Hey, this post got more attention than I thought.
Happy to answer your questions and get some feedback on what to improve.<p>Maybe people are interested in some tech:<p>My colleague Jakub and I built this site with GatsbyJS and Cloudflare Edge Workers. The 99th percentile of response times from the workers is currently 9.7ms, which is impressive.<p>The code is fully open source on GitHub [1].<p>It is based on submissions by 190 individual contributors so far [2].<p>We went for an open model and completely depend on GitHub sponsors for the funding. We are not trying to rapidly grow here, rather build a steady business.<p>You can read more about the business model in our first blog post [3].
If your company might be interested in sponsoring, let us know or check the offerings here: <a href="https://github.com/sponsors/analysis-tools-dev/" rel="nofollow">https://github.com/sponsors/analysis-tools-dev/</a> <3<p>[1]: <a href="https://github.com/analysis-tools-dev/website/" rel="nofollow">https://github.com/analysis-tools-dev/website/</a>
[2]: <a href="https://github.com/analysis-tools-dev/static-analysis" rel="nofollow">https://github.com/analysis-tools-dev/static-analysis</a>
[3]: <a href="https://analysis-tools.dev/blog/static-analysis-is-broken-lets-fix-it" rel="nofollow">https://analysis-tools.dev/blog/static-analysis-is-broken-le...</a>
It looks like those tools are sorted by votes, but some of them can analyze different languages, and votes are shared between their languages.<p>For example, CodeScene, which supports 12 languages, is currently the most voted tool for PHP, and I've never heard of it. Not saying it's bad or anything, but I highly doubt it's popular in the PHP community, compared to other products.
Shameless self-promotion time: <i>TypeScript Call Graph</i><p>A CLI to generate an interactive graph of functions and calls from your TypeScript files.<p><a href="https://github.com/whyboris/TypeScript-Call-Graph" rel="nofollow">https://github.com/whyboris/TypeScript-Call-Graph</a>
It would be useful to list which tools support the SARIF standardized format (<a href="https://sarifweb.azurewebsites.net/" rel="nofollow">https://sarifweb.azurewebsites.net/</a>).
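For readers who have not worked with SARIF, the following is an added example (not code from the site, the thread, or any tool listed there) of what a tool would have to emit to count as "supporting" the format and what a consumer does with it: it walks the `runs[].results[]` array of a SARIF 2.1.0 log, resolves each result's severity the way the spec does (explicit `level`, else the rule's `defaultConfiguration.level`, else `warning`), and flattens the first location of each result. The SARIF document embedded below is constructed for this example; the tool name and rule IDs in it are invented.

```python
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 log (not output from any real tool).
# Two results from a hypothetical "example-analyzer": the first has no
# explicit level and must inherit its rule's defaultConfiguration,
# the second carries an explicit level that overrides the rule default.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-analyzer",
            "rules": [
                {"id": "EX001",
                 "shortDescription": {"text": "Command built from user input"},
                 "defaultConfiguration": {"level": "error"}},
                {"id": "EX002",
                 "shortDescription": {"text": "Unused variable"},
                 "defaultConfiguration": {"level": "note"}},
            ],
        }},
        "results": [
            {"ruleId": "EX001", "ruleIndex": 0,
             "message": {"text": "shell command built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002", "ruleIndex": 1, "level": "warning",
             "message": {"text": "variable 'tmp' is never read"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def result_level(result, rules):
    """Severity per SARIF 2.1.0: result.level if present, otherwise the
    matching rule's defaultConfiguration.level, otherwise 'warning'."""
    if "level" in result:
        return result["level"]
    rule = None
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        rule = rules[idx]
    else:
        # Fall back to matching by ruleId when ruleIndex is absent or invalid.
        rule = next((r for r in rules if r.get("id") == result.get("ruleId")), None)
    if rule is not None:
        return rule.get("defaultConfiguration", {}).get("level", "warning")
    return "warning"


def summarize_sarif(text):
    """Flatten a SARIF log into (tool, ruleId, level, uri, startLine, message)
    tuples, taking the first physical location of each result."""
    log = json.loads(text)
    rows = []
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "?")
        rules = driver.get("rules", [])
        for res in run.get("results", []):
            uri, line = None, None
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                break
            rows.append((tool, res.get("ruleId"), result_level(res, rules),
                         uri, line, res.get("message", {}).get("text", "")))
    return rows


def count_by_level(rows):
    """Histogram of severities, e.g. to fail a CI job only on 'error'."""
    return dict(Counter(r[2] for r in rows))


if __name__ == "__main__":
    rows = summarize_sarif(SAMPLE_SARIF)
    for tool, rule, level, uri, line, msg in rows:
        print(f"{level:8} {rule:6} {uri}:{line}  {msg}  [{tool}]")
    print(count_by_level(rows))
```

Because every SARIF-emitting tool ends up in the same shape, one consumer like this can aggregate findings from several analyzers, which is the practical reason a "supports SARIF" column on the site would be worth having.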
Doesn't look like my project meets the eligibility requirements yet; too new. So I'll just share here for anyone interested.<p>Luanalysis - An IDE for statically typed Lua development.
<a href="https://github.com/Benjamin-Dobell/IntelliJ-Luanalysis" rel="nofollow">https://github.com/Benjamin-Dobell/IntelliJ-Luanalysis</a>
Sadly, many commercial source auditing tools like Coverity expressly forbid you from publishing any comparison or benchmark of their products, which is why you won't find great information out there.
Great work! I think it would be helpful to tag static analyzer tools that are dedicated to security with a security tag (SAST tools like Brakeman, Fortify SCA, Checkmarx CxSAST, Coverity, etc.). OWASP lists a bunch here: <a href="https://owasp.org/www-community/Source_Code_Analysis_Tools" rel="nofollow">https://owasp.org/www-community/Source_Code_Analysis_Tools</a>