Coverity Scan
Coverity Scan is a free static analysis service for open source projects to detect critical software defects and security vulnerabilities. It is easy to use and provides high quality results.
What is Coverity Scan?
Coverity Scan is a free static analysis service provided by Synopsys for the open source community. It helps open source projects find and fix defects before they release their software. The service started with C/C++ and Java and now also analyzes C#, JavaScript, Python and several other languages.
Some key benefits of Coverity Scan include:
- Easy to use: wrap your normal build with cov-build and upload the resulting intermediate directory; no source changes are needed
- High quality results: industry-leading analysis engine finds critical defects including memory corruption, crashing bugs, and security vulnerabilities
- Actionable reports: clear, prioritized issues with descriptions and remediation guidance
- Free for open source projects: originally funded by Coverity and the U.S. Department of Homeland Security to improve open source software quality and security
- Trusted by over 1500 open source projects including the Linux kernel, Apache, Python, PostgreSQL, and more
Overall, Coverity Scan helps open source projects improve code quality and security with little effort by providing professional-grade static analysis for free.
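The build-and-upload workflow the list above describes, written out as an added example; this is not Coverity's own script or part of the original page. It assumes the usual Coverity Scan flow (run the build under cov-build, tar the intermediate directory, POST it to scan.coverity.com/builds with the project token in a form field) and uses environment variable names chosen for this example (COVERITY_SCAN_TOKEN, COVERITY_SCAN_EMAIL, COVERITY_PROJECT, BUILD_CMD, DRY_RUN). It also assumes cov-build leaves a build-log.txt in the intermediate directory, which the script uses as a sanity check that the build was actually captured.

```shell
#!/bin/sh
# Added example, not Coverity's or any project's own script: wrap a build in
# cov-build, package the intermediate directory, upload it to Coverity Scan.
# Assumptions (names chosen for this example, not fixed by the service):
#   COVERITY_SCAN_TOKEN  project token from the project's Scan settings page
#   COVERITY_SCAN_EMAIL  e-mail address of the submitting account
#   COVERITY_PROJECT     project name as registered on scan.coverity.com
#   BUILD_CMD            the project's normal build command (default: make)
#   DRY_RUN=1            describe the upload instead of performing it
# Usage: sh coverity-scan-submit.sh submit
set -eu

SCAN_URL="https://scan.coverity.com/builds"

# Run the normal build under cov-build so it can intercept every compiler
# invocation. cov-build is assumed to write build-log.txt into the
# intermediate directory; an empty or missing log means nothing was captured
# and an upload would be pointless.
cov_capture() {
    int_dir="$1"; shift
    rm -rf "$int_dir"
    cov-build --dir "$int_dir" "$@"
    if [ ! -s "$int_dir/build-log.txt" ]; then
        echo "cov-build captured nothing: no build log in $int_dir" >&2
        return 1
    fi
}

# Package the intermediate directory so the archive contains the directory
# itself (cov-int/...) rather than its bare contents, which is the layout
# the Scan upload expects.
package_intermediate() {
    int_dir="$1"; tarball="$2"
    if [ ! -d "$int_dir" ]; then
        echo "no intermediate directory at $int_dir" >&2
        return 1
    fi
    tar czf "$tarball" -C "$(dirname "$int_dir")" "$(basename "$int_dir")"
    [ -s "$tarball" ]
}

# Upload with the token in a multipart form field, not in the URL, so it does
# not end up in proxy or CI logs. --fail turns an HTTP error into a job failure.
submit() {
    tarball="$1"; version="$2"; desc="$3"
    url="${SCAN_URL}?project=${COVERITY_PROJECT}"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would upload $tarball (version $version) to $url"
        return 0
    fi
    curl --fail --silent --show-error \
        --form "token=${COVERITY_SCAN_TOKEN}" \
        --form "email=${COVERITY_SCAN_EMAIL}" \
        --form "file=@${tarball}" \
        --form "version=${version}" \
        --form "description=${desc}" \
        "$url"
}

main() {
    : "${COVERITY_SCAN_TOKEN:?set COVERITY_SCAN_TOKEN}"
    : "${COVERITY_SCAN_EMAIL:?set COVERITY_SCAN_EMAIL}"
    : "${COVERITY_PROJECT:?set COVERITY_PROJECT}"
    int_dir="$PWD/cov-int"
    cov_capture "$int_dir" sh -c "${BUILD_CMD:-make}"
    # Tie the upload to a commit so a Scan result can be traced back later.
    version="$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d%H%M%S)"
    package_intermediate "$int_dir" "$PWD/cov-int.tgz"
    submit "$PWD/cov-int.tgz" "$version" "automated scan of $version"
}

if [ "${1:-}" = submit ]; then main; fi
```

Note that the tarball holds the parsed source of everything the build compiled, so treat it, and the project token, as sensitive: keep the token out of the URL and out of build logs, and run the upload only from a branch or job you control.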
Coverity Scan Features
Features
- Static analysis to find defects in C/C++ and Java code, with several other languages (C#, JavaScript and Python among them) added later
- Integrates with GitHub and Travis CI for easy scanning of open source projects
- Provides detailed reports on issues found including code snippets and severity
- Can scan code before check-in with a plugin for developers
- Has high accuracy with low false positive rates
Pricing
- Free for open source projects (the service itself is proprietary)
Pros
Free for open source projects
Finds critical security vulnerabilities
Easy to set up and use
Detailed and actionable reports
High quality results
Cons
Focused only on defect detection
Narrower language coverage than multi-language platforms such as SonarQube (historically C/C++ and Java only)
Only open to public open source projects; not available for private repositories
Requires uploading the build intermediate directory, which contains a copy of the compiled source, to Coverity's servers
The Best Coverity Scan Alternatives
Here are some alternatives to Coverity Scan:
SonarQube
SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis to detect bugs, code smells and security vulnerabilities in 20+ programming languages. It supports Java, JavaScript, C#, C/C++, Objective-C, TypeScript, VB.NET, Python, PHP, Flex, Go, Kotlin,...
PVS-Studio
PVS-Studio is a powerful static code analysis tool for C, C++, C#, and Java development. It helps developers detect and fix bugs, security vulnerabilities, and code quality issues early in the development process. PVS-Studio analyzes source code and looks for potential errors such as null pointer dereferences, use of uninitialized variables,...
Semgrep
Semgrep is an open-source tool developed by r2c for finding bugs and security vulnerabilities in source code. It works by using pattern matching to scan codebases and match code snippets against a set of predefined patterns that correspond to known vulnerabilities, bugs, and anti-patterns. Some key features and capabilities of Semgrep...
Parasoft C/C++test
Parasoft C/C++test is a comprehensive C and C++ development testing solution designed to help teams improve software quality. It automates code analysis and testing tasks to reduce the time and effort required to deliver reliable C/C++ applications. Key features include:
- Static code analysis to enforce coding guidelines and standards
- Unit testing frameworks to...
Clang Static Analyzer
The Clang Static Analyzer is an open source tool that automatically finds bugs in C, C++, and Objective-C programs. It is part of the Clang compiler infrastructure project. The analyzer works by doing control and data flow analysis on the source code to find potential bugs that could lead to...
Cppcheck
Cppcheck is an open source, static analysis tool for analyzing C and C++ code to detect bugs and security flaws. It is designed to be fast, accurate, and easy to use. Key features of Cppcheck include:
- Detects a wide range of issues in C/C++ code like memory leaks, null pointer dereferences,...
Lgtm.com
LGTM.com was an automated code review and analysis platform for finding security vulnerabilities and quality issues in source code. It used a combination of deep semantic code analysis and data-flow analysis techniques to find bugs and security weaknesses that could lead to crashes, unauthorized access, or data leakage. The service was shut down in December 2022; its CodeQL engine lives on in GitHub code scanning. Some key features...
EDoC++
EDoC++ is an open-source, web-based document management system that helps businesses and organizations store, organize, collaborate on, share, and track documents and files. It was created to be an affordable yet full-featured alternative to paid solutions like SharePoint or Documentum. Some key features of EDoC++ include: Document version control - Track changes...
Shellcheck
Shellcheck is an open source static analysis and linting tool for shell scripts. It can analyze scripts written in Bash, Dash, ksh, and other shell languages. Shellcheck will analyze a script to identify common bugs and errors such as:
- Syntax errors
- Unused variables
- Parameter expansion issues
- Race conditions
- Security issues
- Portability problems
Some key features and benefits...