Scout APM is great for developers who want to find and fix performance issues in their applications. With Scout, we'll take care of the bugs so you can focus on building great things 🚀. Learn more →
Top 23 Static Analysis Open-Source Projects
ShellCheck, a static analysis tool for shell scriptsProject mention: Just learned how to use Linux and Bash over the summer, but Should I add powershell? | reddit.com/r/linuxadmin | 2022-10-05
Integrate shellcheck with whatever editor you are using so you get real-time feedback, and read the Advanced Bash Scripting Guide (old, but still good).
A tool to enforce Swift style and conventions.Project mention: Ask HN: Xcode users – how do you make it more usable? | news.ycombinator.com | 2022-09-25
1) Here are some tips & tricks for refactoring: https://developer.apple.com/documentation/xcode/finding-and-...
The “rename in project” or “rename in scope” functions are quite neat.
2) Check out SwiftLint: https://github.com/realm/SwiftLint
I have not used it in a while, but it comes with good defaults and is highly customizable to your own preferred Swift style.
Download talent.io’s Tech Salary Report. Median salaries, most in-demand technologies, state of the remote work... all you need to know your worth on the market by tech recruitment platform talent.io
A PHP parser written in PHPProject mention: How PHP engine builds AST | dev.to | 2022-09-05
A static analyzer for Java, C, C++, and Objective-CProject mention: Programming Breakthroughs We Need | news.ycombinator.com | 2022-08-17
> Maybe you could write tests as queries that would test a whole set of possible programs, not only the current version of your program at the moment.
I think that the future of programming is more sophisticated static analysis. Programmers will write statements like, "every code path that writes to the Payments database must have called validate_user()." Then, the tooling will confirm that rule with every commit.
We kind of have this already (for example, Facebook's Infer tool ), but I think it will become much more important in the coming decade.
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)Project mention: Reverse Engineering Tools in 2022 | news.ycombinator.com | 2022-09-18
I think they forgot to google translate the disadvantages of JEB Decompiler
I haven't used JEB to comment, but I've gotten a lot of mileage out of https://github.com/pxb1988/dex2jar#readme and then feed the normal Java jars it produces into https://github.com/mstrobel/procyon#readme and (of course) one shouldn't overlook picking your favorite tool for dealing with AndroidManifest.xml which often has fun things hiding in it
While digging up those links, I was reminded that some folks enjoy https://github.com/Konloch/bytecode-viewer#is-there-a-demo because it can be easier to "try out" a few of the decompilation engines, but I don't use it because it's hard to do batch things with it, versus dex2jar into procyon is automation friendly
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.Project mention: Can anyone recommend a good tool to pentest mobile apps?, I have the packages locally. Thanks | reddit.com/r/Pentesting | 2022-07-18
I can say only for android: - General Scanner -> https://github.com/MobSF/Mobile-Security-Framework-MobSF - Decompiler -> https://github.com/skylot/jadx
A tool to automatically fix PHP Coding Standards issuesProject mention: How I was able to install php-cs-fixer. Vscode + Linux machine | dev.to | 2022-09-03
To be bit a elaborate and for a proper updated installtion process, here is what I did: I used the [latest versio]n(https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/tag/v3.10.0) of php cs fixer then entered the command that followed to install php-cs-fixer.
Truly a developer’s best friend. Scout APM is great for developers who want to find and fix performance issues in their applications. With Scout, we'll take care of the bugs so you can focus on building great things 🚀.
PHP Static Analysis Tool - discover bugs in your code without running it!Project mention: Ask HN: Best PHP tools to improve code quality? | news.ycombinator.com | 2022-09-11
⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.Project mention: From Novice to contributor to Linux Kernel and/or other Low-Level projects | reddit.com/r/kernel | 2022-08-23
You can for example rely on static analyzers and scan the repositories (just please take care of making sure that any fix you make actually makes sense, sometimes people will just make whatever causes the reports to go away without understanding them). This site lists a bunch of them for different languages -> https://analysis-tools.dev/
PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.Project mention: How to define the most strict configuration possible for PHP codesniffer ? | reddit.com/r/PHPhelp | 2022-09-21
You can find a list of the available standards in the Standards directory of CodeSniffer (and there's a lot of 3rd party packages that provide even more options). Each Standards directory contains a ruleset.xml that has the default configuration for that standard.
The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).Project mention: Are android bugs mostly api and web ? | reddit.com/r/bugbounty | 2022-09-30
Have a look at the OWASP Mobile Application Testing Guide https://github.com/OWASP/owasp-mastg
Useful CMake ExamplesProject mention: How do I link fmt library to my project? | reddit.com/r/cpp_questions | 2022-09-08
Defund the Police.Project mention: Windows found a trojan called "ravadon.e". Is this a false alarm or what? I can't find anything about it offline except a site that just copy and pastes the trojan name into it's text. | reddit.com/r/antivirus | 2022-08-15
Vulnerability Static Analysis for ContainersProject mention: Implement DevSecOps to Secure your CI/CD pipeline | dev.to | 2022-09-27
Open source: Trivy, Gryp and Clair are widely used open source tools for container scanning.
Dockerfile linter, validate inline bash, written in HaskellProject mention: Checkmake: Experimental Linter/Analyzer for Makefiles | news.ycombinator.com | 2022-08-14
Some discussion on that here:
The hadolint project does shell checking for Dockerfiles and it uses shellcheck:
So the approach is definitely feasible, but you do need a new project and probably it needs to be written in Haskell.
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.Project mention: 5 easy paths to become a recognized Java expert. Really. For free. | dev.to | 2022-08-25
Continuous InspectionProject mention: Implement DevSecOps to Secure your CI/CD pipeline | dev.to | 2022-09-27
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.Project mention: How to ensure required fields in struct consistently? | reddit.com/r/golang | 2022-08-17
FWIW you can probably write a semgrep rule or something, to find all struct literals which don't mention a specific field.
A powerful and open-source toolkit for hackers and security automation - 安全行业从业者自研开源扫描器合辑Project mention: A powerful open-source toolkit for hackers and security automation | news.ycombinator.com | 2022-07-15
A static analysis security vulnerability scanner for Ruby on Rails applicationsProject mention: Github Pre-commit Hook Setup In Ruby On Rails for maintaining coding standards and productive. | dev.to | 2022-08-28
It’s assumed that you already have a Rails app and use Brakeman to keep your app secure and Rspec to run your test cases.
Golang security checkerProject mention: Goast: Generic static analysis for Go Abstract Syntax Tree by OPA/Rego | dev.to | 2022-09-12
Various static analysis tools are available for the Go language, and existing static analysis tools can check general best practices. For example, gosec is a tool to check secure Go coding, and I use it myself. However, coding rules in software development are not only based on best practices, but can also be software- or team-specific. For example
Catch common Java mistakes as compile-time errorsProject mention: Picnic loves Error Prone: producing high-quality and consistent Java code | reddit.com/r/java | 2022-10-06
If only Google didn't suck when it came to Java9+ support... https://github.com/google/error-prone/issues/2649
Performant type-checking for python.Project mention: Statically typed Python | reddit.com/r/Python | 2021-11-30
Facebook/Instagram uses Pyre which is a typechecker for Python.
Clean code begins in your IDE with SonarLint. Up your coding game and discover issues early. SonarLint is a free plugin that helps you find & fix bugs and security issues from the moment you start writing code. Install from your favorite IDE marketplace today.
Static Analysis related posts
Picnic loves Error Prone: producing high-quality and consistent Java code
1 project | reddit.com/r/java | 6 Oct 2022
Just learned how to use Linux and Bash over the summer, but Should I add powershell?
1 project | reddit.com/r/linuxadmin | 5 Oct 2022
I made an install script
5 projects | reddit.com/r/archlinux | 4 Oct 2022
suggestions for resources or best practices about packaging internal shell scripts
1 project | reddit.com/r/devops | 3 Oct 2022
New Kotlin Native Kafka client released! 🥳
2 projects | reddit.com/r/Kotlin | 3 Oct 2022
Slither for automatic smart contract auditing
1 project | reddit.com/r/ethdev | 2 Oct 2022
3 ways to improve your OSS project's resilience for Hacktoberfest
1 project | dev.to | 30 Sep 2022
A note from our sponsor - Scout APM
scoutapm.com | 7 Oct 2022
What are some of the best open-source Static Analysis projects? This list will help you:
|7||PHP CS Fixer||11,425|
|10||PHP Code Sniffer||9,728|
Are you hiring? Post a new remote job listing for free.