Static Analysis

Open-source projects categorized as Static Analysis

Top 23 Static Analysis Open-Source Projects

  • ShellCheck

    ShellCheck, a static analysis tool for shell scripts

    Project mention: Just learned how to use Linux and Bash over the summer, but Should I add powershell? | reddit.com/r/linuxadmin | 2022-10-05

    Integrate shellcheck with whatever editor you are using so you get real-time feedback, and read the Advanced Bash Scripting Guide (old, but still good).

  • SwiftLint

    A tool to enforce Swift style and conventions.

    Project mention: Ask HN: Xcode users – how do you make it more usable? | news.ycombinator.com | 2022-09-25

    1) Here are some tips & tricks for refactoring: https://developer.apple.com/documentation/xcode/finding-and-...

    The “rename in project” or “rename in scope” functions are quite neat.

    2) Check out SwiftLint: https://github.com/realm/SwiftLint

    I have not used it in a while, but it comes with good defaults and is highly customizable to your own preferred Swift style.

  • PHP Parser

    A PHP parser written in PHP

    Project mention: How PHP engine builds AST | dev.to | 2022-09-05

    nikic/PHP-Parser

  • infer

    A static analyzer for Java, C, C++, and Objective-C

    Project mention: Programming Breakthroughs We Need | news.ycombinator.com | 2022-08-17

    > Maybe you could write tests as queries that would test a whole set of possible programs, not only the current version of your program at the moment.

    I think that the future of programming is more sophisticated static analysis. Programmers will write statements like, "every code path that writes to the Payments database must have called validate_user()." Then, the tooling will confirm that rule with every commit.

    We kind of have this already (for example, Facebook's Infer tool [0]), but I think it will become much more important in the coming decade.

    0: https://github.com/facebook/infer

  • bytecode-viewer

    A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

    Project mention: Reverse Engineering Tools in 2022 | news.ycombinator.com | 2022-09-18

    I think they forgot to google translate the disadvantages of JEB Decompiler

    I haven't used JEB to comment, but I've gotten a lot of mileage out of https://github.com/pxb1988/dex2jar#readme and then feed the normal Java jars it produces into https://github.com/mstrobel/procyon#readme and (of course) one shouldn't overlook picking your favorite tool for dealing with AndroidManifest.xml which often has fun things hiding in it

    While digging up those links, I was reminded that some folks enjoy https://github.com/Konloch/bytecode-viewer#is-there-a-demo because it can be easier to "try out" a few of the decompilation engines, but I don't use it because it's hard to do batch things with it, versus dex2jar into procyon is automation friendly

  • Mobile-Security-Framework-MobSF

    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

    Project mention: Can anyone recommend a good tool to pentest mobile apps?, I have the packages locally. Thanks | reddit.com/r/Pentesting | 2022-07-18

    I can say only for android:

    - General Scanner -> https://github.com/MobSF/Mobile-Security-Framework-MobSF
    - Decompiler -> https://github.com/skylot/jadx

  • PHP CS Fixer

    A tool to automatically fix PHP Coding Standards issues

    Project mention: How I was able to install php-cs-fixer. Vscode + Linux machine | dev.to | 2022-09-03

    To be a bit elaborate and for a proper updated installation process, here is what I did: I used the [latest version](https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/tag/v3.10.0) of php cs fixer then entered the command that followed to install php-cs-fixer.

  • PHPStan

    PHP Static Analysis Tool - discover bugs in your code without running it!

    Project mention: Ask HN: Best PHP tools to improve code quality? | news.ycombinator.com | 2022-09-11

  • static-analysis

    ⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.

    Project mention: From Novice to contributor to Linux Kernel and/or other Low-Level projects | reddit.com/r/kernel | 2022-08-23

    You can for example rely on static analyzers and scan the repositories (just please take care of making sure that any fix you make actually makes sense, sometimes people will just make whatever causes the reports to go away without understanding them). This site lists a bunch of them for different languages -> https://analysis-tools.dev/

  • PHP Code Sniffer

    PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.

    Project mention: How to define the most strict configuration possible for PHP codesniffer ? | reddit.com/r/PHPhelp | 2022-09-21

    You can find a list of the available standards in the Standards directory of CodeSniffer (and there's a lot of 3rd party packages that provide even more options). Each Standards directory contains a ruleset.xml that has the default configuration for that standard.

  • owasp-mastg

    The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

    Project mention: Are android bugs mostly api and web ? | reddit.com/r/bugbounty | 2022-09-30

    Have a look at the OWASP Mobile Application Testing Guide https://github.com/OWASP/owasp-mastg

  • cmake-examples

    Useful CMake Examples

    Project mention: How do I link fmt library to my project? | reddit.com/r/cpp_questions | 2022-09-08

  • awesome-malware-analysis

    Defund the Police.

    Project mention: Windows found a trojan called "ravadon.e". Is this a false alarm or what? I can't find anything about it offline except a site that just copy and pastes the trojan name into it's text. | reddit.com/r/antivirus | 2022-08-15

  • clair

    Vulnerability Static Analysis for Containers

    Project mention: Implement DevSecOps to Secure your CI/CD pipeline | dev.to | 2022-09-27

    Open source: Trivy, Grype and Clair are widely used open source tools for container scanning.

  • hadolint

    Dockerfile linter, validate inline bash, written in Haskell

    Project mention: Checkmake: Experimental Linter/Analyzer for Makefiles | news.ycombinator.com | 2022-08-14

    Some discussion on that here:

    https://github.com/koalaman/shellcheck/issues/58

    The hadolint project does shell checking for Dockerfiles and it uses shellcheck:

    https://github.com/hadolint/hadolint

    So the approach is definitely feasible, but you do need a new project and probably it needs to be written in Haskell.

  • Checkstyle

    Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.

    Project mention: 5 easy paths to become a recognized Java expert. Really. For free. | dev.to | 2022-08-25

  • SonarQube

    Continuous Inspection

    Project mention: Implement DevSecOps to Secure your CI/CD pipeline | dev.to | 2022-09-27

    SonarQube allows all developers to write cleaner and safer code. It supports lots of programming languages for scanning (Java, Kotlin, Go, JavaScript). It also supports running unit testing for code coverage. It can be easily integrated with Jenkins and Azure DevOps. Checkmarx, Veracode, and Klocwork also provide similar functionality but these are paid tools.

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    Project mention: How to ensure required fields in struct consistently? | reddit.com/r/golang | 2022-08-17

    FWIW you can probably write a semgrep rule or something, to find all struct literals which don't mention a specific field.

  • Scanners-Box

    A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners developed by security industry practitioners

    Project mention: A powerful open-source toolkit for hackers and security automation | news.ycombinator.com | 2022-07-15

  • Brakeman

    A static analysis security vulnerability scanner for Ruby on Rails applications

    Project mention: Github Pre-commit Hook Setup In Ruby On Rails for maintaining coding standards and productive. | dev.to | 2022-08-28

    It’s assumed that you already have a Rails app and use Brakeman to keep your app secure and Rspec to run your test cases.

  • gosec

    Golang security checker

    Project mention: Goast: Generic static analysis for Go Abstract Syntax Tree by OPA/Rego | dev.to | 2022-09-12

    Various static analysis tools are available for the Go language, and existing static analysis tools can check general best practices. For example, gosec is a tool to check secure Go coding, and I use it myself. However, coding rules in software development are not only based on best practices, but can also be software- or team-specific. For example

  • Error Prone

    Catch common Java mistakes as compile-time errors

    Project mention: Picnic loves Error Prone: producing high-quality and consistent Java code | reddit.com/r/java | 2022-10-06

    If only Google didn't suck when it came to Java9+ support... https://github.com/google/error-prone/issues/2649

  • pyre-check

    Performant type-checking for python.

    Project mention: Statically typed Python | reddit.com/r/Python | 2021-11-30

    Facebook/Instagram uses Pyre which is a typechecker for Python.

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2022-10-06.

Static Analysis related posts

Index

What are some of the best open-source Static Analysis projects? This list will help you:

Project Stars
1 ShellCheck 30,083
2 SwiftLint 16,583
3 PHP Parser 15,682
4 infer 13,535
5 bytecode-viewer 13,288
6 Mobile-Security-Framework-MobSF 12,176
7 PHP CS Fixer 11,425
8 PHPStan 11,345
9 static-analysis 10,321
10 PHP Code Sniffer 9,728
11 owasp-mastg 9,462
12 cmake-examples 9,200
13 awesome-malware-analysis 9,053
14 clair 9,045
15 hadolint 7,530
16 Checkstyle 7,310
17 SonarQube 7,200
18 semgrep 7,173
19 Scanners-Box 6,723
20 Brakeman 6,500
21 gosec 6,355
22 Error Prone 6,107
23 pyre-check 6,068