Klocwork Static Analysis for Quality and Security

‘State Of the Art’ Static Code Analysis for C/C++, Java and C#

Klocwork provides comprehensive ‘always on’ detection of critical security vulnerabilities, quality defects and coding standards violations quickly and accurately, and throughout the development life cycle

The Klocwork analysis engine is the culmination of over 15 years of static analysis research. At the core of its technology is the ability to monitor the lifecycles of objects and infer their run time behaviour without executing the code. This allows a broad range of quality, reliability, security, and maintainability issues to be identified, with high accuracy.


Shift Left

At the developer desktop, Klocwork will seamlessly connect to the IDE, text editor, CI platform or command
line interface. It provides continuous ‘on-the-fly’ analysis of developers’ code, allowing any defective code to be instantly rectified.


Developer Learning

Having an easy to use, ‘always on’, analysis engine looking out for your mistakes in a non-conflictive and automated review process, makes Klocwork the perfect platform for developer learning. Couple that with comprehensive help, including text and references from industrially and internationally recognized coding guidelines and even links to specialist security material such as provide by Secure Code Warrior, and you have the perfect ‘on-the-job’ training school for developers.


Security Standards

Klocwork has out of the box support for a range of industrially and internationally recognized security standards, including: CERT, CWE, OWASP, DISA-STIG (DoD), PCI and more, to assist in the development of secure code from the ground up.


MISRA Conformance

Klocwork has out of the box support for MISRA C 2004, MISRA C++ 2008, MISRA C 2012 (C90 and C99) and MISRA C 2012 Amendment 1 (C90 and C99).


Functional Safety

This complementary technology has led to Klocwork’s success in safety-critical and high-integrity embedded systems where system faults are simply not acceptable and, in many cases, compliance with industry standards is required (IEC 61508, ISO 26262, EN 51208, IEC 62304, DO-178B/C, etc).



The Klocwork checkers can complemented with your own specific rules, perhaps to enforce an organisational, departmental or project coding standard, and these rules can be built up to form the overall project requirements.



The Klocwork engine provides hundreds of coding metrics to give a deeper insight into the quality, maintainability and cleanliness of your code. It also supports the checking of specific metrics thresholds, such as is defined by the HIS Metriken set.

Enterprise Level Static Analysis

In today’s modern age of complex, safety-critical embedded software systems, utilising static code analysis techniques that can detect potential critical runtime issues should be considered as a fundamental practice in staying ahead of the market.

Build Comprehension

The core of any accurate static code analysis rests on the ability to reproduce a native build environment (e.g. compiler, includes, macro definitions). Klocwork reproduces your build process to ensure a build-identical analysis.


Model Extraction

Klocwork’s internal parser utilizes the build comprehension to accurately extract abstract model representations of your entire system.


Intermediate Representation (IR)

Klocwork’s unique IR enables a “run-time simulation” analysis to detect complex issues which would otherwise only be found through program execution.



Klocwork’s dual analysis engine enables detection of both syntactical and logical issues. This covers the full range of checks; from coding guidelines compliance (e.g. MISRA-C/C++, in-house) to whole-program path analysis.



An SQL database is used to manage and report whole-program analysis results. Complementing this are integrated developer tools used to identify, fix and suppress issues as the code is being written.