[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-5445":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":34,"readmeContent":35,"aiSummary":36,"trendingCount":16,"starSnapshotCount":16,"syncStatus":37,"lastSyncTime":38,"discoverSource":39},5445,"static-analysis","analysis-tools-dev\u002Fstatic-analysis","analysis-tools-dev","⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.","https:\u002F\u002Fanalysis-tools.dev",null,"Rust",14618,1474,312,1,0,3,24,85,18,44.51,"MIT License",false,"master",[26,27,28,29,30,31,5,32,33],"analysis","awesome-list","code-quality","hacktoberfest","linter","sast","static-analyzers","static-code-analysis","2026-06-12 02:01:10","\u003C!-- 🚨🚨 DON'T EDIT THIS FILE DIRECTLY. Edit `data\u002Ftools.yml` instead. 🚨🚨 -->\n\n \u003Ca href=\"https:\u002F\u002Fanalysis-tools.dev\u002F\">\n   \u003Cimg alt=\"Analysis Tools Website\" src=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fanalysis-tools-dev\u002Fassets\u002Fmaster\u002Fstatic\u002Fredesign.svg\" \u002F>\n \u003C\u002Fa>\n\nThis repository lists **static analysis tools** for all programming languages, build tools, config files and more. 
The focus is on tools which improve code quality such as linters and formatters.\nThe official website, [analysis-tools.dev](https:\u002F\u002Fanalysis-tools.dev\u002F) is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.\n\n[![Website](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FWebsite-Online-2B5BAE)](https:\u002F\u002Fanalysis-tools.dev)\n![CI](https:\u002F\u002Fgithub.com\u002Fanalysis-tools-dev\u002Fstatic-analysis\u002Fworkflows\u002FCI\u002Fbadge.svg)\n[![Links](https:\u002F\u002Fgithub.com\u002Fanalysis-tools-dev\u002Fstatic-analysis\u002Factions\u002Fworkflows\u002Flinks.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fanalysis-tools-dev\u002Fstatic-analysis\u002Factions\u002Fworkflows\u002Flinks.yml)\n\n## Sponsors\n\nThis project would not be possible without the generous support of our sponsors.\n\n\u003Ctable>\n   \u003Ctr>\n      \u003Ctd>\n         \u003Ca href=\"https:\u002F\u002Fwww.pixee.ai\u002F\">\n            \u003Cpicture >\n               \u003Csource width=\"200px\" media=\"(prefers-color-scheme: dark)\" srcset=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fanalysis-tools-dev\u002Fassets\u002Fmaster\u002Fstatic\u002Fsponsors\u002Fpixee-light.png\">\n               \u003Cimg width=\"200px\" alt=\"Pixee\" src=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fanalysis-tools-dev\u002Fassets\u002Fmaster\u002Fstatic\u002Fsponsors\u002Fpixee-dark.png\">\n            \u003C\u002Fpicture>\n         \u003C\u002Fa>\n      \u003C\u002Ftd>\n      \u003Ctd>\n         \u003Ca href=\"https:\u002F\u002Fcoderabbit.ai\">\n            \u003Cimg width=\"200px\" src=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fanalysis-tools-dev\u002Fassets\u002Fmaster\u002Fstatic\u002Fsponsors\u002Fcode-rabbit.svg\" \u002F>\n         \u003C\u002Fa>\n      \u003C\u002Ftd>\n      \u003Ctd>\n         \u003Ca href=\"https:\u002F\u002Fsemgrep.dev\u002F\">\n            \u003Cimg width=\"200px\" 
src=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fanalysis-tools-dev\u002Fassets\u002Fmaster\u002Fstatic\u002Fsponsors\u002Fsemgrep.svg\" \u002F>\n         \u003C\u002Fa>\n      \u003C\u002Ftd>\n      \u003Ctd>\n         \u003Ca href=\"https:\u002F\u002Foffensive360.com\u002F\">\n            \u003Cimg width=\"200px\" src=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fanalysis-tools-dev\u002Fassets\u002Fmaster\u002Fstatic\u002Fsponsors\u002Foffensive360.png\" \u002F>\n         \u003C\u002Fa>\n      \u003C\u002Ftd>\n   \u003C\u002Ftr>\n\u003C\u002Ftable>\n\nIf you also want to support this project, head over to our [GitHub sponsors page](https:\u002F\u002Fgithub.com\u002Fsponsors\u002Fanalysis-tools-dev).\n\n## Meaning of Symbols:\n\n- :copyright: stands for proprietary software. All other tools are Open Source.\n- :information_source: indicates that the community no longer recommends using this tool for new projects. The icon links to the discussion issue.\n- :warning: means that this tool has not been updated for more than 1 year, or the repo was archived.\n\nPull requests are very welcome!  
\nAlso check out the sister project, [awesome-dynamic-analysis](https:\u002F\u002Fgithub.com\u002Fmre\u002Fawesome-dynamic-analysis).\n\n## Table of Contents\n\n#### [Programming Languages](#programming-languages-1)\n\n| | | |\n|---|---|---|\n| [ABAP](#abap) | [Erlang](#erlang) | [PL\u002FSQL](#plsql) |\n| [Ada](#ada) | [F#](#fsharp) | [Perl](#perl) |\n| [Assembly](#asm) | [Fortran](#fortran) | [Python](#python) |\n| [Awk](#awk) | [Go](#go) | [R](#r) |\n| [C](#c) | [Groovy](#groovy) | [Rego](#rego) |\n| [C#](#csharp) | [Haskell](#haskell) | [Ruby](#ruby) |\n| [C++](#cpp) | [Haxe](#haxe) | [Rust](#rust) |\n| [Clojure](#clojure) | [Java](#java) | [SQL](#sql) |\n| [CoffeeScript](#coffeescript) | [JavaScript](#javascript) | [Scala](#scala) |\n| [ColdFusion](#coldfusion) | [Julia](#julia) | [Shell](#shell) |\n| [Crystal](#crystal) | [Kotlin](#kotlin) | [Swift](#swift) |\n| [Dart](#dart) | [Lua](#lua) | [Tcl](#tcl) |\n| [Delphi](#delphi) | [MATLAB](#matlab) | [TypeScript](#typescript) |\n| [Dlang](#dlang) | [Nim](#nim) | [Verilog\u002FSystemVerilog](#verilog) |\n| [Elixir](#elixir) | [Ocaml](#ocaml) | [Vim Script](#vim-script) |\n| [Elm](#elm) | [PHP](#php) | [WebAssembly](#wasm) |\n\n#### [Multiple Languages](#multiple-languages-1)\n\n#### [Other](#other-1)\n\u003Cdetails>\n \u003Csummary>Show Other\u003C\u002Fsummary>\n\n| | | |\n|---|---|---|\n| [.env](#dotenv) | [Embedded Ruby (a.k.a. 
ERB, eRuby)](#erb) | [Prometheus](#prometheus) |\n| [Ansible](#ansible) | [Gherkin](#gherkin) | [Protocol Buffers](#protobuf) |\n| [Archive](#archive) | [HTML](#html) | [Puppet](#puppet) |\n| [Azure Resource Manager](#arm) | [JSON](#json) | [Rails](#rails) |\n| [Binaries](#binary) | [Kubernetes](#kubernetes) | [Security\u002FSAST](#security) |\n| [Build tools](#buildtool) | [LaTeX](#latex) | [Smart Contracts](#smart-contracts) |\n| [CSS\u002FSASS\u002FSCSS](#css) | [Laravel](#laravel) | [Support](#support) |\n| [Config Files](#configfile) | [Makefiles](#make) | [Template-Languages](#template) |\n| [Configuration Management](#configmanagement) | [Markdown](#markdown) | [Terraform](#terraform) |\n| [Containers](#container) | [Metalinter](#meta) | [Translation](#translation) |\n| [Continuous Integration](#ci) | [Mobile](#mobile) | [Vue.js](#vue) |\n| [Deno](#deno) | [Nix](#nix) | [Writing](#writing) |\n| [Dockerfile](#dockerfile) | [Node.js](#nodejs) | [YAML](#yaml) |\n| [Embedded](#embedded) | [Packages](#package) | [git](#git) |\n\n\u003C\u002Fdetails>\n\n---\n\n## Programming Languages\n\n\u003Ca name=\"abap\" \u002F>\n\u003Ch2>ABAP\u003C\u002Fh2>\n\n\n- [abaplint](https:\u002F\u002Fabaplint.org) — Linter for ABAP, written in TypeScript.\n\n- [abapOpenChecks](https:\u002F\u002Fdocs.abapopenchecks.org) — Enhances the SAP Code Inspector with new and customizable checks.\n\n\n\u003Ca name=\"ada\" \u002F>\n\u003Ch2>Ada\u003C\u002Fh2>\n\n\n- [Polyspace for Ada](https:\u002F\u002Fwww.mathworks.com\u002Fproducts\u002Fpolyspace-ada.html) :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.\n\n- [SPARK](https:\u002F\u002Fwww.adacore.com\u002Fabout-spark) :copyright: — Static analysis and formal verification toolset for Ada.\n\n\n\u003Ca name=\"asm\" \u002F>\n\u003Ch2>Assembly\u003C\u002Fh2>\n\n\n- **STOKE** :warning: — A programming-language agnostic 
stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.\n\n\n\u003Ca name=\"awk\" \u002F>\n\u003Ch2>Awk\u003C\u002Fh2>\n\n\n- [gawk --lint](https:\u002F\u002Fwww.gnu.org\u002Fsoftware\u002Fgawk\u002Fmanual\u002Fhtml_node\u002FOptions.html) — Warns about constructs that are dubious or nonportable to other awk implementations.\n\n\n\u003Ca name=\"c\" \u002F>\n\u003Ch2>C\u003C\u002Fh2>\n\n\n- [Astrée](https:\u002F\u002Fwww.absint.com\u002Fastree\u002Findex.htm) :copyright: — Astrée automatically proves the absence of runtime errors and invalid con­current behavior in C\u002FC++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA\u002FCERT\u002FCWE\u002FAdaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.\n\n- [CBMC](http:\u002F\u002Fwww.cprover.org\u002Fcbmc) — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.\n\n- [clang-tidy](https:\u002F\u002Fclang.llvm.org\u002Fextra\u002Fclang-tidy) — Clang-based C++ linter tool with the (limited) ability to fix issues, too.\n\n- [clazy](https:\u002F\u002Fgithub.com\u002FKDE\u002Fclazy) — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.\n\n- [CMetrics](https:\u002F\u002Fgithub.com\u002FMetricsGrimoire\u002FCMetrics) — Measures size and complexity for C files.\n\n- [CPAchecker](https:\u002F\u002Fcpachecker.sosy-lab.org) — A tool for configurable software verification of C programs.  
The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.\n\n- [cppcheck](https:\u002F\u002Fcppcheck.sourceforge.io) — Static analysis of C\u002FC++ code.\n\n- [CppDepend](https:\u002F\u002Fwww.cppdepend.com) :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.\n\n- [cpplint](https:\u002F\u002Fgithub.com\u002Fcpplint\u002Fcpplint) — Automated C++ checker that follows Google's style guide.\n\n- [cqmetrics](https:\u002F\u002Fgithub.com\u002Fdspinellis\u002Fcqmetrics) — Quality metrics for C code.\n\n- [CScout](https:\u002F\u002Fwww.spinellis.gr\u002Fcscout) — Complexity and quality metrics for C and C preprocessor code.\n\n- **ENRE-cpp** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is a ENtity Relationship Extractor for C\u002FC++ based on @eclipse\u002FCDT. (Under development)\n\n- [ESBMC](http:\u002F\u002Fesbmc.org) — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C\u002FC++ programs.\n\n- **flawfinder** :warning: — Finds possible security weaknesses.\n\n- **flint++** :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.\n\n- [Frama-C](https:\u002F\u002Fwww.frama-c.com) — A sound and extensible static analyzer for C code.\n\n- [GCC](https:\u002F\u002Fgcc.gnu.org\u002Fonlinedocs\u002Fgcc\u002FStatic-Analyzer-Options.html) — The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled.  
It can also output its diagnostics to a JSON file in the SARIF format (from v13).\n\n- [Goblint](https:\u002F\u002Fgoblint.in.tum.de) — A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the  detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.\n\n- [Helix QAC](https:\u002F\u002Fwww.perforce.com\u002Fproducts\u002Fhelix-qac) :copyright: — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.\n\n- [IKOS](https:\u002F\u002Fgithub.com\u002Fnasa-sw-vnv\u002Fikos) — A sound static analyzer for C\u002FC++ code based on LLVM.\n\n- [KLEE](http:\u002F\u002Fklee.github.io\u002F) — A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure.  It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.\n\n- [LDRA](https:\u002F\u002Fldra.com) :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.\n\n- **MATE** :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C\u002FC++ programs.\n\n- [PC-lint](https:\u002F\u002Fpclintplus.com\u002F) :copyright: — Static analysis for C\u002FC++. Runs natively under Windows\u002FLinux\u002FMacOS. 
Analyzes code for virtually any platform, supporting C11\u002FC18 and C++17.\n\n- [Phasar](https:\u002F\u002Fphasar.org) — A LLVM-based static analysis framework which comes with a taint and type state analysis.\n\n- [Polyspace Bug Finder](https:\u002F\u002Fwww.mathworks.com\u002Fproducts\u002Fpolyspace-bug-finder.html) :copyright: — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.\n\n- [Polyspace Code Prover](https:\u002F\u002Fwww.mathworks.com\u002Fproducts\u002Fpolyspace-code-prover.html) :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.\n\n- [scan-build](https:\u002F\u002Fclang-analyzer.llvm.org\u002Fscan-build.html) — Frontend to drive the Clang Static Analyzer built into Clang via a regular build.\n\n- [splint](http:\u002F\u002Fsplint.org) — Annotation-assisted static program checker.\n\n- [SVF](https:\u002F\u002Fsvf-tools.github.io\u002FSVF) — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.\n\n- [TrustInSoft Analyzer](https:\u002F\u002Ftrust-in-soft.com) :copyright: — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). 
A MISRA C checker is also bundled.\n\n- **vera++** :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.\n\n\n\u003Ca name=\"csharp\" \u002F>\n\u003Ch2>C#\u003C\u002Fh2>\n\n\n- [.NET Analyzers](https:\u002F\u002Fgithub.com\u002FDotNetAnalyzers) — An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.\n\n- [ArchUnitNET](https:\u002F\u002Fgithub.com\u002FTNG\u002FArchUnitNET) — A C# architecture test library to specify and assert architecture rules in C# for automated testing.\n\n- [code-cracker](https:\u002F\u002Fcode-cracker.github.io) — An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.\n\n- **CSharpEssentials** :warning: — C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.\n\n- [Designite](http:\u002F\u002Fwww.designite-tools.com) :copyright: — Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.\n\n- [Gendarme](https:\u002F\u002Fwww.mono-project.com\u002Fdocs\u002Ftools+libraries\u002Ftools\u002Fgendarme) — Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).\n\n- **Infer#** :warning: — InferSharp (also referred to as Infer#) is an interprocedural and  scalable static code analyzer for C#. 
Via the capabilities of Facebook's Infer,  this tool detects null pointer dereferences and resource leaks.\n\n- [Meziantou.Analyzer](https:\u002F\u002Fgithub.com\u002Fmeziantou\u002FMeziantou.Analyzer) — A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.\n\n- [NDepend](http:\u002F\u002Fwww.ndepend.com) :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.\n\n- [Puma Scan](https:\u002F\u002Fpumasecurity.io) — Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.\n\n- [Roslynator](https:\u002F\u002Fgithub.com\u002FJosefPihrt\u002FRoslynator) — A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.\n\n- [SonarAnalyzer.CSharp](https:\u002F\u002Fgithub.com\u002FSonarSource\u002Fsonar-dotnet) — These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.\n\n- **VSDiagnostics** :warning: — A collection of static analyzers based on Roslyn that integrates with VS.\n\n- [Wintellect.Analyzers](https:\u002F\u002Fgithub.com\u002FWintellect\u002FWintellect.Analyzers) — .NET Compiler Platform (\"Roslyn\") diagnostic analyzers and code fixes.\n\n\n\u003Ca name=\"cpp\" \u002F>\n\u003Ch2>C++\u003C\u002Fh2>\n\n\n- [Astrée](https:\u002F\u002Fwww.absint.com\u002Fastree\u002Findex.htm) :copyright: — Astrée automatically proves the absence of runtime errors and invalid con­current behavior in C\u002FC++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA\u002FCERT\u002FCWE\u002FAdaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. 
Jenkins and Eclipse plugins are available.\n\n- [CBMC](http:\u002F\u002Fwww.cprover.org\u002Fcbmc) — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.\n\n- [clang-tidy](https:\u002F\u002Fclang.llvm.org\u002Fextra\u002Fclang-tidy) — Clang-based C++ linter tool with the (limited) ability to fix issues, too.\n\n- [clazy](https:\u002F\u002Fgithub.com\u002FKDE\u002Fclazy) — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.\n\n- [CMetrics](https:\u002F\u002Fgithub.com\u002FMetricsGrimoire\u002FCMetrics) — Measures size and complexity for C files.\n\n- [cppcheck](https:\u002F\u002Fcppcheck.sourceforge.io) — Static analysis of C\u002FC++ code.\n\n- [CppDepend](https:\u002F\u002Fwww.cppdepend.com) :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.\n\n- [cpplint](https:\u002F\u002Fgithub.com\u002Fcpplint\u002Fcpplint) — Automated C++ checker that follows Google's style guide.\n\n- [cqmetrics](https:\u002F\u002Fgithub.com\u002Fdspinellis\u002Fcqmetrics) — Quality metrics for C code.\n\n- [CScout](https:\u002F\u002Fwww.spinellis.gr\u002Fcscout) — Complexity and quality metrics for C and C preprocessor code.\n\n- **ENRE-cpp** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is a ENtity Relationship Extractor for C\u002FC++ based on @eclipse\u002FCDT. 
(Under development)\n\n- [ESBMC](http:\u002F\u002Fesbmc.org) — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C\u002FC++ programs.\n\n- **flawfinder** :warning: — Finds possible security weaknesses.\n\n- **flint++** :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.\n\n- [GCC](https:\u002F\u002Fgcc.gnu.org\u002Fonlinedocs\u002Fgcc\u002FStatic-Analyzer-Options.html) — The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled.  It can also output its diagnostics to a JSON file in the SARIF format (from v13).\n\n- [Helix QAC](https:\u002F\u002Fwww.perforce.com\u002Fproducts\u002Fhelix-qac) :copyright: — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.\n\n- [IKOS](https:\u002F\u002Fgithub.com\u002Fnasa-sw-vnv\u002Fikos) — A sound static analyzer for C\u002FC++ code based on LLVM.\n\n- [KLEE](http:\u002F\u002Fklee.github.io\u002F) — A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure.  It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.\n\n- [LDRA](https:\u002F\u002Fldra.com) :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.\n\n- **MATE** :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. 
MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C\u002FC++ programs.\n\n- [PC-lint](https:\u002F\u002Fpclintplus.com\u002F) :copyright: — Static analysis for C\u002FC++. Runs natively under Windows\u002FLinux\u002FMacOS. Analyzes code for virtually any platform, supporting C11\u002FC18 and C++17.\n\n- [Phasar](https:\u002F\u002Fphasar.org) — A LLVM-based static analysis framework which comes with a taint and type state analysis.\n\n- [Polyspace Bug Finder](https:\u002F\u002Fwww.mathworks.com\u002Fproducts\u002Fpolyspace-bug-finder.html) :copyright: — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.\n\n- [Polyspace Code Prover](https:\u002F\u002Fwww.mathworks.com\u002Fproducts\u002Fpolyspace-code-prover.html) :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.\n\n- [scan-build](https:\u002F\u002Fclang-analyzer.llvm.org\u002Fscan-build.html) — Frontend to drive the Clang Static Analyzer built into Clang via a regular build.\n\n- [splint](http:\u002F\u002Fsplint.org) — Annotation-assisted static program checker.\n\n- [SVF](https:\u002F\u002Fsvf-tools.github.io\u002FSVF) — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.\n\n- [TrustInSoft Analyzer](https:\u002F\u002Ftrust-in-soft.com) :copyright: — Exhaustive detection of coding errors and their associated security vulnerabilities. 
This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.\n\n- **vera++** :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.\n\n\n\u003Ca name=\"clojure\" \u002F>\n\u003Ch2>Clojure\u003C\u002Fh2>\n\n\n- [clj-kondo](https:\u002F\u002Fgithub.com\u002Fborkdude\u002Fclj-kondo) — A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing.\n\n\n\u003Ca name=\"coffeescript\" \u002F>\n\u003Ch2>CoffeeScript\u003C\u002Fh2>\n\n\n- **coffeelint** :warning: — A style checker that helps keep CoffeeScript code clean and consistent.\n\n\n\u003Ca name=\"coldfusion\" \u002F>\n\u003Ch2>ColdFusion\u003C\u002Fh2>\n\n\n- [Fixinator](https:\u002F\u002Ffixinator.app) :copyright: — Static security code analysis for ColdFusion or CFML code. Designed to work within a CI pipeline or from the developers terminal.\n\n\n\u003Ca name=\"crystal\" \u002F>\n\u003Ch2>Crystal\u003C\u002Fh2>\n\n\n- [ameba](https:\u002F\u002Fcrystal-ameba.github.io) — A static code analysis tool for Crystal.\n\n- [crystal](https:\u002F\u002Fcrystal-lang.org) — The Crystal compiler has built-in linting functionality.\n\n\n\u003Ca name=\"dart\" \u002F>\n\u003Ch2>Dart\u003C\u002Fh2>\n\n\n- **Dart Code Metrics** :warning: — Additional linter for Dart. 
Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.\n\n- [effective_dart](https:\u002F\u002Fpub.dev\u002Fpackages\u002Feffective_dart) — Linter rules corresponding to the guidelines in Effective Dart.\n\n- **lint** :warning: — An opinionated, community-driven set of lint rules for Dart and Flutter projects. Like pedantic but stricter.\n\n- **Linter for dart** :warning: — Style linter for Dart.\n\n\n\u003Ca name=\"delphi\" \u002F>\n\u003Ch2>Delphi\u003C\u002Fh2>\n\n\n- [DelphiLint](https:\u002F\u002Fgithub.com\u002Fintegrated-application-development\u002Fdelphilint) — A Delphi IDE package providing on-the-fly code analysis and linting, powered by SonarDelphi.\n\n- [Fix Insight](https:\u002F\u002Fwww.tmssoftware.com\u002Fsite\u002Ffixinsight.asp) :copyright: — A free IDE Plugin for static code analysis. A _Pro_ edition includes a command line tool for automation purposes.\n\n- [Pascal Analyzer](https:\u002F\u002Fpeganza.com\u002Fproducts_pal.html) :copyright: — A static code analysis tool with numerous reports. A free _Lite_ version is available with limited reporting.\n\n- [Pascal Expert](https:\u002F\u002Fpeganza.com\u002Fproducts_pex.html) :copyright: — IDE plugin for code analysis. 
Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.\n\n- [SonarDelphi](https:\u002F\u002Fgithub.com\u002Fintegrated-application-development\u002Fsonar-delphi) — Delphi static analyzer for the SonarQube code quality platform.\n\n\n\u003Ca name=\"dlang\" \u002F>\n\u003Ch2>Dlang\u003C\u002Fh2>\n\n\n- [D-scanner](https:\u002F\u002Fgithub.com\u002Fdlang-community\u002FD-Scanner) — D-Scanner is a tool for analyzing D source code.\n\n\n\u003Ca name=\"elixir\" \u002F>\n\u003Ch2>Elixir\u003C\u002Fh2>\n\n\n- [credo](https:\u002F\u002Fgithub.com\u002Frrrene\u002Fcredo) — A static code analysis tool with a focus on code consistency and teaching.\n\n- [dialyxir](https:\u002F\u002Fgithub.com\u002Fjeremyjh\u002Fdialyxir) — Mix tasks to simplify use of Dialyzer in Elixir projects.\n\n- [sobelow](https:\u002F\u002Fgithub.com\u002Fnccgroup\u002Fsobelow) — Security-focused static analysis for the Phoenix Framework.\n\n\n\u003Ca name=\"elm\" \u002F>\n\u003Ch2>Elm\u003C\u002Fh2>\n\n\n- **elm-analyse** :warning: — A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices.\n\n- [elm-review](https:\u002F\u002Fpackage.elm-lang.org\u002Fpackages\u002Fjfmengels\u002Felm-review\u002Flatest) — Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.\n\n\n\u003Ca name=\"erlang\" \u002F>\n\u003Ch2>Erlang\u003C\u002Fh2>\n\n\n- [dialyzer](https:\u002F\u002Fwww.erlang.org\u002Fdoc\u002Fman\u002Fdialyzer.html) — The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. 
Dialyzer is a static analysis tool that identifies software discrepancies,  such as definite type errors, code that has become dead or unreachable  because of programming error, and unnecessary tests,  in single Erlang modules or entire (sets of) applications.\nDialyzer starts its analysis from either debug-compiled BEAM bytecode  or from Erlang source code. The file and line number of a discrepancy  is reported along with an indication of what the discrepancy is about.  Dialyzer bases its analysis on the concept of success typings,  which allows for sound warnings (no false positives).\n\n- [elvis](https:\u002F\u002Fgithub.com\u002Finaka\u002Felvis) — Erlang Style Reviewer.\n\n- **Primitive Erlang Security Tool (PEST)** :warning: — A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure.\n\n\n\u003Ca name=\"fsharp\" \u002F>\n\u003Ch2>F#\u003C\u002Fh2>\n\n\n- [fantomas](https:\u002F\u002Ffsprojects.github.io\u002Ffantomas\u002F) — F# source code formatter.\n\n- [FSharpLint](https:\u002F\u002Fgithub.com\u002Ffsprojects\u002FFSharpLint) — Lint tool for F#.\n\n- [ionide-analyzers](https:\u002F\u002Fionide.io\u002Fionide-analyzers\u002F) — A collection of F# analyzers, built with the FSharp.Analyzers.SDK.\n\n\n\u003Ca name=\"fortran\" \u002F>\n\u003Ch2>Fortran\u003C\u002Fh2>\n\n\n- [Fortitude](https:\u002F\u002Ffortitude.readthedocs.io) — Fortran linter, inspired by (and built on) Ruff, and based on community best practices. 
Supports latest Fortran (2023) standard.\n\n- [fprettify](https:\u002F\u002Fpypi.python.org\u002Fpypi\u002Ffprettify) — Auto-formatter for modern fortran source code, written in Python.\nFprettify is a tool that provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history and tested for editor integration.\n\n- **i-Code CNES for Fortran** :warning: — An open source static code analysis tool for Fortran 77, Fortran 90 and Shell.\n\n\n\u003Ca name=\"go\" \u002F>\n\u003Ch2>Go\u003C\u002Fh2>\n\n\n- [aligncheck](https:\u002F\u002Fgitlab.com\u002Fopennota\u002Fcheck) — Find inefficiently packed structs.\n\n- [bodyclose](https:\u002F\u002Fgithub.com\u002Ftimakin\u002Fbodyclose) — Checks whether HTTP response body is closed.\n\n- [deadcode](https:\u002F\u002Fgithub.com\u002Ftsenart\u002Fdeadcode) — Finds unused code.\n\n- **dingo-hunter** :warning: — Static analyser for finding deadlocks in Go.\n\n- [dogsled](https:\u002F\u002Fgithub.com\u002Falexkohler\u002Fdogsled) — Finds assignments\u002Fdeclarations with too many blank identifiers.\n\n- [dupl](https:\u002F\u002Fgithub.com\u002Fmibk\u002Fdupl) — Reports potentially duplicated code.\n\n- [errcheck](https:\u002F\u002Fgithub.com\u002Fkisielk\u002Ferrcheck) — Check that error return values are used.\n\n- **errwrap** :warning: — Wrap and fix Go errors with the new %w verb directive.  This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that  is different than the new %w verb directive introduced in Go v1.13.  It's also capable of rewriting calls to use the new %w wrap verb directive.\n\n- [flen](https:\u002F\u002Fgithub.com\u002Flafolle\u002Fflen) — Get info on length of functions in a Go package.\n\n- **Go Meta Linter** :warning: — Concurrently run Go lint tools and normalise their output. 
Use `golangci-lint` for new projects.\n\n- [go tool vet --shadow](https:\u002F\u002Fgolang.org\u002Fcmd\u002Fvet#hdr-Shadowed_variables) — Reports variables that may have been unintentionally shadowed.\n\n- [go vet](https:\u002F\u002Fgolang.org\u002Fcmd\u002Fvet) — Examines Go source code and reports suspicious.\n\n- **go-consistent** :warning: — Analyzer that helps you to make your Go programs more consistent.\n\n- [go-critic](https:\u002F\u002Fgithub.com\u002Fgo-critic\u002Fgo-critic) — Go source code linter that maintains checks which are currently not implemented in other linters.\n\n- [go\u002Fast](https:\u002F\u002Fgolang.org\u002Fpkg\u002Fgo\u002Fast) — Package ast declares the types used to represent syntax trees for Go packages.\n\n- [goast](https:\u002F\u002Fgithub.com\u002Fm-mizutani\u002Fgoast) — Go AST (Abstract Syntax Tree) based static analysis tool with Rego.\n\n- **gochecknoglobals** :warning: — Checks that no globals are present.\n\n- [goconst](https:\u002F\u002Fgithub.com\u002Fjgautheron\u002Fgoconst) — Finds repeated strings that could be replaced by a constant.\n\n- [gocyclo](https:\u002F\u002Fgithub.com\u002Ffzipp\u002Fgocyclo) — Calculate cyclomatic complexities of functions in Go source code.\n\n- [gofmt -s](https:\u002F\u002Fgolang.org\u002Fcmd\u002Fgofmt) — Checks if the code is properly formatted and could not be further simplified.\n\n- [gofumpt](https:\u002F\u002Fgithub.com\u002Fmvdan\u002Fgofumpt) — Enforce a stricter format than `gofmt`, while being backwards-compatible.  That is, `gofumpt` is happy with a subset of the formats that `gofmt` is happy with.\nThe tool is a fork of `gofmt` as of Go 1.19, and requires Go 1.18 or later.  It can be used as a drop-in replacement to format your Go code, and running gofmt  after gofumpt should produce no changes.\n`gofumpt` will never add rules which disagree with `gofmt` formatting. 
So we extend `gofmt` rather than compete with it.\n\n- [goimports](https:\u002F\u002Fpkg.go.dev\u002Fgolang.org\u002Fx\u002Ftools\u002Fcmd\u002Fgoimports) — Checks missing or unreferenced package imports.\n\n- [gokart](https:\u002F\u002Fgithub.com\u002Fpraetorian-inc\u002Fgokart) — Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments  to determine whether input sources are safe.\n\n- [GolangCI-Lint](https:\u002F\u002Fgolangci-lint.run) — Alternative to `Go Meta Linter`: GolangCI-Lint is a linters aggregator.\n\n- [golint](https:\u002F\u002Fgithub.com\u002Fgolang\u002Flint) — Prints out coding style mistakes in Go source code.\n\n- [goreporter](https:\u002F\u002Fgithub.com\u002F360EntSecGroup-Skylar\u002Fgoreporter) — Concurrently runs many linters and normalises their output to a report.\n\n- [goroutine-inspect](https:\u002F\u002Fgithub.com\u002Flinuxerwang\u002Fgoroutine-inspect) — An interactive tool to analyze Golang goroutine dump.\n\n- [gosec (gas)](https:\u002F\u002Fsecurego.io) — Inspects source code for security problems by scanning the Go AST.\n\n- [gotype](https:\u002F\u002Fpkg.go.dev\u002Fgolang.org\u002Fx\u002Ftools\u002Fcmd\u002Fgotype) — Syntactic and semantic analysis similar to the Go compiler.\n\n- [govulncheck](https:\u002F\u002Fgo.dev\u002Fblog\u002Fvuln) — Govulncheck reports known vulnerabilities that affect Go code.  It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.\nBy default, govulncheck makes requests to the Go vulnerability database at https:\u002F\u002Fvuln.go.dev. 
Requests to the vulnerability database contain only module paths, not code or other properties of your program.\n\n- [ineffassign](https:\u002F\u002Fgithub.com\u002Fgordonklaus\u002Fineffassign) — Detect ineffectual assignments in Go code.\n\n- **interfacer** :warning: — Suggest narrower interfaces that can be used.\n\n- [lll](https:\u002F\u002Fgithub.com\u002Fwalle\u002Flll) — Report long lines.\n\n- **maligned** :warning: — Detect structs that would take less memory if their fields were sorted.\n\n- [misspell](https:\u002F\u002Fgithub.com\u002Fclient9\u002Fmisspell) — Finds commonly misspelled English words.\n\n- **nakedret** :warning: — Finds naked returns.\n\n- [nargs](https:\u002F\u002Fgithub.com\u002Falexkohler\u002Fnargs) — Finds unused arguments in function declarations.\n\n- [OSV-Scanner](https:\u002F\u002Fosv.dev\u002F) — Vulnerability scanner written in Go which uses the data provided by OSV.dev. Developed by Google to scan dependencies across multiple languages and package managers for known vulnerabilities. Supports container scanning, license scanning, and guided remediation. Works with lockfiles, SBOMs, and container images to identify security issues.\n\n- [prealloc](https:\u002F\u002Fgithub.com\u002Falexkohler\u002Fprealloc) — Finds slice declarations that could potentially be preallocated.\n\n- [Reviewdog](https:\u002F\u002Fgithub.com\u002Fhaya14busa\u002Freviewdog) — A tool for posting review comments from any linter in any code hosting service.\n\n- [revive](https:\u002F\u002Frevive.run) — Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.\n\n- **safesql** :warning: — Static analysis tool for Golang that protects against SQL injections.\n\n- **shisho** :warning: — A lightweight static code analyzer designed for developers and security teams. 
It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code.\n\n- [staticcheck](https:\u002F\u002Fstaticcheck.io) — Go static analysis that specialises in finding bugs, simplifying code and improving performance.\n\n- [structcheck](https:\u002F\u002Fgitlab.com\u002Fopennota\u002Fcheck) — Find unused struct fields.\n\n- [structslop](https:\u002F\u002Fgithub.com\u002Forijtech\u002Fstructslop) — Static analyzer for Go that recommends struct field rearrangements to provide for maximum space\u002Fallocation efficiency\n\n- [test](https:\u002F\u002Fpkg.go.dev\u002Ftesting) — Show location of test failures from the stdlib testing module.\n\n- **unconvert** :warning: — Detect redundant type conversions.\n\n- [unparam](https:\u002F\u002Fgithub.com\u002Fmvdan\u002Funparam) — Find unused function parameters.\n\n- [varcheck](https:\u002F\u002Fgitlab.com\u002Fopennota\u002Fcheck) — Find unused global variables and constants.\n\n- [wsl](https:\u002F\u002Fgithub.com\u002Fbombsimon\u002Fwsl) — Enforces empty lines at the right places.\n\n\n\u003Ca name=\"groovy\" \u002F>\n\u003Ch2>Groovy\u003C\u002Fh2>\n\n\n- [CodeNarc](https:\u002F\u002Fcodenarc.github.io\u002FCodeNarc) — A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices.\n\n\n\u003Ca name=\"haskell\" \u002F>\n\u003Ch2>Haskell\u003C\u002Fh2>\n\n\n- **brittany** :warning: — Haskell source code formatter\n\n- [HLint](https:\u002F\u002Fgithub.com\u002Fndmitchell\u002Fhlint) — HLint is a tool for suggesting possible improvements to Haskell code.\n\n- [Liquid Haskell](https:\u002F\u002Fucsd-progsys.github.io\u002Fliquidhaskell-blog\u002F) — Liquid Haskell is a refinement type checker for Haskell programs.\n\n- [Stan](https:\u002F\u002Fkowainik.github.io\u002Fprojects\u002Fstan) — Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible 
solutions for detected problems.\n\n- [Weeder](https:\u002F\u002Fgithub.com\u002Focharles\u002Fweeder) — A tool for detecting dead exports or package imports in Haskell code.\n\n\n\u003Ca name=\"haxe\" \u002F>\n\u003Ch2>Haxe\u003C\u002Fh2>\n\n\n- [Haxe Checkstyle](https:\u002F\u002Fhaxecheckstyle.github.io\u002Fdocs\u002Fhaxe-checkstyle\u002Fhome.html) — A static analysis tool to help developers write Haxe code that adheres to a coding standard.\n\n\n\u003Ca name=\"java\" \u002F>\n\u003Ch2>Java\u003C\u002Fh2>\n\n\n- [Checker Framework](https:\u002F\u002Fcheckerframework.org) — Pluggable type-checking for Java.  This is not just a bug-finder, but a verification tool that gives a guarantee of correctness.  It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.\n\n- [checkstyle](https:\u002F\u002Fcheckstyle.org) — Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).\n\n- [ck](https:\u002F\u002Fgithub.com\u002Fmauricioaniche\u002Fck) — Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.\n\n- [ckjm](http:\u002F\u002Fwww.spinellis.gr\u002Fsw\u002Fckjm) — Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.\n\n- **CogniCrypt** :warning: — Checks Java source and byte code for incorrect uses of cryptographic APIs.\n\n- [Dataflow Framework](https:\u002F\u002Fgithub.com\u002Ftypetools\u002Fchecker-framework) — An industrial-strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. 
It is distributed with the Checker Framework.\n\n- [DesigniteJava](http:\u002F\u002Fwww.designite-tools.com\u002Fdesignitejava) :copyright: — DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.\n\n- [Diffblue](https:\u002F\u002Fwww.diffblue.com\u002F) :copyright: — Diffblue is a software company that provides AI-powered code analysis and testing solutions for software development teams.\nIts technology helps developers automate testing, find bugs, and reduce manual labor in their software development processes. The company's main product, Diffblue Cover, uses AI to generate and run unit tests for Java code, helping to catch errors and improve code quality.\n\n- [Doop](https:\u002F\u002Fplast-lab.github.io\u002Fdoop-pldi15-tutorial\u002F) — Doop is a declarative framework for static analysis of Java\u002FAndroid programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.).\n\n- **ENRE-java** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-java is a ENtity Relationship Extractor for Java projects based on @Eclipse JDT\u002Fparser.\n\n- [Error Prone](https:\u002F\u002Ferrorprone.info) — Catch common Java mistakes as compile-time errors.\n\n- [fb-contrib](http:\u002F\u002Ffb-contrib.sourceforge.net) — A plugin for FindBugs with additional bug detectors.\n\n- [forbidden-apis](https:\u002F\u002Fgithub.com\u002Fpoliceman-tools\u002Fforbidden-apis) — Detects and forbids invocations of specific method\u002Fclass\u002Ffield (like reading from a text stream without a charset). 
Maven\u002FGradle\u002FAnt compatible.\n\n- [google-java-format](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fgoogle-java-format) — Reformats Java source code to comply with Google Java Style.\n\n- **HuntBugs** :warning: — Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.\n\n- [IntelliJ IDEA](https:\u002F\u002Fwww.jetbrains.com\u002Fidea) :copyright: — Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more.\n\n- [JArchitect](https:\u002F\u002Fwww.jarchitect.com) :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.\n\n- [JBMC](https:\u002F\u002Fwww.cprover.org\u002Fjbmc) — Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.\n\n- [JLiSA](https:\u002F\u002Fgithub.com\u002Flisa-analyzer\u002Fjlisa) — An abstract interpretation-based static analyzer for Java built upon the [LiSA](https:\u002F\u002Fgithub.com\u002Flisa-analyzer\u002Flisa) framework.\n\n- [Mariana Trench](https:\u002F\u002Fmariana-tren.ch\u002F) — Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). 
It can find vulnerabilities as code changes, before it ever lands in your repository.\n\n- [NullAway](https:\u002F\u002Fgithub.com\u002Fuber\u002FNullAway) — Type-based null-pointer checker with low build-time overhead; an [Error Prone](http:\u002F\u002Ferrorprone.info\u002F) plugin.\n\n- **OWASP Dependency Check** :warning: — Checks dependencies for known, publicly disclosed, vulnerabilities.\n\n- [qulice](https:\u002F\u002Fwww.qulice.com) — Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...).\n\n- [RefactorFirst](https:\u002F\u002Fgithub.com\u002Fjimbethancourt\u002FRefactorFirst) — Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.\n\n- [Soot](https:\u002F\u002Fsoot-oss.github.io\u002Fsoot) — A framework for analyzing and transforming Java and Android applications.\n\n- [Spoon](https:\u002F\u002Fspoon.gforge.inria.fr) — Spoon is a metaprogramming library to analyze and transform Java source code (incl Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with powerful analysis and transformation API. Can be integrated in Maven and Gradle.\n\n- [SpotBugs](https:\u002F\u002Fspotbugs.github.io) — SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.\n\n- **steady** :warning: — Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy.\n\n- [Violations Lib](https:\u002F\u002Fgithub.com\u002Ftomasbjerre\u002Fviolations-lib) — Java library for parsing report files from static code analysis. 
Used by a bunch of Jenkins, Maven and Gradle plugins.\n\n\n\u003Ca name=\"javascript\" \u002F>\n\u003Ch2>JavaScript\u003C\u002Fh2>\n\n\n- **aether** :warning: — Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.\n\n- [Closure Compiler](https:\u002F\u002Fdevelopers.google.com\u002Fclosure\u002Fcompiler) — A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files.\n\n- **ClosureLinter** :warning: — Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors.\n\n- **complexity-report** :warning: — Software complexity analysis for JavaScript projects.\n\n- [DeepScan](https:\u002F\u002Fdeepscan.io) :copyright: — An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.\n\n- **es6-plato** :warning: — Visualize JavaScript (ES6) source complexity.\n\n- [escomplex](https:\u002F\u002Fgithub.com\u002Fjared-stilwell\u002Fescomplex) — Software complexity analysis of JavaScript-family abstract syntax trees.\n\n- **Esprima** :warning: — ECMAScript parsing infrastructure for multipurpose analysis.\n\n- [flow](https:\u002F\u002Fflow.org) — A static type checker for JavaScript.\n\n- **hegel** :warning: — A static type checker for JavaScript with a bias on type inference and strong type systems.\n\n- [jshint](https:\u002F\u002Fjshint.com\u002Fabout) [:information_source:](\u003Chttps:\u002F\u002Fgithub.com\u002Fanalysis-tools-dev\u002Fstatic-analysis\u002Fissues\u002F223>) — Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.\n\n- [JSLint](https:\u002F\u002Fgithub.com\u002Fdouglascrockford\u002FJSLint) [:information_source:](\u003Chttps:\u002F\u002Fgithub.com\u002Fanalysis-tools-dev\u002Fstatic-analysis\u002Fissues\u002F223>) — The JavaScript Code Quality Tool.\n\n- **JSPrime** 
:warning: — Static security analysis tool.\n\n- **NodeJSScan** :warning: — A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.\n\n- **plato** :warning: — Visualize JavaScript source complexity.\n\n- [Polymer-analyzer](https:\u002F\u002Fgithub.com\u002FPolymer\u002Ftools\u002Ftree\u002Fmaster\u002Fpackages\u002Fanalyzer) — A static analysis framework for Web Components.\n\n- [retire.js](https:\u002F\u002Fretirejs.github.io\u002Fretire.js) — Scanner detecting the use of JavaScript libraries with known vulnerabilities.\n\n- **RSLint** :warning: — A (WIP) JavaScript linter written in Rust designed to be as fast as possible, customizable, and easy to use.\n\n- [standard](http:\u002F\u002Fstandardjs.com) — An npm module that checks for Javascript Styleguide issues.\n\n- [tern](https:\u002F\u002Fternjs.net) — A JavaScript code analyzer for deep, cross-editor language support.\n\n- **TypL** :warning: — With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing.\n\n- [xo](https:\u002F\u002Fgithub.com\u002Fxojs\u002Fxo) — Opinionated but configurable ESLint wrapper with lots of goodies included. 
Enforces strict and readable code.\n\n- **yardstick** :warning: — Javascript code metrics.\n\n\n\u003Ca name=\"julia\" \u002F>\n\u003Ch2>Julia\u003C\u002Fh2>\n\n\n- [JET](https:\u002F\u002Fgithub.com\u002Faviatesk\u002FJET.jl) — Static type inference system to detect bugs and type instabilities.\n\n- [StaticLint](https:\u002F\u002Fgithub.com\u002Fjulia-vscode\u002FStaticLint.jl) — Static Code Analysis for Julia\n\n\n\u003Ca name=\"kotlin\" \u002F>\n\u003Ch2>Kotlin\u003C\u002Fh2>\n\n\n- [detekt](https:\u002F\u002Fdetekt.github.io\u002Fdetekt) — Static code analysis for Kotlin code.\n\n- **diktat** :warning: — Strict coding standard for Kotlin and a linter that detects and auto-fixes code smells.\n\n- [ktfmt](https:\u002F\u002Ffacebook.github.io\u002Fktfmt\u002F) — A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions.\nA ktfmt IntelliJ plugin is available from the plugin repository. To install it, go to your IDE's settings and select the Plugins category. Click the Marketplace tab, search for the ktfmt plugin, and click the Install button.\n\n- [ktlint](https:\u002F\u002Fktlint.github.io) — An anti-bikeshedding Kotlin linter with built-in formatter.\n\n\n\u003Ca name=\"lua\" \u002F>\n\u003Ch2>Lua\u003C\u002Fh2>\n\n\n- [luacheck](https:\u002F\u002Fgithub.com\u002Flunarmodules\u002Fluacheck) — A tool for linting and static analysis of Lua code.\n\n- [lualint](https:\u002F\u002Fgithub.com\u002Fphilips\u002Flualint) — lualint performs luac-based static analysis of global variable usage in Lua source code.\n\n- **Luanalysis** :warning: — An IDE for statically typed Lua development.\n\n\n\u003Ca name=\"matlab\" \u002F>\n\u003Ch2>MATLAB\u003C\u002Fh2>\n\n\n- **MISS_HIT** :warning: — MISS_HIT is a free, open-source code quality toolset for MATLAB, Simulink, and Octave. 
It includes MH Style (style checker and formatter), MH Metrics (complexity metrics), MH Lint (static analysis), MH Trace (requirements traceability), and MH Copyright (copyright management). Designed to work standalone without requiring MATLAB\u002FOctave installation.\n\n- [mlint](https:\u002F\u002Fwww.mathworks.com\u002Fhelp\u002Fmatlab\u002Fref\u002Fmlint.html) :copyright: — Check MATLAB code files for possible problems.\n\n\n\u003Ca name=\"nim\" \u002F>\n\u003Ch2>Nim\u003C\u002Fh2>\n\n\n- [DrNim](https:\u002F\u002Fnim-lang.org\u002Fdocs\u002Fdrnim.html) — DrNim combines the Nim frontend with the Z3 proof engine in order to allow verifying \u002F validating software written in Nim.\n\n- **nimfmt** :warning: — Nim code formatter \u002F linter \u002F style checker\n\n\n\u003Ca name=\"ocaml\" \u002F>\n\u003Ch2>OCaml\u003C\u002Fh2>\n\n\n- [Sys](https:\u002F\u002Fgithub.com\u002FPLSysSec\u002Fsys) — A static\u002Fsymbolic tool for finding bugs in (browser) code. It uses the LLVM AST to find bugs like uninitialized memory access.\n\n- [VeriFast](https:\u002F\u002Fgithub.com\u002Fverifast\u002Fverifast) — A tool for modular formal verification of correctness properties of single-threaded and multithreaded  C and Java programs annotated with preconditions and postconditions written in separation logic.  To express rich specifications, the programmer can define inductive datatypes,  primitive recursive pure functions over these datatypes, and abstract separation logic predicates.\n\n\n\u003Ca name=\"php\" \u002F>\n\u003Ch2>PHP\u003C\u002Fh2>\n\n\n- [CakeFuzzer](https:\u002F\u002Fzigrin.com\u002Ftools\u002Fcake-fuzzer\u002F) — Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. 
Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.\n\n- [churn-php](https:\u002F\u002Fgithub.com\u002Fbmitch\u002Fchurn-php) — Helps discover good candidates for refactoring.\n\n- [composer-dependency-analyser](https:\u002F\u002Fgithub.com\u002Fshipmonk-rnd\u002Fcomposer-dependency-analyser) — Fast detection of composer dependency issues.\n\n* 💪 Powerful: Detects unused, shadow and misplaced composer dependencies\n* ⚡ Performant: Scans 15 000 files in 2s!\n* ⚙️ Configurable: Fine-grained ignores via PHP config\n* 🕸️ Lightweight: No composer dependencies\n* 🍰 Easy-to-use: No config needed for first try\n* ✨ Compatible: PHP >= 7.2\n\n\n- [dephpend](https:\u002F\u002Fgithub.com\u002Fmihaeu\u002Fdephpend) — Dependency analysis tool.\n\n- [deprecation-detector](https:\u002F\u002Fgithub.com\u002Fsensiolabs-de\u002Fdeprecation-detector) — Finds usages of deprecated (Symfony) code.\n\n- [deptrac](https:\u002F\u002Fgithub.com\u002Fsensiolabs-de\u002Fdeptrac) — Enforce rules for dependencies between software layers.\n\n- [DesignPatternDetector](https:\u002F\u002Fgithub.com\u002FHalleck45\u002FDesignPatternDetector) — Detection of design patterns in PHP code.\n\n- [EasyCodingStandard](https:\u002F\u002Fwww.tomasvotruba.com\u002Fblog\u002F2017\u002F05\u002F03\u002Fcombine-power-of-php-code-sniffer-and-php-cs-fixer-in-3-lines) — Combine [PHP_CodeSniffer](https:\u002F\u002Fgithub.com\u002Fsquizlabs\u002FPHP_CodeSniffer) and [PHP-CS-Fixer](https:\u002F\u002Fgithub.com\u002FFriendsOfPHP\u002FPHP-CS-Fixer).\n\n- **Enlightn** :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. 
Contains 120 automated checks.\n\n- [exakat](https:\u002F\u002Fwww.exakat.io) — An automated code reviewing engine for PHP.\n\n- [GrumPHP](https:\u002F\u002Fgithub.com\u002Fphpro\u002Fgrumphp) — Checks code on every commit.\n\n- [larastan](https:\u002F\u002Fgithub.com\u002Flarastan\u002Flarastan) — Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan.\n\n- [mago](https:\u002F\u002Fmago.carthage.software) — Mago is a complete toolchain for PHP, written in Rust, designed from the ground up for maximum performance.\n\n* ✨ A blazing-fast formatter that automatically formats your code according to PER-CS, ending style debates forever.\n* 🔎 An intelligent linter that catches stylistic issues, inconsistencies, and code smells before they become problems.\n* 🔬 A powerful static analyzer that finds type errors and logical bugs in your code without you ever having to run it.\n* 🛡️ A robust architectural guard that enforces dependency rules and structural conventions.\n\n\n- **Mondrian** :warning: — A set of static analysis and refactoring tools which use graph theory.\n\n- [parallel-lint](https:\u002F\u002Fgithub.com\u002Fphp-parallel-lint\u002FPHP-Parallel-Lint) — This tool checks syntax of PHP files faster than serial check with a fancier output.\n\n- [Parse](https:\u002F\u002Fgithub.com\u002Fpsecio\u002Fparse) — A Static Security Scanner.\n\n- [pdepend](https:\u002F\u002Fpdepend.org) — Calculates software metrics like cyclomatic complexity for PHP code.\n\n- [phan](https:\u002F\u002Fgithub.com\u002Fphan\u002Fphan\u002Fwiki) — A modern static analyzer from Etsy.\n\n- [PHP Architecture Tester](https:\u002F\u002Fgithub.com\u002Fcarlosas\u002Fphpat) — Easy to use architecture testing tool for PHP.\n\n- [PHP Assumptions](https:\u002F\u002Fgithub.com\u002Frskuipers\u002Fphp-assumptions) — Checks for weak assumptions.\n\n- [PHP Coding Standards Fixer](https:\u002F\u002Fcs.symfony.com) — Fixes your code according to standards 
like PSR-1, PSR-2, and the Symfony standard.\n\n- [PHP Insights](https:\u002F\u002Fgithub.com\u002Fnunomaduro\u002Fphpinsights) — Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.\n\n- [Php Inspections (EA Extended)](https:\u002F\u002Fplugins.jetbrains.com\u002Fplugin\u002F7622-php-inspections-ea-extended-) — A Static Code Analyzer for PHP.\n\n- [PHP Refactoring Browser](https:\u002F\u002Fqafoolabs.github.io\u002Fphp-refactoring-browser) — Refactoring helper.\n\n- [PHP Semantic Versioning Checker](https:\u002F\u002Fgithub.com\u002Ftomzx\u002Fphp-semver-checker) — Suggests a next version according to semantic versioning.\n\n- [PHP-Parser](https:\u002F\u002Fgithub.com\u002Fnikic\u002FPHP-Parser) — A PHP parser written in PHP.\n\n- [php-speller](https:\u002F\u002Fgithub.com\u002Fmekras\u002Fphp-speller) — PHP spell check library.\n\n- **PHP-Token-Reflection** :warning: — Library emulating the PHP internal reflection.\n\n- **php7cc** :warning: — PHP 7 Compatibility Checker.\n\n- **php7mar** :warning: — Assist developers in porting their code quickly to PHP 7.\n\n- **PHP_CodeSniffer** :warning: — Detects violations of a defined set of coding standards.\n\n- [PHPArkitect](https:\u002F\u002Fgithub.com\u002Fphparkitect\u002Farkitect) — PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. 
You can express the constraint that you want to enforce, in simple and readable PHP code.\n\n- **phpca** :warning: — Finds usage of non-built-in extensions.\n\n- **phpcpd** :warning: — Copy\u002FPaste Detector for PHP code.\n\n- **phpdcd** :warning: — Dead Code Detector (DCD) for PHP code.\n\n- **PhpDependencyAnalysis** :warning: — Builds a dependency graph for a project.\n\n- **PhpDeprecationDetector** :warning: — Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions.  It finds removed objects (functions, variables, constants and ini-directives),  deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions).\n\n- **phpdoc-to-typehint** :warning: — Add scalar type hints and return types to existing PHP projects using PHPDoc annotations.\n\n- [phpDocumentor](https:\u002F\u002Fwww.phpdoc.org) — Analyzes PHP source code to generate documentation.\n\n- **phploc** :warning: — A tool for quickly measuring the size and analyzing the structure of a PHP project.\n\n- [PHPMD](https:\u002F\u002Fphpmd.org) — Finds possible bugs in your code.\n\n- [PhpMetrics](http:\u002F\u002Fwww.phpmetrics.org) — Calculates and visualizes various code quality metrics.\n\n- [phpmnd](https:\u002F\u002Fgithub.com\u002Fpovils\u002Fphpmnd) — Helps to detect magic numbers.\n\n- [PHPQA](https:\u002F\u002Fedgedesigncz.github.io\u002Fphpqa) — A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).\n\n- [phpqa - jakzal](https:\u002F\u002Fgithub.com\u002Fjakzal\u002Fphpqa) — Many tools for PHP static analysis in one container.\n\n- [phpqa - jmolivas](https:\u002F\u002Fgithub.com\u002Fjmolivas\u002Fphpqa) — PHPQA all-in-one Analyzer CLI tool.\n\n- **phpsa** :warning: — Static analysis tool for PHP.\n\n- [PHPStan](https:\u002F\u002Fphpstan.org) — PHP Static Analysis Tool - discover bugs in your code without running it!\n\n- 
[Progpilot](https:\u002F\u002Fgithub.com\u002Fdesignsecurity\u002Fprogpilot) — A static analysis tool for security purposes.\n\n- [Psalm](https:\u002F\u002Fpsalm.dev) — Static analysis tool for finding type errors in PHP applications.\n\n- **Qafoo Quality Analyzer** :warning: — Visualizes metrics and source code.\n\n- [rector](https:\u002F\u002Fgetrector.org) — Instant Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns.  The main use cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.\n\n- [Reflection](https:\u002F\u002Fgithub.com\u002FphpDocumentor\u002FReflection) — Reflection library to do Static Analysis for PHP Projects.\n\n- [Symfony Insight](https:\u002F\u002Finsight.symfony.com\u002F) :copyright: — Detect security risks, find bugs and provide actionable metrics for PHP projects.\n\n- [Tuli](https:\u002F\u002Fgithub.com\u002Fircmaxell\u002FTuli) — A static analysis engine.\n\n- [twig-lint](https:\u002F\u002Fgithub.com\u002Fasm89\u002Ftwig-lint) — twig-lint is a lint tool for your twig files.\n\n- [WAP](https:\u002F\u002Fsecurityonline.info\u002Fowasp-wap-web-application-protection-project) — Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predict false positives by combining static analysis and data mining.\n\n\n\u003Ca name=\"plsql\" \u002F>\n\u003Ch2>PL\u002FSQL\u003C\u002Fh2>\n\n\n- [ZPA](https:\u002F\u002Fzpa.felipebz.com) — An open source parser and code analyzer for PL\u002FSQL and Oracle SQL code.\n\n\n\u003Ca name=\"perl\" \u002F>\n\u003Ch2>Perl\u003C\u002Fh2>\n\n\n- [Perl::Analyzer](https:\u002F\u002Ftechnix.github.io\u002FPerl-Analyzer\u002F) — Perl-Analyzer is a set of programs and modules that allow users to 
analyze and visualize Perl  codebases by providing information about namespaces and their relations, dependencies,  inheritance, and methods implemented, inherited, and redefined in packages,  as well as calls to methods from parent packages via SUPER. \n\n- [Perl::Critic](https:\u002F\u002Fmetacpan.org\u002Fpod\u002FPerl::Critic) — Critique Perl source code for best-practices.\n\n- [perltidy](https:\u002F\u002Fperltidy.sourceforge.net\u002F) — Perltidy is a Perl script which indents and reformats Perl scripts to make them easier to read. \nThe formatting can be controlled with command line parameters. The default parameter settings approximately follow the suggestions in the Perl Style Guide. \nBesides reformatting scripts, Perltidy can be a great help in tracking down errors with missing or extra braces, parentheses, and square brackets because it is very good at localizing errors.\n\n- [zarn](https:\u002F\u002Fgithub.com\u002Fhtrgouvea\u002Fzarn) — A lightweight static security analysis tool for modern Perl Apps\n\n\n\u003Ca name=\"python\" \u002F>\n\u003Ch2>Python\u003C\u002Fh2>\n\n\n- [autoflake](https:\u002F\u002Fgithub.com\u002FPyCQA\u002Fautoflake) — Autoflake removes unused imports and unused variables from Python code.\n\n- [autopep8](https:\u002F\u002Fpypi.org\u002Fproject\u002Fautopep8\u002F) — A tool that automatically formats Python code to conform to the PEP 8 style guide.\nIt uses the pycodestyle utility to determine what parts of the code needs to be formatted.\n\n- [bandit](https:\u002F\u002Fbandit.readthedocs.io\u002Fen\u002Flatest) — A tool to find common security issues in Python code.\n\n- [bellybutton](https:\u002F\u002Fgithub.com\u002Fhchasestevens\u002Fbellybutton) — A linting engine supporting custom project-specific rules.\n\n- [Black](https:\u002F\u002Fblack.readthedocs.io\u002Fen\u002Fstable) — The uncompromising Python code formatter.\n\n- [Bowler](https:\u002F\u002Fpybowler.io\u002F) — Safe code refactoring for modern Python.  
Bowler is a refactoring tool for manipulating Python at the syntax tree level.  It enables safe, large scale code modifications while guaranteeing that the  resulting code compiles and runs. It provides both a simple command line interface  and a fluent API in Python for generating complex code modifications in code.\n\n- **ciocheck** :warning: — Linter, formatter and test suite helper. As a linter, it is a wrapper around `pep8`, `pydocstyle`, `flake8`, and `pylint`.\n\n- [Code Pathfinder](https:\u002F\u002Fcodepathfinder.dev) — An open-source security suite aiming to combine structural code analysis with  AI-powered vulnerability detection. Built for advanced structural search, derive  insights, find vulnerabilities in code.\n\n- **cohesion** :warning: — A tool for measuring Python class cohesion.\n\n- [deal](https:\u002F\u002Fdeal.readthedocs.io\u002F) — Design by contract for Python. Write bug-free code.  By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.\n\n- [Dlint](https:\u002F\u002Fgithub.com\u002Fdlint-py\u002Fdlint) — A tool for ensuring Python code is secure.\n\n- [Dodgy](https:\u002F\u002Fgithub.com\u002Flandscapeio\u002Fdodgy) — Dodgy is a very basic tool to run against your codebase to search for \"dodgy\" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files.\n\n- **ENRE-py** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. 
ENRE-py is an ENtity Relationship Extractor for Python based on Python Language Services of The Standard Library.\n\n- [fixit](https:\u002F\u002Fpypi.org\u002Fproject\u002Ffixit) — A framework for creating lint rules and corresponding auto-fixes for source code.\n\n- [flake8](https:\u002F\u002Fgithub.com\u002FPyCQA\u002Fflake8) — A wrapper around `pyflakes`, `pycodestyle` and `mccabe`.\n\n- [flakeheaven](https:\u002F\u002Fpypi.org\u002Fproject\u002Fflakeheaven\u002F) — flakeheaven is a python linter built around flake8 to enable inheritable and complex toml configuration.\n\n- [Griffe](https:\u002F\u002Fmkdocstrings.github.io\u002Fgriffe\u002F) — Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API.\n\n- **InspectorTiger** :warning: — IT, Inspector Tiger, is a modern python code review tool \u002F framework. It comes with a bunch of pre-defined handlers which warn you about improvements and possible bugs. Besides these handlers, you can write your own or use community ones.\n\n- [jedi](https:\u002F\u002Fjedi.readthedocs.io\u002Fen\u002Flatest) — Autocompletion\u002Fstatic analysis library for Python.\n\n- [linty fresh](https:\u002F\u002Fgithub.com\u002Flyft\u002Flinty_fresh) — Parse lint errors and report them to GitHub as comments on a pull request.\n\n- [mbake](https:\u002F\u002Fpypi.org\u002Fproject\u002Fmbake\u002F) — mbake is a Makefile formatter and linter. 
It only took 50 years!\n\n- **mccabe** :warning: — Check McCabe complexity.\n\n- **multilint** :warning: — A wrapper around `flake8`, `isort` and `modernize`.\n\n- [mypy](http:\u002F\u002Fwww.mypy-lang.org) — A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with [MonkeyType](https:\u002F\u002Fgithub.com\u002FInstagram\u002FMonkeyType).\n\n- [pip-audit](https:\u002F\u002Fgithub.com\u002Fpypa\u002Fpip-audit) — Tool for scanning Python packages for known vulnerabilities. Developed by the Python Packaging Authority (PyPA) and supported by Trail of Bits and Google. Scans Python environments and requirements files to identify vulnerable packages and suggests remediation. Supports GitHub Actions, pre-commit hooks, and multiple vulnerability service integrations.\n\n- [prospector](https:\u002F\u002Fgithub.com\u002FPyCQA\u002Fprospector) — A wrapper around `pylint`, `pep8`, `mccabe` and others.\n\n- **py-find-injection** :warning: — Find SQL injection vulnerabilities in Python code.\n\n- [pyanalyze](https:\u002F\u002Fpyanalyze.readthedocs.io\u002Fen\u002Flatest\u002F) — A tool for programmatically detecting common mistakes in Python code, such as references to undefined variables and type errors. It can be extended to add additional rules and perform checks specific to particular functions.\n\n- [pycodestyle](https:\u002F\u002Fpycodestyle.pycqa.org\u002Fen\u002Flatest) — (Formerly `pep8`) Check Python code against some of the style conventions in PEP 8.\n\n- **pydocstyle** :warning: — Check compliance with Python docstring conventions.\n\n- [pyflakes](https:\u002F\u002Fpypi.org\u002Fproject\u002Fpyflakes) — Check Python source files for errors.\n\n- [pylint](http:\u002F\u002Fpylint.pycqa.org\u002Fen\u002Flatest) — Looks for programming errors, helps enforce a coding standard and sniffs for some code smells. 
It additionally includes `pyreverse` (a UML diagram generator) and `symilar` (a similarities checker).\n\n- [pylyzers](https:\u002F\u002Fmtshiba.github.io\u002Fpylyzer\u002F) — A static code analyzer \u002F language server for Python, written in Rust, focused on type checking and readable output.\n\n- [Pyra](https:\u002F\u002Fgithub.com\u002Fspangea\u002FPyra) — Pyra is a high-level linter and static analyzer for data science applications written in Python. It helps developers identify potential issues in their data science code and is an extension of [Lyra](https:\u002F\u002Fgithub.com\u002Fcaterinaurban\u002FLyra).\n\n- **pyre-check** :warning: — A fast, scalable type checker for large Python codebases. Pyre-check has been superseded by Pyrefly, its next iteration.\n\n- [pyrefly](https:\u002F\u002Fpyrefly.org\u002F) — A fast, incremental type checker and language server for Python, providing IDE features like code navigation, semantic highlighting, and code completion.\n\n- [pyright](https:\u002F\u002Fgithub.com\u002FMicrosoft\u002Fpyright) — Static type checker for Python, created to address gaps in existing tools like mypy.\n\n- [pyroma](https:\u002F\u002Fgithub.com\u002Fregebro\u002Fpyroma) — Rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved.\n\n- [Pysa](https:\u002F\u002Fpyre-check.org\u002Fdocs\u002Fpysa-basics.html) — A tool based on Facebook's pyre-check to identify potential security issues in Python code using taint analysis.\n\n- **PyT - Python Taint** :warning: — A static analysis tool for detecting security vulnerabilities in Python web applications.\n\n- [pytype](https:\u002F\u002Fgoogle.github.io\u002Fpytype) — A static type analyzer for Python code.\n\n- [pyupgrade](https:\u002F\u002Fpypi.org\u002Fproject\u002Fpyupgrade-docs\u002F) — A tool (and pre-commit hook) to automatically upgrade syntax for newer versions of the language.\n\n- 
**QuantifiedCode** :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses.\n\n- **radon** :warning: — A Python tool that computes various metrics from the source code.\n\n- [refurb](https:\u002F\u002Fgithub.com\u002Fdosisod\u002Frefurb) — A tool for refurbishing and modernizing Python codebases. Refurb is heavily inspired by clippy, the built-in linter for Rust.\n\n- [ruff](https:\u002F\u002Fastral.sh\u002Fruff) — Fast Python linter, written in Rust. 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.\n\n- [Safety](https:\u002F\u002Fsafetycli.com\u002F) — Python dependency vulnerability scanner designed to enhance software supply chain security by detecting packages with known vulnerabilities. Checks Python dependencies against a database of known security vulnerabilities and provides detailed reports. Supports CI\u002FCD integration and multiple output formats.\n\n- [ty](https:\u002F\u002Fdocs.astral.sh\u002Fty\u002F) — An extremely fast Python type checker written in Rust.\n\n- [unimport](https:\u002F\u002Funimport.hakancelik.dev) — A linter, formatter for finding and removing unused import statements.\n\n- [vulture](https:\u002F\u002Fgithub.com\u002Fjendrikseipp\u002Fvulture) — Find unused classes, functions and variables in Python code.\n\n- [wemake-python-styleguide](https:\u002F\u002Fwemake-python-styleguide.rtfd.io\u002F) — The strictest and most opinionated python linter ever.\n\n- [wily](https:\u002F\u002Fgithub.com\u002Ftonybaloney\u002Fwily) — A command-line tool for archiving, exploring and graphing the complexity of Python source code.\n\n- **xenon** :warning: — Monitor code complexity using [`radon`](https:\u002F\u002Fgithub.com\u002Frubik\u002Fradon).\n\n- **yapf** :warning: — A formatter for Python files created by Google.\nYAPF follows a distinctive methodology, originating from the 
'clang-format' tool created by Daniel Jasper. Essentially, the program reframes the code to the most suitable formatting that abides by the style guide, even if the original code already follows the style guide. This concept is similar to the Go programming language's 'gofmt' tool, which aims to put an end to debates about formatting by having the entire codebase of a project pass through YAPF whenever changes are made, thereby maintaining a consistent style throughout the project and eliminating the need to argue about style in every code review.\n\n\n\u003Ca name=\"r\" \u002F>\n\u003Ch2>R\u003C\u002Fh2>\n\n\n- [CodeDepends](https:\u002F\u002Fgithub.com\u002Fduncantl\u002FCodeDepends) — Static Code Analysis for R.\n\n- [cyclocomp](https:\u002F\u002Fgithub.com\u002FMangoTheCat\u002Fcyclocomp) — Quantifies the cyclomatic complexity of R functions \u002F expressions.\n\n- [flowR](https:\u002F\u002Fgithub.com\u002Fflowr-analysis\u002Fflowr) — A [program slicer](https:\u002F\u002Fgithub.com\u002Fflowr-analysis\u002Fflowr\u002Fwiki\u002FTerminology#program-slice) and [dataflow analyzer](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FData-flow_analysis) for the [R](https:\u002F\u002Fwww.r-project.org\u002F) programming language. Its slicer allows you to reduce a complicated program just to the parts related for a specific task (e.g., the ge","This project is a carefully curated list of static analysis tools covering all programming languages, configuration files, build tools and more, aimed at improving code quality. Its core features include providing information on a variety of static analysis tools (SAST), linters and formatters, with each entry accompanied by a detailed description, usage scenarios and community reviews. The project is especially suitable as a reference for developers choosing appropriate tools to improve code quality. Through its official website analysis-tools.dev, users can also access further resources such as video tutorials, tool rankings and user comments.",2,"2026-06-11 03:03:22","top_language"]