Static Evaluation Instruments for C

This repository lists static evaluation instruments for all programming languages, construct instruments, config information and extra. The main focus is on instruments which enhance code high quality equivalent to linters and formatters.
The official web site, analysis-tools.dev is predicated on this repository and provides rankings, consumer feedback, and extra assets like movies for every device.

Meaning of Symbols:

©️ stands for proprietary software program. All different instruments are Open Supply.
ℹ️ signifies that the group doesn’t advocate to make use of this device for brand spanking new tasks anymore. The icon hyperlinks to the dialogue concern.
⚠️ implies that this device was not up to date for greater than 1 yr, or the repo was archived.

Pull requests are very welcome!

Additionally take a look at the sister challenge, awesome-dynamic-analysis.

Programming Languages

Multiple Languages

Other

Present Different

Programming Languages

ABAP

abaplint — Linter for ABAP, written in TypeScript.
abapOpenChecks — Enhances the SAP Code Inspector with new and customizable checks.

Ada

Codepeer ©️ — Detects run-time and logic errors.
Polyspace for Ada ©️ — Present code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array entry, and sure different run-time errors in supply code.
SPARK ©️ — Static evaluation and formal verification toolset for Ada.

Assembly

STOKE ⚠️ — A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It makes use of random search to discover the extraordinarily high-dimensional area of all potential program transformations.

Awk

gawk –lint — Warns about constructs which might be doubtful or nonportable to different awk implementations.

C

Astrée ©️ — Astrée routinely proves the absence of runtime errors and invalid conpresent habits in C/C++ functions. It’s sound for floating-point computations, very quick, and exceptionally exact. The analyzer additionally checks for MISRA/CERT/CWE/Adaptive Autosar coding guidelines and helps qualification for ISO 26262, DO-178C degree A, and different security requirements. Jenkins and Eclipse plugins can be found.
CBMC — Bounded model-checker for C packages, user-defined assertions, normal assertions, a number of protection metric analyses.
clang-tidy — Clang-based C++ linter device with the (restricted) means to repair points, too.
clazy — Qt-oriented static code analyzer based mostly on the Clang framework. clazy is a compiler plugin which permits clang to know Qt semantics. You get greater than 50 Qt associated compiler warnings, starting from unneeded reminiscence allocations to misusage of API, together with fix-its for computerized refactoring.
CMetrics — Measures dimension and complexity for C information.
CPAchecker — A device for configurable software program verification of C packages. The title CPAchecker was chosen to replicate that the device is predicated on the CPA ideas and is used for checking software program packages.
cppcheck — Static evaluation of C/C++ code.
CppDepend ©️ — Measure, question and visualize your code and keep away from sudden points, technical debt and complexity.
cpplint — Automated C++ checker that follows Google’s type information.
cqmetrics — High quality metrics for C code.
CScout ⚠️ — Complexity and high quality metrics for C and C preprocessor code.
ESBMC — ESBMC is an open supply, permissively licensed, context-bounded mannequin checker based mostly on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ packages.
flawfinder — Finds potential safety weaknesses.
flint++ — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Fb.
Frama-C — A sound and extensible static analyzer for C code.
GCC — The GCC compiler has static evaluation capabilities since model 10. This selection is simply obtainable if GCC was configured with analyzer assist enabled. It could additionally output its diagnostics to a JSON file within the SARIF format (from v13).
Goblint — A static analyzer for the evaluation of multi-threaded C packages. Its main focus is the detection of knowledge races, but it surely additionally studies different runtime errors, equivalent to buffer overflows and null-pointer dereferences.
Helix QAC ©️ — Enterprise-grade static evaluation for embedded software program. Helps MISRA, CERT, and AUTOSAR coding requirements.
IKOS — A sound static analyzer for C/C++ code based mostly on LLVM.
Joern — Open-source code evaluation platform for C/C++ based mostly on code property graphs
KLEE — A dynamic symbolic execution engine constructed on high of the LLVM compiler infrastructure. It could auto-generate take a look at instances for packages such that the take a look at instances train as a lot of this system as potential.
LDRA ©️ — A device suite together with static evaluation (TBVISION) to varied requirements together with MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Customized Guidelines.
MATE — A collection of instruments for interactive program evaluation with a give attention to attempting to find bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability evaluation utilizing code property graphs (CPGs), enabling the invention of extremely application-specific vulnerabilities that rely on each implementation particulars and the high-level semantics of goal C/C++ packages.
PC-lint ©️ — Static evaluation for C/C++. Runs natively underneath Home windows/Linux/MacOS. Analyzes code for just about any platform, supporting C11/C18 and C++17.
Phasar — A LLVM-based static evaluation framework which comes with a taint and sort state evaluation.
Polyspace Bug Finder ©️ — Identifies run-time errors, concurrency points, safety vulnerabilities, and different defects in C and C++ embedded software program.
Polyspace Code Prover ©️ — Present code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array entry, and sure different run-time errors in C and C++ supply code.
scan-build — Frontend to drive the Clang Static Analyzer constructed into Clang through an everyday construct.
splint — Annotation-assisted static program checker.
SVF — A static device that permits scalable and exact interprocedural dependence evaluation for C and C++ packages.
TrustInSoft Analyzer ©️ — Exhaustive detection of coding errors and their related safety vulnerabilities. This encompasses a sound undefined habits detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized reminiscence accesses, signed overflows, invalid pointer arithmetic, and many others.), information stream and management stream verification in addition to full useful verification of formal specs. All variations of C as much as C18 and C++ as much as C++20 are supported. TrustInSoft Analyzer will purchase ISO 26262 qualification in Q2’2023 (TCL3). A MISRA C checker can also be bundled.
vera++ — Vera++ is a programmable device for verification, evaluation and transformation of C++ supply code.

C#

.NET Analyzers — A company for the event of analyzers (diagnostics and code fixes) utilizing the .NET Compiler Platform.
ArchUnitNET — A C# structure take a look at library to specify and assert structure guidelines in C# for automated testing.
code-cracker — An analyzer library for C# and VB that makes use of Roslyn to provide refactorings, code evaluation, and different niceties.
CSharpEssentials ⚠️ — C# Necessities is a set of Roslyn diagnostic analyzers, code fixes and refactorings that make it simple to work with C# 6 language options.
Designite ©️ — Designite helps detection of varied structure, design, and implementation smells, computation of varied code high quality metrics, and pattern evaluation.
Gendarme — Gendarme inspects packages and libraries that comprise code in ECMA CIL format (Mono and .NET).
Infer# — InferSharp (additionally known as Infer#) is an interprocedural and scalable static code analyzer for C#. By way of the capabilities of Fb’s Infer, this device detects null pointer dereferences and useful resource leaks.
Meziantou.Analyzer — A Roslyn analyzer to implement some good practices in C# by way of design, utilization, safety, efficiency, and magnificence.
NDepend ©️ — Measure, question and visualize your code and keep away from sudden points, technical debt and complexity.
Puma Scan — Puma Scan offers actual time safe code evaluation for frequent vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, and many others.) as growth groups write code in Visible Studio.
Roslynator — A group of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.
SonarAnalyzer.CSharp — These Roslyn analyzers help you produce Clear Code that’s protected, dependable, and maintainable by serving to you discover and proper bugs, vulnerabilities, and code smells in your codebase.
VSDiagnostics — A group of static analyzers based mostly on Roslyn that integrates with VS.
Wintellect.Analyzers — .NET Compiler Platform (“Roslyn”) diagnostic analyzers and code fixes.

C++

Astrée ©️ — Astrée routinely proves the absence of runtime errors and invalid conpresent habits in C/C++ functions. It’s sound for floating-point computations, very quick, and exceptionally exact. The analyzer additionally checks for MISRA/CERT/CWE/Adaptive Autosar coding guidelines and helps qualification for ISO 26262, DO-178C degree A, and different security requirements. Jenkins and Eclipse plugins can be found.
CBMC — Bounded model-checker for C packages, user-defined assertions, normal assertions, a number of protection metric analyses.
clang-tidy — Clang-based C++ linter device with the (restricted) means to repair points, too.
clazy — Qt-oriented static code analyzer based mostly on the Clang framework. clazy is a compiler plugin which permits clang to know Qt semantics. You get greater than 50 Qt associated compiler warnings, starting from unneeded reminiscence allocations to misusage of API, together with fix-its for computerized refactoring.
CMetrics — Measures dimension and complexity for C information.
cppcheck — Static evaluation of C/C++ code.
CppDepend ©️ — Measure, question and visualize your code and keep away from sudden points, technical debt and complexity.
cpplint — Automated C++ checker that follows Google’s type information.
cqmetrics — High quality metrics for C code.
CScout ⚠️ — Complexity and high quality metrics for C and C preprocessor code.
ESBMC — ESBMC is an open supply, permissively licensed, context-bounded mannequin checker based mostly on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ packages.
flawfinder — Finds potential safety weaknesses.
flint++ — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Fb.
Frama-C — A sound and extensible static analyzer for C code.
Helix QAC ©️ — Enterprise-grade static evaluation for embedded software program. Helps MISRA, CERT, and AUTOSAR coding requirements.
IKOS — A sound static analyzer for C/C++ code based mostly on LLVM.
Joern — Open-source code evaluation platform for C/C++ based mostly on code property graphs
KLEE — A dynamic symbolic execution engine constructed on high of the LLVM compiler infrastructure. It could auto-generate take a look at instances for packages such that the take a look at instances train as a lot of this system as potential.
LDRA ©️ — A device suite together with static evaluation (TBVISION) to varied requirements together with MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Customized Guidelines.
MATE — A collection of instruments for interactive program evaluation with a give attention to attempting to find bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability evaluation utilizing code property graphs (CPGs), enabling the invention of extremely application-specific vulnerabilities that rely on each implementation particulars and the high-level semantics of goal C/C++ packages.
PC-lint ©️ — Static evaluation for C/C++. Runs natively underneath Home windows/Linux/MacOS. Analyzes code for just about any platform, supporting C11/C18 and C++17.
Phasar — A LLVM-based static evaluation framework which comes with a taint and sort state evaluation.
Polyspace Bug Finder ©️ — Identifies run-time errors, concurrency points, safety vulnerabilities, and different defects in C and C++ embedded software program.
Polyspace Code Prover ©️ — Present code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array entry, and sure different run-time errors in C and C++ supply code.
scan-build — Frontend to drive the Clang Static Analyzer constructed into Clang through an everyday construct.
splint — Annotation-assisted static program checker.
SVF — A static device that permits scalable and exact interprocedural dependence evaluation for C and C++ packages.
TrustInSoft Analyzer ©️ — Exhaustive detection of coding errors and their related safety vulnerabilities. This encompasses a sound undefined habits detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized reminiscence accesses, signed overflows, invalid pointer arithmetic, and many others.), information stream and management stream verification in addition to full useful verification of formal specs. All variations of C as much as C18 and C++ as much as C++20 are supported. TrustInSoft Analyzer will purchase ISO 26262 qualification in Q2’2023 (TCL3). A MISRA C checker can also be bundled.
vera++ — Vera++ is a programmable device for verification, evaluation and transformation of C++ supply code.

Clojure

clj-kondo — A linter for Clojure code that sparks pleasure. It informs you about potential errors if you are typing.

CoffeeScript

coffeelint ⚠️ — A method checker that helps preserve CoffeeScript code clear and constant.

ColdFusion

Fixinator ©️ — Static safety code evaluation for ColdFusion or CFML code. Designed to work inside a CI pipeline or from the builders terminal.

Crystal

ameba — A static code evaluation device for Crystal.
crystal — The Crystal compiler has built-in linting performance.

Dart

Dart Code Metrics — Further linter for Dart. Reviews code metrics, checks for anti-patterns and offers extra guidelines for Dart analyzer.
effective_dart — Linter guidelines comparable to the rules in Efficient Dart
lint — An opinionated, community-driven set of lint guidelines for Dart and Flutter tasks. Like pedantic however stricter
Linter for dart — Fashion linter for Dart.

Delphi

Fix Insight ©️ — A free IDE Plugin for static code evaluation. A Professional version features a command line device for automation functions.
Pascal Analyzer ©️ — A static code evaluation device with quite a few studies. A free Lite model is on the market with restricted reporting.
Pascal Expert ©️ — IDE plugin for code evaluation. Features a subset of Pascal Analyzer reporting capabilities and is on the market for Delphi variations 2007 and later.

Dlang

D-scanner — D-Scanner is a device for analyzing D supply code.

Elixir

credo — A static code evaluation device with a give attention to code consistency and instructing.
dialyxir — Combine duties to simplify use of Dialyzer in Elixir tasks.
sobelow — Safety-focused static evaluation for the Phoenix Framework.

Elm

elm-analyse ⚠️ — A device that lets you analyse your Elm code, determine deficiencies and apply finest practices.
elm-review — Analyzes complete Elm tasks, with a give attention to shareable and customized guidelines written in Elm that add ensures the Elm compiler does not offer you.

Erlang

dialyzer — The DIALYZER, a DIscrepancy AnaLYZer for ERlang packages. Dialyzer is a static evaluation device that identifies software program discrepancies, equivalent to particular kind errors, code that has change into useless or unreachable due to programming error, and pointless exams, in single Erlang modules or total (units of) functions.
Dialyzer begins its evaluation from both debug-compiled BEAM bytecode or from Erlang supply code. The file and line variety of a discrepancy is reported together with a sign of what the discrepancy is about. Dialyzer bases its evaluation on the idea of success typings, which permits for sound warnings (no false positives).
elvis — Erlang Fashion Reviewer.
Primitive Erlang Security Tool (PEST) ⚠️ — A device to do a fundamental scan of Erlang supply code and report any perform calls which will trigger Erlang supply code to be insecure.

F#

FSharpLint — Lint device for F#.

Fortran

fprettify — Auto-formatter for contemporary fortran supply code, written in Python.
Fprettify is a device that gives constant whitespace, indentation, and delimiter alignment in code, together with the power to alter letter case and deal with preprocessor directives, all whereas preserving revision historical past and examined for editor integration.
i-Code CNES for Fortran — An open supply static code evaluation device for Fortran 77, Fortran 90 and Shell.

Go

aligncheck — Discover inefficiently packed structs.
bodyclose — Checks whether or not HTTP response physique is closed.
deadcode — Finds unused code.
dingo-hunter — Static analyser for locating deadlocks in Go.
dogsled — Finds assignments/declarations with too many clean identifiers.
dupl ⚠️ — Reviews probably duplicated code.
errcheck — Examine that error return values are used.
errwrap — Wrap and repair Go errors with the brand new %w verb directive. This device analyzes fmt.Errorf() calls and studies calls that comprise a verb directive that is totally different than the brand new %w verb directive launched in Go v1.13. It is also able to rewriting calls to make use of the brand new %w wrap verb directive.
flen — Get data on size of capabilities in a Go bundle.
Go Meta Linter ⚠️ — Concurrently run Go lint instruments and normalise their output. Use golangci-lint for brand spanking new tasks.
go tool vet –shadow — Reviews variables which will have been unintentionally shadowed.
go vet — Examines Go supply code and studies suspicious.
go-consistent — Analyzer that lets you make your Go packages extra constant.
go-critic — Go supply code linter that maintains checks that are presently not carried out in different linters.
go/ast — Package deal ast declares the categories used to signify syntax timber for Go packages.
goast — Go AST (Summary Syntax Tree) based mostly static evaluation device with Rego.
gochecknoglobals — Checks that no globals are current.
goconst — Finds repeated strings that might be changed by a continuing.
gocyclo — Calculate cyclomatic complexities of capabilities in Go supply code.
gofmt -s — Checks if the code is correctly formatted and couldn’t be additional simplified.
gofumpt — Implement a stricter format than gofmt, whereas being backwards-compatible. That’s, gofumpt is proud of a subset of the codecs that gofmt is proud of.
The device is a fork of gofmt as of Go 1.19, and requires Go 1.18 or later. It may be used as a drop-in substitute to format your Go code, and working gofmt after gofumpt ought to produce no modifications.
gofumpt won’t ever add guidelines which disagree with gofmt formatting. So we lengthen gofmt fairly than compete with it.
goimports — Checks lacking or unreferenced bundle imports.
gokart — Golang safety evaluation with a give attention to minimizing false positives. It’s able to tracing the supply of variables and performance arguments to find out whether or not enter sources are protected.
GolangCI-Lint — Various to Go Meta Linter: GolangCI-Lint is a linters aggregator.
golint — Prints out coding type errors in Go supply code.
goreporter — Concurrently runs many linters and normalises their output to a report.
goroutine-inspect — An interactive device to investigate Golang goroutine dump.
gosec (gas) — Inspects supply code for safety issues by scanning the Go AST.
gotype — Syntactic and semantic evaluation just like the Go compiler.
govulncheck — Govulncheck studies recognized vulnerabilities that have an effect on Go code. It makes use of static evaluation of supply code or a binary’s image desk to slim down studies to solely those who might have an effect on the appliance.
By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database comprise solely module paths, not code or different properties of your program.
ineffassign — Detect ineffectual assignments in Go code.
interfacer ⚠️ — Recommend narrower interfaces that can be utilized.
lll ⚠️ — Report lengthy strains.
maligned ⚠️ — Detect structs that may take much less reminiscence if their fields had been sorted.
misspell — Finds generally misspelled English phrases.
nakedret — Finds bare returns.
nargs — Finds unused arguments in perform declarations.
prealloc — Finds slice declarations that would probably be preallocated.
Reviewdog — A device for posting evaluation feedback from any linter in any code internet hosting service.
revive — Quick, configurable, extensible, versatile, and delightful linter for Go. Drop-in substitute of golint.
safesql ⚠️ — Static evaluation device for Golang that protects towards SQL injections.
shisho — A light-weight static code analyzer designed for builders and safety groups. It lets you analyze and rework supply code with an intuitive DSL just like sed, however for code.
staticcheck — Go static evaluation that specialises find bugs, simplifying code and enhancing efficiency.
structcheck — Discover unused struct fields.
structslop — Static analyzer for Go that recommends struct subject rearrangements to offer for max area/allocation effectivity
test — Present location of take a look at failures from the stdlib testing module.
unconvert — Detect redundant kind conversions.
unparam — Discover unused perform parameters.
varcheck — Discover unused world variables and constants.
wsl — Enforces empty strains on the proper locations.

Groovy

CodeNarc — A static evaluation device for Groovy supply code, enabling monitoring and enforcement of many coding requirements and finest practices.

Haskell

brittany — Haskell supply code formatter
HLint — HLint is a device for suggesting potential enhancements to Haskell code.
Liquid Haskell — Liquid Haskell is a refinement kind checker for Haskell packages.
Stan — Stan is a command-line device for analysing Haskell tasks and outputting found vulnerabilities in a useful method with potential options for detected issues.
Weeder — A device for detecting useless exports or bundle imports in Haskell code.

Haxe

Haxe Checkstyle — A static evaluation device to assist builders write Haxe code that adheres to a coding normal.

Java

Checker Framework — Pluggable type-checking for Java.
checkstyle — Checking Java supply code for adherence to a Code Normal or set of validation guidelines (finest practices).
ck — Calculates Chidamber and Kemerer object-oriented metrics by processing the supply Java information.
ckjm — Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java information.
CogniCrypt — Checks Java supply and byte code for incorrect makes use of of cryptographic APIs.
DesigniteJava ©️ — DesigniteJava helps detection of varied structure, design, and implementation smells together with computation of varied code high quality metrics.
Diffblue ©️ — Diffblue is a software program firm that gives AI-powered code evaluation and testing options for software program growth groups.
Its expertise helps builders automate testing, discover bugs, and scale back guide labor of their software program growth processes. The corporate’s foremost product, Diffblue Cowl, makes use of AI to generate and run unit exams for Java code, serving to to catch errors and enhance code high quality.
Doop — Doop is a declarative framework for static evaluation of Java/Android packages, centered on pointer evaluation algorithms. Doop offers a big number of analyses and likewise the encircling scaffolding to run an evaluation end-to-end (reality era, processing, statistics, and many others.).
Error-prone — Catch frequent Java errors as compile-time errors.
fb-contrib — A plugin for FindBugs with extra bug detectors.
forbidden-apis — Detects and forbids invocations of particular technique/class/subject (like studying from a textual content stream with out a charset). Maven/Gradle/Ant appropriate.
google-java-format — Reformats Java supply code to adjust to Google Java Fashion
HuntBugs ⚠️ — Bytecode static analyzer device based mostly on Procyon Compiler Instruments aimed to supersede FindBugs.
IntelliJ IDEA ©️ — Comes bundled with a number of inspections for Java and Kotlin and contains instruments for refactoring, formatting and extra.
JArchitect ©️ — Measure, question and visualize your code and keep away from sudden points, technical debt and complexity.
JBMC — Bounded model-checker for Java (bytecode), verifies user-defined assertions, normal assertions, a number of protection metric analyses.
Mariana Trench — Our safety targeted static evaluation device for Android and Java functions. Mariana Trench analyzes Dalvik bytecode and is constructed to run quick on massive codebases (10s of hundreds of thousands of strains of code). It could discover vulnerabilities as code modifications, earlier than it ever lands in your repository.
NullAway — Kind-based null-pointer checker with low build-time overhead; an Error Prone plugin.
OWASP Dependency Check — Checks dependencies for recognized, publicly disclosed, vulnerabilities.
qulice — Combines a number of (pre-configured) static evaluation instruments (checkstyle, PMD, Findbugs, …).
RefactorFirst — Identifies and prioritizes God Courses and Extremely Coupled lessons in Java codebases it’s best to refactor first.
Soot — A framework for analyzing and remodeling Java and Android functions.
Spoon — Spoon is a metaprogramming library to investigate and rework Java supply code (incl Java 9, 10, 11, 12, 13, 14). It parses supply information to construct a well-designed AST with highly effective evaluation and transformation API. May be built-in in Maven and Gradle.
SpotBugs — SpotBugs is FindBugs’ successor. A device for static evaluation to search for bugs in Java code.
steady — Analyses your Java functions for open-source dependencies with recognized vulnerabilities, utilizing each static evaluation and testing to find out code context and utilization for larger accuracy.
Violations Lib — Java library for parsing report information from static code evaluation. Utilized by a bunch of Jenkins, Maven and Gradle plugins.

JavaScript

aether ⚠️ — Lint, analyze, normalize, rework, sandbox, run, step via, and visualize consumer JavaScript, in node or the browser.
Closure Compiler — A compiler device to extend effectivity, scale back dimension, and supply code warnings in JavaScript information.
ClosureLinter ⚠️ — Ensures that all your challenge’s JavaScript code follows the rules within the Google JavaScript Fashion Information. It could additionally routinely repair many frequent errors.
complexity-report ⚠️ — Software program complexity evaluation for JavaScript tasks.
DeepScan ©️ — An analyzer for JavaScript which targets runtime errors and high quality points fairly than coding conventions.
es6-plato ⚠️ — Visualize JavaScript (ES6) supply complexity.
escomplex ⚠️ — Software program complexity evaluation of JavaScript-family summary syntax timber.
Esprima ⚠️ — ECMAScript parsing infrastructure for multipurpose evaluation.
flow — A static kind checker for JavaScript.
hegel — A static kind checker for JavaScript with a bias on kind inference and robust kind programs.
jshint ℹ️ — Detect errors and potential issues in JavaScript code and implement your crew’s coding conventions.
JSLint ℹ️ — The JavaScript Code High quality Device.
JSPrime ⚠️ — Static safety evaluation device.
NodeJSScan — A static safety code scanner for Node.js functions powered by libsast and semgrep that builds on the njsscan cli device. It incorporates a UI with varied dashboards about an software’s safety standing.
plato ⚠️ — Visualize JavaScript supply complexity.
Polymer-analyzer — A static evaluation framework for Internet Parts.
Reshift ©️ — A supply code evaluation device for detecting and managing JavaScript safety vulnerabilities.
retire.js — Scanner detecting the usage of JavaScript libraries with recognized vulnerabilities.
RSLint ⚠️ — A (WIP) JavaScript linter written in Rust designed to be as quick as potential, customizable, and simple to make use of.
standard — An npm module that checks for Javascript Styleguide points.
tern — A JavaScript code analyzer for deep, cross-editor language assist.
TypL ⚠️ — With TypL, you simply write utterly normal JS, and the device figures out your varieties through highly effective inferencing.
xo — Opinionated however configurable ESLint wrapper with a number of goodies included. Enforces strict and readable code.
yardstick ⚠️ — Javascript code metrics.

Julia

StaticLint — Static Code Evaluation for Julia

Kotlin

detekt — Static code evaluation for Kotlin code.
diktat — Strict coding normal for Kotlin and a linter that detects and auto-fixes code smells.
ktfmt — A program that reformats Kotlin supply code to adjust to the frequent group normal for Kotlin code conventions.
A ktfmt IntelliJ plugin is on the market from the plugin repository. To put in it, go to your IDE’s settings and choose the Plugins class. Click on the Market tab, seek for the ktfmt plugin, and click on the Set up button.
ktlint — An anti-bikeshedding Kotlin linter with built-in formatter.

Lua

luacheck ⚠️ — A device for linting and static evaluation of Lua code.
lualint — lualint performs luac-based static evaluation of worldwide variable utilization in Lua supply code.
Luanalysis — An IDE for statically typed Lua growth.

MATLAB

mlint ©️ — Examine MATLAB code information for potential issues.

Nim

DrNim — DrNim combines the Nim frontend with the Z3 proof engine as a way to enable confirm / validate software program written in Nim.
nimfmt ⚠️ — Nim code formatter / linter / type checker

Ocaml

Sys — A static/symbolic Device for locating bugs in (browser) code. It makes use of the LLVM AST to seek out bugs like uninitialized reminiscence entry.
VeriFast — A device for modular formal verification of correctness properties of single-threaded and multithreaded C and Java packages annotated with preconditions and postconditions written in separation logic. To specific wealthy specs, the programmer can outline inductive datatypes, primitive recursive pure capabilities over these datatypes, and summary separation logic predicates.

PHP

CakeFuzzer — Internet software safety testing device for CakePHP-based net functions. CakeFuzzer employs a predefined set of assaults which might be randomly modified earlier than execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches assaults on all potential software entry factors.
churn-php — Helps uncover good candidates for refactoring.
dephpend — Dependency evaluation device.
deprecation-detector — Finds usages of deprecated (Symfony) code.
deptrac — Implement guidelines for dependencies between software program layers.
DesignPatternDetector — Detection of design patterns in PHP code.
EasyCodingStandard — Mix PHP_CodeSniffer and PHP-CS-Fixer.
Enlightn — A static and dynamic evaluation device for Laravel functions that gives suggestions to enhance the efficiency, safety and code reliability of Laravel apps. Accommodates 120 automated checks.
exakat — An automatic code reviewing engine for PHP.
GrumPHP — Checks code on each commit.
larastan — Provides static evaluation to Laravel enhancing developer productiveness and code high quality. It’s a wrapper round PHPStan.
Mondrian ⚠️ — A set of static evaluation and refactoring instruments which use graph concept.
Nitpick CI ©️ — Automated PHP code evaluation.
parallel-lint — This device checks syntax of PHP information quicker than serial verify with a fancier output.
Parse — A Static Safety Scanner.
pdepend — Calculates software program metrics like cyclomatic complexity for PHP code.
phan — A contemporary static analyzer from etsy.
PHP Architecture Tester — Simple to make use of structure testing device for PHP.
PHP Assumptions — Checks for weak assumptions.
PHP Coding Standards Fixer — Fixes your code in line with requirements like PSR-1, PSR-2, and the Symfony normal.
PHP Insights — On the spot PHP high quality checks out of your console. Evaluation of code high quality and coding type in addition to overview of code structure and its complexity.
Php Inspections (EA Extended) — A Static Code Analyzer for PHP.
PHP Refactoring Browser — Refactoring helper.
PHP Semantic Versioning Checker — Suggests a subsequent model in line with semantic versioning.
PHP-Parser — A PHP parser written in PHP.
php-speller — PHP spell verify library.
PHP-Token-Reflection ⚠️ — Library emulating the PHP inside reflection.
php7cc ⚠️ — PHP 7 Compatibility Checker.
php7mar ⚠️ — Help builders in porting their code rapidly to PHP 7.
PHP_CodeSniffer — Detects violations of an outlined set of coding requirements.
phpca — Finds utilization of non-built-in extensions.
phpcpd — Copy/Paste Detector for PHP code.
phpdcd ⚠️ — Lifeless Code Detector (DCD) for PHP code.
PhpDependencyAnalysis ⚠️ — Builds a dependency graph for a challenge.
PhpDeprecationDetector — Analyzer of PHP code to go looking points with deprecated performance in newer interpreter variations. It finds eliminated objects (capabilities, variables, constants and ini-directives), deprecated capabilities performance, and utilization of forbidden names or tips (e.g. reserved identifiers in newer variations).
phpdoc-to-typehint ⚠️ — Add scalar kind hints and return varieties to present PHP tasks utilizing PHPDoc annotations.
phpDocumentor — Analyzes PHP supply code to generate documentation.
phploc — A device for rapidly measuring the dimensions and analyzing the construction of a PHP challenge.
PHPMD — Finds potential bugs in your code.
PhpMetrics — Calculates and visualizes varied code high quality metrics.
phpmnd — Helps to detect magic numbers.
PHPQA — A device for working QA instruments (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics).
phpqa – jakzal — Many instruments for PHP static evaluation in a single container.
phpqa – jmolivas — PHPQA all-in-one Analyzer CLI device.
phpsa ⚠️ — Static evaluation device for PHP.
PHPStan — PHP Static Evaluation Device – uncover bugs in your code with out working it!
Progpilot — A static evaluation device for safety functions.
Psalm — Static evaluation device for locating kind errors in PHP functions.
Qafoo Quality Analyzer ⚠️ — Visualizes metrics and supply code.
rector — On the spot Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and past. Rector guarantees a low false-positive price as a result of it seems for narrowly outlined AST (summary syntax tree) patterns. The principle use-case are tackling technical debt in your legacy code and eradicating useless code. Rector offers a set of particular guidelines for Symfony, Doctrine, PHPUnit, and lots of extra.
Reflection — Reflection library to do Static Evaluation for PHP Tasks
Symfony Insight ©️ — Detect safety dangers, discover bugs and supply actionable metrics for PHP tasks.
Tuli — A static evaluation engine.
twig-lint — twig-lint is a lint device on your twig information.
WAP — Device to detect and proper enter validation vulnerabilities in PHP (4.0 or increased) net functions and predicts false positives by combining static evaluation and information mining.

PL/SQL

ZPA — Z PL/SQL Analyzer (ZPA) is an extensible code analyzer for PL/SQL and Oracle SQL. It may be built-in with SonarQube.

Perl

Perl::Analyzer — Perl-Analyzer is a set of packages and modules that enable customers to investigate and visualize Perl codebases by offering details about namespaces and their relations, dependencies, inheritance, and strategies carried out, inherited, and redefined in packages, in addition to calls to strategies from guardian packages through SUPER.
Perl::Critic — Critique Perl supply code for best-practices.
perltidy — Perltidy is a Perl script which indents and reformats Perl scripts to make them simpler to learn.
The formatting could be managed with command line parameters. The default parameter settings roughly observe the strategies within the Perl Fashion Information.
Apart from reformatting scripts, Perltidy is usually a nice assist in monitoring down errors with lacking or further braces, parentheses, and sq. brackets as a result of it is extremely good at localizing errors.
zarn — A light-weight static safety evaluation device for contemporary Perl Apps

Python

autoflake — Autoflake removes unused imports and unused variables from Python code.
autopep8 — A device that routinely codecs Python code to evolve to the PEP 8 type information.
It makes use of the pycodestyle utility to find out what components of the code must be formatted.
bandit — A device to seek out frequent safety points in Python code.
bellybutton — A linting engine supporting customized project-specific guidelines.
Black — The uncompromising Python code formatter.
Bowler — Protected code refactoring for contemporary Python. Bowler is a refactoring device for manipulating Python on the syntax tree degree. It permits protected, massive scale code modifications whereas guaranteeing that the ensuing code compiles and runs. It offers each a easy command line interface and a fluent API in Python for producing complicated code modifications in code.
ciocheck ⚠️ — Linter, formatter and take a look at suite helper. As a linter, it’s a wrapper round pep8, pydocstyle, flake8, and pylint.
cohesion — A device for measuring Python class cohesion.
deal — Design by contract for Python. Write bug-free code. By including a number of decorators to your code, you get free of charge exams, static evaluation, formal verification, and rather more.
Dlint — A device for making certain Python code is safe.
Dodgy — Dodgy is a really fundamental device to run towards your codebase to seek for “dodgy” trying values. It’s a collection of straightforward common expressions designed to detect issues equivalent to unintentional SCM diff checkins, or passwords or secret keys onerous coded into information.
fixit — A framework for creating lint guidelines and corresponding auto-fixes for supply code.
flake8 — A wrapper round pyflakes, pycodestyle and mccabe.
flakeheaven — flakeheaven is a python linter constructed round flake8 to allow inheritable and complicated toml configuration.
InspectorTiger ⚠️ — IT, Inspector Tiger, is a contemporary python code evaluation device / framework. It comes with bunch of pre-defined handlers which warns you about enhancements and potential bugs. Beside these handlers, you’ll be able to write your individual or use group ones.
jedi — Autocompletion/static evaluation library for Python.
linty fresh — Parse lint errors and report them to Github as feedback on a pull request.
mccabe — Examine McCabe complexity.
multilint ⚠️ — A wrapper round flake8, isort and modernize.
mypy — A static kind checker that goals to mix the advantages of duck typing and static typing, regularly used with MonkeyType.
prospector — A wrapper round pylint, pep8, mccabe and others.
py-find-injection ⚠️ — Discover SQL injection vulnerabilities in Python code.
pyanalyze — A device for programmatically detecting frequent errors in Python code, equivalent to references to undefined variables and sort errors. It may be prolonged so as to add extra guidelines and carry out checks particular to specific capabilities.
PyCodeQual ©️ — PyCodeQual offers you insights into complexity and bug dangers. It provides computerized evaluations to your pull requests.
pycodestyle — (Previously pep8) Examine Python code towards a few of the type conventions in PEP 8.
pydocstyle — Examine compliance with Python docstring conventions.
pyflakes — Examine Python supply information for errors.
pylint — Appears to be like for programming errors, helps imposing a coding normal and sniffs for some code smells. It moreover contains pyreverse (an UML diagram generator) and symilar (a similarities checker).
pyre-check — A quick, scalable kind checker for giant Python codebases.
pyright — Static kind checker for Python, created to handle gaps in present instruments like mypy.
pyroma — Charge how nicely a Python challenge complies with the most effective practices of the Python packaging ecosystem, and listing points that might be improved.
Pysa — A device based mostly on Fb’s pyre-check to determine potential safety points in Python code recognized with taint evaluation.
PyT – Python Taint ⚠️ — A static evaluation device for detecting safety vulnerabilities in Python net functions.
pytype — A static kind analyzer for Python code.
pyupgrade — A device (and pre-commit hook) to routinely improve syntax for newer variations of the language.
QuantifiedCode ⚠️ — Automated code evaluation & restore. It lets you preserve monitor of points and metrics in your software program tasks, and could be simply prolonged to assist new varieties of analyses.
radon — A Python device that computes varied metrics from the supply code.
refurb — A device for refurbishing and modernizing Python codebases. Refurb is closely impressed by clippy, the built-in linter for Rust.
ruff — Quick Python linter, written in Rust. 10-100x quicker than present linters. Suitable with Python 3.10. Helps file watcher.
unimport — A linter, formatter for locating and eradicating unused import statements.
vulture — Discover unused lessons, capabilities and variables in Python code.
wemake-python-styleguide — The strictest and most opinionated python linter ever.
wily — A command-line device for archiving, exploring and graphing the complexity of Python supply code.
xenon — Monitor code complexity utilizing radon.
yapf — A formatter for Python information created by Google
YAPF follows a particular methodology, originating from the ‘clang-format’ device created by Daniel Jasper. Basically, this system reframes the code to essentially the most appropriate formatting that abides by the type information, even when the unique code already follows the type information. This idea is just like the Go programming language’s ‘gofmt’ device, which goals to place an finish to debates about formatting by having your complete codebase of a challenge move via YAPF at any time when modifications are made, thereby sustaining a constant type all through the challenge and eliminating the necessity to argue about type in each code evaluation.

R

cyclocomp — Quantifies the cyclomatic complexity of R capabilities / expressions.
goodpractice — Analyses the supply code for R packages and offers best-practice suggestions.
lintr — Static Code Evaluation for R.
styler — Formatting of R supply code information and pretty-printing of R code.

Rego

Regal — Regal is a linter for the coverage language Rego. Regal goals to catch bugs and errors in coverage code, whereas on the similar time serving to folks be taught the language, finest practices and idiomatic constructs.

Ruby

brakeman — A static evaluation safety vulnerability scanner for Ruby on Rails functions.
bundler-audit — Audit Gemfile.lock for gems with safety vulnerabilities reported in Ruby Advisory Database.
cane ⚠️ — Code high quality threshold checking as a part of your construct.
Churn ⚠️ — A Venture to offer the churn file, class, and technique for a challenge for a given checkin. Over time the device provides up the historical past of churns to offer the variety of occasions a file, class, or technique is altering in the course of the lifetime of a challenge.
dawnscanner — A static evaluation safety scanner for ruby written net functions. It helps Sinatra, Padrino and Ruby on Rails frameworks.
ERB Lint — Lint your ERB or HTML information
Fasterer — Frequent Ruby idioms checker.
flay — Flay analyzes code for structural similarities.
flog — Flog studies essentially the most tortured code in a simple to learn ache report. The upper the rating, the extra ache the code is in.
Fukuzatsu — A device for measuring code complexity in Ruby class information. Its evaluation generates scores based mostly on cyclomatic complexity algorithms with no added “opinions”.
htmlbeautifier — A normaliser/beautifier for HTML that additionally understands embedded Ruby. Preferrred for tidying up Rails templates.
laser ⚠️ — Static evaluation and magnificence linter for Ruby code.
MetricFu ⚠️ — MetricFu is a set of instruments to offer studies that present which components of your code would possibly want further work.
pelusa — Static evaluation Lint-type device to enhance your OO Ruby code.
quality — Runs high quality checks in your code utilizing group instruments, and makes certain your numbers do not get any worse over time.
Querly ⚠️ — Sample Based mostly Checking Device for Ruby.
Railroader ⚠️ — An open supply static evaluation safety vulnerability scanner for Ruby on Rails functions.
rails_best_practices — A code metric device for Rails tasks
reek — Code odor detector for Ruby.
Roodi ⚠️ — Roodi stands for Ruby Object Oriented Design Inferometer. It parses your Ruby code and warns you about design points you’ve based mostly on the checks that it has configured.
RuboCop — A Ruby static code analyzer, based mostly on the group Ruby type information.
Rubrowser — Ruby lessons interactive dependency graph generator.
ruby-lint ⚠️ — Static code evaluation for Ruby.
rubycritic — A Ruby code high quality reporter.
rufo — An opinionated ruby formatter, meant for use through the command line as a text-editor plugin, to autoformat information on save or on demand.
Saikuro ⚠️ — A Ruby cyclomatic complexity analyzer.
SandiMeter ⚠️ — Static evaluation device for checking Ruby code for Sandi Metz’ guidelines.
Sorbet — A quick, highly effective kind checker designed for Ruby.
Standard Ruby — Ruby Fashion Information, with linter & computerized code fixer
Steep — Gradual Typing for Ruby.

Rust

C2Rust — C2Rust helps you migrate C99-compliant code to Rust. The translator (or transpiler) produces unsafe Rust code that intently mirrors the enter C code.
cargo udeps — Discover unused dependencies in Cargo.toml. It both prints out a “unused crates” line itemizing the crates, or it prints out a line saying that no crates had been unused.
cargo-audit — Audit Cargo.lock for crates with safety vulnerabilities reported to the RustSec Advisory Database.
cargo-bloat — Discover out what takes many of the area in your executable. helps ELF (Linux, BSD), Mach-O (macOS) and PE (Home windows) binaries.
cargo-breaking — cargo-breaking compares a crate’s public API between two totally different branches, exhibits what modified, and suggests the following model in line with semver.
cargo-call-stack — Complete program static stack evaluation The device produces the total name graph of a program as a dot file.
cargo-deny — A cargo plugin for linting your dependencies. It may be used both as a command line too, a Rust crate, or a Github motion for CI. It checks for legitimate license data, duplicate crates, safety vulnerabilities, and extra.
cargo-expand — Cargo subcommand to indicate results of macro enlargement and #[derive] enlargement utilized to the present crate. This can be a wrapper round a extra verbose compiler command.
cargo-inspect ⚠️ — Examine Rust code with out syntactic sugar to see what the compiler does behind the curtains.
cargo-show-asm — cargo subcommand exhibiting the meeting, LLVM-IR and MIR generated for Rust code
cargo-spellcheck — Checks all of your documentation for spelling and grammar errors with hunspell (prepared) and languagetool (preview)
cargo-unused-features — Discover potential unused enabled characteristic flags and prune them. You’ll be able to generate a easy HTML report from the json to make it simpler to examine outcomes.
It removes a characteristic of a dependency after which compiles the challenge to see if it nonetheless compiles. If it does, the characteristic flag can presumably be eliminated, however it may be a false-positve.
clippy — A code linter to catch frequent errors and enhance your Rust code.
diff.rs — Internet software (WASM) to render a diff between Rust crate variations.
dylint — A device for working Rust lints from dynamic libraries. Dylint makes it simple for builders to take care of their very own private lint collections.
electrolysis ⚠️ — A device for formally verifying Rust packages by transpiling them into definitions within the Lean theorem prover.
herbie ⚠️ — Provides warnings or errors to your crate when utilizing a numerically unstable floating level expression.
linter-rust ⚠️ — Linting your Rust-files in Atom, utilizing rustc and cargo.
lockbud — Statically detects Rust deadlocks bugs. It presently detects two frequent sorts of impasse bugs: doublelock and locks in conflicting order. It’s going to print bugs in JSON format along with the supply code location and a proof of every bug.
MIRAI — And summary interpreter working on Rust’s mid-level intermediate language, and offering warnings based mostly on taint evaluation.
prae — Offers a handy macro that lets you generate kind wrappers that promise to all the time uphold arbitrary invariants that you simply specified.
Prusti — A static verifier for Rust, based mostly on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements equivalent to unreachable!() and panic!() are unreachable.
Rudra ⚠️ — Rust Reminiscence Security & Undefined Conduct Detection. It’s able to analyzing single Rust packages in addition to all of the packages on crates.io.
Rust Language Server ⚠️ — Helps performance equivalent to ‘goto definition’, image search, reformatting, and code completion, and permits renaming and refactorings.
rust-analyzer — Helps performance equivalent to ‘goto definition’, kind inference, image search, reformatting, and code completion, and permits renaming and refactorings.
rust-audit — Audit Rust binaries for recognized bugs or safety vulnerabilities. This works by embedding information concerning the dependency tree (Cargo.lock) in JSON format right into a devoted linker part of the compiled executable.
rustfix — Learn and apply the strategies made by rustc (and third-party lints, like these supplied by clippy).
rustfmt — A device for formatting Rust code in line with type pointers.
RustViz — RustViz is a device that generates visualizations from easy Rust packages to help customers in higher understanding the Rust Lifetime and Borrowing mechanism. It generates SVG information with graphical indicators that combine with mdbook to render visualizations of data-flow in Rust packages.
warnalyzer — Present unused code from multi-crate Rust tasks

SQL

dbcritic — dbcritic finds issues in a database schema, equivalent to a lacking main key constraint in a desk.
holistic — Greater than 1,300 guidelines to investigate SQL queries. Takes an SQL schema definition and the question supply code to generate enchancment suggestions. Detects code smells, unused indexes, unused tables, views, materialized views, and extra.
sleek — Glossy is a CLI device for formatting SQL. It helps you preserve a constant type throughout your SQL code, enhancing readability and productiveness. The heavy lifting is completed by the sqlformat crate.
sqlcheck ⚠️ — Robotically determine anti-patterns in SQL queries.
SQLFluff — A number of dialect SQL linter and formatter.
sqlint — Easy SQL linter.
squawk — Linter for PostgreSQL, targeted on migrations. Prevents sudden downtime brought on by database migrations and encourages finest practices round Postgres schemas and SQL.
tsqllint — T-SQL-specific linter.
TSqlRules ⚠️ — TSQL Static Code Evaluation Guidelines for SQL Server.
Visual Expert ©️ — Code evaluation for PowerBuilder, Oracle, and SQL Server Explores, analyzes, and paperwork Code

Scala

linter ⚠️ — Linter is a Scala static evaluation compiler plugin which provides compile-time checks for varied potential bugs, inefficiencies, and magnificence issues.
Scalastyle — Scalastyle examines your Scala code and signifies potential issues with it.
scapegoat — Scala compiler plugin for static code evaluation.
WartRemover — A versatile Scala code linting device.

Shell

bashate — Code type enforcement for bash packages. The output format goals to observe pycodestyle (pep8) default output format.
i-Code CNES for Shell — An open supply static code evaluation device for Shell and Fortran (77 and 90).
kmdr — CLI device for studying instructions out of your terminal. kmdr delivers a break down of instructions with each attribute defined.
sh — A shell parser, formatter, and interpreter with bash assist; contains shfmt
shellcheck — ShellCheck, a static evaluation device that offers warnings and strategies for bash/sh shell scripts.
shellharden — A syntax highlighter and a device to semi-automate the rewriting of scripts to ShellCheck conformance, primarily targeted on quoting.

Swift

SwiftFormat — A library and command-line formatting device for reformatting Swift code.
SwiftLint — A device to implement Swift type and conventions.
Tailor ⚠️ — A static evaluation and lint device for supply code written in Apple’s Swift programming language.

Tcl

Frink — A Tcl formatting and static verify program (can prettify this system, minimise, obfuscate or simply sanity verify it).
Nagelfar — A static syntax checker for Tcl.
tclchecker — A static syntax evaluation module (as a part of TDK).

TypeScript

Angular ESLint — Linter for Angular tasks
Codelyzer ⚠️ — A set of tslint guidelines for static code evaluation of Angular 2 TypeScript tasks.
stc — Speedy TypeScript kind checker written in Rust
tslint ⚠️ — TSLint has been deprecated as of 2019. Please see this issue for extra particulars. typescript-eslint is now the best choice for linting TypeScript.
TSLint is an extensible static evaluation device that checks TypeScript code for readability, maintainability, and performance errors. It’s broadly supported throughout fashionable editors & construct programs and could be personalized with your individual lint guidelines, configurations, and formatters.
tslint-clean-code — A set of TSLint guidelines impressed by the Clear Code handbook.
tslint-microsoft-contrib ⚠️ — A set of tslint guidelines for static code evaluation of TypeScript tasks maintained by Microsoft.
TypeScript Call Graph — CLI to generate an interactive graph of capabilities and calls out of your TypeScript information
TypeScript ESLint — TypeScript language extension for eslint.
zod — TypeScript-first schema validation with static kind inference. The objective is to remove duplicative kind declarations. With Zod, you declare a validator as soon as and Zod will routinely infer the static TypeScript kind. It’s simple to compose less complicated varieties into complicated information buildings.

Verilog/SystemVerilog

Icarus Verilog — A Verilog simulation and synthesis device that operates by compiling supply code written in IEEE-1364 Verilog into some goal format
svls — A Language Server Protocol implementation for Verilog and SystemVerilog, together with lint capabilities.
verible-linter-action — Automated SystemVerilog linting in github actions with the assistance of Verible Used to lint Verilog and SystemVerilog supply information and remark faulty strains of code in Pull Requests routinely.
Verilator — A device which converts Verilog to a cycle-accurate behavioral mannequin in C++ or SystemC. Performs lint code-quality checks.
vscode-verilog-hdl-support — Verilog HDL/SystemVerilog/Bluespec SystemVerilog assist for VS Code. Offers syntax highlighting and Linting assist from Icarus Verilog, Vivado Logical Simulation, Modelsim and Verilator

Vim Script

vint ⚠️ — Quick and Extremely Extensible Vim script Language Lint carried out by Python.

Multiple languages

ale — Asynchronous Lint Engine for Vim and NeoVim with assist for a lot of languages.
Android Studio — Based mostly on IntelliJ IDEA, and comes bundled with instruments for Android together with Android Lint.
AppChecker ©️ — Static evaluation for C/C++/C#, PHP and Java.
Application Inspector ©️ — Industrial Static Code Evaluation which generates exploits to confirm vulnerabilities.
ApplicationInspector — Creates studies of over 400 rule patterns for characteristic detection (e.g. the usage of cryptography or model management in apps).
ArchUnit — Unit take a look at your Java or Kotlin structure.
Atom-Beautify ⚠️ — Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Goal-C, CoffeeScript, TypeScript, Coldfusion, SQL, and extra in Atom editor.
autocorrect — A linter and formatter that can assist you to enhance copywriting, right areas, phrases, punctuations between CJK (Chinese language, Japanese, Korean).
Axivion Bauhaus Suite ©️ — Tracks down error-prone code areas, type violations, cloned or useless code, cyclic dependencies and extra for C/C++, C#/.NET, Java and Ada 83/Ada 95.
Bearer — Open-Supply static code evaluation device to find, filter and prioritize safety dangers and vulnerabilities resulting in delicate information exposures (PII, PHI, PD). Extremely configurable and simply extensible, constructed for safety and engineering groups.
Better Code Hub ©️ — Higher Code Hub checks your GitHub codebase towards 10 engineering pointers devised by the authority in software program high quality, Software program Enchancment Group.
biome — A toolchain for net tasks, aimed to offer functionalities to take care of them. Biome codecs and lints code in a fraction of a second. It’s the successor to Rome. It’s designed to ultimately change Biome is designed to ultimately change Babel, ESLint, webpack, Prettier, Jest, and others.
BugProve ©️ — BugProve is a firmware evaluation platform that includes each static and dynamic evaluation methods to find reminiscence corruptions, command injections and different lessons or frequent weaknesses in binary code. It additionally detects weak dependencies, weak cryptographic parameters, misconfigurations, and extra.
callGraph — Statically generates a name graph picture and shows it on display.
CAST Highlight ©️ — Industrial Static Code Evaluation which runs regionally, however uploads the outcomes to its cloud for presentation.
Checkmarx CxSAST ©️ — Industrial Static Code Evaluation which does not require pre-compilation.
ClassGraph — A classpath and module path scanner for querying or visualizing class metadata or class relatedness.
Clayton ©️ — AI-powered code evaluations for Salesforce. Safe your developments, implement finest apply and management your technical debt in real-time.
coala ⚠️ — Language impartial framework for creating code evaluation – helps over 60 languages by default.
Cobra ©️ — Structural supply code analyzer by NASA’s Jet Propulsion Laboratory.
Codacy ©️ — Code Evaluation to ship Higher Code, Quicker.
Code Intelligence ©️ — CI/CD-agnostic DevSecOps platform which mixes industry-leading fuzzing engines for locating bugs and visualizing code protection
Codeac ©️ — Automated code evaluation device integrates with GitHub, Bitbucket and GitLab (even self-hosted). Obtainable for JavaScript, TypeScript, Python, Ruby, Go, PHP, Java, Docker, and extra. (open-source free)
codeburner — Offers a unified interface to type and act on the problems it finds.
codechecker — A defect database and viewer extension for the Clang Static Analyzer with net GUI.
CodeFactor ©️ — Automated Code Evaluation for repos on GitHub or BitBucket.
CodeFlow ©️ — Automated code evaluation device to take care of technical depth. Integrates with Bitbucket and Gitlab. (free for Open Supply Tasks)
CodeIt.Right ©️ — CodeIt.Proper™ offers a quick, automated method to make sure that your supply code adheres to (your) predefined design and magnificence pointers in addition to finest coding practices.
CodePatrol ©️ — Automated SAST code evaluations pushed by safety, helps 15+ languages and contains safety coaching.
codeql — Deep code evaluation – semantic queries and dataflow for a number of languages with VSCode plugin assist.
CodeQue — Ecosystem for structural matching JavaScript and TypeScript code. Presents search device that understands code construction. Obtainable as CLI device and Visible Studio Code extension. It helps to go looking code quicker and extra precisely making you workflow simpler. Quickly it is going to supply ESLint plugin to create your individual guidelines in minutes to assist with assuring codebase high quality.
CodeRush ©️ — Code creation, debugging, navigation, refactoring, evaluation and visualization instruments that use the Roslyn engine in Visible Studio 2015 and up.
CodeScan ©️ — Code High quality and Safety for Salesforce Builders. Made solely for the Salesforce platform, CodeScan’s code evaluation options give you complete visibility into your code well being.
CodeScene ©️ — CodeScene is a high quality visualization device for software program. Prioritize technical debt, detect supply dangers, and measure organizational points. Totally automated.
CodeSee ©️ — CodeSee is mapping and automating your app’s providers, directories, file dependencies, and code modifications. It is like Google Map, however for code.t
CodeSonar from GrammaTech ©️ — Superior, complete program, deep path, static evaluation of C, C++, Java and C# with easy-to-understand explanations and code and path visualization.
Codiga ©️ — Automated Code Evaluations and Technical Debt administration platform that helps 12+ languages.
Corrode ⚠️ — Semi-automatic translation from C to Rust. May reveal bugs within the authentic implementation by exhibiting Rust compiler warnings and errors. Outdated by C2Rust.
Coverity ©️ — Synopsys Coverity helps 20 languages and over 70 frameworks together with Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET.
cpp-linter-action — A Github Motion for linting C/C++ code integrating clang-tidy and clang-format to gather suggestions supplied within the type of thread feedback and/or annotations.
cqc ⚠️ — Examine your code high quality for js, jsx, vue, css, much less, scss, sass and styl information.
DeepCode ⚠️ ©️ — DeepCode was acquired by Snyk is now Snyk Code.
DeepSource ©️ — In-depth static evaluation to seek out points in verticals of bug dangers, safety, anti-patterns, efficiency, documentation and magnificence. Native integrations with GitHub, GitLab and Bitbucket. Lower than 5% false positives.
Depends — Analyses the excellent dependencies of code parts for Java, C/C++, Ruby.
DevSkim — Regex-based static evaluation device for Visible Studio, VS Code, and Elegant Textual content – C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
dotenet-format — A code formatter for .NET. Preferences shall be learn from an .editorconfig file, if current, in any other case a default set of preferences shall be used. At the moment dotnet-format is ready to format C# and Visible Fundamental tasks with a subset of supported .editorconfig choices.
Embold ©️ — Clever software program analytics platform that identifies design points, code points, duplication and metrics. Helps Java, C, C++, C#, JavaScript, TypeScript, Python, Go, Kotlin and extra.
emerge — Emerge is a supply code and dependency visualizer that can be utilized to collect insights about supply code construction, metrics, dependencies and complexity of software program tasks. After scanning the supply code of a challenge it offers you an interactive net interface to discover and analyze your challenge by utilizing graph buildings.
ESLint — An extensible linter for JS, following the ECMAScript normal.
ezno — A JavaScript compiler and TypeScript checker written in Rust with a give attention to static evaluation and runtime efficiency. Ezno’s kind checker is constructed from scratch. The checker is totally appropriate with TypeScript kind annotations and might work with none kind annotations in any respect.
Find Security Bugs — The SpotBugs plugin for safety audits of Java net functions and Android functions. (Additionally work with Kotlin, Groovy and Scala tasks)
Fortify ©️ — A industrial static evaluation platform that helps the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Traditional ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Goal-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
Goodcheck — Regexp based mostly customizable linter.
goone ⚠️ — Finds N+1 queries (SQL calls in a for loop) in go code
graudit — Grep tough audit – supply code auditing device.
HCL AppScan Source ©️ — Industrial Static Code Evaluation.
Hopper ⚠️ — A static evaluation device written in scala for languages that run on JVM.
Hound CI — Feedback on type violations in GitHub pull requests. Helps Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.
imhotep — Touch upon commits coming into your repository and verify for syntactic errors and common lint warnings.
include-gardener — A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which exhibits all #embody relations of a given set of information.
Infer — A static analyzer for Java, C and Goal-C
Kiuwan ©️ — Establish and remediate cyber threats in a blazingly quick, collaborative atmosphere, with seamless integration in your SDLC. Python, CC++, Java, C#, PHP and extra.
Klocwork ©️ — High quality and Safety Static evaluation for C/C++, Java and C#.
LGTM ©️ — Discover safety vulnerabilities, variants, and important code high quality points utilizing CodeQL queries over supply code. Automated PR code evaluation; free for open supply. Previously semmle. It helps public Git repositories hosted on Bitbucket Cloud, GitHub.com, GitLab.com.
lizard — Lizard is an extensible Cyclomatic Complexity Analyzer for a lot of programming languages together with C/C++ (does not require all of the header information or Java imports). It additionally does copy-paste detection (code clone detection/code duplicate detection) and lots of different types of static code evaluation. Counts strains of code with out feedback, CCN (cyclomatic complexity quantity), token depend of capabilities, parameter depend of capabilities.
Mega-Linter — Mega-Linter can deal with any kind of challenge because of its 70+ embedded Linters,
its superior reporting, runnable on any CI system or regionally,
with assisted set up and configuration, in a position to apply formatting and fixes
oclint ⚠️ — A static supply code evaluation device to enhance high quality and scale back defects for C, C++ and Goal-C.
Offensive 360 ©️ — Industrial Static Code Evaluation system does not require constructing the supply code or pre-compilation.
OpenRewrite — OpenRewrite fixes common static analysis issues reported via Sonar and different instruments utilizing a Maven and Gradle plugin or the Moderne CLI.
OpenStaticAnalyzer — OpenStaticAnalyzer is a supply code analyzer device, which may carry out deep static evaluation of the supply code of complicated programs.
oxc — The Oxidation Compiler is creating a collection of high-performance instruments for the JavaScript / TypeScript language re-written in Rust.
parasoft ©️ — Automated Software program Testing Options for unit-, API-, and net UI testing. Complies with MISRA, OWASP, and others.
pfff — Fb’s instruments for code evaluation, visualizations, or style-preserving supply transformation for a lot of languages.
PMD — A supply code analyzer for Java, Salesforce Apex, Javascript, PLSQL, XML, XSL and others.
pre-commit — A framework for managing and sustaining multi-language pre-commit hooks.
Prettier — An opinionated code formatter.
Pronto — Fast automated code evaluation of your modifications. Helps greater than 40 runners for varied languages, together with Clang, Elixir, JavaScript, PHP, Ruby and extra.
PT.PM ⚠️ — An engine for looking patterns within the supply code, based mostly on Unified AST or UST. At current time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns could be described throughout the code or utilizing a DSL.
Putout — Pluggable and configurable code transformer with built-in eslint, babel plugins assist for js, jsx typescript, stream, markdown, yaml and json.
PVS-Studio ©️ — A (conditionally free for FOSS and particular person builders) static evaluation of C, C++, C# and Java code. For promoting functions you can propose a large FOSS project for analysis by PVS employees. Helps CWE mapping, OWASP ASVS, MISRA, AUTOSAR and SEI CERT coding requirements.
pylama — Code audit device for Python and JavaScript. Wraps pycodestyle, pydocstyle, PyFlakes, Mccabe, Pylint, and extra
Qwiet AI ©️ — Establish vulnerabilities which might be distinctive to your code base earlier than they attain manufacturing. Leverages the Code Property Graph (CPG) to run its analyses concurrently in a single graph of graphs. Robotically finds enterprise logic flaws in dev like hardcoded secrets and techniques and logic bombs
Refactoring Essentials ⚠️ — The free Visible Studio 2015 extension for C# and VB.NET refactorings, together with code finest apply analyzers.
relint — A static file linter that lets you write customized guidelines utilizing common expressions (RegEx).
ReSharper ©️ — Extends Visible Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and different applied sciences.
RIPS ©️ — A static supply code analyser for vulnerabilities in PHP scripts.
Rome — Rome was a linter, compiler, bundler, and more for JavaScript, TypeScript, JSON, HTML, Markdown, and CSS. It has since been succeeded by biome.
Rome Formatter ⚠️ — A performant and fault-tolerant code formatter for JS/TS written in Rust. Superceded by biome.
Roslyn Analyzers — Roslyn-based implementation of FxCop analyzers.
Roslyn Security Guard — Venture that focuses on the identification of potential vulnerabilities equivalent to SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and lots of extra.
SafeQL — Validate and auto-generate TypeScript varieties from uncooked SQL queries in PostgreSQL. SafeQL is an ESLint plugin for writing SQL queries in a type-safe method.
SAST Online ©️ — Examine the Android Supply code completely to uncover and handle potential safety considerations and vulnerabilities. Static software safety testing (Static Code Evaluation) device On-line
Scanmycode CE (Community Edition) — Scanmycode – Code Scanning/SAST/Linting utilizing many instruments/Scanners with One Report
Scrutinizer ©️ — A proprietary code high quality checker that may be built-in with GitHub.
Security Code Scan — Safety code analyzer for C# and VB.NET. Detects varied safety vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, and many others. Integrates into Visible Studio 2015 and newer. Detects varied safety vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, and many others.
Semgrep — A quick, open-source, static evaluation device for locating bugs and imposing code requirements at editor, commit, and CI time. Its guidelines appear like the code you already write; no summary syntax timber or regex wrestling. Helps 17+ languages.
Semgrep Supply Chain ©️ — Shortly discover and remediate high-priority safety points. Semgrep Provide Chain prioritizes the two% of vulnerabilities which might be reachable out of your code.
ShiftLeft Scan — Scan is a free open-source DevSecOps platform for detecting safety points in supply code and dependencies. It helps a broad vary of languages and CI/CD pipelines.
shipshape ⚠️ — Static program evaluation platform that enables customized analyzers to plug in via a standard interface.
Sigrid ©️ — Sigrid lets you enhance your software program by measuring your system’s code high quality, after which compares the outcomes towards a benchmark of 1000’s of {industry} programs to offer you concrete recommendation on areas the place you’ll be able to enhance.
Similarity Tester — A device that finds similarities between or inside information to assist you encountering DRY precept violations.
Snyk Code ©️ — Snyk Code finds safety vulnerabilities based mostly on AI. Its velocity of study enable us to analyse your code in actual time and ship outcomes if you hit the save button in your IDE. Supported languages are Java, JavaScript, Python, PHP, C#, Go and TypeScript. Integrations with GitHub, BitBucket and Gitlab. It’s free to try to a part of the Snyk platform additionally overlaying SCA, containers and IaC.
SonarCloud ©️ — Multi-language cloud-based static code evaluation. Historical past, developments, safety hot-spots, pull request evaluation and extra. Free for open supply.
SonarLint for Visual Studio — SonarLint is an extension for Visible Studio 2015 and 2017 that gives on-the-fly suggestions to builders on new bugs and high quality points injected into .NET code.
SonarQube — SonarQube is an open platform to handle code high quality.
Sonatype ©️ — Reviews recognized vulnerabilities in frequent dependencies and recommends up to date packages to attenuate breaking modifications
Soto Platform ©️ — Suite of static evaluation instruments consisting of the three elements Sotoarc (Structure Evaluation), Sotograph (High quality Evaluation), and Sotoreport (High quality report). Helps discover variations between structure and implementation, interface violations (e.g. exterior entry of personal components of subsystems, detection of all lessons, information, packages and subsystems that are strongly coupled by cyclical relationships and extra. The Sotograph product household runs on Home windows and Linux.
SourceMeter ©️ — Static Code Evaluation for C/C++, Java, C#, Python, and RPG III and RPG IV variations (together with free-form).
sqlvet — Performs static evaluation on uncooked SQL queries in your Go code base to floor potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that would probably result in SQL injections makes certain column depend matches worth depend in INSERT statements and validates table- and column names.
StaticReviewer ©️ — Static Reviewer executes code checks in line with essentially the most related Safe Coding Requirements, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, utilizing 1000+ built-in validation guidelines for Safety, Deadcode & Greatest Practices Obtainable a module for Software program Composition Evaluation (SCA) to seek out vulnerabilities in open supply and third social gathering libraries.
Super-Linter — Mixture of a number of linters to put in as a GitHub Motion.
Svace ©️ — Static code evaluation device for Java,C,C++,C#,Go.
Synopsys ©️ — A industrial static evaluation platform that enables for scanning of a number of languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift).
Teamscale ©️ — Static and dynamic evaluation device supporting greater than 25 languages and direct IDE integration. Free internet hosting for Open Supply tasks obtainable on request. Free tutorial licenses obtainable.
TencentCodeAnalysis — Tencent Cloud Code Evaluation (TCA for brief, code-named CodeDog inside the corporate early) is a complete platform for code evaluation and concern monitoring. TCA encompass three elements, server, net and shopper. It integrates of various self-developed instruments, and likewise helps dynamic integration of code evaluation instruments in varied programming languages.
ThreatMapper — Vulnerability Scanner and Danger Analysis for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and working system packages, matches towards a number of menace feeds, scans for unprotected secrets and techniques, and scores points based mostly on severity and risk-of-exploit.
todocheck — Linter for integrating annotated TODOs along with your concern trackers
trivy — A Easy and Complete Vulnerability Scanner for Containers and different Artifacts, Appropriate for CI. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, and many others.) and software dependencies (Bundler, Composer, npm, yarn, and many others.). Checks containers and filesystems.
trunk ©️ — Trendy repositories embody many applied sciences, every with its personal set of linters. With 30+ linters and counting, Trunk makes it dead-simple to determine, set up, configure, and run the appropriate linters, static analyzers, and formatters for all of your repos.
TscanCode — A quick and correct static evaluation resolution for C/C++, C#, Lua codes supplied by Tencent. Utilizing GPLv3 license.
Undebt — Language-independent device for large, computerized, programmable refactoring based mostly on easy sample definitions.
Understand ©️ — Code visualization device that gives code evaluation, requirements testing, metrics, graphing, dependency evaluation and extra for Ada, VHDL, and others.
Unibeautify — Common code beautifier with a GitHub app. Helps HTML, CSS, JavaScript, TypeScript, JSX, Vue, C++, Go, Goal-C, Java, Python, PHP, GraphQL, Markdown, and extra.
Upsource ©️ — Code evaluation device with static code evaluation and code-aware navigation for Java, PHP, JavaScript and Kotlin.
Veracode ©️ — Discover flaws in binaries and bytecode with out requiring supply. Help all main programming languages: Java, .NET, JavaScript, Swift, Goal-C, C, C++ and extra.
WALA — Static evaluation capabilities for Java bytecode and associated languages and for JavaScript.
weggli — A quick and sturdy semantic search device for C and C++ codebases. It’s designed to assist safety researchers determine attention-grabbing performance in massive codebases.
WhiteHat Application Security Platform ©️ — WhiteHat Scout (for Builders) mixed with WhiteHat Sentinel Supply (for Operations) supporting WhiteHat High 40 and OWASP High 10.
Wotan ⚠️ — Pluggable TypeScript and JavaScript linter.
XCode ©️ — XCode offers a reasonably respectable UI for Clang’s static code analyzer (C/C++, Obj-C).

Other

.env

GitGuardian ggshield — ggshield is a CLI software that runs in your native atmosphere or in a CI atmosphere that can assist you detect greater than 350+ varieties of secrets and techniques, in addition to different potential safety vulnerabilities or coverage breaks affecting your codebase.

Ansible

kics — Discover safety vulnerabilities, compliance points, and infrastructure misconfigurations in your infrastructure-as-code. Helps Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
Steampunk Spotter ©️ — Ansible Playbook Scanning Device that analyzes and affords suggestions on your playbooks.

Azure Resource Manager

AzSK — Safe DevOps package for Azure (AzSK) offers safety IntelliSense, Safety Verification Assessments (SVTs), CICD scan vulnerabilities, compliance points, and infrastructure misconfiguration in your infrastructure-as-code. Helps Azure through ARM.

Binaries

angr — Binary code evaluation device that additionally helps symbolic execution.
binbloom — Analyzes a uncooked binary firmware and determines options like endianness or the loading handle. The device is appropriate with all architectures.
Loading handle: binbloom can parse a uncooked binary firmware and decide its loading handle. Endianness: binbloom can use heuristics to find out the endianness of a firmware. UDS Database: binbloom can parse a uncooked binary firmware and verify if it accommodates an array containing UDS command IDs.
BinSkim — A binary static evaluation device that gives safety and correctness outcomes for Home windows transportable executables.
Black Duck ©️ — Device to investigate supply code and binaries for reusable code, essential licenses and potential safety points.
bloaty — Ever questioned what’s making your binary massive? Bloaty McBloatface will present you a dimension profile of the binary so you’ll be able to perceive what’s taking on area inside. Bloaty performs a deep evaluation of the binary. Utilizing customized ELF, DWARF, and Mach-O parsers, Bloaty goals to precisely attribute each byte of the binary to the image or compileunit that produced it. It’s going to even disassemble the binary in search of references to nameless information. F
cargo-bloat — Discover out what takes many of the area in your executable. helps ELF (Linux, BSD), Mach-O (macOS) and PE (Home windows) binaries.
cwe_checker — cwe_checker finds weak patterns in binary executables.
Ghidra — A software program reverse engineering (SRE) suite of instruments developed by NSA’s Analysis Directorate in assist of the Cybersecurity mission
Hopper ©️ — macOS and Linux reverse engineering device that allows you to disassemble, decompile and debug functions. Hopper shows the code utilizing totally different representations, e.g. the Management Circulation Graph, and the pseudo-code of a process. Helps Apple Silicon.
IDA Free ©️ — Binary code evaluation device.
Jakstab — Jakstab is an Summary Interpretation-based, built-in disassembly and static evaluation framework for designing analyses on executables and recovering dependable management stream graphs.
JEB Decompiler ©️ — Decompile and debug binary code. Break down and analyze doc information. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly & Ethereum Decompilers.
ktool — Totally cross-platform toolkit and library for MachO+Obj-C enhancing/evaluation. Features a cli package, a curses GUI, ObjC header dumping, and rather more.
Manalyze — A static analyzer, which checks transportable executables for malicious content material.
mcsema ⚠️ — Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode. It interprets (“lifts”) executable binaries from native machine code to LLVM bitcode, which could be very helpful for performing program evaluation strategies.
Nauz File Detector — Static Linker/Compiler/Device detector for Home windows, Linux and MacOS.
rust-audit — Audit Rust binaries for recognized bugs or safety vulnerabilities. This works by embedding information concerning the dependency tree (Cargo.lock) in JSON format right into a devoted linker part of the compiled executable.
Twiggy — Analyzes a binary’s name graph to profile code dimension. The objective is to slim down wasm binary dimension.
VMware chap — chap analyzes un-instrumented ELF core information for leaks, reminiscence progress, and corruption. It’s sufficiently dependable that it may be utilized in automation to catch leaks earlier than they’re dedicated. As an interactive device, it helps clarify reminiscence progress, can determine some types of corruption, and dietary supplements a debugger by giving the standing of varied reminiscence areas.
zydis — Quick and light-weight x86/x86-64 disassembler library

Build tools

checkmake — Linter / Analyzer for Makefiles.
portlint — A verifier for FreeBSD and DragonFlyBSD port directories.

CSS/SASS/SCSS

CSS Stats — Doubtlessly attention-grabbing stats on stylesheets.
CSScomb — A coding type formatter for CSS. Helps personal configurations to make type sheets stunning and constant.
CSSLint — Does fundamental syntax checking and finds problematic patterns or indicators of inefficiency.
GraphMyCSS.com — CSS Specificity Graph Generator.
Nu Html Checker — Helps you catch issues in your HTML/CSS/SVG
Parker ⚠️ — Stylesheet evaluation device.
PostCSS — A device for remodeling kinds with JS plugins. These plugins can lint your CSS, assist variables and mixins, transpile future CSS syntax, inline pictures, and extra.
Project Wallace CSS Analyzer — Analytics for CSS, a part of Project Wallace.
sass-lint ⚠️ — A Node-only Sass linter for each sass and scss syntax.
scsslint — Linter for SCSS information.
Specificity Graph — CSS Specificity Graph Generator.
Stylelint — Linter for SCSS/CSS information.

Config Files

dotenv-linter — Linting dotenv information like a appeal.
dotenv-linter (Rust) — Lightning-fast linter for .env information. Written in Rust
gixy — A device to investigate Nginx configuration. The principle objective is to stop misconfiguration and automate flaw detection.

Configuration Management

ansible-lint — Checks playbooks for practices and behavior that would probably be improved.
AWS CloudFormation Guard — Examine native CloudFormation templates towards policy-as-code guidelines and generate guidelines from present templates.
AzSK — Safe DevOps package for Azure (AzSK) offers safety IntelliSense, Safety Verification Assessments (SVTs), CICD scan vulnerabilities, compliance points, and infrastructure misconfiguration in your infrastructure-as-code. Helps Azure through ARM.
cfn-lint — AWS Labs CloudFormation linter.
cfn_nag — A linter for AWS CloudFormation templates.
checkov — Static evaluation device for Terraform information (tf>=v0.12), stopping cloud misconfigs at construct time.
cookstyle — Cookstyle is a linting device based mostly on the RuboCop Ruby linting device for Chef cookbooks.
foodcritic — A lint device that checks Chef cookbooks for frequent issues.
kics — Discover safety vulnerabilities, compliance points, and infrastructure misconfigurations in your infrastructure-as-code. Helps Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
metadata-json-lint — Device to verify the validity of Puppet metadata.json information.
Puppet Lint ⚠️ — Examine that your Puppet manifests conform to the type information.
Steampunk Spotter ©️ — Ansible Playbook Scanning Device that analyzes and affords suggestions on your playbooks.
terraform-compliance — A light-weight, compliance- and safety targeted, BDD take a look at framework towards Terraform.
terrascan — Assortment of safety and finest apply exams for static code evaluation of Terraform templates.
tflint — A Terraform linter for detecting errors that may not be detected by terraform plan.
tfsec — Terraform static evaluation device that forestalls potential safety points by checking cloud misconfigurations at construct time and instantly integrates with the HCL parser for higher outcomes. Checks for violations of AWS, Azure and GCP safety finest apply suggestions.

Containers

anchore — Uncover, analyze, and certify container pictures. A service that analyzes Docker pictures and applies user-defined acceptance insurance policies to permit automated container picture validation and certification
clair — Vulnerability Static Evaluation for Containers.
collector ⚠️ — Run arbitrary scripts inside containers, and collect helpful data.
dagda — Carry out static evaluation of recognized vulnerabilities in docker pictures/containers.
Docker Label Inspector ⚠️ — Lint and validate Dockerfile labels.
GitGuardian ggshield — ggshield is a CLI software that runs in your native atmosphere or in a CI atmosphere that can assist you detect greater than 350+ varieties of secrets and techniques, in addition to different potential safety vulnerabilities or coverage breaks affecting your codebase.
Haskell Dockerfile Linter — A wiser Dockerfile linter that helps you construct finest apply Docker pictures.
kics — Discover safety vulnerabilities, compliance points, and infrastructure misconfigurations in your infrastructure-as-code. Helps Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
krane — Krane is a straightforward Kubernetes RBAC static evaluation device.
It identifies potential safety dangers in K8s RBAC design and makes strategies on how you can mitigate them. Krane dashboard presents present RBAC safety posture and allows you to navigate via its definition.
OpenSCAP — Suite of automated audit instruments to look at the configuration and recognized vulnerabilities following the NIST-certified Safety Content material Automation Protocol (SCAP).
Qualys Container Security ©️ — Container native software safety to offer visibility and management of containerized functions.
sysdig ©️ — A safe DevOps platform for cloud and container forensics. Constructed on an open supply stack, Sysdig offers Docker picture scanning and created Falco, the open normal for runtime menace detection for containers, Kubernetes and cloud.
Vuls — Agent-less Linux vulnerability scanner based mostly on data from NVD, OVAL, and many others. It has some container picture assist, though isn’t a container particular device.

Continuous Integration

actionlint — Static checker for GitHub Actions workflow information. Offers a web based model.
AzSK — Safe DevOps package for Azure (AzSK) offers safety IntelliSense, Safety Verification Assessments (SVTs), CICD scan vulnerabilities, compliance points, and infrastructure misconfiguration in your infrastructure-as-code. Helps Azure through ARM.
Code Climate — The open and extensible static evaluation platform, for everybody.
Codecov ©️ — Codecov is an organization that gives code protection instruments for builders and engineering leaders to achieve visibility into their code protection.
They provide versatile and unified reporting, seamless protection insights, and sturdy protection controls. Codecov helps over 20 languages and is CI/CD agnostic. Over 29,000 organizations and 1 million builders use Codecov. Codecov has not too long ago joined Sentry.
Diffblue ©️ — Diffblue is a software program firm that gives AI-powered code evaluation and testing options for software program growth groups.
Its expertise helps builders automate testing, discover bugs, and scale back guide labor of their software program growth processes. The corporate’s foremost product, Diffblue Cowl, makes use of AI to generate and run unit exams for Java code, serving to to catch errors and enhance code high quality.
exakat — An automatic code reviewing engine for PHP.
GitGuardian ggshield — ggshield is a CLI software that runs in your native atmosphere or in a CI atmosphere that can assist you detect greater than 350+ varieties of secrets and techniques, in addition to different potential safety vulnerabilities or coverage breaks affecting your codebase.
Goblint — A static analyzer for the evaluation of multi-threaded C packages. Its main focus is the detection of knowledge races, but it surely additionally studies different runtime errors, equivalent to buffer overflows and null-pointer dereferences.
Nitpick CI ©️ — Automated PHP code evaluation.
PullRequest ©️ — Code evaluation as a service with built-in static evaluation. Improve velocity and scale back technical debt via high quality code evaluation by skilled engineers backed by best-in-class automation.
quality — Runs high quality checks in your code utilizing group instruments, and makes certain your numbers do not get any worse over time.
QuantifiedCode ⚠️ — Automated code evaluation & restore. It lets you preserve monitor of points and metrics in your software program tasks, and could be simply prolonged to assist new varieties of analyses.
RefactorFirst — Identifies and prioritizes God Courses and Extremely Coupled lessons in Java codebases it’s best to refactor first.
Reviewdog — A device for posting evaluation feedback from any linter in any code internet hosting service.
Symfony Insight ©️ — Detect safety dangers, discover bugs and supply actionable metrics for PHP tasks.
Violations Lib — Java library for parsing report information from static code evaluation. Utilized by a bunch of Jenkins, Maven and Gradle plugins.

Deno

deno_lint — Official linter for Deno.

Embedded

oelint-adv — Linter for bitbake recipes utilized in open-embedded and YOCTO

Embedded Ruby (a.k.a. ERB, eRuby)

ERB Lint — Lint your ERB or HTML information
htmlbeautifier — A normaliser/beautifier for HTML that additionally understands embedded Ruby. Preferrred for tidying up Rails templates.

Gherkin

gherkin-lint — A linter for the Gherkin-Syntax written in Javascript.

HTML

Angular ESLint — Linter for Angular tasks
Bootlint ⚠️ — An HTML linter for Bootstrap tasks.
ERB Lint — Lint your ERB or HTML information
grunt-bootlint ⚠️ — A Grunt wrapper for Bootlint, the HTML linter for Bootstrap tasks.
gulp-bootlint ⚠️ — A gulp wrapper for Bootlint, the HTML linter for Bootstrap tasks.
HTML Inspector ⚠️ — HTML Inspector is a code high quality device that can assist you and your crew write higher markup.
HTML Tidy — Corrects and cleans up HTML and XML paperwork by fixing markup errors and upgrading legacy code to fashionable requirements.
HTML-Validate — Offline HTML5 validator.
htmlbeautifier — A normaliser/beautifier for HTML that additionally understands embedded Ruby. Preferrred for tidying up Rails templates.
HTMLHint — A Static Code Evaluation Device for HTML.
Nu Html Checker — Helps you catch issues in your HTML/CSS/SVG
Polymer-analyzer — A static evaluation framework for Internet Parts.

JSON

jsonlint — A JSON parser and validator with a CLI. Standalone model of jsonlint.com
Spectral — A versatile JSON/YAML linter, with out-of-the-box assist for OpenAPI v2/v3 and AsyncAPI v2.

Kubernetes

chart-testing — ct is the the device for testing Helm charts. It’s meant for use for linting and testing pull requests. It routinely detects charts modified towards the goal department.
clusterlint — Clusterlint queries dwell Kubernetes clusters for assets, executes frequent and platform particular checks towards these assets and offers actionable suggestions to cluster operators. It’s a non invasive device that’s run externally. Clusterlint doesn’t alter the useful resource configurations.
Datree — A CLI device to stop Kubernetes misconfigurations by making certain that manifests and Helm charts observe finest practices in addition to your group’s insurance policies
kics — Discover safety vulnerabilities, compliance points, and infrastructure misconfigurations in your infrastructure-as-code. Helps Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
klint — A device that listens to modifications in Kubernetes assets and runs linting guidelines towards them. Establish and debug faulty objects and nudge objects consistent with the insurance policies as each change over time. Klint helps us encode checks and proactively alert groups when they should take motion.
krane — Krane is a straightforward Kubernetes RBAC static evaluation device.
It identifies potential safety dangers in K8s RBAC design and makes strategies on how you can mitigate them. Krane dashboard presents present RBAC safety posture and allows you to navigate via its definition.
kube-hunter ⚠️ — Hunt for safety weaknesses in Kubernetes clusters.
kube-lint — A linter for Kubernetes assets with a customizable rule set. You outline an inventory of guidelines that you simply want to validate towards your assets and kube-lint will consider these guidelines towards them.
kube-linter — KubeLinter is a static evaluation device that checks Kubernetes YAML information and Helm charts to make sure the functions represented in them adhere to finest practices.
kube-score — Static code evaluation of your Kubernetes object definitions.
kubeconform — A quick Kubernetes manifests validator with assist for customized assets.
It’s impressed by, accommodates code from and is designed to remain near Kubeval, however with the next enhancements: * excessive efficiency: will validate & obtain manifests over a number of routines, caching downloaded information in reminiscence * configurable listing of distant, or native schemas areas, enabling validating Kubernetes customized assets (CRDs) and offline validation capabilities * makes use of by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema challenge – which ensures up-to-date schemas for all latest variations of Kubernetes.
KubeLinter — KubeLinter is a static evaluation device that checks Kubernetes YAML information and Helm charts to make sure the functions represented in them adhere to finest practices.
kubeval — Validates your Kubernetes configuration information and helps a number of Kubernetes variations.

LaTeX

ChkTeX — A linter for LaTex which catches some typographic errors LaTeX oversees.
lacheck — A device for locating frequent errors in LaTeX paperwork.
TeXLab — A Language Server Protocol implementation for TeX/LaTeX, together with lint capabilities.

Laravel

Enlightn — A static and dynamic evaluation device for Laravel functions that gives suggestions to enhance the efficiency, safety and code reliability of Laravel apps. Accommodates 120 automated checks.
larastan — Provides static evaluation to Laravel enhancing developer productiveness and code high quality. It’s a wrapper round PHPStan.

Makefiles

checkmake — Linter / Analyzer for Makefiles.
portlint — A verifier for FreeBSD and DragonFlyBSD port directories.

Markdown

markdownlint — Node.js -based type checker and lint device for Markdown/CommonMark information.
mdformat — CommonMark compliant Markdown formatter
mdl — A device to verify Markdown information and flag type points.
remark-lint — Pluggable Markdown code type linter written in JavaScript.
textlint — textlint is an open supply textual content linting utility written in JavaScript.

Metalinter

ciocheck ⚠️ — Linter, formatter and take a look at suite helper. As a linter, it’s a wrapper round pep8, pydocstyle, flake8, and pylint.
flake8 — A wrapper round pyflakes, pycodestyle and mccabe.
flakeheaven — flakeheaven is a python linter constructed round flake8 to allow inheritable and complicated toml configuration.
Go Meta Linter ⚠️ — Concurrently run Go lint instruments and normalise their output. Use golangci-lint for brand spanking new tasks.
goreporter — Concurrently runs many linters and normalises their output to a report.
multilint ⚠️ — A wrapper round flake8, isort and modernize.
prospector — A wrapper round pylint, pep8, mccabe and others.

Mobile

Android Lint — Run static evaluation on Android tasks.
android-lint-summary ⚠️ — Combines lint errors of a number of tasks into one output, verify lint outcomes of a number of sub-projects directly.
FlowDroid — Static taint evaluation device for Android functions.
iblessing ⚠️ — iblessing is an iOS safety exploiting toolkit. It may be used for reverse engineering, binary evaluation and vulnerability mining.
Mariana Trench — Our safety targeted static evaluation device for Android and Java functions. Mariana Trench analyzes Dalvik bytecode and is constructed to run quick on massive codebases (10s of hundreds of thousands of strains of code). It could discover vulnerabilities as code modifications, earlier than it ever lands in your repository.
Oversecured ©️ — Enterprise vulnerability scanner for Android and iOS apps. It permits app house owners and builders to safe every new model of a cell app by integrating Oversecured into the event course of.
paprika ⚠️ — A toolkit to detect some code smells in analyzed Android functions.
qark ⚠️ — Device to search for a number of safety associated Android software vulnerabilities.
redex — Redex offers a framework for studying, writing, and analyzing .dex information, and a set of optimization passes that use this framework to enhance the bytecode. An APK optimized by Redex ought to be smaller and quicker.

Nix

deadnix — Scan Nix information for useless code (unused variable bindings)
statix — Lints and strategies for the Nix programming language. “statix verify” highlights antipatterns in Nix code. “statix repair” can repair a number of such occurrences.

Node.js

lockfile-lint — Lint an npm or yarn lockfile to investigate and detect safety points
njsscan — A static software testing (SAST) device that may discover insecure code patterns in your node.js functions utilizing easy sample matcher from libsast and syntax-aware semantic code sample search device semgrep.
NodeJSScan — A static safety code scanner for Node.js functions powered by libsast and semgrep that builds on the njsscan cli device. It incorporates a UI with varied dashboards about an software’s safety standing.
standard — An npm module that checks for Javascript Styleguide points.

Packages

lintian — Static evaluation device for Debian packages.
rpmlint — Device for checking frequent errors in rpm packages.

Protocol Buffers

buf — Offers a CLI linter that enforces good API design selections and construction
protolint — Pluggable linter and fixer to implement Protocol Buffer type and conventions.

Puppet

metadata-json-lint — Device to verify the validity of Puppet metadata.json information.

Rails

dawnscanner — A static evaluation safety scanner for ruby written net functions. It helps Sinatra, Padrino and Ruby on Rails frameworks.

Security/SAST

AzSK — Safe DevOps package for Azure (AzSK) offers safety IntelliSense, Safety Verification Assessments (SVTs), CICD scan vulnerabilities, compliance points, and infrastructure misconfiguration in your infrastructure-as-code. Helps Azure through ARM.
brakeman — A static evaluation safety vulnerability scanner for Ruby on Rails functions.
Credential Digger — Credential Digger is a GitHub scanning device that identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, private data, and many others), and filtering the false constructive information via a machine studying mannequin known as Password Model. This scanner is ready to detect passwords and non structured tokens with a low false constructive price.
Datree — A CLI device to stop Kubernetes misconfigurations by making certain that manifests and Helm charts observe finest practices in addition to your group’s insurance policies
detect-secrets — An enterprise pleasant method of detecting and stopping secrets and techniques in code.
It does this by working periodic diff outputs towards heuristically crafted regex statements, to determine whether or not any new secret has been dedicated. This fashion, it avoids the overhead of digging via all git historical past, in addition to the necessity to scan your complete repository each time.
Enlightn — A static and dynamic evaluation device for Laravel functions that gives suggestions to enhance the efficiency, safety and code reliability of Laravel apps. Accommodates 120 automated checks.
GitGuardian ggshield — ggshield is a CLI software that runs in your native atmosphere or in a CI atmosphere that can assist you detect greater than 350+ varieties of secrets and techniques, in addition to different potential safety vulnerabilities or coverage breaks affecting your codebase.
Gitleaks — A SAST device for detecting hardcoded secrets and techniques like passwords, api keys, and tokens in git repos.
gokart — Golang safety evaluation with a give attention to minimizing false positives. It’s able to tracing the supply of variables and performance arguments to find out whether or not enter sources are protected.
HasMySecretLeaked ©️ — HasMySecretLeaked is a challenge from GitGuardian that goals to assist particular person customers and organizations search throughout 20 million uncovered secrets and techniques to confirm if their developer secrets and techniques have leaked on public repositories, gists, and points on GitHub tasks.
iblessing ⚠️ — iblessing is an iOS safety exploiting toolkit. It may be used for reverse engineering, binary evaluation and vulnerability mining.
kics — Discover safety vulnerabilities, compliance points, and infrastructure misconfigurations in your infrastructure-as-code. Helps Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
ktool — Totally cross-platform toolkit and library for MachO+Obj-C enhancing/evaluation. Features a cli package, a curses GUI, ObjC header dumping, and rather more.
kube-hunter ⚠️ — Hunt for safety weaknesses in Kubernetes clusters.
lockfile-lint — Lint an npm or yarn lockfile to investigate and detect safety points
LunaSec — Open Supply AppSec platform that routinely notifies you the following time vulnerabilities like Log4Shell or node-ipc occur. Monitor your dependencies and builds in a centralized service.
njsscan — A static software testing (SAST) device that may discover insecure code patterns in your node.js functions utilizing easy sample matcher from libsast and syntax-aware semantic code sample search device semgrep.
NodeJSScan — A static safety code scanner for Node.js functions powered by libsast and semgrep that builds on the njsscan cli device. It incorporates a UI with varied dashboards about an software’s safety standing.
Oversecured ©️ — Enterprise vulnerability scanner for Android and iOS apps. It permits app house owners and builders to safe every new model of a cell app by integrating Oversecured into the event course of.
PT Application Inspector ©️ — Identifies code flaws and detects vulnerabilities to stop net assaults. Demonstrates distant code execution by presenting potential exploits.
Qualys Container Security ©️ — Container native software safety to offer visibility and management of containerized functions.
QuantifiedCode ⚠️ — Automated code evaluation & restore. It lets you preserve monitor of points and metrics in your software program tasks, and could be simply prolonged to assist new varieties of analyses.
Rezilion ©️ — Discovers vulnerabilities for all elements in your atmosphere, filters out 85% non-exploitable vulnerabilities and creates a remediation plan and open tickets to improve elements that violate your safety coverage and/or patch routinely in CI.
scorecard — Safety Scorecards – Safety well being metrics for Open Supply
SearchDiggity ©️ — Identifies vulnerabilities in open supply code tasks hosted on Github, Google Code, MS CodePlex, SourceForge, and extra. The device comes with over 130 default searches that determine SQL injection, cross-site scripting (XSS), insecure distant and native file contains, hard-coded passwords, and many others.
tfsec — Terraform static evaluation device that forestalls potential safety points by checking cloud misconfigurations at construct time and instantly integrates with the HCL parser for higher outcomes. Checks for violations of AWS, Azure and GCP safety finest apply suggestions.
trufflehog — Discover credentials in every single place
TruffleHog is an open supply secret-scanning engine that resolves uncovered secrets and techniques throughout your organization’s total tech stack.
Tsunami Security Scanner — A common objective community safety scanner with an extensible plugin system for detecting excessive severity RCE-like vulnerabilities with excessive confidence. Customized detectors for locating vulnerabilities (e.g. open APIs) could be added.

Smart Contracts

mythril — A symbolic execution framework with batteries included, can be utilized to seek out and exploit vulnerabilities in good contracts routinely.
MythX ©️ — MythX is a simple to make use of evaluation platform which integrates a number of evaluation strategies like fuzzing, symbolic execution and static evaluation to seek out vulnerabilities with excessive precision. It may be built-in with toolchains like Remix or VSCode or known as from the command-line.
slither — Static evaluation framework that runs a collection of vulnerability detectors, prints visible details about contract particulars, and offers an API to simply write customized analyses.
solhint — Solhint is an open supply challenge created by https://protofire.io. Its objective is to offer a linting utility for Solidity code.
solium — Solium is a linter to determine and repair type and safety points in Solidity good contracts.

Support

LibVCS4j — A Java library that enables present instruments to analyse the evolution of software program programs by offering a standard API for various model management programs and concern trackers.
RefactorFirst — Identifies and prioritizes God Courses and Extremely Coupled lessons in Java codebases it’s best to refactor first.
Violations Lib — Java library for parsing report information from static code evaluation. Utilized by a bunch of Jenkins, Maven and Gradle plugins.

Template-Languages

ember-template-lint — Linter for Ember or Handlebars templates.
haml-lint — Device for writing clear and constant HAML.
slim-lint — Configurable device for analyzing Slim templates.
yamllint — Checks YAML information for syntax validity, key repetition and beauty issues equivalent to strains size, trailing areas, and indentation.

Terraform

GitGuardian ggshield — ggshield is a CLI software that runs in your native atmosphere or in a CI atmosphere that can assist you detect greater than 350+ varieties of secrets and techniques, in addition to different potential safety vulnerabilities or coverage breaks affecting your codebase.
kics — Discover safety vulnerabilities, compliance points, and infrastructure misconfigurations in your infrastructure-as-code. Helps Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible
shisho — A light-weight static code analyzer designed for builders and safety groups. It lets you analyze and rework supply code with an intuitive DSL just like sed, however for code.

Translation

dennis ⚠️ — A set of utilities for working with PO information to ease growth and enhance high quality.

Vue.js

HTML-Validate — Offline HTML5 validator.
Vetur — Vue tooling for VS Code, powered by vls (vue language server). Vetur has assist for formatting embedded HTML, CSS, SCSS, JS, TypeScript, and extra. Vetur solely has a “complete doc formatter” and can’t format arbitrary ranges.

Webassembly

Twiggy — Analyzes a binary’s name graph to profile code dimension. The objective is to slim down wasm binary dimension.

Writing

After the Deadline ⚠️ — Spell, type and grammar checker.
alex — Catch insensitive, thoughtless writing
codespell — Examine code for frequent misspellings.
languagetool — Fashion and grammar checker for 25+ languages. It finds many errors {that a} easy spell checker can’t detect.
misspell-fixer — Fast device for fixing frequent misspellings, typos in supply code.
Misspelled Words In Context — A spell-checker that teams potential misspellings and exhibits them of their contexts.
proselint — A linter for English prose with a give attention to writing type as a substitute of grammar.
vale — A syntax-aware linter for prose constructed with velocity and extensibility in thoughts.
write-good — A linter with a give attention to eliminating “weasel phrases”.

YAML

Spectral — A versatile JSON/YAML linter, with out-of-the-box assist for OpenAPI v2/v3 and AsyncAPI v2.
yamllint — Checks YAML information for syntax validity, key repetition and beauty issues equivalent to strains size, trailing areas, and indentation.

git

commitlint — checks in case your commit messages meet the traditional commit format
GitGuardian ggshield — ggshield is a CLI software that runs in your native atmosphere or in a CI atmosphere that can assist you detect greater than 350+ varieties of secrets and techniques, in addition to different potential safety vulnerabilities or coverage breaks affecting your codebase.
HasMySecretLeaked ©️ — HasMySecretLeaked is a challenge from GitGuardian that goals to assist particular person customers and organizations search throughout 20 million uncovered secrets and techniques to confirm if their developer secrets and techniques have leaked on public repositories, gists, and points on GitHub tasks.

More Collections

Clean code linters — A group of linters in github collections
Code Quality Checker Tools For PHP Projects — A group of PHP linters in github collections
go-tools — A group of instruments and libraries for working with Go code, together with linters and static evaluation
linters — An introduction to static code evaluation
OWASP Source Code Analysis Tools — Checklist of instruments maintained by the Open Internet Software Safety Venture
php-static-analysis-tools — A reviewed listing of helpful PHP static evaluation instruments
Wikipedia — A listing of instruments for static code evaluation.

License

To the extent potential underneath legislation, Matthias Endler has waived all copyright and associated or neighboring rights to this work.
The underlying supply code used to format and show that content material is licensed underneath the MIT license.

Title picture Designed by Freepik.

Leave a Reply Cancel reply

Most Popular

Quick Link

Blog Posts

How to catch a cheater

Recent Posts