Open Source Static Code Analysis Tools - Page 2
Sort By:
Static Code Analysis Tools
View 94 business solutions-
Fully Managed MySQL, PostgreSQL, and SQL ServerCloud SQL handles your database ops end to end, so you can focus on your app.
-
Application Monitoring That Won't Slow Your App DownFull APM with errors, performance, logs, and uptime monitoring. 99.999% uptime SLA on the platform itself.
-
1
Kibit
There's a function for that
kibit is a static analysis tool for Clojure/ClojureScript that detects code patterns that can be rewritten more idiomatically. Based on core.logic, it suggests replacements—like using when instead of if for single-branch logic. It integrates via the command line or Leiningen plugin, enhancing code quality and readability. -
2
PHPDoc-Parser for PHPStan
Next-gen phpDoc parser with support for intersection types
Next-generation phpDoc parser with support for intersection types and generics. This project adheres to a Contributor Code of Conduct. By participating in this project and its community, you are expected to uphold this code. Initially you need to run composer install or composer update in case you aren't working in a folder that was built before. Afterward, you can either run the whole build including linting and coding standards. -
3
codelyzer
Static analysis for Angular projects
A set of tslint rules for static code analysis of Angular TypeScript projects. (If you are using ESLint check out the new angular-eslint repository.). You can run the static code analyzer over web apps, NativeScript, Ionic, etc. Note that by default all components are aligned with the style guide so you won't see any errors in the console. Codelyzer supports any template and style language by custom hooks. If you're using Sass for instance, you can allow codelyzer to analyze your styles by creating a file .codelyzer.js in the root of your project (where the node_modules directory is). In the configuration file can implement custom pre-processing and template resolution logic. Lint rules encode logic for syntactic & semantic checks of TypeScript, HTML, CSS and Angular expressions source code. -
4
detekt Kotlin
Static code analysis for Kotlin
detekt helps you write cleaner Kotlin code so you can focus on what matters the most building amazing software. detekt comes with a set of plugins that helps you configure it easily in your Gradle, Maven, Bazel, ... build. Enjoy static analysis on Android, JVM, JS, Native, and Multiplatform projects out of the box. detekt can be easily extended with custom rules that help you track and fix anti-patterns in your codebase. detekt is entirely open-source and developed by the community. Join us on GitHub and help us shape the future of this tool. -
Gemini 3 and 200+ AI Models on One PlatformBuild generative AI apps with Vertex AI. Switch between models without switching platforms.
-
5
i18n-tasks
Manage translation and localization with static analysis, for Ruby i18
Manage translation and localization with static analysis, for Ruby i18n. i18n-tasks helps you find and manage missing and unused translations. This gem analyses code statically for key usages, such as I18n.t('some.key'), in order to report keys that are missing or unused. Pre-fill missing keys, optionally from Google Translate or DeepL Pro. Remove unused keys. Thus addressing the two main problems of i18n gem design, missing keys only blow up at runtime. i18n-tasks can be used with any project using the ruby i18n gem (default in Rails). i18n-tasks health checks if any keys are missing or not used, that interpolations variables are consistent across locales, and that all the locale files are normalized (auto-formatted). -
6
RIPS - PHP Security Analysis
Free Static Code Analysis Tool for PHP Applications
RIPS is a static code analysis tool for the automated detection of security vulnerabilities in PHP applications. It was released 2010 during the Month of PHP Security (www.php-security.org). NOTE: RIPS 0.5 development is abandoned. A complete rewrite with OOP support and higher precision is available at https://www.ripstech.com/next-generation/ -
7
Credo
A static code analysis tool for the Elixir language
Credo is a static code analysis and linting tool for the Elixir language, with an emphasis on promoting code consistency, teaching best practices, and helping developers identify refactoring opportunities, style inconsistencies, and potentially problematic code patterns. Elixir plugin for JetBrains IDEs (IntelliJ IDEA, Rubymine, PHPStorm, PyCharm, etc). Checks your code from style to security, duplication, complexity, and also integrates with coverage. -
8
Elixir Code Smells
Catalog of Elixir-specific code smells
Elixir-Code-Smells is a research-driven catalog of code smells specific to the Elixir programming language. Unlike generic code smell lists, this project identifies issues emerging from Elixir’s functional, concurrent, and process-based nature. Initially compiled via grey literature (blogs, talks, forums), the catalog now includes 23 Elixir-specific smells plus 12 traditional smells adapted to Elixir. Each entry documents the name, category, problem, example, refactoring strategy, and step-by-step treatments. The smells are grouped into two categories: design-related (coarse-grained, harder to detect, affecting architecture/processes) and low-level concerns (fine-grained, often readability and maintainability issues). The catalog evolves with community feedback and contributions, aiming to help developers recognize harmful patterns and apply disciplined refactoring to improve maintainability, testability, and performance in Elixir systems. -
9
Error Prone
Catch common Java mistakes as compile-time errors
Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time. It’s common for even the best programmers to make simple mistakes. And sometimes a refactoring that seems safe can leave behind code that will never do what’s intended. We’re used to getting help from the compiler, but it doesn’t do much beyond static type checking. Using Error Prone to augment the compiler’s type analysis, you can catch more mistakes before they cost you time, or end up as bugs in production. We use Error Prone in Google’s Java build system to eliminate classes of serious bugs from entering our code, and we’ve open-sourced it, so you can too. -
Train ML Models With SQL You Already KnowBuild and deploy ML models using familiar SQL. Automate data prep with built-in Gemini. Query 1 TB and store 10 GB free monthly.
-
10
RuboCop
A Ruby static code analyzer and formatter, based on the community Ruby
RuboCop is a Ruby static code analyzer (a.k.a. linter) and code formatter. Out of the box it will enforce many of the guidelines outlined in the community Ruby Style Guide. RuboCop packs a lot of features on top of what you’d normally expect from a linter. Works with every major Ruby implementation. Autocorrection of many of the code offenses it detects. Robust code formatting capabilities. Multiple result for matters for both interactive use and for feeding data into other tools. Ability to have different configurations for different parts of your codebase. Ability to disable certain cops only for specific files or parts of files. Extremely flexible configuration that allows you to adapt RuboCop to pretty much every style and preference. It’s easy to extend RuboCop with custom cops and formatters. Many online services use RuboCop internally (e.g. HoundCI, Sider and CodeClimate). -
11
ngrev
Tool for reverse engineering of Angular applications
Graphical tool for reverse engineering of Angular projects. It allows you to navigate in the structure of your application and observe the relationship between the different modules, providers, and directives. The tool performs static code analysis which means that you don't have to run your application in order to use it. ngrev is not maintained by the Angular team. It's a side project developed by the open-source community. The application is not signed, so you may have to explicitly allow your mac to run it in System Preferences. You can add your own theme by creating a [theme-name].theme.json file in Electron [userData]/themes. For a sample theme see Dark. Your application needs to be compatible with Angular Ivy compiler. ngrev is not tested with versions older than v11. To stay up to date check the update guide on angular.io. -
12
AWS IoT Device Defender Library
Client library for using AWS IoT Defender service on embedded devices
The Device Defender library enables you to send device metrics to the AWS IoT Device Defender Service. This library also supports custom metrics, a feature that helps you monitor operational health metrics that are unique to your fleet or use case. For example, you can define a new metric to monitor the memory usage or CPU usage on your devices. This library has no dependencies on any additional libraries other than the standard C library, and therefore, can be used with any MQTT client library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis. -
13
JSHint
A tool that helps to detect errors and in your JavaScript code
JSHint is a community-driven tool that detects errors and potential problems in JavaScript code. Since JSHint is so flexible, you can easily adjust it in the environment you expect your code to execute. JSHint is publicly available and will always stay this way. The project aims to help JavaScript developers write complex programs without worrying about typos and language gotchas. Any code base eventually becomes huge at some point, so simple mistakes, that would not show themselves when written, can become show stoppers and add extra hours of debugging. So, static code analysis tools come into play and help developers spot such problems. JSHint scans a program written in JavaScript and reports about commonly made mistakes and potential bugs. The potential problem could be a syntax error, a bug due to an implicit type conversion, a leaking variable, or something else entirely. -
14
PHP Parser
A PHP parser written in PHP
This is a PHP 5.2 to PHP 8.0 parser written in PHP. Its purpose is to simplify static code analysis and manipulation. A parser is useful for static analysis, manipulation of code and basically any other application dealing with code programmatically. A parser constructs an Abstract Syntax Tree (AST) of the code and thus allows dealing with it in an abstract and robust way. As the parser is based on the tokens returned by token_get_all (which is only able to lex the PHP version it runs on), additionally a wrapper for emulating tokens from newer versions is provided. This allows to parse PHP 7.4 source code running on PHP 7.0, for example. This emulation is somewhat hacky and not perfect, but it should work well on any sane code. Support for pretty printing, which is the act of converting an AST into PHP code. Please note that "pretty printing" does not imply that the output is especially pretty. -
15
lintr
Static Code Analysis for R
lintr is a static code analysis tool for R that identifies syntax errors, style inconsistencies, and other potential issues in R scripts and packages. It supports customizable lint rules and integrates with many editors to provide realtime feedback and enforce coding standards (e.g., tidyverse style). -
16
AWS IoT Fleet Provisioning Library
Client library for using AWS IoT Fleet Provisioning service
The Fleet Provisioning library enables you to provision IoT devices without device certificates using the Fleet Provisioning feature of AWS IoT Core. For an overview of provisioning options available, see Device provisioning. This library has no dependencies on any additional libraries other than the standard C library, and therefore, can be used with any MQTT library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis, and validation of memory safety through the CBMC automated reasoning tool. -
17
AWS IoT Over-the-air Update Library
Manage the notification of a newly available update
The OTA library enables you to manage the notification of a newly available update, download the update, and perform cryptographic verification of the firmware update. Using the library, you can logically separate firmware updates from the application running on your devices. The OTA library can share a network connection with the application, saving memory in resource-constrained devices. In addition, the OTA library lets you define application-specific logic for testing, committing, or rolling back a firmware update. The library supports different application protocols like Message Queuing Telemetry Transport (MQTT) and Hypertext Transfer Protocol (HTTP), and provides various configuration options you can fine-tune depending on network type and conditions. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8. -
18
AWS SigV4 Library
AWS library to sign AWS HTTP requests with Signature Version 4
The AWS SigV4 Library is a standalone library for generating authorization headers and signatures according to the specifications of the Signature Version 4 signing process. Authorization headers are required for authentication when sending HTTP requests to AWS. This library can optionally be used by applications sending direct HTTP requests to AWS services requiring SigV4 authentication. This library has no dependencies on any additional libraries other than the standard C library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis, and validation of memory safety through the CBMC automated reasoning tool. -
19
Anduin
A scripting language for industrial software
Anduin aims to replace perl, python, tcl, and others as the workhorse language in industrial programming projects. It places emphasis on enabling the interpreter to perform compile-time static code analysis as a means of closing the development loop faster and letting fewer bugs get to the user. -
20
AutoReplacerPlus
Automatic correction of software bugs and grammar mistakes
Automatic correction of software bugs announced in compilers (clang, gcc) / Static Code Analysis tools (cppcheck, FindBugs) and grammar/style errors like in LanguageTool. Usage: use tool (e.g. cppcheck) and store results in a text file. Afterwards call: autoreplacerplus mytextfile -
21
Code Quality and Security for C#
Code analyzer for C# and VB.NET projects
Sonar offers a single cohesive solution with a consistent set of metrics and hundreds of static analysis rules to detect your coding issues early. Plus fast and high-precision analysis means high value, low noise, and reliable results always. A single solution for dozens of popular languages, development frameworks and IaC platforms. Our powerful language-specific analysis not only detects coding issues but also helps you understand what's wrong and how to fix it. Our publicly available ruleset includes thousands of rules covering various issue categories and language standards. Open the rule in SonarQube / SonarCloud, scroll down and (in case the rule has parameters), you can configure the parameters for each Quality Profile the rule is part of. Standalone NuGet packages can be configured the same way as SonarLint in connected mode. -
22
DiffReport
Code Difference report
Often I have seen some Huge Maintenance Projects it is always very difficult to track the incremental files for each release and If we want to do that we need to checkout both the branches and use some UI based tool to get the diff of the files finally we end up waiting in front of the PC for a long time and do this job. In many cases we spend more than 2 hrs/day. The time increases if there are more such parallel releases and at the end of the day 1 developer does it as full time job and has zero productivity. I thought of adding value here. This just gets the diff files. Can be used for Static code analysis like PMD to do PMD only for the delta. The current status of the project is in Development". If you wish to add something please mail me. -
23
GoKart
A static analysis tool for securing Go code
GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe, which reduces the number of false positives compared to other Go security scanners. For instance, a SQL query that is concatenated with a variable might traditionally be flagged as SQL injection; however, GoKart can figure out if the variable is actually a constant or constant equivalent, in which case there is no vulnerability. GoKart also helps to power Chariot, Praetorian's security platform that helps you find, manage, and fix vulnerabilities in your source code and cloud environments. Chariot makes it simple to run automated, continuous GoKart scans on your source code. If you want to try GoKart, you can set up a free Chariot account in minutes. -
24
Java Architecture Testing Framework
A framework for automated architecture tests.
Project moved to https://github.com/Duke2k/jatf . The source repo here is out-of-date. This framework allows developers to quickly integrate code quality tests as dynamic unit tests, without the need of static code analysis tools. It uses annotations and rules to determine which classes of your project are tested for conventions, metrics, dependencies, or patterns. The framework is currently the first prototype, as a result of my master's thesis. The project is licensed under GPLv3 (see http://gplv3.fsf.org/). -
25
PEP 8 Speaks
A GitHub app to automatically review Python code style
A GitHub app to automatically review Python code style over Pull Requests. PEP 8 Speaks is a GitHub integration which detects Python code style issues on new Pull Requests. You can install it on your Python projects and configure with your own code style. Check out the project on GitHub. Maintainers of Python projects have a difficult time reviewing Pull Requests by new contributors who may not be aware of the code style. This project makes reviewing Pull Requests a little bit easier. Style issues get lost in the long CI build logs and the authors of the Pull Requests are not notified about them (unless flake8 is strict about failing the build). Thus, new issues are overlooked and introduced in the project. PEP 8 Speaks can read the setup.cfg file and adopt your already existing flake8/pycodestyle settings. PEP 8 Speaks is free of cost. By default, it can not work on private repositories.
