Hi Ioannis,
Thanks for bringing the important topic up. I believe Karl will comment on the details of it in TF-M, but you could be interested in watching his presentation at the Tech Forum from Feb 4th: https://www.trustedfirmware.org/docs/tech_forum_20210204_TF-M_openCI_static_... Forum records are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
And yes, the check we have now is not enough so any improvements are welcome.
Hope it helps, Anton
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Glaropoulos, Ioannis via TF-M
Sent: Wednesday, March 17, 2021 11:15 AM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Static analysic checking & reporting - inquiry about interest
Hi everyone,
I would like to ask whether there is an interest in the Project for integrating static code analysis tools with the rest of CI, on the TF-M code base. To the best of my knowledge, this is not available today. In short, a simple process would involve maintaining and running static analysis checking (e.g. using Coverity or any other licensed tool) in nightly/weekly/etc. CI runs, reporting the found issues in the Project, triaging them, and tracking the progress of fixing the issues that are identified as real bugs. Has this topic been raised already in the Project? If not, is this something the project members would consider adding as part of the TF-M Project QA/release process?
Thanks! Ioannis Glaropoulos Nordic Semiconductor