Choose skills by scenario, quality, and trust signals.

Static Value-Flow Analysis Framework for Source Code

Interactive architecture diagrams for codebases

Node.js dependency tracing utility

Next-gen phpDoc parser with support for intersection types and generics

PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.

Security risk analysis for Kubernetes resources

Radare2 and Frida better together.

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Docker image that provides static analysis tools for PHP

An analysis tool for Python that blurs the line between testing and type systems.

SonarSource Static Analyzer for JavaScript and TypeScript

:coffee: SonarSource Static Analyzer for Java Code Quality and Security

Semgrep Community Edition rules, maintained by Semgrep and the community. Free to use under the Semgrep Rules License.

A powerful C# Roslyn analyzer that uses static analysis to detect bugs, surface security issues, and enforce best practices—helping developers and AI write more reliable code.

OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance with a widely noticed accuracy by the community.

An artifact of fully-specified annotations to power static-analysis checks, beginning with nullness analysis.

Python Type Checker / Language Server

Protect against malicious open source packages 🤖

A LLVM-based static analysis framework.

An Intelligent Python Code Quality Analyzer

An easy-to-learn/use static analysis framework for Java

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.

PySonar2: a semantic indexer for Python with interprocedual type inference

A reactive Python kernel for Jupyter notebooks.

✔️ PHP Architecture Tester - Easy architecture testing for PHP

FlowDroid Static Data Flow Tracker

Code analyzer for C# and VB.NET projects

A code analyzer for Julia. No need for additional type annotations.

All-in-one devtool to automatically analyze, search and visualize project modules and dependencies from JavaScript, TypeScript (JSX/TSX) and Node.js (ES6, CommonJS)

T.J. Watson Libraries for Analysis, with front ends for Java, Android, and JavaScript, and many common static program analyses.

Code style checking for RSpec files.

A new version of Soot with a completely overhauled architecture

Symfony extension for PHPStan

Extra strict and opinionated rules for PHPStan

Cake a C23 front end and transpiler written in C

Doctrine extensions for PHPStan

SonarQube plugin for JetBrains IDEs providing code quality and security feedback directly in the IDE

A GitHub :octocat: app to automatically review Python code style over Pull Requests

SonarQube extension for Visual Studio Code providing code quality and security feedback directly in the editor

CodeCompass is a software comprehension tool for large scale software written in C/C++, C# and Python.

:ab: Tool to compare two revisions of a class API to check for BC breaks

Protect your secrets using Gitleaks-Action

A common base representation of python source code for pylint and other projects

Generate interactive call graphs for various languages

Tai-e assignments for static program analysis

My collection of various security tools created mostly in Python and Bash. For CTFs and Bug Bounty.

A collection of my Semgrep rules to facilitate vulnerability research.

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.

Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

prealloc is a Go static analysis tool to find slice declarations that could potentially be preallocated.

PHP Magic Number Detector

Security-focused static analysis for the Phoenix Framework