Best Open Source static analysis Libraries
A curated list of the most popular GitHub repositories tagged with static analysis.
#1 WerWolv/ImHex
🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
#2 astral-sh/ruff
An extremely fast Python linter and code formatter, written in Rust.
#3 koalaman/shellcheck
ShellCheck, a static analysis tool for shell scripts
#4 realm/SwiftLint
A tool to enforce Swift style and conventions.
#5 nikic/PHP-Parser
A PHP parser written in PHP
#6 facebook/infer
A static analyzer for Java, C, C++, and Objective-C
#7 Konloch/bytecode-viewer
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
#8 phpstan/phpstan
PHP Static Analysis Tool - discover bugs in your code without running it!
#9 OWASP/mastg
The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the OWASP Mobile Security Weakness Enumeration (MASWE) weaknesses, which are in alignment with the OWASP MASVS.
#10 reviewdog/reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
#11 checkstyle/checkstyle
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
#12 We5ter/Scanners-Box
A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners developed by security industry practitioners
#13 securego/gosec
Go security checker
#14 fallow-rs/fallow
Codebase intelligence for TypeScript and JavaScript. Free static layer: unused code, duplication, circular deps, complexity hotspots, architecture boundaries. Optional paid runtime layer: hot-path review and cold-path deletion evidence from real production traffic. Rust-native, sub-second, zero-config framework support.
#15 repowise-dev/repowise
Codebase intelligence for AI and humans: code health scores, auto-generated docs, git analytics, dead code detection, and architectural decisions via MCP.
#16 pascal-lab/Tai-e
An easy-to-learn/use static analysis framework for Java and Android
#17 SonarSource/SonarJS
SonarSource Static Analyzer for JavaScript and TypeScript
#18 aviatesk/JET.jl
A code analyzer for Julia. No need for additional type annotations.
#19 psalm/psalm-plugin-laravel
Laravel static analysis with built-in security scanning
#20 SonarSource/sonarqube-cli
Command-line interface for SonarQube with AI agent integration. Scan for secrets and get fast feedback on code quality and security from your terminal.
#21 seqra/opentaint
The open source taint analysis tool for the AI era. AST-pattern rules. Whole-program taint analysis. Formal substrate for AI application security.