Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →
Top 23 static-code-analysis Open-Source Projects
-
I picked up standard[1] a while back for this reason, I don't want to have to think about it. It works fine, I have no complaints (took me a while to get used to not using semi-colons but now I prefer it) Same reason I use `cargo fmt` as well.
-
Ruff is a Python linter that helps to identify and remove code smells. Over 700 built-in rules: Ruff includes native re-implementations of popular Flake8 plugins, like flake8-bugbear. And also built-in caching to avoid re-analyzing unchanged files.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
ESLint
-
Project mention: An Introduction to Temporal Logic (With Applications to Concurrency Problems) | news.ycombinator.com | 2024-01-22
I think most development occurs on problems that can't be formally modeled anyway. Most developers work on things like, "can you add this feature to the e-commerce site? And can the pop-up be blue?" which isn't really model-able.
But that's not to say that formal methods are useless! We can still prove some interesting aspects of programs -- for example, that every lock that gets acquired later gets released. I think tools like Infer[0] could become common in the coming years.
[0]: https://fbinfer.com/
-
static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
Readers should also peruse the 'Multiple languages' section, many of the big names, Coverity, Klocwork et al. are listed there.
see https://github.com/analysis-tools-dev/static-analysis#multip...
-
As part of the journey to PHP perfection, you should embrace Rector. It's a amazing, free, and open-source tool for migrations, code quality, type coverage, pushing PHPStan to the highest levels, and yes, it can even auto-fix your existing code! It seamlessly integrates into the CI process, making your development workflow smoother than ever.
-
gem "rubocop" - https://github.com/rubocop/rubocop | Set up code guidelines for your dev team, I recommend using whatever Standard recommends.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
semgrep
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
For the SAST stage, I used SonarQube tool. SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on more than 30 programming languages. I preferred SonarQube instead of other SAST tools because it has a detailed documentation and plugins about integration with Jenkins and SonarQube works with Java projects pretty well. Of course you can similar multi-language-supported tools such as Semgrep or language-specific tools such as Bandit.
-
biome
A toolchain for web projects, aimed to provide functionalities to maintain them. Biome offers formatter and linter, usable via CLI and LSP.
-
Checkstyle
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
-
6. Gosec
-
reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.
-
datree
Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
Project mention: Show HN: Datree (YC W20) – End-to-End Policy Management for Kubernetes | news.ycombinator.com | 2023-04-04Hi HN, I’m Shimon, the co-founder of Datree: A policy management solution for Kubernetes. We help DevOps engineers prevent misconfigurations in their Kubernetes by enforcing an organizational policy on their clusters. Engineers can define a custom policy or use one of Datree’s built-in policies, such as NIST/NSA Hardening Guide, EKS Security Best Practices, CIS Benchmark, and more.
Our website is at https://datree.io and our GitHub is here: https://github.com/datreeio/datree
This is not the first time I have shown Datree to the HN community: A little over a year ago, I posted here an earlier version of Datree (https://news.ycombinator.com/item?id=28918850). At that time, Datree consisted of a CLI tool to detect Kubernetes misconfigurations during the development process (locally or in the CI/CD), unlike the version I present today in which the enforcement happens in production.
We built the CLI tool because we detected a big problem among Kubernetes operators: Misconfigurations. Kubernetes is extremely complex and flexible, which makes it very easy to poorly configure it in ways that are not secure. And indeed, we talked to dozens of Kubernetes operators who suffered from various problems, starting with failed audits, all the way to downtime in production, all because of misconfigurations.
Our solution was simple: Give the developers the means to shift-left security testing during the development process with a CLI tool that can be integrated into the CI/CD. We thought this was the best way to approach the problem: It is easiest to fix misconfigurations in the development process before they are deployed to production, it prevents context-switching and relieves resources from the DevOps team.
While the CLI tool was very popular among the open-source community (it got over 6000 stars on GitHub), we soon realized that CI/CD enforcement is not enough. As we talked with Datree’s users, we realized we had made a fundamental mistake: We thought of misconfiguration prevention in technical terms rather than organizational terms.
Indeed, from a technical point of view, it makes sense to shift-left Kubernetes security. But when considering the organizational structure in which it takes place, it simply isn’t enough. DevOps engineers told us that they love the shift-left concept, but they simply cannot rely on the goodwill of the engineers to run a CLI tool locally or to monitor all the pipelines leading to production. They need governance, something to help them stay in control of the state of their clusters.
Moreover, we realized that many companies who use Kubernetes are heavily regulated, and cannot take any chances with their security. Sure, these companies want the engineers to fix misconfigurations during development, but they also want something to make sure that no matter what, their clusters remain misconfiguration-free.
Based on this understanding, we developed a new version of Datree that sits on the cluster itself (rather than in the CI/CD) and protects the production environment by blocking misconfigured resources with an admission webhook. It has a centralized policy management solution to enable governance, and native monitoring to get real-time insights into the state of your Kubernetes.
I look forward to hearing your feedback and answering any questions you may have.
-
Bandit is a tool designed to find common security issues in Python code. It was developed by the OpenStack Security Project and is a great addition to any serious Python project.
-
phan
Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.
Besides what others have already advised, you can also get Phan to scan your project. Set the target to 8.1 and let it run its analysis. Check GitHub repo and docs there for more verbose instructions: https://github.com/phan/phan/
-
A little introduction about pylint. Pylint is a static code analyzer, it analyses your code without actually running it. Pylint looks for potential errors, gives suggestions on coding standards that your code is not adhering to, potential places where refactoring might help, and also warnings about smelly code.
-
-
revive
🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint
The v1.3.4 of revive, the fast, configurable, extensible, flexible, and beautiful linter for Go, is available.
-
Pytype checks and infers types for your Python code - without requiring type annotations. Pytype can catch type errors in your Python code before you even run it.
-
NullAway
A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead
-
-
Flake8
flake8 is a python tool that glues together pycodestyle, pyflakes, mccabe, and third-party plugins to check the style and quality of some python code.
Flake8. This library is a wrapper around pycodestyle (PEP8), pyflakes, and Ned Batchelder’s McCabe script. It is a great toolkit for checking your code base against coding style (PEP8), programming errors (like SyntaxError, NameError, etc) and to check cyclomatic complexity.
-
eslint-config-standard
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
static-code-analysis related posts
- PMD 7 Is Here
- Creating a DevSecOps pipeline with Jenkins — Part 1
- Tree-Sitter
- Rubberduck – A free and open-source VBIDE add-in
- An Introduction to Temporal Logic (With Applications to Concurrency Problems)
- W1203: logging-fstring-interpolation (Solved)
- Mastering Linters : A Code Quality Assurance Comprehensive Guide using Ruby on Rails
-
A note from our sponsor - InfluxDB
www.influxdata.com | 28 Mar 2024
Index
What are some of the best open-source static-code-analysis projects? This list will help you:
Project | Stars | |
---|---|---|
1 | Standard | 28,828 |
2 | ruff | 25,475 |
3 | ESLint | 24,049 |
4 | infer | 14,657 |
5 | static-analysis | 12,731 |
6 | PHPStan | 12,484 |
7 | rubocop | 12,482 |
8 | semgrep | 9,565 |
9 | biome | 9,521 |
10 | Checkstyle | 8,092 |
11 | gosec | 7,393 |
12 | reviewdog | 7,263 |
13 | datree | 6,401 |
14 | bandit | 5,914 |
15 | phan | 5,492 |
16 | Pylint | 5,078 |
17 | PMD | 4,614 |
18 | revive | 4,567 |
19 | pytype | 4,517 |
20 | NullAway | 3,488 |
21 | Spotbugs | 3,311 |
22 | Flake8 | 3,231 |
23 | eslint-config-standard | 2,547 |