static-analysis

<a href="https://analysis-tools.dev/"> <img alt="Analysis Tools Website" src="https://raw.githubusercontent.com/analysis-tools-dev/assets/master/static/redesign.svg" /> </a>

This repository lists static analysis tools for all programming languages, build tools, config files and more. The focus is on tools which improve code quality such as linters and formatters. The official website, analysis-tools.dev is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.

Meaning of Symbols:

:copyright: stands for proprietary software. All other tools are Open Source.
:information_source: indicates that the community does not recommend to use this tool for new projects anymore. The icon links to the discussion issue.
:warning: means that this tool was not updated for more than 1 year, or the repo was archived.

Pull requests are very welcome!
Also check out the sister project, awesome-dynamic-analysis.

Programming Languages

ABAP
Ada
Assembly
Awk
C
C#
C++
Clojure
CoffeeScript
ColdFusion
Crystal
Dart
Delphi
Dlang
Elixir
Elm
Erlang
F#
Fortran
Go
Groovy
Haskell
Haxe
Java
JavaScript
Julia
Kotlin
Lua
MATLAB
Nim
Ocaml
PHP
PL/SQL
Perl
Python
R
Rego
Ruby
Rust
SQL
Scala
Shell
Swift
Tcl
TypeScript
Verilog/SystemVerilog
Vim Script

Multiple Languages

Other

<details> <summary>Show Other</summary>

.env
Ansible
Archive
Azure Resource Manager
Binaries
Build tools
CSS/SASS/SCSS
Config Files
Configuration Management
Containers
Continuous Integration
Deno
Embedded
Embedded Ruby (a.k.a. ERB, eRuby)
Gherkin
HTML
JSON
Kubernetes
LaTeX
Laravel
Makefiles
Markdown
Metalinter
Mobile
Nix
Node.js
Packages
Prometheus
Protocol Buffers
Puppet
Rails
Security/SAST
Smart Contracts
Support
Template-Languages
Terraform
Translation
Vue.js
Webassembly
Writing
YAML
git

</details>

Programming Languages

abaplint — Linter for ABAP, written in TypeScript.
abapOpenChecks — Enhances the SAP Code Inspector with new and customizable checks.

Codepeer :copyright: — Detects run-time and logic errors.
Polyspace for Ada :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
SPARK :copyright: — Static analysis and formal verification toolset for Ada.

<a name="asm" /> <h2>Assembly</h2>

STOKE :warning: — A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.

gawk --lint — Warns about constructs that are dubious or nonportable to other awk implementations.

Astrée :copyright: — Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
clang-tidy — Clang-based C++ linter tool with the (limited) ability to fix issues, too.
clazy — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
CMetrics — Measures size and complexity for C files.
CPAchecker — A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.
cppcheck — Static analysis of C/C++ code.
CppDepend :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
cpplint — Automated C++ checker that follows Google's style guide.
cqmetrics — Quality metrics for C code.
CScout — Complexity and quality metrics for C and C preprocessor code.
ESBMC — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
flawfinder :warning: — Finds possible security weaknesses.
flint++ :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
Frama-C — A sound and extensible static analyzer for C code.
GCC — The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13).
Goblint — A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
Helix QAC :copyright: — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
IKOS — A sound static analyzer for C/C++ code based on LLVM.
Joern — Open-source code analysis platform for C/C++ based on code property graphs
KLEE — A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.
LDRA :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
MATE :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.
PC-lint :copyright: — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.
Phasar — A LLVM-based static analysis framework which comes with a taint and type state analysis.
Polyspace Bug Finder :copyright: — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
Polyspace Code Prover :copyright: — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
scan-build — Frontend to drive the Clang Static Analyzer built into Clang via a regular build.
splint — Annotation-assisted static program checker.
SVF — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
TrustInSoft Analyzer :copyright: — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
vera++ — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

.NET Analyzers — An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
ArchUnitNET — A C# architecture test library to specify and assert architecture rules in C# for automated testing.
code-cracker — An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
CSharpEssentials :warning: — C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
Designite :copyright: — Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.
Gendarme — Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).
Infer# — InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks.
Meziantou.Analyzer — A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.
NDepend :copyright: — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
Puma Scan — Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual