Top 23 Static Analysis Open-Source Projects
-
ImHex
A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
ImHex (https://imhex.werwolv.net/) is also a really nice Hex editor with tons of plugins (patterns, file support, etc.) and even an embedded language for adding more patterns easily
-
-
Now that I have started my Python project devto-followers2md, I have recently started checking my code with Ruff, a fast Rust-based Python linter and code formatter. I also started using pyright (yes, I know it is very ironic, it is made by Microsoft), and will be working on making sure the project aligns with its standards too.
-
Project mention: Lambda Deployments v2: Taking the Lambda deployment pipeline from MVP to production-ready | dev.to | 2026-03-16
I added ShellCheck to the CI pipeline. It catches common shell scripting mistakes like unquoted variables, unused variables, and POSIX compliance issues. It runs on every push against all scripts in the scripts/ directory.
-
Mobile-Security-Framework-MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Project mention: Mobile-Security-Framework-MobSF VS exodus - a user suggested alternative | libhunt.com/r/Mobile-Security-Framework-MobSF | 2025-07-12
-
code-review-graph
Local-first code intelligence graph for MCP and CLI. Builds a persistent map of your codebase so AI coding tools read only what matters, with benchmarked context reductions on reviews and large-repo workflows.
Project mention: Code-review-graph v2.1.0, 8× fewer tokens for code reviews via structural graph | news.ycombinator.com | 2026-04-03
True zero-config install: one command across 7 platforms
Tech: Python + Tree-sitter + SQLite (WAL) + FastMCP. 572 tests.
https://code-review-graph.com
GitHub: https://github.com/tirth8205/code-review-graph
pip install code-review-graph && code-review-graph install
-
Project mention: A rogue AI led to a serious security incident at Meta | news.ycombinator.com | 2026-03-20
-
bytecode-viewer
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
-
semgrep
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
15k stars · semgrep.dev
-
static-analysis
A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
-
The previous post covered how we structured the codebase: Effect conventions, ast-grep enforcement, Drift, and CLAUDE.md to collaborate with Claude Code. You describe what you want, review the output, iterate. That works well. This post is about what happens when you step away entirely: giving the agent a list of issues and letting it work through them while you do something else. In autonomous mode, there's no mid-session correction. Anything the enforcement layer doesn't catch compounds across commits, which is why clean issue tracking, issue review and end-of-session QA matter more, not less.
-
Project mention: Running Rust Binaries on Shared Hosting: A Practical Approach to Type Safety on a Budget | dev.to | 2025-10-17
I was tired of PHP's type system. Even with PHPStan and Psalm, there's no substitute for real compile-time guarantees. But I'm also practical - I don't want to pay for a VPS, maintain a server, manage security updates, configure databases, set up backups, and babysit infrastructure when shared hosting costs < $10/month and handles all of that for me.
-
One of the tools you can use for formatting your PHP code is PHP CS Fixer. It's an incredibly popular tool and, at the time of writing, has over 214 million downloads on Packagist.
-
mastg
The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the OWASP Mobile Security Weakness Enumeration (MASWE) weaknesses, which are in alignment with the OWASP MASVS.
-
Project mention: Performance Test: Grype 0.70 vs Trivy 0.50 Scan Times: 15% Faster for Alpine Images | dev.to | 2026-04-28
After 120+ benchmark runs across 6 Alpine image variants, 2 hardware configurations, and 3 CI environments, our verdict is clear: Grype 0.70 is 15% faster than Trivy 0.50 for Alpine-based container images, with identical vulnerability detection parity. For teams scanning Alpine images at scale, this speedup translates to thousands of dollars in CI compute savings and hundreds of engineer hours reclaimed per month. If you're only scanning Alpine images, migrate to Grype today; the 15% speedup is worth the migration effort for any team with more than 100 daily scans. For heterogeneous image stacks, Trivy remains the better all-in-one option. We recommend running the benchmark script we provided earlier on your own images to validate the speedup for your specific workload.
-
What bugged me was the asymmetry. Kubernetes and Terraform have a deep bench of scanners: Checkov, Trivy, kube-bench, Kubescape. Compose is an afterthought in most of them. The Compose-specific tools I found solved adjacent problems instead. Hadolint lints Dockerfiles, not Compose files. dclint checks Compose structure and style, not security.
-
Project mention: Performance Test: Grype 0.70 vs Trivy 0.50 Scan Times: 15% Faster for Alpine Images | dev.to | 2026-04-28
How does Clair compare to Grype and Trivy for Alpine image scans?
-
Automated analysis tools: SonarQube, CodeClimate, and Codacy detect code-level debt automatically: cyclomatic complexity, code duplication, dependency staleness, and coverage gaps. These tools supplement but don't replace the architectural and business-logic debt that requires human judgment to identify and document.
-
reviewdog
Automated code review tool integrated with any code analysis tools regardless of programming language
github.com - reviewdog/reviewdog
Static Analysis discussion
Static Analysis related posts
-
No, everyone is not using AI for everything
-
How to Build a CI/CD Pipeline from Scratch
-
Coding is solved. The factory isn't.
-
AI Smart Contract Review: The Finding Is Not the Audit
-
Codeboarding: Interactive architecture diagrams for codebases
-
Avoid Cross Module Dependencies with Dependency Cruiser
-
A curated list of static analysis (SAST) tools
-
Index
What are some of the best open-source Static Analysis projects? This list will help you:
| # | Project | Stars |
|---|---|---|
| 1 | ImHex | 53,859 |
| 2 | ruff | 47,950 |
| 3 | ShellCheck | 39,569 |
| 4 | Mobile-Security-Framework-MobSF | 21,181 |
| 5 | SwiftLint | 19,624 |
| 6 | code-review-graph | 18,375 |
| 7 | PHP Parser | 17,439 |
| 8 | infer | 15,640 |
| 9 | bytecode-viewer | 15,532 |
| 10 | semgrep | 15,484 |
| 11 | static-analysis | 14,620 |
| 12 | ast-grep | 14,461 |
| 13 | PHPStan | 13,996 |
| 14 | awesome-malware-analysis | 13,812 |
| 15 | PHP CS Fixer | 13,528 |
| 16 | cmake-examples | 13,061 |
| 17 | mastg | 12,963 |
| 18 | grype | 12,394 |
| 19 | hadolint | 12,211 |
| 20 | clair | 11,005 |
| 21 | Detect-It-Easy | 10,948 |
| 22 | SonarQube | 10,658 |
| 23 | reviewdog | 9,353 |