Code analysis with clang-tidy in Red Hat Enterprise Linux

Clang-tidy is a standalone linter tool for checking C and C++ source code files. It provides an additional set of compiler warnings—called checks—that go above and beyond what is typically included in a C or C++ compiler. Clang-tidy comes with a large set of built-in checks and a framework for writing your own checks, as well.

Clang-tidy uses the same front-end libraries as the Clang C language compiler. However, because it only takes source files as input, you can use clang-tidy for any C or C++ codebase no matter what compiler you are using.

This article is a quick introduction to code analysis with clang-tidy, including how to check for rule violations in a simple C-based program and how to integrate clang-tidy with your build system.

Using clang-tidy in Red Hat Enterprise Linux

In Red Hat Enterprise Linux (RHEL), clang-tidy is included as part of the LLVM toolset:

# RHEL7
$ yum install llvm-toolset-10.0-clang-tools-extra

# RHEL8
$ yum install clang-tools-extra

The best way to get started with clang-tidy is to review the list of included checks to see which ones might be useful for your codebase. The Clang-tidy project page includes a summary of the different kinds of checks available. You can see a list of the individual checks available by running:

$ clang-tidy -checks=* -list-checks

Today, we are going to focus on the checks for the SEI CERT Secure Coding Standard, which are denoted in clang-tidy by the cert- prefix.

Note: The SEI CERT Secure Coding Standard is maintained by the computer emergency response team (CERT) for the Software Engineering Institute (SEI).

Checking for errors with clang-tidy

The following example program violates two of the CERT Secure Coding Standard rules, ENV33-C and ERR34-C:

#include <stdlib.h>

int string_to_int(const char *num) {
  return atoi(num);
}

void ls() {
  system("ls");
}

Let's see what happens when we run clang-tidy on this code:

$ clang-tidy -checks=cert-* -warnings-as-errors=* cert-err.c

2 warnings generated.
cert-err.c:4:10: error: 'atoi' used to convert a string to an integer value, but function will not report conversion errors; consider using 'strtol' instead [cert-err34-c,-warnings-as-errors]
  return atoi(num);
         ^
cert-err.c:8:3: error: calling 'system' uses a command processor [cert-env33-c,-warnings-as-errors]
  system("ls");
  ^

The -checks=cert-* option tells clang-tidy to enable all of the CERT Secure Coding Standard checks, and the -warnings-as-errors=* option tells it to treat all warnings as errors. The -warnings-as-errors takes a wildcard argument, so you can choose which warnings to promote to errors. For example, if you wanted to enable all checks, but only generate an error on the CERT checks, you could do this:

$ clang-tidy -checks=* -warnings-as-errors=cert-* cert-err.c

Integrate clang-tidy into your build system

In addition to manually running clang-tidy on your source files, you can also integrate the tool into your build system. Build integration makes it easier to automate the checks and include them in a continuous integration (CI) system. A simple way to integrate clang-tidy into your build is to run the checks as part of a check target, using make or a similar build tool.

Looking back at our previous example, we can construct a simple makefile with a clang-tidy integration:

SOURCES=cert-err.c
OBJS=cert-err.o

all: $(OBJS)

%.o: %.c
        $(CC) -c -o $@ $< $(CPPFLAGS) $(CFLAGS)

check: $(SOURCES)
        clang-tidy $(CPPFLAGS) -checks=cert-* --warnings-as-errors=* $(SOURCES)

Now, we can run ourclang-tidy checks using make check.

Using a compilation database

If you are using a CMake base build system, clang-tidy can employ a compilation database. That way, you don't need to manually pass the same CPPFLAGS you used while compiling. To generate the compilation database, you just need to pass the -DCMAKE_EXPORT_COMPILE_COMMANDS=ON option to CMake when configuring. Here's an example CMake configuration for using the compilation database:

set(sources ${CMAKE_SOURCE_DIR}/cert-err.c)

add_library(cert-err ${sources})

add_custom_target(
    clang-tidy-check clang-tidy -p ${CMAKE_BINARY_DIR}/compile_commands.json -checks=cert* ${sources}
    DEPENDS ${sources})

add_custom_target(check DEPENDS clang-tidy-check)

When you configure with CMake, it will generate a file called compile_commands.json, which clang-tidy uses to determine which compiler flags to employ:

$ cmake . -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
$ make clang-tidy-check

Conclusion

This was a basic introduction to clang-tidy, but there is much more that you can do with it. For more information, read the upstream Clang-tidy project page.

Last updated: October 7, 2022

Get started with clang-tidy in Red Hat Enterprise Linux

Using clang-tidy in Red Hat Enterprise Linux

Checking for errors with clang-tidy

Integrate clang-tidy into your build system

Using a compilation database

Conclusion

Every layer counts: Defense in depth for AI agents with Red Hat AI

Fun in the RUN instruction: Why container builds with distroless images can surprise you

Trusted software factory: Building trust in the agentic AI era

Build a zero trust AI pipeline with OpenShift and RHEL CVMs

Red Hat Hardened Images: Top 5 benefits for software developers

Platforms

Build

Quicklinks

Communicate

RED HAT DEVELOPER

Red Hat legal and privacy links

Red Hat legal and privacy links