This is a list of notable tools for static program analysis (program analysis is a synonym for code analysis).
Static code analysis tools[edit] Tool Latest release Free software Supported languages Notes Ada C, C++, C#, Objective-C JVM JaScript, TypeScript .NET, VB.NET Python Other languages Astrée 2024-10 (24.10) No; proprietary — C, C++ — — — — — Finds all potential runtime errors and data races by abstract interpretation, can prove their absence, and can prove functional assertions; tailored towards safety-critical C/C++ code (e.g. ionics and automotive). Includes MISRA checker. Axivion Suite 2025-05-19(7.10)
No; proprietary — C, C++, C# — — — — QML, Axivion CUDA Static code analysis suite designed for safety-critical and security-focused software development with certification support for ISO 26262, IEC 61508, IEC 62304, EN 50128, and EN 50657. Comprehensive analysis includes coding standards compliance (MISRA C/C++, AUTOSAR, CERT, CWE), clone detection, dead code analysis, architecture verification, cycle detection, and metrics monitoring. Includes qualification kit for regulated environments such as automotive, aerospace, medical devices, and security applications. BLAST (retired) 2015-10-30 (2.7.3) Yes; ASL 2 — C — — — — — An open-source software model checker for C programs based on lazy abstraction (follow-on project is CPAchecker.[1]). Clang 2025-08-30 (21.1.0-rc3) Yes; ASL 2 with LLVM Exceptions — C, C++, Objective-C — — — — — An open-source compiler that includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[2][3] Coccinelle 2021-09-06 (1.1.1) Yes; GPLv2 — C — — — — — An open-source source code pattern matching and transformation. Code Dx (Defunct 2021) 2015-01-15 No; proprietary — C, C++, C# Ja, JSP, Scala JaScript VB.NET Python PHP, Rails, Ruby, XML[4] Software application vulnerability correlation and management system that uses multiple SAST and DAST tools, as well as the results of manual code reviews. Can calculate cyclomatic complexity. CodePeer 2021-05-07 (21) No; proprietary Ada — — — — — — An advanced static analysis tool that detects potential run-time logic errors in Ada programs. CodeScene 2023-10-13(6.3.5)
No; proprietary — C, C++, C#, Objective-C Ja, Groovy, Scala JaScript, TypeScript VB.NET Python Swift, Go, PHP, Ruby Behioral analysis of code. Helps identify, prioritize, and manage technical debt. Measures organizational aspects of developer teams. Automated pull request integrations. CodeQL 2023-02-07 (CLI: 2.12.2) No; proprietary — C, C++, C# Ja, Kotlin JaScript, TypeScript .NET Python Go, Ruby A code searching tool with an emphasis on finding software bugs. Search patterns are written in a query language which can search the AST and graphs (CFG, DFG, etc.) of supported languages. A plugin is ailable for Visual Studio. ConQAT (retired) 2015-02-01 Yes; ASL 2 Ada C#, C++ Ja JaScript — — ABAP Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards. Coverity 2023-04-29 (2022.12)[5] No; proprietary — C, C++, C#, Objective-C Ja JaScript, TypeScript — Python Ruby, PHP Multi-language tool for security and quality issues. Supports compliance standards (MISRA, ISO 26262 and others). Free to use for open-source projects. ECLAIR 2021-07-15 (3.11)[6] No; proprietary — C, C++ — — — — — Multi-language tool for software verification. Applications range from coding rule validation, to automatic generation of testcases, to the proof of absence of run-time errors or generation of counterexamples, and to the specification of code matchers and rewriters based both syntactic and semantic conditions. Supports compliance standards (MISRA, Embedded C Coding Standard and others). CPAchecker 2022-01-24 (2.1.1) Yes; ASL 2 — C — — — — — A configurable software verification tool for execution path checking of C. Cppcheck 2025-02-23 (2.17) Yes; GPLv3 — C, C++ — — — — — Open-source tool that checks for several types of errors, including use of STL. MISRA support is being added. Cppdepend 2023-03-01 (2023.1)[7] No; proprietary — C, C++ — — — — — Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and comparing different versions of the code. Cpplint 2020-07-29 Yes; CC-BY-3.0[8] — C++ — — — — — An open-source tool that checks for compliance with Google's style guide for C++ coding. Fluctuat 2001 No; proprietary Ada95 C — — — — — Abstract interpreter for the validation of numerical properties of programs. Frama-C 2022-06-21 Yes; LGPL v2.1, BSD, QPL — C — — — — — An open-source extensible analysis framework for C with several analyzers and a specification language common to all of them. Includes analyses based on abstract interpretation, deductive verification and runtime monitoring. GrammaTech CodeSonar 2020-06-01 (5.3) No; proprietary — C, C++, Objective-C Ja — — — — Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics. GCC 2023-4-26 (13.1) Yes; GPLv3+ with GCC Runtime Library Exception — C — — — — — Compiling with -fanalyzer flag (ailable from GCC 10) enables the static analyzer functionality[9] HCL Security AppScan Source 2020-12-01 (10.0.3) No; proprietary — C, C++ Ja, JSP JaScript .NET Python ColdFusion, ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, COBOL Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Helix QAC 2023-04 (2023.1) No; proprietary — C, C++ — — — — — Formerly PRQA QA·C and QA·C++, deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support. Infer Static Analyzer 2024-06-21 (1.2.0) Yes; MIT — C, C++, Objective-C Ja — — — — Targets null pointer problems, leaks, concurrency issues and API usage for Facebook's mobile apps. Available as open source on GitHub. Sometimes referred as Facebook Infer. Imagix 4D 2020-10-01 (10.1.0) No; proprietary — C, C++ Ja — — — — Windows and Linux versions. Kiuwan 2020-07-22 No; proprietary — C, C++, C#, Objective-C Ja, JSP JaScript VB.NET — ABAP, COBOL, PHP, PL/SQL, T-SQL, SQL, Visual Basic, Android Software Analytics end-to-end platform for static code analysis and automated code review. It covers defect detection, application security & IT Risk Management, with enhanced life cycle and application governance features. Support for over 20 languages. Klocwork 2023-04-04 (2023.1) No; proprietary — C, C++, C# Ja JaScript — Python Kotlin Provides security vulnerability, standards compliance (MISRA, ISO 26262 and others), defect detection and build-over-build trend analysis LDRA Testbed 2021-05-07 (v9.8.6) No; proprietary Ada83, Ada95 C, C++ — — — — Assembler (Intel, Freescale, Texas Instruments) A software analysis and testing tool suite, that performs static analysis, standards enforcement (eg. MISRA C/C++), dynamic analysis, unit testing and requirements traceability. Lint 1978-07-26 Yes; permissive BSD-like[10] — C — — — — — The original, from 1978, static code analyzer for C. MALPAS No; proprietary Ada C — — — — Pascal, Assembler (Intel, PowerPC and Motorola) A software static analysis toolset for a variety of languages. Used primarily for safety critical applications in Nuclear and Aerospace industries. Moose 2021-01-21 (7.0.3) Yes; MIT — C, C++ Ja — .NET — Smalltalk Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve to a more generic data analysis platform. NDepend 2022-03-16 (2022.1)[11] No; proprietary — C# — — VB.NET .NET — — Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions. Integrates into Visual Studio. .NET Compiler Platform (Roslyn) 2020-12-08 (3.8.0) Yes; MIT — C# — — VB.NET — — Open-source compiler framework for C# and Visual Basic .NET developed by Microsoft .NET. Provides an API for analyzing and manipulating syntax. FxCop rules were implemented into Roslyn. Parasoft C/C++test 2024-12-03 (2024.2) No; proprietary — C, C++ — — — — — A C/C++ tool with AI that does static analysis, unit testing, code review, and runtime error detection along with enforcement of safety and security standards; plugins ailable for Visual Studio, Visual Studio Code and Eclipse-based IDEs as well as Github integration. Parasoft Jtest 2024-12-03 (2024.2) No; proprietary — — Ja — — — — A Ja tool with AI that does static analysis and unit testing as well as enforcement of safety and security standards; plugins ailable for IntelliJ IDEA, Visual Studio Code and Eclipse-based IDEs as well as Github integration. PC-lint Plus 2022-08-02 (2.0 Beta 2) No; proprietary — C, C++ — — — — — A static analysis tool used to detect a wide range of defects, identify suspicious code, enforce various coding standards (MISRA/AUTOSAR/etc), calculate and report complex metrics, and implement user-defined checks. PMD 2023-2-25 (6.55.0) Yes; BSD-like — C, C++ Ja, JSP JaScript — — ColdFusion, PHP duplicate code detection (e.g.)[12] code. Polyspace 2022-09-15 No; proprietary Ada C, C++ — — — — — Uses abstract interpretation to detect and prove the absence of certain run time errors and dead code in source code as well as used to check all MISRA (2004, 2012) rules (directives, non directives). Pretty Diff 2019-04-21 (101.0.0) Yes; CC0 — — — JaScript, TypeScript — — Markup, script and style languages (like XML, CSS) A language-specific code comparison tool that features language-specific analysis reporting in addition to language-specific minification and beautification algorithms. PVS-Studio 2024-08-16 (7.32) No; proprietary — C, C++, C++/CLI, C++/CX, C# Ja — — — — A software analysis tool. Qodana 2023-07-23 (2023.2) No; proprietary — C# Ja, Kotlin JaScript, TypeScript VB.NET Python Go, HTML, PHP, CSS, Android, Vue.js A code quality analysis tool that uses static code analysis. RIPS 2020-02-17 (3.4) No; proprietary — — Ja — — — PHP A static code analysis solution with many integration options for the automated detection of complex security vulnerabilities. SAST Online 2022-03-07 (1.1.0) No; proprietary — — Ja — — — Kotlin, APK Check the Android Source code thoroughly to uncover and address potential security concerns and vulnerabilities. Static application security testing (Static Code Analysis) tool Online Semgrep 2025-08-14 (1.132.0) Yes; LGPL v2.1 — — Ja JaScript, TypeScript — Python Go, JSON, PHP, Ruby, language-agnostic mode A static analysis tool that helps expressing code standards and surfacing bugs early. It also has experimental support for eleven other languages. A CI service and a rule library is also ailable. Sider 2021-02-02 No; proprietary — — — JaScript, CoffeeScript — Python Ruby, PHP, Go Static code analysis based automated code review tool working on GitHub and GitLab. Checks style, quality, dependencies, security and bugs. It integrates a number of open source static analysis tools. SLAM project 2010-07-14 No; proprietary — C — — — — — A project of Microsoft Research for checking that software (drivers) satisfies critical behioral properties of the interfaces it uses. SofCheck Inspector, Codepeer 2020-08-24 (21.x) No; proprietary Ada — Ja — — — — Static detection of logic errors, race conditions, and redundant code. automatically extracts pre-postconditions from code. SonarQube 2024-02-05 (10.4) Partly; framework is LGPL v3.0, but some features can be proprietary — C, C#, C++, Objective-C Ja, Kotlin, Scala JaScript, TypeScript VB.NET Python ABAP, Apex, CSS, COBOL, Flex, Go, HTML, PHP, PLI, PL/SQL, Ruby, Swift, TSQL, Visual Basic 6, XML A continuous inspection engine that finds vulnerabilities, bugs and code smells. Also tracks code complexity, unit test coverage and duplication. Offers branch analysis and C/C++/Objective-C support via commercial licenses. SourceMeter 2016-12-16 (8.2) No; proprietary — C, C++ Ja — — Python RPG IV (AS/400) A platform-independent, command-line static source code analyzer. Integrates with PMD and SpotBugs. Sourcetrail (retired) 2021-04 (2021.4.19) Yes; GPL — C, C++ Ja — — Python Perl An open-source source code explorer that provides interactive dependency graphs and supports multiple programming languages. Sparse 2021-09-06 (0.6.4) Yes; MIT — C — — — — GCC extensions An open-source tool designed to find faults in the Linux kernel. Splint 2007-07-12 (3.1.2) Yes; GPLv2 — C — — — — — An open-source tool statically checking C programs for security vulnerabilities and coding mistakes. StyleCop 2016-05-02 (2016.1.0) Yes; Ms-PL — C# — — .NET — — Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Squore 2020-11-27 (20.1) No; proprietary Ada C, C++, C#, Objective-C Ja JaScript, TypeScript VB.NET Python Fortran, PHP, PL/SQL, Swift, T-SQL, XAML A multi-purpose and multi-language monitoring tool for software projects. It integrates with other scanners. Understand 2023-01-19 (6.3) No; proprietary Ada C, C++, C#, Objective-C Ja JaScript — Python FORTRAN, Jovial, Pascal, VHDL, HTML, PHP, XML A multi-platform tool for code analysis and comprehension of large code bases. Can recognize multiple dialects of C, C++ and C# like ANSI, K&R and Objective C++. Visual Expert 2021-09-10 No; proprietary — — — — — — PowerBuilder, Oracle PL/SQL, SQL Server Transact-SQL (T-SQL) Continuous Code inspection, reports on quality and security issues, helps understand complex code (cross-references, source code documentation, code comparison, code performance analysis). Visual Studio 2021-10-12 (16.11) No; proprietary — C, C++, C# — — — — VB.NET An IDE that provides static code analysis for C/C++ both in the editor environment and from the compiler command line. Also includes the .NET Compiler Platform (Roslyn) which provides C# and VB.NET analysis. Yasca (retired) 2010-11-01 (2.21) Yes; multiple licenses — C, C++ Ja JaScript — — ASP, PHP, HTML, CSS, ColdFusion, COBOL Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins. It integrates with other scanners, including FindBugs, PMD, and Pixy. Tool Release Free software Supported languages Notes Languages[edit] Ada[edit] This section is a sublist. Links here will take you to the full list on the top of this article. CodePeer ConQAT Fluctuat LDRA Testbed MALPAS Polyspace SofCheck Inspector Squore Understand C, C++[edit] This section is a sublist. Links here will take you to the full list on the top of this article. Astree Axivion Suite (Bauhaus) BLAST Clang Coccinelle Coverity CPAchecker Cppcheck Cppdepend Cpplint ECLAIR Eclipse Fluctuat Frama-C GCC Helix QAC Facebook Infer Klocwork Lint LDRA Testbed Parasoft C/C++test PC-lint Plus Polyspace PVS-Studio SLAM project Sparse SonarQube Splint Understand Visual Studio C#[edit] This section is a sublist. Links here will take you to the full list on the top of this article. Axivion Suite (Bauhaus) Code Dx CodeScene CodeQL Coverity Kiuwan Klocwork .NET Compiler Platform PVS-Studio SonarQube Sotoarc StyleCop Squore Understand Visual Studio IEC 61131-3[edit] CODESYS Static Analysis – integrated add-on for CODESYS (application code realized e.g. in ST, FBD, LD) Ja[edit] Tool Latest release Free software Duplicatecode Notes Checkstyle 2020-01-26 Yes; LGPL No Besides some static code analysis, it can be used to show violations of a configured coding standard. Duplicate code detection was removed[13] from Checkstyle. Eclipse 2017-06-28 Yes; EPL No Cross-platform IDE with own set of several hundred code inspections ailable for analyzing code on-the-fly in the editor and bulk analysis of the whole project. Plugins for Checkstyle, FindBugs, and PMD. FindBugs 2015-03-06 Yes; LGPL Based on Jakarta BCEL from the University of Maryland. SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community. IntelliJ IDEA 2021-04-06 Yes; ASL 2 Yes A leading Ja IDE with built-in code inspection and analysis. Plugins for Checkstyle, FindBugs, and PMD. JArchitect 2017-06-11 No; proprietary Simplifies managing a complex code base by analyzing and visualizing code dependencies, defining design rules, doing impact analysis, and by comparing different versions of the code. Jtest 2024-11-01 (2024.2) No; proprietary Yes Testing and static code analysis product by Parasoft. Soot 2020-10-28 Yes; LGPL A language manipulation and optimization framework consisting of intermediate languages. PMD 2021-01-30 Yes; BSD License Yes Static code analyzer with support for plugins, including CPD. PMD supports checking of several languages. Squale 2011-05-26 Yes; LGPL A platform to manage software quality. ThreadSafe 2014-03-28 No; proprietary A static analysis tool focused on finding concurrency bugs. This section is a sublist. Links here will take you to the full list on the top of this article. Coverity Facebook Infer Klocwork LDRA Testbed PMD RIPS Semgrep SourceMeter Understand JaScript[edit] ESLint – JaScript syntax checker and formatter. Google's Closure Compiler – JaScript optimizer that rewrites code to be faster and smaller, and checks use of native JaScript functions. CodeScene – Behioral analysis of code. JSHint – A community driven fork of JSLint. JSLint – JaScript syntax checker and validator. Klocwork Semgrep – A static analysis tool that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also ailable. Understand Objective-C, Objective-C++[edit] Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[14] Infer – Developed by an engineering team at Facebook with open-source contributors. Targets null pointers, leaks, API usage and other lint checks. Available as open source on github. Understand Opa[edit] Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections. Packaging[edit] Lintian – Checks Debian software packages for common inconsistencies and errors. Rpmlint – Checks for common problems in rpm packages. Perl[edit] Perl::Critic – A tool to help enforce common Perl best practices. Most best practices are based on Damian Conway's Perl Best Practices book. PerlTidy – Program that acts as a syntax checker and tester/enforcer for coding practices in Perl. Padre – An IDE for Perl that also provides static code analysis to check for common beginner errors. PL/SQL[edit] TOAD – A PL/SQL development environment with a Code xPert component that reports on general code efficiency as well as specific programming issues. Visual Expert – A PL/SQL code analysis tool[15] that reports on programming issues and helps understand and maintain complex code (Impact Analysis, Source Code documentation, Call trees, CRUD matrix, etc.). PowerBuilder, PowerScript[edit] Visual Expert – A tool scanning PowerBuilder libraries (PBLs) for code inspection, Impact Analysis, Source Code documentation, Call trees, CRUD matrix. Python[edit] PyCharm – Cross-platform Python IDE with code inspections ailable for analyzing code on-the-fly in the editor and bulk analysis of the whole project. PyDev – Eclipse-based Python IDE with code analysis ailable on-the-fly in the editor or at se time. Pylint – Static code analyzer. Quite stringent; includes many stylistic warnings as well. Klocwork Semgrep – Static code analyzer that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also ailable. Understand Transact-SQL[edit] Visual Expert – A SQLServer code analysis tool[16] that reports on programming issues and helps understand and maintain complex code (Impact Analysis, source code documentation, call trees, CRUD matrix, etc.). Tools with duplicate code detection[edit] For broader coverage of this topic, see Duplicate code. This section is a sublist. Links here will take you to the full list on the top of this article. Axivion Suite (Bauhaus) Code Dx CodeScene PMD SofCheck Inspector SonarQube SourceMeter Understand Formal methods tools[edit]Tools that use sound, i.e. over-approximating a rigorous model, formal methods approach to static analysis (e.g., using static program assertions). Sound methods contain no false negatives for bug-free programs, at least with regards to the idealized mathematical model they are based on (there is no "unconditional" soundness). Note that there is no guarantee they will report all bugs for buggy programs, they will report at least one.
Astrée – finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. ionics). CodePeer – Statically determines and documents pre- and post-conditions for Ada subprograms; statically checks preconditions at all call sites. ECLAIR – Uses formal methods-based static code analysis techniques such as abstract interpretation and model checking combined with constraint satisfaction techniques to detect or prove the absence of certain run time errors in source code. ESC/Ja and ESC/Ja2 – Based on Ja Modeling Language, an enriched version of Ja Frama-C – An open-source analysis framework for C, based on the ANSI/ISO C Specification Language (ACSL). Its main techniques include abstract interpretation, deductive verification and runtime monitoring. KeY – analysis platform for Ja based on theorem proving with specifications in the Ja Modeling Language; can generate test cases as counterexamples; stand-alone GUI or Eclipse integration MALPAS – A formal methods tool that uses directed graphs and regular algebra to prove that software under analysis correctly meets its mathematical specification. Polyspace – Uses abstract interpretation, a formal methods based technique,[17] to detect and prove the absence of certain run time errors in source code for C/C++, and Ada SPARK Toolset including the SPARK Examiner – Based on the SPARK language, a subset of Ada. See also[edit] Automated code review Best Coding Practices List of software development philosophies Dynamic program analysis Software metrics Integrated development environment (IDE) and comparison of integrated development environments. IDEs will usually come with built-in support for static program analysis, or with an option to integrate such support. Eclipse offers such integration mechanism for most different types of extensions (plug-ins). References[edit] ^ "CPAchecker". 2015-02-08. ^ "Static Analysis in Xcode". Apple. Archived from the original on 2009-09-05. Retrieved 2009-09-03. ^ "Running the analyzer within Xcode". Archived from the original on 5 December 2021. Retrieved 14 January 2022. ^ "Supported Application Security Testing Tools and Languages". codedx.com. Retrieved Apr 25, 2017. ^ "Coverity Scan website". Retrieved 2023-08-23. ^ "ECLAIR website". Retrieved 2021-10-07. ^ "CppDepend what's new". cppdepend.com. Retrieved 1 March 2023. ^ "Readme.md of Google Style Guides". GitHub. Retrieved 8 November 2021. ^ Malcolm, Did (2020-03-26). "Static analysis in GCC 10". Red Hat Developer. Retrieved 2022-04-13. ^ "UNIX is free!". lemis.com. 2002-01-24. ^ "NDepend what's new". ndepend.com. Retrieved 15 June 2022. ^ "PMD - Browse /pmd/5.0.0 at SourceForge.net". Retrieved Dec 9, 2012. ^ "Remove StrictDuplicateCodeCheck and whole package · Issue #523 · checkstyle/Checkstyle". GitHub. ^ "Static Analysis in Xcode". Apple. Retrieved 2009-09-03. ^ "Visual Expert for Oracle - PL/SQL Code Analyzer". www.visual-expert.com. 2017-08-24. ^ "Visual Expert for SQL Server - Transact SQL Code Analyzer". www.visual-expert.com. 2017-08-24. ^ Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007). IEEE International Conference on Software Engineering and Formal Methods. pp. 135–140. doi:10.1109/SEFM.2007.42. ISBN 978-0-7695-2884-7. S2CID 67212. External links[edit] The Web Application Security Consortium's Static Code Analysis Tool List SAMATE-Source Code Security Analyzers SATE – Static Analysis Tool Exposition "A Comparison of Bug Finding Tools for Ja", by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Ja 2, FindBugs, JLint, and PMD. "Mini-review of Ja Bug Finders", by Rick Jelliffe, O'Reilly Media.