The quality of the JavaScript code is often verified with the traditional activities of unit and functional testing. There are however tools that allow checking code before or during its execution to assess its quality and its adherence to coding standards using a process called code analysis. This article presents a list of open source tools to perform static and dynamic code analysis on JavaScript programs.

If static code analysis can be performed individually on each piece of JavaScript code, modern software development organizations will integrate these tools in their continuous integration or delivery process. This automated approach prevents code that is bad or doesn’t respect the coding standards to reach the production stage. Dynamic code analysis the software when it is performed by executing programs on a real or virtual processor.

The two main know open source tools used for JavaScript code analysis are JSLint and JSHint, the second being a fork of the first one. Developed by the famous Douglas Crockford, JSLint can be considered as the main inspiration of the JavaScript open source code analysis tools family. There are however many different tools that try to achieve the same goal and you might find something more suited to your own needs in the list below, especially if you work in specific JavaScript contexts like Node.js, Angular or TypeScript.

Updates

April 2019

* added Codelyzer, CodeClimmate-Duplication, NodeJsScan, SourceCodeSniffer

* removed JSCS JavaScript Code Style (merged with ESLint)

* updated ESLint (description)

May 9 2018:

* added Iroh.js, SonarJS, ts-simple-ast, twly

* CodeClimmate-Duplication

CodeClimmate-Duplication is an engine that wraps flay and supports Java, Ruby, Python, JavaScript, and PHP. You can run it on the command line using the Code Climate CLI

Website: https://github.com/codeclimate/codeclimate-duplication

* Codelyzer

Codelyzer is an open source project that provides a set of tslint rules for static code analysis of Angular TypeScript projects. You can run the static code analyzer over web apps, NativeScript, Ionic, etc.

Website: http://codelyzer.com/

* Crawljax

Crawljax is an open source Java tool for automatically crawling and testing modern web applications. Crawljax explores JavaScript-based Ajax web application through an event-driven dynamic crawling engine. It automatically creates a state-flow graph of the dynamic DOM states and the event-based transitions between them. This inferred state-flow graph forms a very powerful vehicle for automating many types of web analysis and testing techniques.

Website: http://crawljax.com/

* ESLint

ESLint is an open source tool static analysis tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. In many ways, it is similar to JSLint and JSHint with a few exceptions. ESLint is designed to have all rules completely pluggable. The default rules are written just like any plugin rules would be. They can all follow the same pattern, both for the rules themselves as well as tests. While ESLint will ship with some built-in rules to make it useful from the start, you’ll be able to dynamically load rules at any point in time. ESLint is written using Node.js to provide a fast runtime environment and easy installation via npm.

Web site: http://eslint.org/

* Esprima

Esprima is a high performance, standard-compliant JavaScript parser. Once the full syntax tree is obtained, various static code analysis can be applied to give an insight to the code: syntax visualization, code validation, editing autocomplete with type inferencing and many others.

Web site: http://esprima.org/

* Flow

Flow is an open source static type checker developed by Facebook, designed to find type errors in JavaScript program. Flow adds static typing to JavaScript to improve developer productivity and code quality. In particular, static typing offers benefits like early error checking, which helps you avoid certain kinds of runtime failures, and code intelligence, which aids code maintenance, navigation, transformation, and optimization.

Web site: http://flowtype.org/

* Iroh.js

Iroh is an open source dynamic code analysis tool for JavaScript. Iroh allows to record your code flow in realtime, intercept runtime information and manipulate program behavior on the fly. In contrast to static analysis (e.g. used in Babel and ESlint), dynamic analysis allows to collect data which is only available at runtime. Iroh makes it possible to collect type information of your running program, analyze it’s behavior, capture and manipulate runtime values like parameters or variables – and all this while your code is actually running!

Web site: https://maierfelix.github.io/Iroh/

* JavaScript Lint

JavaScript Lint is an open source tool to check all your JavaScript source code for common mistakes without actually running the script or opening the web page. JavaScript Lint is based on JSLint. JavaScript Lint holds an advantage over competing lints because it is based on the JavaScript engine for the Firefox browser. This provides a robust framework that can not only check JavaScript syntax but also examine the coding techniques used in the script and warn against questionable practices.

Web site: http://www.javascriptlint.com/

* JSHint

JSHint is an open source tool to detect errors in JavaScript code and enforce your team’s coding conventions. It was forked from Douglas Crockford’s JSLint project JavaScript code can be analyzed online on the JSHint web site. There is also an Eclipse plugin at http://github.eclipsesource.com/jshint-eclipse/.

Web site: http://jshint.com

* JSLint

JSLint is an open source JavaScript code quality tool that looks for problems in JavaScript programs. JavaScript code can be analyzed online on the JSLint web site.

Web site: http://www.jslint.com/

* JSPrime

JSPrime is an open source JavaScript static security analysis tool. It’s a very lightweight and very easy to use point-and-click tool based on the popular Esprima ECMAScript parser.

Web site: https://github.com/dpnishant/jsprime

* NodeJsScan

NodeJsScan is a static security code scanner for Node.js applications.

Web site: https://github.com/ajinabraham/NodeJsScan

* PHP_CodeSniffer

PHP_CodeSniffer is a set of two PHP scripts; the main phpcs script that tokenizes PHP, JavaScript and CSS files to detect violations of a defined coding standard, and a second phpcbf script to automatically correct coding standard violations. PHP_CodeSniffer is an essential development tool that ensures your code remains clean and consistent.

Web site: http://pear.php.net/package/PHP_CodeSniffer/

* Plato

Plato is an open source tool that allows JavaScript source code visualization, static and complexity analysis.

Figure source: http://es-analysis.github.io/plato/examples/jquery/

Web site: https://github.com/es-analysis/plato

* SonarJS

SonarJS is an open source static code analyser for the JavaScript language. It will allow you to produce stable and easily supported code by helping you to find and to correct bugs, vulnerabilities and smells in your code.

Web site: https://github.com/SonarSource/SonarJS

* SourceCodeSniffer

The Source Code Sniffer is a poor man’s static code analysis tool (SCA) based on regular expressions. The Source Code Sniffer uses search patterns to score common high risk functions (Injection, LFI/RFI, file uploads etc) across multiple application development languages (C#, C/C++,Java, PHP, Perl, Python, JavaScript, HTML etc) in a highly configurable manner. When performing a source code review, it can help to prioritize the code files that should be reviewed. Source Code Sniffer is written in Python 2.7 and supports both Windows and Linux.

Web site: https://github.com/frizb/SourceCodeSniffer

* srclib

srclib is a polyglot code analysis library, built for hackability. It consists of language analysis toolchains (currently for Go, Java, Python, JavaScript, Ruby, and Haskell) with a common output format, and developer tools (such as editor plugins) that consume this format.

Web site: https://srclib.org

* Tern

Tern is a stand-alone open source code-analysis engine for JavaScript. It is intended to be used with a code editor plugin to enhance the editor’s support for intelligent JavaScript editing.

Web site: http://ternjs.net/

* ts-simple-ast

ts-simple-ast is an open source TypeScript compiler API wrapper. It provides a simple way to navigate and manipulate TypeScript and JavaScript code.

Web site: https://github.com/dsherret/ts-simple-ast

* twly

twly (pronounced “towel-E”) is an open source static analysis tool which can help you keep your code DRY (Don’t Repeat Yourself) by letting you know where you have copy and pasted entire files or portions of them. Run twly on a directory, and twly will magically generate a report for you indicating what has been repeated and in which files. twly is language agnostic and can be used on any text document.

Web site: https://github.com/rdgd/twly

References

List of tools for static code analysis in Wikipedia

Awesome Static Analysis A curated list of static analysis tools, linters and code quality checkers for various programming languages

Source Code Analysis Tools

Videos

Breakthroughs in JavaScript Code Analysis

Static Analysis of Event-Driven Node.js JavaScript Applications

JavaScript Static Security Analysis made easy with JSPrime

PHP_CodeSniffer Static Analysis of PHP and JavaScript

JavaScript Code Analysis with Esprima

srclib: a hackable, polyglot code analysis library

JavaScript Testing and Code Analysis at Facebook