Top 23 Static Analysis Open-Source Projects
ShellCheck, a static analysis tool for shell scripts. Project mention: Regex support to list modules in .cabal? | /r/haskell | 2023-12-04
I have also seen some projects on GitHub like ShellCheck which first make a library, expose all the modules and then simply add that to the build-depends of the final executable. Is this the recommended approach rather than having just one executable and adding all the modules to other-modules:?
🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM. Project mention: [Tutorial] How to manually change FOV (SoC, CS, & CoP) | /r/stalker | 2023-08-06
Download a hex editor such as ImHex and open it. I'd recommend downloading the portable version of whatever hex editor you are using if it's offered. That way you don't have to install the program and can instantly delete it off your drive when you're done.
An extremely fast Python linter and code formatter, written in Rust. Project mention: AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting | news.ycombinator.com | 2023-12-10
I confess I stole the pip recipe from Charlie :D
A tool to enforce Swift style and conventions. Project mention: A problem when adding Swiftlint as a dependency on my own package? | /r/swift | 2023-10-27
A PHP parser written in PHP. Project mention: Diff Speeding - Rector and sebastian/diff speed improvements through profiling | /r/PHP | 2023-05-06
Interesting. One of the reasons I stopped considering Rector is because of how memory, CPU, and time intensive it is for a non-trivial project. Instead I've been using Nikita's PHP Parser directly and getting much better results even though it isn't multi-threaded out of the box.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Project mention: Hacking & Gaming :) | /r/hacking | 2023-04-17
the program is from github too lmao https://github.com/MobSF/Mobile-Security-Framework-MobSF 😭
A static analyzer for Java, C, C++, and Objective-C. Project mention: Should I Rust or should I Go | news.ycombinator.com | 2023-09-15
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More). Project mention: Notes on Java generic programming | dev.to | 2023-01-02
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality. Project mention: Static Analysis Tools for C | news.ycombinator.com | 2023-10-26
Readers should also peruse the 'Multiple languages' section, many of the big names, Coverity, Klocwork et al. are listed there.
PHP Static Analysis Tool - discover bugs in your code without running it! Project mention: PHP 8.3 | news.ycombinator.com | 2023-11-24
A tool to automatically fix PHP Coding Standards issues. Project mention: Avoiding empty() in PHP | /r/PHP | 2023-05-11
Useful CMake Examples. Project mention: Anyone else get frustrated when a block of time you wanted to spend to learning code instead goes into why some software isn't working right on your computer? | /r/learnprogramming | 2023-02-18
The downside for CMake is that it’s famously crappy in its own way and the internet is full of bad examples. This isn’t terrible: https://github.com/ttroy50/cmake-examples/blob/master/01-basic/H-third-party-library/CMakeLists.txt
The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS). Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03
Defund the Police.
PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards. Project mention: PHP_CodeSniffer update (package name will NOT be changing... just the repo & ownership) | /r/PHP | 2023-12-06
I don’t know why but that link keeps reloading the page over and over. This one works for me: https://github.com/squizlabs/PHP_CodeSniffer/issues/3932
Vulnerability Static Analysis for Containers. Project mention: Open source container scanning tool to find vulnerabilities and suggest best practice improvements? | /r/selfhosted | 2023-04-15
https://github.com/quay/clair 9.4k stars, updated 17 hours ago
Dockerfile linter, validate inline bash, written in Haskell. Project mention: Top 10 common Dockerfile linting issues | dev.to | 2023-09-15
With Depot, we make use of two Dockerfile linters, hadolint and a set of Dockerfile linter rules that Semgrep has written to make a bit of a smarter Dockerfile linter.
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. Project mention: AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting | news.ycombinator.com | 2023-12-10
Well, when I search for "semgrep", I get a very nice corporate landing page with a "Book Demo" button. Which is a level of hassle that just isn't worth it for smaller teams, because "Book Demo" usually means "We're going to try to do a dance to see how much money we can extract from you." Which smaller teams may only want to do for a handful of key tools.
(4 years ago, I was more willing to put up with enterprise licensing. But in the last two years, I've seen way too many enterprise vendors try to squeeze every penny they can get from existing clients. An enterprise sales process now often means "Expect 30% annual price hikes once you're in too deep to back out.")
There's also an open source "semgrep" project here: https://github.com/semgrep/semgrep. But this seems to be basically a vulnerability scanner, going by the README.
Whereas AST-grep seems to focus heavily on things like:
1. One-off searching: "Search my tree for this pattern."
2. Refactoring: "Replace this pattern with this other pattern."
AST-grep also includes a vulnerability scanning mode like semgrep.
It's possible that semgrep also has nice support for (1) and (2), but it isn't clearly visible on their corporate landing page or the first open source README I found.
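An added example, not taken from the thread above or from Semgrep's own rule registry: a Semgrep rule (assumed file name `shell-true.yaml`) that does both of the things the commenter lists, pattern search and pattern rewrite, on the page's own topic of finding bug variants with source-like patterns. The `fix:` key is what turns a rule into a rewrite; the rule id, message and the `shlex.split` replacement are this example's choices, not a published rule.

```yaml
rules:
  - id: subprocess-shell-true-nonliteral
    languages: [python]
    severity: WARNING
    metadata:
      cwe: "CWE-78: OS Command Injection"
    message: >-
      $FUNC is called with shell=True on a command that is not a string
      literal, so any attacker-controlled part of the command is parsed by
      /bin/sh. Pass an argument list instead and drop shell=True.
    patterns:
      # match the call with a metavariable for the command...
      - pattern: subprocess.$FUNC($CMD, shell=True)
      # ...but not when the command is a plain string literal
      - pattern-not: subprocess.$FUNC("...", shell=True)
    # applied only with --autofix; $CMD and $FUNC are substituted from the match
    fix: subprocess.$FUNC(shlex.split($CMD), shell=False)
```

Run `semgrep --config shell-true.yaml .` to search (case 1 in the comment) and add `--autofix` to rewrite (case 2). For a one-off search no rule file is needed at all: `semgrep -e 'subprocess.$FUNC($CMD, shell=True)' -l python .` prints every match. Two caveats on the autofix: Semgrep cannot add the `import shlex` the replacement needs, and `shlex.split` changes the meaning of commands that relied on shell features (pipes, globs, variable expansion), so the rewrite is a starting point for review, not a drop-in.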
Continuous Inspection. Project mention: Enterprise level open source react apps? | /r/reactjs | 2023-04-30
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked as an Ant task or from the command line.
A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners built by security-industry practitioners
Go security checker. Project mention: Top 10 Snyk Alternatives for Code Security | dev.to | 2023-08-31
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language. Project mention: Code reviews and Suggestions from SARIF report | dev.to | 2023-05-16
I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.
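The SARIF-to-RDFormat step the commenter describes, as an added example that is neither the commenter's converter nor reviewdog's own code. It maps the parts of SARIF 2.1.0 that reviewdog can use (result message, rule id, physical location, level, and `fixes`, which become reviewdog suggestions) into one Reviewdog Diagnostic Format document. The embedded SARIF log is constructed for the example; the tool name `example-sast`, the rule ids `EX001`/`EX002` and the paths in it are placeholders.

```python
"""Convert a SARIF 2.1.0 log into Reviewdog Diagnostic Format (RDFormat)."""
import json
import sys

# SARIF result levels map onto the four RDFormat severities.
SEVERITY = {"error": "ERROR", "warning": "WARNING", "note": "INFO", "none": "UNKNOWN_SEVERITY"}


def sarif_range(region):
    """SARIF region -> RDFormat range. Both are 1-based; a missing end is
    collapsed onto the start so reviewdog can still place the comment."""
    start = {"line": region.get("startLine", 1), "column": region.get("startColumn", 1)}
    end = {"line": region.get("endLine", start["line"]),
           "column": region.get("endColumn", start["column"])}
    return {"start": start, "end": end}


def sarif_suggestions(result):
    """SARIF fixes -> RDFormat suggestions: each replacement deletes a region
    and inserts text, which is exactly what a reviewdog suggested change is."""
    out = []
    for fix in result.get("fixes", []):
        for change in fix.get("artifactChanges", []):
            for rep in change.get("replacements", []):
                out.append({"range": sarif_range(rep["deletedRegion"]),
                            "text": rep.get("insertedContent", {}).get("text", "")})
    return out


def sarif_to_rdformat(sarif):
    """Flatten every run/result/location of a SARIF log into one RDFormat document."""
    source = {"name": "sarif"}
    diagnostics = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        source = {"name": driver.get("name", "sarif"), "url": driver.get("informationUri", "")}
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            if result.get("kind", "fail") != "fail":
                continue  # pass / notApplicable / review results are not findings
            rule_id = result.get("ruleId", "")
            rule = rules.get(rule_id, {})
            # SARIF: result.level defaults to the rule's default level, then "warning".
            level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri", "")
                if path.startswith("file://"):
                    path = path[len("file://"):]  # RDFormat wants a repo-relative path
                diag = {
                    "message": result.get("message", {}).get("text", ""),
                    "location": {"path": path, "range": sarif_range(phys.get("region", {}))},
                    "severity": SEVERITY.get(level, "UNKNOWN_SEVERITY"),
                }
                if rule_id:
                    diag["code"] = {"value": rule_id, "url": rule.get("helpUri", "")}
                suggestions = sarif_suggestions(result)
                if suggestions:
                    diag["suggestions"] = suggestions
                diagnostics.append(diag)
    return {"source": source, "diagnostics": diagnostics}


# Constructed sample SARIF log (placeholder tool, rule ids and paths), one
# finding with an autofix and one without an explicit level on the result.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",
            "informationUri": "https://example.invalid/sast",
            "rules": [
                {"id": "EX001", "shortDescription": {"text": "math/rand used for a secret"},
                 "defaultConfiguration": {"level": "error"},
                 "helpUri": "https://example.invalid/rules/EX001"},
                {"id": "EX002", "defaultConfiguration": {"level": "warning"}},
            ]}},
        "results": [
            {"ruleId": "EX001",
             "message": {"text": "math/rand is not a CSPRNG; use crypto/rand"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "internal/token/token.go"},
                 "region": {"startLine": 12, "startColumn": 9, "endLine": 12, "endColumn": 23}}}],
             "fixes": [{"description": {"text": "use crypto/rand"},
                        "artifactChanges": [{"artifactLocation": {"uri": "internal/token/token.go"},
                                             "replacements": [{
                                                 "deletedRegion": {"startLine": 12, "startColumn": 9,
                                                                   "endLine": 12, "endColumn": 23},
                                                 "insertedContent": {"text": "crand.Read(buf)"}}]}]}]},
            {"ruleId": "EX002", "level": "note",
             "message": {"text": "TODO left in production code"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/main.go"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
}

if __name__ == "__main__":
    # Usage: python sarif2rdf.py [results.sarif] | reviewdog -f=rdjson -reporter=github-pr-review
    log = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    print(json.dumps(sarif_to_rdformat(log), indent=2))
```

Two details matter in practice: a result with no `level` of its own inherits the rule's `defaultConfiguration.level` (the spec's rule, and the one that turns `EX001` above into an `ERROR`), and reviewdog only renders a suggestion when the `fixes` region lines up with the diff being reviewed, so keep the SARIF paths repo-relative.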
Static Analysis related posts
AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting
14 projects | news.ycombinator.com | 10 Dec 2023
Flowistry: an IDE plugin that analyzes the information flow of Rust programs, showing whether it's possible for one piece of code to affect another
1 project | /r/rust | 10 Dec 2023
I'm not a Java dev but I'm using it in AoC this year
2 projects | /r/java | 6 Dec 2023
Advent of Code Day 4
3 projects | /r/Clojure | 5 Dec 2023
Regex support to list modules in .cabal?
1 project | /r/haskell | 4 Dec 2023
3 projects | news.ycombinator.com | 24 Nov 2023
Practical nil panic detection for Go
4 projects | news.ycombinator.com | 18 Nov 2023
What are some of the best open-source Static Analysis projects? This list will help you:

| # | Project | Stars |
|---|---------|-------|
| 11 | PHP CS Fixer | 12,294 |
| 15 | PHP Code Sniffer | 10,509 |