Linting

5 open source tools compared. Sorted by stars. Scroll down for our analysis.

Tool	Stars	Velocity	Language	License	Score
Prettier Opinionated code formatter	51.9k	+15/wk	JavaScript	MIT License	88
ShellCheck Static analysis for shell scripts	39.4k	+37/wk	Haskell	GNU General Public License v3.0	76
ESLint Find and fix problems in your JavaScript code	27.2k	+11/wk	JavaScript	MIT License	85
sonarqube Continuous Inspection	10.5k	+23/wk	Java	-	71
qlty	3.1k	+5/wk	Rust	MIT License	69

Stay ahead of the category

New tools and momentum shifts, every Wednesday.

Our Analysis

Prettier51.9k★

Prettier ends the formatting debate by automatically formatting JavaScript, TypeScript, CSS, HTML, JSON, and Markdown. It's opinionated on purpose: fewer config options means everyone's code looks the same. MIT license, JavaScript. The most widely adopted code formatter in the JS ecosystem. Supports JS, TS, JSX, CSS, SCSS, Less, HTML, Vue, Angular, GraphQL, Markdown, YAML, and more. Integrates with every editor, runs in CI, and has plugins for additional languages. Fully free. No paid tier, no premium plugins, no hosted service. Every language, every integration, every feature: $0. Every JavaScript/TypeScript team should use this. That's not a suggestion, it's the industry default at this point. Solo to enterprise: install it, add it to your editor's format-on-save, add it to CI. Done. The catch: "opinionated" means you don't get to customize much. If you hate Prettier's formatting choices (and some people really do), your options are limited to a handful of config flags. It also doesn't lint; it formats. You still need ESLint for catching actual bugs. And occasionally a new Prettier version reformats your entire codebase, creating massive diffs that pollute git history.

ShellCheck39.4k★

ShellCheck finds bugs in your shell scripts before they bite you in production. It's a linter that reads your shell scripts and tells you about quoting errors, unsafe variable expansions, and portability issues. The kind of bugs that work fine on your machine and explode on the server. GPL v3. Written in Haskell but you don't need to know or care about that; it's a standalone binary. Integrates with every major editor (VS Code, Vim, Emacs), runs in CI, and has a web version at shellcheck.net for quick checks. Fully free. No paid tier, no premium rules, no hosted service beyond the free web checker. Every rule, every check, every integration, $0. Every team that writes shell scripts should use this. Solo or enterprise, the answer is the same: install it, add it to CI, stop shipping broken bash. Takes 5 minutes to set up. The catch: ShellCheck only handles sh/bash/dash/ksh. If you're writing Zsh scripts, coverage is limited. And it catches syntax and common pitfalls but won't validate your script's logic; it'll tell you your variable is unquoted, not that your deployment script deletes the wrong directory. Also, GPL v3 means you can't embed it in proprietary tools without licensing implications.

ESLint27.2k★

ESLint catches bugs, enforces code standards, and fixes problems automatically before your JavaScript or TypeScript code ever runs. It's a spell checker for code. It reads your files, finds problems (unused variables, missing error handling, inconsistent formatting), and can auto-fix many of them. What's free: Everything. MIT license. The core linter, every built-in rule, the plugin system, the flat config format. All free, forever. ESLint is funded by donations and sponsorships, not by gating features. ESLint is non-negotiable for JavaScript projects. Used in essentially every professional JS/TS codebase. The plugin ecosystem covers React, Vue, TypeScript, accessibility, import ordering. Whatever your stack, there's an ESLint plugin for it. The catch: configuration. ESLint recently moved to a 'flat config' system that's simpler than the old `.eslintrc` approach, but migrating existing configs takes effort. The sheer number of rules and plugins can be overwhelming. And for pure formatting (tabs vs spaces, semicolons), Prettier is better. Use both together: ESLint for logic bugs, Prettier for formatting.

sonarqube10.5k★

SonarQube analyzes your code for bugs, security vulnerabilities, and code smells across 30+ languages. It integrates with every major CI/CD pipeline and gives you a quality gate you can fail builds on. The Community Edition is free and self-hosted. Deploy via Docker or a dedicated server. You need 2GB+ RAM for the process, plus a Postgres database. The Docker Compose setup handles it in minutes. The web interface is comprehensive and developers actually use it without being forced. Quality gates plug directly into your CI pipeline. Solo developers and small teams run the Community Edition free. The Developer Edition adds branch analysis and deeper security rules starting at around 150 USD/year per developer. Enterprise Edition adds datacenter mode and portfolio management. The catch: Community Edition does not do branch analysis. You analyze main only. If your team uses feature branches heavily, you either upgrade to Developer Edition or run multiple SonarQube instances.

qlty3.1k★

Qlty orchestrates dozens of existing tools under one CLI. Instead of configuring ESLint, Pylint, Rubocop, and Semgrep separately, qlty runs them all with a single command and unified output. The CLI is free. It auto-detects your languages, installs the right linters, and runs them. Supports 20+ languages and wraps established tools (ESLint, Ruff, Clippy, etc.) rather than reinventing analysis from scratch. That's smart: you get battle-tested rules without learning each tool's config format. The cloud dashboard (qlty.sh) adds PR-level quality gates, trend tracking, and team analytics. Free for open source, paid plans for private repos starting at $30/mo per seat. The catch: qlty is still early. The tool orchestration approach means you're depending on qlty to correctly configure and update the underlying linters. When an underlying tool changes its output format or rules, qlty needs to adapt. And the cloud pricing at $30/seat/mo puts it in SonarCloud territory: you're paying for the unified dashboard, not the analysis itself.