Any smart folks out there know of a good Static Code analyzer for C code?

Preferably understands GCC, and is under the GNU license.

Thanks in advance!

@craigmaloney define good? Personally, I just use a good IDE/Text editor for code review. Most of the scanners out there will throw so many false positives they're just not worth running for the low hanging fruit they find.

@tduehr This was more for automated checking of an existing codebase without having to edit every single file.

@craigmaloney That's depend's on how thorough you need to be.

If you're just looking for a sniff test, all I can add is cppcheck. Though, I haven't used it myself. It also seems like gcc and clang have added some analysis features.

Just remember, analysis tools will only catch flaws in the programs logic and even then they're only going to do so well. They'll never catch business logic flaws (e.g., authz/authn) and usually are limited to the most glaring of logic issues.

@tduehr Thanks. This is for a friend who was planning on writing a regex pattern to check array lengths which brought up the question and the "there has to be a better way". 😁


@craigmaloney if you're just looking for that type of bug then something like cppcheck should work well.

The biggest problem w regexes is the number of false positives in comments.

@tduehr Yeah, using regex to parse anything related to code or XML is a blunt instrument (and a fool's errand IMHO).

@craigmaloney again, that depends on your goals... if you have a specific string you need to find, regex can be useful for code. If you'd like to waken the Old Ones, by all means, go ahead and use regex to parse XML.

Sign in to participate in the conversation

Everyone is welcome as long as you follow our code of conduct! Thank you. is maintained by Sujitech, LLC.