Included Analyzers
Lift leverages a broad range of analyzers that can be tailored to your code-base. Below is a list of the analyzers we’ve incorporated and made available within the Lift platform.
If you're looking for details on vulnerability scanning, see Open Source Vulnerability Analysis instead.
Want us to add your favorite open-source analysis tool to Lift? Visit our community and let us know what other tools you would like to use via Lift.
If you need to add a new tool right away, use our API to add your tool and Lift will automatically include it in every analysis run.
Infer
Languages: Java, C, C++
Website: https://fbinfer.com
Error Patterns: https://fbinfer.com/docs/all-issue-types
Infer was developed at Facebook and uses advanced compositional analysis techniques to provide deep insight into code behavior while keeping analysis times low. Infer checks Java for null pointer exceptions, resource leaks, performance issues, command injection and other information flow vulnerabilities, annotation consistency, and concurrency errors such as race conditions and deadlocks. Infer checks C/C++/Objective-C code for null pointer dereferences, memory leaks, coding convention violations, and API misuse errors.
Below is the custom command Lift uses:
infer analyze -r --no-parameter-not-null-checked --pulse --quandary
ErrorProne
Languages: Java
Website: https://errorprone.info
Error Patterns: https://errorprone.info/bugpatterns
Developed by Google, this Java bug detection tool looks for language-specific error patterns and API mis-use errors. It is implemented as a compiler extension, and so has access to type information, class hierarchies, and dependency data. This gives it deeper insight into the code than most linters and allows it to detect more bugs while maintaining a low false positive rate. ErrorProne can also be extended with custom rules.
FindSecBugs
Languages: Java
Website: https://find-sec-bugs.github.io
Error Patterns: https://find-sec-bugs.github.io/bugs.htm
This tool provides static analysis for security audits of Java web applications and Android applications targeting many of the OWASP Top Ten.
Quandary
Languages: Java, C, C++
Website: https://fbinfer.com/docs/checker-quandary
Error Patterns: https://fbinfer.com/docs/checker-quandary#list-of-issue-types
Quandary is an extension of Infer that detects flows of values between sources and sinks that don’t pass through a “sanitizer”. It has a small list of built-in sources and sinks, but also provides a means for defining custom sources and sinks via an .inferconfig file included in the same directory as the build files (see an example here). Quandary can be used to detect cross-site scripting, shell/SQL injection, untrusted data use, and logging of private data.
ESLint
Languages: JavaScript
Website: https://eslint.org
Error Patterns: https://eslint.org/docs/rules
ESLint is an open source JavaScript linting utility that helps find problematic patterns or code that doesn’t adhere to certain style guidelines.
Semgrep
Languages: Python, JavaScript, Java, Golang, C/C++/C# and Ruby
Website: https://github.com/returntocorp/semgrep
Lightweight static analysis for many languages. Find and block bug variants with rules that look like source code.
Staticcheck
Languages: Golang
Website: https://staticcheck.io
Staticcheck is a state of the art linter for the Go programming language that finds bugs and performance issues, offers simplifications, and enforces style rules.
Golangci-lint
Languages: Golang
Website: https://github.com/golangci/golangci-lint
Our golangci-lint configuration aggregates and runs 9 Golang linters to catch a broad range of common Go errors.
Pyre
Languages: Python
Website: https://pyre-check.org
Error Patterns: https://pyre-check.org/docs/error-types.html
Pyre is a fast, scalable type checker for large Python 3 codebases, designed to help improve code quality and development speed by flagging type errors, following the typing standards introduced in PEP 484 and PEP 526. Pyre also includes the Pysa information flow analysis tool, which can be configured to detect and warn on flows between functions labeled as sources and sinks.
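The source/sink/sanitizer model that both Quandary (above) and Pysa use is easier to grasp with a toy version in hand. The following is an added illustration, not code from Lift, Infer or Pyre: a small intraprocedural taint tracker over the Python AST. The SOURCES, SINKS and SANITIZERS name sets and the SAMPLE function it scans are constructed for this example and are not either tool's built-in lists.

```python
import ast

# Constructed call-name sets for this example only; real analyzers ship far
# larger, per-language lists and let projects extend them (e.g. .inferconfig).
SOURCES = {"request.args.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "escape"}


def dotted_name(func):
    """Render a called expression as dotted text, e.g. 'os.system'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return dotted_name(func.value) + "." + func.attr
    return ""


def is_tainted(expr, tainted):
    """True if expr carries source data that no sanitizer has touched."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False  # a sanitizer cuts the flow regardless of its input
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.JoinedStr):  # f-strings propagate taint
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.BinOp):  # "a" + b, "%s" % b
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    return False


def statements(body):
    """Yield statements in source order, descending into nested blocks."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from statements(inner)


def expression_parts(stmt):
    """The expression children of a statement, excluding nested statement lists."""
    for field, value in ast.iter_fields(stmt):
        if field in ("body", "orelse", "finalbody", "handlers"):
            continue
        if isinstance(value, ast.AST):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, ast.AST))


def find_flows(source_code):
    """Return (line, sink) pairs where unsanitized source data reaches a sink.

    Flow-sensitive within one function, unaware of branches merging and of
    calls into other functions: enough to show the model, not a real analyzer.
    """
    findings = []
    tree = ast.parse(source_code)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in statements(func.body):
            # 1. sinks are evaluated against the taint state before this statement
            for part in expression_parts(stmt):
                for call in (n for n in ast.walk(part) if isinstance(n, ast.Call)):
                    name = dotted_name(call.func)
                    if name in SINKS and any(is_tainted(a, tainted) for a in call.args):
                        findings.append((stmt.lineno, name))
            # 2. assignments then update which local names hold tainted values
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted):
                    tainted |= names
                else:
                    tainted -= names
    return findings


# Constructed input: a request handler with sanitized and unsanitized flows.
SAMPLE = '''
import os, shlex, subprocess

def run_report(request):
    name = request.args.get("name")     # source
    safe = shlex.quote(name)            # sanitizer
    os.system("report " + safe)         # clean: sanitized before the sink
    os.system("report " + name)         # flagged: raw source reaches the sink
    cmd = f"ls {name}"                  # taint propagates through the alias
    subprocess.call(cmd, shell=True)    # flagged via 'cmd'
    name = "fixed"                      # clean reassignment clears the taint
    os.system(name)                     # clean
'''

if __name__ == "__main__":
    for line, sink in find_flows(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```

Running it reports the two unsanitized flows (lines 8 and 10 of the sample) and stays silent on the sanitized call and the reassigned variable, which is exactly the distinction the sanitizer concept exists to make.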
Pyright
Languages: Python
Website: https://github.com/microsoft/pyright
Pyright is a full-featured, standards-based static type checker for Python. It is designed for high performance and can be used with large Python source bases.
Pylint
Languages: Python
Website: https://pypi.org/project/pylint/
Pylint analyses code, checks for errors, enforces a coding standard and looks for code smells, and can make suggestions about how the code could be refactored. This is done using type inference (rather than trusting existing type annotations). As Pylint can be quite noisy on code bases that are not actively following its linting rules, it is configured to only report errors.
Bandit
Languages: Python
Website: https://pypi.org/project/bandit
Bandit is a security linter from PyCQA designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes.
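To show what "runs appropriate plugins against the AST nodes" means in practice, here is an added example (not Bandit's own code): a miniature scanner that registers checks per AST node type and dispatches them while walking a parsed file. The three checks mirror the kind of patterns Bandit looks for, but their names, severities and the SAMPLE input are this example's own constructions, not Bandit's plugin identifiers.

```python
import ast

# Plugin registry: AST node type -> list of check functions. Each check
# returns a finding dict or None. Check names and severities are ours.
PLUGINS = {}


def plugin(node_type):
    def register(fn):
        PLUGINS.setdefault(node_type, []).append(fn)
        return fn
    return register


def dotted_name(func):
    """Render a called expression as dotted text, e.g. 'subprocess.run'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return dotted_name(func.value) + "." + func.attr
    return ""


@plugin(ast.Call)
def subprocess_shell_true(node):
    """A subprocess.* call with shell=True hands a string to the shell."""
    if dotted_name(node.func).startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant)
            and kw.value.value is True for kw in node.keywords):
        return {"check": "subprocess_shell_true", "severity": "HIGH",
                "line": node.lineno}


@plugin(ast.Call)
def eval_used(node):
    """eval() executes whatever string it is handed."""
    if dotted_name(node.func) == "eval":
        return {"check": "eval_used", "severity": "MEDIUM", "line": node.lineno}


@plugin(ast.Assign)
def hardcoded_password(node):
    """A non-empty string literal assigned to a name containing 'password'."""
    for target in node.targets:
        if (isinstance(target, ast.Name) and "password" in target.id.lower()
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and node.value.value):
            return {"check": "hardcoded_password", "severity": "LOW",
                    "line": node.lineno}


def scan(source, filename="<constructed>"):
    """Parse one file, run every registered plugin on matching nodes."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        for check in PLUGINS.get(type(node), []):
            finding = check(node)
            if finding:
                findings.append(dict(finding, file=filename))
    return sorted(findings, key=lambda f: f["line"])


# Constructed input exercising each check plus one clean call.
SAMPLE = '''
import subprocess

DB_PASSWORD = "hunter2"                   # hardcoded_password

def run(user_cmd, expr):
    subprocess.run(user_cmd, shell=True)  # subprocess_shell_true
    subprocess.run(["ls", "-l"])          # clean: argv list, no shell
    return eval(expr)                     # eval_used
'''

if __name__ == "__main__":
    for f in scan(SAMPLE, "sample.py"):
        print(f"{f['file']}:{f['line']} [{f['severity']}] {f['check']}")
```

Because each plugin only sees nodes of the type it registered for, adding a check is a matter of writing one function; that is the extension point Bandit's real plugin set is built on, and it is also why Bandit is a syntactic scanner rather than a data-flow analyzer (the list-argv call on line 8 is not flagged because the pattern does not match, not because the tool reasoned about the data).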
Flake8
Languages: Python
Website: https://pypi.org/project/flake8
Flake8 is a tool for style guide enforcement from PyCQA. Flake8 is a wrapper around PyFlakes, pycodestyle and McCabe that checks Python source code for errors and violations of some of the PEP8 style conventions.
Rubocop
Languages: Ruby
Website: https://rubocop.org
RuboCop is a Ruby code style checker (linter) and formatter based on the community-driven Ruby Style Guide.
Security Code Scan
Languages: C# and VB.NET
Website: https://security-code-scan.github.io/
Error Patterns: https://security-code-scan.github.io/#rules
Security Code Scan is a static code analyzer for .NET, detecting vulnerabilities in C# and VB.NET, such as SQL injections, Cross-Site Scripting, and more.
Detekt
Languages: Kotlin
Website: https://github.com/detekt/detekt
Detekt is a static code analysis tool for the Kotlin programming language. It operates on the abstract syntax tree provided by the Kotlin compiler.
ShellCheck
Languages: Bash, Shell
Website: https://www.shellcheck.net
Error Patterns: https://github.com/koalaman/shellcheck/wiki/Checks
ShellCheck is a code analyzer for your shell scripts.
Cobra
Languages: C/C++
Website: http://spinroot.com/cobra/
Cobra is a structural source code analyzer. Fast and easy to configure, Cobra is an ideal choice for enforcing API rules without needing compilation.
Clippy
Languages: Rust
Website: https://github.com/rust-lang/rust-clippy
Clippy is a Rust linting tool with hundreds of lints to surface a broad range of issues in Rust code.
HLint
Languages: Haskell
Website: https://github.com/ndmitchell/hlint#readme
HLint is a tool for analysing Haskell projects and reporting the shortcomings it finds in a helpful way, with possible solutions for each detected problem. HLint looks not only for performance issues and error-prone code, but also helps establish and apply best practices from across the Haskell ecosystem.
Psalm
Languages: PHP
Website: https://psalm.dev/
Error Patterns: https://psalm.dev/docs/running_psalm/issues/
Psalm is a static analysis tool for finding errors in PHP applications. Beyond stylistic issues, it can also perform taint analysis to catch command injection vulnerabilities. Psalm also suggests fixes for many of the common issues it surfaces.
CodeNarc
Languages: Groovy
Website: https://codenarc.org
Error Patterns: https://codenarc.org/codenarc-rule-index.html
CodeNarc analyzes Groovy code for defects, bad practices, inconsistencies, style issues and more. A flexible framework for rules, rulesets and custom rules means it’s easy to configure CodeNarc to fit into your project.
LuaCheck
Languages: Lua
Website: https://github.com/mpeterv/luacheck
Error Patterns: https://luacheck.readthedocs.io/en/stable/warnings.html
Luacheck is a static analyzer and a linter that detects various issues such as usage of undefined global variables, unused variables and values, accessing uninitialized variables and unreachable code.
JSHint
Languages: JavaScript
Website: https://jshint.com/about/
JSHint is a community-driven tool that detects errors and potential problems in JavaScript code. JSHint scans a program written in JavaScript and reports commonly made mistakes and potential bugs. The potential problem could be a syntax error, a bug due to an implicit type conversion, a leaking variable, or something else entirely.
Gosec
Languages: Go
Website: https://github.com/securego/gosec
Gosec inspects source code for security problems by scanning the Go AST.
Markdownlint - MDL (Disabled by Default)
Languages: Markdown
Website: https://github.com/markdownlint/markdownlint
MDL is a tool to check markdown files and flag style issues.
PMD (Disabled by Default)
Languages: Java, JavaScript, and others
Website: https://pmd.github.io
Error Patterns: https://pmd.github.io/pmd-6.23.0/pmd_rules_java.html
PMD finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth.
PMD is not enabled by default. To add it, copy this line into your Lift configuration file:
customTools = [ "https://help.sonatype.com/lift/files/78578763/78578764/1/1623180860953/pmd.sh rulesets/java/quickstart.xml" ]
Click here to learn how to create a Lift configuration file.
Checkov (Disabled by Default)
Languages: Infrastructure Code (Terraform, Cloudformation, K8S)
Website: https://checkov.io
Error Patterns: https://github.com/bridgecrewio/checkov/blob/master/docs/5.Policy%20Index/all.md
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure managed in Terraform, Cloudformation, Kubernetes, Arm templates or Serverless Framework and detects misconfigurations.
Checkov is not enabled by default. To add it, copy this line into your Lift configuration file:
customTools = ["/extra-tools/checkov.py"]
Closure Compiler (Disabled by Default)
Languages: JavaScript
Website: https://developers.google.com/closure/compiler/
Error Patterns: https://developers.google.com/closure/compiler/docs/limitations
The Closure Compiler is a tool for making JavaScript download and run faster. Instead of compiling from a source language to machine code, it compiles from JavaScript to better JavaScript. It parses your JavaScript, analyzes it, removes dead code and rewrites and minimizes what's left. It also checks syntax, variable references, and types, and warns about common JavaScript pitfalls.
Closure Compiler is not enabled by default. To add it, copy this line into your Lift configuration file:
customTools = ["/extra-tools/closure-compiler.sh"]