Top 23 Static Analysis Open-Source Projects
-
ImHex
🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
-
CodeRabbit
CodeRabbit: AI Code Reviews for Developers. Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.
-
Unfortunately, this did mean that configuration began to sprawl. At this point, I had configurations not just for Vite (shared with Vitest) and tsc, but also for Prettier, ESLint and even ShellCheck. Many of these files had shared settings that needed to match each other. This was somewhat manageable, until Vite was also in the mix.
-
At work I often switched to VSCode because I couldn't get pyright to work with our Django project. The errors everywhere were just annoying to look at. So I looked around and found "ruff" and "jedi_language_server". This combination seems to do the trick. I don't have to configure anything. I source my venv and it "just works". I assume our Python codebase is something around 10k LOC, too. I am not mainly responsible for the Python part, so I don't spend an excessive amount of time in there, but for the time I do, it works nicely.
- https://github.com/pappasam/jedi-language-server
- https://github.com/astral-sh/ruff
-
```sh
# On Apple Silicon, Homebrew installs under /opt/homebrew, which Xcode's
# run-script environment does not put on PATH by default.
if [[ "$(uname -m)" == arm64 ]]; then
  export PATH="/opt/homebrew/bin:$PATH"
fi

# Auto-fix what SwiftLint can, then run it again to report remaining violations.
if which swiftlint > /dev/null; then
  swiftlint --fix && swiftlint
else
  echo "warning: SwiftLint not installed, download from https://github.com/realm/SwiftLint"
fi
```
-
Mobile-Security-Framework-MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
-
Once rector gets 8.4 rules out, this will be pretty awesome:
https://github.com/rectorphp/rector/issues/8701
https://github.com/nikic/PHP-Parser/commit/7b0384cdbe03431c4...
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
-
bytecode-viewer
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
-
static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
-
Project mention: Build a Symfony 7 boilerplate using FrankenPHP, Docker, PostgreSQL and php 8.4 | dev.to | 2024-12-23
To do so, simply install the runtime/frankenphp-symfony composer package. Then we install the bare minimum for a kick-ass developer experience: a linter using Code Sniffer, PHPStan as code quality audit tool, Rector to ease and automate code maintenance, some useful Symfony components and packages, and of course the Doctrine ORM. Here is the composer.json file located at the Symfony folder root.
-
Project mention: Automate Your PHP Code Formatting with PHP-CS-Fixer | news.ycombinator.com | 2024-08-15
-
owasp-mastg
The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
The OWASP Mobile Application Security (MAS) flagship project provides a robust security standard for mobile apps, known as the OWASP MASVS, along with a comprehensive testing guide (OWASP MASTG). These resources cover the processes, techniques, and tools used during a mobile app security test, ensuring consistent and complete results.
-
semgrep
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
-
One such linter is hadolint. It parses a Dockerfile and shows a warning for any errors that do not match its best practice rules.
-
Project mention: Dockerfile Best Practices: Building Efficient and Secure Containers | dev.to | 2024-08-16
Regularly scan your Docker images for vulnerabilities using tools like Trivy or Clair.
-
Project mention: Top 12 AI Test Automation Tools for Smarter Software Testing in 2025 | dev.to | 2025-01-13
SonarQube - Multi-language code analysis for maintainability and quality.
-
Checkstyle
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
We had a list of suggested code formatting tools; as my code was written in Java, I decided to use the suggested formatter, GoogleJavaFormat. However, I didn't pick the suggested tool for the linter. I picked Checkstyle, for the reason that SpotBugs wasn't available for JDK 22.
-
Scanners-Box
A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners developed by security industry practitioners
-
reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
Static Analysis discussion
Static Analysis related posts
-
Static Code Analysis with AST (Análise Estática de Código com AST)
-
Lessons Learned #3: Is your random UUID really random? (Account takeover with the sandwich 🥪 attack)
-
Zizmor – static analysis for GitHub Actions
-
Bill requiring US agencies to share source code with each other becomes law
-
CrossHair: Analysis [Python] that blurs the line between testing and [types]
-
Symbolic Execution by Overloading __bool__
-
What are some common strategies for preventing SQL injection vulnerabilities in Rails beyond ActiveRecord?
-
A note from our sponsor - CodeRabbit
coderabbit.ai | 9 Feb 2025
Index
What are some of the best open-source Static Analysis projects? This list will help you:
# | Project | Stars |
---|---|---|
1 | ImHex | 46,941 |
2 | ShellCheck | 36,872 |
3 | ruff | 35,459 |
4 | SwiftLint | 18,793 |
5 | Mobile-Security-Framework-MobSF | 18,004 |
6 | PHP Parser | 17,160 |
7 | infer | 15,085 |
8 | bytecode-viewer | 14,835 |
9 | static-analysis | 13,559 |
10 | PHPStan | 13,199 |
11 | PHP CS Fixer | 12,991 |
12 | cmake-examples | 12,580 |
13 | awesome-malware-analysis | 12,226 |
14 | owasp-mastg | 11,943 |
15 | semgrep | 10,981 |
16 | hadolint | 10,656 |
17 | clair | 10,487 |
18 | grype | 9,332 |
19 | SonarQube | 9,281 |
20 | Checkstyle | 8,446 |
21 | Scanners-Box | 8,388 |
22 | reviewdog | 8,140 |
23 | Detect-It-Easy | 7,993 |