an introduction to static code analysis
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information. Merge pull request #42 from pabs3/master Jul 27, 2018

linters - an introduction to static code analysis

What is a linter?

Originally, lint was a tool for scanning .c code for additional, stricter warnings. By statically analyzing the code itself before compilation, programmers could maintain a higher level of code discipline, increasing the reliability of the code in multiple compilers and environments.

As time went on, static code analysis was eclipsed by dynamic analysis: unit tests, that examine how code behaves for different inputs and corner cases.

Today, linters are used to supplement unit tests, serving primarily as low priority style checkers. Linters are being written for many programming languages and document formats, detailed below.

Wikipedia:List of tools for static analysis


Many compilers include an option like -Wall to turn on warnings, -Wextra for even more warnings, and also -Werror to treat warnings as errors, preventing dirty code from compiling.


check-all-the-things is a command-line tool for automatically running many static analysis and similar tools over packages and upstream codebases.

anorack is a specialized spell-checker that finds incorrect indefinite articles.

aspelllint provides spell checking for large projects.

astyle can help enforce a uniform coding style in a large software project.

cowl identifies lines wider than n columns (typically 80), with help from grep.

eclint can derive the code style used in a project, and save it as a dotfile for use in other projects.

editorconfig is an editor-agnostic configuration system for code styling.

editorconfig-cli is a Go-based editorconfig linter.

editorconfig-tools is a command line linter against editorconfig rules.

enlint helps identify strangely encoded text files, with help from programs like Unix find and enca.

gtdlint identifies TODO notes left in code comments, with help from grep.

lili scans projects for strange line endings.

line-detector identifies line ending formats.

lint-spaces checks line endings and indentation.

pfff is a collection of tools by Facebook for analyzing code style, with support for multiple programming languages.

proselint is a linter for usage and style errors in English prose.

sloccount calculates sources lines of code and extrapolates project man-hours and development cost based on industry averages.

Sonarqube is a cross-programming language linting system.

Phabricator Contributing Guide offers coding standards generally, as well as for PHP, and JavaScript code specifically.

google-styleguide is a collection of documents detailing Google's preferred code style, for a variety of programming languages and data formats.

Hemingway is a software application for improving the readability of English text. By using Hemingway, we can make our documentation more understandable for others.

Mozilla Coding Style is a document detailing Mozilla's preferred coding style.

MSDN Library: Coding Techniques and Programming Practices offers general tips for coding.

Microsoft patterns & practices are recommended for .NET projects.

MSDN Library: Design Guidelines for Class Library Developers presents guidelines for .NET library developers.

Code Climate is a paid web service for automatically generating code quality reports.

Web Package Update Checker validates web projects to ensure they use the latest available versions of web packages (like Bootstrap, Font Awesome, JQuery).


lint is a tool for static analysis of Android projects.


gawk has a --lint option for checking script compatibility with other awk implementations.


torrentcheck verifies file download hashes against .torrent files.


splint has largely replaced the old lint tool, offering the same old checks, as well as additional security checks.

lint the original.

gcc offers additional warnings, through its -Wall and -Wextra options.

clang offers even more warnings, through its -Wall, -Wextra, -Wmost, and -Weverything options.

vera++ is a static analysis tool for C/C++ code.

banned.h helps C/C++ programmers identify deprecated, unsafe dependencies.

sparse is designed to find potential sources of program faults, especially in kernel code.

pclint is a classic, non-free C/C++ linter.

Misra C CodeCheck is a demo C linter.

uno is a simple C linter.

Infer is a static program analyzer for Java, C, Objective-C, and Swift, written in OCaml.


cppcheck can check .cpp implementation code, as well as .h definition code.

g++, part of gcc, offers additional checks through its -Wall and -Wextra options. g++ also includes a -Weffc++ option to check against rules in Effective C++.

cpplint is provided as part of the google-styleguide.

nsiqcppstyle is a South Korean C++ style checker.

flint++ is a cross-platform, zero-dependency port of flint - a linter developed at Facebook.

C++ Coding Standards is a textbook documenting recommended C++ code style.

Bjarne Stroustrup's C++ Style and Technique FAQ is another document detailing Bjarne Stroustrup's C++ code style.

Effective C++ details recommended patterns in C++ code.

Boost Library Requirements and Guidelines is a document detailing community standards for C++ code style.


StyleCop is a C# linter that enforces style guidelines.

Gendarme is a .NET Static analysis tool created by the mono team. Gendarme enforces best practices, and compatibility with the mono runtime.

FxCop is a .NET Static analysis tool created at microsoft. FxCop enforces best practices.

C# Coding Conventions is a document detailing Microsoft's recommended patterns for C# code.

patterns & practices Guidance Explorer presents a graphical checklist of Microsoft style rules.


foodcritic offers built-in rules for identifying potential problems with Chef cookbooks.


core.typed offers annotations for type safety.

eastwood provides a Leiningen plugin for linting Clojure code.

kibit also provides a Leiningen plugin for linting Clojure code.


coffeelint for Coffee files.

Common Lisp

lisp-critic is an old analyzer of arbitrary CL code.

xref is an old static analysis tool for CL code.


Linux .conf configuration files may vary in format, but many popular services offer a way to check the syntax of their particular configuration files.


apache2 -t


exim -bV


cupsd -f -t


dhcpd (-t -cf) | (-T -lf)


lighttpd -t


mysqld --help --verbose --skip-networking


nagios -v





nginx -t


ntpd -n | -d


pfctl -n


postfix check


proftpd -t


rsyslogd -c4 -N 1


testparm -v


slapd -Tt


squid -k (check | parse)


sshd -t | -T


syslogd -d


tcpdchk -a | -d | -i | -v


eval `dbus-launch --auto-syntax` && \
  find . -type f -name '*.conf' -exec init-checkconf {} \;


varnishd -C


vsftpd -olisten=NO


Coq is a proof assistant, requiring all programs to be logically valid.


csslint for CSS files.

minify can help compress, CSS, JS, and HTML files.

csstidy can help compress CSS files.


csv-validator verifies CSV data against a given CSV schema.


gdc offers a built-in -Wall flag for additional warnings.


pub publish offers a --dry-run option.

Debian packages

Lintian checks for bugs and policy violations in .deb packages.


Dlint analyzes DNS records.







epubcheck analyzes .epub files for errors.


erl_tidy, a library that comes with Erlang, attempts to automatically change unidiomatic code.

ehrlich provides a safer linter that does NOT automatically change your code.

dialyzer, a tool that comes with Erlang, helps detect type errors.

elvis is an Erlang style checker.



File systems

fslint can identify and correct errors in file systems.

Disk Utility can repair HFS/HFS+ partitions.

gParted can check for errors in several file systems.

fixmbr Windows is a DOS tool for repairing boot sectors, available in Recovery mode in Windows installation media.

fixmbr Linux is a Linux tool for repairing boot sectors, part of the ms-sys package.




The standard go command offers go fmt and go vet for styling and checking package integrity.

goimports supplements go fmt by organizing imports.

golint was an early stage Go linter.


errcheck identifies unchecked errors. In particular, the -blank flag (disabled by default) identifies errors assigned to _.

nakedret identifies named returns, which often present unexpected behavior that can obfuscate error messages. Recommended usage: nakedret -l 0 ./...

opennota/check includes linters for reducing in-memory and in-transit struct size; identifying unused struct fields; and identifying unused global variables and constants.

megacheck runs staticcheck, gosimple, and unused.

staticcheck adds additional checks compared to the built-in go vet tool.

gosimple recommends more idiomatic code forms.

unused reports some unused Go code elements.

gometalinter incorporates several linters in one, though one sub-linter gotype appears to be broken for vendor/ed Go 1.5+ code, so ensure that gotype is disabled, such as with gometalinter --disable=gotype.




GHC, the official Haskell compiler, is renown for producing correct programs, though its strict type system.

hlint displays a refactored version of your code, helping users more quickly resolve warnings.


W3C Validator is an online service for linting HTML, XML, and CSS data.

tidy can lint HTML files.

linklint checks hyperlinks.


javac offers a -Xlint option to print additional warnings. The maven-compiler-plugin can be configured to automatically pass -Xlint to the underlying Java compiler every time a project is built.

In Java 8, javac will feature an -Xdoclint option to identify undocumented code.

CheckStyle, with decent CLI support, as well as decent Maven support, through maven-checkstyle-plugin. Checkstyle also supports identifying undocumented code, through its JavaDoc settings.

FindBugs is an old Java linter, but has kept up with Java advances (for example, by offering a standard Gradle plugin).

PMD detects flaws and duplicated code.

Error-prone catches common Java mistakes as compile-time errors.

Android lint checks Android source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.

Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.

JavaScript / Node.js

ESLint is a pluggable and configurable javascript linter that aims to fix the non-extensibility issues of JSHint and JSLint.

JSHint is far and away the best modern linter available. It's simultaneously easy to use, and highly customizable; offering global and directory specific .jshintrc files for rule configuration; and global and directory specific .jshintignore files for ignoring certain files and directories, trimming down jshint's output to exactly what you want to see.

JSLint helps coders match the code style described in JavaScript: The Good Parts.

JSLint Errors explains warnings you may see from JSHint or JSLint.

CLosure Compiler refactors code to improve performance.

Closure Linter checks JavaScript for conformance to the Google Style Guide.

Code Conventions for the JavaScript Programming Language is a document detailing community standards for JavaScript code style.

CoffeeScript is a compiles-to-JavaScript language designed to enforce good JavaScript coding habits at compiler level.

npm-package-json-lint is a configurable linter to enforce standards in npm package.json files.


jpegtran manipulates .jpg files.

JSON is a built-in Python module, offering a -mjson.tool option for linting JSON files.

jq isn't a linter per-se, but jq can prettify JSON for creating more readable code examples.

jsonschemalint verifies JSON data against a given JSON schema.


lacheck comes with LaTeX.

style-check.rb is a LaTeX checker written in Ruby.


luac offers a -p option to skip output file generation, useful for checking syntax without altering any files.

luac offers a built-in -p option for syntax validation..

lualint is an early Lua linter.

lua-checker is another old Lua linter.

luainspect is yet another dead linter.


make offers a -n dry run option, though sometimes commands are still printed. Use make -n 1>/dev/null to suppress this output. Of course, this represents UNIX sh syntax, so redirect stdout to the null device in Windows syntax with 1>NUL when in Windows.

Ironically, make -n would fail as a lint: task if the Makefile does happen to contain syntax errors. If this paradox bothers you, consider linting this Makefile from a separate Makefile, process, build system, etc. Or realize that you will receive an appropriate exist status either way!

make also offers a --warn-undefined-variables flag, often paired with -n, for warning when make variables are referenced but not defined.

checkmake provides experimental analysis for Makefiles.

mint is another linter for Makefiles.


mp3check analyzes .mp3 files for errors.

Objective C

clang offers built-in options -Wall, -Wextra, -Wmost, and -Weverything for showing additional compiler warnings.

OCLint can lint ObjC, C, and C++ code.

Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.




fpc offers a -vw flag to show additional warnings.


perl offers extra warnings through the use warnings; (#!/usr/bin/env perl -w) and use strict; options.

perltidy generates a recommended refactored version of your code.

perlcritic applies rules based on O'Reilly Perl Best Practices.

Perl Best Practices is a textbook of recommended Perl coding conventions.


php comes with a built-in -l option to check for valid syntax.

PHPMD is a configurable frontend for static checks.

PHP Code Sniffer checks .php, .js, and .css code for style.

PSR-Huh? is a document detailing community standards for PHP code style.

PEAR Coding Standards is a collection of documents detailing community standards for PHP code style.

CodeIgniter General Style and Syntax is another document offering PHP code style tips.


pngcheck analyzes .png files for errors.


pgsanity verifies the correctness of PostgreSQL query syntax.


puppet-lint checks Puppet scripts for proper style.


PyLint is fast and customizable.

PyFlakes offers few configuration options.

PyChecker requires executing code in order to analyze it.

flake8 is a meta linter for Python, including PyFlakes, pep8, and McCabe.

flake8-quotes is a plugin for flake8 that enforces single vs double quotes.

bandit security focused Python static analyzer

pep8 checks Python code for PEP8 conformance.

pep257 checks Python code for PEP257 docstring conformance.

Python Style Guide is a collection of documents for community standards for Python code style.


CRAN has a lint package.


Typed Racket offers additional checks for type safety.


rpmlint checks .rpm packages for errors.


contracts.ruby provides a dynamically enforced type safety system.

reek has an extensive list of checks for improving your code.

flay looks for repeated code patterns, recommending ways to reduce boilerplate and increase reliability.

roodi is an old design pattern linter.

cane applies code quality checks, and can be used to fail a build on encountering poor quality code.

excellent is easy to use and configure.

rubocop can help users update Ruby 1.8 style code to Ruby 1.9/2.0.

heckle performs mutation testing.

saikuro examines code complexity. Saikuro is currently incompatible with Ruby 1.9/2.0.

brakeman is a linter for Ruby on Rails projects.

pelusa is a linter for specifically Rubinius Ruby code.

flog identifies the most complex code in your codebase.

churn looks at version control history to look for frequently changing code, often a sign of poor coding.

metric_fu scans with a suite of Ruby linters.

laser is a slightly out of date Ruby linter.

ruby-style-guide is a document describing community standards for Ruby code style.

rails_upgrade helps Rails 2 code upgrade to Rails 3.

ruby-lint relies on the pure Ruby parser, so it may lag behind in supported Ruby version syntaxes.


rustc, the Rust compiler, offers a -Wall option for additional warnings.

clippy is a Rust linter.


sass-lint is a Sass/SCSS linter.

scss-lint is a Sass/SCSS and CSS linter.


The scalac compiler offers optional -Xlint and -deprecation warnings.

Scalastyle offers CLI, SBT, and Maven interfaces to a flexible, extensible Scala linter.

Wartremover is a flexible Scala code linting tool.

Scapegoat is a compiler plugin for static code analysis.

Abide is a library for quick scala code checking and validation by the compiler developers.

Linter is a static analysis compiler plugin which adds various compile-time checks.

sh / shell / bash

Many shells offer a -n option for validating syntax, e.g. bash -n, zsh -n, ksh -n, ...

Note that sh -n on many systems actually expands to bash -n, ksh -n, etc. as /bin/sh is usually symlinked to superset shells. Observers keen to guarantee that their portable sh scripts are pure POSIX and not bash scripts, can either run sh -n on a system with a bare bones /bin/sh, such as Alpine Linux, Busybox, etc., either on bare metal or Docker.

slick is a cross-platform POSIX -n checker. Substitute for sh -n for more reliable linting!

shlint is a meta-linter, which runs -n checks, for any shells available, as well as checkbashisms.

Shellcheck is a bash linter written in Haskell.

checkbashisms.rb is a sh linter that reports bashisms.

Bashate is a pep8-like linter for bash scripts.

shfmt provides consistent styling for shell scripts.

stank offers several utilities for A) identifying POSIXy shell scripts among large directories of source files and B) warnings for oddities such as shebang mismatches.


SmallLint integrates with the OmniBrowser to lint Smalltalk code.


pulledpork helps manage Snort rulesets.


swiftlint encourages better Swift style


travis-lint checks .travis.yml for errors.


TSLint checks your TypeScript code for readability, maintainability, and functionality errors.


xmllint is provided as part of the libxml2 package.


yamllint is a syntax checker and linter for YAML source.

Continuous Integration

A Jenkins server can generate HTML linter reports for each new code commit.

Guard + guard-shell can monitor local code files, automatically outputting linter warnings as the programmer edits his code, simulating a local continuous integration server.

A make task can bundle several linters together (e.g. csslint, HTML tidy, jshint), to lint different kinds of files all at once.

git hooks can be added to a git repo, preventing a programmer from submitting his work until it passes a configured suite of linters.

See Also