> ## Documentation Index
> Fetch the complete documentation index at: https://docs.roboticks.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Bundled OSS Scanners

> cppcheck, clang-tidy, Bandit, Semgrep, trivy, syft come pre-wired in paid tiers. Enable per-project, configure via per-tool config files, results land in the matrix and evidence pack.

# Bundled OSS scanners

Paid tiers ship with six open-source scanners pre-wired. **No BYO-connector fee.** Enable them per project; results flow into the traceability matrix and the per-release evidence pack alongside any commercial findings.

| Scanner                                                    | Domain                               | Output format                  |
| ---------------------------------------------------------- | ------------------------------------ | ------------------------------ |
| [**cppcheck**](https://cppcheck.sourceforge.io/)           | C/C++ static analysis                | SARIF                          |
| [**clang-tidy**](https://clang.llvm.org/extra/clang-tidy/) | C/C++ lint and bug-finding           | SARIF (via `clang-tidy-sarif`) |
| [**Bandit**](https://bandit.readthedocs.io/)               | Python security                      | SARIF                          |
| [**Semgrep**](https://semgrep.dev/)                        | Multi-language patterns              | SARIF                          |
| [**trivy**](https://trivy.dev/)                            | Container/image vulnerability + SBOM | SARIF + CycloneDX              |
| [**syft**](https://github.com/anchore/syft)                | SBOM generation                      | CycloneDX + SPDX               |

All six emit SARIF (and, for trivy/syft, an SBOM); Roboticks ingests via the standard [SARIF](/integrations/sarif) and [SBOM](/integrations/sbom) paths.

## What "bundled" means

* The runner images for `hosted-ros2-cpu`, `hosted-gazebo-gpu`, and `hosted-webots-cpu` come with all six scanners preinstalled.
* For self-hosted runners, you can opt in to the bundled image (`ghcr.io/roboticks-io/runner-base:scanners`) or install them yourself.
* **No per-tool license fee.** No `$149/connector/month` line.
* Roboticks does not run the scanners for you. You wire them into your CI; we ingest the results.

## Enabling per project

The platform-side toggle is just a notification preference:

**Settings → Findings → OSS scanners**

Toggling on:

* Surfaces a per-tool tab in the **Findings** view
* Includes the tool in PR Check Run summaries
* Includes the tool's appendix in the release evidence pack

Toggling off keeps ingest working but hides the tool from the UI surfaces (use for tools you're trialling).

## Per-tool config

Each tool has a standard config file conventionally checked into the repo. Roboticks does not need to read these — but here's the table for reference.

| Tool       | Config file                        | Notes                                                                                                                           |
| ---------- | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| cppcheck   | none (CLI flags) or `cppcheck.cfg` | Use `--enable=warning,style,performance,portability,unusedFunction,missingInclude` for the broad set                            |
| clang-tidy | `.clang-tidy`                      | Use `Checks: bugprone-*,cert-*,clang-analyzer-*,misc-*,modernize-*,performance-*,portability-*,readability-*` for the broad set |
| Bandit     | `bandit.yaml` (`.bandit`)          | Recipe: `bandit -r . -f sarif -o bandit.sarif`                                                                                  |
| Semgrep    | `.semgrep.yml` or `--config=auto`  | Auto downloads community rule packs                                                                                             |
| trivy      | `trivy.yaml`                       | Scans filesystem, container images, IaC, secrets                                                                                |
| syft       | `.syft.yaml` (rare)                | Default config is usually enough                                                                                                |

## CI recipe — all six in one workflow

```yaml theme={null}
# .github/workflows/oss-scanners.yml
name: OSS Scanners
on: { pull_request: {} }

jobs:
  scanners:
    runs-on: ubuntu-latest
    permissions: { id-token: write, contents: read }
    steps:
      - uses: actions/checkout@v4

      - name: cppcheck
        run: |
          sudo apt-get install -y cppcheck
          cppcheck --enable=all --output-file=cppcheck.sarif --output-format=sarif .

      - name: clang-tidy
        run: |
          pip install clang-tidy-sarif
          find . -name '*.cpp' | xargs clang-tidy --export-fixes=clang-tidy.yaml
          clang-tidy-sarif clang-tidy.yaml > clang-tidy.sarif

      - name: Bandit
        run: |
          pip install bandit
          bandit -r . -f sarif -o bandit.sarif || true

      - name: Semgrep
        run: |
          pip install semgrep
          semgrep --config=auto --sarif --output semgrep.sarif . || true

      - name: trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin
          trivy fs --format sarif --output trivy.sarif .
          trivy fs --format cyclonedx --output trivy.sbom.cdx.json .

      - name: syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
            | sh -s -- -b /usr/local/bin
          syft . -o cyclonedx-json=syft.cdx.json
          syft . -o spdx-json=syft.spdx.json

      - run: pipx install roboticks-cli
      - run: rbtk auth oidc-from-github

      - name: Upload findings
        run: |
          rbtk findings upload --tool cppcheck     cppcheck.sarif
          rbtk findings upload --tool clang-tidy   clang-tidy.sarif
          rbtk findings upload --tool bandit       bandit.sarif
          rbtk findings upload --tool semgrep      semgrep.sarif
          rbtk findings upload --tool trivy        trivy.sarif

      - name: Upload SBOMs
        run: |
          rbtk sbom upload --tool trivy trivy.sbom.cdx.json
          rbtk sbom upload --tool syft  syft.cdx.json syft.spdx.json
```

## Findings vs metrics

| Scanner              | Roboticks treats as                                 |
| -------------------- | --------------------------------------------------- |
| cppcheck, clang-tidy | `finding` (per rule violation)                      |
| Bandit, Semgrep      | `finding` (per security issue)                      |
| trivy (vuln)         | `finding` (per CVE)                                 |
| trivy (SBOM), syft   | `sbom` (SPDX or CycloneDX) — lands in evidence pack |

## Severity mapping (per tool)

The defaults match upstream's severity conventions; override at **Settings → Findings → Severity mapping → OSS scanners**.

| Tool         | Upstream severity                        | Roboticks default                           |
| ------------ | ---------------------------------------- | ------------------------------------------- |
| cppcheck     | error / warning / style / performance    | error / warning / info / info               |
| clang-tidy   | warning (uniform)                        | warning (use rule prefix for finer mapping) |
| Bandit       | High / Medium / Low                      | critical / error / warning                  |
| Semgrep      | ERROR / WARNING / INFO                   | error / warning / info                      |
| trivy (vuln) | CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN | critical / error / warning / info / info    |

## Where findings appear

* **Traceability matrix** — findings tied to source files annotated with `@confirms` link to the requirement.
* **Findings view** — one tab per tool, plus an **All** tab.
* **Release evidence pack** — one appendix per tool with active findings; raw SARIF in the ZIP.
* **PR Check Run** — `Roboticks · OSS Scanners` summary with per-tool delta vs base.

## When to upgrade to BYO

OSS scanners cover the common ground; you'd switch to a BYO commercial connector when:

* You need **formal-methods soundness** — [Polyspace Code Prover](/integrations/polyspace)
* You need **MISRA / AUTOSAR / JSF compliance reports** with formal deviation workflow — [LDRA](/integrations/ldra)
* You need **enterprise-grade triage** with named owners and a Connect server — [Coverity](/integrations/coverity)

You can run OSS scanners and a commercial tool in parallel — findings dedupe by `partialFingerprints` and rule ID across tools.

## Troubleshooting

<AccordionGroup>
  <Accordion title="cppcheck finds nothing">
    By default cppcheck only checks for the most-conservative issues. Add `--enable=all --suppress=missingIncludeSystem` to get the broad set.
  </Accordion>

  <Accordion title="clang-tidy SARIF conversion fails">
    `clang-tidy-sarif` expects the YAML output from `--export-fixes`. If you redirected stdout instead, the YAML is missing some keys. Use `--export-fixes=<file>`, not stdout redirection.
  </Accordion>

  <Accordion title="trivy SARIF has no fingerprints">
    Older trivy versions omitted `partialFingerprints`. Upgrade to trivy ≥ 0.45.
  </Accordion>
</AccordionGroup>

## Next

<CardGroup cols={2}>
  <Card title="SBOM ingest" icon="boxes-stacked" href="/integrations/sbom">
    syft and trivy SBOMs feed the evidence pack.
  </Card>

  <Card title="BYO connectors" icon="microscope" href="/integrations/byo-connectors">
    When you need commercial-grade analysis.
  </Card>
</CardGroup>
