30 open-source projects similar to github/codeql, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Codeql alternative.
gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks. The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues. Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptograph
Pyre is a high-performance static type checker and analysis tool for Python. It identifies type errors and ensures type safety without executing the program, utilizing a static type inference engine to maintain consistency across functions. The project is distinguished by an incremental type analysis engine that operates as a background daemon. This system monitors filesystem changes to re-validate only modified parts of a project, reducing the time required for repeated analysis. It also includes a static analysis security tool that uses taint analysis to track untrusted data flows and ident
Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing. The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports. The platform co
ApplicationInspector is a multi-language static analysis tool designed to detect specific features and characteristics within source code. It utilizes a declarative JSON rules engine to identify patterns and structural tags across project directories without requiring the analyzer to be recompiled. The system distinguishes itself through a code version differ that compares two different source paths to report changes in detected features. It also provides utilities for creating and validating custom JSON-based rules, including a validation pipeline to verify syntax and identifier uniqueness.
🐊 Pluggable and configurable JavaScript linter, code transformer and formatter with superpowers 💪: built-in support for js, jsx, ts, markdown, yaml, toml, json and ignore files. Write declarative codemods in the simplest possible way 😏
PMD is a multi-language static code analyzer used to identify programming flaws, unused variables, and dead code without executing the program. It functions as a code smell detector and coding standard enforcer, ensuring source code adheres to specific naming conventions, structural requirements, and project style guides. The project features an XPath-based rule engine that allows users to define custom analysis patterns using queries against an abstract syntax tree. It also includes a copy-paste detector to identify duplicated code blocks across multiple files and a visual rule designer for
SonarQube is a static code analysis platform used to scan source code and infrastructure scripts across multiple languages. It detects bugs, security vulnerabilities, and maintainability issues to ensure software meets reliability and security standards. The platform implements automated quality gates for continuous integration and delivery pipelines, verifying code against defined rules during merge or pull requests. It also integrates directly with code editors to provide real-time analysis results and quick-fix guidance during development. The system covers broad functional areas includin
JSHint is a JavaScript static analysis tool and linter designed to detect errors and enforce coding standards. It functions as a syntax validator that scans source code to identify potential logic problems and programming mistakes before the code is executed. The tool provides a command line interface for analyzing files and directories. It supports the export of analysis results into standardized formats such as Checkstyle for integration with external build tools. Analysis is managed through a system of linting rule management and environment global configuration. This includes the ability
Potpie is an LLM codebase analysis platform and multi-agent orchestration framework designed to act as an AI software engineer. It parses repositories into a structured code knowledge graph, enabling AI agents to perform multi-hop reasoning, dependency tracing, and grounded technical analysis across large codebases. The system distinguishes itself through a spec-driven development framework where agents generate detailed technical specifications and architecture plans before implementing multi-file code changes. It utilizes a durable execution engine to coordinate specialized AI personas for
Esprima is a JavaScript parser that converts source code into a structured abstract syntax tree. It implements a specification-driven grammar to ensure compliance with ECMAScript standards, enabling the programmatic analysis and transformation of JavaScript programs. The project provides capabilities for lexical tokenization to break source code into individual symbols and static syntax validation to verify that scripts are well-formed without executing the code. Its functional surface covers JavaScript static analysis, lexical analysis, and the generation of abstract syntax trees.
Gixy is a static configuration analyzer and security auditor for Nginx. It functions as an infrastructure-as-code security scanner and web server configuration linter designed to identify vulnerabilities and misconfigurations in server definitions before deployment. The tool focuses on detecting high-risk security flaws, including host header spoofing, server-side request forgery, and path traversal. It specifically audits Nginx configurations for risks such as HTTP splitting, multiline header issues, and unauthorized third-party access resulting from incorrect Referer or Origin header patter
code2flow is a static program flow mapper and source code call graph generator. It analyzes source code to produce visual flow diagrams that map function call relationships and execution paths. The project includes an asynchronous call trace visualizer that follows execution paths through async and await calls to map the logic of asynchronous programs. It also provides a programmable code analysis interface, allowing the call graph generation logic to be integrated into other software applications. The system handles static code analysis by converting source code into abstract syntax trees t
This project is an AI-powered code reviewer and static analysis server that identifies low-quality files and generates automated critiques. It functions as an automated quality scoring tool that evaluates source code structure and complexity through local parsing. The system utilizes a standardized context protocol to stream analysis results to AI agents and editors. It integrates large language models to produce automated reviews and suggestions for improvement based on quantitative quality metrics. The tool includes a weight-based scoring engine and an asynchronous analysis pipeline for pr
nodejsscan is a static analysis security tool and vulnerability detection engine designed to scan Node.js source code for security flaws and common coding vulnerabilities. It functions as a static application security testing tool that analyzes code without executing the program. The tool operates as a security linter that can be integrated into continuous integration pipelines to block insecure code from merging into main branches. It automates the auditing process through rule-based detection and pattern-based static analysis. The project provides capabilities for vulnerability alert autom
This project is an interactive learning resource and tutorial for implementing the Apollo GraphQL client. It provides a guided instructional experience to teach frontend data management, specifically focusing on how to connect web applications to GraphQL data sources. The platform uses a sequenced path of hands-on lessons and interactive code walkthroughs. These modules combine instructional text with executable code blocks to demonstrate real-time API behavior and the integration of GraphQL into frontend frameworks. The curriculum covers the use of declarative queries and schema-driven data
Skill Seekers is a toolset for generating large language model knowledge bases, featuring a multi-source content scraper and a dedicated RAG data pipeline. It extracts technical data from documentation, code, and video to create structured assets and configuration files for AI-powered IDE extensions. The project distinguishes itself through the ability to transform raw data into polished tutorials and specialized skills for AI plugin marketplaces. It utilizes abstract syntax tree parsing and optical character recognition to analyze GitHub repositories, PDFs, and video frames, converting these
Security-101 is a vendor-agnostic, foundational cybersecurity learning curriculum organized into modular, framework-aligned modules. It is designed to build core knowledge across multiple security domains without tying content to specific products or platforms, making it suitable for both beginners and professionals seeking a structured introduction to the field. The curriculum is built around established security frameworks, including the MITRE ATT&CK framework for standardized threat analysis and the NIST Cybersecurity Framework for incident response workflows. It covers a broad range of do
weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.
Linter for dangerous Postgres migration patterns in Diesel and SQLx. Prevents downtime caused by unsafe schema changes.
DevSkim is a set of IDE plugins, language analyzers, and rules that provide security "linting" capabilities.
Open source local-first PR scanner that finds dead code, security bugs, secrets, quality regressions, and AI-code mistakes before merge. For first timers refer to https://duriantaco.github.io/skylos/repo-map/
Ale is a Neovim LSP client and asynchronous linter wrapper designed to integrate language servers and syntax checkers into the editor. It provides infrastructure for background syntax validation and automated code fixing without blocking the editor interface. The project implements the Language Server Protocol to enable advanced semantic navigation, including symbol renaming, definition jumping, and the application of automatic refactoring changes. It functions as an automatic code fixer that applies formatting and repairs based on feedback from linting tools and language servers. The plugin
Tools for code analysis, visualizations, or style-preserving source transformation.
T.J. Watson Libraries for Analysis, with front ends for Java, Android, and JavaScript, and many common static program analyses.
Instant is a real-time backend as a service and relational graph database designed to synchronize data across clients automatically. It functions as a data synchronization layer that provides authentication, permissions, and relational data storage for web and mobile applications. The platform includes an optimistic UI framework that updates local interfaces immediately during writes and handles automatic server rollbacks. It also features a real-time presence system to broadcast transient user states, such as cursor positions and online status, to other connected clients. The system manages
Brakeman is a static analysis security tool and scanner specifically designed for Ruby on Rails source code. It identifies common security vulnerabilities, such as injection and cross-site scripting, by analyzing the application codebase without executing the application. The tool functions as a security auditor that detects mass assignment risks and template vulnerabilities. It evaluates the final output of rendered views and identifies unrestricted assignment patterns that could allow unauthorized modification of model attributes. The system provides vulnerability management through the us
Mago is a PHP static analysis tool, linter, and code formatter. It detects type errors, dead code, and logic bugs through advanced type inference and flow analysis, while providing a deterministic engine to rewrite source files according to style guides. The project distinguishes itself with a WebAssembly runtime that enables PHP analysis to execute entirely within a web browser, allowing results to be shared via URL. It also provides a minimal Dockerized toolchain distributed as a scratch image for consistent execution across different processor architectures. The toolset covers architectur
Checkstyle is a Java static analysis tool and linter designed to identify and enforce coding standards and best practices. It functions as a code quality auditor and Javadoc validation tool, checking source code against configurable rulesets to ensure structural and stylistic consistency. The project allows for the creation of custom linting rules by extending a core API to inspect the abstract syntax tree. It further enables specialized validation through the use of XPath expressions to query the syntax tree for specific code patterns and violations. Capability areas include the enforcement
LogonTracer is a security auditing tool designed for logon analysis and forensic log auditing. It functions as a dockerized security auditor that utilizes a security event graph database to map account names and network addresses, allowing for the visualization of complex system compromise patterns and authentication paths. The system features a Sigma detection engine that scans imported event logs against standardized rule sets to identify known malicious activity. It also includes an anomalous behavior detector that applies statistical analysis, graph algorithms, and hidden Markov models to