Skip to content

Add pvs skill to run PVS-Studio analysis for a board#3695

Merged
hathach merged 4 commits into
masterfrom
claude/adoring-pasteur-kbaFa
Jun 11, 2026
Merged

Add pvs skill to run PVS-Studio analysis for a board#3695
hathach merged 4 commits into
masterfrom
claude/adoring-pasteur-kbaFa

Conversation

@hathach

@hathach hathach commented Jun 11, 2026

Copy link
Copy Markdown
Owner

Summary

Adds a pvs agent skill that wraps the PVS-Studio static-analysis flow (SAST + MISRA C:2023 / C++:2008) for a given board, mirroring the static_analysis.yml CI invocation so findings can be reproduced locally.

What's included

  • .claude/skills/pvs/SKILL.md — usage/notes: when to run it, board selection (raspberry_pi_pico mirrors CI, stm32f407disco is fastest with no external SDK), file-scoping via -S, and timing expectations.
  • .claude/skills/pvs/run_pvs.sh — builds all examples for the board with compile_commands.json exported, runs pvs-studio-analyzer against .PVS-Studio/.pvsconfig, and writes pvs-<board>.log + pvs-<board>.sarif plus printed errorfile findings. Uses a license file or $PVS_STUDIO_CREDENTIALS. Extra args pass through to the analyzer.
  • AGENTS.md — corrects the PVS-Studio -S / --dump-files documentation.

Sits alongside the existing code-size and hil skills under .claude/skills/.

Test

  • Ran .claude/skills/pvs/run_pvs.sh raspberry_pi_pico end-to-end: builds the example set, exports the compile DB, and produces the .log/.sarif outputs as documented.

https://claude.ai/code/session_015inWmFhRYSq17CxMukdoqX


Generated by Claude Code

claude added 2 commits June 5, 2026 07:27
Bundle a run_pvs.sh helper (takes BOARD as its first argument) that
follows the PVS-Studio static-analysis flow from AGENTS.md: build all
examples with an exported compile_commands.json, run pvs-studio-analyzer
against .PVS-Studio/.pvsconfig, then emit errorfile + SARIF reports.

https://claude.ai/code/session_015inWmFhRYSq17CxMukdoqX
The AGENTS.md '-S src/foo.c' example was inaccurate: -S takes a plaintext
file listing source paths, not paths directly. Drop --dump-files from the
documented commands (it scatters .PVS-Studio.i/.cfg dumps across the tree;
FP-debugging only) and reference the new pvs skill.

https://claude.ai/code/session_015inWmFhRYSq17CxMukdoqX
Copilot AI review requested due to automatic review settings June 11, 2026 14:48

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c3b4ef03aa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

-f "${COMPILE_DB}" \
-R .PVS-Studio/.pvsconfig \
-o "${REPORT_LOG}" -j"${JOBS}" \
--misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser \

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve CI security markings in local PVS output

The skill is documented as reproducing the CI SAST+MISRA run, but this analyzer invocation omits the --security-related-issues flag used by the PVS-Studio job in .github/workflows/static_analysis.yml:129; PVS documents that flag as adding SAST markup for potential security warnings. When a developer uses this script to compare with CI security output, the generated SARIF will not carry the same security classification, making local triage diverge from CI.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — confirmed. Added --security-related-issues to the analyzer invocation (and to the AGENTS.md command blocks) in 65b2aeb so local runs carry the same SAST classification as the CI job in static_analysis.yml.


Generated by Claude Code

BUILD_DIR="examples/cmake-build-${BOARD}"
COMPILE_DB="${BUILD_DIR}/compile_commands.json"
REPORT_LOG="pvs-${BOARD}.log"
SARIF_OUT="pvs-${BOARD}.sarif"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid leaving untracked SARIF after each run

This writes pvs-${BOARD}.sarif in the repository root, but the repo ignore rules only cover *.log and .PVS-Studio, not SARIF files. A successful run therefore leaves an untracked artifact in the worktree even though the script explicitly avoids dump files to keep the tree clean; write it under an ignored output directory or add an ignore pattern for this artifact.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed — .gitignore only covered *.log/.PVS-Studio, so a run left pvs-<board>.sarif untracked. Added *.sarif to .gitignore in 65b2aeb so the worktree stays clean after a run.


Generated by Claude Code

@claude

claude Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

…output

- Add --security-related-issues to run_pvs.sh and AGENTS.md analyze commands
  so local runs reproduce the CI SAST classification (static_analysis.yml).
- Ignore *.sarif so a successful run leaves the worktree clean.

Addresses Codex review on #3695.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new pvs agent skill alongside existing .claude/skills/* helpers to reproduce the repository’s PVS‑Studio static-analysis flow locally for a chosen board, and updates contributor docs to explain correct PVS -S usage.

Changes:

  • Document PVS‑Studio usage in AGENTS.md, including correcting -S to take a plaintext file list.
  • Add .claude/skills/pvs/ with a skill definition and a run_pvs.sh wrapper that builds examples and produces .log + .sarif outputs.
  • Align static-analysis documentation with the intended local reproduction workflow.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.

File Description
AGENTS.md Updates PVS-Studio docs (incl. correcting -S usage) and references the new pvs skill.
.claude/skills/pvs/SKILL.md Defines the new pvs skill and documents how to run board-scoped PVS analysis.
.claude/skills/pvs/run_pvs.sh Implements the local wrapper to build examples, run PVS-Studio, and emit errorfile + SARIF output.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .claude/skills/pvs/run_pvs.sh Outdated
Comment on lines +40 to +43
if [ -n "${PVS_STUDIO_CREDENTIALS:-}" ]; then
echo ">>> Registering PVS-Studio license from PVS_STUDIO_CREDENTIALS"
# shellcheck disable=SC2086 # credentials expects two whitespace-separated args
pvs-studio-analyzer credentials $PVS_STUDIO_CREDENTIALS

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in dd31ba4 — now parses into two quoted fields with read -r _pvs_name _pvs_key <<< "$PVS_STUDIO_CREDENTIALS" and passes "$_pvs_name" "$_pvs_key", so a key with glob chars or extra spaces can't be expanded/word-split.


Generated by Claude Code

Comment on lines +68 to +73
pvs-studio-analyzer analyze \
-f "${COMPILE_DB}" \
-R .PVS-Studio/.pvsconfig \
-o "${REPORT_LOG}" -j"${JOBS}" \
--misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser \
"$@"
Comment thread AGENTS.md
Comment on lines 162 to 166
pvs-studio-analyzer analyze \
-f examples/cmake-build-raspberry_pi_pico/compile_commands.json \
-R .PVS-Studio/.pvsconfig \
-o pvs-report.log -j12 --dump-files \
-o pvs-report.log -j12 \
--misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already added in 65b2aeb--security-related-issues is now in both AGENTS.md command blocks and in run_pvs.sh.


Generated by Claude Code

Comment thread AGENTS.md
Comment on lines 170 to 175
pvs-studio-analyzer analyze \
-f examples/cmake-build-raspberry_pi_pico/compile_commands.json \
-R .PVS-Studio/.pvsconfig \
-S src/foo.c -S src/bar.c \
-o pvs-report.log -j12 --dump-files \
-S files.txt \
-o pvs-report.log -j12 \
--misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already added in 65b2aeb--security-related-issues is now in this command block too.


Generated by Claude Code

Comment thread AGENTS.md Outdated
Comment on lines +156 to +158
Requires `compile_commands.json` (CMake `-DCMAKE_EXPORT_COMPILE_COMMANDS=ON`). The
`pvs` skill (`.claude/skills/pvs/SKILL.md`) wraps the build + analyze flow for a
board; the commands below are the underlying steps.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed and fixed in dd31ba4hw/bsp/family_support.cmake sets CMAKE_EXPORT_COMPILE_COMMANDS ON, so the examples build exports the compile DB by default. Reworded the AGENTS.md note to say so instead of implying -D...=ON is required.


Generated by Claude Code

… default

- Parse PVS_STUDIO_CREDENTIALS into two quoted fields (no glob/word-split).
- AGENTS.md: examples build sets CMAKE_EXPORT_COMPILE_COMMANDS ON already.

Addresses Copilot review on #3695.
@github-actions

Copy link
Copy Markdown

MemBrowse Memory Report

No memory changes detected across 2362 targets. View Project Dashboard →

@hathach

hathach commented Jun 11, 2026

Copy link
Copy Markdown
Owner Author

Thanks @copilot — all five points were already addressed (the review was against c3b4ef0, before the fixes landed):

  • --security-related-issues missing in run_pvs.sh and both AGENTS.md command blocks (run_pvs.sh:73, AGENTS.md:166/175) → added in 65b2aeb
  • Unquoted $PVS_STUDIO_CREDENTIALS word-split/glob risk (run_pvs.sh:43) → now read -r into two quoted args in dd31ba4
  • AGENTS.md implying -DCMAKE_EXPORT_COMPILE_COMMANDS=ON is required (AGENTS.md:158) → reworded to note family_support.cmake exports it by default, in dd31ba4

(Codex's two P2s — the security flag and the untracked *.sarif — were the same/adjacent and are covered by those commits + a *.sarif gitignore entry.)


Generated by Claude Code

@hathach hathach merged commit 5014146 into master Jun 11, 2026
293 checks passed
@hathach hathach deleted the claude/adoring-pasteur-kbaFa branch June 11, 2026 16:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants