linters: a community wiki for improving code quality
What is a linter?
Originally, lint
was a tool for scanning C code for potentially risky lines of code.
The C compiler already includes some checks for risky code, such as scanning to making sure that function signatures match. And unit testing adds dynamic checks to verify the behavior of a running program. Beyond these checks, lint
adds even more checks, that neither the compiler nor the tests scan.
By statically analyzing the code itself before compilation, programmers could maintain a higher level of code discipline, increasing the reliability of the code in multiple compilers and environments.
As time went on, static code analysis was nearly eclipsed in attention, by dynamic analysis: unit tests, that examine how code behaves for different inputs and corner cases. But the linting practice has restored, and spread to more languages--C++ and beyond.
Today, linters are used to supplement unit tests, serving primarily as low priority style checkers. Linters are being written for many programming languages and document formats, detailed below.
Wikipedia:List of tools for static analysis
This document often interprets the term "linter" in a wide sense, to include resources for SAST, SCA, memory management validators, code formatters, and style guides.
Linters
Many compilers include an option like -Wall
to turn on warnings, -Wextra
for even more warnings, and also -Werror
to treat warnings as errors, preventing dirty code from compiling.
*
anorack is a specialized spell-checker that finds incorrect indefinite articles.
astyle can help enforce a uniform coding style in a large software project.
check-all-the-things is a command-line tool for automatically running many static analysis and similar tools over packages and upstream codebases.
checkov scans cloud resources for CVE's, including Kubertes and Terraform projects.
cicada scans environments for software components at risk of falling off of LTS security support timelines.
Code Climate is a paid web service for automatically generating code quality reports.
eclint can derive the code style used in a project, and save it as a dotfile for use in other projects.
driftwood looks up private keys in common registries.
editorconfig is an editor-agnostic configuration system for code styling.
editorconfig-cli is a Go-based editorconfig linter.
editorconfig-tools is a command line linter against editorconfig rules.
dotenv-linter finds errors and stylistic violations in .env
files.
KICS scans Docker and Kubernetes resources.
lint-spaces checks line endings and indentation.
pfff is a collection of tools by Facebook for analyzing code style, with support for multiple programming languages.
proselint is a linter for usage and style errors in English prose.
Sonarqube is a cross-programming language linting system.
Phabricator Contributing Guide offers coding standards generally, as well as for PHP, and JavaScript code specifically.
google-styleguide is a collection of documents detailing Google's preferred code style, for a variety of programming languages and data formats.
Hemingway is a software application for improving the readability of English text. By using Hemingway, we can make our documentation more understandable for others.
Mozilla Coding Style is a document detailing Mozilla's preferred coding style.
MSDN Library: Coding Techniques and Programming Practices offers general tips for coding.
Microsoft patterns & practices are recommended for .NET projects.
MSDN Library: Design Guidelines for Class Library Developers presents guidelines for .NET library developers.
sunshine validates chmod permissions, such as for SSH files.
trufflehog reports credential exposure.
Vale validates English text against a wide variety of prebuilt style guides, and is easily and highly configurable.
vuls scans assorted computing environments for CVE's.
Web Package Update Checker validates web projects to ensure they use the latest available versions of web packages (like Bootstrap, Font Awesome, JQuery).
write-good validates english prose with the aim of helping developers write better code.
SLOC
sloccount is an older line counter.
cloc is a newer line counter with support for more programming languages.
wc is a line counter for UNIX systems.
Android
lint is a tool for static analysis of Android projects.
Awk
gawk has a --lint
option for checking script compatibility with other awk implementations.
BitTorrent
torrentcheck verifies file download hashes against .torrent files.
C
splint has largely replaced the old lint
tool, offering the same old checks, as well as additional security checks.
lint the original C static analysis tool.
gcc offers additional warnings, through its -Wall
and -Wextra
options.
clang offers even more warnings, through its -Wall
, -Wextra
, -Wmost
, and -Weverything
options.
vera++ is a static analysis tool for C/C++ code.
banned.h helps C/C++ programmers identify deprecated, unsafe dependencies.
sparse is designed to find potential sources of program faults, especially in kernel code.
pclint is a classic, non-free C/C++ linter.
Misra C CodeCheck is a demo C linter.
uno is a simple C linter.
Infer is a static program analyzer for Java, C, Objective-C, and Swift, written in OCaml.
C++
cppcheck can check .cpp
implementation code, as well as .h
definition code.
g++, part of gcc, offers additional checks through its -Wall
and -Wextra
options. g++ also includes a -Weffc++
option to check against rules in Effective C++.
cpplint is provided as part of the google-styleguide
. Note that cpplint is a Python tool, which means you would also want to run Python SCA tools on all environments that install cpplint.
nsiqcppstyle is a South Korean C++ style checker.
flint++ is a cross-platform, zero-dependency port of flint - a linter developed at Facebook.
C++ Coding Standards is a textbook documenting recommended C++ code style.
Bjarne Stroustrup's C++ Style and Technique FAQ is another document detailing Bjarne Stroustrup's C++ code style.
Effective C++ details recommended patterns in C++ code.
Boost Library Requirements and Guidelines is a document detailing community standards for C++ code style.
C#
StyleCop is a C# linter that enforces style guidelines.
Gendarme is a .NET Static analysis tool created by the mono team. Gendarme enforces best practices, and compatibility with the mono runtime.
FxCop is a .NET Static analysis tool created at microsoft. FxCop enforces best practices.
roslyn-analyzers is a collection of static analyzers developed by Microsoft with the Roslyn APIs.
C# Coding Conventions is a document detailing Microsoft's recommended patterns for C# code.
patterns & practices Guidance Explorer presents a graphical checklist of Microsoft style rules.
Chef
foodcritic offers built-in rules for identifying potential problems with Chef cookbooks.
Clojure
core.typed offers annotations for type safety.
eastwood provides a Leiningen plugin for linting Clojure code.
kibit also provides a Leiningen plugin for linting Clojure code.
CoffeeScript
coffeelint for Coffee files.
Common Lisp
lisp-critic is an old analyzer of arbitrary CL code.
xref is an old static analysis tool for CL code.
Conf
Linux .conf configuration files may vary in format, but many popular services offer a way to check the syntax of their particular configuration files.
Apache
apache2 -t
Exim
exim -bV
CUPS
cupsd -f -t
dhcpd
dhcpd (-t -cf) | (-T -lf)
Homebrew
brew doctor
Lighttp
lighttpd -t
MySQL
mysqld --help --verbose --skip-networking
Nagios
nagios -v
named
named-checkconf
named-checkzone
Nginx
nginx -t
ntp
ntpd -n | -d
pf
pfctl -n
Postfix
postfix check
proftpd
proftpd -t
rsyslogd
rsyslogd -c4 -N 1
Samba
testparm -v
slapd
slapd -Tt
SQL (PostgreSQL, MySQL, MSSQL, ...)
- SQL implementations tend to include an
EXPLAIN
... statement which can validate syntax for individual statements. - prql is a command line SQL syntax validator for SQL scripts.
Squid
squid -k (check | parse)
sshd
sshd -t | -T
syslogd
syslogd -d
tcpd
tcpdchk -a | -d | -i | -v
Upstart
eval `dbus-launch --auto-syntax` && \
find . -type f -name '*.conf' -exec init-checkconf {} \;
varnishd
varnishd -C
vsftpd
vsftpd -olisten=NO
Ansible
ansible-later checks Ansible playbooks.
ansible-lint is a classic Ansible linter.
Lockdown provides recommendations for securing Ansible playbooks.
steampunk-spotter offers additional checks for Ansible playbooks.
Arch
arch-audit generates CVE reports for Arch Linux.
BSD
pkg-audit generates CVE reports for FreeBSD, DragonflyBSD, and HardenedBSD.
pkg_admin provides an audit
subcommand for generating CVE reports on NetBSD.
Coq
Coq is a proof assistant, requiring all programs to be logically valid.
CSS
csslint for CSS files.
minify can help compress, CSS, JS, and HTML files.
csstidy can help compress CSS files.
CSV
csv-validator verifies CSV data against a given CSV schema.
D
gdc offers a built-in -Wall
flag for additional warnings.
Dart
pub publish
offers a --dry-run
option.
Debian packages
Lintian checks for bugs and policy violations in .deb packages.
DNS
Dlint analyzes DNS records.
Docker
Docker First Aid Kit provides performance and general advice for Docker newbies.
Elisp
ePUB
epubcheck analyzes .epub files for errors.
Erlang
erl_tidy, a library that comes with Erlang, attempts to automatically change unidiomatic code.
ehrlich provides a safer linter that does NOT automatically change your code.
dialyzer, a tool that comes with Erlang, helps detect type errors.
elvis is an Erlang style checker.
F#
File systems
fslint can identify and correct errors in file systems.
Disk Utility can repair HFS/HFS+ partitions.
gParted can check for errors in several file systems.
fixmbr Windows is a DOS tool for repairing boot sectors, available in Recovery mode in Windows installation media.
fixmbr Linux is a Linux tool for repairing boot sectors, part of the ms-sys package.
Fortran
GIF
buttery is a GIF loop editor, with an option to validate basic GIF format file integrity.
Go
The standard go
command offers go fmt
and go vet
for styling and checking package integrity.
goimports supplements go fmt
by organizing imports.
golint was an early stage Go linter, since deprecated in favor of staticcheck.
errcheck identifies unchecked errors. In particular, the -blank
flag (disabled by default) identifies errors assigned to _
.
nakedret identifies named returns, which often present unexpected behavior that can obfuscate error messages. Recommended usage: nakedret -l 0 ./...
opennota/check includes linters for reducing in-memory and in-transit struct size; identifying unused struct fields; and identifying unused global variables and constants.
megacheck runs staticcheck, gosimple, and unused.
staticcheck adds additional checks compared to the built-in go vet
tool.
gosimple recommends more idiomatic code forms.
unconvert detects redundant conversions.
unused reports some unused Go code elements.
Groovy
Haskell
GHC, the official Haskell compiler, is renown for producing correct programs, though its strict type system.
hlint displays a refactored version of your code, helping users more quickly resolve warnings.
HTML
W3C Validator is an online service for linting HTML, XML, and CSS data.
tidy can lint HTML files.
linklint checks hyperlinks.
Java
Android lint checks Android source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.
CheckStyle, with decent CLI support, as well as decent Maven support, through maven-checkstyle-plugin. Checkstyle also supports identifying undocumented code, through its JavaDoc settings.
Error-prone catches common Java mistakes as compile-time errors.
FindBugs is an old Java linter, but has kept up with Java advances (for example, by offering a standard Gradle plugin).
google-java-format formats Java code according to the Google Style Guide.
Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.
javac offers a -Xlint
option to print additional warnings. The maven-compiler-plugin can be configured to automatically pass -Xlint
to the underlying Java compiler every time a project is built.
In Java 8, javac will feature an -Xdoclint
option to identify undocumented code.
PMD detects flaws and duplicated code.
JavaScript / Node.js
CLosure Compiler refactors code to improve performance.
Closure Linter checks JavaScript for conformance to the Google Style Guide.
Code Conventions for the JavaScript Programming Language is a document detailing community standards for JavaScript code style.
CoffeeScript is a compiles-to-JavaScript language designed to enforce good JavaScript coding habits at compiler level.
ESLint is a pluggable and configurable javascript linter that aims to fix the non-extensibility issues of JSHint and JSLint.
JSHint is far and away the best modern linter available. It's simultaneously easy to use, and highly customizable; offering global and directory specific .jshintrc
files for rule configuration; and global and directory specific .jshintignore
files for ignoring certain files and directories, trimming down jshint
's output to exactly what you want to see.
JSLint helps coders match the code style described in JavaScript: The Good Parts.
JSLint Errors explains warnings you may see from JSHint or JSLint.
npm-package-json-lint is a configurable linter to enforce standards in npm package.json files.
rslint is a fast JavaScript linter.
standardjs is a JavaScript linter and formatter.
JPEG
jpegtran manipulates .jpg files.
JSON
json.py is a built-in Python module, offering a -mjson.tool
option for linting JSON files.
jq isn't a linter per-se, but jq can prettify JSON for creating more readable code examples.
jsonschemalint verifies JSON data against a given JSON schema.
LaTeX
lacheck comes with LaTeX.
style-check.rb is a LaTeX checker written in Ruby.
Lua
luac
offers a -p
option to skip output file generation, useful for checking syntax without altering any files.
luac offers a built-in -p
option for syntax validation..
luacheck is a Lua linter.
lualint is an early Lua linter.
lua-checker is another old Lua linter.
luainspect is yet another dead linter.
Make
make offers a -n
dry run option, though sometimes commands are still printed. Use make -n 1>/dev/null
to suppress this output. Of course, this represents UNIX sh syntax, so redirect stdout to the null device in Windows syntax with 1>NUL
when in Windows.
GNU make offers an additional --warn-undefined-variables
flag to check for... undefined variables.
unmake is a POSIX makefile linter focusing on portability.
Markdown
markdownlint enforces standards for Markdown and CommonMark files via Node.js or Ruby
remark checks Markdown files for various errors.
MP3
mp3check analyzes .mp3 files for errors.
Objective C
clang offers built-in options -Wall
, -Wextra
, -Wmost
, and -Weverything
for showing additional compiler warnings.
OCLint can lint ObjC, C, and C++ code.
Infer is a static program analyzer for Java, C, and Objective-C, written in OCaml.
OCaml
Pascal
fpc offers a -vw
flag to show additional warnings.
Perl
cpan-audit scans Perl projects for CVE's.
perl offers extra warnings through the use warnings;
(#!/usr/bin/env perl -w
) and use strict;
options.
perltidy generates a recommended refactored version of your code.
perlcritic applies rules based on O'Reilly Perl Best Practices.
Perl Best Practices is a textbook of recommended Perl coding conventions.
PHP
php comes with a built-in -l
option to check for valid syntax.
PHPMD is a configurable frontend for static checks.
PHP Code Sniffer checks .php, .js, and .css code for style.
PSR-Huh? is a document detailing community standards for PHP code style.
PEAR Coding Standards is a collection of documents detailing community standards for PHP code style.
CodeIgniter General Style and Syntax is another document offering PHP code style tips.
pkgsrc
pkglint checks pkgsrc
projects, including BSD makefiles, embedded shell commands, and pkgsrc conventions.
PNG
pngcheck analyzes .png files for errors.
PostgreSQL
pgsanity verifies the correctness of PostgreSQL query syntax.
Puppet
puppet-lint checks Puppet scripts for proper style.
vulnerability checks for Puppet CVE's.
Python
bandit security focused Python static analyzer. Your mileage may vary, regarding the usefulness of its warnings. (For example, if your application intends to open an SSH connection, then it is not particularly helpful for bandit to complain about open SSH connections.)
dlint) is another security focused analyzer.
flake8 is a meta linter for Python, including PyFlakes, pep8, and McCabe.
flake8-quotes is a plugin for flake8 that enforces single vs double quotes.
pep8 checks Python code for PEP8 conformance.
pep257 checks Python code for PEP257 docstring conformance.
PyChecker requires executing code in order to analyze it.
PyLint is fast and customizable.
PyFlakes offers few configuration options.
Python Style Guide is a collection of documents for community standards for Python code style.
refurb recommends Python idioms.
safety identifies installed pip packages known to include vulnerabilities.
wemake-python-styleguide is the strictest and most opinionated python linter ever.
R
CRAN has a lint package.
Racket
Typed Racket offers additional checks for type safety.
RPM
rpmlint checks .rpm packages for errors.
Ruby
contracts.ruby provides a dynamically enforced type safety system.
reek has an extensive list of checks for improving your code.
flay looks for repeated code patterns, recommending ways to reduce boilerplate and increase reliability.
roodi is an old design pattern linter.
cane applies code quality checks, and can be used to fail a build on encountering poor quality code.
excellent is easy to use and configure.
rubocop can help users update Ruby 1.8 style code to Ruby 1.9/2.0.
heckle performs mutation testing.
saikuro examines code complexity. Saikuro is currently incompatible with Ruby 1.9/2.0.
brakeman is a linter for Ruby on Rails projects.
fasterer provides performance tips.
flog identifies the most complex code in your codebase.
churn looks at version control history to look for frequently changing code, often a sign of poor coding.
laser provides basic detection for logic errors.
metric_fu scans with a suite of Ruby linters.
laser is a slightly out of date Ruby linter.
ruby-style-guide is a document describing community standards for Ruby code style.
rails_upgrade helps Rails 2 code upgrade to Rails 3.
ruby-lint relies on the pure Ruby parser, so it may lag behind in supported Ruby version syntaxes.
rubycritic provides HTML and CLI linting.
standard provides a Ruby formatter.
Rust
crev assists with dependency reviews.
rustc, the Rust compiler, offers a -Wall
option for additional warnings.
clippy is a Rust linter.
cargo-audit scans Rust dependencies for vulnerabilities.
rustfmt for styling.
Sass
sass-lint is a Sass/SCSS linter.
scss-lint is a Sass/SCSS and CSS linter.
Scala
The scalac compiler offers optional -Xlint
and -deprecation
warnings.
Scalastyle offers CLI, SBT, and Maven interfaces to a flexible, extensible Scala linter.
Wartremover is a flexible Scala code linting tool.
Scapegoat is a compiler plugin for static code analysis.
Abide is a library for quick scala code checking and validation by the compiler developers.
Linter is a static analysis compiler plugin which adds various compile-time checks.
sh / shell / bash
Many shells offer a -n
option for validating syntax, e.g. bash -n
, zsh -n
, ksh -n
, ...
Note that sh -n
on many systems actually expands to bash -n
, ksh -n
, etc. as /bin/sh
is usually symlinked to superset shells. Observers keen to guarantee that their portable sh scripts are pure POSIX and not bash scripts, can either run sh -n
on a system with a bare bones /bin/sh
, such as Alpine Linux, Busybox, etc., either on bare metal or Docker.
slick is a cross-platform POSIX -n
checker. Substitute for sh -n
for more reliable linting!
shlint is a meta-linter, which runs -n
checks, for any shells available, as well as checkbashisms
.
Shellcheck is a bash linter written in Haskell.
checkbashisms.rb is an unmaintained sh linter that reports bashisms. Because it is unmaintained, it features an inverted ROC curve.
bashate is a pep8-like linter for bash scripts. Note that bashate is a Python tool, which means you would also want to run Python SCA tools on all environments that install bashate.
shfmt provides consistent styling for shell scripts.
stank offers several utilities for A) identifying POSIXy shell scripts among large directories of source files and B) warnings for oddities such as shebang mismatches.
Smalltalk
SmallLint integrates with the OmniBrowser to lint Smalltalk code.
Snort
pulledpork helps manage Snort rulesets.
Swift
swiftlint encourages better Swift style
Terraform
terraform validate
provides built-in suport for basic syntactical correctness.
terrascan scans Terraform CVE's.
tflint checks Terraform plans.
tfsec scans Terraform CVE's.
Travis
travis-lint checks .travis.yml
for errors.
Typescript
TSLint checks your TypeScript code for readability, maintainability, and functionality errors.
XML
xmllint is provided as part of the libxml2
package.
YAML
yamllint is a syntax checker and linter for YAML source. Note that yamllint is a Python tool, which means you would also want to run Python SCA tools on all environments that install yamllint.
Continuous Integration
A Jenkins server can generate HTML linter reports for each new code commit.
Guard + guard-shell can monitor local code files, automatically outputting linter warnings as the programmer edits his code, simulating a local continuous integration server.
A make task can bundle several linters together (e.g. csslint
, HTML tidy
, jshint
), to lint different kinds of files all at once.
git hooks can be added to a git repo, preventing a programmer from submitting his work until it passes a configured suite of linters.