Flawfinder Alternatives
Flawfinder is described as 'Examines C/C++ source code and reports possible security weaknesses ("flaws") sorted by risk level. It's very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public' and is an app in the development category. There are more than 10 alternatives to Flawfinder for a variety of platforms, including Windows, Linux, Web-based, Mac and Visual Studio Code apps. The best Flawfinder alternative is SonarQube, which is both free and Open Source. Other great apps like Flawfinder are Shellcheck, Cppcheck, Coverity Scan and Splint.
- Free • Open Source
- 30 SonarQube alternatives
SonarQube is an open source quality management platform, dedicated to continuously analyzing and measuring source code quality, from the portfolio to the method. Static code analysis is available in the "Community Edition" (free / open source) for:
License model
- Freemium • Open Source
Country of Origin
Switzerland
Platforms
- Mac
- Windows
- Linux
- Online
SonarQube Features
License model
- Free • Open Source
Country of Origin
Norway
Platforms
- Online
- Visual Studio Code
- Vim
- Sublime Text
- GNU Emacs
- Atom
Shellcheck Features
- 17 Cppcheck alternatives
Cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools, it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that compilers normally do not detect.
License model
- Free • Open Source
Country of Origin
Sweden
EU
Platforms
- Windows
- Linux
- PortableApps.com
- Eclipse
- 17 Coverity Scan alternatives
Coverity Scan Static Analysis lets you find and fix defects in your Java, C/C++ or C# open source project for free.
License model
- Freemium • Proprietary
Country of Origin
United States
Platforms
- Mac
- Windows
- Linux
- Online
- BSD
Coverity Scan Features
- 8 Splint alternatives
Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done...
License model
- Free • Open Source
Platforms
- Windows
- Linux
Discontinued: Last version 3.1.2 is from August 2007.
Splint Features
- 17 EDoC++ alternatives
EDoC++ is a C++ source analysis tool designed to identify problems associated with the use of exceptions in C++ code. Additionally EDoC++ can be used to generate detailed documentation
License model
- Free • Open Source
Platforms
- Windows
EDoC++ Features
- 4 Astrée alternatives
Astrée statically analyzes whether the programming language is used correctly and whether there can be any runtime errors during any execution in any environment. This covers any use of C or C++ that, according to the selected language standard, has undefined behavior or...
License model
- Paid • Proprietary
Platforms
- Windows
- Linux
Astrée Features
- 16 VisualCodeGrepper alternatives
VCG is an automated code security review tool that handles C/C++, Java, C#, VB and PL/SQL. It has a few features that should hopefully make it useful to anyone conducting code security reviews, particularly where time is at a premium:
License model
- Free • Open Source
Platforms
- Windows
VisualCodeGrepper Features
- 30 Qodana alternatives
Qodana is a smart code quality platform by JetBrains best suited for working in teams. It can analyze code written in 60+ languages including Java, JavaScript, TypeScript, PHP, Kotlin, Python, Go, and C#.
License model
- Paid • Proprietary
Country of Origin
Czechia
EU
Platforms
- Visual Studio Code
- Online
- Self-Hosted
Qodana Features
- 19 Parasoft C/C++test alternatives
Parasoft’s C/C++test is the fully-integrated software testing solution for embedded safety-critical industries. Its automated software testing capabilities are also made for today’s high-velocity Agile DevOps environments.
License model
- Paid • Proprietary
Country of Origin
United States
Platforms
- Windows
- Linux
Parasoft C/C++test Features
- 28 Semgrep alternatives
Semgrep is a fast, open-source, static analysis tool that excels at expressing code standards — without complicated queries — and surfacing bugs early at editor, commit, and CI time. Precise rules look like the code you’re searching; no more traversing abstract syntax trees or...
License model
- Freemium • Open Source
Country of Origin
United States
Platforms
- Mac
- Windows
- Linux
Semgrep Features
- 28 Opengrep alternatives
We’re excited to introduce Opengrep, an open-source static code analysis engine built to ensure code security testing remains truly open and accessible to everyone. 🚀
License model
- Free • Open Source
Platforms
- Mac
- Linux
Opengrep Features