Top 23 Static Analysis Open-Source Projects
- ImHex: 🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
- Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
- bytecode-viewer: A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
- static-analysis: ⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
- owasp-mastg: The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
- PHP Code Sniffer: PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.
- semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- Checkstyle: Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an Ant task and a command line program.
- Scanners-Box: A powerful and open-source toolkit for hackers and security automation (a collection of open-source scanners written by security industry practitioners).
ncurses, dialog, zenity [2]. I/O buffering may be an issue [3a, 3b].
Assuming you are using the same account, use the history command to show past commands [0a, 0b].
'load random example' on shellcheck using your own custom examples from the history command [1].
--------
[3a] : http://www.gnu.org/software/coreutils/manual/html_node/stdbu...
[3b] : http://unix.stackexchange.com/questions/25372/how-to-turn-of...
[2] : http://funprojects.blog/2021/01/25/zenity-command-line-dialogs/
[1] : http://www.shellcheck.net/
[0a] : http://www.tecmint.com/history-command-examples/
[0b] : http://www.tecmint.com/remember-linux-commands/
web based documentation: https://www.tecmint.com/linux-commands-cheat-sheet/
commands grouped by typical usage patterns : https://www.tecmint.com/essential-linux-commands/
Project mention: Ask HN: What Underrated Open Source Project Deserves More Recognition? | news.ycombinator.com | 2024-03-07
ImHex
“A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.”
I actually used it not too long ago to inspect why an mp4 file wasn't valid. The pattern language that they have is quite nice, and having sections of the hex highlighted and being able to see what structures they represent and what data was in those structures was very useful!
https://github.com/WerWolv/ImHex
Project mention: Ask HN: High quality Python scripts or small libraries to learn from | news.ycombinator.com | 2024-04-19
I think I mention this all the time when this comes up, but I learned the most 'best practices' through using ruff.
https://docs.astral.sh/ruff/
I just installed and enabled all the rules by setting
Project mention: A problem when adding Swiftlint as a dependency on my own package? | /r/swift | 2023-10-27
Project mention: An Introduction to Temporal Logic (With Applications to Concurrency Problems) | news.ycombinator.com | 2024-01-22
I think most development occurs on problems that can't be formally modeled anyway. Most developers work on things like, "can you add this feature to the e-commerce site? And can the pop-up be blue?" which isn't really model-able.
But that's not to say that formal methods are useless! We can still prove some interesting aspects of programs -- for example, that every lock that gets acquired later gets released. I think tools like Infer[0] could become common in the coming years.
[0]: https://fbinfer.com/
Readers should also peruse the 'Multiple languages' section, many of the big names, Coverity, Klocwork et al. are listed there.
see https://github.com/analysis-tools-dev/static-analysis#multip...
PHP-CS-Fixer automatically fixes PHP coding standard issues, maintaining a clean codebase and adhering to coding standards. It can be integrated into the development workflow to ensure all code complies with defined standards.
As part of the journey to PHP perfection, you should embrace Rector. It's an amazing, free, and open-source tool for migrations, code quality, type coverage, pushing PHPStan to the highest levels, and yes, it can even auto-fix your existing code! It seamlessly integrates into the CI process, making your development workflow smoother than ever.
Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03
Project mention: I looked through attacks in my access logs. Here's what I found | news.ycombinator.com | 2024-01-28
Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there.
https://github.com/quay/clair
https://github.com/anchore/grype/
Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16
Semgrep OSS
Owner/Maintainer: Semgrep
Age: First release on GitHub on February 6th, 2020
License: GNU Lesser General Public License v2.1
Project mention: Experience Continuous Integration with Jenkins | Ansible | Artifactory | SonarQube | PHP | dev.to | 2024-02-24
SonarQube (Scroll down to the SonarQube section to see instructions on how to set up and configure SonarQube manually)
6. Gosec
Static Analysis related posts
- Show HN: MicroSCOPE – identify ransomware statically with heuristics
- Ask HN: Is there a GUI for bash shell?
- Pylyzer – A fast static code analyzer and language server for Python
- Semgrep – Find bugs and enforce code standards
- Application Security - Bridging Frontend and Cybersecurity: What is Application Security?
- PMD 7 Is Here
- DevSecOps with AWS- IaC at scale - Building your own platform - Part 1
Index
What are some of the best open-source Static Analysis projects? This list will help you:
# | Project | Stars
---|---|---
1 | ShellCheck | 34,934
2 | ImHex | 32,832
3 | ruff | 26,234
4 | SwiftLint | 18,294
5 | PHP Parser | 16,826
6 | Mobile-Security-Framework-MobSF | 16,289
7 | infer | 14,693
8 | bytecode-viewer | 14,325
9 | static-analysis | 12,811
10 | PHP CS Fixer | 12,543
11 | PHPStan | 12,526
12 | cmake-examples | 11,907
13 | owasp-mastg | 11,254
14 | awesome-malware-analysis | 11,057
15 | PHP Code Sniffer | 10,600
16 | clair | 10,030
17 | semgrep | 9,688
18 | hadolint | 9,677
19 | SonarQube | 8,543
20 | Checkstyle | 8,121
21 | Scanners-Box | 7,967
22 | grype | 7,623
23 | gosec | 7,441