Add pvs skill to run PVS-Studio analysis for a board#3695
Conversation
Bundle a run_pvs.sh helper (takes BOARD as its first argument) that follows the PVS-Studio static-analysis flow from AGENTS.md: build all examples with an exported compile_commands.json, run pvs-studio-analyzer against .PVS-Studio/.pvsconfig, then emit errorfile + SARIF reports. https://claude.ai/code/session_015inWmFhRYSq17CxMukdoqX
The AGENTS.md '-S src/foo.c' example was inaccurate: -S takes a plaintext file listing source paths, not paths directly. Drop --dump-files from the documented commands (it scatters .PVS-Studio.i/.cfg dumps across the tree; FP-debugging only) and reference the new pvs skill. https://claude.ai/code/session_015inWmFhRYSq17CxMukdoqX
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c3b4ef03aa
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| -f "${COMPILE_DB}" \ | ||
| -R .PVS-Studio/.pvsconfig \ | ||
| -o "${REPORT_LOG}" -j"${JOBS}" \ | ||
| --misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser \ |
There was a problem hiding this comment.
Preserve CI security markings in local PVS output
The skill is documented as reproducing the CI SAST+MISRA run, but this analyzer invocation omits the --security-related-issues flag used by the PVS-Studio job in .github/workflows/static_analysis.yml:129; PVS documents that flag as adding SAST markup for potential security warnings. When a developer uses this script to compare with CI security output, the generated SARIF will not carry the same security classification, making local triage diverge from CI.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Good catch — confirmed. Added --security-related-issues to the analyzer invocation (and to the AGENTS.md command blocks) in 65b2aeb so local runs carry the same SAST classification as the CI job in static_analysis.yml.
Generated by Claude Code
| BUILD_DIR="examples/cmake-build-${BOARD}" | ||
| COMPILE_DB="${BUILD_DIR}/compile_commands.json" | ||
| REPORT_LOG="pvs-${BOARD}.log" | ||
| SARIF_OUT="pvs-${BOARD}.sarif" |
There was a problem hiding this comment.
Avoid leaving untracked SARIF after each run
This writes pvs-${BOARD}.sarif in the repository root, but the repo ignore rules only cover *.log and .PVS-Studio, not SARIF files. A successful run therefore leaves an untracked artifact in the worktree even though the script explicitly avoids dump files to keep the tree clean; write it under an ignored output directory or add an ignore pattern for this artifact.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Confirmed — .gitignore only covered *.log/.PVS-Studio, so a run left pvs-<board>.sarif untracked. Added *.sarif to .gitignore in 65b2aeb so the worktree stays clean after a run.
Generated by Claude Code
Code reviewNo issues found. Checked for bugs and CLAUDE.md compliance. |
…output - Add --security-related-issues to run_pvs.sh and AGENTS.md analyze commands so local runs reproduce the CI SAST classification (static_analysis.yml). - Ignore *.sarif so a successful run leaves the worktree clean. Addresses Codex review on #3695.
There was a problem hiding this comment.
Pull request overview
Adds a new pvs agent skill alongside existing .claude/skills/* helpers to reproduce the repository’s PVS‑Studio static-analysis flow locally for a chosen board, and updates contributor docs to explain correct PVS -S usage.
Changes:
- Document PVS‑Studio usage in
AGENTS.md, including correcting-Sto take a plaintext file list. - Add
.claude/skills/pvs/with a skill definition and arun_pvs.shwrapper that builds examples and produces.log+.sarifoutputs. - Align static-analysis documentation with the intended local reproduction workflow.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| AGENTS.md | Updates PVS-Studio docs (incl. correcting -S usage) and references the new pvs skill. |
| .claude/skills/pvs/SKILL.md | Defines the new pvs skill and documents how to run board-scoped PVS analysis. |
| .claude/skills/pvs/run_pvs.sh | Implements the local wrapper to build examples, run PVS-Studio, and emit errorfile + SARIF output. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if [ -n "${PVS_STUDIO_CREDENTIALS:-}" ]; then | ||
| echo ">>> Registering PVS-Studio license from PVS_STUDIO_CREDENTIALS" | ||
| # shellcheck disable=SC2086 # credentials expects two whitespace-separated args | ||
| pvs-studio-analyzer credentials $PVS_STUDIO_CREDENTIALS |
There was a problem hiding this comment.
Fixed in dd31ba4 — now parses into two quoted fields with read -r _pvs_name _pvs_key <<< "$PVS_STUDIO_CREDENTIALS" and passes "$_pvs_name" "$_pvs_key", so a key with glob chars or extra spaces can't be expanded/word-split.
Generated by Claude Code
| pvs-studio-analyzer analyze \ | ||
| -f "${COMPILE_DB}" \ | ||
| -R .PVS-Studio/.pvsconfig \ | ||
| -o "${REPORT_LOG}" -j"${JOBS}" \ | ||
| --misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser \ | ||
| "$@" |
| pvs-studio-analyzer analyze \ | ||
| -f examples/cmake-build-raspberry_pi_pico/compile_commands.json \ | ||
| -R .PVS-Studio/.pvsconfig \ | ||
| -o pvs-report.log -j12 --dump-files \ | ||
| -o pvs-report.log -j12 \ | ||
| --misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser |
There was a problem hiding this comment.
Already added in 65b2aeb — --security-related-issues is now in both AGENTS.md command blocks and in run_pvs.sh.
Generated by Claude Code
| pvs-studio-analyzer analyze \ | ||
| -f examples/cmake-build-raspberry_pi_pico/compile_commands.json \ | ||
| -R .PVS-Studio/.pvsconfig \ | ||
| -S src/foo.c -S src/bar.c \ | ||
| -o pvs-report.log -j12 --dump-files \ | ||
| -S files.txt \ | ||
| -o pvs-report.log -j12 \ | ||
| --misra-c-version 2023 --misra-cpp-version 2008 --use-old-parser |
There was a problem hiding this comment.
Already added in 65b2aeb — --security-related-issues is now in this command block too.
Generated by Claude Code
| Requires `compile_commands.json` (CMake `-DCMAKE_EXPORT_COMPILE_COMMANDS=ON`). The | ||
| `pvs` skill (`.claude/skills/pvs/SKILL.md`) wraps the build + analyze flow for a | ||
| board; the commands below are the underlying steps. |
There was a problem hiding this comment.
Confirmed and fixed in dd31ba4 — hw/bsp/family_support.cmake sets CMAKE_EXPORT_COMPILE_COMMANDS ON, so the examples build exports the compile DB by default. Reworded the AGENTS.md note to say so instead of implying -D...=ON is required.
Generated by Claude Code
… default - Parse PVS_STUDIO_CREDENTIALS into two quoted fields (no glob/word-split). - AGENTS.md: examples build sets CMAKE_EXPORT_COMPILE_COMMANDS ON already. Addresses Copilot review on #3695.
|
|
Thanks @copilot — all five points were already addressed (the review was against
(Codex's two P2s — the security flag and the untracked Generated by Claude Code |
Summary
Adds a
pvsagent skill that wraps the PVS-Studio static-analysis flow (SAST + MISRA C:2023 / C++:2008) for a given board, mirroring thestatic_analysis.ymlCI invocation so findings can be reproduced locally.What's included
.claude/skills/pvs/SKILL.md— usage/notes: when to run it, board selection (raspberry_pi_picomirrors CI,stm32f407discois fastest with no external SDK), file-scoping via-S, and timing expectations..claude/skills/pvs/run_pvs.sh— builds all examples for the board withcompile_commands.jsonexported, runspvs-studio-analyzeragainst.PVS-Studio/.pvsconfig, and writespvs-<board>.log+pvs-<board>.sarifplus printed errorfile findings. Uses a license file or$PVS_STUDIO_CREDENTIALS. Extra args pass through to the analyzer.AGENTS.md— corrects the PVS-Studio-S/--dump-filesdocumentation.Sits alongside the existing
code-sizeandhilskills under.claude/skills/.Test
.claude/skills/pvs/run_pvs.sh raspberry_pi_picoend-to-end: builds the example set, exports the compile DB, and produces the.log/.sarifoutputs as documented.https://claude.ai/code/session_015inWmFhRYSq17CxMukdoqX
Generated by Claude Code