Top 23 Static Analysis Open-Source Projects
-
ImHex
A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
-
Mobile-Security-Framework-MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
-
bytecode-viewer
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
-
static-analysis
A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
-
owasp-mastg
The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
-
PHP Code Sniffer
PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.
-
semgrep
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
-
Checkstyle
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
-
Scanners-Box
A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners developed by security-industry practitioners
These projects use Caddy as my local development server, Dart Sass for converting my Sass files to CSS, elm, elm-format, elm-optimize-level-2, elm-review, elm-test (only in Calculator), ShellCheck to find bugs in my shell scripts, and Terser to mangle and compress JavaScript code.
Project mention: Ask HN: What Underrated Open Source Project Deserves More Recognition? | news.ycombinator.com | 2024-03-07
ImHex
"A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM."
I actually used it not too long ago to inspect why an mp4 file wasn't valid. The pattern language that they have is quite nice and having sections of the hex highlighted and being able to see what structures they represent and what data was on those structures was very useful!
https://github.com/WerWolv/ImHex
Ruff is an open-source Python linter created by Astral Sh that stands out for its impressive speed, adaptability, and wide-ranging features.
Project mention: A problem when adding Swiftlint as a dependency on my own package? | /r/swift | 2023-10-27
Project mention: An Introduction to Temporal Logic (With Applications to Concurrency Problems) | news.ycombinator.com | 2024-01-22
I think most development occurs on problems that can't be formally modeled anyway. Most developers work on things like, "can you add this feature to the e-commerce site? And can the pop-up be blue?" which isn't really model-able.
But that's not to say that formal methods are useless! We can still prove some interesting aspects of programs -- for example, that every lock that gets acquired later gets released. I think tools like Infer[0] could become common in the coming years.
[0]: https://fbinfer.com/
Readers should also peruse the 'Multiple languages' section, many of the big names, Coverity, Klocwork et al. are listed there.
see https://github.com/analysis-tools-dev/static-analysis#multip...
PHP-CS-Fixer automatically fixes PHP coding standard issues, maintaining a clean codebase and adhering to coding standards. It can be integrated into the development workflow to ensure all code complies with defined standards.
As part of the journey to PHP perfection, you should embrace Rector. It's an amazing, free, and open-source tool for migrations, code quality, type coverage, pushing PHPStan to the highest levels, and yes, it can even auto-fix your existing code! It seamlessly integrates into the CI process, making your development workflow smoother than ever.
Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03
Project mention: I looked through attacks in my access logs. Here's what I found | news.ycombinator.com | 2024-01-28
Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there.
https://github.com/quay/clair
https://github.com/anchore/grype/
3. Hadolint: https://github.com/hadolint/hadolint Hadolint is a Dockerfile linter that helps you build best practice Docker images, reducing vulnerabilities in your container configurations.
2. SonarQube: https://github.com/SonarSource/sonarqube SonarQube enhances code quality and security. It performs automatic reviews to detect bugs, vulnerabilities, and code smells in your code.
Trivy Operator : A simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities of OS packages (Alpine, Debian, CentOS, etc.) and application dependencies (pip, npm, yarn, composer, etc.) (Alternatives : Grype, Snyk, Clair, Anchore, Twistlock)
For those unaware, gosec (and by extension golangci-lint) will warn about uses of `math/rand`
https://github.com/securego/gosec/blob/d3b2359ae29fe344f4df5...
Static Analysis related posts
-
We Have Code Quality At Home: Open Source Java Code Quality Tools
-
Open source software maintenance is difficult: examples with Go math/rand/v2 and testify
-
Cloud Security and Resilience: DevSecOps Tools and Practices
-
Handling EI_EXPOSE_REP & EI_EXPOSE_REP2
-
Semgrep: Semantic Grep for Code
-
Show HN: MicroSCOPE - identify ransomware statically with heuristics
-
Ask HN: Is there a GUI for bash shell?
Index
What are some of the best open-source Static Analysis projects? This list will help you:
Rank | Project | Stars |
---|---|---|
1 | ShellCheck | 35,098 |
2 | ImHex | 33,108 |
3 | ruff | 26,896 |
4 | SwiftLint | 18,349 |
5 | PHP Parser | 16,850 |
6 | Mobile-Security-Framework-MobSF | 16,386 |
7 | infer | 14,730 |
8 | bytecode-viewer | 14,359 |
9 | static-analysis | 12,904 |
10 | PHP CS Fixer | 12,575 |
11 | PHPStan | 12,564 |
12 | cmake-examples | 11,978 |
13 | owasp-mastg | 11,304 |
14 | awesome-malware-analysis | 11,085 |
15 | PHP Code Sniffer | 10,604 |
16 | clair | 10,056 |
17 | semgrep | 9,775 |
18 | hadolint | 9,772 |
19 | SonarQube | 8,610 |
20 | Checkstyle | 8,144 |
21 | Scanners-Box | 8,002 |
22 | grype | 7,730 |
23 | gosec | 7,468 |