This repository lists static analysis tools for all programming languages, build tools, config files and more. The focus is on tools which improve code quality such as linters and formatters. The official website, analysis-tools.dev is based on this repository and adds rankings, user comments, and additional resources like videos for each tool.
This project would not be possible without the generous support of our sponsors.
If you also want to support this project, head over to our Github sponsors page.
Pull requests are very welcome!
Also check out the sister project, awesome-dynamic-analysis.
abaplint — Linter for ABAP, written in TypeScript.
abapOpenChecks — Enhances the SAP Code Inspector with new and customizable checks.
Codepeer ©️ — Detects run-time and logic errors.
Polyspace for Ada ©️ — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
SPARK ©️ — Static analysis and formal verification toolset for Ada.
Astrée ©️ — Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
clang-tidy — Clang-based C++ linter tool with the (limited) ability to fix issues, too.
clazy — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
CMetrics — Measures size and complexity for C files.
CPAchecker — A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.
cppcheck — Static analysis of C/C++ code.
CppDepend ©️ — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
cpplint — Automated C++ checker that follows Google's style guide.
cqmetrics — Quality metrics for C code.
CScout — Complexity and quality metrics for C and C preprocessor code.
ENRE-cpp — ENRE (ENtity Relationship Extractor) is a tool for extracting code entity dependencies or relationships from source code. ENRE-cpp is an ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)
ESBMC — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
flawfinder
flint++
Frama-C — A sound and extensible static analyzer for C code.
GCC — The GCC compiler has had static analysis capabilities since version 10. The option is only available if GCC was configured with analyzer support enabled. From version 13 it can also write its diagnostics to a JSON file in the SARIF format.
Goblint — A static analyzer for the analysis of multi-threaded C programs. Its primary focus is the detection of data races, but it also reports other runtime errors, such as buffer overflows and null-pointer dereferences.
Helix QAC ©️ — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
IKOS — A sound static analyzer for C/C++ code based on LLVM.
Joern — Open-source code analysis platform for C/C++ based on code property graphs.
KLEE — A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.
LDRA ©️ — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
MATE
PC-lint ©️ — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.
Phasar — An LLVM-based static analysis framework which comes with a taint and type state analysis.
Polyspace Bug Finder ©️ — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
Polyspace Code Prover ©️ — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
scan-build — Frontend to drive the Clang Static Analyzer built into Clang via a regular build.
splint — Annotation-assisted static program checker.
SVF — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
TrustInSoft Analyzer ©️ — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
vera++
.NET Analyzers — An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
ArchUnitNET — A C# architecture test library to specify and assert architecture rules in C# for automated testing.
code-cracker — An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
CSharpEssentials
Designite ©️ — Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis.
Gendarme — Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).
Infer#
Meziantou.Analyzer — A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style.
NDepend ©️ — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
Puma Scan — Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
Roslynator — A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.
SonarAnalyzer.CSharp — These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.
VSDiagnostics
Wintellect.Analyzers — .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.
Astrée ©️ — Astrée automatically proves the absence of runtime errors and invalid concurrent behavior in C/C++ applications. It is sound for floating-point computations, very fast, and exceptionally precise. The analyzer also checks for MISRA/CERT/CWE/Adaptive Autosar coding rules and supports qualification for ISO 26262, DO-178C level A, and other safety standards. Jenkins and Eclipse plugins are available.
CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.
clang-tidy — Clang-based C++ linter tool with the (limited) ability to fix issues, too.
clazy — Qt-oriented static code analyzer based on the Clang framework. clazy is a compiler plugin which allows clang to understand Qt semantics. You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring.
CMetrics — Measures size and complexity for C files.
cppcheck — Static analysis of C/C++ code.
CppDepend ©️ — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
cpplint — Automated C++ checker that follows Google's style guide.
cqmetrics — Quality metrics for C code.
CScout — Complexity and quality metrics for C and C preprocessor code.
ENRE-cpp — ENRE (ENtity Relationship Extractor) is a tool for extracting code entity dependencies or relationships from source code. ENRE-cpp is an ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development)
ESBMC — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs.
flawfinder
flint++
Frama-C — A sound and extensible static analyzer for C code.
Helix QAC ©️ — Enterprise-grade static analysis for embedded software. Supports MISRA, CERT, and AUTOSAR coding standards.
IKOS — A sound static analyzer for C/C++ code based on LLVM.
Joern — Open-source code analysis platform for C/C++ based on code property graphs.
KLEE — A dynamic symbolic execution engine built on top of the LLVM compiler infrastructure. It can auto-generate test cases for programs such that the test cases exercise as much of the program as possible.
LDRA ©️ — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules.
MATE
PC-lint ©️ — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17.
Phasar — An LLVM-based static analysis framework which comes with a taint and type state analysis.
Polyspace Bug Finder ©️ — Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
Polyspace Code Prover ©️ — Provide code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
scan-build — Frontend to drive the Clang Static Analyzer built into Clang via a regular build.
splint — Annotation-assisted static program checker.
SVF — A static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs.
TrustInSoft Analyzer ©️ — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled.
vera++
ameba — A static code analysis tool for Crystal.
crystal — The Crystal compiler has built-in linting functionality.
Dart Code Metrics
effective_dart — Linter rules corresponding to the guidelines in Effective Dart.
lint
Linter for dart — Style linter for Dart.
DelphiLint — A Delphi IDE package providing on-the-fly code analysis and linting, powered by SonarDelphi.
Fix Insight ©️ — A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes.
Pascal Analyzer ©️ — A static code analysis tool with numerous reports. A free Lite version is available with limited reporting.
Pascal Expert ©️ — IDE plugin for code analysis. Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions 2007 and later.
SonarDelphi — Delphi static analyzer for the SonarQube code quality platform.
credo — A static code analysis tool with a focus on code consistency and teaching.
dialyxir — Mix tasks to simplify use of Dialyzer in Elixir projects.
sobelow — Security-focused static analysis for the Phoenix Framework.
elm-analyse
elm-review — Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you.
dialyzer — The DIALYZER, a DIscrepancy AnaLYZer for ERlang programs. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of a programming error, and unnecessary tests, in single Erlang modules or entire (sets of) applications. Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from Erlang source code. The file and line number of a discrepancy are reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives).
elvis — Erlang Style Reviewer.
Primitive Erlang Security Tool (PEST) — A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure.
fantomas — F# source code formatter.
FSharpLint — Lint tool for F#.
ionide-analyzers — A collection of F# analyzers, built with the FSharp.Analyzers.SDK.
fprettify — Auto-formatter for modern Fortran source code, written in Python. fprettify provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history, and is tested for editor integration.
i-Code CNES for Fortran — An open source static code analysis tool for Fortran 77, Fortran 90 and Shell.
aligncheck — Find inefficiently packed structs.
bodyclose — Checks whether HTTP response body is closed.
deadcode — Finds unused code.
dingo-hunter
dogsled — Finds assignments/declarations with too many blank identifiers.
dupl
errcheck — Check that error return values are used.
errwrap — Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive different from the %w verb directive introduced in Go v1.13. It is also capable of rewriting calls to use the new %w wrap verb directive.
flen — Get info on length of functions in a Go package.
Go Meta Linter — Use golangci-lint for new projects.
go tool vet --shadow — Reports variables that may have been unintentionally shadowed.
go vet — Examines Go source code and reports suspicious constructs.
go-consistent — Analyzer that helps you to make your Go programs more consistent.
go-critic — Go source code linter that maintains checks which are currently not implemented in other linters.
go/ast — Package ast declares the types used to represent syntax trees for Go packages.
goast
gochecknoglobals
goconst — Finds repeated strings that could be replaced by a constant.
gocyclo
gofmt -s — Checks if the code is properly formatted and could not be further simplified.
gofumpt — Enforce a stricter format than gofmt, while being backwards-compatible. That is, gofumpt is happy with a subset of the formats that gofmt is happy with. The tool is a fork of gofmt as of Go 1.19, and requires Go 1.18 or later. It can be used as a drop-in replacement to format your Go code, and running gofmt after gofumpt should produce no changes. gofumpt will never add rules which disagree with gofmt formatting, so it extends gofmt rather than competing with it.
goimports — Checks missing or unreferenced package imports.
gokart — Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.
GolangCI-Lint — Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.
golint — Prints out coding style mistakes in Go source code.
goreporter — Concurrently runs many linters and normalises their output to a report.
goroutine-inspect — An interactive tool to analyze Golang goroutine dump.
gosec (gas) — Inspects source code for security problems by scanning the Go AST.
gotype — Syntactic and semantic analysis similar to the Go compiler.
govulncheck — Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program.
ineffassign — Detect ineffectual assignments in Go code.
interfacer
lll
maligned
misspell — Finds commonly misspelled English words.
nakedret — Finds naked returns.
nargs — Finds unused arguments in function declarations.
prealloc — Finds slice declarations that could potentially be preallocated.
Reviewdog — A tool for posting review comments from any linter in any code hosting service.
revive — Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
safesql
shisho
staticcheck — Go static analysis that specialises in finding bugs, simplifying code and improving performance.
structcheck — Find unused struct fields.
structslop — Static analyzer for Go that recommends struct field rearrangements to provide maximum space/allocation efficiency.
test — Show location of test failures from the stdlib testing module.
unconvert
unparam — Find unused function parameters.
varcheck — Find unused global variables and constants.
wsl — Enforces empty lines at the right places.
brittany
HLint — HLint is a tool for suggesting possible improvements to Haskell code.
Liquid Haskell — Liquid Haskell is a refinement type checker for Haskell programs.
Stan — Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems.
Weeder — A tool for detecting dead exports or package imports in Haskell code.
Checker Framework — Pluggable type-checking for Java. This is not just a bug-finder, but a verification tool that gives a guarantee of correctness. It comes with 27 pre-built type systems, and it enables users to define their own type system; the manual lists over 30 user-contributed type systems.
checkstyle — Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).
ck — Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.
ckjm — Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.
CogniCrypt — Checks Java source and byte code for incorrect uses of cryptographic APIs.
Dataflow Framework — An industrial-strength dataflow framework for Java. The Dataflow Framework is used in the Checker Framework, Google’s Error Prone, Uber’s NullAway, Meta’s Nullsafe, and in other contexts. It is distributed with the Checker Framework.
DesigniteJava ©️ — DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
Diffblue ©️ — Diffblue is a software company that provides AI-powered code analysis and testing solutions for software development teams. Its technology helps developers automate testing, find bugs, and reduce manual labor in their software development processes. The company's main product, Diffblue Cover, uses AI to generate and run unit tests for Java code, helping to catch errors and improve code quality.
Doop — Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.).
ENRE-java — ENRE (ENtity Relationship Extractor) is a tool for extracting code entity dependencies or relationships from source code. ENRE-java is an ENtity Relationship Extractor for Java projects based on @Eclipse JDT/parser.
Error Prone — Catch common Java mistakes as compile-time errors.
fb-contrib — A plugin for FindBugs with additional bug detectors.
forbidden-apis — Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.
google-java-format — Reformats Java source code to comply with Google Java Style.
HuntBugs
IntelliJ IDEA ©️ — Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more.
JArchitect ©️ — Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
JBMC — Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
Mariana Trench — Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). It can find vulnerabilities as code changes, before it ever lands in your repository.
NullAway — Type-based null-pointer checker with low build-time overhead; an Error Prone plugin.
OWASP Dependency Check — Checks dependencies for known, publicly disclosed, vulnerabilities.
qulice — Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, ...).
RefactorFirst — Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.
Soot — A framework for analyzing and transforming Java and Android applications.
Spoon — Spoon is a metaprogramming library to analyze and transform Java source code (including Java 9 through 14). It parses source files to build a well-designed AST with a powerful analysis and transformation API. Can be integrated in Maven and Gradle.
SpotBugs — SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
steady — Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy.
Violations Lib — Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins.
aether
Closure Compiler — A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files.
ClosureLinter
complexity-report
DeepScan ©️ — An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.
es6-plato
escomplex
Esprima
flow — A static type checker for JavaScript.
hegel — A static type checker for JavaScript with a bias on type inference and strong type systems.
jshint — Detect errors and potential problems in JavaScript code and enforce your team's coding conventions.
JSLint — The JavaScript Code Quality Tool.
JSPrime
NodeJSScan — A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status.
plato
Polymer-analyzer — A static analysis framework for Web Components.
retire.js — Scanner detecting the use of JavaScript libraries with known vulnerabilities.
RSLint
standard — An npm module that checks for JavaScript style guide issues.
tern — A JavaScript code analyzer for deep, cross-editor language support.
TypL
xo — Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code.
yardstick
JET — Static type inference system to detect bugs and type instabilities.
StaticLint — Static code analysis for Julia.
detekt — Static code analysis for Kotlin code.
diktat — Strict coding standard for Kotlin and a linter that detects and auto-fixes code smells.
ktfmt — A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions. A ktfmt IntelliJ plugin is available from the plugin repository. To install it, go to your IDE's settings and select the Plugins category. Click the Marketplace tab, search for the ktfmt plugin, and click the Install button.
ktlint — An anti-bikeshedding Kotlin linter with built-in formatter.
luacheck — A tool for linting and static analysis of Lua code.
lualint — lualint performs luac-based static analysis of global variable usage in Lua source code.
Luanalysis
DrNim — DrNim combines the Nim frontend with the Z3 proof engine in order to verify and validate software written in Nim.
nimfmt — Nim code formatter, linter and style checker.
Sys — A static/symbolic tool for finding bugs in (browser) code. It uses the LLVM AST to find bugs like uninitialized memory access.
VeriFast — A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.
CakeFuzzer — Web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the CakePHP framework, CakeFuzzer launches attacks on all potential application entry points.
churn-php — Helps discover good candidates for refactoring.
composer-dependency-analyser — Fast detection of composer dependency issues.
dephpend — Dependency analysis tool.
deprecation-detector — Finds usages of deprecated (Symfony) code.
deptrac — Enforce rules for dependencies between software layers.
DesignPatternDetector — Detection of design patterns in PHP code.
EasyCodingStandard — Combine PHP_CodeSniffer and PHP-CS-Fixer.
Enlightn — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.
exakat — An automated code reviewing engine for PHP.
GrumPHP — Checks code on every commit.
larastan — Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan.
Mondrian
Nitpick CI ©️ — Automated PHP code review.
parallel-lint — This tool checks syntax of PHP files faster than serial check with a fancier output.
Parse — A Static Security Scanner.
pdepend — Calculates software metrics like cyclomatic complexity for PHP code.
phan — A modern static analyzer from etsy.
PHP Architecture Tester — Easy to use architecture testing tool for PHP.
PHP Assumptions — Checks for weak assumptions.
PHP Coding Standards Fixer — Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.
PHP Insights — Instant PHP quality checks from your console. Analysis of code quality and coding style as well as overview of code architecture and its complexity.
Php Inspections (EA Extended) — A Static Code Analyzer for PHP.
PHP Refactoring Browser — Refactoring helper.
PHP Semantic Versioning Checker
PHP-Parser — A PHP parser written in PHP.
php-speller — PHP spell check library.
PHP-Token-Reflection
php7cc
php7mar
PHP_CodeSniffer — Detects violations of a defined set of coding standards.
PHPArkitect — PHPArkitect helps you keep your PHP codebase coherent and solid by letting you add architectural constraint checks to your workflow. You express the constraints you want to enforce in simple and readable PHP code.
phpca
phpcpd
phpdcd
PhpDependencyAnalysis
PhpDeprecationDetector — Analyzer of PHP code that searches for issues with functionality deprecated in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated function behaviour, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions).
phpdoc-to-typehint
phpDocumentor — Analyzes PHP source code to generate documentation.
phploc — A tool for quickly measuring the size and analyzing the structure of a PHP project.
PHPMD — Finds possible bugs in your code.
PhpMetrics — Calculates and visualizes various code quality metrics.
phpmnd — Helps to detect magic numbers.
PHPQA
phpqa - jakzal — Many tools for PHP static analysis in one container.
phpqa - jmolivas — PHPQA all-in-one Analyzer CLI tool.
phpsa
PHPStan — PHP Static Analysis Tool - discover bugs in your code without running it!
Progpilot — A static analysis tool for security purposes.
Psalm — Static analysis tool for finding type errors in PHP applications.
Qafoo Quality Analyzer
rector — Instant upgrades and automated refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use cases are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more.
Reflection — Reflection library to do static analysis for PHP projects.
Symfony Insight ©️ — Detect security risks, find bugs and provide actionable metrics for PHP projects.
Tuli — A static analysis engine.
twig-lint — twig-lint is a lint tool for your twig files.
WAP — Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining.
Perl::Analyzer — Perl-Analyzer is a set of programs and modules that allow users to analyze and visualize Perl codebases by providing information about namespaces and their relations, dependencies, inheritance, and methods implemented, inherited, and redefined in packages, as well as calls to methods from parent packages via SUPER.
Perl::Critic — Critique Perl source code for best-practices.
perltidy — Perltidy is a Perl script which indents and reformats Perl scripts to make them easier to read. The formatting can be controlled with command line parameters. The default parameter settings approximately follow the suggestions in the Perl Style Guide. Besides reformatting scripts, Perltidy can be a great help in tracking down errors with missing or extra braces, parentheses, and square brackets because it is very good at localizing errors.
zarn — A lightweight static security analysis tool for modern Perl apps.
autoflake — Autoflake removes unused imports and unused variables from Python code.
autopep8 — A tool that automatically formats Python code to conform to the PEP 8 style guide. It uses the pycodestyle utility to determine what parts of the code needs to be formatted.
bandit — A tool to find common security issues in Python code.
bellybutton — A linting engine supporting custom project-specific rules.
Black — The uncompromising Python code formatter.
Bowler — Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code.
ciocheck — Combines pep8, pydocstyle, flake8, and pylint.
cohesion
deal — Design by contract for Python. Write bug-free code. By adding a few decorators to your code, you get for free tests, static analysis, formal verification, and much more.
Dlint — A tool for ensuring Python code is secure.
Dodgy — Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files.
ENRE-py
fixit — A framework for creating lint rules and corresponding auto-fixes for source code.
flake8 — A wrapper around pyflakes, pycodestyle and mccabe.
flakeheaven — flakeheaven is a Python linter built around flake8 to enable inheritable and complex TOML configuration.
Griffe — Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API.
InspectorTiger
jedi — Autocompletion/static analysis library for Python.
linty fresh — Parse lint errors and report them to Github as comments on a pull request.
mccabe — Check McCabe complexity.
multilint — Wraps flake8, isort and modernize.
mypy — A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with MonkeyType.
prospector — A wrapper around pylint, pep8, mccabe and others.
py-find-injection
pyanalyze — A tool for programmatically detecting common mistakes in Python code, such as references to undefined variables and type errors. It can be extended to add additional rules and perform checks specific to particular functions.
PyCodeQual ©️ — PyCodeQual gives you insights into complexity and bug risks. It adds automatic reviews to your pull requests.
pycodestyle — (Formerly pep8) Check Python code against some of the style conventions in PEP 8.
pydocstyle
pyflakes — Check Python source files for errors.
pylint — Looks for programming errors, helps enforce a coding standard and sniffs for some code smells. It additionally includes pyreverse (a UML diagram generator) and symilar (a similarities checker).
pylyzers — A static code analyzer / language server for Python, written in Rust, focused on type checking and readable output.
pyre-check — A fast, scalable type checker for large Python codebases.
pyright — Static type checker for Python, created to address gaps in existing tools like mypy.
pyroma
Pysa — A tool based on Facebook's pyre-check to identify potential security issues in Python code identified with taint analysis.
PyT - Python Taint
pytype — A static type analyzer for Python code.
pyupgrade — A tool (and pre-commit hook) to automatically upgrade syntax for newer versions of the language.
QuantifiedCode
radon — A Python tool that computes various metrics from the source code.
refurb — A tool for refurbishing and modernizing Python codebases. Refurb is heavily inspired by clippy, the built-in linter for Rust.
ruff — Fast Python linter, written in Rust. 10-100x faster than existing linters. Compatible with Python 3.10. Supports file watcher.
unimport — A linter, formatter for finding and removing unused import statements.
vulture — Find unused classes, functions and variables in Python code.
wemake-python-styleguide — The strictest and most opinionated Python linter ever.
wily