static-code-analysis

Open-source projects categorized as static-code-analysis

Top 23 static-code-analysis Open-Source Projects

  • Standard

    🌟 JavaScript Style Guide, with linter & automatic code fixer

    Project mention: Why is Prettier rock solid? | news.ycombinator.com | 2024-02-19

    I picked up standard[1] a while back for this reason, I don't want to have to think about it. It works fine, I have no complaints (took me a while to get used to not using semi-colons but now I prefer it) Same reason I use `cargo fmt` as well.

    [1] https://standardjs.com/

  • ruff

    An extremely fast Python linter and code formatter, written in Rust.

    Project mention: Enhance Your Project Quality with These Top Python Libraries | dev.to | 2024-03-18

    Ruff is a Python linter that helps to identify and remove code smells. Over 700 built-in rules: Ruff includes native re-implementations of popular Flake8 plugins, like flake8-bugbear. And also built-in caching to avoid re-analyzing unchanged files.

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  • ESLint

    Find and fix problems in your JavaScript code.

    Project mention: 6 Tools To Help Keep Your Dependencies And Code More Secure | dev.to | 2024-03-18

    ESLint

  • infer

    A static analyzer for Java, C, C++, and Objective-C

    Project mention: An Introduction to Temporal Logic (With Applications to Concurrency Problems) | news.ycombinator.com | 2024-01-22

    I think most development occurs on problems that can't be formally modeled anyway. Most developers work on things like, "can you add this feature to the e-commerce site? And can the pop-up be blue?" which isn't really model-able.

    But that's not to say that formal methods are useless! We can still prove some interesting aspects of programs -- for example, that every lock that gets acquired later gets released. I think tools like Infer[0] could become common in the coming years.

    [0]: https://fbinfer.com/

  • static-analysis

    ⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.

    Project mention: Static Analysis Tools for C | news.ycombinator.com | 2023-10-26

    Readers should also peruse the 'Multiple languages' section, many of the big names, Coverity, Klocwork et al. are listed there.

    see https://github.com/analysis-tools-dev/static-analysis#multip...

  • PHPStan

    PHP Static Analysis Tool - discover bugs in your code without running it!

    Project mention: Rector keeps your PHP code base fresh and perfect | dev.to | 2024-03-15

    As part of the journey to PHP perfection, you should embrace Rector. It's a amazing, free, and open-source tool for migrations, code quality, type coverage, pushing PHPStan to the highest levels, and yes, it can even auto-fix your existing code! It seamlessly integrates into the CI process, making your development workflow smoother than ever.

  • rubocop

    A Ruby static code analyzer and formatter, based on the community Ruby style guide.

    Project mention: Must-have gems for mature Rails | dev.to | 2024-02-02

    gem "rubocop" - https://github.com/rubocop/rubocop | Set up code guidelines for your dev team, I recommend using whatever Standard recommends.

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    Project mention: Creating a DevSecOps pipeline with Jenkins — Part 1 | dev.to | 2024-03-17

    For the SAST stage, I used SonarQube tool. SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on more than 30 programming languages. I preferred SonarQube instead of other SAST tools because it has a detailed documentation and plugins about integration with Jenkins and SonarQube works with Java projects pretty well. Of course you can similar multi-language-supported tools such as Semgrep or language-specific tools such as Bandit.

  • biome

    A toolchain for web projects, aimed to provide functionalities to maintain them. Biome offers formatter and linter, usable via CLI and LSP.

    Project mention: Biomejs.dev (previously Rome-tools by Meta) | news.ycombinator.com | 2024-03-07
  • Checkstyle

    Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.

  • gosec

    Go security checker

    Project mention: Top 10 Snyk Alternatives for Code Security | dev.to | 2023-08-31

    6. Gosec

  • reviewdog

    🐶 Automated code review tool integrated with any code analysis tools regardless of programming language

    Project mention: Code reviews and Suggestions from SARIF report | dev.to | 2023-05-16

    I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.

  • datree

    Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

    Project mention: Show HN: Datree (YC W20) – End-to-End Policy Management for Kubernetes | news.ycombinator.com | 2023-04-04

    Hi HN, I’m Shimon, the co-founder of Datree: A policy management solution for Kubernetes. We help DevOps engineers prevent misconfigurations in their Kubernetes by enforcing an organizational policy on their clusters. Engineers can define a custom policy or use one of Datree’s built-in policies, such as NIST/NSA Hardening Guide, EKS Security Best Practices, CIS Benchmark, and more.

    Our website is at https://datree.io and our GitHub is here: https://github.com/datreeio/datree

    This is not the first time I have shown Datree to the HN community: A little over a year ago, I posted here an earlier version of Datree (https://news.ycombinator.com/item?id=28918850). At that time, Datree consisted of a CLI tool to detect Kubernetes misconfigurations during the development process (locally or in the CI/CD), unlike the version I present today in which the enforcement happens in production.

    We built the CLI tool because we detected a big problem among Kubernetes operators: Misconfigurations. Kubernetes is extremely complex and flexible, which makes it very easy to poorly configure it in ways that are not secure. And indeed, we talked to dozens of Kubernetes operators who suffered from various problems, starting with failed audits, all the way to downtime in production, all because of misconfigurations.

    Our solution was simple: Give the developers the means to shift-left security testing during the development process with a CLI tool that can be integrated into the CI/CD. We thought this was the best way to approach the problem: It is easiest to fix misconfigurations in the development process before they are deployed to production, it prevents context-switching and relieves resources from the DevOps team.

    While the CLI tool was very popular among the open-source community (it got over 6000 stars on GitHub), we soon realized that CI/CD enforcement is not enough. As we talked with Datree’s users, we realized we had made a fundamental mistake: We thought of misconfiguration prevention in technical terms rather than organizational terms.

    Indeed, from a technical point of view, it makes sense to shift-left Kubernetes security. But when considering the organizational structure in which it takes place, it simply isn’t enough. DevOps engineers told us that they love the shift-left concept, but they simply cannot rely on the goodwill of the engineers to run a CLI tool locally or to monitor all the pipelines leading to production. They need governance, something to help them stay in control of the state of their clusters.

    Moreover, we realized that many companies who use Kubernetes are heavily regulated, and cannot take any chances with their security. Sure, these companies want the engineers to fix misconfigurations during development, but they also want something to make sure that no matter what, their clusters remain misconfiguration-free.

    Based on this understanding, we developed a new version of Datree that sits on the cluster itself (rather than in the CI/CD) and protects the production environment by blocking misconfigured resources with an admission webhook. It has a centralized policy management solution to enable governance, and native monitoring to get real-time insights into the state of your Kubernetes.

    I look forward to hearing your feedback and answering any questions you may have.

  • bandit

    Bandit is a tool designed to find common security issues in Python code.

    Project mention: Enhance Your Project Quality with These Top Python Libraries | dev.to | 2024-03-18

    Bandit is a tool designed to find common security issues in Python code. It was developed by the OpenStack Security Project and is a great addition to any serious Python project.

  • phan

    Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

    Project mention: 7.4 to 8.x upgrade help | /r/PHP | 2023-04-29

    Besides what others have already advised, you can also get Phan to scan your project. Set the target to 8.1 and let it run its analysis. Check GitHub repo and docs there for more verbose instructions: https://github.com/phan/phan/

  • Pylint

    It's not just a linter that annoys you!

    Project mention: W1203: logging-fstring-interpolation (Solved) | dev.to | 2024-01-21

    A little introduction about pylint. Pylint is a static code analyzer, it analyses your code without actually running it. Pylint looks for potential errors, gives suggestions on coding standards that your code is not adhering to, potential places where refactoring might help, and also warnings about smelly code.

  • PMD

    An extensible multilanguage static code analyzer.

    Project mention: PMD 7 Is Here | news.ycombinator.com | 2024-03-22
  • revive

    🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint

    Project mention: revive v1.3.4 is now available | /r/golang | 2023-09-18

    The v1.3.4 of revive, the fast, configurable, extensible, flexible, and beautiful linter for Go, is available.

  • pytype

    A static type analyzer for Python code

    Project mention: Enhance Your Project Quality with These Top Python Libraries | dev.to | 2024-03-18

    Pytype checks and infers types for your Python code - without requiring type annotations. Pytype can catch type errors in your Python code before you even run it.

  • NullAway

    A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead

  • Spotbugs

    SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

  • Flake8

    flake8 is a python tool that glues together pycodestyle, pyflakes, mccabe, and third-party plugins to check the style and quality of some python code.

    Project mention: Enhance Your Project Quality with These Top Python Libraries | dev.to | 2024-03-18

    Flake8. This library is a wrapper around pycodestyle (PEP8), pyflakes, and Ned Batchelder’s McCabe script. It is a great toolkit for checking your code base against coding style (PEP8), programming errors (like SyntaxError, NameError, etc) and to check cyclomatic complexity.

  • eslint-config-standard

    ESLint Config for JavaScript Standard Style

    Project mention: PURISTA - Thanks to amazing open-source software | dev.to | 2023-09-11

    eslint-config-standard

  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020). The latest post mention was on 2024-03-22.

static-code-analysis related posts

Index

What are some of the best open-source static-code-analysis projects? This list will help you:

Project Stars
1 Standard 28,828
2 ruff 25,475
3 ESLint 24,049
4 infer 14,657
5 static-analysis 12,731
6 PHPStan 12,484
7 rubocop 12,482
8 semgrep 9,565
9 biome 9,521
10 Checkstyle 8,092
11 gosec 7,393
12 reviewdog 7,263
13 datree 6,401
14 bandit 5,914
15 phan 5,492
16 Pylint 5,078
17 PMD 4,614
18 revive 4,567
19 pytype 4,517
20 NullAway 3,488
21 Spotbugs 3,311
22 Flake8 3,231
23 eslint-config-standard 2,547
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com