Open Source Windows Static Code Analysis Tools
Sort By:
Static Code Analysis Tools for Windows
View 22 business solutionsBrowse free open source Static Code Analysis tools and projects for Windows below. Use the toggles on the left to filter open source Static Code Analysis tools by OS, license, language, programming language, and project status.
-
Auth0 for AI Agents now in GAConnect your AI agents to apps and data more securely, give users control over the actions AI agents can perform and the data they can access, and enable human confirmation for critical agent actions.
-
Orchestrate Your AI Agents with ZenflowZenflow orchestrates AI agents like a real engineering system. With parallel execution, spec-driven workflows, and deep multi-repo understanding, agents plan, implement, test, and verify end-to-end. Upgrade to AI workflows that work the way your team does.
-
1
Rubberduck
Every programmer needs a rubberduck. COM add-in for the VBA & VB6 IDE
Rubberduck aims to bring the VBIDE into this century. Rubberduck understands Classic-VB code like no other add-in, giving it superior static code analysis capabilities that go far above and beyond what is possible with simple text-based analysis. Avoid common pitfalls (some not-so-common) with dozens (100+) of configurable inspections. Gain full control over module and member attributes, create a virtual folder hierarchy, and document modules and procedures, all with special comment annotations. Navigate a Classic-VB project like never before, quickly locating identifier references, interface implementations, and anything else that has a name. Add a full folder structure for organizing your modules. Write code that runs your code and verifies its output is as expected, given controlled inputs. Organize tests into categories, run them directly in the VBIDE, and view results in a dedicated explorer toolwindow. -
2
SonarQube
Continuous inspection
SonarQube empowers all developers to write cleaner and safer code. Thousands of automated Static Code Analysis rules, protecting your app on multiple fronts, and guiding your team. Catch tricky bugs to prevent undefined behavior from impacting end-users. Fix vulnerabilities that compromise your app, and learn AppSec along the way with Security Hotspots. Make sure your codebase is clean and maintainable, to increase developer velocity! We embrace progress - whether it's multi-language applications, teams composed of different backgrounds or a workflow that's a mix of modern and legacy, SonarQube has you covered. SonarQube fits with your existing tools and pro-actively raises a hand when the quality or security of your codebase is at risk. SonarQube can analyse branches of your repo, and notify you directly in your Pull Requests! -
3
Elixir Code Smells
Catalog of Elixir-specific code smells
Elixir-Code-Smells is a research-driven catalog of code smells specific to the Elixir programming language. Unlike generic code smell lists, this project identifies issues emerging from Elixirβs functional, concurrent, and process-based nature. Initially compiled via grey literature (blogs, talks, forums), the catalog now includes 23 Elixir-specific smells plus 12 traditional smells adapted to Elixir. Each entry documents the name, category, problem, example, refactoring strategy, and step-by-step treatments. The smells are grouped into two categories: design-related (coarse-grained, harder to detect, affecting architecture/processes) and low-level concerns (fine-grained, often readability and maintainability issues). The catalog evolves with community feedback and contributions, aiming to help developers recognize harmful patterns and apply disciplined refactoring to improve maintainability, testability, and performance in Elixir systems. -
4
AWS IoT Jobs library
Client library for using AWS IoT Jobs service on embedded devices
The AWS IoT Jobs library helps you notify connected IoT devices of a pending Job. A Job can be used to manage your fleet of devices, update firmware and security certificates on your devices, or perform administrative tasks such as restarting devices and performing diagnostics. It interacts with the AWS IoT Jobs service using MQTT, a lightweight publish-subscribe protocol. This library provides a convenience API to compose and recognize the MQTT topic strings used by the Jobs service. The library is written in C compliant with ISO C90 and MISRA C:2012, and is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone both static code analysis from Coverity. -
AestheticsPro Medical Spa SoftwareAestheticsPro is the most complete Aesthetics Software on the market today. HIPAA Cloud Compliant with electronic charting, integrated POS, targeted marketing and results driven reporting; AestheticsPro delivers the tools you need to manage your medical spa business. It is our mission To Provide an All-in-One Cutting Edge Software to the Aesthetics Industry.
-
5
SpotBugs
A tool for static analysis to look for bugs in Java code
SpotBugs is a program that uses static analysis to look for bugs in Java code. It is free software, distributed under the terms of the GNU Lesser General Public License. SpotBugs is a fork of FindBugs (which is now an abandoned project), carrying on from the point where it left off with the support of its community. Please check the official manual for details. SpotBugs requires JRE (or JDK) 1.8.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.9. To build the SpotBugs plugin for Eclipse, you'll need to create the file eclipsePlugin/local.properties, containing a property eclipseRoot.dir that points to an Eclipse installation's root directory (see .travis.yml for an example), then run the build. -
6
checkstyle
static code analysis tool for Java
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program. -
7
RIPS - PHP Security Analysis
Free Static Code Analysis Tool for PHP Applications
RIPS is a static code analysis tool for the automated detection of security vulnerabilities in PHP applications. It was released 2010 during the Month of PHP Security (www.php-security.org). NOTE: RIPS 0.5 development is abandoned. A complete rewrite with OOP support and higher precision is available at https://www.ripstech.com/next-generation/ -
8
HTMLHint
The static code analysis tool you need for your HTML
Static code analysis tool you need for your HTML. By default, htmlhint looks for a .htmlhintrc file in the current directory and all parent directories and applies its rules when parsing a file. -
9
revive Static Code
6x faster, stricter, configurable, and extensible
Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint. Revive provides a framework for the development of custom rules, and lets you define a strict preset for enhancing your development & code review processes. Fast & extensible static code analysis framework for Go. Allows us to enable or disable rules using a configuration file. Allows us to configure the linting rules with a TOML file. 2x faster running the same rules as golint. Provides functionality for disabling a specific rule or the entire linter for a file or a range of lines. golint allows this only for generated files. Optional type checking. Most rules in golint do not require type-checking. If you disable them in the config file, revive will run over 6x faster than golint. Provides multiple formats which let us customize the output. Allows us to customize the return code for the entire linter or based on the failure of only some rules. -
D&B Hoovers is Your Sales AcceleratorSpeed up sales prospecting with the rich audience targeting capabilities of D&B Hoovers so you can spend more sales time closing.
-
10
AWS IoT Device Defender Library
Client library for using AWS IoT Defender service on embedded devices
The Device Defender library enables you to send device metrics to the AWS IoT Device Defender Service. This library also supports custom metrics, a feature that helps you monitor operational health metrics that are unique to your fleet or use case. For example, you can define a new metric to monitor the memory usage or CPU usage on your devices. This library has no dependencies on any additional libraries other than the standard C library, and therefore, can be used with any MQTT client library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis. -
11
Bandit
Bandit is a tool designed to find common security issues in Python
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA. -
12
PHPStan
Dscover bugs in your code without running it!
PHPStan finds bugs in your code without writing tests. It's open-source and free. PHPStan scans your whole codebase and looks for both obvious & tricky bugs. Even in those rarely executed if statements that certainly aren't covered by tests. You can run it on your machine and in CI to prevent those bugs ever reaching your customers in production. Thanks to rule levels you don't get overwhelmed with thousands of errors on the first run. You can increase PHPStan's capabilities on your code at your own pace. It makes work feel like a game. It doesn't matter how old your code is, PHPStan is here to help you improve it. Thanks to the baseline, you can start writing better code today. PHPStan offers extensions for popular frameworks like Symfony, Laravel or Doctrine. Even code taking advantage of magic methods and properties is understood well. -
13
Tencent Cloud Code Analysis
Static code analysis
Tencent Cloud Code Analysis (TCA for short, used internally by the R&D code CodeDog ) is a cloud-native, distributed, high-performance comprehensive code analysis and tracking platform that integrates many analysis tools, including server, web and client The three components have integrated a number of self-developed tools, and also support the dynamic integration of analysis tools of various programming languages ββin the industry. Obtain the Tencent Cloud code analysis platform by deploying TCA Server and Web, and complete the creation of related projects on the platform. After the project is created, you can deploy and configure the Tencent Cloud code analysis client to perform code analysis locally or as an online resident node. Before starting your first code analysis project, you need to deploy the Tencent Cloud Code Analysis client locally. After completing the project configuration on the client, you can start your first code analysis project and view your analysis results. -
14
Zine
Fast, Scalable, Flexible Static Site Generator (SSG)
A Zine site is a collection of content files and layouts. Zine turns your content into HTML, styles it using your layouts, and finally copies the result (alongside other assets like images) into an output directory that you can then publish on static hosting services like GitHub Pages. Zine uses a structured approach to content authoring that helps keep sizeable content collections manageable. Similarly, the build process uses surgical dependency tracking to ensure minimal rebuilds, keeping the authoring experience excellent at all scales. SuperMD is an extension of Markdown that allows you to define embedded assets and semantic constructs that would be impossible to express in Markdown without using inline HTML. SuperHTML is an extension of HTML5 that focuses on expressing correct templating logic. With SuperHTML it's impossible to generate malformed HTML and most mistakes become build-time errors. -
15
gosec
Golang security checker
A project devoted to secure programming in the Go language. Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You can integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files. The workflow shows an example of running the gosec as a step in a GitHub action workflow that outputs the results.sarif file. The workflow then uploads the results.sarif file to GitHub using the upload-serif action. Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default, all rules will be run against the supplied input files. -
16
kube-score
Kubernetes object analysis with recommendations
Kubernetes object analysis with recommendations for improved reliability and security. kube-score is a tool that does static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient. kube-score is open-source and available under the MIT-license. Container limits (should be set) Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended. Deployments and StatefulSets should have a PodDisruptionPolicy. Deployments and StatefulSets should have host PodAntiAffinity configured. For container probes, a readiness should be configured, and should not be identical to the liveness probe. Read more in README_PROBES.md. Container securityContext, run as a high number user/group, do not run as root or with privileged root fs. Read more in README_SECURITYCONTEXT.md. Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet) -
17
ngrev
Tool for reverse engineering of Angular applications
Graphical tool for reverse engineering of Angular projects. It allows you to navigate in the structure of your application and observe the relationship between the different modules, providers, and directives. The tool performs static code analysis which means that you don't have to run your application in order to use it. ngrev is not maintained by the Angular team. It's a side project developed by the open-source community. The application is not signed, so you may have to explicitly allow your mac to run it in System Preferences. You can add your own theme by creating a [theme-name].theme.json file in Electron [userData]/themes. For a sample theme see Dark. Your application needs to be compatible with Angular Ivy compiler. ngrev is not tested with versions older than v11. To stay up to date check the update guide on angular.io. -
18
AWS IoT Fleet Provisioning Library
Client library for using AWS IoT Fleet Provisioning service
The Fleet Provisioning library enables you to provision IoT devices without device certificates using the Fleet Provisioning feature of AWS IoT Core. For an overview of provisioning options available, see Device provisioning. This library has no dependencies on any additional libraries other than the standard C library, and therefore, can be used with any MQTT library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis, and validation of memory safety through the CBMC automated reasoning tool. -
19
AWS IoT Over-the-air Update Library
Manage the notification of a newly available update
The OTA library enables you to manage the notification of a newly available update, download the update, and perform cryptographic verification of the firmware update. Using the library, you can logically separate firmware updates from the application running on your devices. The OTA library can share a network connection with the application, saving memory in resource-constrained devices. In addition, the OTA library lets you define application-specific logic for testing, committing, or rolling back a firmware update. The library supports different application protocols like Message Queuing Telemetry Transport (MQTT) and Hypertext Transfer Protocol (HTTP), and provides various configuration options you can fine-tune depending on network type and conditions. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8. -
20
AWS SigV4 Library
AWS library to sign AWS HTTP requests with Signature Version 4
The AWS SigV4 Library is a standalone library for generating authorization headers and signatures according to the specifications of the Signature Version 4 signing process. Authorization headers are required for authentication when sending HTTP requests to AWS. This library can optionally be used by applications sending direct HTTP requests to AWS services requiring SigV4 authentication. This library has no dependencies on any additional libraries other than the standard C library. This library is distributed under the MIT Open Source License. This library has gone through code quality checks including verification that no function has a GNU Complexity score over 8, and checks against deviations from mandatory rules in the MISRA coding standard. Deviations from the MISRA C:2012 guidelines are documented under MISRA Deviations. This library has also undergone static code analysis using Coverity static analysis, and validation of memory safety through the CBMC automated reasoning tool. -
21
Ameba
A static code analysis tool for Crystal
Code-style linter for Crystal. A single-celled animal that catches food and moves about by extending fingerlike projections of protoplasm. Ameba is a static code analysis tool for the Crystal language. It enforces a consistent Crystal code style, and also catches code smells and wrong code constructions. Ameba allows you to dig deeper into an issue, by showing you details about the issue and the reasoning behind it being reported. Starting from 0.31.0 Crystal supports parallelism. It allows running linting in parallel too. The default configuration file is .ameba.yml. It allows configuring rule properties, disabling specific rules and excludes sources from the rules. -
22
Anduin
A scripting language for industrial software
Anduin aims to replace perl, python, tcl, and others as the workhorse language in industrial programming projects. It places emphasis on enabling the interpreter to perform compile-time static code analysis as a means of closing the development loop faster and letting fewer bugs get to the user. -
23
AutoReplacerPlus
Automatic correction of software bugs and grammar mistakes
Automatic correction of software bugs announced in compilers (clang, gcc) / Static Code Analysis tools (cppcheck, FindBugs) and grammar/style errors like in LanguageTool. Usage: use tool (e.g. cppcheck) and store results in a text file. Afterwards call: autoreplacerplus mytextfile -
24
BemiDB
Postgres read replica optimized for analytics
BemiDB is a high-performance, key-value database designed for efficient data retrieval and storage, optimized for applications requiring fast read and write operations. -
25
Code Quality and Security for C#
Code analyzer for C# and VB.NET projects
Sonar offers a single cohesive solution with a consistent set of metrics and hundreds of static analysis rules to detect your coding issues early. Plus fast and high-precision analysis means high value, low noise, and reliable results always. A single solution for dozens of popular languages, development frameworks and IaC platforms. Our powerful language-specific analysis not only detects coding issues but also helps you understand what's wrong and how to fix it. Our publicly available ruleset includes thousands of rules covering various issue categories and language standards. Open the rule in SonarQube / SonarCloud, scroll down and (in case the rule has parameters), you can configure the parameters for each Quality Profile the rule is part of. Standalone NuGet packages can be configured the same way as SonarLint in connected mode.
