Re: RFC v2: Static Analysis in edk2 CI

Michael D Kinney

I have Coverity scan builds running in a GitHub Action and then uploaded to Coverity.

We should be able to configure a GitHub Action to run other analyzers.


-----Original Message-----
From: <> On Behalf Of Pedro Falcato
Sent: Tuesday, June 14, 2022 1:00 PM
To:; POLUDOV, FELIX <felixp@...>
Cc: Rebecca Cran <rebecca@...>; edk2-devel-groups-io <>
Subject: Re: [edk2-rfc] RFC v2: Static Analysis in edk2 CI

(Re-adding devel@ since Felix dropped it)

On Tue, Jun 14, 2022 at 8:59 PM Pedro Falcato <pedro.falcato@...>

Just want to note that if we want to go ahead with fuzzing (I detailed a
possible plan to do so in the mailing list a month or so ago) we will
definitely need somewhere to run fuzzing (even if it's Google's syzbot).
Getting somewhere where we can run static analysis, fuzzing just makes
sense IMO (hell, who knows, maybe even CI or something like Gerrit for
mailing list-less code reviews).

On Tue, Jun 14, 2022 at 7:43 PM Felix Polyudov via <felixp=> wrote:

Yes, LLVM/CLANG Static Analyzer is another possibility. I've mentioned it
in the first version of the RFC.
CodeChecker ( is an open
source front-end for the scan-build and clang-tidy.
It simplifies analyzer configuration and provides web-based report
storage. However, it has to be hosted somewhere.
If somebody has an idea on how edk2 community can host the CodeChecker,
that's definitely an option to consider.

Pedro Falcato

Pedro Falcato

Join to automatically receive all group messages.