CodeSonar C/C++

SAST when Safety and Security Matter

 Accelerate Application Security

Software teams are under constant pressure to deliver more content with higher complexity, in shorter timeframes, with increased quality and security. Static Application Security Testing is a proven best practice to help software teams deliver the best code in the shortest timeframe. GrammaTech has been a leader in this field for over 15 years with CodeSonar delivering multi-language SAST capabilities for enterprises where software quality and software security matter.

Download Datasheet

Book an Evaluation

From a TAG Cyber analyst perspective, this suite of tools looks absolutely first-rate. It includes modern DevOps-consistent features with an unequaled foundational base derived from world-class research. » Read More

DevSecOps - Speed and Scale

Software developers need rapid feedback on security vulnerabilities in their code. CodeSonar can be integrated into software development environments, works unobtrusively to the developer and provides rapid feedback.

Functional Safety

Static analysis is an important technology for developing software that needs to achieve high levels of functional safety. CodeSonar is pre-qualified for the highest levels of safety for the IEC 61508, ISO 26262 and CENELEC EN 50128 standards by Exida. Artifacts for qualification according to DO-178C / DO-330 are also available.

Code Understanding

Finding problems is not sufficient, the developer needs to understand the problems that have been uncovered. CodeSonar provides comprehensive code understanding capabilities, helping developers understand and fix issues rapidly.


What is CodeSonar Static Analysis?

1. Textual Descriptions

Easy, clear textual descriptions describe what the problem is.

2. Path Visualization

Shaded background and annotations explain the defect path.

3. Call Tree Visualization

To understand how a function fits in the larger application. Learn more >

Team Support Built In

CodeSonar is designed to support large teams. Defects are persistent and tracked across builds, even if code changes. They can be annotated, ranked, assigned, searched for and compared. Support for many team-tools is provided out of the box.

"It has been without a doubt the easiest tool to integrate to get great quality results out of."
– Crank Software

Read Case Study

Language Support

CodeSonar supports many popular languages, including C/C++, Java, C# and Android, as well as support for native binaries in Intel, ARM and PowerPC instruction set architectures. CodeSonar also supports OASIS SARIF, for exchange of information with other tools in the DevSecOps environment.

Security - Depth

GrammaTech SAST tools use the concept of abstract interpretation to statically examine all the paths through the application, understand the values of variables and how they impact program state.

Standards and Frameworks

Support for MISRA-C and MISRA-C++, AUTOSAR C++-14, CERT, DISA STIG, OWASP, CWE and many other standards.

Examples of Defects Detected

  • Buffer over- and underruns
  • Cast and conversion problems
  • Command injection
  • Copy-paste error
  • Concurrency
  • Ignored return value
  • Memory leak
  • Tainted data
  • Null pointer dereference
  • Dangerous function
  • Unused parameter / value And hundreds more

Metrics and Trends

CodeSonar allows graphing of complexity and quality trends over time to give the management teams the information they need. Data can be visualized and interactively explored inside of the CodeSonar user interface, or programmatically exported via SARIF and/or XML to be used in third party dashboarding applications.


CodeSonar is ultimately scalable, it can do quick scans on subsets of the code on developers desktops, deep and exhaustive checks including concurrency analysis during regression testing and anything in between. It supports incremental builds and analysis and can use highly parallel and distributed compute farms for work offloading. CodeSonar is able to adjust to your software development environment and process.

Book An Evaluation

GrammaTech provides a no-cost evaluation to evaluate CodeSonar on your own code so you can start to see the benefits from first scan.

System Requirements

Host: Windows, Linux, FreeBSD, NetBSD
Hardware: 2+ Cores, 2+GB of RAM, 15+GB of disk
Compilers: Supports most popular and embedded compilers
Languages: C/C++, Java, C#, Binaries
Supported Compilers: Apple xcode, ARM RealView, CodeWarrior, Clang, Free BSD, GCC, G++, Green Hills, HI-TECH, IAR, Intel C/C++, Microsoft Visual Studio, Renesas, Sun C/C++, Texas Instruments CodeComposer, Wind River, Most other compilers easily supported