Open Source Mac Static Code Analysis Tools

Static Code Analysis Tools for Mac

Browse free open source Static Code Analysis tools and projects for Mac below.

  • 1
    SonarQube

    Continuous inspection

    SonarQube empowers all developers to write cleaner and safer code. Thousands of automated Static Code Analysis rules, protecting your app on multiple fronts, and guiding your team. Catch tricky bugs to prevent undefined behavior from impacting end-users. Fix vulnerabilities that compromise your app, and learn AppSec along the way with Security Hotspots. Make sure your codebase is clean and maintainable, to increase developer velocity! We embrace progress - whether it's multi-language applications, teams composed of different backgrounds or a workflow that's a mix of modern and legacy, SonarQube has you covered. SonarQube fits with your existing tools and pro-actively raises a hand when the quality or security of your codebase is at risk. SonarQube can analyse branches of your repo, and notify you directly in your Pull Requests!
    Downloads: 24 This Week
  • 2
    checkstyle

    static code analysis tool for Java

    Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
    Downloads: 52 This Week
  • 3
    Bandit

    Bandit is a tool designed to find common security issues in Python

    Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.
    Downloads: 8 This Week
  • 4
    Rubberduck

    Every programmer needs a rubberduck. COM add-in for the VBA & VB6 IDE

    Rubberduck aims to bring the VBIDE into this century. Rubberduck understands Classic-VB code like no other add-in, giving it superior static code analysis capabilities that go far above and beyond what is possible with simple text-based analysis. Avoid common pitfalls (some not-so-common) with dozens (100+) of configurable inspections. Gain full control over module and member attributes, create a virtual folder hierarchy, and document modules and procedures, all with special comment annotations. Navigate a Classic-VB project like never before, quickly locating identifier references, interface implementations, and anything else that has a name. Add a full folder structure for organizing your modules. Write code that runs your code and verifies its output is as expected, given controlled inputs. Organize tests into categories, run them directly in the VBIDE, and view results in a dedicated explorer toolwindow.
    Downloads: 8 This Week
  • 5
    Ruff

    An extremely fast Python linter, written in Rust

    An extremely fast Python linter, written in Rust. Ruff aims to be orders of magnitude faster than alternative tools while integrating more functionality behind a single, common interface. Ruff can be used to replace Flake8 (plus dozens of plugins), isort, pydocstyle, yesqa, eradicate, pyupgrade, and autoflake, all while executing tens or hundreds of times faster than any individual tool. Ruff is extremely actively developed and used in major open-source projects. Ruff can be configured through a pyproject.toml, ruff.toml, or .ruff.toml file (see: Configuration, or Settings for a complete list of all configuration options). Ruff supports over 500 lint rules, many of which are inspired by popular tools like Flake8, isort, pyupgrade, and others. Regardless of the rule's origin, Ruff re-implements every rule in Rust as a first-party feature.
    Downloads: 6 This Week
  • 6
    Error Prone

    Catch common Java mistakes as compile-time errors

    Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time. It’s common for even the best programmers to make simple mistakes. And sometimes a refactoring that seems safe can leave behind code that will never do what’s intended. We’re used to getting help from the compiler, but it doesn’t do much beyond static type checking. Using Error Prone to augment the compiler’s type analysis, you can catch more mistakes before they cost you time, or end up as bugs in production. We use Error Prone in Google’s Java build system to eliminate classes of serious bugs from entering our code, and we’ve open-sourced it, so you can too.
    Downloads: 4 This Week
  • 7
    PHP CS Fixer

    A tool to automatically fix PHP Coding Standards issues

    PHP-CS-Fixer is a tool that automatically fixes coding standards issues in PHP files. It helps developers maintain consistent coding style by applying rules defined by PHP-FIG (PSR standards) or custom configuration. It is widely used in CI/CD pipelines to enforce style conformity and reduce code review overhead.
    Downloads: 4 This Week
  • 8
    PHP Parser

    A PHP parser written in PHP

    This is a PHP 5.2 to PHP 8.0 parser written in PHP. Its purpose is to simplify static code analysis and manipulation. A parser is useful for static analysis, manipulation of code and basically any other application dealing with code programmatically. A parser constructs an Abstract Syntax Tree (AST) of the code and thus allows dealing with it in an abstract and robust way. As the parser is based on the tokens returned by token_get_all (which is only able to lex the PHP version it runs on), a wrapper for emulating tokens from newer versions is additionally provided. This allows parsing PHP 7.4 source code while running on PHP 7.0, for example. This emulation is somewhat hacky and not perfect, but it should work well on any sane code. It also supports pretty printing, which is the act of converting an AST into PHP code. Please note that "pretty printing" does not imply that the output is especially pretty.
    Downloads: 4 This Week
  • 9
    SpotBugs

    A tool for static analysis to look for bugs in Java code

    SpotBugs is a program that uses static analysis to look for bugs in Java code. It is free software, distributed under the terms of the GNU Lesser General Public License. SpotBugs is a fork of FindBugs (which is now an abandoned project), carrying on from the point where it left off with the support of its community. Please check the official manual for details. SpotBugs requires JRE (or JDK) 1.8.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.9. To build the SpotBugs plugin for Eclipse, you'll need to create the file eclipsePlugin/local.properties, containing a property eclipseRoot.dir that points to an Eclipse installation's root directory (see .travis.yml for an example), then run the build.
    Downloads: 4 This Week
  • 10
    RIPS - PHP Security Analysis

    Free Static Code Analysis Tool for PHP Applications

    RIPS is a static code analysis tool for the automated detection of security vulnerabilities in PHP applications. It was released in 2010 during the Month of PHP Security (www.php-security.org). NOTE: RIPS 0.5 development is abandoned. A complete rewrite with OOP support and higher precision is available at https://www.ripstech.com/next-generation/
    Downloads: 21 This Week
  • 11
    AWS IoT Device Defender Library

    Client library for using AWS IoT Defender service on embedded devices

    The Device Defender library enables you to send device metrics to the AWS IoT Device Defender Service. This library also supports custom metrics, a feature that helps you monitor operational health metrics that are unique to your fleet or use case. For example, you can define a new metric to monitor the memory usage or CPU usage on your devices. This library has no dependencies on any additional libraries other than the standard C library, and therefore, can be used with any MQTT client library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis.
    Downloads: 2 This Week
  • 12
    AWS IoT Jobs library

    Client library for using AWS IoT Jobs service on embedded devices

    The AWS IoT Jobs library helps you notify connected IoT devices of a pending Job. A Job can be used to manage your fleet of devices, update firmware and security certificates on your devices, or perform administrative tasks such as restarting devices and performing diagnostics. It interacts with the AWS IoT Jobs service using MQTT, a lightweight publish-subscribe protocol. This library provides a convenience API to compose and recognize the MQTT topic strings used by the Jobs service. The library is written in C compliant with ISO C90 and MISRA C:2012, and is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis from Coverity.
    Downloads: 2 This Week
  • 13
    BemiDB

    Postgres read replica optimized for analytics

    BemiDB is a high-performance, key-value database designed for efficient data retrieval and storage, optimized for applications requiring fast read and write operations.
    Downloads: 2 This Week
  • 14
    HTMLHint

    The static code analysis tool you need for your HTML

    Static code analysis tool you need for your HTML. By default, htmlhint looks for a .htmlhintrc file in the current directory and all parent directories and applies its rules when parsing a file.
    Downloads: 2 This Week
  • 15
    PHPStan Symfony Framework extensions

    Symfony extension for PHPStan

    Symfony extension for PHPStan. Sometimes, when you are dealing with optional dependencies, the ::has() methods can cause problems. For example, the following construct would complain that the condition is always either on or off, depending on whether you have the dependency for service installed. You can opt in for more advanced analysis of Symfony Console Commands by providing the console application from your own application. This will allow the correct argument and option types to be inferred when accessing $input->getArgument() or $input->getOption().
    Downloads: 2 This Week
  • 16
    RuboCop

    A Ruby static code analyzer and formatter, based on the community Ruby

    RuboCop is a Ruby static code analyzer (a.k.a. linter) and code formatter. Out of the box it will enforce many of the guidelines outlined in the community Ruby Style Guide. RuboCop packs a lot of features on top of what you’d normally expect from a linter. Works with every major Ruby implementation. Autocorrection of many of the code offenses it detects. Robust code formatting capabilities. Multiple result formatters for both interactive use and for feeding data into other tools. Ability to have different configurations for different parts of your codebase. Ability to disable certain cops only for specific files or parts of files. Extremely flexible configuration that allows you to adapt RuboCop to pretty much every style and preference. It’s easy to extend RuboCop with custom cops and formatters. Many online services use RuboCop internally (e.g. HoundCI, Sider and CodeClimate).
    Downloads: 2 This Week
  • 17
    Ameba

    A static code analysis tool for Crystal

    Code-style linter for Crystal. A single-celled animal that catches food and moves about by extending fingerlike projections of protoplasm. Ameba is a static code analysis tool for the Crystal language. It enforces a consistent Crystal code style, and also catches code smells and wrong code constructions. Ameba allows you to dig deeper into an issue, by showing you details about the issue and the reasoning behind it being reported. Starting from 0.31.0 Crystal supports parallelism. It allows running linting in parallel too. The default configuration file is .ameba.yml. It allows configuring rule properties, disabling specific rules and excluding sources from the rules.
    Downloads: 1 This Week
  • 18
    Code Quality and Security for C#

    Code analyzer for C# and VB.NET projects

    Sonar offers a single cohesive solution with a consistent set of metrics and hundreds of static analysis rules to detect your coding issues early. Plus fast and high-precision analysis means high value, low noise, and reliable results always. A single solution for dozens of popular languages, development frameworks and IaC platforms. Our powerful language-specific analysis not only detects coding issues but also helps you understand what's wrong and how to fix it. Our publicly available ruleset includes thousands of rules covering various issue categories and language standards. Open the rule in SonarQube / SonarCloud, scroll down and (in case the rule has parameters), you can configure the parameters for each Quality Profile the rule is part of. Standalone NuGet packages can be configured the same way as SonarLint in connected mode.
    Downloads: 1 This Week
  • 19
    Credo

    A static code analysis tool for the Elixir language

    Credo is a static code analysis and linting tool for the Elixir language, with an emphasis on promoting code consistency, teaching best practices, and helping developers identify refactoring opportunities, style inconsistencies, and potentially problematic code patterns. Elixir plugin for JetBrains IDEs (IntelliJ IDEA, Rubymine, PHPStorm, PyCharm, etc). Checks your code from style to security, duplication, complexity, and also integrates with coverage.
    Downloads: 1 This Week
  • 20
    HLint

    Haskell source code suggestions

    HLint is a linter for Haskell that suggests stylistic improvements and potential simplifications in Haskell code. It parses Haskell source files and provides hints to refactor code for better readability, maintainability, or performance. HLint is highly configurable and supports custom rules, integrations with CI tools, and editor plugins. It is widely used in the Haskell ecosystem for maintaining consistent code standards.
    Downloads: 1 This Week
  • 21
    React Boilerplate

    A highly scalable, offline-first foundation with the best DX

    React Boilerplate is a highly scalable, offline-first foundation for React.js applications. It offers the best developer experience with a focus on performance and best practices. React Boilerplate offers predictable state management so you can take control of your app’s state and keep state mutations manageable. It also features next generation JavaScript, so you can stop worrying about browser support or use features like arrow functions, JSX syntax and more. There’s also support for next generation CSS, and being offline first, it allows availability without network connection from the moment your users load the app. React Boilerplate also provides instant feedback, so you can have nothing but the best developer experience!
    Downloads: 1 This Week
  • 22
    RuboCop Performance

    An extension of RuboCop focused on code performance checks

    Performance optimization analysis for your projects, as an extension to RuboCop. You need to tell RuboCop to load the Performance extension. Now you can run rubocop and it will automatically load the RuboCop Performance cops together with the standard cops.
    Downloads: 1 This Week
  • 23
    Security Code Scan

    Vulnerability Patterns Detector for C# and VB.NET

    Detects various security vulnerability patterns. SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE), etc. Inter-procedural taint analysis for input data. Continuous Integration (CI) support for GitHub and GitLab pipelines. Stand-alone runner or through MSBuild for custom integrations. Analyzes .NET and .NET Core projects in the background (IntelliSense) or during a build. Works with Visual Studio 2019 or higher. Visual Studio Community, Professional and Enterprise editions are supported. Other editors that support Roslyn-based analyzers like Rider or OmniSharp should work too. Security Code Scan (SCS) is not a Linter. It is a real static analysis tool that does extensive computations. Thus installing it as a Visual Studio extension or NuGet package will slow down your Visual Studio IDE.
    Downloads: 1 This Week
  • 24
    Soufflé

    Datalog variant for tool designers crafting analyses in Horn clauses

    Rapid prototyping for your analysis problems with logic; enabling deep design-space explorations; designed for large-scale static analysis; e.g., points-to analysis for Java, taint-analysis, and security checks. Futamura projections/partial evaluation for effective translation to parallel C++; optimized staged compilation; specialized data-structures for logical relations. Efficient translation to parallel C++ of Datalog programs (CAV'16, CC'16). Efficient interpretation using de-specialization techniques (PLDI'21). Specialized data structure for relations (PACT'19, PPoPP'19, PMAM'19) with optimal index selection (VLDB'18). Extended semantics of Datalog, e.g., permitting unbounded recursions with numbers and terms. Simple component model for Datalog specifications. Recursively defined record types/ADTs (aka. constructors) for tuples. User-defined functors. Strongly-typed types for safety. Subsumption, aggregation, Choice Construct (APLAS'21).
    Downloads: 1 This Week
  • 25
    Tencent Cloud Code Analysis

    Static code analysis

    Tencent Cloud Code Analysis (TCA for short, known internally by the R&D code name CodeDog) is a cloud-native, distributed, high-performance comprehensive code analysis and tracking platform that integrates many analysis tools. It consists of three components (server, web and client), has integrated a number of self-developed tools, and also supports the dynamic integration of industry analysis tools for various programming languages. Obtain the Tencent Cloud code analysis platform by deploying TCA Server and Web, and complete the creation of related projects on the platform. After the project is created, you can deploy and configure the Tencent Cloud code analysis client to perform code analysis locally or as an online resident node. Before starting your first code analysis project, you need to deploy the Tencent Cloud Code Analysis client locally. After completing the project configuration on the client, you can start your first code analysis project and view your analysis results.
    Downloads: 1 This Week