.org) — Scalastyle examines your Scala code and indicates potential problems with it. 635 | - [scapegoat](https://github.com/sksamuel/scapegoat) — Scala compiler plugin for static code analysis. 636 | - [WartRemover](https://www.wartremover.org) — A flexible Scala code linting tool. 637 | 638 | 639 |

Shell

640 | 641 | - [bashate](https://github.com/openstack/bashate) — Code style enforcement for bash programs. The output format aims to follow pycodestyle (pep8) default output format. 642 | - [i-Code CNES for Shell](https://github.com/lequal/i-CodeCNES) :warning: — An open source static code analysis tool for Shell and Fortran (77 and 90). 643 | - [kmdr](https://kmdr.sh) — CLI tool for learning commands from your terminal. kmdr delivers a break down of commands with every attribute explained. 644 | - [sh](https://pkg.go.dev/mvdan.cc/sh/v3) — A shell parser, formatter, and interpreter with bash support; includes shfmt 645 | - [shellcheck](https://www.shellcheck.net) — ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts. 646 | - [shellharden](https://github.com/anordal/shellharden) — A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting. 647 | 648 | 649 |

Swift

650 | 651 | - [SwiftFormat](https://github.com/nicklockwood/SwiftFormat) — A library and command-line formatting tool for reformatting Swift code. 652 | - [SwiftLint](https://realm.github.io/SwiftLint) — A tool to enforce Swift style and conventions. 653 | - [Tailor](https://sleekbyte.github.io/tailor) :warning: — A static analysis and lint tool for source code written in Apple's Swift programming language. 654 | 655 | 656 |

Tcl

657 | 658 | - [Frink](http://catless.ncl.ac.uk/Programs/Frink) — A Tcl formatting and static check program (can prettify the program, minimise, obfuscate or just sanity check it). 659 | - [Nagelfar](https://sourceforge.net/projects/nagelfar) — A static syntax checker for Tcl. 660 | - [tclchecker](https://github.com/ActiveState/tdk/blob/master/docs/3.0/TDK_3.0_Checker.txt) — A static syntax analysis module (as part of [TDK](https://github.com/ActiveState/tdk)). 661 | 662 | 663 |

TypeScript

664 | 665 | - [Angular ESLint](https://github.com/angular-eslint/angular-eslint#readme) — Linter for Angular projects 666 | - [Codelyzer](http://codelyzer.com) — A set of tslint rules for static code analysis of Angular 2 TypeScript projects. 667 | - [tslint-clean-code](https://www.npmjs.com/package/tslint-clean-code) — A set of TSLint rules inspired by the Clean Code handbook. 668 | - [tslint-microsoft-contrib](https://github.com/Microsoft/tslint-microsoft-contrib) :warning: — A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft. 669 | - [TypeScript Call Graph](https://github.com/whyboris/TypeScript-Call-Graph) — CLI to generate an interactive graph of functions and calls from your TypeScript files 670 | - [TypeScript ESLint](https://github.com/typescript-eslint/typescript-eslint) — TypeScript language extension for eslint. 671 | 672 | 673 |

VBScript

674 | 675 | - [Test Design Studio](http://patterson-consulting.net/tds) :copyright: — A full IDE with static code analysis for Micro Focus Unified Functional Testing VBScript-based automated tests. 676 | 677 | 678 |

Verilog/SystemVerilog

679 | 680 | - [Icarus Verilog](https://github.com/steveicarus/iverilog) — A Verilog simulation and synthesis tool that operates by compiling source code written in IEEE-1364 Verilog into some target format 681 | - [svls](https://github.com/dalance/svls) — A Language Server Protocol implementation for Verilog and SystemVerilog, including lint capabilities. 682 | - [verible-linter-action](https://github.com/chipsalliance/verible-linter-action) — Automatic SystemVerilog linting in github actions with the help of Verible Used to lint Verilog and SystemVerilog source files and comment erroneous lines of code in Pull Requests automatically. 683 | - [Verilator](https://www.veripool.org/verilator) — A tool which converts Verilog to a cycle-accurate behavioral model in C++ or SystemC. Performs lint code-quality checks. 684 | - [vscode-verilog-hdl-support](https://github.com/mshr-h/vscode-verilog-hdl-support) — Verilog HDL/SystemVerilog/Bluespec SystemVerilog support for VS Code. Provides syntax highlighting and Linting support from Icarus Verilog, Vivado Logical Simulation, Modelsim and Verilator 685 | 686 | 687 |

Vim Script

688 | 689 | - [vint](https://github.com/Kuniwak/vint) :warning: — Fast and Highly Extensible Vim script Language Lint implemented by Python. 690 | 691 | 692 | ## Multiple languages 693 | 694 | - [ale](https://github.com/w0rp/ale) — Asynchronous Lint Engine for Vim and NeoVim with support for many languages. 695 | - [Android Studio](https://developer.android.com/studio) — Based on IntelliJ IDEA, and comes bundled with tools for Android including Android Lint. 696 | - [AppChecker](https://npo-echelon.ru/en/solutions/appchecker.php) :copyright: — Static analysis for C/C++/C#, PHP and Java. 697 | - [Application Inspector](https://www.ptsecurity.com/ww-en/products/ai) :copyright: — Commercial Static Code Analysis which generates exploits to verify vulnerabilities. 698 | - [ApplicationInspector](https://github.com/microsoft/ApplicationInspector) — Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps). 699 | - [APPscreener](https://solarappscreener.com) :copyright: — Static code analysis for binary and source code - Java/Scala, PHP, Javascript, C#, PL/SQL, Python, T-SQL, C/C++, ObjectiveC/Swift, Visual Basic 6.0, Ruby, Delphi, ABAP, HTML5 and Solidity. 700 | - [ArchUnit](https://www.archunit.org) — Unit test your Java or Kotlin architecture. 701 | - [Atom-Beautify](https://atom.io/packages/atom-beautify) :warning: — Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor. 702 | - [Axivion Bauhaus Suite](https://www.axivion.com/en/products-services-9#products_bauhaussuite) :copyright: — Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95. 703 | - [Better Code Hub](https://bettercodehub.com) :copyright: — Better Code Hub checks your GitHub codebase against 10 engineering guidelines devised by the authority in software quality, Software Improvement Group. 704 | - [CAST Highlight](https://www.castsoftware.com/products/highlight) :copyright: — Commercial Static Code Analysis which runs locally, but uploads the results to its cloud for presentation. 705 | - [Checkmarx CxSAST](https://www.checkmarx.com/products/static-application-security-testing) :copyright: — Commercial Static Code Analysis which doesn't require pre-compilation. 706 | - [ClassGraph](https://github.com/classgraph/classgraph) — A classpath and module path scanner for querying or visualizing class metadata or class relatedness. 707 | - [Clayton](https://www.getclayton.com/) :copyright: — AI-powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time. 708 | - [coala](https://coala.io) — Language independent framework for creating code analysis - supports [over 60 languages](https://coala.io/languages) by default. 709 | - [Cobra](http://spinroot.com/cobra) :copyright: — Structural source code analyzer by NASA's Jet Propulsion Laboratory. 710 | - [Codacy](https://www.codacy.com) :copyright: — Code Analysis to ship Better Code, Faster. 711 | - [Code Intelligence](https://www.code-intelligence.com) :copyright: — CI/CD-agnostic DevSecOps platform which combines industry-leading fuzzing engines for finding bugs and visualizing code coverage 712 | - [Codeac](https://www.codeac.io/?ref=awesome-static-analysis) :copyright: — Automated code review tool integrates with GitHub, Bitbucket and GitLab (even self-hosted). Available for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and more. (open-source free) 713 | - [codeburner](http://groupon.github.io/codeburner) :warning: — Provides a unified interface to sort and act on the issues it finds. 714 | - [codechecker](https://codechecker.readthedocs.io/en/latest) — A defect database and viewer extension for the Clang Static Analyzer with web GUI. 715 | - [CodeFactor](https://codefactor.io) :copyright: — Automated Code Analysis for repos on GitHub or BitBucket. 716 | - [CodeFlow](https://www.getcodeflow.com) :copyright: — Automated code analysis tool to deal with technical depth. Integrates with Bitbucket and Gitlab. (free for Open Source Projects) 717 | - [CodeIt.Right](https://submain.com/products/codeit.right.aspx) :copyright: — CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices. 718 | - [CodePatrol](https://cyber-security.claranet.fr/en/codepatrol) :copyright: — Automated SAST code reviews driven by security, supports 15+ languages and includes security training. 719 | - [codeql](https://github.com/github/codeql) — Deep code analysis - semantic queries and dataflow for several languages with VSCode plugin support. 720 | - [Coderrect](https://coderrect.com/) :copyright: — Advanced static analyzer for multi-threaded software. Supports OpenMP, Pthreads, std::thread, and GPU/CUDA. 721 | - [CodeRush](https://www.devexpress.com/products/coderush) :copyright: — Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up. 722 | - [CodeScan](https://www.codescan.io/) :copyright: — Code Quality and Security for Salesforce Developers. Made exclusively for the Salesforce platform, CodeScan’s code analysis solutions provide you with total visibility into your code health. 723 | - [CodeScene](https://codescene.com) :copyright: — CodeScene is a quality visualization tool for software. Prioritize technical debt, detect delivery risks, and measure organizational aspects. Fully automated. 724 | - [CodeSonar from GrammaTech](https://www.grammatech.com/products/codesonar) :copyright: — Advanced, whole program, deep path, static analysis of C, C++, Java and C# with easy-to-understand explanations and code and path visualization. 725 | - [Codiga](https://www.codiga.io) :copyright: — Automated Code Reviews and Technical Debt management platform that supports 12+ languages. 726 | - [Corrode](https://github.com/jameysharp/corrode) :warning: — Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust. 727 | - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) :copyright: — Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET. 728 | - [cqc](https://github.com/xcatliu/cqc) :warning: — Check your code quality for js, jsx, vue, css, less, scss, sass and styl files. 729 | - [DeepCode](https://www.deepcode.ai) :copyright: — DeepCode finds bugs, security vulnerabilities, performance and API issues based on AI. DeepCode's speed of analysis allow us to analyse your code in real time and deliver results when you hit the save button in your IDE. Supported languages are Java, C/C++, JavaScript, Python, and TypeScript. Integrations with GitHub, BitBucket and Gitlab. 730 | - [DeepSource](https://deepsource.io) :copyright: — In-depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives. 731 | - [Depends](https://github.com/multilang-depends/depends) — Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby. 732 | - [DevSkim](https://github.com/microsoft/devskim) — Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others. 733 | - [Embold](https://embold.io) :copyright: — Intelligent software analytics platform that identifies design issues, code issues, duplication and metrics. Supports Java, C, C++, C#, JavaScript, TypeScript, Python, Go, Kotlin and more. 734 | - [ESLint](https://github.com/eslint/eslint) — An extensible linter for JS, following the ECMAScript standard. 735 | - [Find Security Bugs](https://find-sec-bugs.github.io) — The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects) 736 | - [Fortify](https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview) :copyright: — A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML. 737 | - [Goodcheck](https://sider.github.io/goodcheck) — Regexp based customizable linter. 738 | - [goone](https://github.com/masibw/goone) :warning: — Finds N+1 queries (SQL calls in a for loop) in go code 739 | - [graudit](http://www.justanotherhacker.com) — Grep rough audit - source code auditing tool. 740 | - [HCL AppScan Source](https://www.hcltechsw.com/products/appscan) :copyright: — Commercial Static Code Analysis. 741 | - [Hopper](https://github.com/cuplv/hopper) :warning: — A static analysis tool written in scala for languages that run on JVM. 742 | - [Hound CI](https://houndci.com) — Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift. 743 | - [imhotep](https://github.com/justinabrahms/imhotep) — Comment on commits coming into your repository and check for syntactic errors and general lint warnings. 744 | - [include-gardener](https://github.com/feddischson/include_gardener) :warning: — A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all `#include` relations of a given set of files. 745 | - [Infer](https://fbinfer.com) — A static analyzer for Java, C and Objective-C 746 | - [InsiderSec](https://insidersec.io) :warning: — A open source Static Application Security Testing tool (SAST) written in GoLang for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and Javascript (Node.js). 747 | - [Kiuwan](https://www.kiuwan.com/code-security-sast) :copyright: — Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C\C++, Java, C#, PHP and more. 748 | - [Klocwork](https://www.perforce.com/products/klocwork) :copyright: — Quality and Security Static analysis for C/C++, Java and C#. 749 | - [LGTM](https://lgtm.com/) :copyright: — Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for open source. Formerly semmle. 750 | - [LGTM.com](https://lgtm.com) :copyright: — Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories. 751 | - [lizard](https://github.com/terryyin/lizard) — Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions. 752 | - [Mega-Linter](https://nvuillam.github.io/mega-linter/) — Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, 753 | its advanced reporting, runnable on any CI system or locally, 754 | with assisted installation and configuration, able to apply formatting and fixes 755 | - [oclint](http://oclint.org) — A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C. 756 | - [ocular](https://www.shiftleft.io/ocular/) :copyright: — Enables code auditors and security teams to interactively investigate their unique code bases to find business logic flaws and technical vulnerabilities that traditional SASTs cannot. This is done by enabling the analyst to write their own custom queries. Can find hard-coded secrets, authentication issues, and malicious code like rootkits and backdoors. 757 | - [Offensive 360](https://offensive360.com/) :copyright: — Commercial Static Code Analysis system doesn't require building the source code or pre-compilation. 758 | - [parasoft](https://www.parasoft.com/) :copyright: — Automated Software Testing Solutions for unit-, API-, and web UI testing. Complies with MISRA, OWASP, and others. 759 | - [pfff](https://github.com/facebookarchive/pfff/wiki/Main) — Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages. 760 | - [PMD](https://pmd.github.io) — A source code analyzer for Java, Salesforce Apex, Javascript, PLSQL, XML, XSL and others. 761 | - [pre-commit](https://pre-commit.com) — A framework for managing and maintaining multi-language pre-commit hooks. 762 | - [Prettier](https://prettier.io) — An opinionated code formatter. 763 | - [Pronto](https://github.com/prontolabs/pronto) — Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more. 764 | - [PT.PM](https://github.com/PositiveTechnologies/PT.PM) :warning: — An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL. 765 | - [PVS-Studio](https://pvs-studio.com) :copyright: — A ([conditionally free](https://pvs-studio.com/en/order/open-source-license) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, MISRA and CERT coding standards. 766 | - [pylama](https://klen.github.io/pylama/) — Code audit tool for Python and JavaScript. Wraps pycodestyle, pydocstyle, PyFlakes, Mccabe, Pylint, and more 767 | - [Refactoring Essentials](https://marketplace.visualstudio.com/items?itemName=SharpDevelopTeam.RefactoringEssentialsforVisualStudio) :warning: — The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers. 768 | - [relint](https://github.com/codingjoe/relint) — A static file linter that allows you to write custom rules using regular expressions (RegEx). 769 | - [ReSharper](https://www.jetbrains.com/resharper) :copyright: — Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies. 770 | - [RIPS](https://www.ripstech.com) :copyright: — A static source code analyser for vulnerabilities in PHP scripts. 771 | - [Rome](https://rome.tools/) — Rome is a linter, compiler, bundler, and [more](https://rome.tools/#development-status) for JavaScript, TypeScript, JSON, HTML, Markdown, and CSS. 772 | - [Roslyn Analyzers](https://github.com/dotnet/roslyn-analyzers) — Roslyn-based implementation of FxCop analyzers. 773 | - [Roslyn Security Guard](https://security-code-scan.github.io) — Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more. 774 | - [Scanmycode CE (Community Edition)](http://www.scanmycode.today) — Scanmycode - Code Scanning/SAST/Linting using many tools/Scanners with One Report 775 | - [Scrutinizer](https://scrutinizer-ci.com) :copyright: — A proprietary code quality checker that can be integrated with GitHub. 776 | - [Security Code Scan](https://security-code-scan.github.io) — Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. 777 | - [Semgrep](https://semgrep.dev) — A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages. 778 | - [ShiftLeft](https://www.shiftleft.io) :copyright: — Identify vulnerabilities that are unique to your code base before they reach production. Leverages the Code Property Graph (CPG) to run its analyses concurrently in a single graph of graphs. Automatically finds business logic flaws in dev like hardcoded secrets and logic bombs 779 | - [ShiftLeft Scan](https://slscan.io) — Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines. 780 | - [shipshape](https://github.com/google/shipshape) :warning: — Static program analysis platform that allows custom analyzers to plug in through a common interface. 781 | - [Sider](https://sider.review) :copyright: — An automated code reviewing tool. Improving developers' productivity. 782 | - [Similarity Tester](https://dickgrune.com/Programs/similarity_tester/) — A tool that finds similarities between or within files to support you encountering DRY principle violations. 783 | - [Snyk](https://snyk.io) :copyright: — Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects). 784 | - [SonarCloud](https://sonarcloud.io) :copyright: — Multi-language cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source. 785 | - [SonarLint for Visual Studio](https://vs.sonarlint.org) — SonarLint is an extension for Visual Studio 2015 and 2017 that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code. 786 | - [SonarQube](http://www.sonarqube.org) — SonarQube is an open platform to manage code quality. 787 | - [Sonatype](https://www.sonatype.com) :copyright: — Reports known vulnerabilities in common dependencies and recommends updated packages to minimize breaking changes 788 | - [Soto Platform](https://www.hello2morrow.com/products/sotograph) :copyright: — Suite of static analysis tools consisting of the three components Sotoarc (Architecture Analysis), Sotograph (Quality Analysis), and Sotoreport (Quality report). Helps find differences between architecture and implementation, interface violations (e.g. external access of private parts of subsystems, detection of all classes, files, packages and subsystems which are strongly coupled by cyclical relationships and more. The Sotograph product family runs on Windows and Linux. 789 | - [SourceMeter](https://www.sourcemeter.com/) :copyright: — Static Code Analysis for C/C++, Java, C#, Python, and RPG III and RPG IV versions (including free-form). 790 | - [sqlvet](https://github.com/houqp/sqlvet) — Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that could potentially lead to SQL injections makes sure column count matches value count in INSERT statements and validates table- and column names. 791 | - [Super-Linter](https://github.com/github/super-linter) — Combination of multiple linters to install as a GitHub Action. 792 | - [Synopsys](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) :copyright: — A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift). 793 | - [Teamscale](https://www.cqse.eu/en/teamscale/overview/) :copyright: — Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available. 794 | - [todocheck](https://github.com/preslavmihaylov/todocheck) — Linter for integrating annotated TODOs with your issue trackers 795 | - [trivy](https://github.com/aquasecurity/trivy) — A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Checks containers and filesystems. 796 | 797 | - [trunk](https://trunk.io) :copyright: — Modern repositories include many technologies, each with its own set of linters. With 30+ linters and counting, Trunk makes it dead-simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos. 798 | - [TscanCode](https://github.com/Tencent/TscanCode) — A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license. 799 | - [Undebt](https://github.com/Yelp/undebt) — Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions. 800 | - [Understand](https://www.scitools.com) :copyright: — Code visualization tool that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada, VHDL, and others. 801 | - [Unibeautify](https://unibeautify.com) — Universal code beautifier with a GitHub app. Supports HTML, CSS, JavaScript, TypeScript, JSX, Vue, C++, Go, Objective-C, Java, Python, PHP, GraphQL, Markdown, and more. 802 | - [Upsource](https://www.jetbrains.com/upsource) :copyright: — Code review tool with static code analysis and code-aware navigation for Java, PHP, JavaScript and Kotlin. 803 | - [Veracode](http://www.veracode.com/products/static-analysis-sast/static-code-analysis) :copyright: — Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more. 804 | - [Viezly](https://viezly.com) :copyright: — Code review tool with dependency diagrams. Improve your team's code reviews with better navigation and code analysis 805 | - [WALA](https://github.com/wala/WALA) — Static analysis capabilities for Java bytecode and related languages and for JavaScript. 806 | - [weggli](https://github.com/googleprojectzero/weggli) — A fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases. 807 | - [WhiteHat Application Security Platform](https://www.whitehatsec.com/platform/static-application-security-testing) :copyright: — WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10. 808 | - [Wotan](https://github.com/fimbullinter/wotan) — Pluggable TypeScript and JavaScript linter. 809 | - [XCode](https://developer.apple.com/xcode) :copyright: — XCode provides a pretty decent UI for [Clang's](http://clang-analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C). 810 | - [🐊Putout](https://github.com/coderaiser/putout) — Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json. 811 | 812 | 813 | ## Other 814 | 815 | 816 | 817 |

Angular

818 | 819 | - [Angular ESLint](https://github.com/angular-eslint/angular-eslint#readme) — Linter for Angular projects 820 | 821 | 822 |

Ansible

823 | 824 | - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible 825 | 826 | 827 |

Azure Resource Manager

828 | 829 | - [AzSK](https://azsk.azurewebsites.net/) — Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM. 830 | 831 | 832 |

Binaries

833 | 834 | - [angr](https://github.com/angr/angr) — Binary code analysis tool that also supports symbolic execution. 835 | - [binbloom](https://github.com/quarkslab/binbloom) — Analyzes a raw binary firmware and determines features like endianness or the loading address. The tool is compatible with all architectures. 836 | Loading address: binbloom can parse a raw binary firmware and determine its loading address. Endianness: binbloom can use heuristics to determine the endianness of a firmware. UDS Database: binbloom can parse a raw binary firmware and check if it contains an array containing UDS command IDs. 837 | - [BinSkim](https://github.com/Microsoft/binskim) — A binary static analysis tool that provides security and correctness results for Windows portable executables. 838 | - [Black Duck](https://www.blackducksoftware.com) :copyright: — Tool to analyze source code and binaries for reusable code, necessary licenses and potential security aspects. 839 | - [bloaty](https://github.com/google/bloaty) — Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F 840 | - [cargo-bloat](https://github.com/RazrFalcon/cargo-bloat) — Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. 841 | - [cwe_checker](https://github.com/fkie-cad/cwe_checker) — cwe_checker finds vulnerable patterns in binary executables. 842 | - [Ghidra](https://ghidra-sre.org) — A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission 843 | - [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware) :copyright: — Binary code analysis tool. 844 | - [Jakstab](https://github.com/jkinder/jakstab) — Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs. 845 | - [JEB Decompiler](https://www.pnfsoftware.com/) :copyright: — Decompile and debug binary code. Break down and analyze document files. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly & Ethereum Decompilers. 846 | - [Manalyze](https://github.com/JusticeRage/Manalyze) — A static analyzer, which checks portable executables for malicious content. 847 | - [mcsema](https://github.com/lifting-bits/mcsema) — Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode. It translates ("lifts") executable binaries from native machine code to LLVM bitcode, which is very useful for performing program analysis methods. 848 | - [Nauz File Detector](https://github.com/horsicq/Nauz-File-Detector) — Static Linker/Compiler/Tool detector for Windows, Linux and MacOS. 849 | - [Twiggy](https://rustwasm.github.io/twiggy) — Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size. 850 | - [VMware chap](https://github.com/vmware/chap) — chap analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed. As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations. 851 | - [zydis](https://zydis.re) — Fast and lightweight x86/x86-64 disassembler library 852 | 853 | 854 |

Build tools

855 | 856 | - [checkmake](https://github.com/mrtazz/checkmake) — Linter / Analyzer for Makefiles. 857 | - [portlint](https://www.freebsd.org/cgi/man.cgi?query=portlint&sektion=1&manpath=FreeBSD+8.1-RELEASE+and+Ports) — A verifier for FreeBSD and DragonFlyBSD port directories. 858 | 859 | 860 |

CSS/SASS/SCSS

861 | 862 | - [CSS Stats](https://cssstats.com) — Potentially interesting stats on stylesheets. 863 | - [CSScomb](https://github.com/csscomb/csscomb.js) — A coding style formatter for CSS. Supports own configurations to make style sheets beautiful and consistent. 864 | - [CSSLint](http://csslint.net) — Does basic syntax checking and finds problematic patterns or signs of inefficiency. 865 | - [GraphMyCSS.com](https://graphmycss.com) — CSS Specificity Graph Generator. 866 | - [Nu Html Checker](https://validator.github.io/validator/) — Helps you catch problems in your HTML/CSS/SVG 867 | - [Parker](https://github.com/katiefenn/parker) :warning: — Stylesheet analysis tool. 868 | - [PostCSS](https://postcss.org) — A tool for transforming styles with JS plugins. These plugins can lint your CSS, support variables and mixins, transpile future CSS syntax, inline images, and more. 869 | - [Project Wallace CSS Analyzer](https://www.projectwallace.com) — Analytics for CSS, part of [Project Wallace](https://www.projectwallace.com). 870 | - [sass-lint](https://github.com/sasstools/sass-lint) :warning: — A Node-only Sass linter for both sass and scss syntax. 871 | - [scsslint](https://github.com/brigade/scss-lint) — Linter for SCSS files. 872 | - [Specificity Graph](https://jonassebastianohlsson.com/specificity-graph) — CSS Specificity Graph Generator. 873 | - [Stylelint](http://stylelint.io) — Linter for SCSS/CSS files. 874 | 875 | 876 |

Config Files

877 | 878 | - [dotenv-linter](https://dotenv-linter.readthedocs.io/en/latest) — Linting dotenv files like a charm. 879 | - [dotenv-linter (Rust)](https://dotenv-linter.github.io/#/) — Lightning-fast linter for .env files. Written in Rust 880 | - [gixy](https://github.com/yandex/gixy) :warning: — A tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection. 881 | 882 | 883 |

Configuration Management

884 | 885 | - [ansible-lint](https://docs.ansible.com/ansible-lint) — Checks playbooks for practices and behaviour that could potentially be improved. 886 | - [AWS CloudFormation Guard](https://github.com/aws-cloudformation/cloudformation-guard) — Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates. 887 | - [AzSK](https://azsk.azurewebsites.net/) — Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM. 888 | - [cfn-lint](https://github.com/awslabs/cfn-python-lint) — AWS Labs CloudFormation linter. 889 | - [cfn_nag](https://github.com/stelligent/cfn_nag) — A linter for AWS CloudFormation templates. 890 | - [chart-testing](https://github.com/helm/chart-testing) — ct is the the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch. 891 | - [checkov](https://www.checkov.io) — Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time. 892 | - [clusterlint](https://github.com/digitalocean/clusterlint) — Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations. 893 | - [cookstyle](https://docs.chef.io/cookstyle.html) — Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks. 894 | - [Datree](https://datree.io/) — A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies 895 | - [foodcritic](http://www.foodcritic.io) — A lint tool that checks Chef cookbooks for common problems. 896 | - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible 897 | - [kube-lint](https://github.com/viglesiasce/kube-lint) — A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them. 898 | - [kube-linter](https://github.com/stackrox/kube-linter) — KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. 899 | - [kubeval](https://kubeval.instrumenta.dev) — Validates your Kubernetes configuration files and supports multiple Kubernetes versions. 900 | - [metadata-json-lint](https://github.com/voxpupuli/metadata-json-lint) — Tool to check the validity of Puppet metadata.json files. 901 | - [Puppet Lint](https://github.com/rodjek/puppet-lint) — Check that your Puppet manifests conform to the style guide. 902 | - [terraform-compliance](https://terraform-compliance.com) — A lightweight, compliance- and security focused, BDD test framework against Terraform. 903 | - [terrascan](https://github.com/cesar-rodriguez/terrascan) — Collection of security and best practice tests for static code analysis of Terraform templates. 904 | - [tflint](https://github.com/wata727/tflint) — A Terraform linter for detecting errors that can not be detected by `terraform plan`. 905 | - [tfsec](https://github.com/tfsec/tfsec) — Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations. 906 | 907 | 908 |

Containers

909 | 910 | - [anchore](https://anchore.io) — Discover, analyze, and certify container images. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification 911 | - [chart-testing](https://github.com/helm/chart-testing) — ct is the the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch. 912 | - [clair](https://github.com/coreos/clair) — Vulnerability Static Analysis for Containers. 913 | - [clusterlint](https://github.com/digitalocean/clusterlint) — Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations. 914 | - [collector](https://github.com/banyanops/collector) :warning: — Run arbitrary scripts inside containers, and gather useful information. 915 | - [dagda](https://github.com/eliasgranderubio/dagda) — Perform static analysis of known vulnerabilities in docker images/containers. 916 | - [Datree](https://datree.io/) — A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies 917 | - [Docker Label Inspector](https://github.com/garethr/docker-label-inspector) :warning: — Lint and validate Dockerfile labels. 918 | - [Haskell Dockerfile Linter](https://github.com/lukasmartinelli/hadolint) — A smarter Dockerfile linter that helps you build best practice Docker images. 919 | - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible 920 | - [kube-lint](https://github.com/viglesiasce/kube-lint) — A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them. 921 | - [kube-linter](https://github.com/stackrox/kube-linter) — KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. 922 | - [kube-score](https://kube-score.com) — Static code analysis of your Kubernetes object definitions. 923 | - [KubeLinter](https://github.com/stackrox/kube-linter) — KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. 924 | - [kubeval](https://kubeval.instrumenta.dev) — Validates your Kubernetes configuration files and supports multiple Kubernetes versions. 925 | - [OpenSCAP](https://www.open-scap.org/) — Suite of automated audit tools to examine the configuration and known vulnerabilities following the NIST-certified Security Content Automation Protocol (SCAP). 926 | - [Qualys Container Security](https://www.qualys.com/apps/container-security) :copyright: — Container native application protection to provide visibility and control of containerized applications. 927 | - [sysdig](https://sysdig.com/) :copyright: — A secure DevOps platform for cloud and container forensics. Built on an open source stack, Sysdig provides Docker image scanning and created Falco, the open standard for runtime threat detection for containers, Kubernetes and cloud. 928 | - [Vuls](https://vuls.io/) — Agent-less Linux vulnerability scanner based on information from NVD, OVAL, etc. It has some container image support, although is not a container specific tool. 929 | 930 | 931 |

Continuous Integration

932 | 933 | - [actionlint](https://rhysd.github.io/actionlint) — Static checker for GitHub Actions workflow files. Provides an online version. 934 | - [AzSK](https://azsk.azurewebsites.net/) — Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM. 935 | - [Code Climate](https://codeclimate.com) — The open and extensible static analysis platform, for everyone. 936 | - [exakat](https://www.exakat.io) — An automated code reviewing engine for PHP. 937 | - [Nitpick CI](https://nitpick-ci.com) :copyright: — Automated PHP code review. 938 | - [PullRequest](https://www.pullrequest.com) :copyright: — Code review as a service with built-in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation. 939 | - [quality](https://github.com/apiology/quality) :warning: — Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. 940 | - [QuantifiedCode](https://github.com/quantifiedcode/quantifiedcode) :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. 941 | - [Reviewdog](https://github.com/haya14busa/reviewdog) — A tool for posting review comments from any linter in any code hosting service. 942 | - [Symfony Insight](https://insight.symfony.com/) :copyright: — Detect security risks, find bugs and provide actionable metrics for PHP projects. 943 | - [Violations Lib](https://github.com/tomasbjerre/violations-lib) — Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins. 944 | 945 | 946 |

Deno

947 | 948 | - [deno_lint](https://github.com/denoland/deno_lint) — Official linter for Deno. 949 | 950 | 951 |

Embedded

952 | 953 | - [oelint-adv](https://github.com/priv-kweihmann/oelint-adv) — Linter for bitbake recipes used in open-embedded and YOCTO 954 | 955 | 956 |

Embedded Ruby (a.k.a. ERB, eRuby)

957 | 958 | - [ERB Lint](https://github.com/Shopify/erb-lint) — Lint your ERB or HTML files 959 | 960 | 961 |

Gherkin

962 | 963 | - [gherkin-lint](https://github.com/vsiakka/gherkin-lint) — A linter for the Gherkin-Syntax written in Javascript. 964 | 965 | 966 |

HTML

967 | 968 | - [Angular ESLint](https://github.com/angular-eslint/angular-eslint#readme) — Linter for Angular projects 969 | - [Bootlint](https://github.com/twbs/bootlint) — An HTML linter for Bootstrap projects. 970 | - [ERB Lint](https://github.com/Shopify/erb-lint) — Lint your ERB or HTML files 971 | - [grunt-bootlint](https://github.com/twbs/grunt-bootlint) — A Grunt wrapper for [Bootlint](https://github.com/twbs/bootlint), the HTML linter for Bootstrap projects. 972 | - [gulp-bootlint](https://github.com/tschortsch/gulp-bootlint) — A gulp wrapper for [Bootlint](https://github.com/twbs/bootlint), the HTML linter for Bootstrap projects. 973 | - [HTML Inspector](https://github.com/philipwalton/html-inspector) :warning: — HTML Inspector is a code quality tool to help you and your team write better markup. 974 | - [HTML Tidy](http://www.html-tidy.org) — Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards. 975 | - [HTML-Validate](https://html-validate.org/) — Offline HTML5 validator. 976 | - [HTMLHint](https://htmlhint.com) — A Static Code Analysis Tool for HTML. 977 | - [Nu Html Checker](https://validator.github.io/validator/) — Helps you catch problems in your HTML/CSS/SVG 978 | - [Polymer-analyzer](https://github.com/Polymer/tools/tree/master/packages/analyzer) — A static analysis framework for Web Components. 979 | 980 | 981 |

JSON

982 | 983 | - [Spectral](https://stoplight.io/open-source/spectral) — A flexible JSON/YAML linter, without of the box support for OpenAPI v2/v3 and AsyncAPI v2. 984 | 985 | 986 |

Kubernetes

987 | 988 | - [chart-testing](https://github.com/helm/chart-testing) — ct is the the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch. 989 | - [clusterlint](https://github.com/digitalocean/clusterlint) — Clusterlint queries live Kubernetes clusters for resources, executes common and platform specific checks against these resources and provides actionable feedback to cluster operators. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations. 990 | - [Datree](https://datree.io/) — A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies 991 | - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible 992 | - [kube-lint](https://github.com/viglesiasce/kube-lint) — A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them. 993 | - [kube-linter](https://github.com/stackrox/kube-linter) — KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. 994 | - [kubeval](https://kubeval.instrumenta.dev) — Validates your Kubernetes configuration files and supports multiple Kubernetes versions. 995 | 996 | 997 |

LaTeX

998 | 999 | - [ChkTeX](http://www.nongnu.org/chktex) — A linter for LaTex which catches some typographic errors LaTeX oversees. 1000 | - [lacheck](https://www.ctan.org/pkg/lacheck) — A tool for finding common mistakes in LaTeX documents. 1001 | - [TeXLab](https://texlab.netlify.app) — A Language Server Protocol implementation for TeX/LaTeX, including lint capabilities. 1002 | 1003 | 1004 |

Laravel

1005 | 1006 | - [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. 1007 | 1008 | 1009 |

Makefiles

1010 | 1011 | - [checkmake](https://github.com/mrtazz/checkmake) — Linter / Analyzer for Makefiles. 1012 | - [portlint](https://www.freebsd.org/cgi/man.cgi?query=portlint&sektion=1&manpath=FreeBSD+8.1-RELEASE+and+Ports) — A verifier for FreeBSD and DragonFlyBSD port directories. 1013 | 1014 | 1015 |

Markdown

1016 | 1017 | - [markdownlint](https://github.com/DavidAnson/markdownlint) — Node.js -based style checker and lint tool for Markdown/CommonMark files. 1018 | - [mdformat](https://mdformat.rtfd.io) — CommonMark compliant Markdown formatter 1019 | - [mdl](https://github.com/mivok/markdownlint) — A tool to check Markdown files and flag style issues. 1020 | - [remark-lint](https://remark.js.org) — Pluggable Markdown code style linter written in JavaScript. 1021 | 1022 | 1023 |

Metalinter

1024 | 1025 | - [ciocheck](https://github.com/ContinuumIO/ciocheck) :warning: — Linter, formatter and test suite helper. As a linter, it is a wrapper around `pep8`, `pydocstyle`, `flake8`, and `pylint`. 1026 | - [flake8](https://github.com/PyCQA/flake8) — A wrapper around `pyflakes`, `pycodestyle` and `mccabe`. 1027 | - [Go Meta Linter](https://github.com/alecthomas/gometalinter) :warning: — Concurrently run Go lint tools and normalise their output. Use `golangci-lint` for new projects. 1028 | - [goreporter](https://github.com/360EntSecGroup-Skylar/goreporter) — Concurrently runs many linters and normalises their output to a report. 1029 | - [multilint](https://github.com/adamchainz/multilint) :warning: — A wrapper around `flake8`, `isort` and `modernize`. 1030 | - [prospector](https://github.com/PyCQA/prospector) — A wrapper around `pylint`, `pep8`, `mccabe` and others. 1031 | 1032 | 1033 |

Mobile

1034 | 1035 | - [Android Lint](http://tools.android.com/tips/lint) — Run static analysis on Android projects. 1036 | - [android-lint-summary](https://passy.github.io/android-lint-summary) :warning: — Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once. 1037 | - [FlowDroid](https://github.com/secure-software-engineering/FlowDroid) — Static taint analysis tool for Android applications. 1038 | - [iblessing](https://www.kitploit.com/2020/08/iblessing-ios-security-exploiting.html) — iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. 1039 | - [Oversecured](https://oversecured.com) :copyright: — Enterprise vulnerability scanner for Android and iOS apps. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process. 1040 | - [paprika](https://github.com/GeoffreyHecht/paprika) :warning: — A toolkit to detect some code smells in analyzed Android applications. 1041 | - [qark](https://github.com/linkedin/qark) :warning: — Tool to look for several security related Android application vulnerabilities. 1042 | - [redex](https://fbredex.com) — Redex provides a framework for reading, writing, and analyzing .dex files, and a set of optimization passes that use this framework to improve the bytecode. An APK optimized by Redex should be smaller and faster. 1043 | 1044 | 1045 |

Nix

1046 | 1047 | - [deadnix](https://github.com/astro/deadnix) — Scan Nix files for dead code (unused variable bindings) 1048 | 1049 | 1050 |

Node.js

1051 | 1052 | - [lockfile-lint](https://github.com/lirantal/lockfile-lint) — Lint an npm or yarn lockfile to analyze and detect security issues 1053 | - [njsscan](https://opensecurity.in) — A static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep. 1054 | - [NodeJSScan](https://opensecurity.in) — A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status. 1055 | - [standard](http://standardjs.com) — An npm module that checks for Javascript Styleguide issues. 1056 | 1057 | 1058 |

Packages

1059 | 1060 | - [lintian](https://lintian.debian.org) — Static analysis tool for Debian packages. 1061 | - [rpmlint](https://github.com/rpm-software-management/rpmlint) — Tool for checking common errors in rpm packages. 1062 | 1063 | 1064 |

Protocol Buffers

1065 | 1066 | - [buf](https://buf.build) — Provides a CLI linter that enforces good API design choices and structure 1067 | - [protolint](https://github.com/yoheimuta/protolint) — Pluggable linter and fixer to enforce Protocol Buffer style and conventions. 1068 | 1069 | 1070 |

Puppet

1071 | 1072 | - [metadata-json-lint](https://github.com/voxpupuli/metadata-json-lint) — Tool to check the validity of Puppet metadata.json files. 1073 | 1074 | 1075 |

Rails

1076 | 1077 | - [dawnscanner](https://github.com/thesp0nge/dawnscanner) — A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks. 1078 | 1079 | 1080 |

Security/SAST

1081 | 1082 | - [AzSK](https://azsk.azurewebsites.net/) — Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM. 1083 | - [brakeman](https://brakemanscanner.org) — A static analysis security vulnerability scanner for Ruby on Rails applications. 1084 | - [Datree](https://datree.io/) — A CLI tool to prevent Kubernetes misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies 1085 | - [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. 1086 | - [Gitleaks](https://github.com/zricethezav/gitleaks) — A SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. 1087 | - [gokart](https://github.com/praetorian-inc/gokart) — Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe. 1088 | - [iblessing](https://www.kitploit.com/2020/08/iblessing-ios-security-exploiting.html) — iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. 1089 | - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible 1090 | - [lockfile-lint](https://github.com/lirantal/lockfile-lint) — Lint an npm or yarn lockfile to analyze and detect security issues 1091 | - [njsscan](https://opensecurity.in) — A static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep. 1092 | - [NodeJSScan](https://opensecurity.in) — A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status. 1093 | - [Oversecured](https://oversecured.com) :copyright: — Enterprise vulnerability scanner for Android and iOS apps. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process. 1094 | - [PT Application Inspector](https://www.ptsecurity.com) :copyright: — Identifies code flaws and detects vulnerabilities to prevent web attacks. Demonstrates remote code execution by presenting possible exploits. 1095 | - [Qualys Container Security](https://www.qualys.com/apps/container-security) :copyright: — Container native application protection to provide visibility and control of containerized applications. 1096 | - [QuantifiedCode](https://github.com/quantifiedcode/quantifiedcode) :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. 1097 | - [Reshift](https://www.reshiftsecurity.com) :copyright: — A source code analysis tool for detecting and managing Java security vulnerabilities. 1098 | - [scorecard](https://github.com/ossf/scorecard) — Security Scorecards - Security health metrics for Open Source 1099 | - [SearchDiggity](https://resources.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/) :copyright: — Identifies vulnerabilities in open source code projects hosted on Github, Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, etc. 1100 | - [Symfony Insight](https://insight.symfony.com/) :copyright: — Detect security risks, find bugs and provide actionable metrics for PHP projects. 1101 | - [tfsec](https://github.com/tfsec/tfsec) — Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations. 1102 | - [Tsunami Security Scanner](https://github.com/google/tsunami-security-scanner) — A general purpose network security scanner with an extensible plugin system for detecting high severity RCE-like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities (e.g. open APIs) can be added. 1103 | 1104 | 1105 |

Smart Contracts

1106 | 1107 | - [mythril](https://github.com/ConsenSys/mythril) — A symbolic execution framework with batteries included, can be used to find and exploit vulnerabilities in smart contracts automatically. 1108 | - [MythX](https://mythx.io) :copyright: — MythX is an easy to use analysis platform which integrates several analysis methods like fuzzing, symbolic execution and static analysis to find vulnerabilities with high precision. It can be integrated with toolchains like Remix or VSCode or called from the command-line. 1109 | - [slither](https://github.com/trailofbits/slither) — Static analysis framework that runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. 1110 | - [solhint](https://protofire.github.io/solhint) — Solhint is an open source project created by https://protofire.io. Its goal is to provide a linting utility for Solidity code. 1111 | - [solium](https://ethlint.readthedocs.io/en/latest) — Solium is a linter to identify and fix style and security issues in Solidity smart contracts. 1112 | 1113 | 1114 |

Support

1115 | 1116 | - [LibVCS4j](https://github.com/uni-bremen-agst/libvcs4j) — A Java library that allows existing tools to analyse the evolution of software systems by providing a common API for different version control systems and issue trackers. 1117 | - [Violations Lib](https://github.com/tomasbjerre/violations-lib) — Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins. 1118 | 1119 | 1120 |

Template-Languages

1121 | 1122 | - [ember-template-lint](https://github.com/ember-template-lint/ember-template-lint) — Linter for Ember or Handlebars templates. 1123 | - [haml-lint](https://github.com/sds/haml-lint) — Tool for writing clean and consistent HAML. 1124 | - [slim-lint](https://github.com/sds/slim-lint) — Configurable tool for analyzing Slim templates. 1125 | - [yamllint](https://yamllint.readthedocs.io) — Checks YAML files for syntax validity, key repetition and cosmetic problems such as lines length, trailing spaces, and indentation. 1126 | 1127 | 1128 |

Terraform

1129 | 1130 | - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible 1131 | - [shisho](https://docs.shisho.dev/) — A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code. 1132 | 1133 | 1134 |

Translation

1135 | 1136 | - [dennis](https://github.com/willkg/dennis) :warning: — A set of utilities for working with PO files to ease development and improve quality. 1137 | 1138 | 1139 |

Vue.js

1140 | 1141 | - [HTML-Validate](https://html-validate.org/) — Offline HTML5 validator. 1142 | - [Vetur](https://marketplace.visualstudio.com/items?itemName=octref.vetur) — Vue tooling for VS Code, powered by vls (vue language server). Vetur has support for formatting embedded HTML, CSS, SCSS, JS, TypeScript, and more. Vetur only has a "whole document formatter" and cannot format arbitrary ranges. 1143 | 1144 | 1145 |

Webassembly

1146 | 1147 | - [Twiggy](https://rustwasm.github.io/twiggy) — Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size. 1148 | 1149 | 1150 |

Writing

1151 | 1152 | - [After the Deadline](https://open.afterthedeadline.com) :warning: — Spell, style and grammar checker. 1153 | - [alex](https://alexjs.com) — Catch insensitive, inconsiderate writing 1154 | - [codespell](https://github.com/codespell-project/codespell) — Check code for common misspellings. 1155 | - [languagetool](https://languagetool.org) — Style and grammar checker for 25+ languages. It finds many errors that a simple spell checker cannot detect. 1156 | - [misspell-fixer](https://github.com/vlajos/misspell-fixer) — Quick tool for fixing common misspellings, typos in source code. 1157 | - [Misspelled Words In Context](https://jwilk.net/software/mwic) — A spell-checker that groups possible misspellings and shows them in their contexts. 1158 | - [proselint](http://proselint.com) — A linter for English prose with a focus on writing style instead of grammar. 1159 | - [vale](https://docs.errata.ai/vale/about) — A syntax-aware linter for prose built with speed and extensibility in mind. 1160 | - [write-good](https://github.com/btford/write-good) — A linter with a focus on eliminating "weasel words". 1161 | 1162 | 1163 |

YAML

1164 | 1165 | - [Spectral](https://stoplight.io/open-source/spectral) — A flexible JSON/YAML linter, without of the box support for OpenAPI v2/v3 and AsyncAPI v2. 1166 | - [yamllint](https://yamllint.readthedocs.io) — Checks YAML files for syntax validity, key repetition and cosmetic problems such as lines length, trailing spaces, and indentation. 1167 | 1168 | 1169 |

git

1170 | 1171 | - [commitlint](https://commitlint.js.org) — checks if your commit messages meet the conventional commit format 1172 | 1173 | 1174 | ## `More Collections` 1175 | 1176 | - [Clean code linters](https://github.com/collections/clean-code-linters) — A collection of linters in github collections 1177 | - [Code Quality Checker Tools For PHP Projects](https://github.com/collections/code-quality-in-php) — A collection of PHP linters in github collections 1178 | - [go-tools](https://github.com/dominikh/go-tools) — A collection of tools and libraries for working with Go code, including linters and static analysis 1179 | - [linters](https://github.com/mcandre/linters) — An introduction to static code analysis 1180 | - [OWASP Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) — List of tools maintained by the Open Web Application Security Project 1181 | - [php-static-analysis-tools](https://github.com/exakat/php-static-analysis-tools) — A reviewed list of useful PHP static analysis tools 1182 | - [Wikipedia](http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis) — A list of tools for static code analysis. 1183 | 1184 | **[`^ back to top ^`](#)** 1185 | 1186 | ## `License` 1187 | MIT License & [cc](https://creativecommons.org/licenses/by/4.0/) license 1188 | 1189 | Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License. 1190 | 1191 | To the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work. 1192 | -------------------------------------------------------------------------------- /code-of-conduct.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | We as members, contributors, and leaders pledge to make participation in 6 | ansible-security-hardening project and our community a harassment-free 7 | experience for everyone, regardless of age, body size, visible or invisible 8 | disability, ethnicity, sex characteristics, gender identity and expression, 9 | level of experience, education, socio-economic status, nationality, personal 10 | appearance, race, religion, or sexual identity and orientation. 11 | 12 | We pledge to act and interact in ways that contribute to an open, welcoming, 13 | diverse, inclusive, and healthy community. 14 | 15 | ## Our Standards 16 | 17 | Examples of behavior that contributes to a positive environment for our 18 | community include: 19 | 20 | * Demonstrating empathy and kindness toward other people 21 | * Being respectful of differing opinions, viewpoints, and experiences 22 | * Giving and gracefully accepting constructive feedback 23 | * Accepting responsibility and apologizing to those affected by our mistakes, 24 | and learning from the experience 25 | * Focusing on what is best not just for us as individuals, but for the 26 | overall community 27 | 28 | Examples of unacceptable behavior include: 29 | 30 | * The use of sexualized language or imagery, and sexual attention or 31 | advances of any kind 32 | * Trolling, insulting or derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or email 35 | address, without their explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Enforcement Responsibilities 40 | 41 | Community leaders are responsible for clarifying and enforcing our standards of 42 | acceptable behavior and will take appropriate and fair corrective action in 43 | response to any behavior that they deem inappropriate, threatening, offensive, 44 | or harmful. 45 | 46 | Community leaders have the right and responsibility to remove, edit, or reject 47 | comments, commits, code, wiki edits, issues, and other contributions that are 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation 49 | decisions when appropriate. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all community spaces, and also applies when 54 | an individual is officially representing the community in public spaces. 55 | Examples of representing our community include using an official e-mail address, 56 | posting via an official social media account, or acting as an appointed 57 | representative at an online or offline event. 58 | 59 | ## Enforcement 60 | 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 62 | reported to the community leaders responsible for enforcement at info@paulveillard.com. 63 | All complaints will be reviewed and investigated promptly and fairly. 64 | 65 | All community leaders are obligated to respect the privacy and security of the 66 | reporter of any incident. 67 | 68 | ## Enforcement Guidelines 69 | 70 | Community leaders will follow these Community Impact Guidelines in determining 71 | the consequences for any action they deem in violation of this Code of Conduct: 72 | 73 | ### 1. Correction 74 | 75 | **Community Impact**: Use of inappropriate language or other behavior deemed 76 | unprofessional or unwelcome in the community. 77 | 78 | **Consequence**: A private, written warning from community leaders, providing 79 | clarity around the nature of the violation and an explanation of why the 80 | behavior was inappropriate. A public apology may be requested. 81 | 82 | ### 2. Warning 83 | 84 | **Community Impact**: A violation through a single incident or series 85 | of actions. 86 | 87 | **Consequence**: A warning with consequences for continued behavior. No 88 | interaction with the people involved, including unsolicited interaction with 89 | those enforcing the Code of Conduct, for a specified period of time. This 90 | includes avoiding interactions in community spaces as well as external channels 91 | like social media. Violating these terms may lead to a temporary or 92 | permanent ban. 93 | 94 | ### 3. Temporary Ban 95 | 96 | **Community Impact**: A serious violation of community standards, including 97 | sustained inappropriate behavior. 98 | 99 | **Consequence**: A temporary ban from any sort of interaction or public 100 | communication with the community for a specified period of time. No public or 101 | private interaction with the people involved, including unsolicited interaction 102 | with those enforcing the Code of Conduct, is allowed during this period. 103 | Violating these terms may lead to a permanent ban. 104 | 105 | ### 4. Permanent Ban 106 | 107 | **Community Impact**: Demonstrating a pattern of violation of community 108 | standards, including sustained inappropriate behavior, harassment of an 109 | individual, or aggression toward or disparagement of classes of individuals. 110 | 111 | **Consequence**: A permanent ban from any sort of public interaction within 112 | the community. 113 | 114 | ## Attribution 115 | 116 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 117 | version 2.0, available at 118 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 119 | 120 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 121 | enforcement ladder](https://github.com/mozilla/diversity). 122 | 123 | [homepage]: https://www.contributor-covenant.org 124 | 125 | For answers to common questions about this code of conduct, see the FAQ at 126 | https://www.contributor-covenant.org/faq. Translations are available at 127 | https://www.contributor-covenant.org/translations. 128 | -------------------------------------------------------------------------------- /dast-vs-sast.md: -------------------------------------------------------------------------------- 1 | # Static and Dynamic Analysis Explained 2 | 3 | ![static-dynamic](https://github.com/paulveillard/cybersecurity-static-analysis/blob/main/img/dast_sast.jpg) 4 | 5 | ## Dynamic Code Analysis: A Primer 6 | 7 | The development of a fully optimized and secure application or software requires a wide array of testing tools and analyzers to verify the quality of the application and to make sure that it is running as expected. There are several testing methodologies for analyzing an application’s performance and security – such as static code analysis, dynamic code analysis, or a combination of both. These methodologies are used during source code review for organizations’ applications or software. 8 | 9 | In the current COVID-19 pandemic, we’ve seen a lot of businesses struggle with security and application functionality in production. For example, a Zoom outage showcased how a poorly developed or untested application can bring down a company’s reputation and raise questions about users’ data security and privacy. 10 | 11 | To address these issues, organizations need to understand what dynamic code analysis is, the advantages of using this method and how it is different from static code analysis. 12 | 13 | ### What is Dynamic Code Analysis? 14 | Dynamic code analysis is the process of analyzing an application or software during execution. It is the practice of analyzing the source code for reliability, quality and security while the application or software is running. 15 | 16 | Performing dynamic code analysis for an application helps developers and testers find issues related to the application’s integration with database servers, application servers and web services. It also provides an analysis of how the application interacts with these services. 17 | 18 | The primary goal is to find bugs and vulnerabilities present in the application or software so they can be debugged. Dynamic code analysis also helps find other issues such as problems related to authentication, session management, framework configuration, runtime privileges, protocol parser and more. It is most effective when the application being tested is executed with sufficient test inputs to achieve all possible outputs. 19 | 20 | ### How it Differs from Static Code Analysis 21 | - The main difference is that static code analysis looks at the source code of the application for hidden flaws and bugs. 22 | 23 | Analyzing the source code helps to identify the security flaws and defects that can compromise the safety of your application. Static code analysis does not give a holistic view of the application, though, as it provides very little or no understanding of developer intent. 24 | 25 | Detection of memory leaks, null pointer dereferencing and concurrency-related issues are difficult to identify through static analysis. To detect such errors, dynamic analysis must be performed. 26 | 27 | Dynamic code analysis, as mentioned, debugs an application or software during execution. Since it deals with real input data, this method enables you to discover issues with interfaces, sessions, requests, responses, authentication and more, as it is happening. 28 | 29 | Another difference between the two methods is that, in static code analysis, the tester has access to the application’s architecture, source code, and libraries used before they perform the analysis; it’s a white-box security test. On the other hand, dynamic code analysis is a black-box type – the tester has no prior information about the application, and all testing is performed during execution. 30 | 31 | ### Every Application Needs Dynamic Code Analysis 32 | This form of code analysis is essential, as it tests the code in real-life scenarios. Unexpected errors caused by interaction with multiple application functions are hard, or even impossible to find using static analysis. These errors only become obvious during the integration of various components or interaction with the whole system on deployment. Therefore, a dynamic analysis should be performed once the software is functionally complete. Additionally, doing dynamic analysis will: 33 | 34 | - Allow testers to perform application analysis without having access to the actual code. 35 | - Reveal errors that can crash the program. 36 | - Help testers ensure that the product/software works well. 37 | - Help quality enhancement by taking into consideration any drawbacks. 38 | - Require less expertise to perform; therefore, it is less expensive than static code analysis. Static code analysis requires an expert in the language in which the application has been developed. 39 | 40 | 41 | ### How to DIY Dynamic Code Analysis 42 | Dynamic code analysis can be customized depending upon the application being tested. But here are a few generalized steps that go into a dynamic code analysis: 43 | 44 | - 1) Identifying the scope of application: The first step is to define the scope of the application that needs to be tested. For example, if the application is a web app, then its scope should include all the URLs on which the testing is required. 45 | - 2) Fuzz the input fields: The second step is to fuzz the input fields and look for any anomalous behavior in the application’s functionality. For example, check if the web app requires login with valid credentials to access some of its features. Then, the tester must try anything that doesn’t make sense in the context of the application’s behavior. This will help to find security flaws like broken authentication. 46 | - 3) Find anomalies: The third step is to look for what is causing performance or functionality anomalies. Search and closely analyze the output for each input to single out the improper behavior of the application. 47 | - 4) Try to breach more security areas: Once you’ve found an anomaly, the fourth step is to try to target the same parameter, input or functionality to gauge access and impact from that flaw. For example, if there exists an authentication bypass in the application, then check to see if it leads to increasing the privileges of users. 48 | - 5) Repeat steps 2 and 4 for another input in the scope of application. 49 | You can also use open source tools to conduct dynamic code analysis for your application, based on the programming language in which the application/software is built: 50 | 51 | - 1. .NET 52 | Microsoft IntelliTest 53 | Pex and Moles 54 | 55 | - 2. Java 56 | Java PathFinder 57 | 58 | - 3. C & C++ 59 | CHAP 60 | KLEE 61 | 62 | LLVM/Clang Sanitizers: 63 | 64 | AddressSanitizer 65 | MemorySanitizer 66 | ThreadSanitizer 67 | - 4. JavaScript 68 | Iroh.js 69 | Jalangi2 70 | 71 | - 5. Python 72 | CrossHair 73 | Icontract 74 | Scalene 75 | typo 76 | 77 | - 6. Rust 78 | MIRI 79 | puffin 80 | stuck 81 | 82 | Static and dynamic code analysis are both an essential part of an application’s audit, whether for web, mobile – any type of application can benefit. Both these methodologies can provide a comprehensive view of the performance and security of your application. Dynamic code analysis can help ensure the security of your application by uncovering vulnerabilities that can be exploited by bad actors if not patched. Static code analysis can scan your application for bugs. Both of these complement each other and, together, can protect your applications and software from cyberattacks. 83 | -------------------------------------------------------------------------------- /img/Application-Security-Testing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paulveillard/cybersecurity-static-analysis/e11c6793944c2728c52b0cb21a074f994ed463d9/img/Application-Security-Testing.png -------------------------------------------------------------------------------- /img/dast-pipelines.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paulveillard/cybersecurity-static-analysis/e11c6793944c2728c52b0cb21a074f994ed463d9/img/dast-pipelines.png -------------------------------------------------------------------------------- /img/dast_sast.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paulveillard/cybersecurity-static-analysis/e11c6793944c2728c52b0cb21a074f994ed463d9/img/dast_sast.jpg -------------------------------------------------------------------------------- /img/static-analysis.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paulveillard/cybersecurity-static-analysis/e11c6793944c2728c52b0cb21a074f994ed463d9/img/static-analysis.webp -------------------------------------------------------------------------------- /img/static-code-analysis.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paulveillard/cybersecurity-static-analysis/e11c6793944c2728c52b0cb21a074f994ed463d9/img/static-code-analysis.jpg -------------------------------------------------------------------------------- /img/static.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paulveillard/cybersecurity-static-analysis/e11c6793944c2728c52b0cb21a074f994ed463d9/img/static.png --------------------------------------------------------------------------------