SqC Developer Guide

SqC (Software Code Quality) is a terminal-based static analysis tool that validates C code compliance with SEI CERT C Coding Standards. It implements 285 rules across 17 CERT C categories, using tree-sitter for fast AST-based analysis with cross-file context, control-flow graphs, and inter-procedural reasoning.

This guide covers advanced usage, CI/CD integration, the interactive console UI, testing methodology, project internals, and contributing.

Contents

• Advanced CLI Usage
  • Full Command Reference
  • Cross-File Analysis
  • Export Formats
  • Severity Filtering
  • Rule Filtering
  • Diff Mode
  • Exit Codes
• Suppression System
  • Inline Comment Suppression
  • External Suppression File
  • Wildcard Suppression
  • Hash Details
• Configuration
  • Manifest File
  • Custom Manifest Format
  • Supported CERT C Rules
• CI/CD Integration
  • General Strategy
  • GitHub Actions
  • Azure DevOps
  • SARIF Integration Tips
  • CI/CD Readiness
• Interactive Console UI
  • Violations Tab
  • Configuration Tab
  • Keyboard Reference
    • Navigation (both tabs)
    • Tab Switching
    • Violations Tab – Selection
    • Violations Tab – Actions
    • Violations Tab – Sorting / Grouping
    • Configuration Tab
• Testing Methodology
  • Benchmark Strategy
  • Unit Tests
  • NIST Juliet Test Suite Benchmarking
    • How Juliet Benchmarking Works
    • Current Results (v0.3.119)
    • FP Reduction History
  • Real-World Code Analysis
  • Cross-Tool Comparison Methodology
    • Apples-to-Apples Concerns
    • Recommended Comparison Workflow
    • Published CERT-C Results
  • Test Infrastructure Details
    • Build-Time Test Generation
    • Test File Naming Conventions
    • Test Distribution by Rule Size
    • What Tests Do NOT Cover
    • Coverage Gate
    • Embedded Rust Unit Tests
    • Known Rule Implementation Gaps
• Analysis Architecture
  • Analysis Modules
  • Current Capabilities
  • Known Limitations
  • Architectural Ceiling
  • Competitor Landscape
• Benchmark Setup
  • Installing Comparison Tools
    • cppcheck
    • clang-tidy
    • bear (for compile_commands.json)
    • Facebook Infer
    • Frama-C
  • Juliet Test Suite Setup
  • Third-Party Library Headers
    • Per-Project Include Paths
  • Real-World Project Setup
    • Pinned Source Commits
    • Clone and Pin
  • Running Each Tool Manually
    • sqc
    • cppcheck
    • clang-tidy
  • Per-Project Commands
    • libcrc
    • sqlite
    • mosquitto
    • curl
    • hostap
  • Verifying Results
    • Known Pitfalls
  • Output Format Reference
  • Distributed Benchmarking with GNU Parallel
• Running Benchmarks (MCP Server)
  • Benchmark Infrastructure
    • SQLite Schema
  • Benchmark Workflow Protocol
    • Pre-Benchmark Checklist
  • Juliet Benchmark Tools
    • CLI Alternative
  • Real-World Benchmark Tools
  • Comparing Across Runs
    • Juliet
    • Real-World
  • Competitor Benchmarks (Infer / Frama-C)
    • Infrastructure
    • Running
    • Timing Estimates
    • Classification Logic
  • Troubleshooting
    • Resolved Issues
• Project Structure
• Future Rulesets Beyond CERT C
  • The Power of 10 Rules (NASA JPL, 2006)
  • JPL Institutional Coding Standard (2009)
    • Multi-threading / Concurrency
    • Other Key Rules
    • Earlier Standards Referenced by JPL
  • BARR-C Embedded C Coding Standard
  • Candidate Rules for Implementation
    • Core Safety Rules (Pre-MISRA)
    • Embedded-Specific Rules
    • Multi-threading Safety (JPL-specific)
• Contributing
  • Adding a New CERT C Rule
  • Build Requirements
• Bibliography
  • Juliet & Vulnerability Detection Studies
  • NIST SATE Reports
  • Tool Comparison & Industry Studies
  • False Positive Rate Benchmarks
    • Industry FP Rate Context
  • Standards & Specifications
  • NASA & Aerospace