Where I work we use SonarQube [1] for static code analysis. You can customize specific rule profiles for different projects, and on the site they say it's available for many programming languages [2]. We only use it for Java, so I don't know how good the support is for the other languages listed.

My experience with these tools is that they are a great way to see how the code evolves during a project, help you keep it clean in maintenance mode, and may even teach you a couple of things about good coding practices. Just don't let it fall into the hands of management. They will love all those metrics and graphs, and soon enough you will have goals and performance reviews based on it.

[1] http://www.sonarqube.org

[2] http://docs.sonarqube.org/display/SONAR/Plugin+Library
So far I haven't used much manual code review, but I do use static code analysis to find possible bugs once in a while.

Up until recently a big pain point for me was finding code which could block within a time-constrained function (aka realtime safety). There weren't any tools out there, so I ended up making one with llvm named stoat [1] (originally static function property verification, sfpv). It's hard to say if this tool would really have wider usefulness, as it essentially is just checking function attributes on the transitive closure of the callgraph, but it works for me.

[1] https://github.com/fundamental/stoat
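The check the comment above describes, "function attributes on the transitive closure of the callgraph", is small enough to show end to end. The following is an added example, not code from stoat or from the commenter: a hand-constructed call graph with two attribute sets (`REALTIME` and `BLOCKING`, both assumed names), a breadth-first walk that computes every function reachable from a realtime entry point, and a report of each blocking function reached together with the call chain that gets there. A real tool would derive the graph and attributes from compiler IR; here they are literals so the script runs offline.

```python
"""Added example (not from stoat or the original post): flag realtime
functions that can reach a blocking function through any chain of calls.

Property checked: no function marked `realtime` may transitively call a
function marked `blocking`. Both the call graph and the annotations are
constructed by hand for this demonstration.
"""
from collections import deque

# Constructed sample call graph: function -> functions it calls directly.
# `write_log` and `retry_write` call each other to show that cycles are fine.
CALL_GRAPH = {
    "audio_callback": ["mix_buffers", "log_underrun"],
    "mix_buffers": ["apply_gain"],
    "apply_gain": [],
    "log_underrun": ["format_message", "write_log"],
    "format_message": ["snprintf"],
    "snprintf": [],
    "write_log": ["fwrite", "retry_write"],
    "retry_write": ["write_log"],
    "fwrite": ["lock_mutex"],
    "lock_mutex": [],
    "ui_thread": ["write_log"],
}

# Constructed annotations, standing in for attributes a compiler would attach.
REALTIME = {"audio_callback"}   # must never block
BLOCKING = {"lock_mutex"}       # known to block (locks, I/O, allocation, ...)


def reachable_calls(graph, start):
    """Return {callee: path} for every function reachable from `start`,
    i.e. the transitive closure of the call relation, with one witness
    call path per callee. The `paths` dict doubles as the visited set,
    so cycles in the graph terminate."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in paths:
                paths[callee] = paths[fn] + [callee]
                queue.append(callee)
    return paths


def find_violations(graph, realtime, blocking):
    """For each realtime function, report every blocking function it can
    reach as (realtime_fn, blocking_fn, call_chain). Only realtime entry
    points are checked; `ui_thread` may block freely."""
    violations = []
    for fn in sorted(realtime):
        closure = reachable_calls(graph, fn)
        for callee, path in closure.items():
            if callee in blocking:
                violations.append((fn, callee, path))
    return violations


def format_report(violations):
    """Render violations one per line, showing the offending call chain."""
    return "\n".join(
        f"{rt} reaches blocking {blk} via {' -> '.join(path)}"
        for rt, blk, path in violations
    )


if __name__ == "__main__":
    found = find_violations(CALL_GRAPH, REALTIME, BLOCKING)
    print(format_report(found) if found else "no realtime violations")
```

The witness path is the part worth keeping: a report that only names `lock_mutex` tells the developer little, whereas the chain through `log_underrun` and `write_log` points at the one call that has to leave the realtime path. Note that functions absent from the graph (external libraries without annotations) are treated here as having no callees, which is optimistic; a production checker should treat unannotated externals as suspect rather than safe.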