diff --git a/README.md b/README.md index c3af11d1ce..ea48540cad 100644 --- a/README.md +++ b/README.md @@ -17,22 +17,6 @@ This project would not be possible without the generous support of our sponsors. - -
- - - - BugProve - - - - - - - Betterscan - - - @@ -202,7 +186,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com

Assembly

-- [STOKE](https://github.com/StanfordPL/stoke) :warning: — A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations. +- **STOKE** :warning: — A programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations.
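Review bot: Dropping the URL from the STOKE entry (and from every other :warning: entry in this patch) removes the only pointer to the project; a reader who finds one of these tools in a legacy pipeline still needs to locate the repository to judge what it does and whether it is safe to keep. Suggest keeping the link and letting the :warning: marker carry the "unmaintained" status, or, where the original link is dead, replacing it with a link that still resolves rather than removing it outright.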
@@ -238,13 +222,13 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [CScout](https://www.spinellis.gr/cscout) — Complexity and quality metrics for C and C preprocessor code. -- [ENRE-cpp](https://github.com/xjtu-enre/ENRE-cpp) :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is a ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development) +- **ENRE-cpp** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is a ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development) - [ESBMC](http://esbmc.org) — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs. -- [flawfinder](http://dwheeler.com/flawfinder/) :warning: — Finds possible security weaknesses. +- **flawfinder** :warning: — Finds possible security weaknesses. -- [flint++](https://github.com/JossWhittle/FlintPlusPlus) :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. +- **flint++** :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. - [Frama-C](https://www.frama-c.com) — A sound and extensible static analyzer for C code. 
@@ -262,7 +246,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [LDRA](https://ldra.com) :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules. -- [MATE](https://galoisinc.github.io/MATE/) :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs. +- **MATE** :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs. - [PC-lint](https://pclintplus.com/) :copyright: — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17. 
@@ -280,7 +264,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [TrustInSoft Analyzer](https://trust-in-soft.com) :copyright: — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled. -- [vera++](https://bitbucket.org/verateam/vera/wiki/Introduction) :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code. +- **vera++** :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code. 
@@ -293,13 +277,13 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [code-cracker](https://code-cracker.github.io) — An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties. -- [CSharpEssentials](https://github.com/DustinCampbell/CSharpEssentials) :warning: — C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features. +- **CSharpEssentials** :warning: — C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features. - [Designite](http://www.designite-tools.com) :copyright: — Designite supports detection of various architecture, design, and implementation smells, computation of various code quality metrics, and trend analysis. - [Gendarme](https://www.mono-project.com/docs/tools+libraries/tools/gendarme) — Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET). -- [Infer#](https://github.com/microsoft/infersharp) :warning: — InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks. +- [Infer#](https://github.com/microsoft/infersharp) — InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks. - [Meziantou.Analyzer](https://github.com/meziantou/Meziantou.Analyzer) — A Roslyn analyzer to enforce some good practices in C# in terms of design, usage, security, performance, and style. 
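Review bot: The Infer# line in this hunk drops the :warning: marker but keeps its link, which is the opposite of what every other changed line in the patch does. If the intent is to mark Infer# as maintained again, that is a status change and should be stated in the commit message rather than folded into a link-stripping cleanup; if it is accidental, the line should follow the same pattern as the rest.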
@@ -311,7 +295,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [SonarAnalyzer.CSharp](https://github.com/SonarSource/sonar-dotnet) — These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase. -- [VSDiagnostics](https://github.com/Vannevelj/VSDiagnostics) :warning: — A collection of static analyzers based on Roslyn that integrates with VS. +- **VSDiagnostics** :warning: — A collection of static analyzers based on Roslyn that integrates with VS. - [Wintellect.Analyzers](https://github.com/Wintellect/Wintellect.Analyzers) — .NET Compiler Platform ("Roslyn") diagnostic analyzers and code fixes. 
@@ -340,13 +324,13 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [CScout](https://www.spinellis.gr/cscout) — Complexity and quality metrics for C and C preprocessor code. -- [ENRE-cpp](https://github.com/xjtu-enre/ENRE-cpp) :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is a ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development) +- **ENRE-cpp** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-cpp is a ENtity Relationship Extractor for C/C++ based on @eclipse/CDT. (Under development) - [ESBMC](http://esbmc.org) — ESBMC is an open source, permissively licensed, context-bounded model checker based on satisfiability modulo theories for the verification of single- and multi-threaded C/C++ programs. -- [flawfinder](http://dwheeler.com/flawfinder/) :warning: — Finds possible security weaknesses. +- **flawfinder** :warning: — Finds possible security weaknesses. -- [flint++](https://github.com/JossWhittle/FlintPlusPlus) :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. +- **flint++** :warning: — Cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook. - [Frama-C](https://www.frama-c.com) — A sound and extensible static analyzer for C code. 
@@ -360,7 +344,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [LDRA](https://ldra.com) :copyright: — A tool suite including static analysis (TBVISION) to various standards including MISRA C & C++, JSF++ AV, CWE, CERT C, CERT C++ & Custom Rules. -- [MATE](https://galoisinc.github.io/MATE/) :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs. +- **MATE** :warning: — A suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs. - [PC-lint](https://pclintplus.com/) :copyright: — Static analysis for C/C++. Runs natively under Windows/Linux/MacOS. Analyzes code for virtually any platform, supporting C11/C18 and C++17. 
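Review bot: The hunks at -340, -360 and -378 repeat the -238, -262 and -280 hunks line for line, so two sections of the README carry identical C/C++ entries. The patch keeps both copies in sync, which is correct, but if this README is generated from a data file the edit belongs in that source so the two copies cannot drift apart on the next change.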
@@ -378,7 +362,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com - [TrustInSoft Analyzer](https://trust-in-soft.com) :copyright: — Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (buffer overflows, out-of-bounds array accesses, null-pointer dereferences, use-after-free, divide-by-zeros, uninitialized memory accesses, signed overflows, invalid pointer arithmetic, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to C18 and C++ up to C++20 are supported. TrustInSoft Analyzer will acquire ISO 26262 qualification in Q2'2023 (TCL3). A MISRA C checker is also bundled. -- [vera++](https://bitbucket.org/verateam/vera/wiki/Introduction) :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code. +- **vera++** :warning: — Vera++ is a programmable tool for verification, analysis and transformation of C++ source code. @@ -392,7 +376,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com

CoffeeScript

-- [coffeelint](https://coffeelint.github.io/) :warning: — A style checker that helps keep CoffeeScript code clean and consistent. +- **coffeelint** :warning: — A style checker that helps keep CoffeeScript code clean and consistent.
@@ -415,7 +399,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com

Dart

-- [Dart Code Metrics](https://pub.dev/packages/dart_code_metrics) :warning: — Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer. +- **Dart Code Metrics** :warning: — Additional linter for Dart. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer. - [effective_dart](https://pub.dev/packages/effective_dart) — Linter rules corresponding to the guidelines in Effective Dart @@ -461,7 +445,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com

Elm

-- [elm-analyse](https://stil4m.github.io/elm-analyse) :warning: — A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices. +- **elm-analyse** :warning: — A tool that allows you to analyse your Elm code, identify deficiencies and apply best practices. - [elm-review](https://package.elm-lang.org/packages/jfmengels/elm-review/latest) — Analyzes whole Elm projects, with a focus on shareable and custom rules written in Elm that add guarantees the Elm compiler doesn't give you. @@ -475,7 +459,7 @@ Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from E - [elvis](https://github.com/inaka/elvis) — Erlang Style Reviewer. -- [Primitive Erlang Security Tool (PEST)](https://github.com/okeuday/pest) :warning: — A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure. +- **Primitive Erlang Security Tool (PEST)** :warning: — A tool to do a basic scan of Erlang source code and report any function calls that may cause Erlang source code to be insecure.
@@ -495,7 +479,7 @@ Dialyzer starts its analysis from either debug-compiled BEAM bytecode or from E - [Fortitude](https://fortitude.readthedocs.io) — Fortran linter, inspired by (and built on) Ruff, and based on community best practices. Supports latest Fortran (2023) standard. -- [fprettify](https://pypi.python.org/pypi/fprettify) :warning: — Auto-formatter for modern fortran source code, written in Python. +- **fprettify** :warning: — Auto-formatter for modern fortran source code, written in Python. Fprettify is a tool that provides consistent whitespace, indentation, and delimiter alignment in code, including the ability to change letter case and handle preprocessor directives, all while preserving revision history and tested for editor integration. - [i-Code CNES for Fortran](https://github.com/lequal/i-CodeCNES) — An open source static code analysis tool for Fortran 77, Fortran 90 and Shell. @@ -511,11 +495,11 @@ Fprettify is a tool that provides consistent whitespace, indentation, and delimi - [deadcode](https://github.com/tsenart/deadcode) — Finds unused code. -- [dingo-hunter](https://github.com/nickng/dingo-hunter) :warning: — Static analyser for finding deadlocks in Go. +- **dingo-hunter** :warning: — Static analyser for finding deadlocks in Go. - [dogsled](https://github.com/alexkohler/dogsled) — Finds assignments/declarations with too many blank identifiers. -- [dupl](https://github.com/mibk/dupl) :warning: — Reports potentially duplicated code. +- **dupl** :warning: — Reports potentially duplicated code. - [errcheck](https://github.com/kisielk/errcheck) — Check that error return values are used. 
@@ -523,7 +507,7 @@ Fprettify is a tool that provides consistent whitespace, indentation, and delimi - [flen](https://github.com/lafolle/flen) — Get info on length of functions in a Go package. -- [Go Meta Linter](https://github.com/alecthomas/gometalinter) :warning: — Concurrently run Go lint tools and normalise their output. Use `golangci-lint` for new projects. +- **Go Meta Linter** :warning: — Concurrently run Go lint tools and normalise their output. Use `golangci-lint` for new projects. - [go tool vet --shadow](https://golang.org/cmd/vet#hdr-Shadowed_variables) — Reports variables that may have been unintentionally shadowed. @@ -535,13 +519,13 @@ Fprettify is a tool that provides consistent whitespace, indentation, and delimi - [go/ast](https://golang.org/pkg/go/ast) — Package ast declares the types used to represent syntax trees for Go packages. -- [goast](https://github.com/m-mizutani/goast) :warning: — Go AST (Abstract Syntax Tree) based static analysis tool with Rego. +- **goast** :warning: — Go AST (Abstract Syntax Tree) based static analysis tool with Rego. - [gochecknoglobals](https://github.com/leighmcculloch/gochecknoglobals) — Checks that no globals are present. - [goconst](https://github.com/jgautheron/goconst) — Finds repeated strings that could be replaced by a constant. -- [gocyclo](https://github.com/fzipp/gocyclo) :warning: — Calculate cyclomatic complexities of functions in Go source code. +- **gocyclo** :warning: — Calculate cyclomatic complexities of functions in Go source code. - [gofmt -s](https://golang.org/cmd/gofmt) — Checks if the code is properly formatted and could not be further simplified. 
@@ -570,11 +554,11 @@ By default, govulncheck makes requests to the Go vulnerability database at https - [ineffassign](https://github.com/gordonklaus/ineffassign) — Detect ineffectual assignments in Go code. -- [interfacer](https://github.com/mvdan/interfacer) :warning: — Suggest narrower interfaces that can be used. +- **interfacer** :warning: — Suggest narrower interfaces that can be used. -- [lll](https://github.com/walle/lll) :warning: — Report long lines. +- **lll** :warning: — Report long lines. -- [maligned](https://github.com/mdempsky/maligned) :warning: — Detect structs that would take less memory if their fields were sorted. +- **maligned** :warning: — Detect structs that would take less memory if their fields were sorted. - [misspell](https://github.com/client9/misspell) — Finds commonly misspelled English words. @@ -588,9 +572,9 @@ By default, govulncheck makes requests to the Go vulnerability database at https - [revive](https://revive.run) — Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint. -- [safesql](https://github.com/stripe/safesql) :warning: — Static analysis tool for Golang that protects against SQL injections. +- **safesql** :warning: — Static analysis tool for Golang that protects against SQL injections. -- [shisho](https://github.com/flatt-security/shisho) :warning: — A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code. +- **shisho** :warning: — A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code. - [staticcheck](https://staticcheck.io) — Go static analysis that specialises in finding bugs, simplifying code and improving performance. @@ -620,7 +604,7 @@ By default, govulncheck makes requests to the Go vulnerability database at https

Haskell

-- [brittany](https://github.com/lspitzner/brittany) :warning: — Haskell source code formatter +- **brittany** :warning: — Haskell source code formatter - [HLint](https://github.com/ndmitchell/hlint) — HLint is a tool for suggesting possible improvements to Haskell code. @@ -661,7 +645,7 @@ Its technology helps developers automate testing, find bugs, and reduce manual l - [Doop](https://plast-lab.github.io/doop-pldi15-tutorial/) — Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.). -- [ENRE-java](https://github.com/xjtu-enre/ENRE-java) :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-java is a ENtity Relationship Extractor for Java projects based on @Eclipse JDT/parser. +- **ENRE-java** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-java is a ENtity Relationship Extractor for Java projects based on @Eclipse JDT/parser. - [Error Prone](https://errorprone.info) — Catch common Java mistakes as compile-time errors. 
@@ -671,7 +655,7 @@ Its technology helps developers automate testing, find bugs, and reduce manual l - [google-java-format](https://github.com/google/google-java-format) — Reformats Java source code to comply with Google Java Style -- [HuntBugs](https://github.com/amaembo/huntbugs) :warning: — Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs. +- **HuntBugs** :warning: — Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs. - [IntelliJ IDEA](https://www.jetbrains.com/idea) :copyright: — Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more. @@ -695,7 +679,7 @@ Its technology helps developers automate testing, find bugs, and reduce manual l - [SpotBugs](https://spotbugs.github.io) — SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code. -- [steady](https://eclipse.github.io/steady/) :warning: — Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. +- **steady** :warning: — Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. - [Violations Lib](https://github.com/tomasbjerre/violations-lib) — Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins. @@ -704,51 +688,51 @@ Its technology helps developers automate testing, find bugs, and reduce manual l

JavaScript

-- [aether](http://aetherjs.com) :warning: — Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser. +- **aether** :warning: — Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser. - [Closure Compiler](https://developers.google.com/closure/compiler) — A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files. -- [ClosureLinter](https://github.com/google/closure-linter) :warning: — Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors. +- **ClosureLinter** :warning: — Ensures that all of your project's JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors. -- [complexity-report](https://github.com/escomplex/complexity-report) :warning: — Software complexity analysis for JavaScript projects. +- **complexity-report** :warning: — Software complexity analysis for JavaScript projects. - [DeepScan](https://deepscan.io) :copyright: — An analyzer for JavaScript which targets runtime errors and quality issues rather than coding conventions. -- [es6-plato](https://github.com/the-simian/es6-plato) :warning: — Visualize JavaScript (ES6) source complexity. +- **es6-plato** :warning: — Visualize JavaScript (ES6) source complexity. -- [escomplex](https://github.com/jared-stilwell/escomplex) :warning: — Software complexity analysis of JavaScript-family abstract syntax trees. +- **escomplex** :warning: — Software complexity analysis of JavaScript-family abstract syntax trees. -- [Esprima](https://esprima.org) :warning: — ECMAScript parsing infrastructure for multipurpose analysis. +- **Esprima** :warning: — ECMAScript parsing infrastructure for multipurpose analysis. - [flow](https://flow.org) — A static type checker for JavaScript. 
-- [hegel](https://hegel.js.org) :warning: — A static type checker for JavaScript with a bias on type inference and strong type systems. +- **hegel** :warning: — A static type checker for JavaScript with a bias on type inference and strong type systems. - [jshint](https://jshint.com/about) [:information_source:]() — Detect errors and potential problems in JavaScript code and enforce your team's coding conventions. - [JSLint](https://github.com/douglascrockford/JSLint) [:information_source:]() — The JavaScript Code Quality Tool. -- [JSPrime](https://dpnishant.github.io/jsprime) :warning: — Static security analysis tool. +- **JSPrime** :warning: — Static security analysis tool. - [NodeJSScan](https://opensecurity.in) — A static security code scanner for Node.js applications powered by libsast and semgrep that builds on the njsscan cli tool. It features a UI with various dashboards about an application's security status. -- [plato](https://github.com/es-analysis/plato) :warning: — Visualize JavaScript source complexity. +- **plato** :warning: — Visualize JavaScript source complexity. - [Polymer-analyzer](https://github.com/Polymer/tools/tree/master/packages/analyzer) — A static analysis framework for Web Components. - [retire.js](https://retirejs.github.io/retire.js) — Scanner detecting the use of JavaScript libraries with known vulnerabilities. -- [RSLint](http://rslint.org/) :warning: — A (WIP) JavaScript linter written in Rust designed to be as fast as possible, customizable, and easy to use. +- **RSLint** :warning: — A (WIP) JavaScript linter written in Rust designed to be as fast as possible, customizable, and easy to use. - [standard](http://standardjs.com) — An npm module that checks for Javascript Styleguide issues. - [tern](https://ternjs.net) — A JavaScript code analyzer for deep, cross-editor language support. 
-- [TypL](https://typl.dev) :warning: — With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing. +- **TypL** :warning: — With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing. - [xo](https://github.com/xojs/xo) — Opinionated but configurable ESLint wrapper with lots of goodies included. Enforces strict and readable code. -- [yardstick](https://github.com/calmh/yardstick) :warning: — Javascript code metrics. +- **yardstick** :warning: — Javascript code metrics.
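Review bot: The unchanged jshint and JSLint lines in this hunk carry `[:information_source:]()` with an empty link target, which renders as a dead link. Out of scope for this change, but worth a follow-up since the hunk already touches the surrounding entries.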
@@ -782,7 +766,7 @@ A ktfmt IntelliJ plugin is available from the plugin repository. To install it, - [lualint](https://github.com/philips/lualint) — lualint performs luac-based static analysis of global variable usage in Lua source code. -- [Luanalysis](https://plugins.jetbrains.com/plugin/14698-luanalysis) :warning: — An IDE for statically typed Lua development. +- **Luanalysis** :warning: — An IDE for statically typed Lua development. @@ -798,7 +782,7 @@ A ktfmt IntelliJ plugin is available from the plugin repository. To install it, - [DrNim](https://nim-lang.org/docs/drnim.html) — DrNim combines the Nim frontend with the Z3 proof engine in order to allow verify / validate software written in Nim. -- [nimfmt](https://github.com/FedericoCeratto/nimfmt) :warning: — Nim code formatter / linter / style checker +- **nimfmt** :warning: — Nim code formatter / linter / style checker @@ -838,7 +822,7 @@ A ktfmt IntelliJ plugin is available from the plugin repository. To install it, - [EasyCodingStandard](https://www.tomasvotruba.com/blog/2017/05/03/combine-power-of-php-code-sniffer-and-php-cs-fixer-in-3-lines) — Combine [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) and [PHP-CS-Fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer). -- [Enlightn](https://www.laravel-enlightn.com/) :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. +- **Enlightn** :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. - [exakat](https://www.exakat.io) — An automated code reviewing engine for PHP. 
@@ -846,13 +830,13 @@ A ktfmt IntelliJ plugin is available from the plugin repository. To install it, - [larastan](https://github.com/larastan/larastan) — Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan. -- [Mondrian](https://trismegiste.github.io/Mondrian) :warning: — A set of static analysis and refactoring tools which use graph theory. +- **Mondrian** :warning: — A set of static analysis and refactoring tools which use graph theory. - [parallel-lint](https://github.com/php-parallel-lint/PHP-Parallel-Lint) — This tool checks syntax of PHP files faster than serial check with a fancier output. - [Parse](https://github.com/psecio/parse) — A Static Security Scanner. -- [pdepend](https://pdepend.org) :warning: — Calculates software metrics like cyclomatic complexity for PHP code. +- **pdepend** :warning: — Calculates software metrics like cyclomatic complexity for PHP code. - [phan](https://github.com/phan/phan/wiki) — A modern static analyzer from etsy. 
@@ -868,33 +852,33 @@ A ktfmt IntelliJ plugin is available from the plugin repository. To install it, - [PHP Refactoring Browser](https://qafoolabs.github.io/php-refactoring-browser) — Refactoring helper. -- [PHP Semantic Versioning Checker](https://github.com/tomzx/php-semver-checker) :warning: — Suggests a next version according to semantic versioning. +- **PHP Semantic Versioning Checker** :warning: — Suggests a next version according to semantic versioning. - [PHP-Parser](https://github.com/nikic/PHP-Parser) — A PHP parser written in PHP. - [php-speller](https://github.com/mekras/php-speller) — PHP spell check library. -- [PHP-Token-Reflection](https://github.com/Andrewsville/PHP-Token-Reflection) :warning: — Library emulating the PHP internal reflection. +- **PHP-Token-Reflection** :warning: — Library emulating the PHP internal reflection. -- [php7cc](https://github.com/sstalle/php7cc) :warning: — PHP 7 Compatibility Checker. +- **php7cc** :warning: — PHP 7 Compatibility Checker. -- [php7mar](https://github.com/Alexia/php7mar) :warning: — Assist developers in porting their code quickly to PHP 7. +- **php7mar** :warning: — Assist developers in porting their code quickly to PHP 7. -- [PHP_CodeSniffer](https://pear.php.net/package/PHP_CodeSniffer) :warning: — Detects violations of a defined set of coding standards. +- **PHP_CodeSniffer** :warning: — Detects violations of a defined set of coding standards. - [PHPArkitect](https://github.com/phparkitect/arkitect) — PHPArkitect helps you to keep your PHP codebase coherent and solid, by permitting to add some architectural constraint check to your workflow. You can express the constraint that you want to enforce, in simple and readable PHP code. -- [phpca](https://github.com/wapmorgan/PhpCodeAnalyzer) :warning: — Finds usage of non-built-in extensions. +- **phpca** :warning: — Finds usage of non-built-in extensions. -- [phpcpd](https://github.com/sebastianbergmann/phpcpd) :warning: — Copy/Paste Detector for PHP code. 
+- **phpcpd** :warning: — Copy/Paste Detector for PHP code. -- [phpdcd](https://github.com/sebastianbergmann/phpdcd) :warning: — Dead Code Detector (DCD) for PHP code. +- **phpdcd** :warning: — Dead Code Detector (DCD) for PHP code. -- [PhpDependencyAnalysis](https://mamuz.github.io/PhpDependencyAnalysis) :warning: — Builds a dependency graph for a project. +- **PhpDependencyAnalysis** :warning: — Builds a dependency graph for a project. -- [PhpDeprecationDetector](https://github.com/wapmorgan/PhpDeprecationDetector) :warning: — Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions). +- **PhpDeprecationDetector** :warning: — Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks (e.g. reserved identifiers in newer versions). -- [phpdoc-to-typehint](https://github.com/dunglas/phpdoc-to-typehint) :warning: — Add scalar type hints and return types to existing PHP projects using PHPDoc annotations. +- **phpdoc-to-typehint** :warning: — Add scalar type hints and return types to existing PHP projects using PHPDoc annotations. - [phpDocumentor](https://www.phpdoc.org) — Analyzes PHP source code to generate documentation. 
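Review bot: The PHP_CodeSniffer entry loses its pear.php.net link, yet the EasyCodingStandard entry in the -838 hunk still links PHP_CodeSniffer at https://github.com/squizlabs/PHP_CodeSniffer. Pointing the entry at that GitHub repository would be more useful than removing the link, and the two references in the README would then agree.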
@@ -912,7 +896,7 @@ A ktfmt IntelliJ plugin is available from the plugin repository. To install it, - [phpqa - jmolivas](https://github.com/jmolivas/phpqa) — PHPQA all-in-one Analyzer CLI tool. -- [phpsa](https://github.com/ovr/phpsa) :warning: — Static analysis tool for PHP. +- **phpsa** :warning: — Static analysis tool for PHP. - [PHPStan](https://phpstan.org) — PHP Static Analysis Tool - discover bugs in your code without running it! @@ -920,7 +904,7 @@ A ktfmt IntelliJ plugin is available from the plugin repository. To install it, - [Psalm](https://psalm.dev) — Static analysis tool for finding type errors in PHP applications. -- [Qafoo Quality Analyzer](https://github.com/Qafoo/QualityAnalyzer) :warning: — Visualizes metrics and source code. +- **Qafoo Quality Analyzer** :warning: — Visualizes metrics and source code. - [rector](https://getrector.org) — Instant Upgrades and Automated Refactoring of any PHP 5.3+ code. It upgrades your code for PHP 7.4, 8.0 and beyond. Rector promises a low false-positive rate because it looks for narrowly defined AST (abstract syntax tree) patterns. The main use-case are tackling technical debt in your legacy code and removing dead code. Rector provides a set of special rules for Symfony, Doctrine, PHPUnit, and many more. 
@@ -974,7 +958,7 @@ It uses the pycodestyle utility to determine what parts of the code needs to be - [Bowler](https://pybowler.io/) — Safe code refactoring for modern Python. Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code. -- [ciocheck](https://github.com/ContinuumIO/ciocheck) :warning: — Linter, formatter and test suite helper. As a linter, it is a wrapper around `pep8`, `pydocstyle`, `flake8`, and `pylint`. +- **ciocheck** :warning: — Linter, formatter and test suite helper. As a linter, it is a wrapper around `pep8`, `pydocstyle`, `flake8`, and `pylint`. - [cohesion](https://github.com/mschwager/cohesion) — A tool for measuring Python class cohesion. 
@@ -984,7 +968,7 @@ It uses the pycodestyle utility to determine what parts of the code needs to be - [Dodgy](https://github.com/landscapeio/dodgy) — Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files. -- [ENRE-py](https://github.com/xjtu-enre/ENRE-py) :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-py is a ENtity Relationship Extractor for Python based on Python Language Services of The Standard Library. +- **ENRE-py** :warning: — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-py is a ENtity Relationship Extractor for Python based on Python Language Services of The Standard Library. - [fixit](https://pypi.org/project/fixit) — A framework for creating lint rules and corresponding auto-fixes for source code. 
@@ -994,7 +978,7 @@ It uses the pycodestyle utility to determine what parts of the code needs to be - [Griffe](https://mkdocstrings.github.io/griffe/) — Signatures for entire Python programs. Extract the structure, the frame, the skeleton of your project, to generate API documentation or find breaking changes in your API. -- [InspectorTiger](https://github.com/thg-consulting/it) :warning: — IT, Inspector Tiger, is a modern python code review tool / framework. It comes with bunch of pre-defined handlers which warns you about improvements and possible bugs. Beside these handlers, you can write your own or use community ones. +- **InspectorTiger** :warning: — IT, Inspector Tiger, is a modern python code review tool / framework. It comes with bunch of pre-defined handlers which warns you about improvements and possible bugs. Beside these handlers, you can write your own or use community ones. - [jedi](https://jedi.readthedocs.io/en/latest) — Autocompletion/static analysis library for Python. 
@@ -1002,21 +986,21 @@ It uses the pycodestyle utility to determine what parts of the code needs to be - [mbake](https://pypi.org/project/mbake/) — mbake is a Makefile formatter and linter. It only took 50 years! -- [mccabe](https://pypi.org/project/mccabe) :warning: — Check McCabe complexity. +- **mccabe** :warning: — Check McCabe complexity. -- [multilint](https://github.com/adamchainz/multilint) :warning: — A wrapper around `flake8`, `isort` and `modernize`. +- **multilint** :warning: — A wrapper around `flake8`, `isort` and `modernize`. - [mypy](http://www.mypy-lang.org) — A static type checker that aims to combine the benefits of duck typing and static typing, frequently used with [MonkeyType](https://github.com/Instagram/MonkeyType). - [prospector](https://github.com/PyCQA/prospector) — A wrapper around `pylint`, `pep8`, `mccabe` and others. -- [py-find-injection](https://github.com/uber/py-find-injection) :warning: — Find SQL injection vulnerabilities in Python code. +- **py-find-injection** :warning: — Find SQL injection vulnerabilities in Python code. - [pyanalyze](https://pyanalyze.readthedocs.io/en/latest/) — A tool for programmatically detecting common mistakes in Python code, such as references to undefined variables and type errors. It can be extended to add additional rules and perform checks specific to particular functions. - [pycodestyle](https://pycodestyle.pycqa.org/en/latest) — (Formerly `pep8`) Check Python code against some of the style conventions in PEP 8. -- [pydocstyle](http://www.pydocstyle.org) :warning: — Check compliance with Python docstring conventions. +- **pydocstyle** :warning: — Check compliance with Python docstring conventions. - [pyflakes](https://pypi.org/project/pyflakes) — Check Python source files for errors. 
@@ -1032,13 +1016,13 @@ It uses the pycodestyle utility to determine what parts of the code needs to be - [Pysa](https://pyre-check.org/docs/pysa-basics.html) — A tool based on Facebook's pyre-check to identify potential security issues in Python code identified with taint analysis. -- [PyT - Python Taint](https://github.com/python-security/pyt) :warning: — A static analysis tool for detecting security vulnerabilities in Python web applications. +- **PyT - Python Taint** :warning: — A static analysis tool for detecting security vulnerabilities in Python web applications. - [pytype](https://google.github.io/pytype) — A static type analyzer for Python code. - [pyupgrade](https://pypi.org/project/pyupgrade-docs/) — A tool (and pre-commit hook) to automatically upgrade syntax for newer versions of the language. -- [QuantifiedCode](https://github.com/quantifiedcode/quantifiedcode) :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. +- **QuantifiedCode** :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. - [radon](https://radon.readthedocs.io/en/latest) — A Python tool that computes various metrics from the source code. 
@@ -1052,7 +1036,7 @@ It uses the pycodestyle utility to determine what parts of the code needs to be - [wemake-python-styleguide](https://wemake-python-styleguide.rtfd.io/) — The strictest and most opinionated python linter ever. -- [wily](https://github.com/tonybaloney/wily) :warning: — A command-line tool for archiving, exploring and graphing the complexity of Python source code. +- **wily** :warning: — A command-line tool for archiving, exploring and graphing the complexity of Python source code. - [xenon](https://xenon.readthedocs.io) — Monitor code complexity using [`radon`](https://github.com/rubik/radon). @@ -1064,7 +1048,7 @@ YAPF follows a distinctive methodology, originating from the 'clang-format' tool

R

-- [CodeDepends](https://github.com/duncantl/CodeDepends) :warning: — Static Code Analysis for R. +- **CodeDepends** :warning: — Static Code Analysis for R. - [cyclocomp](https://github.com/MangoTheCat/cyclocomp) — Quantifies the cyclomatic complexity of R functions / expressions. @@ -1096,9 +1080,9 @@ YAPF follows a distinctive methodology, originating from the 'clang-format' tool - [bundler-audit](https://github.com/rubysec/bundler-audit) — Audit Gemfile.lock for gems with security vulnerabilities reported in [Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db). -- [cane](https://github.com/square/cane) :warning: — Code quality threshold checking as part of your build. +- **cane** :warning: — Code quality threshold checking as part of your build. -- [Churn](https://github.com/danmayer/churn) :warning: — A Project to give the churn file, class, and method for a project for a given checkin. Over time the tool adds up the history of churns to give the number of times a file, class, or method is changing during the life of a project. +- **Churn** :warning: — A Project to give the churn file, class, and method for a project for a given checkin. Over time the tool adds up the history of churns to give the number of times a file, class, or method is changing during the life of a project. - [dawnscanner](https://github.com/thesp0nge/dawnscanner) — A static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks. 
@@ -1106,45 +1090,45 @@ YAPF follows a distinctive methodology, originating from the 'clang-format' tool - [Fasterer](https://github.com/DamirSvrtan/fasterer) — Common Ruby idioms checker. -- [flay](https://ruby.sadi.st/Flay.html) :warning: — Flay analyzes code for structural similarities. +- **flay** :warning: — Flay analyzes code for structural similarities. -- [flog](https://ruby.sadi.st/Flog.html) :warning: — Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in. +- **flog** :warning: — Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in. - [Fukuzatsu](https://github.com/CoralineAda/fukuzatsu) — A tool for measuring code complexity in Ruby class files. Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions". - [htmlbeautifier](https://github.com/threedaymonk/htmlbeautifier) — A normaliser/beautifier for HTML that also understands embedded Ruby. Ideal for tidying up Rails templates. -- [laser](https://github.com/michaeledgar/laser) :warning: — Static analysis and style linter for Ruby code. +- **laser** :warning: — Static analysis and style linter for Ruby code. -- [MetricFu](https://github.com/metricfu/metric_fu) :warning: — MetricFu is a set of tools to provide reports that show which parts of your code might need extra work. +- **MetricFu** :warning: — MetricFu is a set of tools to provide reports that show which parts of your code might need extra work. - [pelusa](https://github.com/codegram/pelusa) — Static analysis Lint-type tool to improve your OO Ruby code. -- [quality](https://github.com/apiology/quality) :warning: — Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. +- **quality** :warning: — Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. 
-- [Querly](https://github.com/soutaro/querly) :warning: — Pattern Based Checking Tool for Ruby. +- **Querly** :warning: — Pattern Based Checking Tool for Ruby. -- [Railroader](https://railroader.org) :warning: — An open source static analysis security vulnerability scanner for Ruby on Rails applications. +- **Railroader** :warning: — An open source static analysis security vulnerability scanner for Ruby on Rails applications. - [rails_best_practices](https://rails-bestpractices.com) — A code metric tool for Rails projects - [reek](https://github.com/troessner/reek) — Code smell detector for Ruby. -- [Roodi](https://github.com/roodi/roodi) :warning: — Roodi stands for Ruby Object Oriented Design Inferometer. It parses your Ruby code and warns you about design issues you have based on the checks that it has configured. +- **Roodi** :warning: — Roodi stands for Ruby Object Oriented Design Inferometer. It parses your Ruby code and warns you about design issues you have based on the checks that it has configured. - [RuboCop](https://docs.rubocop.org/rubocop) — A Ruby static code analyzer, based on the community Ruby style guide. - [Rubrowser](https://github.com/blazeeboy/rubrowser) — Ruby classes interactive dependency graph generator. -- [ruby-lint](https://gitlab.com/yorickpeterse/ruby-lint) :warning: — Static code analysis for Ruby. +- **ruby-lint** :warning: — Static code analysis for Ruby. - [rubycritic](https://github.com/whitesmith/rubycritic) — A Ruby code quality reporter. - [rufo](https://github.com/ruby-formatter/rufo) — An opinionated ruby formatter, intended to be used via the command line as a text-editor plugin, to autoformat files on save or on demand. -- [Saikuro](https://metricfu.github.io/Saikuro) :warning: — A Ruby cyclomatic complexity analyzer. +- **Saikuro** :warning: — A Ruby cyclomatic complexity analyzer. -- [SandiMeter](https://rubygems.org/gems/sandi_meter) :warning: — Static analysis tool for checking Ruby code for Sandi Metz' rules. 
+- **SandiMeter** :warning: — Static analysis tool for checking Ruby code for Sandi Metz' rules. - [Sorbet](https://sorbet.org) — A fast, powerful type checker designed for Ruby. @@ -1163,7 +1147,7 @@ YAPF follows a distinctive methodology, originating from the 'clang-format' tool - [cargo-audit](https://rustsec.org) — Audit Cargo.lock for crates with security vulnerabilities reported to the [RustSec Advisory Database](https://github.com/RustSec/advisory-db/). -- [cargo-bloat](https://github.com/RazrFalcon/cargo-bloat) :warning: — Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. +- **cargo-bloat** :warning: — Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. - [cargo-breaking](https://github.com/iomentum/cargo-breaking) — cargo-breaking compares a crate's public API between two different branches, shows what changed, and suggests the next version according to semver. 
@@ -1175,7 +1159,7 @@ YAPF follows a distinctive methodology, originating from the 'clang-format' tool - [cargo-geiger](https://github.com/geiger-rs/cargo-geiger) — A cargo plugin for analysing the usage of unsafe Rust code Provides statistical output to aid security auditing -- [cargo-inspect](https://github.com/mre/cargo-inspect) :warning: — Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains. +- **cargo-inspect** :warning: — Inspect Rust code without syntactic sugar to see what the compiler does behind the curtains. - [cargo-semver-checks](https://crates.io/crates/cargo-semver-checks) — Scan your Rust crate releases for semver violations. It can be used either directly via the CLI, as a GitHub Action in CI, or via release managers like `release-plz`. It found semver violations in [more than 1 in 6 of the top 1000 most-downloaded crates](https://predr.ag/blog/semver-violations-are-common-better-tooling-is-the-answer/) on crates.io. 
@@ -1192,9 +1176,9 @@ It removes a feature of a dependency and then compiles the project to see if it - [dylint](https://www.trailofbits.com/post/write-rust-lints-without-forking-clippy) — A tool for running Rust lints from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections. -- [electrolysis](https://kha.github.io/electrolysis) :warning: — A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover. +- **electrolysis** :warning: — A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover. -- [herbie](https://github.com/mcarton/rust-herbie-lint) :warning: — Adds warnings or errors to your crate when using a numerically unstable floating point expression. +- **herbie** :warning: — Adds warnings or errors to your crate when using a numerically unstable floating point expression. - [kani](https://github.com/model-checking/kani) — The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, 
@@ -1207,19 +1191,19 @@ Kani verifies: * The absence of some types of unexpected behavior (e.g., arithmetic overflows) -- [linter-rust](https://github.com/AtomLinter/linter-rust) :warning: — Linting your Rust-files in Atom, using rustc and cargo. +- **linter-rust** :warning: — Linting your Rust-files in Atom, using rustc and cargo. - [lockbud](https://github.com/BurtonQin/lockbud) — Statically detects Rust deadlocks bugs. It currently detects two common kinds of deadlock bugs: doublelock and locks in conflicting order. It will print bugs in JSON format together with the source code location and an explanation of each bug. -- [MIRAI](https://github.com/facebookexperimental/MIRAI) :warning: — And abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis. +- **MIRAI** :warning: — And abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis. -- [prae](https://github.com/teenjuna/prae) :warning: — Provides a convenient macro that allows you to generate type wrappers that promise to always uphold arbitrary invariants that you specified. +- **prae** :warning: — Provides a convenient macro that allows you to generate type wrappers that promise to always uphold arbitrary invariants that you specified. -- [Prusti](https://www.pm.inf.ethz.ch/research/prusti.html) :warning: — A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable. +- **Prusti** :warning: — A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable. -- [Rudra](https://github.com/sslab-gatech/Rudra) :warning: — Rust Memory Safety & Undefined Behavior Detection. 
It is capable of analyzing single Rust packages as well as all the packages on crates.io. +- **Rudra** :warning: — Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io. -- [Rust Language Server](https://github.com/rust-lang-nursery/rls) :warning: — Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings. +- **Rust Language Server** :warning: — Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings. - [rust-analyzer](https://rust-analyzer.github.io) — Supports functionality such as 'goto definition', type inference, symbol search, reformatting, and code completion, and enables renaming and refactorings. @@ -1246,7 +1230,7 @@ Kani verifies: - [sleek](https://github.com/nrempel/sleek) — Sleek is a CLI tool for formatting SQL. It helps you maintain a consistent style across your SQL code, enhancing readability and productivity. The heavy lifting is done by the sqlformat crate. -- [sqlcheck](https://github.com/jarulraj/sqlcheck) :warning: — Automatically identify anti-patterns in SQL queries. +- **sqlcheck** :warning: — Automatically identify anti-patterns in SQL queries. - [SQLFluff](https://www.sqlfluff.com/) — Multiple dialect SQL linter and formatter. @@ -1256,7 +1240,7 @@ Kani verifies: - [tsqllint](https://github.com/tsqllint/tsqllint) — T-SQL-specific linter. -- [TSqlRules](https://github.com/ashleyglee/TSqlRules) :warning: — TSQL Static Code Analysis Rules for SQL Server. +- **TSqlRules** :warning: — TSQL Static Code Analysis Rules for SQL Server. - [Visual Expert](https://www.visual-expert.com) :copyright: — Code analysis for PowerBuilder, Oracle, and SQL Server Explores, analyzes, and documents Code @@ -1265,7 +1249,7 @@ Kani verifies:

Scala

-- [linter](https://github.com/HairyFotr/linter) :warning: — Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems. +- **linter** :warning: — Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems. - [Scalastyle](http://www.scalastyle.org) — Scalastyle examines your Scala code and indicates potential problems with it. @@ -1288,7 +1272,7 @@ Kani verifies: - [shellcheck](https://www.shellcheck.net) — ShellCheck, a static analysis tool that gives warnings and suggestions for bash/sh shell scripts. -- [shellharden](https://github.com/anordal/shellharden) :warning: — A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting. +- **shellharden** :warning: — A syntax highlighter and a tool to semi-automate the rewriting of scripts to ShellCheck conformance, mainly focused on quoting.
@@ -1299,7 +1283,7 @@ Kani verifies: - [SwiftLint](https://realm.github.io/SwiftLint) — A tool to enforce Swift style and conventions. -- [Tailor](https://sleekbyte.github.io/tailor) :warning: — A static analysis and lint tool for source code written in Apple's Swift programming language. +- **Tailor** :warning: — A static analysis and lint tool for source code written in Apple's Swift programming language. 
@@ -1319,20 +1303,20 @@ Kani verifies: - [Angular ESLint](https://github.com/angular-eslint/angular-eslint#readme) — Linter for Angular projects -- [Codelyzer](http://codelyzer.com) :warning: — A set of tslint rules for static code analysis of Angular 2 TypeScript projects. +- **Codelyzer** :warning: — A set of tslint rules for static code analysis of Angular 2 TypeScript projects. - [ENRE-ts](https://github.com/xjtu-enre/ENRE-ts) — ENRE (ENtity Relationship Extractor) is a tool for extraction of code entity dependencies or relationships from source code. ENRE-ts is a ENtity Relationship Extractor for ECMAScript and TypeScript based on @babel/parser. - [fta](https://ftaproject.dev/) — Rust-based static analysis for TypeScript projects -- [stc](https://stc.dudy.dev) :warning: — Speedy TypeScript type checker written in Rust +- **stc** :warning: — Speedy TypeScript type checker written in Rust -- [tslint](https://palantir.github.io/tslint/) :warning: — TSLint has been deprecated as of 2019. Please see [this issue](https://github.com/palantir/tslint/issues/4534) for more details. `typescript-eslint` is now your best option for linting TypeScript. +- **tslint** :warning: — TSLint has been deprecated as of 2019. Please see [this issue](https://github.com/palantir/tslint/issues/4534) for more details. `typescript-eslint` is now your best option for linting TypeScript. TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors & build systems and can be customized with your own lint rules, configurations, and formatters. - [tslint-clean-code](https://www.npmjs.com/package/tslint-clean-code) — A set of TSLint rules inspired by the Clean Code handbook. -- [tslint-microsoft-contrib](https://github.com/Microsoft/tslint-microsoft-contrib) :warning: — A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft. 
+- **tslint-microsoft-contrib** :warning: — A set of tslint rules for static code analysis of TypeScript projects maintained by Microsoft. - [TypeScript Call Graph](https://github.com/whyboris/TypeScript-Call-Graph) — CLI to generate an interactive graph of functions and calls from your TypeScript files @@ -1360,7 +1344,7 @@ TSLint is an extensible static analysis tool that checks TypeScript code for rea

Vim Script

-- [vint](https://github.com/Kuniwak/vint) :warning: — Fast and Highly Extensible Vim script Language Lint implemented by Python. +- **vint** :warning: — Fast and Highly Extensible Vim script Language Lint implemented by Python.
@@ -1390,7 +1374,7 @@ TSLint is an extensible static analysis tool that checks TypeScript code for rea - [ast-grep](https://ast-grep.github.io/) — ast-grep is a powerful tool designed for managing code at scale using Abstract Syntax Trees (AST). Think of it as a hybrid of grep, eslint, and codemod, with the ability to search, lint, and rewrite code based on its structure rather than plain text. It supports multiple languages and is designed to be extensible, allowing you to register custom languages. -- [Atom-Beautify](https://atom.io/packages/atom-beautify) :warning: — Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor. +- **Atom-Beautify** :warning: — Beautify HTML, CSS, JavaScript, PHP, Python, Ruby, Java, C, C++, C#, Objective-C, CoffeeScript, TypeScript, Coldfusion, SQL, and more in Atom editor. - [autocorrect](https://huacnlee.github.io/autocorrect) — A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean). 
@@ -1400,11 +1384,11 @@ It supports multiple languages and is designed to be extensible, allowing you to - [Better Code Hub](https://bettercodehub.com) :copyright: — Better Code Hub checks your GitHub codebase against 10 engineering guidelines devised by the authority in software quality, Software Improvement Group. -- [Betterscan CE](https://github.com/tcosolutions/betterscan-ce) :warning: — Checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrationss available) for security and quality issues. Code Scanning/SAST/Linting using many tools/Scanners deduplicated with One Report (AI optional). +- **Betterscan CE** :warning: — Checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrationss available) for security and quality issues. Code Scanning/SAST/Linting using many tools/Scanners deduplicated with One Report (AI optional). - [biome](https://biomejs.dev) — A toolchain for web projects, aimed to provide functionalities to maintain them. Biome formats and lints code in a fraction of a second. It is the successor to Rome. It is designed to eventually replace Biome is designed to eventually replace Babel, ESLint, webpack, Prettier, Jest, and others. -- [BugProve](https://www.bugprove.com) :warning: :copyright: — BugProve is a firmware analysis platform featuring both static and dynamic analysis techniques to discover memory corruptions, command injections and other classes or common weaknesses in binary code. It also detects vulnerable dependencies, weak cryptographic parameters, misconfigurations, and more. +- **BugProve** :warning: :copyright: — BugProve is a firmware analysis platform featuring both static and dynamic analysis techniques to discover memory corruptions, command injections and other classes or common weaknesses in binary code. It also detects vulnerable dependencies, weak cryptographic parameters, misconfigurations, and more. 
- [callGraph](https://github.com/koknat/callGraph) — Statically generates a call graph image and displays it on screen. @@ -1416,7 +1400,7 @@ It supports multiple languages and is designed to be extensible, allowing you to - [Clayton](https://www.getclayton.com/) :copyright: — AI-powered code reviews for Salesforce. Secure your developments, enforce best practice and control your technical debt in real-time. -- [coala](https://github.com/coala/coala) :warning: — Language independent framework for creating code analysis - supports over 60 languages by default. +- **coala** :warning: — Language independent framework for creating code analysis - supports over 60 languages by default. - [Cobra](https://spinroot.com/cobra) :copyright: — Structural source code analyzer by NASA's Jet Propulsion Laboratory. 
@@ -1458,15 +1442,15 @@ It supports multiple languages and is designed to be extensible, allowing you to - [Corgea](https://corgea.com/) :copyright: — Corgea is an AI-powered SAST scanner that helps developers find and fix insecure code. It finds business logic flaws, broken authentication, API vulnerabilities, and more with little false positives. Additionally, it automatically writes security fixes for them to approve. Corgea integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. It is free to try it. -- [Corrode](https://github.com/jameysharp/corrode) :warning: — Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust. +- **Corrode** :warning: — Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust. - [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) :copyright: — Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET. - [cpp-linter-action](https://cpp-linter.github.io/cpp-linter-action/) — A Github Action for linting C/C++ code integrating clang-tidy and clang-format to collect feedback provided in the form of thread comments and/or annotations. -- [cqc](https://github.com/xcatliu/cqc) :warning: — Check your code quality for js, jsx, vue, css, less, scss, sass and styl files. +- **cqc** :warning: — Check your code quality for js, jsx, vue, css, less, scss, sass and styl files. -- [DeepCode](https://snyk.io/platform/deepcode-ai/) :warning: :copyright: — DeepCode was acquired by Snyk is now Snyk Code. +- **DeepCode** :warning: :copyright: — DeepCode was acquired by Snyk is now Snyk Code. 
- [DeepSource](https://deepsource.com) :copyright: — In-depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives. 
@@ -1497,19 +1481,19 @@ It supports multiple languages and is designed to be extensible, allowing you to - [Goodcheck](https://sider.github.io/goodcheck) — Regexp based customizable linter. -- [goone](https://github.com/masibw/goone) :warning: — Finds N+1 queries (SQL calls in a for loop) in go code +- **goone** :warning: — Finds N+1 queries (SQL calls in a for loop) in go code - [graudit](http://www.justanotherhacker.com) — Grep rough audit - source code auditing tool. - [HCL AppScan Source](https://www.hcltechsw.com/products/appscan) :copyright: — Commercial Static Code Analysis. -- [Hopper](https://github.com/cuplv/hopper) :warning: — A static analysis tool written in scala for languages that run on JVM. +- **Hopper** :warning: — A static analysis tool written in scala for languages that run on JVM. -- [Hound CI](https://houndci.com) :warning: — Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift. +- **Hound CI** :warning: — Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift. -- [imhotep](https://github.com/justinabrahms/imhotep) :warning: — Comment on commits coming into your repository and check for syntactic errors and general lint warnings. +- **imhotep** :warning: — Comment on commits coming into your repository and check for syntactic errors and general lint warnings. -- [include-gardener](https://github.com/feddischson/include_gardener) :warning: — A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all `#include` relations of a given set of files. +- **include-gardener** :warning: — A multi-language static analyzer for C/C++/Obj-C/Python/Ruby to create a graph (in dot or graphml format) which shows all `#include` relations of a given set of files. - [Infer](https://fbinfer.com) — A static analyzer for Java, C and Objective-C 
@@ -1543,7 +1527,7 @@ It supports multiple languages and is designed to be extensible, allowing you to - [parasoft](https://www.parasoft.com/) :copyright: — Automated Software Testing Solutions for unit-, API-, and web UI testing. Complies with MISRA, OWASP, and others. -- [pfff](https://github.com/facebookarchive/pfff/wiki/Main) :warning: — Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages. +- **pfff** :warning: — Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages. - [Pixee](https://pixee.ai) :copyright: — Pixeebot finds security and code quality issues in your code and creates merge-ready pull requests with recommended fixes. @@ -1557,7 +1541,7 @@ It supports multiple languages and is designed to be extensible, allowing you to - [Pronto](https://github.com/prontolabs/pronto) — Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaScript, PHP, Ruby and more. -- [PT.PM](https://github.com/PositiveTechnologies/PT.PM) :warning: — An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL. +- **PT.PM** :warning: — An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL. - [Putout](https://github.com/coderaiser/putout) — Pluggable and configurable code transformer with built-in eslint, babel plugins support for js, jsx typescript, flow, markdown, yaml and json. 
@@ -1583,7 +1567,7 @@ It supports multiple languages and is designed to be extensible, allowing you to - [SAST Online](https://sast.online/) :copyright: — Check the Android Source code thoroughly to uncover and address potential security concerns and vulnerabilities. Static application security testing (Static Code Analysis) tool Online -- [Scrutinizer](https://scrutinizer-ci.com) :warning: :copyright: — A proprietary code quality checker that can be integrated with GitHub. +- **Scrutinizer** :warning: :copyright: — A proprietary code quality checker that can be integrated with GitHub. - [Security Code Scan](https://security-code-scan.github.io) — Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. Integrates into Visual Studio 2015 and newer. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. @@ -1593,7 +1577,7 @@ It supports multiple languages and is designed to be extensible, allowing you to - [ShiftLeft Scan](https://github.com/ShiftLeftSecurity/sast-scan) — Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines. -- [shipshape](https://github.com/google/shipshape) :warning: — Static program analysis platform that allows custom analyzers to plug in through a common interface. +- **shipshape** :warning: — Static program analysis platform that allows custom analyzers to plug in through a common interface. - [Sigrid](https://www.softwareimprovementgroup.com/solutions/sigrid-software-assurance-platform/) :copyright: — Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve. 
@@ -1617,7 +1601,7 @@ It supports multiple languages and is designed to be extensible, allowing you to - [StaticReviewer](https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633/Static+Reviewer) :copyright: — Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries. -- [Super-Linter](https://github.com/github/super-linter) :warning: — Combination of multiple linters to install as a GitHub Action. +- **Super-Linter** :warning: — Combination of multiple linters to install as a GitHub Action. - [Svace](https://www.ispras.ru/en/technologies/svace/) :copyright: — Static code analysis tool for Java,C,C++,C#,Go. @@ -1654,7 +1638,7 @@ It supports multiple languages and is designed to be extensible, allowing you to - [WhiteHat Application Security Platform](https://source.whitehatsec.com/help/sentinel/sast-service-detail.html) :copyright: — WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10. -- [Wotan](https://github.com/fimbullinter/wotan) :warning: — Pluggable TypeScript and JavaScript linter. +- **Wotan** :warning: — Pluggable TypeScript and JavaScript linter. - [XCode](https://developer.apple.com/xcode) :copyright: — XCode provides a pretty decent UI for [Clang's](https://clang-analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C). 
@@ -1686,9 +1670,9 @@ It supports multiple languages and is designed to be extensible, allowing you to - [alquitran](https://github.com/ferivoz/alquitran) — Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations. This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users. -- [packj](https://github.com/ossillate-inc/packj) :warning: — Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports. +- **packj** :warning: — Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports. -- [pure](https://github.com/ronomon/pure) :warning: — Pure is a static analysis file format checker that checks ZIP files for dangerous compression ratios, spec deviations, malicious archive signatures, mismatching local and central directory headers, ambiguous UTF-8 filenames, directory and symlink traversals, invalid MS-DOS dates, overlapping headers, overflow, underflow, sparseness, accidental buffer bleeds etc. 
+- **pure** :warning: — Pure is a static analysis file format checker that checks ZIP files for dangerous compression ratios, spec deviations, malicious archive signatures, mismatching local and central directory headers, ambiguous UTF-8 filenames, directory and symlink traversals, invalid MS-DOS dates, overlapping headers, overflow, underflow, sparseness, accidental buffer bleeds etc. 
@@ -1713,13 +1697,13 @@ Loading address: binbloom can parse a raw binary firmware and determine its load - [bloaty](https://github.com/google/bloaty) — Ever wondered what's making your binary big? Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. Using custom ELF, DWARF, and Mach-O parsers, Bloaty aims to accurately attribute every byte of the binary to the symbol or compileunit that produced it. It will even disassemble the binary looking for references to anonymous data. F -- [cargo-bloat](https://github.com/RazrFalcon/cargo-bloat) :warning: — Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. +- **cargo-bloat** :warning: — Find out what takes most of the space in your executable. supports ELF (Linux, BSD), Mach-O (macOS) and PE (Windows) binaries. - [cwe_checker](https://github.com/fkie-cad/cwe_checker) — cwe_checker finds vulnerable patterns in binary executables. - [Ghidra](https://ghidra-sre.org) — A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission -- [Hopper](https://www.hopperapp.com/) :copyright: — macOS and Linux reverse engineering tool that lets you disassemble, decompile and debug applications. Hopper displays the code using different representations, e.g. the Control Flow Graph, and the pseudo-code of a procedure. Supports Apple Silicon. +- **Hopper** :warning: :copyright: — macOS and Linux reverse engineering tool that lets you disassemble, decompile and debug applications. Hopper displays the code using different representations, e.g. the Control Flow Graph, and the pseudo-code of a procedure. Supports Apple Silicon. - [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware) :copyright: — Binary code analysis tool. 
@@ -1727,11 +1711,11 @@ Loading address: binbloom can parse a raw binary firmware and determine its load - [JEB Decompiler](https://www.pnfsoftware.com/) :copyright: — Decompile and debug binary code. Break down and analyze document files. Android Dalvik, MIPS, ARM, Intel x86, Java, WebAssembly & Ethereum Decompilers. -- [ktool](https://ktool.cynder.me/en/latest/ktool.html) :warning: — Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more. +- **ktool** :warning: — Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more. -- [Manalyze](https://github.com/JusticeRage/Manalyze) :warning: — A static analyzer, which checks portable executables for malicious content. +- **Manalyze** :warning: — A static analyzer, which checks portable executables for malicious content. -- [mcsema](https://github.com/lifting-bits/mcsema) :warning: — Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode. It translates ("lifts") executable binaries from native machine code to LLVM bitcode, which is very useful for performing program analysis methods. +- **mcsema** :warning: — Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode. It translates ("lifts") executable binaries from native machine code to LLVM bitcode, which is very useful for performing program analysis methods. - [Nauz File Detector](https://github.com/horsicq/Nauz-File-Detector) — Static Linker/Compiler/Tool detector for Windows, Linux and MacOS. 
@@ -1767,15 +1751,15 @@ Loading address: binbloom can parse a raw binary firmware and determine its load - [Nu Html Checker](https://validator.github.io/validator/) — Helps you catch problems in your HTML/CSS/SVG -- [Parker](https://github.com/katiefenn/parker) :warning: — Stylesheet analysis tool. +- **Parker** :warning: — Stylesheet analysis tool. - [PostCSS](https://postcss.org) — A tool for transforming styles with JS plugins. These plugins can lint your CSS, support variables and mixins, transpile future CSS syntax, inline images, and more. - [Project Wallace CSS Analyzer](https://www.projectwallace.com) — Analytics for CSS, part of [Project Wallace](https://www.projectwallace.com). -- [sass-lint](https://github.com/sasstools/sass-lint) :warning: — A Node-only Sass linter for both sass and scss syntax. +- **sass-lint** :warning: — A Node-only Sass linter for both sass and scss syntax. -- [scsslint](https://github.com/brigade/scss-lint) :warning: — Linter for SCSS files. +- **scsslint** :warning: — Linter for SCSS files. - [Specificity Graph](https://github.com/pocketjoso/specificity-graph) — CSS Specificity Graph Generator. @@ -1817,7 +1801,7 @@ Loading address: binbloom can parse a raw binary firmware and determine its load - [metadata-json-lint](https://github.com/voxpupuli/metadata-json-lint) — Tool to check the validity of Puppet metadata.json files. -- [Puppet Lint](https://github.com/rodjek/puppet-lint) :warning: — Check that your Puppet manifests conform to the style guide. +- **Puppet Lint** :warning: — Check that your Puppet manifests conform to the style guide. - [Steampunk Spotter](https://steampunk.si/spotter/) :copyright: — Ansible Playbook Scanning Tool that analyzes and offers recommendations for your playbooks. 
@@ -1838,11 +1822,11 @@ Loading address: binbloom can parse a raw binary firmware and determine its load - [clair](https://github.com/coreos/clair) — Vulnerability Static Analysis for Containers. -- [collector](https://github.com/banyanops/collector) :warning: — Run arbitrary scripts inside containers, and gather useful information. +- **collector** :warning: — Run arbitrary scripts inside containers, and gather useful information. -- [dagda](https://github.com/eliasgranderubio/dagda) :warning: — Perform static analysis of known vulnerabilities in docker images/containers. +- **dagda** :warning: — Perform static analysis of known vulnerabilities in docker images/containers. -- [Docker Label Inspector](https://github.com/garethr/docker-label-inspector) :warning: — Lint and validate Dockerfile labels. +- **Docker Label Inspector** :warning: — Lint and validate Dockerfile labels. - [GitGuardian ggshield](https://www.gitguardian.com/ggshield) — ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase. 
@@ -1898,9 +1882,9 @@ Its technology helps developers automate testing, find bugs, and reduce manual l - [PullRequest](https://www.pullrequest.com) :copyright: — Code review as a service with built-in static analysis. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation. -- [quality](https://github.com/apiology/quality) :warning: — Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. +- **quality** :warning: — Runs quality checks on your code using community tools, and makes sure your numbers don't get any worse over time. -- [QuantifiedCode](https://github.com/quantifiedcode/quantifiedcode) :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. +- **QuantifiedCode** :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. - [RefactorFirst](https://github.com/jimbethancourt/RefactorFirst) — Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first. 
@@ -1954,15 +1938,15 @@ Its technology helps developers automate testing, find bugs, and reduce manual l - [Angular ESLint](https://github.com/angular-eslint/angular-eslint#readme) — Linter for Angular projects -- [Bootlint](https://github.com/twbs/bootlint) :warning: — An HTML linter for Bootstrap projects. +- **Bootlint** :warning: — An HTML linter for Bootstrap projects. - [ERB Lint](https://github.com/Shopify/erb-lint) — Lint your ERB or HTML files -- [grunt-bootlint](https://github.com/twbs/grunt-bootlint) :warning: — A Grunt wrapper for [Bootlint](https://github.com/twbs/bootlint), the HTML linter for Bootstrap projects. +- **grunt-bootlint** :warning: — A Grunt wrapper for [Bootlint](https://github.com/twbs/bootlint), the HTML linter for Bootstrap projects. -- [gulp-bootlint](https://github.com/tschortsch/gulp-bootlint) :warning: — A gulp wrapper for [Bootlint](https://github.com/twbs/bootlint), the HTML linter for Bootstrap projects. +- **gulp-bootlint** :warning: — A gulp wrapper for [Bootlint](https://github.com/twbs/bootlint), the HTML linter for Bootstrap projects. -- [HTML Inspector](https://github.com/philipwalton/html-inspector) :warning: — HTML Inspector is a code quality tool to help you and your team write better markup. +- **HTML Inspector** :warning: — HTML Inspector is a code quality tool to help you and your team write better markup. - [HTML Tidy](http://www.html-tidy.org) — Corrects and cleans up HTML and XML documents by fixing markup errors and upgrading legacy code to modern standards. 
@@ -2005,7 +1989,7 @@ Its technology helps developers automate testing, find bugs, and reduce manual l - [krane](https://github.com/appvia/krane) — Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition. -- [kube-hunter](https://aquasecurity.github.io/kube-hunter/) :warning: — Hunt for security weaknesses in Kubernetes clusters. +- **kube-hunter** :warning: — Hunt for security weaknesses in Kubernetes clusters. - [kube-lint](https://github.com/viglesiasce/kube-lint) — A linter for Kubernetes resources with a customizable rule set. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them. @@ -2024,7 +2008,7 @@ but with the following improvements: - [KubeLinter](https://github.com/stackrox/kube-linter) — KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. -- [kubeval](https://kubeval.instrumenta.dev) :warning: — Validates your Kubernetes configuration files and supports multiple Kubernetes versions. +- **kubeval** :warning: — Validates your Kubernetes configuration files and supports multiple Kubernetes versions. @@ -2042,7 +2026,7 @@ but with the following improvements:

Laravel

-- [Enlightn](https://www.laravel-enlightn.com/) :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. +- **Enlightn** :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. - [larastan](https://github.com/larastan/larastan) — Adds static analysis to Laravel improving developer productivity and code quality. It is a wrapper around PHPStan. @@ -2066,7 +2050,7 @@ but with the following improvements: - [mdformat](https://mdformat.rtfd.io) — CommonMark compliant Markdown formatter -- [mdl](https://github.com/mivok/markdownlint) :warning: — A tool to check Markdown files and flag style issues. +- **mdl** :warning: — A tool to check Markdown files and flag style issues. - [mdsf](https://github.com/hougesen/mdsf) — Format markdown code blocks using your favorite code formatters. @@ -2079,17 +2063,17 @@ but with the following improvements:

Metalinter

-- [ciocheck](https://github.com/ContinuumIO/ciocheck) :warning: — Linter, formatter and test suite helper. As a linter, it is a wrapper around `pep8`, `pydocstyle`, `flake8`, and `pylint`. +- **ciocheck** :warning: — Linter, formatter and test suite helper. As a linter, it is a wrapper around `pep8`, `pydocstyle`, `flake8`, and `pylint`. - [flake8](https://github.com/PyCQA/flake8) — A wrapper around `pyflakes`, `pycodestyle` and `mccabe`. - [flakeheaven](https://pypi.org/project/flakeheaven/) — flakeheaven is a python linter built around flake8 to enable inheritable and complex toml configuration. -- [Go Meta Linter](https://github.com/alecthomas/gometalinter) :warning: — Concurrently run Go lint tools and normalise their output. Use `golangci-lint` for new projects. +- **Go Meta Linter** :warning: — Concurrently run Go lint tools and normalise their output. Use `golangci-lint` for new projects. - [goreporter](https://github.com/360EntSecGroup-Skylar/goreporter) — Concurrently runs many linters and normalises their output to a report. -- [multilint](https://github.com/adamchainz/multilint) :warning: — A wrapper around `flake8`, `isort` and `modernize`. +- **multilint** :warning: — A wrapper around `flake8`, `isort` and `modernize`. - [prospector](https://github.com/PyCQA/prospector) — A wrapper around `pylint`, `pep8`, `mccabe` and others. 
@@ -2100,19 +2084,19 @@ but with the following improvements: - [Android Lint](https://developer.android.com/studio/write/lint) — Run static analysis on Android projects. -- [android-lint-summary](https://passy.github.io/android-lint-summary) :warning: — Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once. +- **android-lint-summary** :warning: — Combines lint errors of multiple projects into one output, check lint results of multiple sub-projects at once. - [FlowDroid](https://github.com/secure-software-engineering/FlowDroid) — Static taint analysis tool for Android applications. -- [iblessing](https://www.kitploit.com/2020/08/iblessing-ios-security-exploiting.html) :warning: — iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. +- **iblessing** :warning: — iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. - [Mariana Trench](https://mariana-tren.ch/) — Our security focused static analysis tool for Android and Java applications. Mariana Trench analyzes Dalvik bytecode and is built to run fast on large codebases (10s of millions of lines of code). It can find vulnerabilities as code changes, before it ever lands in your repository. - [Oversecured](https://oversecured.com) :copyright: — Enterprise vulnerability scanner for Android and iOS apps. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process. -- [paprika](https://github.com/GeoffreyHecht/paprika) :warning: — A toolkit to detect some code smells in analyzed Android applications. +- **paprika** :warning: — A toolkit to detect some code smells in analyzed Android applications. -- [qark](https://github.com/linkedin/qark) :warning: — Tool to look for several security related Android application vulnerabilities. 
+- **qark** :warning: — Tool to look for several security related Android application vulnerabilities. - [redex](https://fbredex.com) — Redex provides a framework for reading, writing, and analyzing .dex files, and a set of optimization passes that use this framework to improve the bytecode. An APK optimized by Redex should be smaller and faster. @@ -2162,7 +2146,7 @@ but with the following improvements:

Prometheus

-- [promformat](https://github.com/facetoe/promformat) :warning: — Promformat is a PromQL formatter written in Python. +- **promformat** :warning: — Promformat is a PromQL formatter written in Python. - [promval](https://github.com/facetoe/promval) — PromQL validator written in Python. It can be used to validate that PromQL expressions are written as expected. @@ -2207,7 +2191,7 @@ but with the following improvements: - [detect-secrets](https://github.com/Yelp/detect-secrets) — An enterprise friendly way of detecting and preventing secrets in code. It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time. -- [Enlightn](https://www.laravel-enlightn.com/) :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. +- **Enlightn** :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks. - [GitGuardian ggshield](https://www.gitguardian.com/ggshield) — ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase. 
@@ -2215,9 +2199,9 @@ It does this by running periodic diff outputs against heuristically crafted rege - [gokart](https://github.com/praetorian-inc/gokart) — Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe. -- [HasMySecretLeaked](https://gitguardian.com/hasmysecretleaked) :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects. +- **HasMySecretLeaked** :warning: :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects. -- [iblessing](https://www.kitploit.com/2020/08/iblessing-ios-security-exploiting.html) :warning: — iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. +- **iblessing** :warning: — iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining. - [kani](https://github.com/model-checking/kani) — The Kani Rust Verifier is a bit-precise model checker for Rust. Kani is particularly useful for verifying unsafe code blocks in Rust, 
@@ -2232,13 +2216,13 @@ Kani verifies: - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible -- [ktool](https://ktool.cynder.me/en/latest/ktool.html) :warning: — Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more. +- **ktool** :warning: — Fully cross-platform toolkit and library for MachO+Obj-C editing/analysis. Includes a cli kit, a curses GUI, ObjC header dumping, and much more. -- [kube-hunter](https://aquasecurity.github.io/kube-hunter/) :warning: — Hunt for security weaknesses in Kubernetes clusters. +- **kube-hunter** :warning: — Hunt for security weaknesses in Kubernetes clusters. - [lockfile-lint](https://github.com/lirantal/lockfile-lint) — Lint an npm or yarn lockfile to analyze and detect security issues -- [LunaSec](https://github.com/marketplace/lunatrace-by-lunasec/) :warning: — Open Source AppSec platform that automatically notifies you the next time vulnerabilities like Log4Shell or node-ipc happen. Track your dependencies and builds in a centralized service. +- **LunaSec** :warning: — Open Source AppSec platform that automatically notifies you the next time vulnerabilities like Log4Shell or node-ipc happen. Track your dependencies and builds in a centralized service. - [njsscan](https://opensecurity.in) — A static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep. 
@@ -2252,7 +2236,7 @@ Kani verifies: - [Qualys Container Security](https://www.qualys.com/apps/container-security) :copyright: — Container native application protection to provide visibility and control of containerized applications. -- [QuantifiedCode](https://github.com/quantifiedcode/quantifiedcode) :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. +- **QuantifiedCode** :warning: — Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. - [Rezilion](https://www.rezilion.com/) :copyright: — Discovers vulnerabilities for all components in your environment, filters out 85% non-exploitable vulnerabilities and creates a remediation plan and open tickets to upgrade components that violate your security policy and/or patch automatically in CI. @@ -2319,14 +2303,14 @@ TruffleHog is an open source secret-scanning engine that resolves exposed secret - [kics](https://kics.io/) — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible -- [shisho](https://github.com/flatt-security/shisho) :warning: — A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code. +- **shisho** :warning: — A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code.

Translation

-- [dennis](https://github.com/willkg/dennis) :warning: — A set of utilities for working with PO files to ease development and improve quality. +- **dennis** :warning: — A set of utilities for working with PO files to ease development and improve quality.
@@ -2335,14 +2319,14 @@ TruffleHog is an open source secret-scanning engine that resolves exposed secret - [HTML-Validate](https://html-validate.org/) — Offline HTML5 validator. -- [Vetur](https://marketplace.visualstudio.com/items?itemName=octref.vetur) :warning: — Vue tooling for VS Code, powered by vls (vue language server). Vetur has support for formatting embedded HTML, CSS, SCSS, JS, TypeScript, and more. Vetur only has a "whole document formatter" and cannot format arbitrary ranges. +- **Vetur** :warning: — Vue tooling for VS Code, powered by vls (vue language server). Vetur has support for formatting embedded HTML, CSS, SCSS, JS, TypeScript, and more. Vetur only has a "whole document formatter" and cannot format arbitrary ranges.

Writing

-- [After the Deadline](https://open.afterthedeadline.com) :warning: — Spell, style and grammar checker. +- **After the Deadline** :warning: — Spell, style and grammar checker. - [alex](https://alexjs.com) — Catch insensitive, inconsiderate writing @@ -2350,7 +2334,7 @@ TruffleHog is an open source secret-scanning engine that resolves exposed secret - [languagetool](https://languagetool.org) — Style and grammar checker for 25+ languages. It finds many errors that a simple spell checker cannot detect. -- [misspell-fixer](https://github.com/vlajos/misspell-fixer) :warning: — Quick tool for fixing common misspellings, typos in source code. +- **misspell-fixer** :warning: — Quick tool for fixing common misspellings, typos in source code. - [Misspelled Words In Context](https://jwilk.net/software/mwic) — A spell-checker that groups possible misspellings and shows them in their contexts. @@ -2378,7 +2362,7 @@ TruffleHog is an open source secret-scanning engine that resolves exposed secret - [GitGuardian ggshield](https://www.gitguardian.com/ggshield) — ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase. -- [HasMySecretLeaked](https://gitguardian.com/hasmysecretleaked) :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects. +- **HasMySecretLeaked** :warning: :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects. ## More Collections 
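Review bot: The Hopper entry in the binaries hunk (`-- [Hopper](https://www.hopperapp.com/) :copyright:` → `+- **Hopper** :warning: :copyright:`) gains a deprecation marker that nothing else in the change justifies: this is the commercial Hopper disassembler, while the `Hopper` already flagged `:warning:` in the multi-language hunk is the cuplv/hopper JVM analyzer. Since `backfill_deprecated` keys old data by `slugify(&tool.name)`, the two same-named tools share one record and the flag looks to have leaked from one to the other; set `"deprecated": false` explicitly for the hopperapp.com entry (as was done for mdsf) and scan the other newly bolded entries for the same collision before merging.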
diff --git a/data/api/tools.json b/data/api/tools.json index 288da6fa4d..a0fe921dbb 100644 --- a/data/api/tools.json +++ b/data/api/tools.json @@ -8990,7 +8990,7 @@ "plans": null, "description": "HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.", "discussion": null, - "deprecated": null, + "deprecated": true, "resources": null, "reviews": null, "demos": null, @@ -11677,7 +11677,7 @@ "plans": null, "description": "Format markdown code blocks using your favorite code formatters.", "discussion": null, - "deprecated": null, + "deprecated": false, "resources": null, "reviews": null, "demos": null, diff --git a/data/render/src/bin/main.rs b/data/render/src/bin/main.rs index 8c20ad51b5..994ac0229d 100644 --- a/data/render/src/bin/main.rs +++ b/data/render/src/bin/main.rs @@ -62,7 +62,10 @@ fn backfill_deprecated(tools: &mut Vec) -> Result<()> { for tool in tools { let id = slugify(&tool.name); if let Some(old_tool) = old_tools_data.get(&id) { - tool.deprecated = old_tool.get("deprecated").and_then(|d| d.as_bool()); + // Only backfill deprecated if it's not already set + if tool.deprecated.is_none() { + tool.deprecated = old_tool.get("deprecated").and_then(|d| d.as_bool()); + } } } Ok(()) diff --git a/data/render/templates/README.md b/data/render/templates/README.md index b4a7a4c3c0..26d81b8383 100644 --- a/data/render/templates/README.md +++ b/data/render/templates/README.md @@ -17,22 +17,6 @@ This project would not be possible without the generous support of our sponsors. - -
- - - - BugProve - - - - - - - Betterscan - - - @@ -98,7 +82,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com

{{ language.name }}

{% for linter in linters %} -- [{{linter.name }}]({{linter.homepage }}){% if linter.discussion.is_some() %} [:information_source:](<{{linter.discussion.as_ref().unwrap()}}>){% endif %}{% if linter.deprecated.is_some() && linter.deprecated.unwrap() %} :warning:{% endif %}{% if linter.license == "proprietary" %} :copyright:{% endif %} — {{ linter.description }} +- {% if linter.deprecated.is_some() && linter.deprecated.unwrap() %}**{{linter.name }}**{% else %}[{{linter.name }}]({{linter.homepage }}){% endif %}{% if linter.discussion.is_some() %} [:information_source:](<{{linter.discussion.as_ref().unwrap()}}>){% endif %}{% if linter.deprecated.is_some() && linter.deprecated.unwrap() %} :warning:{% endif %}{% if linter.license == "proprietary" %} :copyright:{% endif %} — {{ linter.description }} {% endfor %} {%- endfor %} @@ -106,7 +90,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com ## Multiple languages {% for linter in multi %} -- [{{linter.name }}]({{linter.homepage }}){% if linter.discussion.is_some() %} [:information_source:](<{{linter.discussion.as_ref().unwrap()}}>){% endif %}{% if linter.deprecated.is_some() && linter.deprecated.unwrap() %} :warning:{% endif %}{% if linter.license == "proprietary" %} :copyright:{% endif %} — {{ linter.description }} +- {% if linter.deprecated.is_some() && linter.deprecated.unwrap() %}**{{linter.name }}**{% else %}[{{linter.name }}]({{linter.homepage }}){% endif %}{% if linter.discussion.is_some() %} [:information_source:](<{{linter.discussion.as_ref().unwrap()}}>){% endif %}{% if linter.deprecated.is_some() && linter.deprecated.unwrap() %} :warning:{% endif %}{% if linter.license == "proprietary" %} :copyright:{% endif %} — {{ linter.description }} {% endfor %} ## Other @@ -117,7 +101,7 @@ Also check out the sister project, [awesome-dynamic-analysis](https://github.com

{{ tag.name }}

{% for other in others %} -- [{{ other.name }}]({{ other.homepage }}){% if other.discussion.is_some() %} [:information_source:](<{{other.discussion.as_ref().unwrap()}}>){% endif %}{% if other.deprecated.is_some() && other.deprecated.unwrap() %} :warning:{% endif %}{% if other.license == "proprietary" %} :copyright:{% endif %} — {{ other.description }} +- {% if other.deprecated.is_some() && other.deprecated.unwrap() %}**{{ other.name }}**{% else %}[{{ other.name }}]({{ other.homepage }}){% endif %}{% if other.discussion.is_some() %} [:information_source:](<{{other.discussion.as_ref().unwrap()}}>){% endif %}{% if other.deprecated.is_some() && other.deprecated.unwrap() %} :warning:{% endif %}{% if other.license == "proprietary" %} :copyright:{% endif %} — {{ other.description }} {% endfor %} {%- endfor %} @@ -140,4 +124,4 @@ To the extent possible under law, [Matthias Endler](https://endler.dev) has waiv The underlying source code used to format and display that content is licensed under the MIT license. -Title image [Designed by Freepik](https://www.freepik.com). +Title image [Designed by Freepik](https://www.freepik.com). \ No newline at end of file
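Review bot: README.md is the rendered output of data/render/templates/README.md, so the four README.md hunks in this section (Vetur, After the Deadline, misspell-fixer, HasMySecretLeaked) should be byte-identical to a fresh render rather than hand edits; re-run the renderer and confirm `git diff README.md` is empty before merge. The HasMySecretLeaked line is the one to eyeball: it gains `:warning:` (from the new `"deprecated": true` in tools.json) while keeping `:copyright:`, and the marker order must match what the template emits.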
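Review bot: the second data/api/tools.json hunk flips `"deprecated"` from `null` to `false` for the "Format markdown code blocks using your favorite code formatters." entry with no change to its description or status. Under the new `backfill_deprecated` logic an explicit `false` is now meaningful (it stops the old data's value from being copied in), so if that is the purpose, say so in the commit message; otherwise leave it `null` so the entry is treated like every other non-deprecated tool.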
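Review bot: in the `backfill_deprecated` hunk of data/render/src/bin/main.rs, the new `if tool.deprecated.is_none()` guard changes precedence: an explicit `deprecated: false` in the current data now wins over a `true` in the old data, where before the old value always overwrote. That is what the tools.json edits rely on, but the only record of the rule is the one-line comment. Suggest stating it in the function's doc comment, e.g. `/// Old data only fills in deprecated when the current entry leaves it unset (null).`, and adding a unit test for the `Some(false)` vs old `true` case so a later refactor cannot silently revert to overwrite behaviour.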
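Review bot: in the three list hunks of data/render/templates/README.md, `{% if X.deprecated.is_some() && X.deprecated.unwrap() %}` is now evaluated twice per item (once to choose bold versus link, once for `:warning:`) and the whole expression is copy-pasted across the `linters`, `multi` and `others` loops. Suggest `{% let deprecated = linter.deprecated.unwrap_or(false) %}` at the top of each loop body and `{% if deprecated %}` in both places, or one shared macro for the list item, so the deprecated rendering cannot drift between the three sections. Dropping the homepage link for deprecated entries is a reasonable call, since abandoned projects' domains get re-registered and a link in a widely-read list is exactly what a squatter wants, but no hunk here tells readers what a bold, unlinked name means; add that sentence next to wherever `:warning:` and `:copyright:` are explained.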
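Review bot: the sponsor-block removals (BugProve and Betterscan dropped from both README.md and data/render/templates/README.md) are unrelated to the deprecated-rendering change carried by the rest of this commit. Suggest splitting them into their own commit so the rendering change can be reviewed and, if needed, reverted on its own.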
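Review bot: the final hunk of data/render/templates/README.md (`@@ -140,4 +124,4 @@`) changes nothing except removing the trailing newline after the `Title image [Designed by Freepik]` line (`\ No newline at end of file`). Restore the newline; it only adds noise to every future diff of that file.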