Nuanced is an open-source library that generates enriched call graphs with static analysis annotations, providing AI coding tools with deeper understanding of code behavior.
The Open-Source Static Analysis Toolkit.
Write SAST checkers with Globstar and run them in your CI with a single binary. It's fast, easy to write, and MIT-licensed.
Globstar is a fast, feature-rich, and open-source static analysis toolkit for writing and running code checkers. Based on tree-sitter.
Reduce the environmental footprint of your software programs with SonarQube.
creedengo is a collective project aiming to reduce the environmental footprint of software at the code level. The goal of the project is to provide a list of static code analyzers that highlight code structures that may have a negative ecological impact: energy and resource over-consumption, "fatware", shortening terminals' lifespan, etc.
A performant type-checker for Python 3.
Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code. You can try it out on examples in the Pyre Playground.
System for collecting, deriving and querying facts about source code.
Glean is a system for working with facts about source code. You can use it for:
Collecting and storing detailed information about code structure. Glean is designed around an efficient storage model that enables storing information about code at scale.
Querying information about code, to power tools and experiences from online IDE features to offline code analysis.
Source: Indexing code at scale with Glean @ Engineering at Meta.
Missing Patch Scanner.
Vanir is a source code-based static analysis tool that automatically identifies the list of missing security patches in the target system. By default, Vanir pulls up-to-date CVEs from Open Source Vulnerabilities (OSV) together with their corresponding signatures so that users can transparently scan missing patches for an up-to-date list of CVEs.
Optional Static Typing for Python.
Mypy is an optional static type checker for Python that aims to combine the benefits of dynamic (or "duck") typing and static typing. Mypy combines the expressive power and convenience of Python with a powerful type system and compile-time type checking. Mypy type checks standard Python programs; run them using any Python VM with basically no runtime overhead.
An interpreter for Rust's mid-level intermediate representation.
Miri is an Undefined Behavior detection tool for Rust. It can run binaries and test suites of cargo projects and detect unsafe code that fails to uphold its safety requirements.
grep rough audit - source code auditing tool.
graudit is a simple script and a set of signatures that allow you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
pylyzer is a static code analyzer / language server for Python, written in Rust.
A tool to detect bugs in Java and C/C++/Objective-C code before it ships.
Infer is a static analysis tool - if you give Infer some Java or C/C++/Objective-C code it produces a list of potential bugs. Anyone can use Infer to intercept critical bugs before they have shipped to users, and help prevent crashes or poor performance.
Understand. Improve. Code.
AST Metrics is a blazing-fast static code analyzer that works across programming languages. It empowers you to gain deep insights into your code structure, identify potential problems early on, and improve code quality. Leveraging the efficiency of Go, AST Metrics delivers exceptional performance for large codebases.
Attributes to define PHP language extensions (to be enforced by static analysis).
This library provides attributes that are used by static analysers to enforce new language features. The intention, at least initially, is that these extra language features are enforced by static analysis tools (such as Psalm, PHPStan and, ideally, PhpStorm) and NOT at runtime.
An extensible multilanguage static code analyzer.
PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports many languages. It can be extended with custom rules. It uses JavaCC and ANTLR to parse source files into abstract syntax trees (ASTs) and runs rules against them to find violations. Rules can be written in Java or using an XPath query.
Code Analysis Made Easy.
coala provides a unified command-line interface for linting and fixing all your code, regardless of the programming languages you use.