List of tools for static code analysis
In-game article clicks load inline without leaving the challenge.
This is a list of notable tools for static program analysis (program analysis is a synonym for code analysis).
Static code analysis tools
| Tool | Latest release | Free software | Languages supported | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Ada | C, C++, C#, Objective-C | JVM | JavaScript, TypeScript | .NET, VB.NET | Python | Other languages | ||||
| Astrée | 2024-10 (24.10) | No; proprietary | — | C, C++ | — | — | — | — | — | Finds all potential runtime errors and data races by abstract interpretation, can prove their absence and functional assertions; tailored toward safety-critical C, C++ code (e.g., avionics and automotive); includes MISRA checker |
| Axivion Suite | 2025-05-19 (7.10) | No; proprietary | — | C, C++, C# | — | — | — | — | QML, Axivion CUDA | Static code analysis suite designed for safety-critical and security-focused software development with certification support for ISO 26262, IEC 61508, IEC 62304, EN 50128, and EN 50657; comprehensive analysis includes coding standards compliance (MISRA C/C++, AUTOSAR, CERT, CWE), clone detecting, dead code analysis, architecture verifying, cycle detecting, and metrics monitoring; includes qualification kit for regulated environments as in automotive, aerospace, medical devices, security |
| BLAST (retired) | 2015-10-30 (2.7.3) | Yes; ASL 2 | — | C | — | — | — | — | — | Open-source software model checker for C programs based on lazy abstraction (successor project is CPAchecker) |
| Clang | 2026-04-11 (22.1.3) | Yes; ASL 2 with LLVM Exceptions | — | C, C++, Objective-C | — | — | — | — | — | Open-source compiler that includes static analyzer, as of version 3.2, analyzer is included in Xcode |
| Coccinelle | 2021-09-06 (1.1.1) | Yes; GPLv2 | — | C | — | — | — | — | — | Open-source source code pattern matching and transforming |
| Code Dx (Defunct 2021) | 2015-01-15 | No; proprietary | — | C, C++, C# | Java, JSP, Scala | JavaScript | VB.NET | Python | PHP, Rails, Ruby, XML | Software application vulnerability correlation and management system; uses multiple SAST and DAST tools, and results of manual code reviews; can calculate cyclomatic complexity |
| CodePeer | 2021-05-07 (21) | No; proprietary | Ada | — | — | — | — | — | — | Advanced static analysis tool; detects potential run-time logic errors in Ada programs |
| CodeScene | 2023-10-13 (6.3.5) | No; proprietary | — | C, C++, C#, Objective-C | Java, Groovy, Scala | JavaScript, TypeScript | VB.NET | Python | Swift, Go, PHP, Ruby | Behavioral analysis of code; helps identify, prioritize, and manage technical debt; measures organizational aspects of developer teams; automated pull request integrations |
| CodeQL | 2026-02-05 (CLI: 2.24.1) | No; proprietary | — | C, C++, C# | Java, Kotlin | JavaScript, TypeScript | .NET | Python | Swift, Go, Ruby, Rust | Code search tool, focus on finding software bugs; search patterns written in query language that can search the AST and graphs (CFG, DFG, etc.) of supported languages; plugin available for Visual Studio Code |
| ConQAT (retired) | 2015-02-01 | Yes; ASL 2 | Ada | C#, C++ | Java | JavaScript | — | — | ABAP | Continuous quality assessment toolkit; allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards |
| Coverity | 2023-04-29 (2022.12) | No; proprietary | — | C, C++, C#, Objective-C | Java | JavaScript, TypeScript | — | Python | Ruby, PHP | Multi-language tool for security and quality issues; supports compliance standards (MISRA, ISO 26262 and others); free use for open-source projects |
| ECLAIR | 2025-05-12 (3.14.0) | No; proprietary | — | C, C++ | — | — | — | — | — | Multi-language tool for software verification. Applications range from coding rule validation, to automatic generation of testcases, to the proof of absence of run-time errors or generation of counterexamples, and to the specification of code matchers and rewriters based both syntactic and semantic conditions. Supports compliance standards (MISRA, Embedded C Coding Standard and others). |
| CPAchecker | 2022-01-24 (2.1.1) | Yes; ASL 2 | — | C | — | — | — | — | — | Configurable software verification tool for execution path checking of C |
| Cppcheck | 2025-02-23 (2.17) | Partly; framework is GPL v3, with some proprietary features | — | C, C++ | — | — | — | — | — | Open-source tool; checks for several types of errors, including use of STL; MISRA support being added |
| Cppdepend | 2023-03-01 (2023.1) | No; proprietary | — | C, C++ | — | — | — | — | — | Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and comparing different versions of the code. |
| Cpplint | 2020-07-29 | Yes; CC-BY-3.0 | — | C++ | — | — | — | — | — | Open-source tool; checks compliance with C++ coding Google style guide |
| Fluctuat | 2001 | No; proprietary | Ada95 | C | — | — | — | — | — | Abstract interpreter to validate program numerical properties |
| Fluid Attacks | 2026-01-07 | No; proprietary | — | C# | Java, Kotlin, Scala | JavaScript, TypeScript | — | Python | PHP, Dart, Go, HCL, HTML, JSON, Ruby, Swift, XML, YAML | SAST tool; supports many programming languages and frameworks; based on graph algorithms using Tree-sitter, can be integrated into CI/CD pipelines from providers supporting Docker |
| Frama-C | 2022-06-21 | Yes; LGPL v2.1, BSD, QPL | — | C | — | — | — | — | — | Open-source extensible analysis framework for C with several analyzers and a specification language common to all; includes analyses based on abstract interpretation, deductive verification, runtime monitoring |
| GrammaTech CodeSonar | 2020-06-01 (5.3) | No; proprietary | — | C, C++, Objective-C | Java | — | — | — | — | Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualizing, software metrics |
| GCC | 2023-4-26 (13.1) | Yes; GPLv3+ with GCC Runtime Library Exception | — | C | — | — | — | — | — | Compiling with -fanalyzer flag (available from GCC 10) enables the static analyzer functionality |
| HCL Security AppScan Source | 2020-12-01 (10.0.3) | No; proprietary | — | C, C++ | Java, JSP | JavaScript | .NET | Python | ColdFusion, ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, COBOL | Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems |
| Helix QAC | 2023-04 (2023.1) | No; proprietary | — | C, C++ | — | — | — | — | — | Formerly PRQA QA·C and QA·C++, deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support |
| Infer Static Analyzer | 2024-06-21 (1.2.0) | Yes; MIT | — | C, C++, Objective-C | Java | — | — | — | — | Targets null pointer problems, leaks, concurrency issues and API usage for Facebook's mobile apps, available as open source on GitHub; sometimes called Facebook Infer |
| Imagix 4D | 2020-10-01 (10.1.0) | No; proprietary | — | C, C++ | Java | — | — | — | — | Windows and Linux versions |
| Kiuwan | 2020-07-22 | No; proprietary | — | C, C++, C#, Objective-C | Java, JSP | JavaScript | VB.NET | — | ABAP, COBOL, PHP, PL/SQL, T-SQL, SQL, Visual Basic, Android | Software Analytics end-to-end platform for static code analysis and automated code review; covers defect detection, application security & IT risk management, with enhanced life cycle and application governance features; supports over 20 languages |
| Klocwork | 2023-04-04 (2023.1) | No; proprietary | — | C, C++, C# | Java | JavaScript | — | Python | Kotlin | Provides security vulnerability, standards compliance (MISRA, ISO 26262 and others), defect detection and build-over-build trend analysis |
| Lint | 1978-07-26 | Yes; permissive BSD-like | — | C | — | — | — | — | — | The original, from 1978, static code analyzer for C |
| MALPAS | No; proprietary | Ada | C | — | — | — | — | Pascal, Assembler (Intel, PowerPC and Motorola) | Software static analysis toolset for many languages; main use is for safety criticality in nuclear and aerospace industries | |
| Moose | 2021-01-21 (7.0.3) | Yes; MIT | — | C, C++ | Java | — | .NET | — | Smalltalk | Begun as software analysis platform with many tools to manipulate, assess or visualize software; evolving to a more generic data analysis platform |
| NDepend | 2022-03-16 (2022.1) | No; proprietary | — | C# | — | — | VB.NET .NET | — | — | Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, doing impact analysis, comparing different versions; integrates into Visual Studio |
| .NET Compiler Platform (Roslyn) | 2020-12-08 (3.8.0) | Yes; MIT | — | C# | — | — | VB.NET | — | — | Open-source compiler framework for C# and Visual Basic (.NET) developed by Microsoft .NET, provides an API to analyze and manipulate syntax; FxCop rules were implemented into Roslyn |
| Parasoft C/C++test | 2024-12-03 (2024.2) | No; proprietary | — | C, C++ | — | — | — | — | — | C/C++ tool with AI; does static analysis, unit tests, code review, runtime error detecting, enforcing safety and security standards; plugins available for Visual Studio, Visual Studio Code, Eclipse-based IDEs, and GitHub integrating |
| Parasoft Jtest | 2024-12-03 (2024.2) | No; proprietary | — | — | Java | — | — | — | — | Java tool with AI; does static analysis, unit tests, enforces safety and security standards; plugins available for IntelliJ IDEA, Visual Studio Code and Eclipse-based IDEs, GitHub integration |
| PC-lint Plus | 2022-08-02 (2.0 Beta 2) | No; proprietary | — | C, C++ | — | — | — | — | — | Static analysis tool used to detect wide range of defects, identify suspicious code, enforce various coding standards (MISRA/AUTOSAR/etc), calculate and report complex metrics, and implement user-defined checks |
| PMD | 2025-11-28 (7.19.0) | Yes; BSD-like | — | C, C++ | Java, Kotlin, Scala, JSP, Apache Velocity Template Language (VTL) | JavaScript | — | — | Apex, ColdFusion, HTML, PHP, PLSQL, Swift, Visualforce, XML, Maven POM, WSDL, XSL | Duplicate code detector |
| Polyspace | 2022-09-15 | No; proprietary | Ada | C, C++ | — | — | — | — | — | Uses abstract interpretation to detect and prove absence of some runtime errors and dead code in source code; used to check all MISRA (2004, 2012) rules (directives, non directives) |
| Pretty Diff | 2019-04-21 (101.0.0) | Yes; CC0 | — | — | — | JavaScript, TypeScript | — | — | Markup, script and style languages (like XML, CSS) | Language-specific code comparing tool; features analysis reporting, minification, and beautification algorithms |
| PVS-Studio | 2024-08-16 (7.32) | No; proprietary | — | C, C++, C++/CLI, C++/CX, C# | Java | — | — | — | — | Software analysis tool |
| Qodana | 2023-07-23 (2023.2) | No; proprietary | — | C# | Java, Kotlin | JavaScript, TypeScript | VB.NET | Python | Go, HTML, PHP, CSS, Android, Vue.js | Code quality analysis tool; uses static code analysis |
| RIPS | 2020-02-17 (3.4) | No; proprietary | — | — | Java | — | — | — | PHP | Static code analysis tool with many integration options for automated detection of complex security vulnerabilities |
| Semgrep | 2026-04-10 (1.159.0) | Yes; LGPL v2.1 | — | — | Java | JavaScript, TypeScript | — | Python | Go, JSON, PHP, Ruby, language-agnostic mode | Static analysis tool; helps expressing code standards and surfacing bugs early; experimental support for 11 other languages; CI service and rule library available |
| Sider | 2021-02-02 | No; proprietary | — | — | — | JavaScript, CoffeeScript | — | Python | Ruby, PHP, Go | Static code analysis based automated code review tool working on GitHub and GitLab; checks style, quality, dependencies, security and bugs; integrates several open source static analysis tools |
| SLAM project | 2010-07-14 | No; proprietary | — | C | — | — | — | — | — | Microsoft Research project for checking that software (drivers) satisfies critical behavioral properties of interfaces it uses |
| SofCheck Inspector, Codepeer | 2020-08-24 (21.x) | No; proprietary | Ada | — | Java | — | — | — | — | Static detection of logic errors, race conditions, redundant code; automatically extracts pre-postconditions from code |
| SonarQube | 2024-02-05 (10.4) | Partly; framework is LGPL v3.0, but some features can be proprietary | — | C, C#, C++, Objective-C | Java, Kotlin, Scala | JavaScript, TypeScript | VB.NET | Python | ABAP, Apex, CSS, COBOL, Flex, Go, HTML, PHP, PLI, PL/SQL, Ruby, Swift, TSQL, Visual Basic 6, XML | Continuous inspection engine that finds vulnerabilities, bugs, code smells, and tracks code complexity, unit test coverage, duplication; offers branch analysis and C, C++, Objective-C support via commercial licenses |
| SourceMeter | 2016-12-16 (8.2) | No; proprietary | — | C, C++ | Java | — | — | Python | RPG IV (AS/400) | Cross-platform, command-line static source code analyzer; integrates with PMD and SpotBugs |
| Sourcetrail (retired) | 2021-04 (2021.4.19) | Yes; GPL | — | C, C++ | Java | — | — | Python | Perl | Open-source source code explorer; provides interactive dependency graphs, supports several programming languages |
| Sparse | 2021-09-06 (0.6.4) | Yes; MIT | — | C | — | — | — | — | GCC extensions | Open-source tool designed to find faults in Linux kernel |
| Splint | 2007-07-12 (3.1.2) | Yes; GPLv2 | — | C | — | — | — | — | — | Open-source tool statically checking C programs for security vulnerabilities and coding errors |
| StyleCop | 2016-05-02 (2016.1.0) | Yes; Ms-PL | — | C# | — | — | .NET | — | — | Analyzes C# source code to enforce a set of style and consistency rules; can be run from inside of Visual Studio or integrated into an MSBuild project |
| Squore | 2020-11-27 (20.1) | No; proprietary | Ada | C, C++, C#, Objective-C | Java | JavaScript, TypeScript | VB.NET | Python | Fortran, PHP, PL/SQL, Swift, T-SQL, XAML | Multi-purpose and multi-language monitoring tool for software projects; integrates with other scanners |
| Understand | 2023-01-19 (6.3) | No; proprietary | Ada | C, C++, C#, Objective-C | Java | JavaScript | — | Python | FORTRAN, Jovial, Pascal, VHDL, HTML, PHP, XML | Multi-platform tool for code analysis and comprehension of large code bases; recognizes many dialects of C, C++, C# like ANSI, K&R and Objective-C++ |
| Visual Expert | 2021-09-10 | No; proprietary | — | — | — | — | — | — | PowerBuilder, Oracle PL/SQL, SQL Server Transact-SQL (T-SQL) | Continuous code inspecting, reports on quality and security issues, helps understand complex code (cross-references, source code documenting and comparing, code performance analysis) |
| Visual Studio | 2021-10-12 (16.11) | No; proprietary | — | C, C++, C# | — | — | — | — | VB.NET | IDE; provides static code analysis for C/C++ in editor environment and from compiler command line; includes .NET Compiler Platform (Roslyn) which provides C# and VB.NET analysis |
| Yasca (retired) | 2010-11-01 (2.21) | Yes; multiple licenses | — | C, C++ | Java | JavaScript | — | — | ASP, PHP, HTML, CSS, ColdFusion, COBOL | Yet Another Source Code Analyzer; plugin-based framework to scan arbitrary file types, with plugins; integrates with other scanners, including FindBugs, PMD, Pixy |
| Tool | Release | Free software | Languages supported | Notes |
Languages
Ada
- CodePeer
- ConQAT
- Fluctuat
- LDRA Testbed
- MALPAS
- Polyspace
- SofCheck Inspector
- Squore
- Understand
C , C++
- Astree
- Axivion Suite (Bauhaus)
- BLAST
- Clang
- Coccinelle
- Coverity
- CPAchecker
- Cppcheck
- Cppdepend
- Cpplint
- ECLAIR
- Eclipse
- Fluctuat
- Frama-C
- GCC
- Helix QAC
- Facebook Infer
- Klocwork
- Lint
- LDRA Testbed
- Parasoft C/C++test
- PC-lint Plus
- Polyspace
- PVS-Studio
- SLAM project
- Sparse
- SonarQube
- Splint
- Understand
- Visual Studio
C#
- Axivion Suite (Bauhaus)
- Code Dx
- CodeScene
- CodeQL
- Coverity
- Fluid Attacks
- Kiuwan
- Klocwork
- .NET Compiler Platform
- PVS-Studio
- SonarQube
- Sotoarc
- StyleCop
- Squore
- Understand
- Visual Studio
IEC 61131-3
- CODESYS Static Analysis – integrated add-on for CODESYS (application code realized e.g. in ST, FBD, LD)
Java
| Tool | Latest release | Free software | Duplicate code | Notes |
|---|---|---|---|---|
| Checkstyle | 2020-01-26 | Yes; LGPL | No | Besides some static code analysis, it can be used to show violations of a configured coding standard. Duplicate code detection was removed from Checkstyle. |
| Eclipse | 2017-06-28 | Yes; EPL | No | Cross-platform IDE with own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project. Plugins for Checkstyle, FindBugs, and PMD. |
| FindBugs | 2015-03-06 | Yes; LGPL | Based on Jakarta BCEL from the University of Maryland. SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community. | |
| IntelliJ IDEA | 2021-04-06 | Yes; ASL 2 | Yes | A leading Java IDE with built-in code inspection and analysis. Plugins for Checkstyle, FindBugs, and PMD. |
| JArchitect | 2017-06-11 | No; proprietary | Simplifies managing a complex code base by analyzing and visualizing code dependencies, defining design rules, doing impact analysis, and by comparing different versions of the code. | |
| Jtest | 2024-11-01 (2024.2) | No; proprietary | Yes | Testing and static code analysis product by Parasoft. |
| Soot | 2020-10-28 | Yes; LGPL | A language manipulation and optimization framework consisting of intermediate languages. | |
| PMD | 2025-11-28 | Yes; BSD License | Yes | Static code analyzer with support for plugins, including CPD. PMD supports checking of several languages. |
| Squale | 2011-05-26 | Yes; LGPL | A platform to manage software quality. | |
| ThreadSafe | 2014-03-28 | No; proprietary | A static analysis tool focused on finding concurrency bugs. |
- Coverity
- Facebook Infer
- Fluid Attacks
- Klocwork
- LDRA Testbed
- PMD
- RIPS
- Semgrep
- SourceMeter
- Understand
JavaScript
- ESLint – JavaScript syntax checker and formatter.
- Google's Closure Compiler – JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
- CodeScene – Behavioral analysis of code.
- Fluid Attacks
- JSHint – A community driven fork of JSLint.
- JSLint – JavaScript syntax checker and validator.
- Klocwork
- Semgrep – A static analysis tool that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also available.
- Understand
Objective-C , Objective-C++
- Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.
- Infer – Developed by an engineering team at Facebook with open-source contributors. Targets null pointers, leaks, API usage and other lint checks. Available as open source on github.
- Understand
Opa
- Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.
Packaging
- Lintian – Checks Debian software packages for common inconsistencies and errors.
- Rpmlint – Checks for common problems in rpm packages.
Perl
- Perl::Critic – A tool to help enforce common Perl best practices. Most best practices are based on Damian Conway's Perl Best Practices book.
- PerlTidy – Program that acts as a syntax checker and tester/enforcer for coding practices in Perl.
- Padre – An IDE for Perl that also provides static code analysis to check for common beginner errors.
PL/SQL
- TOAD – A PL/SQL development environment with a Code xPert component that reports on general code efficiency as well as specific programming issues.
- Visual Expert – A PL/SQL code analysis tool that reports on programming issues and helps understand and maintain complex code (Impact Analysis, Source Code documentation, Call trees, CRUD matrix, etc.).
PowerBuilder , PowerScript
- Visual Expert – A tool scanning PowerBuilder libraries (PBLs) for code inspection, Impact Analysis, Source Code documentation, Call trees, CRUD matrix.
Python
- PyCharm – Cross-platform Python IDE with code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
- PyDev – Eclipse-based Python IDE with code analysis available on-the-fly in the editor or at save time.
- Pylint – Static code analyzer. Quite stringent; includes many stylistic warnings as well.
- Fluid Attacks
- Klocwork
- Semgrep – Static code analyzer that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also available.
- Understand
Transact-SQL
- Visual Expert – A SQLServer code analysis tool that reports on programming issues and helps understand and maintain complex code (Impact Analysis, source code documentation, call trees, CRUD matrix, etc.).
Tools with duplicate code detection
- Axivion Suite (Bauhaus)
- Code Dx
- CodeScene
- PMD
- SofCheck Inspector
- SonarQube
- SourceMeter
- Understand
Formal methods tools
Tools that use sound, i.e. over-approximating a rigorous model, formal methods approach to static analysis (e.g., using static program assertions). Sound methods contain no false negatives for bug-free programs, at least with regards to the idealized mathematical model they are based on (there is no "unconditional" soundness). Note that there is no guarantee they will report all bugs for buggy programs, they will report at least one.
- Astrée – finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics).
- CodePeer – Statically determines and documents pre- and post-conditions for Ada subprograms; statically checks preconditions at all call sites.
- ECLAIR – Uses formal methods-based static code analysis techniques such as abstract interpretation and model checking combined with constraint satisfaction techniques to detect or prove the absence of certain run time errors in source code.
- ESC/Java and ESC/Java2 – Based on Java Modeling Language, an enriched version of Java
- Frama-C – An open-source analysis framework for C, based on the ANSI/ISO C Specification Language (ACSL). Its main techniques include abstract interpretation, deductive verification and runtime monitoring.
- KeY – analysis platform for Java based on theorem proving with specifications in the Java Modeling Language; can generate test cases as counterexamples; stand-alone GUI or Eclipse integration
- MALPAS – A formal methods tool that uses directed graphs and regular algebra to prove that software under analysis correctly meets its mathematical specification.
- Polyspace – Uses abstract interpretation, a formal methods based technique, to detect and prove the absence of certain run time errors in source code for C/C++, and Ada
- SPARK Toolset including the SPARK Examiner – Based on the SPARK language, a subset of Ada.
See also
- Automated code review
- Best Coding Practices
- List of software development philosophies
- Dynamic program analysis
- Software metrics
- Integrated development environment (IDE) and comparison of integrated development environments. IDEs will usually come with built-in support for static program analysis, or with an option to integrate such support. Eclipse offers such integration mechanism for most different types of extensions (plug-ins).
External links
- , by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
- , by Rick Jelliffe, O'Reilly Media.