List of tools for static code analysis

This is a list of notable tools for static code analysis.

Static code analysis tools[]

Tool	Latest release	Free software	Supported languages							Notes
Tool	Latest release	Free software	Ada	C / C++ / C# / Objective‑C	Java	JavaScript / TypeScript	.NET / VB.NET	Python	Other languages	Notes
Apache Yetus	2020-12-17 (0.13.0)	Yes; ASL 2	—	C, C++	Java	—	—	Python	Perl, Ruby, Shell, XML	A collection of build and release tools. Included is the 'precommit' module that is used to execute full and partial/patch CI builds that provides static analysis of code via other tools as part of a configurable report. Built-in support may be extended with plug-ins.
Axivion Bauhaus Suite		No; Proprietary	Ada	C, C++, C#	Java	—	—	—	—	A static code analysis tool suite that performs various analyses such as architecture checking, interface analyses, MISRA checking, and clone detection.
Code Dx		No; Proprietary	—	C, C++, C#	Java, JSP	JavaScript	VB.NET	Python	PHP, Rails, Ruby, Scala, XML^[1]	Software application vulnerability correlation and management system that uses multiple SAST and DAST tools, as well as the results of manual code reviews. Can calculate cyclomatic complexity.
CodeQL	2021-07-26 (CLI: 2.5.8)	No; Proprietary	—	C, C++, C#	Java	JavaScript, TypeScript	.NET	Python	Go	A code searching tool with an emphasis on finding software bugs. Search patterns are written in a query language which can search the AST and graphs (CFG, DFG, etc.) of supported languages. A plugin is available for Visual Studio.
CodeRush	2021-05-04 (20.2.11)	No; Proprietary	—	C#	—	JavaScript	VB.NET	—	ASP, HTML, XML, XAML	A plugin for Visual Studio which alerts users to violations of best practices.
CodeScene	2021-01-01	No; Proprietary	—	C, C++, C#, Objective‑C	Java, Groovy	JavaScript, TypeScript	VB.NET	Python	Scala, Swift, Go, PHP, Ruby	Behavioral analysis of code. Helps identify, prioritize, and manage technical debt. Measures organizational aspects of developer teams. Automated pull request integrations.
ConQAT (retired)	2015-02-01	Yes; ASL 2	Ada	C#, C++	Java	JavaScript	—	—	ABAP	Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards.
Coverity	2021-01-23 (2020.09)^[2]	No; Proprietary	—	C, C++, C#, Objective‑C	Java	JavaScript	—	Python	node.JS, Ruby, PHP	Multi-language tool for security and quality issues. Supports compliance standards (MISRA, ISO 26262 and others). Free to use for open-source projects.
GrammaTech CodeSonar	2020-06-01 (5.3)	No; Proprietary	—	C, C++, Objective‑C	Java	—	—	—	—	Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics.
HCL Security AppScan Source	2020-12-01 (10.0.3)	No; Proprietary	—	C, C++	Java, JSP	JavaScript	.NET	Python	ColdFusion, ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, COBOL	Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems.
Infer Static Analyzer	2021-03-26 (1.1.0)	Yes; MIT	—	C, C++, Objective‑C	Java	—	—	—	—	Targets null pointer problems, leaks, concurrency issues and API usage for Facebook's mobile apps. Available as open source on GitHub. Sometimes referred as Facebook Infer.
Imagix 4D	2020-10-01 (10.1.0)	No; Proprietary	—	C, C++	Java	—	—	—	—	Windows and Linux versions.
Kiuwan	2020-07-22	No; Proprietary	—	C, C++, C#, Objective‑C	Java, JSP, JCL	JavaScript	VB.NET	—	ABAP, COBOL, PHP, PL/SQL, T-SQL, SQL, Visual Basic, Android	Software Analytics end-to-end platform for static code analysis and automated code review. It covers defect detection, application security & IT Risk Management, with enhanced life cycle and application governance features. Support for over 20 languages.
Klocwork	2020-12-01 (2020.4)	No; Proprietary	—	C, C++, C#	Java	—	—	—	—	Provides security vulnerability, standards compliance (MISRA, ISO 26262 and others), defect detection and build-over-build trend analysis
LDRA Testbed	2021-05-07 (v9.8.6)	No; Proprietary	Ada83, Ada95	C, C++	—	—	—	—	Assembler (Intel, Freescale, Texas Instruments)	A software analysis and testing tool suite.
MALPAS		No; Proprietary	Ada	C	—	—	—	—	Pascal, Assembler (Intel, PowerPC and Motorola)	A software static analysis toolset for a variety of languages. Used primarily for safety critical applications in Nuclear and Aerospace industries.
Moose	2021-01-21 (7.0.3)	Yes; MIT	—	C, C++	Java	—	.NET	—	Smalltalk	Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve to a more generic data analysis platform.
NDepend	2021-01-28 (2021.1.0)^[3]	No; Proprietary	—	—	—	—	.NET	—	—	Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions. Integrates into Visual Studio.
.NET Compiler Platform (Roslyn)	2020-12-08 (3.8.0)	Yes; MIT	—	C#	—	—	VB.NET	—	—	Open-source compiler framework for C# and Visual Basic .NET developed by Microsoft .NET. Provides an API for analyzing and manipulating syntax. FxCop rules were implemented into Roslyn.
PMD	2021-01-30 (6.31.0)	Yes; BSD-like	—	C, C++	Java, JSP	JavaScript	—	—	ColdFusion, PHP	duplicate code detection (e.g.)^[4] code.
Polyspace		No; Proprietary	Ada	C, C++	—	—	—	—	—	Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
Pretty Diff	2019-04-21 (101.0.0)	Yes; CC0	—	—	—	JavaScript, TypeScript	—	—	Markup, script and style languages (like XML, Javascript, CSS)	A language-specific code comparison tool that features language-specific analysis reporting in addition to language-specific minification and beautification algorithms.
PVS-Studio	2020-11-05 (7.10)	No; Proprietary	—	C, C++, C++/CLI, C++/CX, C#	Java	—	—	—	—	A software analysis tool.
RIPS	2020-02-17 (3.4)	No; Proprietary	—	—	Java	—	—	—	PHP, Node.js	A static code analysis solution with many integration options for the automated detection of complex security vulnerabilities.
Semgrep	2021-05-19 (0.52.0)	Yes; LGPL v2.1	—	—	Java	JavaScript, TypeScript	—	Python	Go, JSON, Ruby, language-agnostic mode	A static analysis tool that helps expressing code standards and surfacing bugs early. It also has experimental support for eleven other languages. A CI service and a rule library is also available.
Sider	2021-02-02	No; Proprietary	—	—	—	JavaScript, CoffeeScript	—	Python	Ruby, PHP, Go	Static code analysis based automated code review tool working on GitHub and GitLab. Checks style, quality, dependencies, security and bugs. It integrates a number of open source static analysis tools.
SofCheck Inspector / Codepeer	2020-08-24 (21.x)	No; Proprietary	Ada	—	Java	—	—	—	—	Static detection of logic errors, race conditions, and redundant code. automatically extracts pre-postconditions from code.
SonarQube	2021-04-01 (8.8)	Yes; LGPL v3.0	—	C, C#, C++, Objective‑C	Java	JavaScript, TypeScript	VB.NET	Python	ABAP, Apex, CSS, COBOL, Flex, Go, HTML, Kotlin, PHP, PLI, PL/SQL, Ruby, Scala, Swift, TSQL, Visual Basic 6, XML	A continuous inspection engine that finds vulnerabilities, bugs and code smells. Also tracks code complexity, unit test coverage and duplication.
Sotoarc-Sotograph	2018-12-03 (5.0)	No; Proprietary	—	C, C++, C#	Java	—	—	—	ABAP	Architecture and quality in-depth analysis and monitoring.
SourceMeter	2016-12-16 (8.2)	No; Proprietary	—	C, C++	Java	—	—	Python	RPG IV (AS/400)	A platform-independent, command-line static source code analyzer. Integrates with PMD and SpotBugs.
StyleCop	2016-05-02 (2016.1.0)	Yes; Ms-PL	—	C#	—	—	.NET	—	—	Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project.
Squore	2020-11-27 (20.1)	No; Proprietary	Ada	C, C++, C#, Objective‑C	Java	JavaScript, TypeScript	VB.NET	Python	Fortran, PHP, PL/SQL, Swift, T-SQL, XAML	A multi-purpose and multi-language monitoring tool for software projects. It integrates with other scanners.
Understand	2020-09-21 (6.0)	No; Proprietary	Ada	C, C++, C#, Objective‑C	Java	JavaScript	—	Python	Cobol, FORTRAN, Jovial, Pascal, PL/M, VHDL, HTML, PHP, XML	A multi-platform tool for code analysis and comprehension of large code bases. Can recognize multiple dialects of C, C++ and C# like ANSI, K&R and Objective C++.
Yasca (retired)	2010-11-01 (2.21)	Yes; multiple licenses	—	C, C++	Java	JavaScript	—	—	JavaScript, ASP, PHP, HTML-CSS, ColdFusion, COBOL	Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins. It integrates with other scanners, including FindBugs, PMD, and Pixy.
Tool	Release	Free software	Supported languages							Notes

Languages[]

Ada[]

Tool	Latest release	Free software	Notes
AdaControl	2019-10-30 (1.21r6b)	Yes; GPLv2	A tool to control occurrences of various entities or programming patterns in Ada code, used for checking coding standards, enforcement of safety related rules, and support for various manual inspections. Features automatic fixing of violations.
CodePeer			An advanced static analysis tool that detects potential run-time logic errors in Ada programs.
Fluctuat			Abstract interpreter for the validation of numerical properties of programs.
LDRA Testbed		No; Proprietary	A software analysis and testing tool suite for Ada83/95.
Polyspace		No; Proprietary	Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
SofCheck Inspector (Bought by AdaCore)			Static detection of logic errors, race conditions, and redundant code for Ada; automatically extracts pre-postconditions from code.
SPARK Toolset			Verification tools for SPARK 2014 – a subset of Ada 2012 that leverages Ada's support for contracts. Designed to offer soundness, depth, modularity and efficiency of verification.

C, C++[]

Tool	Latest release	Free software	Duplicate code	Notes
Astrée		No; Proprietary		finds all potential runtime errors and data races by abstract interpretation, can prove their absence, and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics and automotive). Includes MISRA checker.
BLAST (retired)	2015-10-30 (2.7.3)	Yes; ASL 2		An open-source software model checker for C programs based on lazy abstraction (follow-on project is CPAchecker.^[5]).
Clang	2021-01-14 (11.0.1)	Yes; ASL 2 with LLVM Exceptions (v9.0.0<)		An open-source compiler that includes a static analyzer.
Coccinelle	2021-02-25 (1.1.0)	Yes; GPLv2		An open-source source code pattern matching and transformation.
Coverity	2019-12-14 (2020.12)^[6]	No; Proprietary		A static analysis tool for C/C++.
CPAchecker		Yes; ASL 2		A tool for execution path checking of C.
Cppcheck	2021-03-23 (2.4.1)	Yes; GPL	No	Open-source tool that checks for several types of errors, including use of STL. MISRA support is being added.
Cppdepend	2021-01-01 (2021.1)	No; Proprietary		Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and comparing different versions of the code.
cpplint		Yes; ASL 2		An open-source tool that checks for compliance with Google's style guide for C++ coding.
ECLAIR		No; Proprietary		A platform for the automatic analysis, verification, testing and transformation of C and C++ programs.
Eclipse		Yes		An open-source IDE that includes a static code analyzer.
Fluctuat		No; Proprietary		Abstract interpreter for the validation of numerical properties of programs.
Frama-C		Yes		An open-source extensible analysis framework for C with several analyzers and a specification language common to all of them. Includes analyses based on abstract interpretation, deductive verification and runtime monitoring.
Helix QAC	2020.1			Formerly PRQA QA·C and QA·C++, deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support.
Infer	2020-10-12 (1.0.0)	Yes; MIT		Developed by an engineering team at Facebook with open-source contributors. Targets null pointer and other memory problems. Available as open-source on github.
Lint	1978-07-26	Yes; Permissive BSD-like^[7]	No	The original, from 1978, static code analyzer for C.
LDRA Testbed	2021-05-07 (v9.8.6)			A software analysis and testing tool suite for C/C++, that performs static analysis, standards enforcement (eg MISRA C/C++), dynamic analysis, unit testing and requirements traceability.
Parasoft C/C++test	10.4.2	No; Proprietary		A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
PC-Lint		No		A software analysis tool for C with partial support for C++2011.
Polyspace		No		Uses abstract interpretation to detect and prove the absence of run time errors, Dead Code in source code as well as used to check all MISRA (2004, 2012) rules (directives, non directives).
SLAM project				a project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses.
Sparse	2020-10-18 (0.6.3)	Yes		An open-source tool designed to find faults in the Linux kernel.
SonarQube	2021-04-01 (8.8)	Yes; LGPL v3.0	Yes	An open-source tool which offers C/C++ support via a commercial license. Able to calculate cyclomatic complexity.
Splint	3.1.2	Yes		An open-source tool statically checking C programs for security vulnerabilities and coding mistakes.
Visual Studio		No		An IDE that provides static code analysis for C/C++ both in the editor environment and from the compiler command line.

Fortran[]

Fortran-Lint^[8] (Information Processing Techniques, Inc)

IEC 61131-3[]

CODESYS Static Analysis - integrated add-on for CODESYS (application code realized e.g. in ST, FBD, LD)

Java[]

Tool	Latest release	Free software	Duplicate code	Notes
Checkstyle	2020-01-26	Yes; LGPL	No	Besides some static code analysis, it can be used to show violations of a configured coding standard. Duplicate code detection was removed^[9] from Checkstyle.
Coverity	2017-01-19	No; Proprietary		Coverity is a static analysis and Static Application Security Testing (SAST) platform that finds critical defects and security weaknesses in code as it’s written before they become vulnerabilities, crashes, or maintenance headaches.
Eclipse	2017-06-28	Yes; EPL	No	Cross-platform IDE with own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project. Plugins for Checkstyle, FindBugs, and PMD.
FindBugs	2015-03-06	Yes; LGPL		Based on Jakarta BCEL from the University of Maryland. SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community.
Infer	2017-10-19	Yes; BSD with additio- nal patent clause		Developed by an engineering team at Facebook with open-source contributors. Targets null pointer exceptions, leaks, and thread safety issues.
IntelliJ IDEA	2021-04-06	Yes; ASL 2	Yes	A leading Java IDE with built-in code inspection and analysis. Plugins for Checkstyle, FindBugs, and PMD.
JArchitect	2017-06-11	No; Proprietary		Simplifies managing a complex code base by analyzing and visualizing code dependencies, defining design rules, doing impact analysis, and by comparing different versions of the code.
Jtest	2019-05-21	No; Proprietary	Yes	Testing and static code analysis product by Parasoft.
LDRA Testbed		No; Proprietary		Analysis and testing tool suite.
PMD	2020-10-24	Yes; BSD, ASL 2, LGPL	Yes	A static ruleset based source code analyzer that identifies potential problems.
RIPS	2019-01-07	No; Proprietary		Language-specific source code analysis solution with many integration options for accurate detection of complex security and quality issues.
Semgrep	2021-03-16 (0.43.0)	Yes; LGPL v2.1	No	A static analysis tool that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also available.
Soot	2020-10-28	Yes; LGPL		A language manipulation and optimization framework consisting of intermediate languages.
Squale	2011-05-26	Yes; LGPL		A platform to manage software quality.
SourceMeter	2016-02-01	No; Proprietary	Yes	A platform-independent, command-line static source code analyzer.
ThreadSafe	2014-03-28	No; Proprietary		A static analysis tool focused on finding concurrency bugs.

JavaScript[]

ESLint – JavaScript syntax checker and formatter.
Google's Closure Compiler – JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
JSHint – A community driven fork of JSLint.
JSLint – JavaScript syntax checker and validator.
Semgrep – A static analysis tool that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also available.

Objective-C, Objective-C++[]

Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.^[10]
Infer – Developed by an engineering team at Facebook with open-source contributors. Targets null pointers, leaks, API usage and other lint checks. Available as open source on github.

Opa[]

Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.

Packaging[]

Lintian – Checks Debian software packages for common inconsistencies and errors.
Rpmlint – Checks for common problems in rpm packages.

Perl[]

Perl::Critic – A tool to help enforce common Perl best practices. Most best practices are based on Damian Conway's Perl Best Practices book.
PerlTidy – Program that acts as a syntax checker and tester/enforcer for coding practices in Perl.
Padre – An IDE for Perl that also provides static code analysis to check for common beginner errors.

PL/SQL[]

TOAD – A PL/SQL development environment with a Code xPert component that reports on general code efficiency as well as specific programming issues.
Visual Expert – A PL/SQL code analysis tool^[11] that reports on programming issues and helps understand and maintain complex code (Impact Analysis, Source Code documentation, Call trees, CRUD matrix, etc.).

Python[]

PyCharm – Cross-platform Python IDE with code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
PyDev – Eclipse-based Python IDE with code analysis available on-the-fly in the editor or at save time.
Pylint – Static code analyzer. Quite stringent; includes many stylistic warnings as well.
Semgrep – Static code analyzer that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also available.

Transact-SQL[]

Visual Expert – A SQLServer code analysis tool^[12] that reports on programming issues and helps understand and maintain complex code (Impact Analysis, source code documentation, call trees, CRUD matrix, etc.).

Formal methods tools[]

Tools that use sound, i.e. over-approximating a rigorous model, formal methods approach to static analysis (e.g., using static program assertions). Sound methods contain no false negatives for bug-free programs, at least with regards to the idealized mathematical model they are based on (there is no "unconditional" soundness). Note that there is no guarantee they will report all bugs for buggy programs, they will report at least one.

Astrée – finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics).
CodePeer – Statically determines and documents pre- and post-conditions for Ada subprograms; statically checks preconditions at all call sites.
ECLAIR – Uses formal methods-based static code analysis techniques such as abstract interpretation and model checking combined with constraint satisfaction techniques to detect or prove the absence of certain run time errors in source code.
ESC/Java and ESC/Java2 – Based on Java Modeling Language, an enriched version of Java
Frama-C – An open-source analysis framework for C, based on the ANSI/ISO C Specification Language (ACSL). Its main techniques include abstract interpretation, deductive verification and runtime monitoring.
KeY – analysis platform for Java based on theorem proving with specifications in the Java Modeling Language; can generate test cases as counterexamples; stand-alone GUI or Eclipse integration
MALPAS – A formal methods tool that uses directed graphs and regular algebra to prove that software under analysis correctly meets its mathematical specification.
Polyspace – Uses abstract interpretation, a formal methods based technique,^[13] to detect and prove the absence of certain run time errors in source code for C/C++, and Ada
SPARK Toolset including the SPARK Examiner – Based on the SPARK language, a subset of Ada.

References[]

^ "Supported Application Security Testing Tools and Languages". codedx.com. Retrieved Apr 25, 2017.
^ "Coverity Scan website". Retrieved 2021-02-02.
^ "NPendend release notes". ndepend.com. Retrieved 9 May 2021.
^ "PMD - Browse /pmd/5.0.0 at SourceForge.net". Retrieved Dec 9, 2012.
^ "CPAchecker". 2015-02-08.
^ "SIG Customer Community". community.synopsys.com. Retrieved 2021-02-02.
^ "UNIX is free!". lemis.com. 2002-01-24.
^ Lint for FortranDenis W. Haskin (May 2, 1988). "Shaking down your FORTRAN programs". Digital Review. pp. 41–47. similar to DEC's Source Code Analyzer, .. comes into play much earlier .. before users compile their programs
^ https://github.com/checkstyle/checkstyle/issues/523
^ "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.
^ "Visual Expert for Oracle - PL/SQL Code Analyzer". www.visual-expert.com. 2017-08-24.
^ "Visual Expert for SQL Server - Transact SQL Code Analyzer". www.visual-expert.com. 2017-08-24.
^ Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007). IEEE International Conference on Software Engineering and Formal Methods. pp. 135–140. doi:10.1109/SEFM.2007.42. ISBN 978-0-7695-2884-7.

External links[]

The Web Application Security Consortium's Static Code Analysis Tool List
Java Static Checkers at Curlie
SAMATE-Source Code Security Analyzers
SATE – Static Analysis Tool Exposition
"A Comparison of Bug Finding Tools for Java", by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
"Mini-review of Java Bug Finders", by Rick Jelliffe, O'Reilly Media.

[1] "Supported Application Security Testing Tools and Languages". codedx.com. Retrieved Apr 25, 2017.

[2] "Coverity Scan website". Retrieved 2021-02-02.

[3] "NPendend release notes". ndepend.com. Retrieved 9 May 2021.

[4] "PMD - Browse /pmd/5.0.0 at SourceForge.net". Retrieved Dec 9, 2012.

[5] "CPAchecker". 2015-02-08.

[6] "SIG Customer Community". community.synopsys.com. Retrieved 2021-02-02.

[7] "UNIX is free!". lemis.com. 2002-01-24.

[8] Lint for FortranDenis W. Haskin (May 2, 1988). "Shaking down your FORTRAN programs". Digital Review. pp. 41–47. similar to DEC's Source Code Analyzer, .. comes into play much earlier .. before users compile their programs

[9] ttps://github.com/checkstyle/checkstyle/issues/523

[10] "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.

[11] "Visual Expert for Oracle - PL/SQL Code Analyzer". www.visual-expert.com. 2017-08-24.

[12] "Visual Expert for SQL Server - Transact SQL Code Analyzer". www.visual-expert.com. 2017-08-24.

[13] Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007). IEEE International Conference on Software Engineering and Formal Methods. pp. 135–140. doi:10.1109/SEFM.2007.42. ISBN 978-0-7695-2884-7.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]