Python Static Analysis

Open-source Python projects categorized as Static Analysis

Top 23 Python Static Analysis Projects

  • Mobile-Security-Framework-MobSF

    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

    Project mention: Strengthen your Android or iOS Application Security using MobSF - Learn by example (2021) | dev.to | 2021-12-03

    # This will download MobSF into a folder
    # called Mobile-Security-Framework-MobSF
    git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

  • jedi

    Awesome autocompletion, static analysis and refactoring library for python

    Project mention: What are your bad python habits? | reddit.com/r/Python | 2021-11-27

    Or better, use a refactoring tool like rope, jedi, or whatever you have in your IDE to rename them.

  • SonarQube

    Static code analysis for 29 languages. Your projects are multi-language. So is SonarQube analysis. Find Bugs, Vulnerabilities, Security Hotspots, and Code Smells so you can release quality code every time. Get started analyzing your projects today for free.

  • Pylint

    It's not just a linter that annoys you!

    Project mention: 5% of 666 Python repos had comma typo bugs (inc V8, TensorFlow and PyTorch) | news.ycombinator.com | 2022-01-07

    The PR has been merged (for lists and tuples and sets only).

    https://github.com/PyCQA/pylint/pull/1655

  • checkov

    Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code languages with Checkov by Bridgecrew.

    Project mention: Learn About Infrastructure as Code in 5 Minutes and Why You Should Use It | dev.to | 2022-01-21

    Errors in IaC files can be a serious problem if they are not detected prior to deploying IaC definitions. Therefore, it is recommended to automatically and continuously scan IaC files, ensuring that verification occurs whenever an IaC definition is created or updated. You can do it using such tools as Checkov, TFLint, Accurics.

  • pytype

    A static type analyzer for Python code

    Project mention: mypy alternatives - pytype and pyright | libhunt.com/r/mypy | 2021-10-30

    Another library to check typing in Python code (by Google).

  • apkleaks

    Scanning APK files for URIs, endpoints & secrets.

    Project mention: Scan the apk file to check its different layers | reddit.com/r/NETSECSOFT | 2022-01-09

    git clone https://github.com/dwisiswant0/apkleaks

  • pyt

    A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

    Project mention: python-security/pyt - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications | reddit.com/r/GithubSecurityTools | 2021-03-16

  • Flake8

    flake8 is a python tool that glues together pycodestyle, pyflakes, mccabe, and third-party plugins to check the style and quality of some python code.

    Project mention: Modern Python setup for quality development | dev.to | 2022-01-07

    flake8: Flake8 is a wrapper around these tools: PyFlakes, pycodestyle, Ned Batchelder's McCabe script.

  • slither

    Static Analyzer for Solidity

    Project mention: DEV update: threat reporting and other UI improvements | reddit.com/r/lsr_finance | 2021-12-06

    Added reference to threat provider. Currently we support:
    a) Slither: it's a static code analysis framework that scans contract code and reports detected vulnerabilities.
    b) LSR: obviously we are the main threat author on our service; we analyze the state of social accounts, different suspicious patterns in contract code, social activity, metadata and so on.
    c) CoinMarketCap, CoinGecko, CoinAlpha, CoinHunt, Nomics: these are the platforms that may list a coin; if a coin is not listed anywhere (especially for a long time), it's a sure sign of a fraud or untrustworthy token.

  • anchore-engine

    A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification

    Project mention: How to Secure Your Kubernetes Clusters With Best Practices | dev.to | 2021-12-02

    Enable container image scanning in your CI/CD phase to catch known vulnerabilities using tools like clair or Anchore.

  • dagda

    a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities

    Project mention: 2 Widespread Attacks on Your Containerized Environment and 7 Rules to Prevent it. | dev.to | 2021-07-23

    Dagda uses a static analysis approach to find viruses, malware, and fake sub-images and trojans. It is based on Red Hat Security Advisories (RHSA) libraries of existing vulnerabilities databases.

  • CrossHair

    An analysis tool for Python that blurs the line between testing and type systems.

    Project mention: Klara: Python automatic test generations and static analysis library | reddit.com/r/Python | 2021-09-13

    The main difference that Klara brings to the table, compared to similar tools like pynguin and Crosshair, is that the analysis is entirely static, meaning that no user code will be executed, and you can easily extend the test generation strategy via plugin loading (e.g. the options arg to the Component object returned from the function above is not needed for test coverage).

  • PEP 8 Speaks

    A GitHub app to automatically review Python code style over Pull Requests

  • prometeo

    An experimental Python-to-C transpiler and domain specific language for embedded high-performance computing

    Project mention: Profiling and Analyzing Performance of Python Programs | dev.to | 2022-01-04

    If you don't mind switching to a slightly different syntax of Python, then you also might want to take a look at prometeo - an embedded domain specific language based on Python, specifically aimed at scientific computing. Prometeo programs transpile to pure C code and their performance can be comparable with hand-written C code.

  • semgrep-rules

    Semgrep rules registry

    Project mention: RCE 0-day exploit found in log4j, a popular Java logging package | reddit.com/r/netsec | 2021-12-09

    Semgrep Rules for searching source code

  • tryceratops

    A linter to prevent exception handling antipatterns in Python (limited only for those who like dinosaurs).

    Project mention: Is it bad to capture a bare Exception? | news.ycombinator.com | 2021-07-22

  • klara

    Automatic test case generation for python and static analysis library

    Project mention: Klara: Python automatic test generations and static analysis library | reddit.com/r/Python | 2021-09-13

    Klara is an automatic Python unit test generation tool based on an SMT (z3) solver. It's currently in an early stage and still has many limitations (looping, comprehension, importing is not supported, to name a few).

  • unimport

    A linter, formatter for finding and removing unused import statements.

  • AMDH

    Android Mobile Device Hardening

    Project mention: Open source app like Bouncer for temporary permissions? | reddit.com/r/fdroid | 2021-04-05

    If your device gets the Android 11 update it would have been easier. For now you can harden Android and thus avoid any access to your data from a 3rd party. Since you have an old version, it's better to root and install a stock ram that does that, or install apps like App Ops and Storage Isolation.

  • pycg

    Static Python call graph generator

    Project mention: Static Python call graph generation – PyCG | news.ycombinator.com | 2021-06-03

  • opem

    OPEM (Open Source PEM Fuel Cell Simulation Tool)

    Project mention: OPEM 1.3 Released : Open Source PEM Fuel Cell Simulation Tool | reddit.com/r/coolgithubprojects | 2021-06-30

  • nbsafety

    Fearless interactivity for Jupyter notebooks.

    Project mention: Does Netflix use Jupyter Notebooks in production? | reddit.com/r/datascience | 2021-05-18

    Check out https://github.com/nbsafety-project/nbsafety

  • aura

    Python source code auditing and static analysis on a large scale (by SourceCode-AI)

    Project mention: A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI | news.ycombinator.com | 2021-07-30

    I've done extensive research in this area and looked at existing tools, including bandit, to scan the whole PyPI repository and monitor what is being uploaded there. The conclusion was that most of the tools are not up for this task, so I made a new framework from scratch that is specially designed for this purpose, to scan the whole PyPI repository. It's called Aura: https://github.com/SourceCode-AI/aura

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2022-01-21.

Index

What are some of the best open-source Static Analysis projects in Python? This list will help you:

 #  Project                          Stars
 1  Mobile-Security-Framework-MobSF  10,377
 2  jedi                              5,046
 3  Pylint                            3,768
 4  checkov                           3,685
 5  pytype                            3,582
 6  apkleaks                          2,748
 7  pyt                               2,062
 8  Flake8                            1,738
 9  slither                           1,646
10  anchore-engine                    1,404
11  dagda                               930
12  CrossHair                           735
13  PEP 8 Speaks                        561
14  prometeo                            489
15  semgrep-rules                       295
16  tryceratops                         262
17  klara                               233
18  unimport                            118
19  AMDH                                114
20  pycg                                112
21  opem                                104
22  nbsafety                             97
23  aura                                 69