static-analysis
static-analysis is a curated, community-maintained directory of SAST tools and linters across all programming languages and configuration formats. It serves as a discovery and reference hub rather than a tool itself, aggregating metadata and links to hundreds of analyzers with a focus on code quality.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | analysis-tools-dev/static-analysis |
| Owner | analysis-tools-dev |
| Primary language | Rust |
| License | MIT — OSI-approved |
| Stars | 14.7k |
| Forks | 1.5k |
| Open issues | 30 |
| Latest release | Unknown |
| Last updated | 2026-06-10 |
| Source | https://github.com/analysis-tools-dev/static-analysis |
What static-analysis is
The repository is a taxonomy-organized, YAML-backed catalog of static analysis tools indexed by language, domain (config, build, security), and tool type. It powers the analysis-tools.dev website with rankings, community feedback, and resource links. Primary content is non-executable documentation; the repo itself is written in Rust but functions as a curated list generator.
Get the static-analysis source
Clone the repository and explore it locally.
git clone https://github.com/analysis-tools-dev/static-analysis.gitcd static-analysis# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Treat the catalog as a starting point for research, not a purchasing or adoption decision. Verify tool maintenance status, feature coverage, and licensing against your own requirements before selection.
- The :warning: (unmaintained for 1+ year) and :information_source: (deprecated) symbols are heuristic markers only. Independently confirm tool viability by checking GitHub activity, issue age, and security patches.
- License metadata is provided but requires manual review for commercial, closed-source, or GPL-governed projects. The README mentions proprietary tools with © but does not evaluate terms—review licensing directly with vendors.
- The catalog spans open-source and proprietary tools; integration effort varies widely. Budget for tool-specific onboarding, rule customization, and CI/CD pipeline configuration regardless of source.
- Use the companion website (analysis-tools.dev) for ranked results, community comments, and video tutorials; the GitHub repo is the authoritative source data but the website provides curated presentation.
When to avoid it — and what to weigh
- You need a tool that runs analysis — static-analysis is a reference directory, not an executable analyzer. It does not perform code scanning itself; you must adopt and configure individual tools from the catalog.
- You require vendor support or SLAs — This is a community-driven, volunteer-maintained project. There is no commercial support, service guarantees, or incident response. Sponsors may offer their own tools but not the repository itself.
- You need real-time threat intelligence or CVE integration — The catalog is a static, curated list updated via PR. It does not feed live security advisories, CVE databases, or dynamic threat feeds. For that, use dedicated SAST/SCA platforms.
- You expect automated tool updates or version tracking — Tool metadata and links are manually curated and updated. There is no automatic version pinning, release tracking, or deprecation alerts. Community contributors update entries reactively.
License & commercial use
Licensed under MIT (Massachusetts Institute of Technology License), a permissive OSI-approved license. The license applies to the repository's documentation, metadata, and any aggregation/presentation code. Individual tools listed in the catalog retain their own licenses (open-source and proprietary); the MIT license does not override or grant permissions for those tools.
Commercial use of the static-analysis repository itself is permitted under the MIT license (copying, redistributing, and modifying the catalog for internal or resale purposes is allowed, with attribution). However, this does not grant commercial rights to proprietary tools listed in the catalog; those must be licensed separately. If you intend to create a derivative directory service or resell the data, consult the MIT license terms and consider trademark/attribution obligations to the original maintainers.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
This catalog does not perform security analysis; it is a reference directory. When evaluating SAST tools from the catalog, independently assess: (1) the tool's own security posture and update frequency—outdated analyzers may miss new vulnerability patterns, (2) false-positive/false-negative rates for your codebase—not all tools are equally reliable, (3) vendor or maintainer credibility and data handling (e.g., cloud-based vs. on-premise analyzers), and (4) integration with your supply-chain security (SLSA, SBOM) requirements. No guarantees are made about the security quality of listed tools.
Alternatives to consider
OWASP Top 10 & CWE Top 25 (direct resources)
If you need authoritative security vulnerability guidance rather than a tools catalog, consult these standards directly. They define threat priorities but do not recommend specific tools.
Awesome-Dynamic-Analysis (sister project)
Complements static-analysis by covering runtime testing, fuzzing, and dynamic analysis tools. Use both catalogs to build a holistic code-quality and security strategy.
Commercial SAST/SCA platforms (Snyk, Checkmarx, Fortify, Synopsys)
If you need vendor support, SLAs, unified dashboards, and integrated supply-chain security, enterprise platforms offer opinionated tool suites and professional services beyond this open-source catalog.
Build on static-analysis with DEV.co software developers
Explore the full static-analysis catalog to identify the right SAST and linting tools for your tech stack. Start with our curated recommendations and integrate proven analyzers into your CI/CD pipeline today.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
static-analysis FAQ
Can I use this repository to automatically scan my code?
Are all tools in the catalog actively maintained?
Can I fork or redistribute this catalog commercially?
How often is the catalog updated?
Custom software development services
Need help beyond evaluating static-analysis? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Build a Stronger Code-Quality Strategy
Explore the full static-analysis catalog to identify the right SAST and linting tools for your tech stack. Start with our curated recommendations and integrate proven analyzers into your CI/CD pipeline today.