DEV.co
Open-Source Databases · Ericsson

codechecker

CodeChecker is a static analysis infrastructure that wraps LLVM/Clang toolchain analyzers (Clang-Tidy, Clang Static Analyzer, Cppcheck, GCC Static Analyzer, Facebook Infer) with a web-based defect database and viewer. It captures compilation databases via build process instrumentation, runs analysis incrementally, and stores/visualizes results across thousands of reports with GitLab and Gerrit integration.

Source: GitHub — github.com/Ericsson/codechecker
2.6k
GitHub stars
469
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryEricsson/codechecker
OwnerEricsson
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars2.6k
Forks469
Open issues429
Latest releasev6.28.2 (2026-06-25)
Last updated2026-07-07
Sourcehttps://github.com/Ericsson/codechecker

What codechecker is

Python-based tool that instruments build commands to generate JSON compilation databases, orchestrates multiple static analyzers (Clang, Cppcheck, Infer, GCC SA), applies cross-translation-unit and statistical analysis, and persists findings to PostgreSQL or SQLite via Thrift-based server-client communication. Supports result filtering, diffing, suppression, and review workflows.

Quickstart

Get the codechecker source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Ericsson/codechecker.gitcd codechecker# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Enterprise C/C++ static analysis at scale

Organizations analyzing large C/C++ codebases across multiple projects need centralized result storage, historical tracking, and team-based review. CodeChecker's web UI, defect comparison, and multi-analyzer orchestration enable enterprise-grade governance without replacing individual analyzer workflows.

CI/CD integration with code review gates

Teams using Gerrit or GitLab can embed CodeChecker analysis results directly into code review workflows. Analysis diffs show newly introduced issues per commit, enabling reviewers to assess and suppress findings before merge.

Incremental analysis in large monorepos

Monorepo or multi-project environments benefit from CodeChecker's incremental re-analysis (only changed files and dependencies), reducing feedback cycles in developer workflows and CI pipelines.

Implementation considerations

  • Requires LLVM/Clang toolchain (and optionally GCC, Facebook Infer, Cppcheck) installed and configured on analysis machines; cross-compiler detection is supported but environmental setup is non-trivial.
  • Build process must be instrumented via CodeChecker log to capture compilation commands; projects with non-standard, cmake-only, or bazel-based builds may require build system adaptation.
  • Database backend (PostgreSQL or SQLite) must be provisioned, configured, and maintained separately; PostgreSQL recommended for multi-user, high-volume deployments.
  • False positive suppression and review comments require manual workflow; large codebases may need processes to triage and manage suppression policy across teams.
  • Incremental analysis optimization depends on accurate change detection; CI/CD pipelines must be configured to preserve build artifacts and state between runs for benefit.

When to avoid it — and what to weigh

  • Single-language (non-C/C++) codebase focus — CodeChecker is designed around C/C++ via LLVM/Clang. While it claims support for Java (Infer, Spotbugs), Python (Pylint), JavaScript (ESLint), the primary architecture and maintenance effort target compiled languages. Standalone linters for dynamic languages may be simpler.
  • Minimal operational overhead required — CodeChecker requires database setup (PostgreSQL or SQLite), server deployment, build process instrumentation (compilation database capture), and analyzer availability (LLVM/Clang toolchain). Teams seeking lightweight out-of-the-box analysis should consider simpler tools.
  • Real-time, on-demand analysis without build instrumentation — CodeChecker mandates capturing a compilation database via build instrumentation. Projects unable to standardize build processes or requiring ad-hoc file-level analysis may find this constraint limiting.
  • Closed-source or proprietary analyzer embedding — CodeChecker integrates open analyzers (Clang, Cppcheck, Infer, GCC SA, etc.). If your strategy requires proprietary analyzers or closed integrations, this architecture does not support that.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability disclaimers.

Apache 2.0 permits commercial use, proprietary modification, and redistribution. No license review is required for commercial deployment. Verify that any bundled or integrated analyzers (Clang, Infer, Cppcheck) meet your commercial licensing requirements independently.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

CodeChecker processes untrusted C/C++ source code via multiple external analyzers (Clang, Infer, Cppcheck, GCC SA); ensure analyzers themselves are up-to-date for known vulnerabilities. Database backend (PostgreSQL/SQLite) must be secured (authentication, TLS, network isolation). Web UI and Thrift server should be protected by network policies and authentication (login subcommand available). Build instrumentation may capture or log compiler flags containing secrets; sanitize before storage. OpenSSF Scorecard badge present but details unknown.

Alternatives to consider

SonarQube (with C/C++ plugin)

Enterprise-grade static analysis platform with broader language support, cloud hosting options, and more mature UI/UX. Higher operational cost but less infrastructure setup than CodeChecker.

Clang Static Analyzer + scan-build (standalone)

Lightweight, minimal dependencies, no database or web UI overhead. Suitable for small teams or projects; sacrifices centralized storage, historical tracking, and team review workflows.

Coverity (Synopsys)

Commercial enterprise SCA platform with advanced AI-driven false positive filtering, proprietary analyzers, and managed hosting. Higher cost; best for regulated industries (automotive, medical, aerospace).

Software development agency

Build on codechecker with DEV.co software developers

Review deployment architecture, build instrumentation requirements, and database setup with your DevOps team. Deploy the demo instance or pilot on a non-critical codebase to assess incremental analysis performance and team workflow fit.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

codechecker FAQ

Does CodeChecker replace my existing Clang Static Analyzer workflow?
CodeChecker wraps Clang Static Analyzer and other analyzers; it does not replace them. It provides orchestration, result persistence, web UI, and team collaboration on top of standard LLVM/Clang toolchain. You can run CodeChecker instead of scan-build for centralized analysis.
Can CodeChecker analyze Java, Python, or JavaScript code?
Yes, CodeChecker can store and visualize results from analyzers like Facebook Infer (Java), Pylint (Python), and ESLint (JavaScript). However, the core architecture and primary effort focus on C/C++ via LLVM/Clang. Setup and support for other languages may be less mature.
What database backend should I use—PostgreSQL or SQLite?
SQLite is suitable for single-user or small-team deployments with light concurrent load. PostgreSQL is recommended for multi-user, enterprise, or high-volume environments. Consult deployment documentation for performance characteristics and migration guidance.
How does CodeChecker handle false positives?
Findings can be suppressed via web UI or command-line tools; suppressions are stored in the database alongside review comments. Suppression policies must be managed manually; there is no built-in machine-learning false positive filter (unlike commercial SCA tools).

Software development & web development with DEV.co

Adopting codechecker is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.

Evaluate CodeChecker for your C/C++ analysis pipeline

Review deployment architecture, build instrumentation requirements, and database setup with your DevOps team. Deploy the demo instance or pilot on a non-critical codebase to assess incremental analysis performance and team workflow fit.