Static Analysis Purpose Guide agents through selecting, running, and triaging static analysis tools for C/C++ — clang-tidy, cppcheck, and scan-build — including suppression strategies and CI integration. Triggers "How do I run clang-tidy on my project?" "What clang-tidy checks should I enable?" "cppcheck is reporting false positives — how do I suppress them?" "How do I set up scan-build for deeper analysis?" "My build is noisy with static analysis warnings" "How do I generate compile_commands.json for clang-tidy?" Workflow 1. Generate compile_commands.json clang-tidy requires a compilation database:
CMake (preferred)
cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS = ON ln -s build/compile_commands.json .
Bear (for Make-based projects)
bear -- make
compiledb (alternative for Make)
pip install compiledb compiledb make 2. Run clang-tidy
Single file
clang-tidy src/foo.c -- -std = c11 -I include/
Whole project via compile_commands.json
run-clang-tidy -p build/ -j $( nproc )
With specific checks enabled
clang-tidy -checks = 'bugprone-,modernize-,performance-*' src/foo.cpp
Apply auto-fixes
clang-tidy -checks = 'modernize-use-nullptr' -fix src/foo.cpp 3. Check category decision tree Goal? ├── Find real bugs → bugprone-, clang-analyzer- ├── Modernise C++ code → modernize- ├── Follow core guidelines → cppcoreguidelines- ├── Catch performance issues → performance- ├── Security hardening → cert-, hicpp- └── Readability / style → readability-, llvm- Category Key checks What it catches bugprone- use-after-move , integer-division , suspicious-memset-usage Likely bugs modernize- use-nullptr , use-override , use-auto C++11/14/17 idioms cppcoreguidelines- avoid-goto , pro-bounds- , no-malloc C++ Core Guidelines performance- unnecessary-copy-initialization , avoid-endl Performance regressions clang-analyzer- core. , unix. , security. Path-sensitive bugs cert-* err34-c , str51-cpp CERT coding standard 4. .clang-tidy configuration file
.clang-tidy — place at project root
Checks :
bugprone-, modernize-, performance-, -modernize-use-trailing-return-type, -bugprone-easily-swappable-parameters WarningsAsErrors : 'bugprone-,clang-analyzer-' HeaderFilterRegex : '^(src|include)/.' CheckOptions : - key : modernize - loop - convert.MinConfidence value : reasonable - key : readability - identifier - naming.VariableCase value : camelCase 5. Suppress false positives // Suppress a single line int result = riskyOp ( ) ; // NOLINT(bugprone-signed-char-misuse) // Suppress a block // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers) constexpr int BUFFER_SIZE = 4096 ; // Suppress whole function [ [ clang :: suppress ( "bugprone-" ) ] ] void legacy_code ( ) { / ... */ } Or in .clang-tidy :
Exclude third-party directories
HeaderFilterRegex : '^(src|include)/.*'
Disable specific checks
Checks : '-bugprone-easily-swappable-parameters' 6. Run cppcheck
Basic run
cppcheck --enable = all --std = c11 src/
With compile_commands.json
cppcheck --project = build/compile_commands.json
Include specific checks and suppress noise
cppcheck --enable = warning,performance,portability \ --suppress = missingIncludeSystem \ --suppress = unmatchedSuppression \ --error-exitcode = 1 \ src/
Generate XML report for CI
cppcheck --xml --xml-version = 2 src/ 2
cppcheck-report.xml --enable= value What it checks warning Undefined behaviour, bad practices performance Redundant operations, inefficient patterns portability Non-portable constructs information Configuration and usage notes all Everything above 7. Path-sensitive analysis with scan-build
Intercept a Make build
scan-build make
Intercept CMake build
scan-build cmake --build build/
Show HTML report
scan-view /tmp/scan-build-*/
With specific checkers
scan-build -enable-checker security.insecureAPI.gets \ -enable-checker alpha.unix.cstring.BufferOverlap \ make scan-build finds deeper bugs than clang-tidy: use-after-free across functions, dead stores from logic errors, null dereferences on complex paths. 8. CI integration
GitHub Actions
- name : Static analysis run : | cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON run-clang-tidy -p build -j$(nproc) -warnings-as-errors '*' - name : cppcheck run : | cppcheck --enable=warning,performance \ --suppress=missingIncludeSystem \ --error-exitcode=1 \ src/ For clang-tidy check details, see references/clang-tidy-checks.md .