Static Analysis & Code Quality

repo: analysis-tools-dev/static-analysis
category: Computer Science


This repository lists static analysis tools for all programming languages, build tools, config files and more. The focus is on tools which improve code quality such as linters and formatters. The official website, analysis-tools.dev, is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.

Sponsors

This project would not be possible without the generous support of our sponsors.

  • Pixee: https://www.pixee.ai/
  • CodeRabbit: https://coderabbit.ai
  • Semgrep: https://semgrep.dev/
  • Offensive360: https://offensive360.com/

If you also want to support this project, head over to our GitHub sponsors page.

Meaning of Symbols:

  • :copyright: stands for proprietary software. All other tools are Open Source.
  • :information_source: indicates that the community no longer recommends using this tool for new projects. The icon links to the discussion issue.
  • :warning: means that this tool was not updated for more than 1 year, or the repo was archived.

Pull requests are very welcome!
Also check out the sister project, awesome-dynamic-analysis.


Programming Languages

<a name="abap" /> <h2>ABAP</h2>

  • abaplint — Linter for ABAP, written in TypeScript.

  • abapOpenChecks — Enhances the SAP Code Inspector with new and customizable checks.

<a name="ada" /> <h2>Ada</h2>

  • Polyspace for Ada :copyright: — Provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.

  • SPARK :copyright: — Static analysis and formal verification toolset for Ada.

<a name="asm" /> <h2>Assembly</h2>

  • STOKE :warning: — A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.

<a name="awk" /> <h2>Awk</h2>

  • gawk --lint — Warns about constructs that are dubious or nonportable to other awk implementations.

<a name="c" /> <h2>C</h2>

  • Astrée :copyright: — Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.

  • CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.

  • clang-tidy — Clang-based C++ linter tool with the (limited) ability to fix issues, too.

  • clazy — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.

  • CMetrics — Measures size and complexity for C files.

  • CPAchecker — A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.

  • cppcheck — Static analysis of C/C++ code.

  • CppDepend :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.

  • cpplint — Automated C++ checker that follows Google's style guide.

  • cqmetrics — Quality metrics for C code.

  • CScout — Complexity and quality metrics for C and C preprocessor code.

  • ENRE-cpp :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is an ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)

  • ESBMC — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.

  • flawfinder :warning: — Finds possible security weaknesses.

  • flint++ :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.

  • Frama-C — A sound and extensible static analyzer for C code.

  • GCC — The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13).

  • Goblint — A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.

  • Helix QAC :copyright: — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.

  • IKOS — A sound static analyzer for C/C++ code based on LLVM.

  • KLEE — A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.

  • LDRA :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.

  • MATE :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.

  • PC-lint :copyright: — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.

  • Phasar — An LLVM-based static analysis framework which comes with a taint and type state analysis.

  • Polyspace Bug Finder :copyright: — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.

  • Polyspace Code Prover :copyright: — Provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.

  • scan-build — Frontend to drive the Clang Static Analyzer built into Clang via a regular build.

  • splint — Annotation-assisted static program checker.

  • SVF — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.

  • TrustInSoft Analyzer :copyright: — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.

  • vera++ :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

<a name="csharp" /> <h2>C#</h2>

  • .NET Analyzers — An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.

  • ArchUnitNET — A C# architecture test library to specify and assert architecture rules in C# for automated testing.

  • code-cracker — An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.

  • CSharpEssentials :warning: — C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.

  • Designite :copyright: — Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.

  • Gendarme — Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).

  • Infer# :warning: — InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks.

  • Meziantou.Analyzer — A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.

  • NDepend :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.

  • Puma Scan — Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.

  • Roslynator — A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.

  • SonarAnalyzer.CSharp — These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.

  • VSDiagnostics :warning: — A collection of static analyzers based on Roslyn that integrates with VS.

  • Wintellect.Analyzers — .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.

<a name="cpp" /> <h2>C++</h2>

  • Astrée :copyright: — Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.

  • CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.

  • clang-tidy — Clang-based C++ linter tool with the (limited) ability to fix issues, too.

  • clazy — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.

  • CMetrics — Measures size and complexity for C files.

  • cppcheck — Static analysis of C/C++ code.

  • CppDepend :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.

  • cpplint — Automated C++ checker that follows Google's style guide.

  • cqmetrics — Quality metrics for C code.

  • CScout — Complexity and quality metrics for C and C preprocessor code.

  • ENRE-cpp :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is an ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)

  • ESBMC — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.

  • flawfinder :warning: — Finds possible security weaknesses.

  • flint++ :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.

  • GCC — The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13).

  • Helix QAC :copyright: — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.

  • IKOS — A sound static analyzer for C/C++ code based on LLVM.

  • KLEE — A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.

  • LDRA :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.

  • MATE :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.

  • PC-lint :copyright: — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.

  • Phasar — An LLVM-based static analysis framework which comes with a taint and type state analysis.

  • Polyspace Bug Finder :copyright: — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.

  • Polyspace Code Prover :copyright: — Provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.

  • scan-build — Frontend to drive the Clang Static Analyzer built into Clang via a regular build.

  • splint — Annotation-assisted static program checker.

  • SVF — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.

  • TrustInSoft Analyzer :copyright: — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.

  • vera++ :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

<a name="clojure" /> <h2>Clojure</h2>

  • clj-kondo — A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing.

<a name="coffeescript" /> <h2>CoffeeScript</h2>

  • coffeelint :warning: — A style checker that helps keep CoffeeScript code clean and consistent.

<a name="coldfusion" /> <h2>ColdFusion</h2>

  • Fixinator :copyright: — Static security code analysis for ColdFusion or CFML code. Designed to work within a CI pipeline or from the developer's terminal.

<a name="crystal" /> <h2>Crystal</h2>

<a name="dart" /> <h2>Dart</h2>

  • Dart Code Metrics :warning: — Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.

  • effective_dart — Linter rules corresponding to the guidelines in Effective Dart.

  • lint :warning: — An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter.

  • Linter for dart :warning: — Style linter for Dart.

<a name="delphi" /> <h2>Delphi</h2>

  • DelphiLint — A Delphi IDE package providing on-the-fly code analysis and linting, powered by SonarDelphi.

  • Fix Insight :copyright: — A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.

  • Pascal Analyzer :copyright: — A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.

  • Pascal Expert :copyright: — IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.

  • SonarDelphi — Delphi static analyzer for the SonarQube code quality platform.

<a name="dlang" /> <h2>Dlang</h2>

  • D-scanner — D-Scanner is a tool for analyzing D source code.

<a name="elixir" /> <h2>Elixir</h2>

  • credo — A static code analysis tool with a focus on code consistency and teaching.

  • dialyxir — Mix tasks to simplify use of Dialyzer in Elixir projects.

  • sobelow — Security-focused static analysis for the Phoenix Framework.

<a name="elm" /> <h2>Elm</h2>

  • elm-analyse :warning: — A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.

  • elm-review — Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.

<a name="erlang" /> <h2>Erlang</h2>

  • dialyzer — The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).

  • elvis — Erlang Style Reviewer.

  • Primitive Erlang Security Tool (PEST) :warning: — A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure.

<a name="fsharp" /> <h2>F#</h2>

<a name="fortran" /> <h2>Fortran</h2>

  • Fortitude — Fortran linter, inspired by (and built on) Ruff, and based on community best practices. Supports latest Fortran (2023) standard.

  • fprettify — Auto-formatter for modern Fortran source code, written in Python. Fprettify is a tool that provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history and tested for editor integration.

  • i-Code CNES for Fortran :warning: — An open source static code analysis tool for Fortran 77, Fortran 90 and Shell.

<a name="go" /> <h2>Go</h2>

  • aligncheck — Find inefficiently packed structs.

  • bodyclose — Checks whether HTTP response body is closed.

  • deadcode — Finds unused code.

  • dingo-hunter :warning: — Static analyser for finding deadlocks in Go.

  • dogsled — Finds assignments/declarations with too many blank identifiers.

  • dupl — Reports potentially duplicated code.

  • errcheck — Check that error return values are used.

  • errwrap :warning: — Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive.

  • flen — Get info on length of functions in a Go package.

  • Go Meta Linter :warning: — Concurrently run Go lint tools and normalise their output. Use golangci-lint for new projects.

  • go tool vet --shadow — Reports variables that may have been unintentionally shadowed.

  • go vet — Examines Go source code and reports suspicious constructs.

  • go-consistent :warning: — Analyzer that helps you to make your Go programs more consistent.

  • go-critic — Go source code linter that maintains checks which are currently not implemented in other linters.

  • go/ast — Package ast declares the types used to represent syntax trees for Go packages.

  • goast — Go AST (Abstract Syntax Tree) based static analysis tool with Rego.

  • gochecknoglobals :warning: — Checks that no globals are present.

  • goconst — Finds repeated strings that could be replaced by a constant.

  • gocyclo — Calculate cyclomatic complexities of functions in Go source code.

  • gofmt -s — Checks if the code is properly formatted and could not be further simplified.

  • gofumpt — Enforce a stricter format than gofmt, while being backwards-compatible. That is, gofumpt is happy with a subset of the formats that gofmt is happy with. The tool is a fork of gofmt as of Go 1.19, and requires Go 1.18 or later. It can be used as a drop-in replacement to format your Go code, and running gofmt after gofumpt should produce no changes. gofumpt will never add rules which disagree with gofmt formatting. So we extend gofmt rather than compete with it.

  • goimports — Checks missing or unreferenced package imports.

  • gokart — Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.

  • GolangCI-Lint — Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.

  • golint — Prints out coding style mistakes in Go source code.

  • goreporter — Concurrently runs many linters and normalises their output to a report.

  • goroutine-inspect — An interactive tool to analyze Golang goroutine dump.

  • gosec (gas) — Inspects source code for security problems by scanning the Go AST.

  • gotype — Syntactic and semantic analysis similar to the Go compiler.

  • govulncheck — Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.


truncated — full list on GitHub
