Welcome!
Originally, lint was a tool for scanning C code for potentially risky lines of code.
The C compiler already includes some checks for risky code, such as scanning to make sure that function signatures match. And unit testing adds dynamic checks to verify the behavior of a running program. Beyond these checks, lint adds even more checks that neither the compiler nor the tests perform.
By statically analyzing the code itself before compilation, programmers could maintain a higher level of code discipline, increasing the reliability of the code in multiple compilers and environments.
As time went on, static code analysis was nearly eclipsed in attention by dynamic analysis: unit tests that examine how code behaves for different inputs and corner cases. But the linting practice has been restored, and has spread to more languages--C++ and beyond.
Today, linters are used to supplement unit tests, serving primarily as low priority style checkers. Linters are being written for many programming languages and document formats, detailed below.
Wikipedia:List of tools for static analysis
This document often interprets the term "linter" in a wide sense, to include resources for SAST, SCA, memory management validators, code formatters, and style guides.
Many compilers include an option like -Wall to turn on warnings, -Wextra for even more warnings, and also -Werror to treat warnings as errors, preventing dirty code from compiling.
actionlint identifies quirks in GitHub Actions CI/CD jobs.
anorack is a specialized spell-checker that finds incorrect indefinite articles.
astyle can help enforce a uniform coding style in a large software project.
check-all-the-things is a command-line tool for automatically running many static analysis and similar tools over packages and upstream codebases.
checkov scans cloud resources for CVEs, including Kubernetes and Terraform projects.
cicada scans environments for software components at risk of falling off of LTS security support timelines.
GitHub provides Dependabot and CodeQL (opt-in) to scan GitHub repositories.
GitLab provides Dependency Scanning and SAST to scan GitLab repositories.
Code Climate is a paid web service for automatically generating code quality reports.
eclint can derive the code style used in a project, and save it as a dotfile for use in other projects.
driftwood looks up private keys in common registries.
editorconfig is an editor-agnostic configuration system for code styling.
editorconfig-cli is a Go-based editorconfig linter.
editorconfig-tools is a command line linter against editorconfig rules.
dotenv-linter finds errors and stylistic violations in .env files.
KICS scans Docker and Kubernetes resources.
lint-spaces checks line endings and indentation.
pfff is a collection of tools by Facebook for analyzing code style, with support for multiple programming languages.
proselint is a linter for usage and style errors in English prose.
Snyk provides SCA capabilities to report known vulnerabilities for projects, across a wide variety of programming languages and frameworks.
Note that Snyk Open Source neglects to scan requirements-dev.txt and similar industry conventional configurations for tracking development environment dependencies.
Note that Snyk Open Source neglects to scan JAR files, Ivy, or Ant projects.
Sonarqube is a cross-programming language linting system.
Phabricator Contributing Guide offers coding standards generally, as well as for PHP, and JavaScript code specifically.
google-styleguide is a collection of documents detailing Google's preferred code style, for a variety of programming languages and data formats.
Hemingway is a software application for improving the readability of English text. By using Hemingway, we can make our documentation more understandable for others.
Mozilla Coding Style is a document detailing Mozilla's preferred coding style.
MSDN Library: Coding Techniques and Programming Practices offers general tips for coding.
Microsoft patterns & practices are recommended for .NET projects.
MSDN Library: Design Guidelines for Class Library Developers presents guidelines for .NET library developers.
sunshine validates chmod permissions, such as for SSH files.
trufflehog reports credential exposure.
Vale validates English text against a wide variety of prebuilt style guides, and is easily and highly configurable.
vuls scans assorted computing environments for CVEs.
Web Package Update Checker validates web projects to ensure they use the latest available versions of web packages (like Bootstrap, Font Awesome, JQuery).
write-good validates English prose with the aim of helping developers write better code.
sloccount is an older line counter.
cloc is a newer line counter with support for more programming languages.
wc is a line counter for UNIX systems.
The dotnet build system features built-in SCA to warn on vulnerabilities in project dependencies.
lint is a tool for static analysis of Android projects.
gawk has a --lint flag that enables some portability checks.
torrentcheck verifies file download hashes against .torrent files.
splint has largely replaced the old lint tool, offering the same old checks, as well as additional security checks.
lint is the original C static analysis tool.
gcc offers additional warnings, through its -Wall and -Wextra options.
clang offers even more warnings, through its -Wall, -Wextra, -Wmost, and -Weverything options.
vera++ is a static analysis tool for C/C++ code.
banned.h helps C/C++ programmers identify deprecated, unsafe dependencies.
sparse is designed to find potential sources of program faults, especially in kernel code.
pclint is a classic, non-free C/C++ linter.
Misra C CodeCheck is a demo C linter.
uno is a simple C linter.
Infer is a static program analyzer for Java, C, Objective-C, and Swift, written in OCaml.
cppcheck is an older linter with frequent regressions around suppressing spurious warnings. Not particularly well suited to cross platform development. cppcheck offers a --addon=misra check, although it seems to target only C(99) code.
g++, part of gcc, offers additional checks through its -Wall and -Wextra options. g++ also includes a -Weffc++ option to check against rules in Effective C++.
cpplint is provided as part of the google-styleguide. Note that cpplint is a Python tool, which means you would also want to run Python SCA tools on all environments that install cpplint.
nsiqcppstyle is a South Korean C++ style checker.
flint++ is a cross-platform, zero-dependency port of flint - a linter developed at Facebook.
C++ Coding Standards is a textbook documenting recommended C++ code style.
Bjarne Stroustrup's C++ Style and Technique FAQ is another document detailing Bjarne Stroustrup's C++ code style.
Effective C++ details recommended patterns in C++ code.
Boost Library Requirements and Guidelines is a document detailing community standards for C++ code style.
StyleCop is a C# linter that enforces style guidelines.
Gendarme is a .NET static analysis tool created by the Mono team. Gendarme enforces best practices, and compatibility with the Mono runtime.
FxCop is a .NET static analysis tool created at Microsoft. FxCop enforces best practices.
roslyn-analyzers is a collection of static analyzers developed by Microsoft with the Roslyn APIs.
C# Coding Conventions is a document detailing Microsoft's recommended patterns for C# code.
patterns & practices Guidance Explorer presents a graphical checklist of Microsoft style rules.
foodcritic offers built-in rules for identifying potential problems with Chef cookbooks.
core.typed offers annotations for type safety.
eastwood provides a Leiningen plugin for linting Clojure code.
kibit also provides a Leiningen plugin for linting Clojure code.
coffeelint for Coffee files.
lisp-critic is an old analyzer of arbitrary CL code.
xref is an old static analysis tool for CL code.
Linux .conf configuration files may vary in format, but many popular services offer a way to check the syntax of their particular configuration files.
apache2 -t
exim -bV
cupsd -f -t
dhcpd (-t -cf) | (-T -lf)
brew doctor
lighttpd -t
mysqld --help --verbose --skip-networking
nagios -v
named-checkconf
named-checkzone
nginx -t
ntpd -n | -d
pfctl -n
postfix check
proftpd -t
rsyslogd -c4 -N 1
testparm -v
slapd -Tt
- SQL implementations tend to include an EXPLAIN ... statement which can validate syntax for individual statements.
- prql is a command line SQL syntax validator for SQL scripts.
squid -k (check | parse)
sshd -t | -T
syslogd -d
tcpdchk -a | -d | -i | -v
eval `dbus-launch --auto-syntax` &&
find . -type f -name '*.conf' -print |
xargs -n 1 init-checkconf
varnishd -C
vsftpd -olisten=NO
ansible-later checks Ansible playbooks.
ansible-lint is a classic Ansible linter.
Lockdown provides recommendations for securing Ansible playbooks.
steampunk-spotter offers additional checks for Ansible playbooks.
arch-audit generates CVE reports for Arch Linux.
pkg-audit generates CVE reports for FreeBSD, DragonflyBSD, and HardenedBSD.
pkg_admin provides an audit subcommand for generating CVE reports on NetBSD.
Coq is a proof assistant, requiring all programs to be logically valid.
csslint for CSS files.
minify can help compress CSS, JS, and HTML files.
csstidy can help compress CSS files.
csv-validator verifies CSV data against a given CSV schema.
gdc offers a built-in -Wall flag for additional warnings.
pub publish offers a --dry-run option.
Lintian checks for bugs and policy violations in .deb packages.
Dlint analyzes DNS records.
Docker features a docker scout cves -e <image> command to scan images for vulnerabilities. As a bonus, docker scout cves fs://<path> recursively scans the given file path for artifact files with known vulnerabilities.
Docker First Aid Kit provides performance and general advice for Docker newbies.
epubcheck analyzes .epub files for errors.
erl_tidy, a library that comes with Erlang, attempts to automatically change unidiomatic code.
ehrlich provides a safer linter that does NOT automatically change your code.
dialyzer, a tool that comes with Erlang, helps detect type errors.
elvis is an Erlang style checker.
eqWALizer is an Erlang type checker.
fslint can identify and correct errors in file systems.
Disk Utility can repair HFS/HFS+ partitions.
gParted can check for errors in several file systems.
fixmbr Windows is a DOS tool for repairing boot sectors, available in Recovery mode in Windows installation media.
fixmbr Linux is a Linux tool for repairing boot sectors, part of the ms-sys package.
buttery is a GIF loop editor, with an option to validate basic GIF format file integrity.
The standard go command offers go fmt and go vet for styling and checking package integrity.
The standard govulncheck utility scans for vulnerabilities among dependencies and among programming language versions. Note that the tool hides vulnerable packages by default, focusing narrowly only on vulnerabilities triggerable by application code, unless the option -scan package is provided.
deadcode identifies code snippets that appear to be unused, generally recommended for removal.
Note that deadcode has an implicit assumption that at least one main application package is present, or at least one unit test is present and the -test flag is supplied to deadcode. This may not always interact well with Go projects that act as simple convenience wrappers around CLI tools.
errcheck identifies unchecked errors. In particular, the -blank flag (disabled by default) identifies errors assigned to _.
goimports supplements go fmt by organizing imports.
golint was an early stage Go linter, since deprecated in favor of revive + staticcheck.
gosimple recommends more idiomatic code forms.
megacheck runs staticcheck, gosimple, and unused.
nakedret identifies named returns, which often present unexpected behavior that can obfuscate error messages. Recommended usage: nakedret -l 0 ./...
opennota/check includes linters for reducing in-memory and in-transit struct size; identifying unused struct fields; and identifying unused global variables and constants.
revive checks for unused variables and undocumented public API members.
staticcheck adds additional checks compared to the built-in go vet tool.
unconvert detects redundant conversions.
unused reports some unused Go code elements.
GHC, the official Haskell compiler, is renowned for producing correct programs, through its strict type system.
hlint displays a refactored version of your code, helping users more quickly resolve warnings.
W3C Validator is an online service for linting HTML, XML, and CSS data.
tidy can lint HTML files.
linklint checks hyperlinks.
Android lint checks Android source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.
CheckStyle, with decent CLI support, as well as decent Maven support, through maven-checkstyle-plugin. Checkstyle also supports identifying undocumented code, through its JavaDoc settings.
Error-prone catches common Java mistakes as compile-time errors.
FindBugs is an old Java linter, but has kept up with Java advances (for example, by offering a standard Gradle plugin).
google-java-format formats Java code according to the Google Style Guide.
Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.
javac offers a -Xlint option to print additional warnings. The maven-compiler-plugin can be configured to automatically pass -Xlint to the underlying Java compiler every time a project is built.
In Java 8, javac will feature an -Xdoclint option to identify undocumented code.
PMD detects flaws and duplicated code.
npm includes automatic SCA security scans.
yarn provides a yarn npm audit --all --recursive SCA command.
Closure Compiler refactors code to improve performance.
Closure Linter checks JavaScript for conformance to the Google Style Guide.
Code Conventions for the JavaScript Programming Language is a document detailing community standards for JavaScript code style.
CoffeeScript is a compiles-to-JavaScript language designed to enforce good JavaScript coding habits at compiler level.
ESLint is a pluggable and configurable JavaScript linter that aims to fix the non-extensibility issues of JSHint and JSLint.
JSHint is far and away the best modern linter available. It's simultaneously easy to use, and highly customizable; offering global and directory specific .jshintrc files for rule configuration; and global and directory specific .jshintignore files for ignoring certain files and directories, trimming down jshint's output to exactly what you want to see.
JSLint helps coders match the code style described in JavaScript: The Good Parts.
JSLint Errors explains warnings you may see from JSHint or JSLint.
npm-package-json-lint is a configurable linter to enforce standards in npm package.json files.
periscope warns on unscoped NPM packages.
rslint is a fast JavaScript linter.
standardjs is a JavaScript linter and formatter.
jpegtran manipulates .jpg files.
json.py is a built-in Python module, offering a -mjson.tool option for linting JSON files.
jq isn't a linter per se, but jq can prettify JSON for creating more readable code examples.
jsonschemalint verifies JSON data against a given JSON schema.
lacheck comes with LaTeX.
style-check.rb is a LaTeX checker written in Ruby.
luac offers a -p option to skip output file generation, useful for checking syntax without altering any files.
luac offers a built-in -p option for syntax validation.
luacheck is a Lua linter.
lualint is an early Lua linter.
lua-checker is another old Lua linter.
luainspect is yet another dead linter.
make offers a -n dry run option, though sometimes commands are still printed. Use make -n 1>/dev/null to suppress this output. Of course, this represents UNIX sh syntax, so redirect stdout to the null device in Windows syntax with 1>NUL when in Windows.
GNU make offers an additional --warn-undefined-variables flag to check for... undefined variables.
unmake is a POSIX makefile linter focusing on portability.
markdownlint enforces standards for Markdown and CommonMark files via Node.js or Ruby.
remark checks Markdown files for various errors.
mp3check analyzes .mp3 files for errors.
clang offers built-in options -Wall, -Wextra, -Wmost, and -Weverything for showing additional compiler warnings.
OCLint can lint ObjC, C, and C++ code.
Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.
fpc offers a -vw flag to show additional warnings.
cpan-audit scans Perl projects for CVEs.
perl offers extra warnings through the use warnings; (#!/usr/bin/env perl -w) and use strict; options.
perltidy generates a recommended refactored version of your code.
perlcritic applies rules based on O'Reilly Perl Best Practices.
Perl Best Practices is a textbook of recommended Perl coding conventions.
php comes with a built-in -l option to check for valid syntax.
PHPMD is a configurable frontend for static checks.
PHP Code Sniffer checks .php, .js, and .css code for style.
PSR-Huh? is a document detailing community standards for PHP code style.
PEAR Coding Standards is a collection of documents detailing community standards for PHP code style.
CodeIgniter General Style and Syntax is another document offering PHP code style tips.
pkglint checks pkgsrc projects, including BSD makefiles, embedded shell commands, and pkgsrc conventions.
pngcheck analyzes .png files for errors.
pgsanity verifies the correctness of PostgreSQL query syntax.
puppet-lint checks Puppet scripts for proper style.
vulnerability checks for Puppet CVEs.
bandit is a security-focused Python static analyzer. Your mileage may vary, regarding the usefulness of its warnings. (For example, if your application intends to open an SSH connection, then it is not particularly helpful for bandit to complain about open SSH connections.)
dlint is another security-focused analyzer.
flake8 is a meta linter for Python, including PyFlakes, pep8, and McCabe.
flake8-quotes is a plugin for flake8 that enforces single vs double quotes.
pep8 checks Python code for PEP8 conformance.
pep257 checks Python code for PEP257 docstring conformance.
PyChecker requires executing code in order to analyze it.
PyLint is fast and customizable.
PyFlakes offers few configuration options.
Python Style Guide is a collection of documents for community standards for Python code style.
refurb recommends Python idioms.
wemake-python-styleguide is the strictest and most opinionated Python linter ever.
CRAN has a lint package.
Typed Racket offers additional checks for type safety.
rpmlint checks .rpm packages for errors.
bundler-audit scans dependencies for known vulnerabilities.
contracts.ruby provides a dynamically enforced type safety system.
reek has an extensive list of checks for improving your code.
flay looks for repeated code patterns, recommending ways to reduce boilerplate and increase reliability.
roodi is an old design pattern linter.
cane applies code quality checks, and can be used to fail a build on encountering poor quality code.
excellent is easy to use and configure.
rubocop can help users update Ruby 1.8 style code to Ruby 1.9/2.0.
heckle performs mutation testing.
saikuro examines code complexity. Saikuro is currently incompatible with Ruby 1.9/2.0.
brakeman is a linter for Ruby on Rails projects.
fasterer provides performance tips.
flog identifies the most complex code in your codebase.
churn looks at version control history to look for frequently changing code, often a sign of poor coding.
laser provides basic detection for logic errors.
metric_fu scans with a suite of Ruby linters.
laser is a slightly out of date Ruby linter.
ruby-style-guide is a document describing community standards for Ruby code style.
rails_upgrade helps Rails 2 code upgrade to Rails 3.
ruby-lint relies on the pure Ruby parser, so it may lag behind in supported Ruby version syntaxes.
rubycritic provides HTML and CLI linting.
sorbet is a Ruby type checker.
standard provides a Ruby formatter.
The Rust package manager provides a cargo check command as a faster, surface level check than full app compilation.
crev assists with dependency reviews.
rustc, the Rust compiler, offers a -Wall option for additional warnings.
clippy is a Rust linter.
cargo-audit scans Rust dependencies for vulnerabilities.
rustfmt for styling.
sass-lint is a Sass/SCSS linter.
scss-lint is a Sass/SCSS and CSS linter.
The scalac compiler offers optional -Xlint and -deprecation warnings.
Scalastyle offers CLI, SBT, and Maven interfaces to a flexible, extensible Scala linter.
Wartremover is a flexible Scala code linting tool.
Scapegoat is a compiler plugin for static code analysis.
Abide is a library for quick Scala code checking and validation by the compiler developers.
Linter is a static analysis compiler plugin which adds various compile-time checks.
Many shells offer a -n option for validating syntax, e.g. bash -n, zsh -n, ksh -n, ...
Note that sh -n on many systems actually expands to bash -n, ksh -n, etc. as /bin/sh is usually symlinked to superset shells. Observers keen to guarantee that their portable sh scripts are pure POSIX and not bash scripts can run sh -n on a system with a bare-bones /bin/sh, such as Alpine Linux, Busybox, etc., either on bare metal or in Docker.
beltaloada is a convention for writing build systems in pure (POSIX) sh, that enables deeper linting of shell code compared to make and other non-shell build systems.
slick is a cross-platform POSIX -n checker. Substitute for sh -n for more reliable linting!
shlint is a meta-linter, which runs -n checks, for any shells available, as well as checkbashisms.
Shellcheck is a bash linter written in Haskell.
checkbashisms.rb is an unmaintained sh linter that reports bashisms. Because it is unmaintained, it features an inverted ROC curve.
bashate is a pep8-like linter for bash scripts. Note that bashate is a Python tool, which means you would also want to run Python SCA tools on all environments that install bashate.
shfmt provides consistent styling for shell scripts.
stank offers several utilities for A) identifying POSIXy shell scripts among large directories of source files and B) warnings for oddities such as shebang mismatches.
SmallLint integrates with the OmniBrowser to lint Smalltalk code.
pulledpork helps manage Snort rulesets.
swiftlint encourages better Swift style.
terraform validate provides built-in support for basic syntactical correctness.
terrascan scans Terraform CVEs.
tflint checks Terraform plans.
tfsec scans Terraform CVEs.
travis-lint checks .travis.yml for errors.
TSLint checks your TypeScript code for readability, maintainability, and functionality errors.
xmllint is provided as part of the libxml2 package.
yamllint is a syntax checker and linter for YAML source. Note that yamllint is a Python tool, which means you would also want to run Python SCA tools on all environments that install yamllint.
A Jenkins server can generate HTML linter reports for each new code commit.
Guard + guard-shell can monitor local code files, automatically outputting linter warnings as the programmer edits his code, simulating a local continuous integration server.
A make task can bundle several linters together (e.g. csslint, HTML tidy, jshint), to lint different kinds of files all at once.
git hooks can be added to a git repo, preventing a programmer from submitting his work until it passes a configured suite of linters.