This repository was archived by the owner on Apr 5, 2026. It is now read-only.

CI: add static analysis (clang-tidy, cppcheck) #52

@dvershinin


Problem

We have basic GitHub Actions CI but no static analysis. For a C codebase handling network protocols, static analysis catches buffer overflows, null pointer dereferences, and memory leaks that testing alone may miss.

Prior Art

  • mtg: CodeQL + govulncheck in GitHub Actions
  • Industry standard for C projects: clang-tidy, cppcheck, Coverity

Proposed Tools

clang-tidy (recommended)

  • Best integration with Clang/LLVM toolchain
  • Checks: bugprone-*, security-*, cert-*, clang-analyzer-*
  • Can fix some issues automatically

cppcheck

  • Standalone, no build system integration needed
  • Good at finding buffer overflows and undefined behavior
  • Low false positive rate

CodeQL (GitHub-native)

  • Free for open-source repos
  • Runs as GitHub Action
  • Catches security-relevant patterns (CWEs)

Proposed CI Addition

- name: Static Analysis
  run: |
    # GitHub-hosted runners are not root, so apt needs sudo
    sudo apt-get update && sudo apt-get install -y cppcheck
    # "warning" adds likely-bug diagnostics on top of the always-on "error"
    # severity (cppcheck has no "security" --enable value and rejects it);
    # --error-exitcode=1 makes any finding fail the step
    cppcheck --enable=warning --error-exitcode=1 \
      --suppress=missingInclude \
      net/ mtproto/ common/ crypto/ engine/

Priority

Low-effort addition to existing CI. Can start with cppcheck (zero config) and add clang-tidy later.
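A complete workflow wiring up all three proposed tools, as an added example that is not part of the issue or of the project's own CI. It assumes a CMake build (so a compile_commands.json can be generated for clang-tidy) and uses the directory names from the proposal above.

```yaml
# Added example, not the project's own workflow: wires up the three tools
# proposed above. Assumes a CMake build (so compile_commands.json can be
# generated for clang-tidy); directory names are the ones from the issue.
name: static-analysis

on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # lets CodeQL upload its SARIF results

jobs:
  cppcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: sudo apt-get update && sudo apt-get install -y cppcheck
      # "warning" adds likely-bug diagnostics on top of the always-on "error"
      # severity (buffer overflows, null dereferences); --error-exitcode=1
      # makes any finding fail the job.
      - run: |
          cppcheck --enable=warning --error-exitcode=1 \
            --inline-suppr --suppress=missingInclude \
            net/ mtproto/ common/ crypto/ engine/

  clang-tidy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: sudo apt-get update && sudo apt-get install -y clang-tidy cmake
      # Assumption: CMake build. The compilation database gives clang-tidy the
      # real include paths and macros instead of guesses.
      - run: cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
      - run: |
          find net mtproto common crypto engine -name '*.c' -print0 \
            | xargs -0 clang-tidy -p build \
                --checks='-*,bugprone-*,cert-*,clang-analyzer-*' \
                --warnings-as-errors='*'

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: c-cpp
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

The three jobs run independently, so a cppcheck finding does not block the CodeQL upload and each tool's results can be triaged separately.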
