Open Source Linux Static Code Analysis Tools
Sort By:
Static Code Analysis Tools for Linux
View 17 business solutionsBrowse free open source Static Code Analysis tools and projects for Linux below. Use the toggles on the left to filter open source Static Code Analysis tools by OS, license, language, programming language, and project status.
-
Simplify IT and security with a single endpoint management platformNinjaOne automates the hardest parts of IT, delivering visibility, security, and control over all endpoints for more than 20,000 customers. The NinjaOne automated endpoint management platform is proven to increase productivity, reduce security risk, and lower costs for IT teams and managed service providers. The company seamlessly integrates with a wide range of IT and security technologies. NinjaOne is obsessed with customer success and provides free and unlimited onboarding, training, and support.
-
Our Free Plans just got better! | Auth0You asked, we delivered! Auth0 is excited to expand our Free and Paid plans to include more options so you can focus on building, deploying, and scaling applications without having to worry about your security. Auth0 now, thank yourself later.
-
1
SonarQube
Continuous inspection
SonarQube empowers all developers to write cleaner and safer code. Thousands of automated Static Code Analysis rules, protecting your app on multiple fronts, and guiding your team. Catch tricky bugs to prevent undefined behavior from impacting end-users. Fix vulnerabilities that compromise your app, and learn AppSec along the way with Security Hotspots. Make sure your codebase is clean and maintainable, to increase developer velocity! We embrace progress - whether it's multi-language applications, teams composed of different backgrounds or a workflow that's a mix of modern and legacy, SonarQube has you covered. SonarQube fits with your existing tools and pro-actively raises a hand when the quality or security of your codebase is at risk. SonarQube can analyse branches of your repo, and notify you directly in your Pull Requests! -
2
RuboCop
A Ruby static code analyzer and formatter, based on the community Ruby
RuboCop is a Ruby static code analyzer (a.k.a. linter) and code formatter. Out of the box it will enforce many of the guidelines outlined in the community Ruby Style Guide. RuboCop packs a lot of features on top of what you’d normally expect from a linter. Works with every major Ruby implementation. Autocorrection of many of the code offenses it detects. Robust code formatting capabilities. Multiple result for matters for both interactive use and for feeding data into other tools. Ability to have different configurations for different parts of your codebase. Ability to disable certain cops only for specific files or parts of files. Extremely flexible configuration that allows you to adapt RuboCop to pretty much every style and preference. It’s easy to extend RuboCop with custom cops and formatters. Many online services use RuboCop internally (e.g. HoundCI, Sider and CodeClimate). -
3
Code Quality and Security for C#
Code analyzer for C# and VB.NET projects
Sonar offers a single cohesive solution with a consistent set of metrics and hundreds of static analysis rules to detect your coding issues early. Plus fast and high-precision analysis means high value, low noise, and reliable results always. A single solution for dozens of popular languages, development frameworks and IaC platforms. Our powerful language-specific analysis not only detects coding issues but also helps you understand what's wrong and how to fix it. Our publicly available ruleset includes thousands of rules covering various issue categories and language standards. Open the rule in SonarQube / SonarCloud, scroll down and (in case the rule has parameters), you can configure the parameters for each Quality Profile the rule is part of. Standalone NuGet packages can be configured the same way as SonarLint in connected mode. -
4
gosec
Golang security checker
A project devoted to secure programming in the Go language. Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You can integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files. The workflow shows an example of running the gosec as a step in a GitHub action workflow that outputs the results.sarif file. The workflow then uploads the results.sarif file to GitHub using the upload-serif action. Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default, all rules will be run against the supplied input files. -
Build apps or websites quickly on a fully managed platformRun frontend and backend services, batch jobs, host LLMs, and queue processing workloads without the need to manage infrastructure.
-
5
tfsec
Security scanner for your Terraform code
tfsec is a static analysis security scanner for your Terraform code. Designed to run locally and in your CI pipelines, developer-friendly output and fully documented checks mean detection and remediation can take place as quickly and efficiently as possible. tfsec takes a developer-first approach to scanning your Terraform templates; using static analysis and deep integration with the official HCL parser it ensures that security issues can be detected before your infrastructure changes take effect. Checks for misconfigurations across all major (and some minor) cloud providers. Applies (and embellishes) user-defined Rego policies. Supports multiple output formats: CLI, JSON, SARIF, CSV, CheckStyle, and JUnit. Configurable (via CLI flags and/or config file). Very fast, capable of quickly scanning huge repositories. Plugins for popular IDEs available (JetBrains, VSCode and Vim). -
6
Bandit
Bandit is a tool designed to find common security issues in Python
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA. -
7
SpotBugs
A tool for static analysis to look for bugs in Java code
SpotBugs is a program that uses static analysis to look for bugs in Java code. It is free software, distributed under the terms of the GNU Lesser General Public License. SpotBugs is a fork of FindBugs (which is now an abandoned project), carrying on from the point where it left off with the support of its community. Please check the official manual for details. SpotBugs requires JRE (or JDK) 1.8.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.9. To build the SpotBugs plugin for Eclipse, you'll need to create the file eclipsePlugin/local.properties, containing a property eclipseRoot.dir that points to an Eclipse installation's root directory (see .travis.yml for an example), then run the build. -
8
Ruff
An extremely fast Python linter, written in Rust
An extremely fast Python linter, written in Rust. Ruff aims to be orders of magnitude faster than alternative tools while integrating more functionality behind a single, common interface. Ruff can be used to replace Flake8 (plus dozens of plugins), isort, pydocstyle, yesqa, eradicate, pyupgrade, and autoflake, all while executing tens or hundreds of times faster than any individual tool. Ruff is extremely actively developed and used in major open-source projects. Ruff can be configured through a pyproject.toml, ruff.toml, or .ruff.toml file (see: Configuration, or Settings for a complete list of all configuration options). Ruff supports over 500 lint rules, many of which are inspired by popular tools like Flake8, isort, pyupgrade, and others. Regardless of the rule's origin, Ruff re-implements every rule in Rust as a first-party feature. -
9
HTMLHint
The static code analysis tool you need for your HTML
Static code analysis tool you need for your HTML. By default, htmlhint looks for a .htmlhintrc file in the current directory and all parent directories and applies its rules when parsing a file. -
Build Securely on Azure with Proven FrameworksMoving to the cloud brings new challenges. How can you manage a larger attack surface while ensuring great network performance? Turn to Fortinet’s Tested Reference Architectures, blueprints for designing and securing cloud environments built by cybersecurity experts. Learn more and explore use cases in this white paper.
-
10
RIPS - PHP Security Analysis
Free Static Code Analysis Tool for PHP Applications
RIPS is a static code analysis tool for the automated detection of security vulnerabilities in PHP applications. It was released 2010 during the Month of PHP Security (www.php-security.org). NOTE: RIPS 0.5 development is abandoned. A complete rewrite with OOP support and higher precision is available at https://www.ripstech.com/next-generation/ -
11
checkstyle
static code analysis tool for Java
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program. -
12
PHP Parser
A PHP parser written in PHP
This is a PHP 5.2 to PHP 8.0 parser written in PHP. Its purpose is to simplify static code analysis and manipulation. A parser is useful for static analysis, manipulation of code and basically any other application dealing with code programmatically. A parser constructs an Abstract Syntax Tree (AST) of the code and thus allows dealing with it in an abstract and robust way. As the parser is based on the tokens returned by token_get_all (which is only able to lex the PHP version it runs on), additionally a wrapper for emulating tokens from newer versions is provided. This allows to parse PHP 7.4 source code running on PHP 7.0, for example. This emulation is somewhat hacky and not perfect, but it should work well on any sane code. Support for pretty printing, which is the act of converting an AST into PHP code. Please note that "pretty printing" does not imply that the output is especially pretty. -
13
PHPStan
Dscover bugs in your code without running it!
PHPStan finds bugs in your code without writing tests. It's open-source and free. PHPStan scans your whole codebase and looks for both obvious & tricky bugs. Even in those rarely executed if statements that certainly aren't covered by tests. You can run it on your machine and in CI to prevent those bugs ever reaching your customers in production. Thanks to rule levels you don't get overwhelmed with thousands of errors on the first run. You can increase PHPStan's capabilities on your code at your own pace. It makes work feel like a game. It doesn't matter how old your code is, PHPStan is here to help you improve it. Thanks to the baseline, you can start writing better code today. PHPStan offers extensions for popular frameworks like Symfony, Laravel or Doctrine. Even code taking advantage of magic methods and properties is understood well. -
14
Rubberduck
Every programmer needs a rubberduck. COM add-in for the VBA & VB6 IDE
Rubberduck aims to bring the VBIDE into this century. Rubberduck understands Classic-VB code like no other add-in, giving it superior static code analysis capabilities that go far above and beyond what is possible with simple text-based analysis. Avoid common pitfalls (some not-so-common) with dozens (100+) of configurable inspections. Gain full control over module and member attributes, create a virtual folder hierarchy, and document modules and procedures, all with special comment annotations. Navigate a Classic-VB project like never before, quickly locating identifier references, interface implementations, and anything else that has a name. Add a full folder structure for organizing your modules. Write code that runs your code and verifies its output is as expected, given controlled inputs. Organize tests into categories, run them directly in the VBIDE, and view results in a dedicated explorer toolwindow. -
15
Code Quality and Security for Java
SonarSource Static Analyzer for Java Code Quality and Security
Hundreds of unique rules to find Java bugs, code smells & vulnerabilities. Sonar static analysis helps you build and maintain high-quality Java code. Covering popular build systems, standards and versions, Sonar elevates your coding game while keeping vulnerabilities at bay. With each Java version, we create dedicated rules so you learn shiny, new features and avoid pitfalls. Consistently find tricky, hard-to-spot issues in your regular expressions. Allow you to effortlessly repair your Java coding issues with just a click. Dozens of rules to ensure your tests are always as clean as your code! Dedicated rules to detect vulnerabilities including ones stemming from OWASP & CWE Top 25 guidelines. It all comes from a powerful analysis engine that we constantly refine. Sonar employs advanced rules along with smart, exclusive analysis techniques to find the trickiest, most elusive issues. -
16
PHPMD
PHPMD is a spin-off project of PHP Depend
PHPMD is a code analysis tool that helps developers identify potential issues in their PHP code by detecting messy, suboptimal, or overly complex code structures. It acts as a companion to PHP_CodeSniffer, focusing on design and logic problems rather than just formatting. PHPMD supports a wide range of rulesets and can be customized to enforce specific coding standards, making it useful for maintaining clean, efficient, and maintainable codebases. -
17
Pylint
It's not just a linter that annoys you!
Pylint is a static code analyzer for Python 2 or 3. The latest version supports Python 3.7.2 and above. Pylint analyses your code without actually running it. It checks for errors, enforces a coding standard, looks for code smells, and can make suggestions about how the code could be refactored. Projects that you might want to use alongside pylint include flake8 (faster and simpler checks with very few false positives), mypy, pyright or pyre (typing checks), bandit (security-oriented checks), black and isort (auto-formatting), autoflake (automated removal of unused import or variable), pyupgrade (automated upgrade to newer python syntax) and pydocstringformatter (automated pep257). Pylint isn't smarter than you: it may warn you about things that you have conscientiously done or checks for some things that you don't care about. During adoption, especially in a legacy project where pylint was never enforced. -
18
RuboCop Rails
A RuboCop extension focused on enforcing Rails best practices
A RuboCop extension focused on enforcing Rails best practices and coding conventions. It’s based on the community-driven Rails style guide. You need to tell RuboCop to load the Rails extension. Now you can run rubocop and it will automatically load the RuboCop Rails cops together with the standard cops. If you are using Rails 6.1 or newer, add the following config.generators.after_generate setting to your config/application.rb to apply RuboCop autocorrection to code generated by bin/rails g. It uses rubocop -A to apply Style/FrozenStringLiteralComment and other unsafe autocorretion cops. rubocop -A is unsafe autocorrection, but code generated by default is simple and less likely to be incompatible with rubocop -A. If you have problems you can replace it with rubocop -a instead. -
19
codelyzer
Static analysis for Angular projects
A set of tslint rules for static code analysis of Angular TypeScript projects. (If you are using ESLint check out the new angular-eslint repository.). You can run the static code analyzer over web apps, NativeScript, Ionic, etc. Note that by default all components are aligned with the style guide so you won't see any errors in the console. Codelyzer supports any template and style language by custom hooks. If you're using Sass for instance, you can allow codelyzer to analyze your styles by creating a file .codelyzer.js in the root of your project (where the node_modules directory is). In the configuration file can implement custom pre-processing and template resolution logic. Lint rules encode logic for syntactic & semantic checks of TypeScript, HTML, CSS and Angular expressions source code. -
20
revive Static Code
6x faster, stricter, configurable, and extensible
Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint. Revive provides a framework for the development of custom rules, and lets you define a strict preset for enhancing your development & code review processes. Fast & extensible static code analysis framework for Go. Allows us to enable or disable rules using a configuration file. Allows us to configure the linting rules with a TOML file. 2x faster running the same rules as golint. Provides functionality for disabling a specific rule or the entire linter for a file or a range of lines. golint allows this only for generated files. Optional type checking. Most rules in golint do not require type-checking. If you disable them in the config file, revive will run over 6x faster than golint. Provides multiple formats which let us customize the output. Allows us to customize the return code for the entire linter or based on the failure of only some rules. -
21
PhpDependencyAnalysis
Static code analysis to find violations in a dependency graph
PhpDependencyAnalysis is an extendable static code analysis for object-oriented PHP-Projects to generate dependency graphs from abstract datatypes (Classes, Interfaces and Traits) based on namespaces. Dependencies can be aggregated to build graphs for several levels, like Package-Level or Layer-Level. Each dependency can be verified to a defined architecture. -
22
AWS IoT Device Defender Library
Client library for using AWS IoT Defender service on embedded devices
The Device Defender library enables you to send device metrics to the AWS IoT Device Defender Service. This library also supports custom metrics, a feature that helps you monitor operational health metrics that are unique to your fleet or use case. For example, you can define a new metric to monitor the memory usage or CPU usage on your devices. This library has no dependencies on any additional libraries other than the standard C library, and therefore, can be used with any MQTT client library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis. -
23
AWS IoT Fleet Provisioning Library
Client library for using AWS IoT Fleet Provisioning service
The Fleet Provisioning library enables you to provision IoT devices without device certificates using the Fleet Provisioning feature of AWS IoT Core. For an overview of provisioning options available, see Device provisioning. This library has no dependencies on any additional libraries other than the standard C library, and therefore, can be used with any MQTT library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis, and validation of memory safety through the CBMC automated reasoning tool. -
24
AWS IoT Jobs library
Client library for using AWS IoT Jobs service on embedded devices
The AWS IoT Jobs library helps you notify connected IoT devices of a pending Job. A Job can be used to manage your fleet of devices, update firmware and security certificates on your devices, or perform administrative tasks such as restarting devices and performing diagnostics. It interacts with the AWS IoT Jobs service using MQTT, a lightweight publish-subscribe protocol. This library provides a convenience API to compose and recognize the MQTT topic strings used by the Jobs service. The library is written in C compliant with ISO C90 and MISRA C:2012, and is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone both static code analysis from Coverity. -
25
AWS IoT Over-the-air Update Library
Manage the notification of a newly available update
The OTA library enables you to manage the notification of a newly available update, download the update, and perform cryptographic verification of the firmware update. Using the library, you can logically separate firmware updates from the application running on your devices. The OTA library can share a network connection with the application, saving memory in resource-constrained devices. In addition, the OTA library lets you define application-specific logic for testing, committing, or rolling back a firmware update. The library supports different application protocols like Message Queuing Telemetry Transport (MQTT) and Hypertext Transfer Protocol (HTTP), and provides various configuration options you can fine-tune depending on network type and conditions. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8.
