Best Static Code Analysis Software

Static code analysis is the analysis of computer software performed without actually executing the code. Static code analysis software scans all code in a project and seeks out vulnerabilities, validates code against industry best practices, and some tools also validate against company-specific project specifications. Static code analysis software is used by software development and quality assurance teams to ensure the quality and security of code and that project requirements are met. Static code analysis is a type of source code management and can integrate with version control systems and, through build automation tasks, with continuous integration software.

To qualify as a static code analysis system, a product must:

  • Scan code without executing that code
  • List security vulnerabilities after scanning
  • Validate code against industry best practices
  • Provide recommendations on where and how to fix issues

Static Code Analysis Software Grid® Overview

The best Static Code Analysis Software products are determined by customer satisfaction (based on user reviews) and market presence (based on products’ scale, focus, and influence) and placed into four categories on the Grid®:
  • Products in the Leader quadrant are rated highly by G2 Crowd users and have substantial Market Presence scores. Leaders include: ReSharper, PyCharm, and Coverity
  • High Performers are highly rated by their users, but have not yet achieved the Market Presence of the Leaders. High Performers include: SonarQube
  • Contenders have significant Market Presence and resources, but have received below average user Satisfaction ratings or have not yet received a sufficient number of reviews to validate the solution. Contenders include: CheckMarx, Black Duck Hub, and Micro Focus Fortify
  • Niche solutions do not have the Market Presence of the Leaders. They may have been rated positively on customer Satisfaction, but have not yet received enough reviews to validate them. Niche products include: WhiteSource Software and JSHint
[Figure: G2 Crowd Grid® for Static Code Analysis, with quadrants Leaders, High Performers, Contenders and Niche plotted on Market Presence against Satisfaction]
Compare Static Code Analysis Software
    Results: 53


    Static Code Analysis reviews by real, verified users. Find unbiased ratings on user satisfaction, features, and price based on the most reviews available anywhere.

    PyCharm is an IDE for Python developed by JetBrains. PyCharm is built for professional Python developers, and comes with many features to deal with large code bases: code navigation, automatic refactoring, and other productivity tools, in a single unified interface.


    Coverity, a Synopsys software testing solution, is a leading provider of software quality and security analysis.


    ReSharper is a renowned productivity tool that turns Microsoft Visual Studio into a much better IDE. Both individual .NET developers and teams rely on ReSharper to write and maintain code in a more manageable and enjoyable way, adopt best coding practices and deliver higher-quality applications faster.


    SonarSource products have innovative features to maximize quality and manage risk for both small and large software portfolios.


    Software security solutions from Micro Focus Fortify cover your entire software development lifecycle (SDLC) for mobile, third party and website security.


    Organizations worldwide use Black Duck’s industry-leading products to secure and manage open source software, eliminating the pain related to security vulnerabilities, compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, Vancouver, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com.


    Identify software security vulnerabilities & fix them


    JSHint is a community-driven tool to detect errors and potential problems in JavaScript code.


    WhiteSource helps businesses develop better software by harnessing the power of open source. WhiteSource becomes part of your software development lifecycle (SDLC) and automates the entire process of open source component selection, approval, and management, including finding and fixing vulnerable components. We give software development and security teams full control and visibility over their open source usage and help them drive open source adoption.


    IBM Security AppScan Standard protects against web application attacks and expensive data breaches by automating application security vulnerability testing. Avoid security vulnerabilities: use automated dynamic security testing and advanced static analysis (“black box” and “white box”) to detect developing security issues. Empower accurate scanning: scan websites to identify embedded vulnerabilities, and simplify interpretation of scan results with scan-specific explanations of each issue. Get quick remediation: fix high-priority problems first with streamlined remediation, and make fixes quickly with the provided remediation steps, including code examples and a task list.


    codebeat is an automated review for web and mobile that gathers the results of static code analysis into a single, real-time report that gives all project stakeholders the information required to identify code smells, security holes and improve code quality.


    Klocwork brings social collaboration to solving coding issues, combining skillsets and sharing this learning across teams.


    Semmle makes the management of software development easier than ever before. By giving you complete visibility (for every project, location, team, developer, timeframe and cost), Semmle is engineering intelligence at its most advanced.


    Veracode is the world's best automated, on-demand application security testing and code review solution.


    Pylint is a tool that checks for errors in Python code, tries to enforce a coding standard and looks for bad code smells.


    ReSharper C++ makes Visual Studio a better IDE for C++ developers, providing on-the-fly code analysis, quick-fixes, powerful search and navigation, smart code completion, refactorings, a variety of code generation options and other features to help increase your everyday productivity.



    JavaScript Source Analysis


    Gamma supports developers and development teams by finding critical code issues before they become roadblocks. It is the perfect tool to analyze, diagnose, transform, and sustain your software efficiently. With the use of A.I. and machine learning technologies, Gamma can immediately prioritize issues, suggest ways to best solve them, and re-factor software where necessary. Run it within your current Dev-Ops stack, on premise or in the cloud privately or publicly.


    StyleCop analyzes C# source code to enforce a set of style and consistency rules.


    Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard.


    The Closure Compiler is a tool for making JavaScript download and run faster. Instead of compiling from a source language to machine code, it compiles from JavaScript to better JavaScript.


    The CodeRush .NET Test Runner is up to 30% faster than the closest competitor so you can get back to coding sooner.


    Cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that the compilers normally do not detect. The goal is to detect only real errors in the code (i.e. have zero false positives).


    dotPeek is a free-of-charge standalone tool based on ReSharper's bundled decompiler. It can reliably decompile any .NET assembly into equivalent C# or IL code.


    Static analysis tool for finding bugs in Java code.


    FxCop is intended for class library developers.


    OCLint is a static code analysis tool for improving quality and reducing defects by inspecting C, C++ and Objective-C code.


    Parasoft Development Testing Platform (DTP) enables Continuous Testing. Leveraging policies, DTP consistently applies software quality practices across teams and throughout the SDLC. It enables your quality efforts to shift left, delivering a platform for automated defect prevention and the uniform measurement of risk.


    The .NET Compiler Platform ("Roslyn") provides open-source C# and Visual Basic compilers with rich code analysis APIs.


    Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code, integrating with other open-source tools as needed.


    Babel is a JavaScript compiler. It helps shape the future of the JavaScript language itself.


    Write better code. With a Definition of Done. Better Code Hub checks your code base for compliance against 10 software engineering guidelines - and gives you immediate feedback on where to focus for quality improvements. https://github.com/marketplace/better-code-hub


    CA Veracode static analysis enables you to quickly identify and remediate application security flaws at scale and with efficiency. Our SaaS-based platform integrates with your development and security tools, making security testing a seamless part of your development process. Once flaws are identified, leverage in-line remediation advice and one-to-one coaching to reduce your mean time to resolve. CA Veracode static analysis is the competitive advantage you need to securely bring your applications to market at the speed of DevOps.


    CodeDynamics cuts right to the chase, quickly identifying the cause of the crash, allowing you to have complete control over breakpoints and stepping commands.


    CodeIt.Right provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices. We take static code quality analysis to the next level by enabling rule violations to be automatically refactored into conforming code. CodeIt.Right helps to improve your software quality, ensure code correctness, find issues early and resolve them quickly.


    CodeSonar, GrammaTech's flagship static analysis SAST tool, identifies bugs that can result in system crashes, unexpected behavior, and security breaches.


    ConQAT is a toolkit for rapid development and execution of software quality analyses.


    JArchitect simplifies managing a complex Java code base. You can analyze code structure, specify design rules, do effective code reviews and master evolution by comparing different versions of the code.


    Jtest helps development teams produce better code, test it more efficiently, and consistently monitor progress toward quality goals.


    Software analytics technology with a breadth of third party integrations that takes into account the wealth of applications your teams are currently using. We facilitate and encourage work between unlocalized teams. We understand the complexity of working on multi technology environments, constantly striving to increase the number of programming languages and technologies we support.


    The LDRA tool suite helps you build quality into your software development life-cycle. Our software standards compliance, testing, and verification tools are based on industry best practices to help you develop high quality safety- and security-critical products. Many users of the LDRA tool suite are required to certify their software. The LDRA tool suite’s open and extensible platform is unique in its integration of software life-cycle traceability, static and dynamic analysis, unit test and system-level testing on virtually any host or target platform.


    Manta Checker automates code reviews, helps you quickly fix errors and improves your data governance. How it works:
    1. Manta Checker analyzes everything in your repository.
    2. It finds errors and other issues.
    3. It reports everything in reports, ready for people or other quality assurance solutions.
    And that helps our customers to:
    1. Save on expensive labor
    2. Detect production errors early
    3. Correct errors quickly and automatically
    Manta Checker is available in the cloud or on premise for Teradata, Informatica and Oracle. To learn more about Manta Checker or get a full Manta Checker Trial for free, visit our webpage: getmanta.com/manta-checker


    Manta allows companies to get end-to-end data lineage including custom SQL. We are trusted by dozens of enterprises all around the world such as PayPal, Comcast, OBI, Vodafone or US Banking Big Four. Our capabilities helped them to improve data governance, fulfill compliance regulations and unlock the potential of existing metadata solutions. And how does it work?
    1. Manta Flow, our core product, crunches custom SQL code (Teradata, Oracle, Informatica and other).
    2. It documents data lineage along the way.
    3. It visualizes data lineage in an interactive map or pushes it into a 3rd party metadata solution (Informatica Metadata Manager or IBM Information Governance Catalog).
    See? Simple, yet elegant. Try our demo live on our website or just ask for a free trial.


    Fortify Static Code Analyzer is designed to identify security vulnerabilities in the user's source code early in the software development lifecycle and provides best practices so developers can code more securely.


    Moose is a platform for software and data analysis. It helps programmers craft custom analyses cheaply. It's based on Pharo and it's open source under BSD/MIT.


    Measure quality with metrics, see design with diagrams and enforce decisions with code rules, right into Visual Studio.


    RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis.


    RIPS is the code analysis solution dedicated to the PHP language. It supports all major PHP frameworks, SDLC integration, relevant industry standards and can be deployed as a self-hosted software or used as a cloud service.


    SourceMeter is an innovative tool built for the precise static source code analysis of C/C++, Java, C#, Python, and RPG projects.


    Sparrow SAST is designed to detect security weaknesses in source code with its semantic based static program analysis engine.


    Provides automated security testing and security scanning of web applications to identify vulnerabilities, scans your network and devices and recommends how they can be fixed, and provides source code analysis to identify and resolve security weaknesses and vulnerabilities.


    Understand is very efficient at collecting metrics about the code and providing different ways for you to view it.
