Static Analysis Workflow Guide

🔒 Cppcheck Security Analysis


The Static Analysis workflow runs cppcheck via Docker for comprehensive C/C++ code analysis with configurable strictness.

🎯 Overview

Purpose: Security and quality analysis with cppcheck

Key Features:

  • Docker-based cppcheck execution
  • XML and text output formats
  • Configurable strictness levels
  • Artifact storage

Use Case: Security scanning and bug detection in C/C++ code

⚙️ Inputs

📁 Analysis Scope

Input   Type     Required   Default             Description
paths   string              src inc examples    Space-separated directories to analyze

⚙️ Analysis Configuration

Input    Type      Required   Default   Description
std      string               c++17     C++ standard for analysis
strict   boolean              false     Fail job if issues found

📤 Outputs

Output                Description
cppcheck_report.xml   XML format analysis report
cppcheck_output.txt   Human-readable output
Artifacts             Uploaded reports for review

🚀 Usage Examples

Basic Usage

jobs:
  static:
    uses: N3b3x/hf-general-ci-tools/.github/workflows/c-cpp-static-analysis.yml@v1
    with:
      paths: "src include"
      std: "c++17"
      strict: false

Strict Mode

jobs:
  static:
    uses: N3b3x/hf-general-ci-tools/.github/workflows/c-cpp-static-analysis.yml@v1
    with:
      paths: "src include"
      std: "c++20"
      strict: true  # Fail on any issues

Custom Paths

jobs:
  static:
    uses: N3b3x/hf-general-ci-tools/.github/workflows/c-cpp-static-analysis.yml@v1
    with:
      paths: "src lib tests"
      std: "c++14"
      strict: false

⚙️ Configuration

cppcheck Configuration

The workflow uses these cppcheck options:

cppcheck \
  --enable=warning,style,performance,portability \
  --suppress=missingIncludeSystem \
  --inline-suppr \
  --std=c++17 \
  --xml \
  --output-file=cppcheck_report.xml

Suppression Files

Create a .cppcheck-suppressions file for false positives:

# Suppression list for known false positives; cppcheck loads a file like this with --suppressions-list=<file>.
# One entry per line in the form [error id]:[filename]:[line]; lines starting with '#' are comments.
unusedFunction:src/legacy.c
missingInclude:src/third_party.h
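As an added example (not the workflow's or cppcheck's own code), the Python below shows how the strict input can be enforced from the uploaded cppcheck_report.xml while honouring a suppression list in the format above. The report and suppression list it parses are constructed samples, and the gate, load_findings and parse_suppressions names are this example's own.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed cppcheck XML (version 2) report in the shape --xml --output-file writes.
SAMPLE_REPORT = """<results version="2">
  <errors>
    <error id="arrayIndexOutOfBounds" severity="error" msg="Array 'buf[8]' accessed at index 8, which is out of bounds.">
      <location file="src/parse.c" line="42" column="5"/>
    </error>
    <error id="unusedFunction" severity="style" msg="The function 'legacy_init' is never used.">
      <location file="src/legacy.c" line="10" column="0"/>
    </error>
    <error id="missingInclude" severity="information" msg="Include file: &quot;vendor.h&quot; not found.">
      <location file="src/third_party.h" line="3" column="0"/>
    </error>
  </errors>
</results>"""

# Constructed suppression list in cppcheck's format: one [error id]:[filename]:[line] per line.
SAMPLE_SUPPRESSIONS = """# known false positives
unusedFunction:src/legacy.c
missingInclude:src/third_party.h
"""
def parse_suppressions(text):
    """Return (id, filename glob or None, line or None) rules from a suppression list."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blanks and '#' comment lines carry no rule
            continue
        parts = (line.split(":") + [None, None])[:3]
        rules.append((parts[0], parts[1] or None, int(parts[2]) if parts[2] else None))
    return rules

def load_findings(xml_text):
    findings = []  # (id, severity, file, line) per <error>, taken from its first <location>
    for err in ET.fromstring(xml_text).iter("error"):
        loc = err.find("location")  # a few ids are reported without any location
        path, line = (loc.get("file"), int(loc.get("line"))) if loc is not None else ("", 0)
        findings.append((err.get("id"), err.get("severity"), path, line))
    return findings

def gate(xml_text, suppressions_text, strict):
    """Return (unsuppressed findings, should_fail); strict fails the job on any remaining finding."""
    rules = parse_suppressions(suppressions_text)
    def suppressed(fid, path, line):  # id must match; filename glob and line are optional
        return any(fid == rid and (pat is None or fnmatch.fnmatch(path, pat))
                   and (rline is None or rline == line) for rid, pat, rline in rules)
    remaining = [f for f in load_findings(xml_text) if not suppressed(f[0], f[2], f[3])]
    return remaining, bool(strict and remaining)
```

With the sample inputs, the two suppressed findings drop out and the remaining out-of-bounds access fails the gate only when strict is set.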

🔧 Troubleshooting

Common Issues

Analysis Fails

  • Verify source directories exist
  • Check Docker is available
  • Ensure paths are space-separated

Too Many False Positives

  • Use suppression files
  • Adjust enabled checks
  • Review cppcheck configuration

Strict Mode Too Restrictive

  • Set strict: false for development
  • Review issues before enabling strict mode
  • Use suppressions for known false positives