Static Analysis

Top 23 Static Analysis Open-Source Projects

  • ShellCheck

    ShellCheck, a static analysis tool for shell scripts

  • Project mention: How I use Devbox in my Elm projects | dev.to | 2024-05-02

    These projects use Caddy as my local development server, Dart Sass for converting my Sass files to CSS, elm, elm-format, elm-optimize-level-2, elm-review, elm-test (only in Calculator), ShellCheck to find bugs in my shell scripts, and Terser to mangle and compress JavaScript code.

  • ImHex

    🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.

  • Project mention: Ask HN: What Underrated Open Source Project Deserves More Recognition? | news.ycombinator.com | 2024-03-07

    ImHex

    “A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.”

    I actually used it not too long ago to inspect why a mp4 file wasn't valid. The pattern language that they have is quite nice and having sections of the hex highlighted and being able to see what structures they represent and what data was on those structures was very useful!

    https://github.com/WerWolv/ImHex

  • ruff

    An extremely fast Python linter and code formatter, written in Rust.

  • Project mention: Ruff: The Extensible Python Linter | dev.to | 2024-05-07

    Ruff is an open-source Python linter created by Astral Sh that stands out for its impressive speed, adaptability, and wide-ranging features.

  • SwiftLint

    A tool to enforce Swift style and conventions.

  • Project mention: A problem when adding Swiftlint as a dependency on my own package? | /r/swift | 2023-10-27
  • PHP Parser

    A PHP parser written in PHP

  • Project mention: PHP-Parser: A PHP parser written in PHP | news.ycombinator.com | 2024-03-06
  • Mobile-Security-Framework-MobSF

    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

  • infer

    A static analyzer for Java, C, C++, and Objective-C

  • Project mention: An Introduction to Temporal Logic (With Applications to Concurrency Problems) | news.ycombinator.com | 2024-01-22

    I think most development occurs on problems that can't be formally modeled anyway. Most developers work on things like, "can you add this feature to the e-commerce site? And can the pop-up be blue?" which isn't really model-able.

    But that's not to say that formal methods are useless! We can still prove some interesting aspects of programs -- for example, that every lock that gets acquired later gets released. I think tools like Infer[0] could become common in the coming years.

    [0]: https://fbinfer.com/

  • bytecode-viewer

    A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

  • static-analysis

    โš™๏ธ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.

  • Project mention: Static Analysis Tools for C | news.ycombinator.com | 2023-10-26

    Readers should also peruse the 'Multiple languages' section; many of the big names (Coverity, Klocwork et al.) are listed there.

    see https://github.com/analysis-tools-dev/static-analysis#multip...

  • PHP CS Fixer

    A tool to automatically fix PHP Coding Standards issues

  • Project mention: 8 Essential Tools Every PHP Developer Needs | dev.to | 2024-02-27

    PHP-CS-Fixer automatically fixes PHP coding standard issues, maintaining a clean codebase and adhering to coding standards. It can be integrated into the development workflow to ensure all code complies with defined standards.

  • PHPStan

    PHP Static Analysis Tool - discover bugs in your code without running it!

  • Project mention: Rector keeps your PHP code base fresh and perfect | dev.to | 2024-03-15

    As part of the journey to PHP perfection, you should embrace Rector. It's an amazing, free, and open-source tool for migrations, code quality, type coverage, pushing PHPStan to the highest levels, and yes, it can even auto-fix your existing code! It seamlessly integrates into the CI process, making your development workflow smoother than ever.

  • cmake-examples

    Useful CMake Examples

  • owasp-mastg

    The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

  • Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03
  • awesome-malware-analysis

    Defund the Police.

  • PHP Code Sniffer

    PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.

  • Project mention: The Future of PHP_CodeSniffer | news.ycombinator.com | 2024-02-17
  • clair

    Vulnerability Static Analysis for Containers

  • Project mention: I looked through attacks in my access logs. Here's what I found | news.ycombinator.com | 2024-01-28

    Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there.

    https://github.com/quay/clair

    https://github.com/anchore/grype/

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

  • Project mention: Semgrep: Semantic Grep for Code | news.ycombinator.com | 2024-04-30
  • hadolint

    Dockerfile linter, validate inline bash, written in Haskell

  • Project mention: Cloud Security and Resilience: DevSecOps Tools and Practices | dev.to | 2024-05-01

    3. Hadolint: https://github.com/hadolint/hadolint Hadolint is a Dockerfile linter that helps you build best practice Docker images, reducing vulnerabilities in your container configurations.

  • SonarQube

    Continuous Inspection

  • Project mention: Cloud Security and Resilience: DevSecOps Tools and Practices | dev.to | 2024-05-01

    2. SonarQube: https://github.com/SonarSource/sonarqube SonarQube enhances code quality and security. It performs automatic reviews to detect bugs, vulnerabilities, and code smells in your code.

  • Checkstyle

    Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.

  • Scanners-Box

    A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners developed by security industry practitioners

  • grype

    A vulnerability scanner for container images and filesystems

  • Project mention: Introduction to the Kubernetes ecosystem | dev.to | 2024-04-25

    Trivy Operator : A simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities of OS packages (Alpine, Debian, CentOS, etc.) and application dependencies (pip, npm, yarn, composer, etc.) (Alternatives : Grype, Snyk, Clair, Anchore, Twistlock)

  • gosec

    Go security checker

  • Project mention: Secure Randomness in Go 1.22 | news.ycombinator.com | 2024-05-07

    For those unaware, gosec (and by extension golangci-lint) will warn about uses of `math/rand`

    https://github.com/securego/gosec/blob/d3b2359ae29fe344f4df5...

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Static Analysis related posts

  • We Have Code Quality At Home: Open Source Java Code Quality Tools

    4 projects | dev.to | 6 May 2024
  • Open source software maintenance is difficult: examples with Go math/rand/v2 and testify

    1 project | dev.to | 2 May 2024
  • Cloud Security and Resilience: DevSecOps Tools and Practices

    10 projects | dev.to | 1 May 2024
  • Handling EI_EXPOSE_REP & EI_EXPOSE_REP2 👨🏻‍💻

    1 project | dev.to | 30 Apr 2024
  • Semgrep: Semantic Grep for Code

    1 project | news.ycombinator.com | 30 Apr 2024
  • Show HN: MicroSCOPE – identify ransomware statically with heuristics

    1 project | news.ycombinator.com | 23 Apr 2024
  • Ask HN: Is there a GUI for bash shell?

    2 projects | news.ycombinator.com | 19 Apr 2024

Index

What are some of the best open-source Static Analysis projects? This list will help you:

Rank  Project                          Stars
1     ShellCheck                       35,056
2     ImHex                            33,019
3     ruff                             26,725
4     SwiftLint                        18,322
5     PHP Parser                       16,846
6     Mobile-Security-Framework-MobSF  16,355
7     infer                            14,716
8     bytecode-viewer                  14,351
9     static-analysis                  12,881
10    PHP CS Fixer                     12,575
11    PHPStan                          12,548
12    cmake-examples                   11,961
13    owasp-mastg                      11,290
14    awesome-malware-analysis         11,085
15    PHP Code Sniffer                 10,598
16    clair                            10,052
17    semgrep                           9,742
18    hadolint                          9,728
19    SonarQube                         8,594
20    Checkstyle                        8,138
21    Scanners-Box                      7,991
22    grype                             7,678
23    gosec                             7,468
