DEV.co
Open-Source Security · analysis-tools-dev

static-analysis

static-analysis is a curated, community-maintained directory of SAST tools and linters across all programming languages and configuration formats. It serves as a discovery and reference hub rather than a tool itself, aggregating metadata and links to hundreds of analyzers with a focus on code quality.

Source: GitHub — github.com/analysis-tools-dev/static-analysis
14.7k
GitHub stars
1.5k
Forks
Rust
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryanalysis-tools-dev/static-analysis
Owneranalysis-tools-dev
Primary languageRust
LicenseMIT — OSI-approved
Stars14.7k
Forks1.5k
Open issues30
Latest releaseUnknown
Last updated2026-06-10
Sourcehttps://github.com/analysis-tools-dev/static-analysis

What static-analysis is

The repository is a taxonomy-organized, YAML-backed catalog of static analysis tools indexed by language, domain (config, build, security), and tool type. It powers the analysis-tools.dev website with rankings, community feedback, and resource links. Primary content is non-executable documentation; the repo itself is written in Rust but functions as a curated list generator.

Quickstart

Get the static-analysis source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/analysis-tools-dev/static-analysis.gitcd static-analysis# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Tool evaluation and selection

Engineers and architects evaluating SAST/linting strategies can reference this catalog to compare available tools by language, license, maintenance status, and community recommendations across their entire tech stack.

Standardizing code quality across teams

Engineering leads building or updating organizational static analysis policies can use this curated list to justify tool selection, identify emerging alternatives, and ensure coverage across multiple languages and config formats.

Onboarding new projects to existing toolchains

When adopting a new language or framework, teams can query this directory to identify vetted, actively maintained linters and analyzers that fit their existing CI/CD and code-quality infrastructure.

Implementation considerations

  • Treat the catalog as a starting point for research, not a purchasing or adoption decision. Verify tool maintenance status, feature coverage, and licensing against your own requirements before selection.
  • The :warning: (unmaintained for 1+ year) and :information_source: (deprecated) symbols are heuristic markers only. Independently confirm tool viability by checking GitHub activity, issue age, and security patches.
  • License metadata is provided but requires manual review for commercial, closed-source, or GPL-governed projects. The README mentions proprietary tools with © but does not evaluate terms—review licensing directly with vendors.
  • The catalog spans open-source and proprietary tools; integration effort varies widely. Budget for tool-specific onboarding, rule customization, and CI/CD pipeline configuration regardless of source.
  • Use the companion website (analysis-tools.dev) for ranked results, community comments, and video tutorials; the GitHub repo is the authoritative source data but the website provides curated presentation.

When to avoid it — and what to weigh

  • You need a tool that runs analysis — static-analysis is a reference directory, not an executable analyzer. It does not perform code scanning itself; you must adopt and configure individual tools from the catalog.
  • You require vendor support or SLAs — This is a community-driven, volunteer-maintained project. There is no commercial support, service guarantees, or incident response. Sponsors may offer their own tools but not the repository itself.
  • You need real-time threat intelligence or CVE integration — The catalog is a static, curated list updated via PR. It does not feed live security advisories, CVE databases, or dynamic threat feeds. For that, use dedicated SAST/SCA platforms.
  • You expect automated tool updates or version tracking — Tool metadata and links are manually curated and updated. There is no automatic version pinning, release tracking, or deprecation alerts. Community contributors update entries reactively.

License & commercial use

Licensed under MIT (Massachusetts Institute of Technology License), a permissive OSI-approved license. The license applies to the repository's documentation, metadata, and any aggregation/presentation code. Individual tools listed in the catalog retain their own licenses (open-source and proprietary); the MIT license does not override or grant permissions for those tools.

Commercial use of the static-analysis repository itself is permitted under the MIT license (copying, redistributing, and modifying the catalog for internal or resale purposes is allowed, with attribution). However, this does not grant commercial rights to proprietary tools listed in the catalog; those must be licensed separately. If you intend to create a derivative directory service or resell the data, consult the MIT license terms and consider trademark/attribution obligations to the original maintainers.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

This catalog does not perform security analysis; it is a reference directory. When evaluating SAST tools from the catalog, independently assess: (1) the tool's own security posture and update frequency—outdated analyzers may miss new vulnerability patterns, (2) false-positive/false-negative rates for your codebase—not all tools are equally reliable, (3) vendor or maintainer credibility and data handling (e.g., cloud-based vs. on-premise analyzers), and (4) integration with your supply-chain security (SLSA, SBOM) requirements. No guarantees are made about the security quality of listed tools.

Alternatives to consider

OWASP Top 10 & CWE Top 25 (direct resources)

If you need authoritative security vulnerability guidance rather than a tools catalog, consult these standards directly. They define threat priorities but do not recommend specific tools.

Awesome-Dynamic-Analysis (sister project)

Complements static-analysis by covering runtime testing, fuzzing, and dynamic analysis tools. Use both catalogs to build a holistic code-quality and security strategy.

Commercial SAST/SCA platforms (Snyk, Checkmarx, Fortify, Synopsys)

If you need vendor support, SLAs, unified dashboards, and integrated supply-chain security, enterprise platforms offer opinionated tool suites and professional services beyond this open-source catalog.

Software development agency

Build on static-analysis with DEV.co software developers

Explore the full static-analysis catalog to identify the right SAST and linting tools for your tech stack. Start with our curated recommendations and integrate proven analyzers into your CI/CD pipeline today.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

static-analysis FAQ

Can I use this repository to automatically scan my code?
No. static-analysis is a reference directory, not a scanner. You must select and deploy individual tools from the catalog. The repository provides metadata and links; execution and integration are your responsibility.
Are all tools in the catalog actively maintained?
No. Tools marked with :warning: have not been updated for 1+ years or are archived. Tools marked with :information_source: are deprecated but listed for reference. Always verify tool status independently before adoption.
Can I fork or redistribute this catalog commercially?
The repository itself is MIT-licensed, so redistribution is permitted with attribution. However, this does not grant commercial rights to proprietary tools listed in the catalog; those must be licensed separately from their vendors.
How often is the catalog updated?
The catalog is maintained by community contributions and the core team. Update frequency varies; new tools and metadata are added via pull requests. There is no fixed release schedule or automated version tracking.

Custom software development services

Need help beyond evaluating static-analysis? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Build a Stronger Code-Quality Strategy

Explore the full static-analysis catalog to identify the right SAST and linting tools for your tech stack. Start with our curated recommendations and integrate proven analyzers into your CI/CD pipeline today.