The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →
Top 23 static-code-analysis Open-Source Projects
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
biome
A toolchain for web projects, aimed to provide functionalities to maintain them. Biome offers formatter and linter, usable via CLI and LSP.
-
semgrep
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
-
Checkstyle
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
-
reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
-
datree
Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
-
phan
Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.
-
revive
🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint
-
NullAway
A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead
-
Flake8
flake8 is a python tool that glues together pycodestyle, pyflakes, mccabe, and third-party plugins to check the style and quality of some python code.
-
kube-score
Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
I picked up standard[1] a while back for this reason, I don't want to have to think about it. It works fine, I have no complaints (took me a while to get used to not using semi-colons but now I prefer it) Same reason I use `cargo fmt` as well.
Ruff is a Python linter that helps to identify and remove code smells. Over 700 built-in rules: Ruff includes native re-implementations of popular Flake8 plugins, like flake8-bugbear. And also built-in caching to avoid re-analyzing unchanged files.
If you're a developer, you're surely familiar with Prettier and ESLint. With over 8 years of existence, they have established themselves as references in the JavaScript ecosystem.
Project mention: An Introduction to Temporal Logic (With Applications to Concurrency Problems) | news.ycombinator.com | 2024-01-22I think most development occurs on problems that can't be formally modeled anyway. Most developers work on things like, "can you add this feature to the e-commerce site? And can the pop-up be blue?" which isn't really model-able.
But that's not to say that formal methods are useless! We can still prove some interesting aspects of programs -- for example, that every lock that gets acquired later gets released. I think tools like Infer[0] could become common in the coming years.
[0]: https://fbinfer.com/
Readers should also peruse the 'Multiple languages' section, many of the big names, Coverity, Klocwork et al. are listed there.
see https://github.com/analysis-tools-dev/static-analysis#multip...
As part of the journey to PHP perfection, you should embrace Rector. It's a amazing, free, and open-source tool for migrations, code quality, type coverage, pushing PHPStan to the highest levels, and yes, it can even auto-fix your existing code! It seamlessly integrates into the CI process, making your development workflow smoother than ever.
gem "rubocop" - https://github.com/rubocop/rubocop | Set up code guidelines for your dev team, I recommend using whatever Standard recommends.
Project mention: Fast, Declarative, Reproduble and Composable Developer Environments Using Nix | news.ycombinator.com | 2024-04-12
Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16Semgrep OSS Owner/Maintainer: Semgrep Age: First release on GitHub on February 6th, 2020 License: GNU Lesser General Public License v2.1
6. Gosec
I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.
Bandit is a tool designed to find common security issues in Python code. It was developed by the OpenStack Security Project and is a great addition to any serious Python project.
Besides what others have already advised, you can also get Phan to scan your project. Set the target to 8.1 and let it run its analysis. Check GitHub repo and docs there for more verbose instructions: https://github.com/phan/phan/
A little introduction about pylint. Pylint is a static code analyzer, it analyses your code without actually running it. Pylint looks for potential errors, gives suggestions on coding standards that your code is not adhering to, potential places where refactoring might help, and also warnings about smelly code.
The v1.3.4 of revive, the fast, configurable, extensible, flexible, and beautiful linter for Go, is available.
Pytype checks and infers types for your Python code - without requiring type annotations. Pytype can catch type errors in your Python code before you even run it.
Flake8. This library is a wrapper around pycodestyle (PEP8), pyflakes, and Ned Batchelder’s McCabe script. It is a great toolkit for checking your code base against coding style (PEP8), programming errors (like SyntaxError, NameError, etc) and to check cyclomatic complexity.
static-code-analysis related posts
- Semgrep – Find bugs and enforce code standards
- Application Security - Bridging Frontend and Cybersecurity: What is Application Security?
- PMD 7 Is Here
- Creating a DevSecOps pipeline with Jenkins — Part 1
- Tree-Sitter
- Rubberduck – A free and open-source VBIDE add-in
- An Introduction to Temporal Logic (With Applications to Concurrency Problems)
-
A note from our sponsor - WorkOS
workos.com | 19 Apr 2024
Index
What are some of the best open-source static-code-analysis projects? This list will help you:
Project | Stars | |
---|---|---|
1 | Standard | 28,856 |
2 | ruff | 26,234 |
3 | ESLint | 24,231 |
4 | infer | 14,688 |
5 | static-analysis | 12,811 |
6 | PHPStan | 12,526 |
7 | rubocop | 12,489 |
8 | biome | 9,966 |
9 | semgrep | 9,688 |
10 | Checkstyle | 8,121 |
11 | gosec | 7,426 |
12 | reviewdog | 7,329 |
13 | datree | 6,403 |
14 | bandit | 5,964 |
15 | phan | 5,495 |
16 | Pylint | 5,104 |
17 | PMD | 4,654 |
18 | revive | 4,595 |
19 | pytype | 4,536 |
20 | NullAway | 3,521 |
21 | Spotbugs | 3,326 |
22 | Flake8 | 3,252 |
23 | kube-score | 2,568 |