Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

awfixers-stuff/static-analysis

Name: static-analysis
Author: awfixers-stuff

skills/static-analysis/SKILL.md

npx skillsauth add awfixers-stuff/opencode-config static-analysis

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Static Analysis

Purpose

Guide agents through selecting, running, and triaging static analysis tools for C/C++ — clang-tidy, cppcheck, and scan-build — including suppression strategies and CI integration.

Triggers

"How do I run clang-tidy on my project?"
"What clang-tidy checks should I enable?"
"cppcheck is reporting false positives — how do I suppress them?"
"How do I set up scan-build for deeper analysis?"
"My build is noisy with static analysis warnings"
"How do I generate compile_commands.json for clang-tidy?"

Workflow

1. Generate compile_commands.json

clang-tidy requires a compilation database:

# CMake (preferred)
cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
ln -s build/compile_commands.json .

# Bear (for Make-based projects)
bear -- make

# compiledb (alternative for Make)
pip install compiledb
compiledb make

2. Run clang-tidy

# Single file
clang-tidy src/foo.c -- -std=c11 -I include/

# Whole project via compile_commands.json
run-clang-tidy -p build/ -j$(nproc)

# With specific checks enabled
clang-tidy -checks='bugprone-*,modernize-*,performance-*' src/foo.cpp

# Apply auto-fixes
clang-tidy -checks='modernize-use-nullptr' -fix src/foo.cpp

3. Check category decision tree

Goal?
├── Find real bugs            → bugprone-*, clang-analyzer-*
├── Modernise C++ code        → modernize-*
├── Follow core guidelines    → cppcoreguidelines-*
├── Catch performance issues  → performance-*
├── Security hardening        → cert-*, hicpp-*
└── Readability / style       → readability-*, llvm-*

| Category | Key checks | What it catches | |----------|-----------|-----------------| | bugprone-* | use-after-move, integer-division, suspicious-memset-usage | Likely bugs | | modernize-* | use-nullptr, use-override, use-auto | C++11/14/17 idioms | | cppcoreguidelines-* | avoid-goto, pro-bounds-*, no-malloc | C++ Core Guidelines | | performance-* | unnecessary-copy-initialization, avoid-endl | Performance regressions | | clang-analyzer-* | core.*, unix.*, security.* | Path-sensitive bugs | | cert-* | err34-c, str51-cpp | CERT coding standard |

4. .clang-tidy configuration file

# .clang-tidy — place at project root
Checks: >
  bugprone-*,
  modernize-*,
  performance-*,
  -modernize-use-trailing-return-type,
  -bugprone-easily-swappable-parameters
WarningsAsErrors: 'bugprone-*,clang-analyzer-*'
HeaderFilterRegex: '^(src|include)/.*'
CheckOptions:
  - key: modernize-loop-convert.MinConfidence
    value: reasonable
  - key: readability-identifier-naming.VariableCase
    value: camelCase

5. Suppress false positives

// Suppress a single line
int result = riskyOp(); // NOLINT(bugprone-signed-char-misuse)

// Suppress a block
// NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers)
constexpr int BUFFER_SIZE = 4096;

// Suppress whole function
[[clang::suppress("bugprone-*")]]
void legacy_code() { /* ... */ }

Or in .clang-tidy:

# Exclude third-party directories
HeaderFilterRegex: '^(src|include)/.*'
# Disable specific checks
Checks: '-bugprone-easily-swappable-parameters'

6. Run cppcheck

# Basic run
cppcheck --enable=all --std=c11 src/

# With compile_commands.json
cppcheck --project=build/compile_commands.json

# Include specific checks and suppress noise
cppcheck --enable=warning,performance,portability \
         --suppress=missingIncludeSystem \
         --suppress=unmatchedSuppression \
         --error-exitcode=1 \
         src/

# Generate XML report for CI
cppcheck --xml --xml-version=2 src/ 2> cppcheck-report.xml

| --enable= value | What it checks | |-------------------|----------------| | warning | Undefined behaviour, bad practices | | performance | Redundant operations, inefficient patterns | | portability | Non-portable constructs | | information | Configuration and usage notes | | all | Everything above |

7. Path-sensitive analysis with scan-build

# Intercept a Make build
scan-build make

# Intercept CMake build
scan-build cmake --build build/

# Show HTML report
scan-view /tmp/scan-build-*/

# With specific checkers
scan-build -enable-checker security.insecureAPI.gets \
           -enable-checker alpha.unix.cstring.BufferOverlap \
           make

scan-build finds deeper bugs than clang-tidy: use-after-free across functions, dead stores from logic errors, null dereferences on complex paths.

8. CI integration

# GitHub Actions
- name: Static analysis
  run: |
    cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
    run-clang-tidy -p build -j$(nproc) -warnings-as-errors '*'

- name: cppcheck
  run: |
    cppcheck --enable=warning,performance \
             --suppress=missingIncludeSystem \
             --error-exitcode=1 \
             src/

For clang-tidy check details, see references/clang-tidy-checks.md.

Related skills

Use skills/compilers/clang for Clang toolchain and diagnostic flags
Use skills/compilers/gcc for GCC warnings as complementary analysis
Use skills/runtimes/sanitizers for runtime bug detection alongside static analysis
Use skills/build-systems/cmake for CMAKE_EXPORT_COMPILE_COMMANDS setup

awfixers-stuff/static-analysis

skills/static-analysis/SKILL.md

Static analysis skill for C/C++ codebases. Use when hardening code quality, triaging noisy builds, running clang-tidy, cppcheck, or scan-build, interpreting check categories, suppressing false positives, or integrating static analysis into CI. Activates on queries about clang-tidy checks, cppcheck, scan-build, compile_commands.json, code hardening, or static analysis warnings.

development

Updated Apr 27, 2026

$ install --global

skillsauth

npx skillsauth add awfixers-stuff/opencode-config static-analysis

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 19, 2026, 4:11 AM28.1s2 files scanned

SKILL.md

name:: static-analysis
description:: Static analysis skill for C/C++ codebases. Use when hardening code quality, triaging noisy builds, running clang-tidy, cppcheck, or scan-build, interpreting check categories, suppressing false positives, or integrating static analysis into CI. Activates on queries about clang-tidy checks, cppcheck, scan-build, compile_commands.json, code hardening, or static analysis warnings.

Static Analysis

Purpose

Guide agents through selecting, running, and triaging static analysis tools for C/C++ — clang-tidy, cppcheck, and scan-build — including suppression strategies and CI integration.

Triggers

"How do I run clang-tidy on my project?"
"What clang-tidy checks should I enable?"
"cppcheck is reporting false positives — how do I suppress them?"
"How do I set up scan-build for deeper analysis?"
"My build is noisy with static analysis warnings"
"How do I generate compile_commands.json for clang-tidy?"

Workflow

1. Generate compile_commands.json

clang-tidy requires a compilation database:

# CMake (preferred)
cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
ln -s build/compile_commands.json .

# Bear (for Make-based projects)
bear -- make

# compiledb (alternative for Make)
pip install compiledb
compiledb make

2. Run clang-tidy

# Single file
clang-tidy src/foo.c -- -std=c11 -I include/

# Whole project via compile_commands.json
run-clang-tidy -p build/ -j$(nproc)

# With specific checks enabled
clang-tidy -checks='bugprone-*,modernize-*,performance-*' src/foo.cpp

# Apply auto-fixes
clang-tidy -checks='modernize-use-nullptr' -fix src/foo.cpp

3. Check category decision tree

Goal?
├── Find real bugs            → bugprone-*, clang-analyzer-*
├── Modernise C++ code        → modernize-*
├── Follow core guidelines    → cppcoreguidelines-*
├── Catch performance issues  → performance-*
├── Security hardening        → cert-*, hicpp-*
└── Readability / style       → readability-*, llvm-*

4. .clang-tidy configuration file

# .clang-tidy — place at project root
Checks: >
  bugprone-*,
  modernize-*,
  performance-*,
  -modernize-use-trailing-return-type,
  -bugprone-easily-swappable-parameters
WarningsAsErrors: 'bugprone-*,clang-analyzer-*'
HeaderFilterRegex: '^(src|include)/.*'
CheckOptions:
  - key: modernize-loop-convert.MinConfidence
    value: reasonable
  - key: readability-identifier-naming.VariableCase
    value: camelCase

5. Suppress false positives

// Suppress a single line
int result = riskyOp(); // NOLINT(bugprone-signed-char-misuse)

// Suppress a block
// NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers)
constexpr int BUFFER_SIZE = 4096;

// Suppress whole function
[[clang::suppress("bugprone-*")]]
void legacy_code() { /* ... */ }

Or in .clang-tidy:

# Exclude third-party directories
HeaderFilterRegex: '^(src|include)/.*'
# Disable specific checks
Checks: '-bugprone-easily-swappable-parameters'

6. Run cppcheck

# Basic run
cppcheck --enable=all --std=c11 src/

# With compile_commands.json
cppcheck --project=build/compile_commands.json

# Include specific checks and suppress noise
cppcheck --enable=warning,performance,portability \
         --suppress=missingIncludeSystem \
         --suppress=unmatchedSuppression \
         --error-exitcode=1 \
         src/

# Generate XML report for CI
cppcheck --xml --xml-version=2 src/ 2> cppcheck-report.xml

7. Path-sensitive analysis with scan-build

# Intercept a Make build
scan-build make

# Intercept CMake build
scan-build cmake --build build/

# Show HTML report
scan-view /tmp/scan-build-*/

# With specific checkers
scan-build -enable-checker security.insecureAPI.gets \
           -enable-checker alpha.unix.cstring.BufferOverlap \
           make

scan-build finds deeper bugs than clang-tidy: use-after-free across functions, dead stores from logic errors, null dereferences on complex paths.

8. CI integration

# GitHub Actions
- name: Static analysis
  run: |
    cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
    run-clang-tidy -p build -j$(nproc) -warnings-as-errors '*'

- name: cppcheck
  run: |
    cppcheck --enable=warning,performance \
             --suppress=missingIncludeSystem \
             --error-exitcode=1 \
             src/

For clang-tidy check details, see references/clang-tidy-checks.md.

Related skills

Use skills/compilers/clang for Clang toolchain and diagnostic flags
Use skills/compilers/gcc for GCC warnings as complementary analysis
Use skills/runtimes/sanitizers for runtime bug detection alongside static analysis
Use skills/build-systems/cmake for CMAKE_EXPORT_COMPILE_COMMANDS setup

Related Skills

awfixers-stuff/zmx

development

VerifiedTrustedCommunity

Use when starting dev servers, watchers, tilt, or any process expected to outlive the conversation. Provides zmx session management patterns for long-lived processes.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-testing

development

VerifiedTrustedCommunity

Zig testing skill for writing and running tests. Use when using zig build test, writing comptime tests, using test filters, working with test allocators to detect leaks, or using Zig's built-in fuzz testing (0.14+). Activates on queries about Zig tests, zig test, zig build test, comptime testing, test allocators, Zig fuzz testing, or detecting memory leaks in Zig tests.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-testing

awfixers-stuff/zig-debugging

development

VerifiedTrustedCommunity

Zig debugging skill. Use when debugging Zig programs with GDB or LLDB, interpreting Zig runtime panics, using std.debug.print for tracing, configuring debug builds, or debugging Zig programs in VS Code. Activates on queries about debugging Zig, Zig panics, zig gdb, zig lldb, std.debug.print, Zig stack traces, or Zig error return traces.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-debugging

awfixers-stuff/zig-cross

tools

VerifiedTrustedCommunity

Zig cross-compilation skill. Use when cross-compiling Zig programs to different targets, using Zig's built-in cross-compilation for embedded, WASM, Windows, ARM, or using zig cc to cross-compile C code without a system cross-toolchain. Activates on queries about Zig cross-compilation, zig target triples, zig cc cross-compile, Zig embedded targets, or Zig WASM.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-cross

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/awfixers-stuff/opencode-config.git

# Copy into Claude Code skills folder (global)
cp -r opencode-config/skills/static-analysis ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

awfixers-stuff/opencode-config

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT