10 Easy Steps to Add Static Analysis to Your Firmware Build


When it comes to embedded system applications, security is one of the most important requirements. In addition to embedded security topics such as Bluetooth encryption, SSH, and TLS, modern firmware developers also run a static analysis tool that checks their source code for vulnerabilities. There are many existing static analysis tools (Cppcheck, Clang Sanitizers, etc.) that can do the job, but today I’d like to focus on one of our favorites, Flawfinder.

Flawfinder is an open-source tool developed by David A. Wheeler, a security expert. Like all static analysis tools, it scans your C/C++ source code to look for weaknesses or flaws.


Installation

Since Flawfinder is written in Python it can be used on most platforms. You can install Flawfinder by using the Python pip installer as shown below.

pip3 install flawfinder

Using Flawfinder is as easy as calling one of the following commands.

# Scan a single file
flawfinder <SOURCE_CODE>

OR

# Scan all files in a directory
flawfinder <SOURCE_CODE_DIRECTORY>

Calling the command above prints the results on the terminal, which is only useful at the moment you run it. If Flawfinder is integrated into a CI pipeline, the outputs are saved for later review: to refer back to a previous Flawfinder run, all you have to do is look at that pipeline’s build log.

There are command-line options that you can use to customize the scanning experience. The combination of options we recommend is minlevel, html, and context. The minlevel option lets you choose the minimum risk level from 0 (very low risk) to 5 (high risk) to be shown on the terminal. By default, the results of level 1 or higher are shown. If we are only concerned about high-risk outputs, we can set the minlevel to 4. The html and context options will put the output in HTML format and show the lines of code that are potential security vulnerabilities. With these options, the command will now look like the following.

flawfinder --minlevel=4 --html --context <SOURCE_CODE> > flawfinder_report.html

Add the Security Screening to Your Automated Build

If you’ve never heard of automated builds or are not sure how to get started using them, take a look at our blog on setting up automated firmware builds as a quick tutorial.

Then, consider this: at the airport, you can only get on the plane after passing through a number of stages: check-in, security, the terminal, and then boarding the plane itself. The same concept applies to your build – you have to take several steps before deployment. Therefore, we want to create a job that runs Flawfinder (security screening) on your code before deploying it (boarding the plane).

First, we want to create an isolated environment for this job. This can be done by creating a simple Flawfinder Docker image.

# A base image with Python is needed to install Flawfinder
FROM python:3.8.5-slim-buster

ARG FLAWFINDER_VERSION=2.0.11

# Install a specific version of Flawfinder
# I'm using version 2.0.11
RUN pip3 install flawfinder==$FLAWFINDER_VERSION

Once the Flawfinder Docker image is created, you can use it in your automated pipelines. In the script section of your YAML file, call the Flawfinder command and provide the path to the source directory you want to check. A snippet of a Flawfinder job in a .gitlab-ci.yml file is shown below.

flawfinder:
  stage: static analysis    # the stage name must also appear under the top-level stages: key
  image: flawfinder:v2.0.11 # the image built from the Dockerfile above, tagged v2.0.11
  script:
    - mkdir flawfinder_report
    - flawfinder --minlevel=4 --html --context src/ > flawfinder_report/flawfinder_test_report.html
  artifacts:
    paths:
      - flawfinder_report/

With the job above alone, it’d be like running bags through the scanner with no one looking at the screen to see what’s in them. We can set up the job to fail if the number of items (flaws) found is over a threshold; check out our blog on how CI pipeline scripts and exit codes interact to learn more about it.
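Tying the Dockerfile and CI job above together, here is an added example (not code from the original post) of the threshold check just described. It assumes the job also writes a machine-readable report with Flawfinder’s --csv option, and the count_hits and gate helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: gate the CI job on the
# number of Flawfinder hits at or above a chosen risk level, so a report
# over the threshold fails the pipeline instead of sitting unread.
# Assumption: the job also writes a machine-readable report with
#   flawfinder --csv src/ > flawfinder_report/hits.csv
# Flawfinder 2.0.x CSV columns start File,Line,Column,Level,...; later
# columns may be quoted and contain commas, so only the first four are used.

# count_hits REPORT MINLEVEL  ->  prints the number of rows with Level >= MINLEVEL
count_hits() {
    awk -F, -v min="$2" 'NR > 1 && $4 + 0 >= min { n++ } END { print n + 0 }' "$1"
}

# gate REPORT MINLEVEL MAXALLOWED  ->  status 0 if hits <= MAXALLOWED, 1 otherwise
gate() {
    hits=$(count_hits "$1" "$2")
    if [ "$hits" -gt "$3" ]; then
        echo "FAIL: $hits hit(s) at level >= $2 (allowed: $3)" >&2
        return 1
    fi
    echo "OK: $hits hit(s) at level >= $2 (allowed: $3)"
}

# Constructed sample report (not real Flawfinder output): one level-4 hit
# and one level-2 hit, with placeholder text and fingerprints.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
File,Line,Column,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
src/main.c,12,5,4,buffer,strcpy,"Constructed warning, with a comma",Constructed suggestion,,CWE-120,"    strcpy(buf, input);",PLACEHOLDER
src/uart.c,40,9,2,buffer,char,"Constructed warning, with a comma",Constructed suggestion,,CWE-119,"    char buf[64];",PLACEHOLDER
EOF

# In a .gitlab-ci.yml script: section, a non-zero exit status fails the job.
gate "$SAMPLE" 4 1              # one level-4 hit is tolerated here
if ! gate "$SAMPLE" 4 0; then   # zero tolerance: this is where CI would stop
    echo "pipeline would fail here"
fi
```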

So, there you have it. Setting up static analysis for your code can be as easy as a single command. Having Flawfinder in your software development cycle not only makes you more confident in your source code, but also protects your end product from potential criminals.

Next Steps

If you’d like to make sure your firmware is secure, reach out! At DojoFive, we have talented engineers on hand ready to help you with all aspects of your EmbedOps journey. We are always happy to help with interesting problems that need solving, from security audits to firmware development.

You can book a call with us to start the conversation. We have tools and experience to help you along the way.
