Klocwork: Best Static Code Analyzer for Developer Productivity, SAST, and DevOps/DevSecOps
Klocwork static code analysis and SAST tool for C, C++, C#, Java, JavaScript, Python, and Kotlin identifies software security, quality, and reliability issues helping to enforce compliance with standards.
Built for enterprise DevOps and DevSecOps, Klocwork scales to projects of any size, integrates with large complex environments, a wide range of developer tools, and provides control, collaboration, and reporting for the entire enterprise. This has made Klocwork the preferred static analyzer that keeps development velocity high while enforcing continuous compliance for security and quality.
Secure, Safe, and Reliable Code
C, C++, C#, Java, JavaScript, Python, Kotlin
DevSecOps and AppSec
Speed, Productivity, and Compliance
Klocwork Key Features
Find Security Vulnerabilities with SAST
Use Klocwork static application security testing (SAST) for DevOps (DevSecOps). Our security standards identify security vulnerabilities – helping to find and fix security issues early and proving compliance to internationally recognized security standards.
- DevSecOps: Klocwork integrates with CI/CD tools, containers, cloud services, and machine provisioning making automated security testing easy.
- Security Standards: CWE, OWASP, CERT, PCI DSS, DISA STIG, and ISO/IEC TS 17961.
- Security Vulnerability Detection: SQL Injection, Tainted Data, Buffer Overflow, Vulnerable Coding Practices, and many more.
- Bug, Quality Issue, and Code Smell Detection: Null Pointer Dereferences/Exceptions, Memory/Resource Leaks, Uncaught Exceptions, and many more.
Project Streams
Project Streams provides easy management of shared code bases that have multiple variants or branches by simplifying project rule configuration, issue management, defect citing, reporting, and efficient data storage of analysis data.
Creating streams provides the following benefits:
- Assign a single project rule configuration to all variants.
- Issues common to multiple variants are automatically kept in sync and only require citing once.
- Easily identify identical issues across multiple streams and issues unique to a specific stream.
- Generate reports on individual streams for compliance, functional safety, or other evidential purposes.
- More convenient organization and efficient storage of analysis data.
DevOps Ready
Klocwork tools are designed with Continuous Integration and Continuous Delivery foremost in our thinking, which makes it easy to include static code analysis as part of your CI/CD pipelines.
Differential Analysis: Using system context data from the Klocwork Server, it is possible to analyze only the files that changed while also providing differential analysis results as if the entire system had been analyzed. This provides you with the shortest possible analysis times.
Easy to Automate: Klocwork tools have common command line interfaces, the Klocwork defect data can be accessed via a REST API and all output formats use standard formats, such as XML, JSON, and PDF.
Containerized Builds: Klocwork can be run within containerized and Cloud build systems and supports the provisioning of machine instances as required. Providing maximum flexibility and opportunity to use internal or external Cloud services for code analysis.
Control, Collaboration, and Reporting
The Klocwork Validate platform is a centralized store of analysis data, trends, metrics, and configurations for codebases across the organization — accessed through a web browser.
- Define global or project-specific QA and security objectives and rule configurations.
- Control access permissions and approval workflows.
- View trending and metrics data for project quality and compliance.
- Produce compliance and security reports.
- Prioritize defects based on severity, location, and lifecycle.
- Use Smart Rank to assist developers in prioritizing fixes based on defect likelihood, which when combined with issue severity, provides an overall vulnerability risk score.
- Distinguish new issues from legacy code issues.
- Push backlog issues to Change Control systems.
- Import and integrate Helix QAC findings to the Validate platform to view and manage consolidated analysis results in a single dashboard.
Designed for Developers
By seamlessly integrating static code analysis with the rest of your development toolset, Klocwork will shift-left defect detection and improve developer adoption as a tool for developer training and increasing productivity.
No User Configuration: Klocwork provides out of the box support for hundreds of compilers and cross-compilers, so build integration is automatic.
Easy to Use: Plugins for popular IDEs (including Microsoft Visual Studio, Eclipse, IntelliJ, and more).
Connected Desktop: Local code changes made using the connected desktop plugins provide immediate differential analysis results within IDEs.
Detailed Feedback and Help: Intraprocedural defects and coding violations are identified by severity of risk. For each defect and coding violation, you will receive detailed information of cause with rich, context-sensitive help and guidance on remediation. This allows for easily accessible opportunities for understanding and learning.
In addition, Klocwork features a Secure Code Warrior integration, which provides you with software security lessons and training tools for many common development languages as you write code.
Custom Rules: A graphical custom checker creation tool makes the implementation of project- or organization-specific rule quick and easy — further enriching the learning opportunities.
Architectural Analysis: Klocwork also integrates with architectural visualization and enforcement tools like Structure 101 to allow users to further improve the overall quality and maintainability of their codebase through clean and correct dependencies.
Security |  |  |  |  | |
|---|---|---|---|---|---|
| Secure coding standards help to safeguard your code from potential cyberthreats and other coding vulnerabilities. (Note: The complete set of security standards may not be available with older versions of Klocwork.) | |||||
| CERT | ✔ | ✔ | ✔ | ||
| CWE | ✔ | ✔ | ✔ | ✔ | |
| CWE Top 25 | ✔ | ✔ | ✔ | ✔ | |
| OWASP | ✔ | ||||
| DISA STIG | ✔ | ✔ | ✔ | ||
| PCI DSS | ✔ | ✔ | ✔ | ✔ | |
| ISO/IEC TS 17961 (C secure) | ✔ |
Safety | | | | | |
|---|---|---|---|---|---|
| Safety standards help to ensure that the software powered by your code is reliable and functionally safe. (Note: The complete set of safety standards may not be available with older versions of Klocwork.) | |||||
| MISRA C 2004 | ✔ | ||||
| MISRA C 2012 | ✔ | ||||
| MISRA C 2012 AMD 1 | ✔ | ||||
| MISRA C 2012 AMD 2 | ✔ | ||||
| MISRA C++ 2008 | ✔ | ||||
| AUTOSAR C++ 14 | ✔ | ||||
| JSF AV C++ | ✔ |
Quality | | | | | |
|---|---|---|---|---|---|
| Quality standards help to ensure that your code is reliable and free of errors. (Note: The complete set of quality standards may not be available with older versions of Klocwork.) | |||||
| NASA's 10 Rules | ✔ | ✔ | |||
| Klocwork Quality | ✔ | ✔ | ✔ | ✔ |
Customize | | | | | |
|---|---|---|---|---|---|
| You can create and customize your own rules or project/business coding standard for C, C++, C#, Java, JavaScript, and Python. | |||||
| Create Your Own Standard | ✔ | ✔ | ✔ | ✔ | |
| Create Your Own Rules | ✔ | ✔ | ✔ | ✔ |
Who Uses Klocwork?
Certified for ISO, IEC, and EN Compliance
Klocwork is independently certified for compliance.
TÜV-SÜD Certified
Klocwork is TÜV-SÜD certified for compliance with key functional safety standards:
- ISO 26262 (automotive) up to ASIL level D.
- IEC 61508 (general industry) up to SIL 4.
- EN 50128 (railways) up to SW-SIL 4.
- IEC 62304 (medical devices) up to Software Safety Class C.
Additional Resources
DevOps Automation Best Practices for Embedded Software Development
