Skip to content

Fix cppcheck CI: actionable output, fail-on-error-only, suppressions file#2

Draft
nevinshine with Copilot wants to merge 2 commits into
mainfrom
copilot/update-cppcheck-setup
Draft

Fix cppcheck CI: actionable output, fail-on-error-only, suppressions file#2
nevinshine with Copilot wants to merge 2 commits into
mainfrom
copilot/update-cppcheck-setup

Conversation

Copilot AI commented Apr 18, 2026

Copy link
Copy Markdown

The cppcheck step in security.yml exited with code 1 due to --enable=all generating information-severity noise (e.g., checkersReport) which --error-exitcode=1 treats as a failure, and output lacked file/line context making findings unactionable.

Changes

.github/workflows/security.yml

  • --enable=all--enable=warning,style,performance,portability — drops information severity; error is always on by default
  • Removed --error-exitcode=1; replaced with an explicit grep that fails the step only on error-severity findings:
    src/ 2>&1 | tee cppcheck.log
    if grep -qE '^[^:]+:[0-9]+:error:' cppcheck.log; then exit 1; fi
  • Added --template='{file}:{line}:{severity}:{id}:{message}' for parseable, location-anchored output
  • Added --suppressions-list=cppcheck.suppress and --inline-suppr
  • Inline --suppress=missingIncludeSystem and --suppress=unusedFunction removed in favour of the suppressions file
  • CodeQL and Gitleaks jobs untouched

cppcheck.suppress (new)

Repo-root suppressions file wired into the workflow:

missingIncludeSystem   # system headers absent in CI
unusedFunction         # false positives across translation units
Original prompt

Repository: nevinshine/sentinel-vmi
Ref (failing job): 4c3e25f
Workflow: .github/workflows/security.yml
Failing job: 71957934624 (cppcheck step exits with code 1)

Task:

  1. Make the cppcheck GitHub Actions step produce actionable output in logs (file:line:severity:id:message), and ensure output is captured in the job log.
  2. Reduce flakiness/noise: avoid failing the build due solely to informational messages from --enable=all; prefer enabling warning/style/performance/portability/error (or similar) but still fail on error severity.
  3. Add a suppressions file at repo root named cppcheck.suppress (currently missing) and wire it into the workflow via --suppressions-list.
  4. Keep other jobs (CodeQL, Gitleaks) unchanged.

Acceptance:

  • security.yml updated accordingly.
  • cppcheck.suppress added.
  • CI should provide clear error location if cppcheck finds issues.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for failing job 71957934624. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The failing job 71957934624 is the cppcheck step in .github/workflows/security.yml (ref: 4c3e25feb33bf9d7e5e53781087931c3433be0e2). The workflow runs:

cppcheck \
  --enable=all \
  --error-exitcode=1 \
  --suppress=missingIncludeSystem \
  --suppress=unusedFunction \
  --std=c11 \
  -I include \
  src/

and exits with code 1, meaning cppcheck found at least one issue it considers an error. The log snippet you provided is truncated right where cppcheck would normally print the actual finding, so the fix is to (a) make the workflow print the full error details, and (b) either address the underlying code issue or suppress the specific rule intentionally.

Solution (make the failure actionable + fix policy)

1) Update the workflow to print full cppcheck output

Change the cppcheck invocation to produce verbose, parseable output and to fail only on actual “error” severity (not “warning/performance/style” noise that --enable=all can elevate unexpectedly).

In .github/workflows/security.yml (ref above), replace the Run cppcheck command with:

- name: Run cppcheck
  run: |
    cppcheck \
      --std=c11 \
      --enable=warning,style,performance,portability,error \
      --error-exitcode=1 \
      --inline-suppr \
      --suppress=missingIncludeSystem \
      --suppress=unusedFunction \
      --template='{file}:{line}:{severity}:{id}:{message}' \
      -I include \
      src/ 2>&1 | tee cppcheck.log

Why this works:

  • --template ensures the log always includes which file/line triggered the failure.
  • 2>&1 | tee ... ensures GitHub Actions captures the diagnostics even if stderr is involved.
  • Narrowing --enable avoids “informational”/low-signal checkers from breaking CI unless you explicitly want that.

If you do want --enable=all, at least add --verbose --template=... and 2>&1 | tee ... so you can see what is failing.

2) Add a suppression file (optional but recommended)

Your run tries to fetch cppcheck.suppress and it does not exist in the repo at that ref. Add one and wire it into the workflow so you can intentionally suppress known false-positives (with comments in the file).

Create cppcheck.suppress in the repo root, for example:

# System headers / third-party noise
missingIncludeSystem

# If you have known benign patterns, add them with file scoping, e.g.:
# uninitvar:src/memory.c

Then update the workflow step to include:

--suppressions-list=cppcheck.suppress \

This makes suppressions explicit and reviewable.

3) Fix the underlying cppcheck finding in code

Because the cppcheck output is cut off in the provided logs, I can’t point to the exact file/line yet. After applying step (1), re-run the job and it will print something like:

src/foo.c:123:error:...:...

Then fix it in the indicated file. Common cppcheck “error” severity fixes in C include:

  • Initialize variables before use (uninitvar)
  • Check return values (checkReturnValue)
  • Null checks before dereference (nullPointer)
  • Correct buffer bounds (bufferAccessOutOfBounds)

If you paste the new cppcheck.log contents (or the specific file:line:id it reports), I can propose the exact code patch for the failing location.

Minimal alternative (policy-only change)

If you simply want CI to stop failing on non-critical findings, the smallest change is:

- --enable=all \
+ --enable=warning,error \

This typically keeps the job focused on actionable problems while still catching real defects.

User: fix this

Assistant: I’ve queued up the fix, but I’m currently blocked waiting for your approval/confirmation in the dialog before I can apply the changes and proceed.

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Update cppcheck step in security workflow for better logging Fix cppcheck CI: actionable output, fail-on-error-only, suppressions file Apr 18, 2026
Copilot AI requested a review from nevinshine April 18, 2026 16:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants