Static program analysis is the analysis of computer software that is performed without actually executing programs — Wikipedia

This is a collection of static analysis tools and code quality checkers. Pull requests are very welcome!
Note: ©️ stands for proprietary software. All other tools are Open Source.


Programming Languages


  • Codepeer - detects run-time and logic errors
  • Polyspace for Ada ©️ - provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code.
  • Understand ©️ - IDE that provides code analysis, standards testing, metrics, graphing, dependency analysis and more for Ada and VHDL.


  • gawk --lint - warns about constructs that are dubious or nonportable to other awk implementations.


  • clang-tidy - clang static analyser
  • CMetrics - Measures size and complexity for C files
  • CodeSonar from GrammaTech ©️ - Advanced, whole program, deep path, static analysis of C and C++ with easy-to-understand explanations and code and path visualization.
  • Corrode - Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors.
  • cppcheck - static analysis of C/C++ code
  • CppDepend ©️ - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • cpplint - automated C++ checker that follows Google's style guide
  • cqmetrics - quality metrics for C code
  • CScout - complexity and quality metrics for C and C preprocessor code
  • flawfinder - finds possible security weaknesses
  • flint++ - cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
  • Frama-C - a sound and extensible static analyzer for C code
  • oclint - static analysis of C/C++ code
  • Polyspace Bug Finder ©️ - identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
  • Polyspace Code Prover ©️ - provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code.
  • scan-build - Analyzes C/C++ code using LLVM at compile-time
  • splint - Annotation-assisted static program checker
  • tis-interpreter - An interpreter for finding subtle bugs in programs written in standard C
  • vera++ - Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.


  • .NET Analyzers - An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
  • Code Analysis Rule Collection - Contains a set of diagnostics, code fixes and refactorings built on the Microsoft .NET Compiler Platform "Roslyn".
  • code-cracker - An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
  • CodeRush ©️ - Code creation, debugging, navigation, refactoring, analysis and visualization tools that use the Roslyn engine in Visual Studio 2015 and up.
  • CSharpEssentials - C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
  • Designite ©️ - Designite is a software design quality assessment tool. It supports detection of implementation and design smells, computation of various code quality metrics, and trend analysis.
  • Gendarme - Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET).
  • NDepend ©️ - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • Puma Scan - Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
  • Refactoring Essentials - The free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers.
  • ReSharper ©️ - Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
  • Roslyn Security Guard - Project that focuses on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
  • Roslynator - A collection of 190+ analyzers and 190+ refactorings for C#, powered by Roslyn.
  • Security Code Scan - Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
  • SonarLint for Visual Studio - SonarLint is an extension for Visual Studio 2015 and 2017 that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
  • VSDiagnostics - A collection of static analyzers based on Roslyn that integrate with VS.
  • Wintellect.Analyzers - .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes.


  • ameba - A static code analysis tool for Crystal
  • crystal - The Crystal compiler has built-in linting functionality.


  • credo - A static code analysis tool with a focus on code consistency and teaching.
  • Dogma - A code style enforcer for Elixir
  • sobelow - Security-focused static analysis for the Phoenix Framework


  • elvis - Erlang Style Reviewer


  • deadcode - Finds unused code.
  • dingo-hunter - Static analyser for finding deadlocks in Go.
  • dupl - Reports potentially duplicated code.
  • errcheck - Check that error return values are used.
  • flen - Get info on length of functions in a Go package.
  • gas - Inspects source code for security problems by scanning the Go AST.
  • Go Meta Linter - Concurrently run Go lint tools and normalise their output.
  • go tool vet --shadow - Reports variables that may have been unintentionally shadowed.
  • go vet - Examines Go source code and reports suspicious constructs.
  • go-staticcheck - go vet on steroids, similar to ReSharper for C#.
  • go/ast - Package ast declares the types used to represent syntax trees for Go packages.
  • goconst - Finds repeated strings that could be replaced by a constant.
  • gocyclo - Calculate cyclomatic complexities of functions in Go source code.
  • gofmt -s - Checks if the code is properly formatted and could not be further simplified.
  • goimports - Checks missing or unreferenced package imports.
  • golint - Prints out coding style mistakes in Go source code.
  • goreporter - concurrently runs many linters and normalises their output to a report.
  • goroutine-inspect - An interactive tool to analyze Golang goroutine dump.
  • gosimple - Report simplifications in code.
  • gotype - Syntactic and semantic analysis similar to the Go compiler.
  • ineffassign - Detect ineffectual assignments in Go code
  • interfacer - Suggest narrower interfaces that can be used.
  • lll - Report long lines.
  • maligned - Detect structs that would take less memory if their fields were sorted.
  • megacheck - Run staticcheck, gosimple and unused, sharing work.
  • misspell - Finds commonly misspelled English words.
  • nakedret - Finds naked returns.
  • prealloc - Finds slice declarations that could potentially be preallocated.
  • safesql - Static analysis tool for Golang that protects against SQL injections.
  • structcheck - Find unused struct fields.
  • test - Show location of test failures from the stdlib testing module.
  • testify - Show location of failed testify assertions.
  • unconvert - Detect redundant type conversions.
  • unimport - Finds unnecessary import aliases
  • unparam - Find unused function parameters.
  • unused - Find unused variables.
  • varcheck - Find unused global variables and constants.


  • CodeNarc - a static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices


  • HLint - HLint is a tool for suggesting possible improvements to Haskell code.


  • Haxe Checkstyle - A static analysis tool to help developers write Haxe code that adheres to a coding standard.


  • Checker Framework - Pluggable type-checking for Java
  • checkstyle - checking Java source code for adherence to a Code Standard or set of validation rules (best practices)
  • ckjm - calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files
  • Error-prone - Catch common Java mistakes as compile-time errors
  • fb-contrib - A plugin for FindBugs with additional bug detectors
  • Find Security Bugs - IDE/SonarQube plugin for security audits of Java web applications.
  • Hopper - A static analysis tool written in Scala for languages that run on JVM
  • HuntBugs - Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.
  • JArchitect ©️ - Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
  • NullAway - Type-based null-pointer checker with low build-time overhead; an Error Prone plugin
  • OWASP Dependency Check - Checks dependencies for known, publicly disclosed, vulnerabilities.
  • Spoon - Library to write your own static analyses and architectural rule checkers for Java. Can be integrated in Maven and Gradle.
  • SpotBugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.


  • aether - Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.
  • ClosureLinter - ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors
  • coffeelint - A style checker that helps keep CoffeeScript code clean and consistent.
  • complexity-report - Software complexity analysis for JavaScript projects
  • DeepScan ©️ - An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions.
  • escomplex - Software complexity analysis of JavaScript-family abstract syntax trees.
  • eslint - A fully pluggable tool for identifying and reporting on patterns in JavaScript
  • Esprima - ECMAScript parsing infrastructure for multipurpose analysis
  • flow - A static type checker for JavaScript.
  • jshint - detect errors and potential problems in JavaScript code and enforce your team's coding conventions
  • JSLint ©️ - The JavaScript Code Quality Tool
  • plato - Visualize JavaScript source complexity
  • Prettier - An opinionated code formatter.
  • quality - zero configuration code and module linting
  • standard - An npm module that checks for JavaScript Styleguide issues
  • XO - Enforce strict code style. Never discuss code style on a pull request again!
  • yardstick - JavaScript code metrics


  • detekt - Static code analysis for Kotlin code.
  • ktlint - An anti-bikeshedding Kotlin linter with built-in formatter


  • luacheck - A tool for linting and static analysis of Lua code.


  • mlint ©️ - Check MATLAB code files for possible problems.


  • Perl::Critic - Critique Perl source code for best-practices.


  • dephpend - Dependency analysis tool
  • deprecation-detector - Finds usages of deprecated (Symfony) code
  • deptrac - Enforce rules for dependencies between software layers.
  • DesignPatternDetector - detection of design patterns in PHP code
  • EasyCodingStandard - combine PHP_CodeSniffer and PHP-CS-Fixer
  • exakat - An automated code reviewing engine for PHP
  • GrumPHP - checks code on every commit
  • Mondrian - a set of static analysis and refactoring tools which use graph theory
  • parallel-lint - This tool checks syntax of PHP files faster than serial check with a fancier output.
  • Parse - A Static Security Scanner
  • pdepend - Calculates software metrics like cyclomatic complexity for PHP code.
  • phan - a modern static analyzer from Etsy
  • PHP Assumptions - Checks for weak assumptions
  • PHP Coding Standards Fixer - Fixes your code according to standards like PSR-1, PSR-2, and the Symfony standard.
  • Php Inspections (EA Extended) - A Static Code Analyzer for PHP.
  • PHP Refactoring Browser - Refactoring helper
  • PHP Semantic Versioning Checker - Suggests a next version according to semantic versioning
  • PHP-Parser - A PHP parser written in PHP
  • PHP-Token-Reflection - Library emulating the PHP internal reflection
  • php7cc - PHP 7 Compatibility Checker
  • php7mar - assist developers in porting their code quickly to PHP 7
  • PHP_CodeSniffer - detects violations of a defined set of coding standards
  • phpca - Finds usage of non-built-in extensions
  • phpcf - Finds usage of deprecated PHP features
  • phpcpd - Copy/Paste Detector for PHP code.
  • phpdcd - Dead Code Detector (DCD) for PHP code.
  • PhpDependencyAnalysis - builds a dependency graph for a project
  • phpdoc-to-typehint - Add scalar type hints and return types to existing PHP projects using PHPDoc annotations
  • phpDocumentor - Analyzes PHP source code to generate documentation
  • PHPMD - finds possible bugs in your code
  • PhpMetrics - Calculates and visualizes various code quality metrics
  • phpmnd - Helps to detect magic numbers
  • PHPQA - A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics)
  • phpqa - PHPQA all-in-one Analyzer CLI tool
  • phpsa - Static analysis tool for PHP.
  • PHPStan - PHP Static Analysis Tool - discover bugs in your code without running it!
  • Progpilot - A static analysis tool for security purposes
  • Psalm - Static analysis tool for finding type errors in PHP applications
  • Qafoo Quality Analyzer - Visualizes metrics and source code
  • RIPS - A static source code analyser for vulnerabilities in PHP scripts
  • Tuli - A static analysis engine
  • twig-lint - twig-lint is a lint tool for your twig files.
  • WAP - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives by combining static analysis and data mining.


  • bandit - a tool to find common security issues in Python code
  • jedi - autocompletion/static analysis library for Python
  • linty fresh - parse lint errors and report them to GitHub as comments on a pull request
  • mccabe - check McCabe complexity
  • mypy - an experimental optional static type checker for Python that aims to combine the benefits of dynamic (or "duck") typing and static typing, frequently used with MonkeyType
  • py-find-injection - find SQL injection vulnerabilities in Python code
  • pycodestyle - (formerly pep8) check Python code against some of the style conventions in PEP 8
  • pydocstyle - check compliance with Python docstring conventions
  • pyflakes - check Python source files for errors
  • pylint - looks for programming errors, helps enforce a coding standard and sniffs for some code smells. It additionally includes pyreverse (a UML diagram generator) and symilar (a similarities checker).
  • pyroma - rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved
  • PyT - Python Taint - A static analysis tool for detecting security vulnerabilities in Python web applications.
  • vulture - find unused classes, functions and variables in Python code
  • xenon - monitor code complexity using radon

Python wrappers

  • ciocheck - linter, formatter and test suite helper. As a linter, it is a wrapper around pep8, pydocstyle, flake8, and pylint.
  • flake8 - a wrapper around pyflakes, pycodestyle and mccabe
  • prospector - a wrapper around pylint, pep8, mccabe and others


  • lintr ©️ - Static Code Analysis for R


  • brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
  • cane - Code quality threshold checking as part of your build
  • dawnscanner - a static analysis security scanner for web applications written in Ruby. It supports Sinatra, Padrino and Ruby on Rails frameworks.
  • flay - Flay analyzes code for structural similarities.
  • flog - Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.
  • laser - Static analysis and style linter for Ruby code.
  • pelusa - Static analysis Lint-type tool to improve your OO Ruby code
  • quality - Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time.
  • reek - Code smell detector for Ruby
  • rubocop - A Ruby static code analyzer, based on the community Ruby style guide.
  • Rubrowser - Ruby classes interactive dependency graph generator.
  • ruby-lint - Static code analysis for Ruby
  • rubycritic - A Ruby code quality reporter
  • SandiMeter - Static analysis tool for checking Ruby code for Sandi Metz' rules.


  • clippy - a code linter to catch common mistakes and improve your Rust code
  • electrolysis - A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.
  • herbie - Adds warnings or errors to your crate when using a numerically unstable floating point expression.
  • linter-rust - Linting your Rust-files in Atom, using rustc and cargo
  • Rust Language Server - Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings.
  • rustfix - read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).


  • linter - Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems.
  • Scalastyle - Scalastyle examines your Scala code and indicates potential problems with it.
  • scapegoat - Scala compiler plugin for static code analysis
  • WartRemover - a flexible Scala code linting tool.


  • shellcheck - ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts


  • sqlcheck - Automatically identify anti-patterns in SQL queries
  • sqlint - Simple SQL linter


  • SwiftLint - A tool to enforce Swift style and conventions
  • Tailor - A static analysis and lint tool for source code written in Apple's Swift programming language.


  • Codelyzer - A set of tslint rules for static code analysis of Angular 2 TypeScript projects.
  • TSLint - An extensible linter for the TypeScript language.
  • tslint-microsoft-contrib - A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft.

Multiple languages

  • AppChecker ©️ - Static analysis for C/C++/C#, PHP and Java
  • Application Inspector ©️ - Combined SAST, DAST, IAST security scanner for C#, PHP, Java, SQL languages
  • APPscreener ©️ - Static code analysis for binary and source code - Java/Scala, PHP, Javascript, C#, PL/SQL, Python, T-SQL, C/C++, ObjectiveC/Swift, Visual Basic 6.0, Ruby, Delphi, ABAP, HTML5 and Solidity
  • Axivion Bauhaus Suite ©️ - Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95
  • coala - Language independent framework for creating code analysis - supports over 60 languages by default
  • Cobra ©️ - Structural source code analyzer by NASA's Jet Propulsion Laboratory. Supports C, C++, Ada, and Python.
  • codeburner - Provides a unified interface to sort and act on the issues it finds
  • CodeFactor ©️ - Static Code Analysis for C#, C, C++, CoffeeScript, CSS, Groovy, GO, JAVA, JavaScript, Less, Python, Ruby, Scala, SCSS, TypeScript.
  • CodeIt.Right ©️ - CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices. Supported languages: C#, VB.NET.
  • cqc - Check your code quality for js, jsx, vue, css, less, scss, sass and styl files.
  • DevSkim - Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others.
  • Fortify ©️ - A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.
  • graudit - Grep rough audit - source code auditing tool - C/C++, PHP, ASP, C#, Java, Perl, Python, Ruby
  • Hound CI - Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.
  • imhotep - Comment on commits coming into your repository and check for syntactic errors and general lint warnings.
  • Infer - A static analyzer for Java, C and Objective-C
  • Klocwork ©️ - Quality and Security Static analysis for C/C++, Java and C#
  • oclint - A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C
  • pfff - Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages
  • PMD - A source code analyzer for Java, Javascript, PLSQL, XML, XSL and others
  • pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
  • PVS-Studio ©️ - a (conditionally free for FOSS) static analysis of C/C++ and C# code. For advertising purposes you can propose a large FOSS project for analysis by PVS employees.
  • Security Code Scan - Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
  • shipshape - Static program analysis platform that allows custom analyzers to plug in through a common interface
  • SonarQube - SonarQube is an open platform to manage code quality.
  • STOKE - a programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations
  • Synopsys ©️ - A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift)
  • Undebt - Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions
  • WALA - static analysis capabilities for Java bytecode and related languages and for JavaScript
  • XCode ©️ - XCode provides a pretty decent UI for Clang's static code analyzer (C/C++, Obj-C)


Build tools

  • checkmake - Linter / Analyzer for Makefiles
  • codechecker - a defect database and viewer extension for the Clang Static Analyzer


  • BinSkim - A binary static analysis tool that provides security and correctness results for Windows portable executables.
  • Manalyze - A static analyzer, which checks portable executables for malicious content.


  • clair - Vulnerability Static Analysis for Containers
  • collector - Run arbitrary scripts inside containers, and gather useful information
  • dagda - Perform static analysis of known vulnerabilities in docker images/containers.
  • Docker Label Inspector - Lint and validate Dockerfile labels
  • Haskell Dockerfile Linter - A smarter Dockerfile linter that helps you build best practice Docker images

Config Files

  • gixy - a tool to analyze Nginx configuration. The main goal is to prevent misconfiguration and automate flaw detection.

Configuration Management

  • ansible-lint - Checks playbooks for practices and behaviour that could potentially be improved
  • foodcritic - A lint tool that checks Chef cookbooks for common problems.
  • Puppet Lint - Check that your Puppet manifests conform to the style guide.


  • CSS Stats - Potentially interesting stats on stylesheets
  • CSScomb - a coding style formatter for CSS. Supports own configurations to make style sheets beautiful and consistent
  • CSSLint - Does basic syntax checking and finds problematic patterns or signs of inefficiency
  • Parker - Stylesheet analysis tool
  • sass-lint - A Node-only Sass linter for both sass and scss syntax.
  • scsslint - Linter for SCSS files
  • Specificity Graph - CSS Specificity Graph Generator
  • Stylelint - Linter for SCSS/CSS files


  • gherkin-lint - A linter for the Gherkin-Syntax written in JavaScript.


  • HTML Inspector - HTML Inspector is a code quality tool to help you and your team write better markup.
  • HTML Tidy - Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards.
  • HTMLHint - A Static Code Analysis Tool for HTML

IDE Plugins

  • ale - Asynchronous Lint Engine for Vim and NeoVim with support for many languages
  • Attackflow Extension ©️ - Attackflow plugin for Visual Studio, which enables developers to find critical security bugs in real time in the source code without any prior knowledge.
  • DevSkim - Inline, realtime security analysis. Works with multiple programming languages and IDEs (VS, VS Code, Sublime Text, ...).
  • Puma Scan - Puma Scan provides real time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
  • Security Code Scan - Security code analyzer for C# and VB.NET that integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc.
  • vint - Fast and Highly Extensible Vim script Language Lint implemented in Python.


  • ChkTeX - A linter for LaTeX which catches some typographic errors LaTeX overlooks.
  • lacheck - A tool for finding common mistakes in LaTeX documents.


  • portlint - A verifier for FreeBSD and DragonFlyBSD port directories


  • mdl - A tool to check markdown files and flag style issues.


  • android-lint-summary - Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once.
  • FlowDroid - static taint analysis tool for Android applications
  • paprika - A toolkit to detect some code smells in analyzed Android applications.
  • qark - Tool to look for several security related Android application vulnerabilities


  • lintian - Static analysis tool for Debian packages
  • rpmlint - Tool for checking common errors in rpm packages


  • ember-template-lint - Linter for Ember or Handlebars templates.
  • haml-lint - Tool for writing clean and consistent HAML
  • slim-lint - Configurable tool for analyzing Slim templates
  • yamllint - Checks YAML files for syntax validity, key repetition and cosmetic problems such as lines length, trailing spaces, and indentation.


  • dennis - A set of utilities for working with PO files to ease development and improve quality.


  • misspell fixer - Quick tool for fixing common misspellings, typos in source code
  • proselint - a linter for English prose with a focus on writing style instead of grammar.
  • vale - A customizable, syntax-aware linter for prose.

Web services

  • Attackflow ©️ - Application security testing tool with rules grouped into nine classes including Authorization, Injection, Cryptography, Authentication and Code Quality.
  • Bithound ©️ - Code Analysis beyond Lint, specifically for Node.js.
  • Codacy ©️ - Code Analysis to ship Better Code, Faster.
  • Code Climate ©️ - The open and extensible static analysis platform, for everyone.
  • CodeFactor ©️ - Automated Code Analysis for repos on GitHub or BitBucket.
  • Functor Prevent ©️ - Static code analysis for C code.
  • kiuwan ©️ - Software Analytics in the Cloud supporting more than 22 programming languages.
  • Landscape ©️ - Static code analysis for Python
  • Nitpick CI ©️ - Automated PHP code review
  • Node Security Platform ©️ - Continuous Security monitoring for your node apps (free for Open Source Projects)
  • QuantifiedCode - Automated code review & repair
  • Scrutinizer ©️ - A proprietary code quality checker that can be integrated with GitHub
  • SensioLabs Insight ©️ - Detect security risks, find bugs and provide actionable metrics for PHP projects
  • SideCI ©️ - An automated code reviewing tool. Improving developers' productivity.
  • Snyk ©️ - Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects)
  • Teamscale ©️ - Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available.
  • Upsource ©️ - Code review tool with static code analysis and code-aware navigation for Java, PHP, JavaScript and Kotlin.

More collections

  • go-tools - A collection of tools and libraries for working with Go code, including linters and static analysis
  • linters - An introduction to static code analysis
  • php-static-analysis-tools - A reviewed list of useful PHP static analysis tools
  • Tools for C/C++ - A list of static analysis tools for C/C++
  • Wikipedia - A list of tools for static code analysis.



To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work. Title image Designed by Freepik.