Top 23 Static Analysis Open-Source Projects
-
I have also seen some projects on GitHub like ShellCheck which first make a library, expose all the modules and then simply add that to build-depends of the final executable. Is this the recommended approach rather than having just one executable and adding all the modules to other-modules:?
-
ImHex
🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
Project mention: [Tutorial] How to manually change FOV (SoC, CS, & CoP) | /r/stalker | 2023-08-06
Download a hex editor such as ImHex and open it. I'd recommend downloading the portable version of whatever hex editor you are using if it's offered. That way you don't have to install the program and can instantly delete it off your drive when you're done.
-
-
Project mention: AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting | news.ycombinator.com | 2023-12-10
I confess I stole the pip recipe from Charlie :D
https://github.com/astral-sh/ruff/blob/main/.github/workflow...
-
Project mention: A problem when adding Swiftlint as a dependency on my own package? | /r/swift | 2023-10-27
-
Project mention: Diff Speeding - Rector and sebastian/diff speed improvements through profiling | /r/PHP | 2023-05-06
Interesting. One of the reasons I stopped considering Rector is because of how memory, CPU, and time intensive it is for a non-trivial project. Instead I've been using Nikita's PHP Parser directly and getting much better results even though it isn't multi-threaded out of the box.
-
Mobile-Security-Framework-MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
the program is from github too lmao https://github.com/MobSF/Mobile-Security-Framework-MobSF 😭
-
-
bytecode-viewer
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
-
static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
Readers should also peruse the 'Multiple languages' section, many of the big names, Coverity, Klocwork et al. are listed there.
see https://github.com/analysis-tools-dev/static-analysis#multip...
-
friendsofphp/php-cs-fixer
-
Project mention: Anyone else get frustrated when a block of time you wanted to spend to learning code instead goes into why some software isn’t working right on your computer? | /r/learnprogramming | 2023-02-18
The downside for CMake is that it’s famously crappy in its own way and the internet is full of bad examples. This isn’t terrible: https://github.com/ttroy50/cmake-examples/blob/master/01-basic/H-third-party-library/CMakeLists.txt
-
owasp-mastg
The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03
-
PHP Code Sniffer
PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.
Project mention: PHP_CodeSniffer update (package name will NOT be changing... just the repo & ownership) | /r/PHP | 2023-12-06
I don't know why but that link keeps reloading the page over and over. This one works for me: https://github.com/squizlabs/PHP_CodeSniffer/issues/3932
-
Project mention: Open source container scanning tool to find vulnerabilities and suggest best practice improvements? | /r/selfhosted | 2023-04-15
https://github.com/quay/clair 9.4k stars, updated 17 hours ago
-
With Depot, we make use of two Dockerfile linters, hadolint and a set of Dockerfile linter rules that Semgrep has written to make a bit of a smarter Dockerfile linter.
-
semgrep
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Project mention: AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting | news.ycombinator.com | 2023-12-10
Well, when I search for "semgrep", I get a very nice corporate landing page with a "Book Demo" button. Which is a level of hassle that just isn't worth it for smaller teams, because "Book Demo" usually means "We're going to try to do a dance to see how much money we can extract from you." Which smaller teams may only want to do for a handful of key tools.
(4 years ago, I was more willing to put up with enterprise licensing. But in the last two years, I've seen way too many enterprise vendors try to squeeze every penny they can get from existing clients. An enterprise sales process now often means "Expect 30% annual price hikes once you're in too deep to back out.")
There's also an open source "semgrep" project here: https://github.com/semgrep/semgrep. But this seems to be basically a vulnerability scanner, going by the README.
Whereas AST-grep seems to focus heavily on things like:
1. One-off searching: "Search my tree for this pattern."
2. Refactoring: "Replace this pattern with this other pattern."
AST-grep also includes a vulnerability scanning mode like semgrep.
It's possible that semgrep also has nice support for (1) and (2), but it isn't clearly visible on their corporate landing page or the first open source README I found.
-
Checkstyle
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
-
Scanners-Box
A powerful and open-source toolkit for hackers and security automation - 安全行业从业者自研开源扫描器合辑
-
gosec
-
reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.
-
Static Analysis related posts
- AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting
- Flowistry: an IDE plugin that analyzes the information flow of Rust programs, showing whether it's possible for one piece of code to affect another
- I'm not a Java dev but I'm using it in AoC this year
- Advent of Code Day 4
- Regex support to list modules in .cabal?
- PHP 8.3
- Practical nil panic detection for Go
-
Index
What are some of the best open-source Static Analysis projects? This list will help you:
Rank | Project | Stars |
---|---|---|
1 | ShellCheck | 33,844 |
2 | ImHex | 30,937 |
3 | ruff | 21,054 |
4 | SwiftLint | 17,948 |
5 | PHP Parser | 16,388 |
6 | Mobile-Security-Framework-MobSF | 15,429 |
7 | infer | 14,491 |
8 | bytecode-viewer | 14,085 |
9 | static-analysis | 12,361 |
10 | PHPStan | 12,300 |
11 | PHP CS Fixer | 12,294 |
12 | cmake-examples | 11,468 |
13 | owasp-mastg | 10,888 |
14 | awesome-malware-analysis | 10,509 |
15 | PHP Code Sniffer | 10,509 |
16 | clair | 9,819 |
17 | hadolint | 9,244 |
18 | semgrep | 9,127 |
19 | SonarQube | 8,224 |
20 | Checkstyle | 7,954 |
21 | Scanners-Box | 7,738 |
22 | gosec | 7,212 |
23 | reviewdog | 6,871 |