Bundled OSS scanners

Paid tiers ship with six open-source scanners pre-wired. No BYO-connector fee. Enable them per project; results flow into the traceability matrix and the per-release evidence pack alongside any commercial findings.

Scanner	Domain	Output format
cppcheck	C/C++ static analysis	SARIF
clang-tidy	C/C++ lint and bug-finding	SARIF (via `clang-tidy-sarif`)
Bandit	Python security	SARIF
Semgrep	Multi-language patterns	SARIF
trivy	Container/image vulnerability + SBOM	SARIF + CycloneDX
syft	SBOM generation	CycloneDX + SPDX

All six emit SARIF (and, for trivy/syft, an SBOM); Roboticks ingests via the standard SARIF and SBOM paths.

What “bundled” means

The runner images for hosted-ros2-cpu, hosted-gazebo-gpu, and hosted-webots-cpu come with all six scanners preinstalled.
For self-hosted runners, you can opt in to the bundled image (ghcr.io/roboticks-io/runner-base:scanners) or install them yourself.
No per-tool license fee. No $149/connector/month line.
Roboticks does not run the scanners for you. You wire them into your CI; we ingest the results.

Enabling per project

The platform-side toggle is just a notification preference: Settings → Findings → OSS scanners Toggling on:

Surfaces a per-tool tab in the Findings view
Includes the tool in PR Check Run summaries
Includes the tool’s appendix in the release evidence pack

Toggling off keeps ingest working but hides the tool from the UI surfaces (use for tools you’re trialling).

Per-tool config

Each tool has a standard config file conventionally checked into the repo. Roboticks does not need to read these — but here’s the table for reference.

Tool	Config file	Notes
cppcheck	none (CLI flags) or `cppcheck.cfg`	Use `--enable=warning,style,performance,portability,unusedFunction,missingInclude` for the broad set
clang-tidy	`.clang-tidy`	Use `Checks: bugprone-,cert-,clang-analyzer-,misc-,modernize-,performance-,portability-,readability-` for the broad set
Bandit	`bandit.yaml` (`.bandit`)	Recipe: `bandit -r . -f sarif -o bandit.sarif`
Semgrep	`.semgrep.yml` or `--config=auto`	Auto downloads community rule packs
trivy	`trivy.yaml`	Scans filesystem, container images, IaC, secrets
syft	`.syft.yaml` (rare)	Default config is usually enough

CI recipe — all six in one workflow

# .github/workflows/oss-scanners.yml
name: OSS Scanners
on: { pull_request: {} }

jobs:
  scanners:
    runs-on: ubuntu-latest
    permissions: { id-token: write, contents: read }
    steps:
      - uses: actions/checkout@v4

      - name: cppcheck
        run: |
          sudo apt-get install -y cppcheck
          cppcheck --enable=all --output-file=cppcheck.sarif --output-format=sarif .

      - name: clang-tidy
        run: |
          pip install clang-tidy-sarif
          find . -name '*.cpp' | xargs clang-tidy --export-fixes=clang-tidy.yaml
          clang-tidy-sarif clang-tidy.yaml > clang-tidy.sarif

      - name: Bandit
        run: |
          pip install bandit
          bandit -r . -f sarif -o bandit.sarif || true

      - name: Semgrep
        run: |
          pip install semgrep
          semgrep --config=auto --sarif --output semgrep.sarif . || true

      - name: trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin
          trivy fs --format sarif --output trivy.sarif .
          trivy fs --format cyclonedx --output trivy.sbom.cdx.json .

      - name: syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
            | sh -s -- -b /usr/local/bin
          syft . -o cyclonedx-json=syft.cdx.json
          syft . -o spdx-json=syft.spdx.json

      - run: pipx install roboticks-cli
      - run: rbtk auth oidc-from-github

      - name: Upload findings
        run: |
          rbtk findings upload --tool cppcheck     cppcheck.sarif
          rbtk findings upload --tool clang-tidy   clang-tidy.sarif
          rbtk findings upload --tool bandit       bandit.sarif
          rbtk findings upload --tool semgrep      semgrep.sarif
          rbtk findings upload --tool trivy        trivy.sarif

      - name: Upload SBOMs
        run: |
          rbtk sbom upload --tool trivy trivy.sbom.cdx.json
          rbtk sbom upload --tool syft  syft.cdx.json syft.spdx.json

Findings vs metrics

Scanner	Roboticks treats as
cppcheck, clang-tidy	`finding` (per rule violation)
Bandit, Semgrep	`finding` (per security issue)
trivy (vuln)	`finding` (per CVE)
trivy (SBOM), syft	`sbom` (SPDX or CycloneDX) — lands in evidence pack

Severity mapping (per tool)

The defaults match upstream’s severity conventions; override at Settings → Findings → Severity mapping → OSS scanners.

Tool	Upstream severity	Roboticks default
cppcheck	error / warning / style / performance	error / warning / info / info
clang-tidy	warning (uniform)	warning (use rule prefix for finer mapping)
Bandit	High / Medium / Low	critical / error / warning
Semgrep	ERROR / WARNING / INFO	error / warning / info
trivy (vuln)	CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN	critical / error / warning / info / info

Where findings appear

Traceability matrix — findings tied to source files annotated with @confirms link to the requirement.
Findings view — one tab per tool, plus an All tab.
Release evidence pack — one appendix per tool with active findings; raw SARIF in the ZIP.
PR Check Run — Roboticks · OSS Scanners summary with per-tool delta vs base.

When to upgrade to BYO

OSS scanners cover the common ground; you’d switch to a BYO commercial connector when:

You need formal-methods soundness — Polyspace Code Prover
You need MISRA / AUTOSAR / JSF compliance reports with formal deviation workflow — LDRA
You need enterprise-grade triage with named owners and a Connect server — Coverity

You can run OSS scanners and a commercial tool in parallel — findings dedupe by partialFingerprints and rule ID across tools.

Troubleshooting

cppcheck finds nothing

By default cppcheck only checks for the most-conservative issues. Add --enable=all --suppress=missingIncludeSystem to get the broad set.

clang-tidy SARIF conversion fails

clang-tidy-sarif expects the YAML output from --export-fixes. If you redirected stdout instead, the YAML is missing some keys. Use --export-fixes=<file>, not stdout redirection.

trivy SARIF has no fingerprints

Older trivy versions omitted partialFingerprints. Upgrade to trivy ≥ 0.45.

SBOM ingest

syft and trivy SBOMs feed the evidence pack.

BYO connectors

When you need commercial-grade analysis.

Bundled OSS Scanners

Bundled OSS scanners

What “bundled” means

Enabling per project

Per-tool config

CI recipe — all six in one workflow

Findings vs metrics

Severity mapping (per tool)

Where findings appear

When to upgrade to BYO

Troubleshooting

Next

SBOM ingest

BYO connectors

Documentation Index

​Bundled OSS scanners

​What “bundled” means

​Enabling per project

​Per-tool config

​CI recipe — all six in one workflow

​Findings vs metrics

​Severity mapping (per tool)

​Where findings appear

​When to upgrade to BYO

​Troubleshooting

​Next

SBOM ingest

BYO connectors

Bundled OSS scanners

What “bundled” means

Enabling per project

Per-tool config

CI recipe — all six in one workflow

Findings vs metrics

Severity mapping (per tool)

Where findings appear

When to upgrade to BYO

Troubleshooting

Next