Static Analysis

Top 23 Static Analysis Open-Source Projects

  • ShellCheck

    ShellCheck, a static analysis tool for shell scripts

    Project mention: Regex support to list modules in .cabal? | /r/haskell | 2023-12-04

    I have also seen some projects on GitHub like ShellCheck which first make a library, expose all the modules and then simply add that to build-depends of the final executable. Is this the recommended approach rather than having just one executable and adding all the modules to other-modules:?

  • ImHex

    🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.

    Project mention: [Tutorial] How to manually change FOV (SoC, CS, & CoP) | /r/stalker | 2023-08-06

    Download a hex editor such as ImHex and open it. I'd recommend downloading the portable version of whatever hex editor you are using if it's offered. That way you don't have to install the program and can instantly delete it off your drive when you're done.

  • ruff

    An extremely fast Python linter and code formatter, written in Rust.

    Project mention: AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting | | 2023-12-10

    I confess I stole the pip recipe from Charlie :D

  • SwiftLint

    A tool to enforce Swift style and conventions.

    Project mention: A problem when adding SwiftLint as a dependency on my own package? | /r/swift | 2023-10-27
  • PHP Parser

    A PHP parser written in PHP

    Project mention: Diff Speeding - Rector and sebastian/diff speed improvements through profiling | /r/PHP | 2023-05-06

    Interesting. One of the reasons I stopped considering Rector is because of how memory, CPU, and time intensive it is for a non-trivial project. Instead I've been using Nikita's PHP Parser directly and getting much better results even though it isn't multi-threaded out of the box.

  • Mobile-Security-Framework-MobSF

    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

    Project mention: Hacking & Gaming :) | /r/hacking | 2023-04-17

    the program is from github too lmao 😭

  • infer

    A static analyzer for Java, C, C++, and Objective-C

    Project mention: Should I Rust or should I Go | | 2023-09-15
  • bytecode-viewer

    A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

    Project mention: Points to note in Java generic programming | | 2023-01-02
  • static-analysis

    ⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.

    Project mention: Static Analysis Tools for C | | 2023-10-26

    Readers should also peruse the 'Multiple languages' section; many of the big names, Coverity, Klocwork et al., are listed there.

  • PHPStan

    PHP Static Analysis Tool - discover bugs in your code without running it!

    Project mention: PHP 8.3 | | 2023-11-24
  • PHP CS Fixer

    A tool to automatically fix PHP Coding Standards issues

    Project mention: Avoiding empty() in PHP | /r/PHP | 2023-05-11


  • cmake-examples

    Useful CMake Examples

    Project mention: Anyone else get frustrated when a block of time you wanted to spend to learning code instead goes into why some software isn’t working right on your computer? | /r/learnprogramming | 2023-02-18

    The downside for CMake is that it’s famously crappy in its own way and the internet is full of bad examples. This isn’t terrible:

  • owasp-mastg

    The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

    Project mention: More ways to identify independently security tested apps on Google Play | | 2023-11-03
  • awesome-malware-analysis

    Defund the Police.

  • PHP Code Sniffer

    PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.

    Project mention: PHP_CodeSniffer update (package name will NOT be changing... just the repo & ownership) | /r/PHP | 2023-12-06

    I don’t know why but that link keeps reloading the page over and over. This one works for me:

  • clair

    Vulnerability Static Analysis for Containers

    Project mention: Open source container scanning tool to find vulnerabilities and suggest best practice improvements? | /r/selfhosted | 2023-04-15

  • hadolint

    Dockerfile linter, validate inline bash, written in Haskell

    Project mention: Top 10 common Dockerfile linting issues | | 2023-09-15

    With Depot, we make use of two Dockerfile linters, hadolint and a set of Dockerfile linter rules that Semgrep has written to make a bit of a smarter Dockerfile linter.

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    Project mention: AST-grep(sg) is a CLI tool for code structural search, lint, and rewriting | | 2023-12-10

    Well, when I search for "semgrep", I get a very nice corporate landing page with a "Book Demo" button. Which is a level of hassle that just isn't worth it for smaller teams, because "Book Demo" usually means "We're going to try to do a dance to see how much money we can extract from you." Which smaller teams may only want to do for a handful of key tools.

    (4 years ago, I was more willing to put up with enterprise licensing. But in the last two years, I've seen way too many enterprise vendors try to squeeze every penny they can get from existing clients. An enterprise sales process now often means "Expect 30% annual price hikes once you're in too deep to back out.")

    There's also an open source "semgrep" project here: But this seems to be basically a vulnerability scanner, going by the README.

    Whereas AST-grep seems to focus heavily on things like:

    1. One-off searching: "Search my tree for this pattern."

    2. Refactoring: "Replace this pattern with this other pattern."

    AST-grep also includes a vulnerability scanning mode like semgrep.

    It's possible that semgrep also has nice support for (1) and (2), but it isn't clearly visible on their corporate landing page or the first open source README I found.

  • SonarQube

    Continuous Inspection

    Project mention: Enterprise level open source react apps? | /r/reactjs | 2023-04-30
  • Checkstyle

    Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.

  • Scanners-Box

    A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners developed by security industry practitioners

  • gosec

    Go security checker

    Project mention: Top 10 Snyk Alternatives for Code Security | | 2023-08-31

    6. Gosec

  • reviewdog

    🐶 Automated code review tool integrated with any code analysis tools regardless of programming language

    Project mention: Code reviews and Suggestions from SARIF report | | 2023-05-16

    I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2023-12-10.

Static Analysis related posts


What are some of the best open-source Static Analysis projects? This list will help you:

Rank  Project                          Stars
   1  ShellCheck                      33,844
   2  ImHex                           30,937
   3  ruff                            21,054
   4  SwiftLint                       17,948
   5  PHP Parser                      16,388
   6  Mobile-Security-Framework-MobSF 15,429
   7  infer                           14,491
   8  bytecode-viewer                 14,085
   9  static-analysis                 12,361
  10  PHPStan                         12,300
  11  PHP CS Fixer                    12,294
  12  cmake-examples                  11,468
  13  owasp-mastg                     10,888
  14  awesome-malware-analysis        10,509
  15  PHP Code Sniffer                10,509
  16  clair                            9,819
  17  hadolint                         9,244
  18  semgrep                          9,127
  19  SonarQube                        8,224
  20  Checkstyle                       7,954
  21  Scanners-Box                     7,738
  22  gosec                            7,212
  23  reviewdog                        6,871