feat(cpp): expand coverage with tooling, security, and dependency analysis#50
Merged
Conversation
alxxjohn
added a commit
that referenced
this pull request
Jul 17, 2026
🤖 I have created a release *beep* *boop* --- ## [1.1.0](v1.0.0...v1.1.0) (2026-07-17) ### Features * **cpp:** add tooling and security analysis ([b93d681](b93d681)) * **cpp:** expand checks across all categories ([29ea77e](29ea77e)) * **cpp:** expand coverage with tooling, security, and dependency analysis ([#50](#50)) ([16e8146](16e8146)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR substantially expands CodeGuard’s C++ coverage, bringing it closer to the coverage currently available for Go
across quality, design, performance, security, CI/CD, contracts, and supply-chain checks.
It also adds opt-in native Clang tooling, safe
compile_commands.jsonsupport, bounded C++ taint/SSRF analysis, andstatic dependency extraction from CMake and
conanfile.py.What changed
C++ quality and native tooling
clang-formatvalidation.clang++ -fsyntax-onlycompiler validation.off,auto, andrequiredmodes.compile_commands.jsondiscovery from:build/cmake-build-debug/cmake-build-release/Safe compilation-database handling
Compilation databases are treated as untrusted metadata.
CodeGuard does not execute:
Instead, CodeGuard constructs a fixed
clang++ -fsyntax-onlyinvocation using only:-Dand-Upreprocessor metadataExternal and ambiguous include paths are ignored. Symlink containment is also enforced and covered by regression
tests.
Configured executable overrides remain protected by CodeGuard’s existing config-command trust gate.
C++ dependency and design analysis
C++ performance coverage
Adds or expands checks for:
The rebuild-cascade analysis uses the same configurable thresholds as the existing Go package analysis.
C++ security analysis
Adds checks for:
Recognized taint sources include:
argvandenvpRecognized SSRF sinks include common APIs from:
New security rules include:
security.taint.cpp, mapped to OWASP A03 Injectionsecurity.ssrf.cpp, mapped to OWASP A10 SSRFThe analysis is deliberately conservative and bounded to same-file assignments and function summaries.
C++ contract checks
include/public/api/Contract checks run in diff mode and follow the existing contracts-family defaults.
C++ CI and test-quality checks
assertcallsC++ supply-chain analysis
Expands manifest normalization and dependency analysis for:
vcpkg.jsonconanfile.txtconanfile.pyCMakeLists.txt*.cmakefilesCMake
Statically recognizes:
find_packageFetchContent_DeclareExternalProject_AddCPMAddPackageset()variable indirectionConan Python
Statically recognizes:
requiresandtool_requiresself.requires()andself.tool_requires()callsCMake and Python files are never executed or imported during analysis.
Dynamic expressions, custom wrappers, cross-file variable propagation, and imported helpers are not evaluated.
Unresolved declarations are exposed through the supply-chain artifact’s
analysis_limitationsfield.Configuration and documentation
quality_rules.cpp_tooling.security_rules.taint_cpptoggle.Safety and compatibility
off.compile_commands.jsonis never treated as an executable command source.conanfile.pyanalysis is static and never executes repository code.Known limitations
Verification
make cipasses.golangci-lintpasses with0 issues.0 findings.100.git diff --checkpasses.Release impact
This is a feature-level change and uses Conventional Commit formatting so Release Please can include it in the next
release.