scan-build (Clang Static Analyzer)

scan-build is a command line utility that enables a user to run the static analyzer over their codebase as part of performing a regular build (from the command line).


clang 9.0.0


Debian Stretch

Supported Languages

C C++

Official Documentation

YAML Configuration


  • input:

    Patterns to include in reports.

    Note: The input patterns are not applied when running scan-build since scan-build performs a regular build to analyze and the files excluded by the patterns may be required for the build. Therefore, the files excluded by the patterns are always processed and you may even see logs related to the excluded files in the job console. However, Inspecode eventually ignores any issues detected on the excluded files when generating job reports.

  • ignore:

    Patterns to exclude from reports.

    Note: Just like input:, the ignore patterns are not applied when running scan-build.

  • auto-fix:


  • config-file:


  • machine:

    • cpu:

      Amount of CPU. The default machine has 0.75 CPU with 2880 MiB RAM.

  • options:

    Below is the list of options that are supported:

       Also analyze functions in #included files.  By default, such functions
       are skipped unless they are called by functions within the main source file.
       Tells analyzer to enable assertions in code even if they were disabled
       during compilation to enable more precise results.
       Add a "keep on going" option to the specified build command. This option
       currently supports make and xcodebuild. This is a convenience option; one
       can specify this behavior directly using build options.
       Do not override CC and CXX make variables. Useful when running make in
       autoconf-based (and similar) projects where configure can add extra flags
       to those variables.
     --exclude <path>
       Do not run static analyzer against files found in this
       directory (You can specify this option multiple times).
       Could be useful when project contains 3rd party libraries.
     --use-cc [compiler path]
     --use-cc=[compiler path]
       scan-build analyzes a project by interposing a "fake compiler", which
       executes a real compiler for compilation and the static analyzer for analysis.
       Because of the current implementation of interposition, scan-build does not
       know what compiler your project normally uses.  Instead, it simply overrides
       the CC environment variable, and guesses your default compiler.
       In the future, this interposition mechanism to be improved, but if you need
       scan-build to use a specific compiler for *compilation* then you can use
       this option to specify a path to that compiler.
       If the given compiler is a cross compiler, you may also need to provide
       --analyzer-target option to properly analyze the source code because static
       analyzer runs as if the code is compiled for the host machine by default.
     --use-c++ [compiler path]
     --use-c++=[compiler path]
       This is the same as "--use-cc" but for C++ code.
     --analyzer-target [target triple name for analysis]
     --analyzer-target=[target triple name for analysis]
       This provides target triple information to clang static analyzer.
       It only changes the target for analysis but doesn't change the target of a
       real compiler given by --use-cc and --use-c++ options.
     -maxloop <loop count>
       Specify the number of times a block can be visited before giving up.
       Default is 4. Increase for more comprehensive coverage at a cost of speed.
     A default group of checkers are always run unless explicitly disabled.
     Checkers may be enabled/disabled using the following options:
     -enable-checker [checker name]
     -disable-checker [checker name]

    In addition, -- option is also supported to specify your build commands.

  • thresholds:

    • num-issues:

      No tool specific severity levels are available.

  • incremental:


    Note: The incremental analysis cannot be supported for scan-build. This is because scan-build performs a regular build with requiring all build dependencies and the results on unchanged files can be affected by changed files.

  • experimental:

    No tool specific experimental options are available.

YAML Examples

  • With default options:

        scan-build: default
  • With custom machine:

            cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
  • With custom options:

            - -k
            - --: ./configure
            - --: [make, mytarget]

    With the above configuration, Inspecode runs scan-build twice as shown below:

    scan-build -k ./configure
    scan-build -k make mytarget

Available Toolchain

  • autoconf (GNU Autoconf) 2.69
  • automake (GNU automake) 1.15.1
  • clang 5.0.0
  • cmake 3.9.5
  • gcc 6.4.0
  • g++ 6.4.0
  • make (GNU Make) 4.2.1
  • musl 1.1.18
  • linux-headers 4.4.6

Build Command Detection

If no build commands are explicitly specified via -- option such as when using default built-in configuration, Inspecode recursively scans your repository to detect project directories enabling one of the following build systems, and then run build commands at each directory accordingly.

  • CMake (build commands: cmake . && make)
  • ./configure (build commands: ./configure && make)
  • Make (build commands: make)

If the automatic detection does not suit your project, explicitly specify build commands via -- option.

Resolving Dependencies

scan-build requires all build dependencies to run, so Inspecode tries to download dependencies before running scan-build:

As of now, Inspecode can download:

  • submodules available to the public
  • submodules provided from your private repositories which:
    • belong to the same GitHub organization or Bitbucket team as the repository on which scan-build runs
    • have been already registered to Inspecode
    • can be accessed via http://<hostname>/<path>, https://<hostname>/<path>, ssh://git@<hostname>/<path> or git@<hostname>:<path>

Note: If resolving dependencies fails due to some reasons, you can see the error log, however, Inspecode continues the process unless running scan-build itself fails.

results matching ""

    No results matching ""