scan-build (Clang Static Analyzer)

scan-build is a command line utility that enables a user to run the static analyzer over their codebase as part of performing a regular build (from the command line).


clang 7.0.1


Debian Stretch

Supported Languages

C C++

Official Documentation

YAML Configuration


  • input:

    Patterns to include in reports.

    Note: The input patterns are not applied when running scan-build since scan-build performs a regular build to analyze and the files excluded by the patterns may be required for the build. Therefore, the files excluded by the patterns are always processed and you may even see logs related to the excluded files in the job console. However, Inspecode eventually ignores any issues detected on the excluded files when generating job reports.

  • ignore:

    Patterns to exclude from reports.

    Note: Just like input:, the ignore patterns are not applied when running scan-build.

  • auto-fix:


  • config-file:


  • machine:

    • cpu:

      Amount of CPU. The default machine has 0.75 CPU with 2880 MiB RAM.

  • options:

    Below is the list of options that are supported:

       Also analyze functions in #included files.  By default, such functions
       are skipped unless they are called by functions within the main source file.
       Tells analyzer to enable assertions in code even if they were disabled
       during compilation to enable more precise results.
       Add a "keep on going" option to the specified build command. This option
       currently supports make and xcodebuild. This is a convenience option; one
       can specify this behavior directly using build options.
       Do not override CC and CXX make variables. Useful when running make in
       autoconf-based (and similar) projects where configure can add extra flags
       to those variables.
     -maxloop <loop count>
       Specify the number of times a block can be visited before giving up.
       Default is 4. Increase for more comprehensive coverage at a cost of speed.
     A default group of checkers are always run unless explicitly disabled.
     Checkers may be enabled/disabled using the following options:
     -enable-checker [checker name]
     -disable-checker [checker name]

    In addition, -- option is also supported to specify your build commands.

  • thresholds:

    • num-issues:

      No tool specific severity levels are available.

  • experimental:

    • incremental:


      Note: The incremental analysis cannot be supported for scan-build. This is because scan-build performs a regular build with requiring all build dependencies and the results on unchanged files can be affected by changed files.

YAML Examples

  • With default options:

      scan-build: default
  • With custom machine:

          cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
  • With custom options:

          - -k
          - --: ./configure
          - --: [make, mytarget]

    With the above configuration, Inspecode runs scan-build twice as shown below:

    scan-build -k ./configure
    scan-build -k make mytarget

Available Toolchain

  • autoconf (GNU Autoconf) 2.69
  • automake (GNU automake) 1.15.1
  • clang 5.0.0
  • cmake 3.9.5
  • gcc 6.4.0
  • g++ 6.4.0
  • make (GNU Make) 4.2.1
  • musl 1.1.18
  • linux-headers 4.4.6

Build Command Detection

If no build commands are explicitly specified via -- option such as when using default built-in configuration, Inspecode recursively scans your repository to detect project directories enabling one of the following build systems, and then run build commands at each directory accordingly.

  • CMake (build commands: cmake . && make)
  • ./configure (build commands: ./configure && make)
  • Make (build commands: make)

If the automatic detection does not suit your project, explicitly specify build commands via -- option.

Resolving Dependencies

scan-build requires all build dependencies to run, so Inspecode tries to download dependencies before running scan-build:

As of now, Inspecode can download:

  • submodules available to the public
  • submodules provided from your private repositories which:
    • belong to the same GitHub organization or Bitbucket team as the repository on which scan-build runs
    • have been already registered to Inspecode
    • can be accessed via http://<hostname>/<path>, https://<hostname>/<path>, ssh://git@<hostname>/<path> or git@<hostname>:<path>

Note: If resolving dependencies fails due to some reasons, you can see the error log, however, Inspecode continues the process unless running scan-build itself fails.

results matching ""

    No results matching ""