static-code-analyzer
An Intelligent Python Code Quality Analyzer.
Building with Cursor, Claude, or ChatGPT? pyscn performs structural analysis to keep your codebase maintainable.
Terrascan is a static code analyzer for Infrastructure as Code.
Detect compliance and security violations across Infrastructure as Code (IaC) to mitigate risk before provisioning cloud native infrastructure.
Paralegal is a static analyzer for Rust code that enforces privacy and security policies on programs.
Antidote to VibeCoding. Offline-First, AI-Centric SAST & Code Intelligence Platform.
Unlike traditional SAST tools, TheAuditor is designed specifically for AI-assisted development workflows, providing ground truth that both developers and AI assistants can trust.
AI-assisted SAST, SCA and Secrets Detection. Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Semgrep is a fast, open-source, static analysis tool that searches code, finds bugs, and enforces secure guardrails and coding standards. Semgrep supports 30+ languages and can run in an IDE, as a pre-commit check, and as part of CI/CD workflows.
A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.
Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first or third party software components based on well-known library/API calls and is helpful in security and non-security use cases.
zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups.
Nuanced is an open-source library that generates enriched call graphs with static analysis annotations, providing AI coding tools with deeper understanding of code behavior.
The Open-Source Static Analysis Toolkit.
Write SAST checkers with Globstar and run them in your CI with a single binary. It's fast, easy to write, and MIT-licensed. Globstar is a fast, feature-rich, and open-source static analysis toolkit for writing and running code checkers. Based on tree-sitter.
Reduce the environmental footprint of your software programs with SonarQube.
creedengo is a collective project aiming to reduce the environmental footprint of software at the code level. The goal of the project is to provide a list of static code analyzers that highlight code structures which may have a negative ecological impact: energy and resource over-consumption, "fatware", shortening terminals' lifespan, etc.
A performant type-checker for Python 3.
Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally, providing instantaneous feedback to developers as they write code. You can try it out on examples in the Pyre Playground.
Analyze your Ruby scripts with prism. Find Ruby syntax patterns with Prism.
System for collecting, deriving and querying facts about source code.
Glean is a system for working with facts about source code. You can use it for:
- Collecting and storing detailed information about code structure. Glean is designed around an efficient storage model that enables storing information about code at scale.
- Querying information about code, to power tools and experiences from online IDE features to offline code analysis.
Source: Indexing code at scale with Glean @ Engineering at Meta.
Missing Patch Scanner.
Vanir is a source code-based static analysis tool that automatically identifies the list of missing security patches in the target system. By default, Vanir pulls up-to-date CVEs from Open Source Vulnerabilities (OSV) together with their corresponding signatures so that users can transparently scan missing patches for an up-to-date list of CVEs.
Optional Static Typing for Python.
Mypy is an optional static type checker for Python that aims to combine the benefits of dynamic (or "duck") typing and static typing. Mypy combines the expressive power and convenience of Python with a powerful type system and compile-time type checking. Mypy type checks standard Python programs; run them using any Python VM with basically no runtime overhead.
Analysis Tools and Linters to Improve Code Quality and Avoid Bugs
We list the best static analysis tools and linters that can help you improve code quality. All tools are peer-reviewed by fellow engineers. Avoid bugs in production, outages, and angry customers.
TwigStan is a static analyzer for Twig templates powered by PHPStan.
TwigStan uses Twig to compile templates to PHP code. It then optimizes the compiled PHP code slightly, allowing PHPStan to analyze it better. It then reports any errors back to the original template and line number.
ar-go-tools (Argot) is a collection of analysis tools for Go.
An interpreter for Rust's mid-level intermediate representation.
Miri is an Undefined Behavior detection tool for Rust. It can run binaries and test suites of cargo projects and detect unsafe code that fails to uphold its safety requirements.
grep rough audit - source code auditing tool.
graudit is a simple script with signature sets that allow you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
pylyzer is a static code analyzer / language server for Python, written in Rust.
A tool to detect bugs in Java and C/C++/Objective-C code before it ships.
Infer is a static analysis tool: if you give Infer some Java or C/C++/Objective-C code, it produces a list of potential bugs. Anyone can use Infer to intercept critical bugs before they have shipped to users, and help prevent crashes or poor performance.
Understand. Improve. Code.
AST Metrics is a blazing-fast static code analyzer that works across programming languages. It empowers you to gain deep insights into your code structure, identify potential problems early on, and improve code quality. Leveraging the efficiency of Go, AST Metrics delivers exceptional performance for large codebases.
Attributes to define PHP language extensions (to be enforced by static analysis).
This library provides attributes that are used by static analysers to enforce new language features. The intention, at least initially, is that these extra language features are enforced by static analysis tools (such as Psalm, PHPStan and, ideally, PhpStorm) and NOT at runtime.
An extensible multilanguage static code analyzer.
PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports many languages. It can be extended with custom rules. It uses JavaCC and Antlr to parse source files into abstract syntax trees (AST) and runs rules against them to find violations. Rules can be written in Java or using an XPath query.
Code Analysis Made Easy.
coala provides a unified command-line interface for linting and fixing all your code, regardless of the programming languages you use.