# Cppcheck — Static Analysis Tool for C and C++ Code

> Detect bugs, undefined behavior, and dangerous coding patterns in C/C++ projects without false-positive noise.

## Quick Use

```bash
# Install
sudo apt install cppcheck   # Debian/Ubuntu
brew install cppcheck       # macOS

# Analyze a project
cppcheck --enable=all --std=c++17 src/

# Specific file with XML output
cppcheck --xml --output-file=report.xml main.cpp
```

## Introduction

Cppcheck is a static analysis tool for C and C++ code that focuses on detecting real bugs rather than stylistic issues. It catches undefined behavior, memory leaks, buffer overflows, and null pointer dereferences with a low false-positive rate, making it practical for daily use in CI pipelines.

## What Cppcheck Does

- Detects undefined behavior, out-of-bounds access, and use-after-free errors
- Finds memory leaks, resource leaks, and missing deallocations
- Identifies null pointer dereferences through path-sensitive analysis
- Checks for MISRA C and MISRA C++ compliance in safety-critical projects
- Supports custom rules and suppressions to reduce noise for specific codebases

## Architecture Overview

Cppcheck parses C/C++ source files into an abstract syntax tree and applies a library of checkers that perform flow-sensitive analysis. Value flow tracking propagates known values through assignments and branches to detect issues on specific code paths. The tool does not use a full preprocessor; instead, it analyzes all possible preprocessor configurations by default. Check libraries describe the behavior of standard and third-party APIs (such as POSIX, Qt, OpenSSL) so the analyzer understands function contracts without seeing their source.

## Self-Hosting & Configuration

- Install via system package managers (apt, brew, choco) or build from source with CMake
- Configure check severity levels: error, warning, style, performance, and portability
- Use `--suppress` and inline comments to silence known false positives
- Add check libraries (XML files) for project-specific APIs and frameworks
- Integrate with CI via XML, SARIF, or plain-text output and the `--error-exitcode` flag

## Key Features

- Low false-positive rate by design: every reported issue should be a real problem
- MISRA C/C++ compliance checking for automotive, medical, and safety-critical software
- Multi-threaded analysis with the `-j` flag for faster scanning of large codebases
- IDE integrations for VS Code, CLion, Visual Studio, and Eclipse
- Check library system that models external API contracts without needing their source code

## Comparison with Similar Tools

- **Clang-Tidy** — part of the LLVM project with broader refactoring capabilities; Cppcheck focuses on bug detection with fewer false positives
- **PVS-Studio** — commercial analyzer with deeper analysis; Cppcheck is free and open-source
- **Coverity** — enterprise-grade with CI integration; Cppcheck runs locally with zero setup
- **GCC -fanalyzer** — built into GCC 10+; Cppcheck works across compilers and has a wider checker set
- **SonarQube C++** — platform-based with dashboards; Cppcheck is a standalone CLI tool

## FAQ

**Q: Does Cppcheck replace compiler warnings?**

A: No. Use both. Cppcheck finds issues that compilers miss, like cross-function null pointer dereferences and resource leaks.

**Q: How do I integrate Cppcheck with CI?**

A: Run `cppcheck --error-exitcode=1` in your CI script. It returns non-zero if errors are found. Use `--xml` for machine-readable output.

**Q: Can Cppcheck analyze C++ header-only libraries?**

A: Yes. Point it at the header files. It will parse templates and inline functions.

**Q: Does it support C++20 and later?**

A: Yes. Cppcheck supports modern C++ standards including C++20. Use the `--std` flag to specify the standard version.

## Sources

- https://github.com/danmar/cppcheck
- https://cppcheck.sourceforge.io/

---

Source: https://tokrepo.com/en/workflows/asset-105edd89
Author: Script Depot
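The CI gate sketched in the configuration and FAQ sections (`--xml` output, severity levels, `--suppress`, `--error-exitcode`), as an added example that is not part of the original page or of Cppcheck itself: a Python script that parses a Cppcheck XML report, honours `--suppress`-style entries and fails the build at a chosen severity. The report embedded in it is constructed; the element and attribute names follow Cppcheck's version 2 XML layout, and `SEVERITY_RANK`, `parse_report` and `gate` are names chosen for this example.

```python
"""Added example: gate a CI job on a Cppcheck --xml (version 2) report. SAMPLE_REPORT is
constructed; its element/attribute names follow the results/errors/error/location layout."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="sample"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Null pointer dereference: buf" cwe="476">
      <location file="src/parse.c" line="42" column="9"/>
    </error>
    <error id="arrayIndexOutOfBounds" severity="error" msg="Array 'hdr[16]' accessed at index 16, which is out of bounds." cwe="788">
      <location file="src/net.c" line="118" column="5"/>
    </error>
    <error id="unusedVariable" severity="style" msg="Unused variable: tmp">
      <location file="src/main.c" line="7" column="9"/>
    </error>
    <error id="missingIncludeSystem" severity="information" msg="Include file not found"/>
  </errors>
</results>
"""

# Cppcheck's severity levels, most to least serious; the rank decides what blocks the build.
SEVERITY_RANK = {"error": 0, "warning": 1, "performance": 2,
                 "portability": 3, "style": 4, "information": 5}

def parse_report(xml_text):
    """Return one dict per <error>: id, severity, msg, CWE and first location."""
    findings = []
    for err in ET.fromstring(xml_text).iter("error"):
        loc = err.find("location")  # absent on file-level notes such as missing includes
        findings.append({
            "id": err.get("id"), "severity": err.get("severity"),
            "msg": err.get("msg"), "cwe": err.get("cwe"),
            "file": loc.get("file") if loc is not None else None,
            "line": int(loc.get("line")) if loc is not None else None,
        })
    return findings

def gate(findings, fail_on="warning", suppress=()):
    """Mimic --error-exitcode: return (exit_code, blocking findings, counts per severity).
    suppress entries use --suppress syntax: "<id>" or "<id>:<file>"."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings
                if f["id"] not in suppress and f"{f['id']}:{f['file']}" not in suppress
                and SEVERITY_RANK.get(f["severity"], 99) <= threshold]
    counts = Counter(f["severity"] for f in findings)
    return (1 if blocking else 0), blocking, counts
```

Style and information findings are counted but do not fail the build unless `fail_on` is lowered, which mirrors running Cppcheck with `--enable=all` while gating only on real defects.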