Skip to content

mcandre/linters

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 

Repository files navigation

Linter Community Wiki

Welcome!

What is a linter?

Originally, lint was a tool for scanning C code for potentially risky lines of code.

The C compiler already includes some checks for risky code, such as scanning to making sure that function signatures match. And unit testing adds dynamic checks to verify the behavior of a running program. Beyond these checks, lint adds even more checks, that neither the compiler nor the tests scan.

By statically analyzing the code itself before compilation, programmers could maintain a higher level of code discipline, increasing the reliability of the code in multiple compilers and environments.

As time went on, static code analysis was nearly eclipsed in attention, by dynamic analysis: unit tests, that examine how code behaves for different inputs and corner cases. But the linting practice has restored, and spread to more languages--C++ and beyond.

Today, linters are used to supplement unit tests, serving primarily as low priority style checkers. Linters are being written for many programming languages and document formats, detailed below.

Wikipedia:List of tools for static analysis

This document often interprets the term "linter" in a wide sense, to include resources for SAST, SCA, memory management validators, code formatters, and style guides.

Linters

Many compilers include an option like -Wall to turn on warnings, -Wextra for even more warnings, and also -Werror to treat warnings as errors, preventing dirty code from compiling.

*

actionlint identifies quirks in GitHub Actions CI/CD jobs.

anorack is a specialized spell-checker that finds incorrect indefinite articles.

astyle can help enforce a uniform coding style in a large software project.

check-all-the-things is a command-line tool for automatically running many static analysis and similar tools over packages and upstream codebases.

checkov scans cloud resources for CVE's, including Kubertes and Terraform projects.

cicada scans environments for software components at risk of falling off of LTS security support timelines.

GitHub provides Dependabot and CodeQL (opt-in) to scan GitHub repositories.

GitLab provides Dependency Scanning and SAST to scan GitLab repositories.

Code Climate is a paid web service for automatically generating code quality reports.

eclint can derive the code style used in a project, and save it as a dotfile for use in other projects.

driftwood looks up private keys in common registries.

editorconfig is an editor-agnostic configuration system for code styling.

editorconfig-cli is a Go-based editorconfig linter.

editorconfig-tools is a command line linter against editorconfig rules.

dotenv-linter finds errors and stylistic violations in .env files.

KICS scans Docker and Kubernetes resources.

lint-spaces checks line endings and indentation.

pfff is a collection of tools by Facebook for analyzing code style, with support for multiple programming languages.

proselint is a linter for usage and style errors in English prose.

Snyk provides SCA capabilities to report known vulnerabilities for projects, across a wide variety of programming languages and frameworks.

Note that Snyk Open Source neglects to scan requirements-dev.txt and similar industry conventional configurations for tracking development environment dependencies.

Note that Snyk Open Source neglects to scan JAR files, Ivy, or Ant projects.

Sonarqube is a cross-programming language linting system.

Phabricator Contributing Guide offers coding standards generally, as well as for PHP, and JavaScript code specifically.

google-styleguide is a collection of documents detailing Google's preferred code style, for a variety of programming languages and data formats.

Hemingway is a software application for improving the readability of English text. By using Hemingway, we can make our documentation more understandable for others.

Mozilla Coding Style is a document detailing Mozilla's preferred coding style.

MSDN Library: Coding Techniques and Programming Practices offers general tips for coding.

Microsoft patterns & practices are recommended for .NET projects.

MSDN Library: Design Guidelines for Class Library Developers presents guidelines for .NET library developers.

sunshine validates chmod permissions, such as for SSH files.

trufflehog reports credential exposure.

Vale validates English text against a wide variety of prebuilt style guides, and is easily and highly configurable.

vuls scans assorted computing environments for CVE's.

Web Package Update Checker validates web projects to ensure they use the latest available versions of web packages (like Bootstrap, Font Awesome, JQuery).

write-good validates english prose with the aim of helping developers write better code.

SLOC

sloccount is an older line counter.

cloc is a newer line counter with support for more programming languages.

wc is a line counter for UNIX systems.

.NET

The dotnet build system features built-in SCA to warn on vulnerabilities in project dependencies.

Android

lint is a tool for static analysis of Android projects.

Awk

gawk has a --lint flag that enables some portability checks.

BitTorrent

torrentcheck verifies file download hashes against .torrent files.

C

splint has largely replaced the old lint tool, offering the same old checks, as well as additional security checks.

lint the original C static analysis tool.

gcc offers additional warnings, through its -Wall and -Wextra options.

clang offers even more warnings, through its -Wall, -Wextra, -Wmost, and -Weverything options.

vera++ is a static analysis tool for C/C++ code.

banned.h helps C/C++ programmers identify deprecated, unsafe dependencies.

sparse is designed to find potential sources of program faults, especially in kernel code.

pclint is a classic, non-free C/C++ linter.

Misra C CodeCheck is a demo C linter.

uno is a simple C linter.

Infer is a static program analyzer for Java, C, Objective-C, and Swift, written in OCaml.

C++

cppcheck is an older linter with frequent regressions around suppressing spurious warnings. Not particularly well suited to cross platform development. cppcheck offers a --addon=misra check, although it seems to target only C(99) code.

g++, part of gcc, offers additional checks through its -Wall and -Wextra options. g++ also includes a -Weffc++ option to check against rules in Effective C++.

cpplint is provided as part of the google-styleguide. Note that cpplint is a Python tool, which means you would also want to run Python SCA tools on all environments that install cpplint.

nsiqcppstyle is a South Korean C++ style checker.

flint++ is a cross-platform, zero-dependency port of flint - a linter developed at Facebook.

C++ Coding Standards is a textbook documenting recommended C++ code style.

Bjarne Stroustrup's C++ Style and Technique FAQ is another document detailing Bjarne Stroustrup's C++ code style.

Effective C++ details recommended patterns in C++ code.

Boost Library Requirements and Guidelines is a document detailing community standards for C++ code style.

C#

StyleCop is a C# linter that enforces style guidelines.

Gendarme is a .NET Static analysis tool created by the mono team. Gendarme enforces best practices, and compatibility with the mono runtime.

FxCop is a .NET Static analysis tool created at microsoft. FxCop enforces best practices.

roslyn-analyzers is a collection of static analyzers developed by Microsoft with the Roslyn APIs.

C# Coding Conventions is a document detailing Microsoft's recommended patterns for C# code.

patterns & practices Guidance Explorer presents a graphical checklist of Microsoft style rules.

Chef

foodcritic offers built-in rules for identifying potential problems with Chef cookbooks.

Clojure

core.typed offers annotations for type safety.

eastwood provides a Leiningen plugin for linting Clojure code.

kibit also provides a Leiningen plugin for linting Clojure code.

CoffeeScript

coffeelint for Coffee files.

Common Lisp

lisp-critic is an old analyzer of arbitrary CL code.

xref is an old static analysis tool for CL code.

Conf

Linux .conf configuration files may vary in format, but many popular services offer a way to check the syntax of their particular configuration files.

Apache

apache2 -t

Exim

exim -bV

CUPS

cupsd -f -t

dhcpd

dhcpd (-t -cf) | (-T -lf)

Homebrew

brew doctor

Lighttp

lighttpd -t

MySQL

mysqld --help --verbose --skip-networking

Nagios

nagios -v

named

named-checkconf

named-checkzone

Nginx

nginx -t

ntp

ntpd -n | -d

pf

pfctl -n

Postfix

postfix check

proftpd

proftpd -t

rsyslogd

rsyslogd -c4 -N 1

Samba

testparm -v

slapd

slapd -Tt

SQL (PostgreSQL, MySQL, MSSQL, ...)

  • SQL implementations tend to include an EXPLAIN... statement which can validate syntax for individual statements.
  • prql is a command line SQL syntax validator for SQL scripts.

Squid

squid -k (check | parse)

sshd

sshd -t | -T

syslogd

syslogd -d

tcpd

tcpdchk -a | -d | -i | -v

Upstart

eval `dbus-launch --auto-syntax` &&
  find . -type f -name '*.conf' -print |
  xargs -n 1 init-checkconf

varnishd

varnishd -C

vsftpd

vsftpd -olisten=NO

Ansible

ansible-later checks Ansible playbooks.

ansible-lint is a classic Ansible linter.

Lockdown provides recommendations for securing Ansible playbooks.

steampunk-spotter offers additional checks for Ansible playbooks.

Arch

arch-audit generates CVE reports for Arch Linux.

BSD

pkg-audit generates CVE reports for FreeBSD, DragonflyBSD, and HardenedBSD.

pkg_admin provides an audit subcommand for generating CVE reports on NetBSD.

Coq

Coq is a proof assistant, requiring all programs to be logically valid.

CSS

csslint for CSS files.

minify can help compress, CSS, JS, and HTML files.

csstidy can help compress CSS files.

CSV

csv-validator verifies CSV data against a given CSV schema.

D

gdc offers a built-in -Wall flag for additional warnings.

Dart

pub publish offers a --dry-run option.

Debian packages

Lintian checks for bugs and policy violations in .deb packages.

DNS

Dlint analyzes DNS records.

Docker

Docker features a docker scout cves -e <image> command to scans images for vulnerabilities. As a bonus, docker scout cves fs://<path> recursively scans the given file path for artifact files with known vulnerabilities.

Docker First Aid Kit provides performance and general advice for Docker newbies.

dockerlint

Elisp

elisp-lint

elint

ePUB

epubcheck analyzes .epub files for errors.

Erlang

erl_tidy, a library that comes with Erlang, attempts to automatically change unidiomatic code.

ehrlich provides a safer linter that does NOT automatically change your code.

dialyzer, a tool that comes with Erlang, helps detect type errors.

elvis is an Erlang style checker.

eqWALizer is an Erlang type checker.

F#

fantomas

File systems

fslint can identify and correct errors in file systems.

Disk Utility can repair HFS/HFS+ partitions.

gParted can check for errors in several file systems.

fixmbr Windows is a DOS tool for repairing boot sectors, available in Recovery mode in Windows installation media.

fixmbr Linux is a Linux tool for repairing boot sectors, part of the ms-sys package.

Fortran

fortranlint

GIF

buttery is a GIF loop editor, with an option to validate basic GIF format file integrity.

Go

The standard go command offers go fmt and go vet for styling and checking package integrity.

The standard govulncheck utility scans for vulnerabilities among dependencies and among programming language versions. Note that the tool hides vulnerable packages by default, focusing narrowly only on vulnerabilities triggerable by application code, unless the option -scan package is provided.

deadcode identifies code snippets that appear to be unused, generally recommended for removal.

Note that deadcode has an implicit assumption that at least one main application package is present, or at least one unit test is present and the -test flag is supplied to deadcode. This may not always interact well with Go projects that act as simple convenience wrappers around CLI tools.

errcheck identifies unchecked errors. In particular, the -blank flag (disabled by default) identifies errors assigned to _.

goimports supplements go fmt by organizing imports.

golint was an early stage Go linter, since deprecated in favor of revive + staticcheck.

golang/lint

gosimple recommends more idiomatic code forms.

megacheck runs staticcheck, gosimple, and unused.

nakedret identifies named returns, which often present unexpected behavior that can obfuscate error messages. Recommended usage: nakedret -l 0 ./...

opennota/check includes linters for reducing in-memory and in-transit struct size; identifying unused struct fields; and identifying unused global variables and constants.

revive checks for unused variables and undocumented public API members.

staticcheck adds additional checks compared to the built-in go vet tool.

unconvert detects redundant conversions.

unused reports some unused Go code elements.

Groovy

CodeNarc

Haskell

GHC, the official Haskell compiler, is renown for producing correct programs, though its strict type system.

hlint displays a refactored version of your code, helping users more quickly resolve warnings.

HTML

W3C Validator is an online service for linting HTML, XML, and CSS data.

tidy can lint HTML files.

linklint checks hyperlinks.

Java

Android lint checks Android source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.

CheckStyle, with decent CLI support, as well as decent Maven support, through maven-checkstyle-plugin. Checkstyle also supports identifying undocumented code, through its JavaDoc settings.

Error-prone catches common Java mistakes as compile-time errors.

FindBugs is an old Java linter, but has kept up with Java advances (for example, by offering a standard Gradle plugin).

google-java-format formats Java code according to the Google Style Guide.

Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.

javac offers a -Xlint option to print additional warnings. The maven-compiler-plugin can be configured to automatically pass -Xlint to the underlying Java compiler every time a project is built.

In Java 8, javac will feature an -Xdoclint option to identify undocumented code.

PMD detects flaws and duplicated code.

JavaScript / ECMAScript / Node.js / altJS

npm includes automatic SCA security scans.

yarn provides a yarn npm audit --all --recursive SCA command.

CLosure Compiler refactors code to improve performance.

Closure Linter checks JavaScript for conformance to the Google Style Guide.

Code Conventions for the JavaScript Programming Language is a document detailing community standards for JavaScript code style.

CoffeeScript is a compiles-to-JavaScript language designed to enforce good JavaScript coding habits at compiler level.

ESLint is a pluggable and configurable javascript linter that aims to fix the non-extensibility issues of JSHint and JSLint.

JSHint is far and away the best modern linter available. It's simultaneously easy to use, and highly customizable; offering global and directory specific .jshintrc files for rule configuration; and global and directory specific .jshintignore files for ignoring certain files and directories, trimming down jshint's output to exactly what you want to see.

JSLint helps coders match the code style described in JavaScript: The Good Parts.

JSLint Errors explains warnings you may see from JSHint or JSLint.

npm-package-json-lint is a configurable linter to enforce standards in npm package.json files.

periscope warns on unscoped NPM packages.

rslint is a fast JavaScript linter.

standardjs is a JavaScript linter and formatter.

JPEG

jpegtran manipulates .jpg files.

JSON

json.py is a built-in Python module, offering a -mjson.tool option for linting JSON files.

jq isn't a linter per-se, but jq can prettify JSON for creating more readable code examples.

jsonschemalint verifies JSON data against a given JSON schema.

LaTeX

lacheck comes with LaTeX.

style-check.rb is a LaTeX checker written in Ruby.

Lua

luac offers a -p option to skip output file generation, useful for checking syntax without altering any files.

luac offers a built-in -p option for syntax validation..

luacheck is a Lua linter.

lualint is an early Lua linter.

lua-checker is another old Lua linter.

luainspect is yet another dead linter.

Make

make offers a -n dry run option, though sometimes commands are still printed. Use make -n 1>/dev/null to suppress this output. Of course, this represents UNIX sh syntax, so redirect stdout to the null device in Windows syntax with 1>NUL when in Windows.

GNU make offers an additional --warn-undefined-variables flag to check for... undefined variables.

unmake is a POSIX makefile linter focusing on portability.

Markdown

markdownlint enforces standards for Markdown and CommonMark files via Node.js or Ruby

remark checks Markdown files for various errors.

MP3

mp3check analyzes .mp3 files for errors.

Objective C

clang offers built-in options -Wall, -Wextra, -Wmost, and -Weverything for showing additional compiler warnings.

OCLint can lint ObjC, C, and C++ code.

Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.

OCaml

mascot

Pascal

fpc offers a -vw flag to show additional warnings.

Perl

cpan-audit scans Perl projects for CVE's.

perl offers extra warnings through the use warnings; (#!/usr/bin/env perl -w) and use strict; options.

perltidy generates a recommended refactored version of your code.

perlcritic applies rules based on O'Reilly Perl Best Practices.

Perl Best Practices is a textbook of recommended Perl coding conventions.

PHP

php comes with a built-in -l option to check for valid syntax.

PHPMD is a configurable frontend for static checks.

PHP Code Sniffer checks .php, .js, and .css code for style.

PSR-Huh? is a document detailing community standards for PHP code style.

PEAR Coding Standards is a collection of documents detailing community standards for PHP code style.

CodeIgniter General Style and Syntax is another document offering PHP code style tips.

pkgsrc

pkglint checks pkgsrc projects, including BSD makefiles, embedded shell commands, and pkgsrc conventions.

PNG

pngcheck analyzes .png files for errors.

PostgreSQL

pgsanity verifies the correctness of PostgreSQL query syntax.

Puppet

puppet-lint checks Puppet scripts for proper style.

vulnerability checks for Puppet CVE's.

Python

bandit security focused Python static analyzer. Your mileage may vary, regarding the usefulness of its warnings. (For example, if your application intends to open an SSH connection, then it is not particularly helpful for bandit to complain about open SSH connections.)

dlint) is another security focused analyzer.

flake8 is a meta linter for Python, including PyFlakes, pep8, and McCabe.

flake8-quotes is a plugin for flake8 that enforces single vs double quotes.

pep8 checks Python code for PEP8 conformance.

pep257 checks Python code for PEP257 docstring conformance.

PyChecker requires executing code in order to analyze it.

PyLint is fast and customizable.

PyFlakes offers few configuration options.

Python Style Guide is a collection of documents for community standards for Python code style.

refurb recommends Python idioms.

wemake-python-styleguide is the strictest and most opinionated python linter ever.

R

CRAN has a lint package.

Racket

Typed Racket offers additional checks for type safety.

RPM

rpmlint checks .rpm packages for errors.

Ruby

bundler-audit scans dependencies for known vulnerabilities.

contracts.ruby provides a dynamically enforced type safety system.

reek has an extensive list of checks for improving your code.

flay looks for repeated code patterns, recommending ways to reduce boilerplate and increase reliability.

roodi is an old design pattern linter.

cane applies code quality checks, and can be used to fail a build on encountering poor quality code.

excellent is easy to use and configure.

rubocop can help users update Ruby 1.8 style code to Ruby 1.9/2.0.

heckle performs mutation testing.

saikuro examines code complexity. Saikuro is currently incompatible with Ruby 1.9/2.0.

brakeman is a linter for Ruby on Rails projects.

fasterer provides performance tips.

flog identifies the most complex code in your codebase.

churn looks at version control history to look for frequently changing code, often a sign of poor coding.

laser provides basic detection for logic errors.

metric_fu scans with a suite of Ruby linters.

laser is a slightly out of date Ruby linter.

ruby-style-guide is a document describing community standards for Ruby code style.

rails_upgrade helps Rails 2 code upgrade to Rails 3.

ruby-lint relies on the pure Ruby parser, so it may lag behind in supported Ruby version syntaxes.

rubycritic provides HTML and CLI linting.

sorbet is a Ruby type checker.

standard provides a Ruby formatter.

Rust

The Rust package manager provides a cargo check command as a faster, surface level check than full app compilation.

crev assists with dependency reviews.

rustc, the Rust compiler, offers a -Wall option for additional warnings.

clippy is a Rust linter.

cargo-audit scans Rust dependencies for vulnerabilities.

rustfmt for styling.

Sass

sass-lint is a Sass/SCSS linter.

scss-lint is a Sass/SCSS and CSS linter.

Scala

The scalac compiler offers optional -Xlint and -deprecation warnings.

Scalastyle offers CLI, SBT, and Maven interfaces to a flexible, extensible Scala linter.

Wartremover is a flexible Scala code linting tool.

Scapegoat is a compiler plugin for static code analysis.

Abide is a library for quick scala code checking and validation by the compiler developers.

Linter is a static analysis compiler plugin which adds various compile-time checks.

sh / shell / bash

Many shells offer a -n option for validating syntax, e.g. bash -n, zsh -n, ksh -n, ...

Note that sh -n on many systems actually expands to bash -n, ksh -n, etc. as /bin/sh is usually symlinked to superset shells. Observers keen to guarantee that their portable sh scripts are pure POSIX and not bash scripts, can either run sh -n on a system with a bare bones /bin/sh, such as Alpine Linux, Busybox, etc., either on bare metal or Docker.

beltaloada is a convention for writing build systems in pure (POSIX) sh, that enables deeper linting of shell code compared to make and other non-shell build systems.

slick is a cross-platform POSIX -n checker. Substitute for sh -n for more reliable linting!

shlint is a meta-linter, which runs -n checks, for any shells available, as well as checkbashisms.

Shellcheck is a bash linter written in Haskell.

checkbashisms.rb is an unmaintained sh linter that reports bashisms. Because it is unmaintained, it features an inverted ROC curve.

bashate is a pep8-like linter for bash scripts. Note that bashate is a Python tool, which means you would also want to run Python SCA tools on all environments that install bashate.

shfmt provides consistent styling for shell scripts.

stank offers several utilities for A) identifying POSIXy shell scripts among large directories of source files and B) warnings for oddities such as shebang mismatches.

Smalltalk

SmallLint integrates with the OmniBrowser to lint Smalltalk code.

Snort

pulledpork helps manage Snort rulesets.

Swift

swiftlint encourages better Swift style

Terraform

terraform validate provides built-in suport for basic syntactical correctness.

terrascan scans Terraform CVE's.

tflint checks Terraform plans.

tfsec scans Terraform CVE's.

Travis

travis-lint checks .travis.yml for errors.

Typescript

TSLint checks your TypeScript code for readability, maintainability, and functionality errors.

XML

xmllint is provided as part of the libxml2 package.

YAML

yamllint is a syntax checker and linter for YAML source. Note that yamllint is a Python tool, which means you would also want to run Python SCA tools on all environments that install yamllint.

Continuous Integration

A Jenkins server can generate HTML linter reports for each new code commit.

Guard + guard-shell can monitor local code files, automatically outputting linter warnings as the programmer edits his code, simulating a local continuous integration server.

A make task can bundle several linters together (e.g. csslint, HTML tidy, jshint), to lint different kinds of files all at once.

git hooks can be added to a git repo, preventing a programmer from submitting his work until it passes a configured suite of linters.

See Also

About

a community wiki for improving code quality

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published