askill
static-analysis

static-analysisSafety 100Repository

Static analysis skill for C/C++ codebases. Use when hardening code quality, triaging noisy builds, running clang-tidy, cppcheck, or scan-build, interpreting check categories, suppressing false positives, or integrating static analysis into CI. Activates on queries about clang-tidy checks, cppcheck, scan-build, compile_commands.json, code hardening, or static analysis warnings.

static-analysismohitmishra786
17 stars
1.2k downloads
Updated 2/20/2026

Package Files

Loading files...
SKILL.md

Static Analysis

Purpose

Guide agents through selecting, running, and triaging static analysis tools for C/C++ — clang-tidy, cppcheck, and scan-build — including suppression strategies and CI integration.

Triggers

  • "How do I run clang-tidy on my project?"
  • "What clang-tidy checks should I enable?"
  • "cppcheck is reporting false positives — how do I suppress them?"
  • "How do I set up scan-build for deeper analysis?"
  • "My build is noisy with static analysis warnings"
  • "How do I generate compile_commands.json for clang-tidy?"

Workflow

1. Generate compile_commands.json

clang-tidy requires a compilation database:

# CMake (preferred)
cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
ln -s build/compile_commands.json .

# Bear (for Make-based projects)
bear -- make

# compiledb (alternative for Make)
pip install compiledb
compiledb make

2. Run clang-tidy

# Single file
clang-tidy src/foo.c -- -std=c11 -I include/

# Whole project via compile_commands.json
run-clang-tidy -p build/ -j$(nproc)

# With specific checks enabled
clang-tidy -checks='bugprone-*,modernize-*,performance-*' src/foo.cpp

# Apply auto-fixes
clang-tidy -checks='modernize-use-nullptr' -fix src/foo.cpp

3. Check category decision tree

Goal?
├── Find real bugs            → bugprone-*, clang-analyzer-*
├── Modernise C++ code        → modernize-*
├── Follow core guidelines    → cppcoreguidelines-*
├── Catch performance issues  → performance-*
├── Security hardening        → cert-*, hicpp-*
└── Readability / style       → readability-*, llvm-*
CategoryKey checksWhat it catches
bugprone-*use-after-move, integer-division, suspicious-memset-usageLikely bugs
modernize-*use-nullptr, use-override, use-autoC++11/14/17 idioms
cppcoreguidelines-*avoid-goto, pro-bounds-*, no-mallocC++ Core Guidelines
performance-*unnecessary-copy-initialization, avoid-endlPerformance regressions
clang-analyzer-*core.*, unix.*, security.*Path-sensitive bugs
cert-*err34-c, str51-cppCERT coding standard

4. .clang-tidy configuration file

# .clang-tidy — place at project root
Checks: >
  bugprone-*,
  modernize-*,
  performance-*,
  -modernize-use-trailing-return-type,
  -bugprone-easily-swappable-parameters
WarningsAsErrors: 'bugprone-*,clang-analyzer-*'
HeaderFilterRegex: '^(src|include)/.*'
CheckOptions:
  - key: modernize-loop-convert.MinConfidence
    value: reasonable
  - key: readability-identifier-naming.VariableCase
    value: camelCase

5. Suppress false positives

// Suppress a single line
int result = riskyOp(); // NOLINT(bugprone-signed-char-misuse)

// Suppress a block
// NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers)
constexpr int BUFFER_SIZE = 4096;

// Suppress whole function
[[clang::suppress("bugprone-*")]]
void legacy_code() { /* ... */ }

Or in .clang-tidy:

# Exclude third-party directories
HeaderFilterRegex: '^(src|include)/.*'
# Disable specific checks
Checks: '-bugprone-easily-swappable-parameters'

6. Run cppcheck

# Basic run
cppcheck --enable=all --std=c11 src/

# With compile_commands.json
cppcheck --project=build/compile_commands.json

# Include specific checks and suppress noise
cppcheck --enable=warning,performance,portability \
         --suppress=missingIncludeSystem \
         --suppress=unmatchedSuppression \
         --error-exitcode=1 \
         src/

# Generate XML report for CI
cppcheck --xml --xml-version=2 src/ 2> cppcheck-report.xml
--enable= valueWhat it checks
warningUndefined behaviour, bad practices
performanceRedundant operations, inefficient patterns
portabilityNon-portable constructs
informationConfiguration and usage notes
allEverything above

7. Path-sensitive analysis with scan-build

# Intercept a Make build
scan-build make

# Intercept CMake build
scan-build cmake --build build/

# Show HTML report
scan-view /tmp/scan-build-*/

# With specific checkers
scan-build -enable-checker security.insecureAPI.gets \
           -enable-checker alpha.unix.cstring.BufferOverlap \
           make

scan-build finds deeper bugs than clang-tidy: use-after-free across functions, dead stores from logic errors, null dereferences on complex paths.

8. CI integration

# GitHub Actions
- name: Static analysis
  run: |
    cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
    run-clang-tidy -p build -j$(nproc) -warnings-as-errors '*'

- name: cppcheck
  run: |
    cppcheck --enable=warning,performance \
             --suppress=missingIncludeSystem \
             --error-exitcode=1 \
             src/

For clang-tidy check details, see references/clang-tidy-checks.md.

Related skills

  • Use skills/compilers/clang for Clang toolchain and diagnostic flags
  • Use skills/compilers/gcc for GCC warnings as complementary analysis
  • Use skills/runtimes/sanitizers for runtime bug detection alongside static analysis
  • Use skills/build-systems/cmake for CMAKE_EXPORT_COMPILE_COMMANDS setup

Install

Download ZIP
Requires askill CLI v1.0+

AI Quality Score

94/100Analyzed 2/24/2026

Excellent static analysis skill with comprehensive coverage of clang-tidy, cppcheck, and scan-build. Provides 8 detailed workflow steps with actionable commands, configuration examples, check category decision tree, suppression strategies, and CI integration. Located in proper skills folder structure. Only minor issue is the misplaced 'database' tag which doesn't match the content. Very high reusability and actionability."

100
95
90
95
95

Metadata

Licenseunknown
Version-
Updated2/20/2026
Publishermohitmishra786

Tags

ci-cddatabasegithubgithub-actionssecurity