Static code analysis in Zephyr: Build safer, cleaner code with IAR C-STAT
- By Rafael Taubinger
- 3 min read

Shipping embedded software isn’t just about “it compiles.” It’s about safety, security, and compliance.
Bugs that slip into production waste engineering time and damage trust. Vulnerabilities expose connected devices. And for regulated markets, missing MISRA or CERT checks can stall releases. The earlier you catch issues, the cheaper and safer it is to fix them.
That’s where Static Code Analysis (SCA) helps: it surfaces defects and non-compliances early, when they’re cheapest to fix. With Zephyr, you can wire SCA straight into your build, no detours.
Static analysis built into Zephyr’s west flow
One of the biggest pain points for embedded teams is trying to bolt analysis tools onto a build process that wasn’t designed for them. Zephyr solves this by letting you plug static analysis tools directly into its west-based build system, no complicated scripting or fragile workarounds.
To select an analysis tool, simply use the ZEPHYR_SCA_VARIANT
build setting.
You can set it as a CMake argument or an environment variable:
west build -b <board_name> <application_path> -- -DZEPHYR_SCA_VARIANT=<tool>
Native support for IAR C-STAT
If you need to prove code quality and meet safety/security standards, Zephyr now makes it easier than ever with native support for IAR C-STAT, part of the IAR platform.
C-STAT is a comprehensive static analysis tool for C and C++ that checks your code against a number of coding standards and known security vulnerabilities :
- MISRA C / MISRA C++
- CERT C / CERT C++
- CWE and security best practices
- Reliability and maintainability checks
Enabling C-STAT in Zephyr is straightforward. Just build as you normally would, adding an extra parameter to select IAR C-STAT as the Zephyr's SCA variant tool:
west build -b stm32f429ii_aca samples/basic/blinky -- -DZEPHYR_SCA_VARIANT=iar_c_stat
Fine-tune your analysis
Different teams have varying needs, ranging from strict safety compliance to lightweight security checks. C-STAT is flexible and lets you configure the analysis to match your workflow:
CSTAT_RULESET
— choose rulesets (e.g., all, cert, misrac2012, misrac++2008, stdchecks, security)CSTAT_ANALYZE_THREADS
— number of threads to useCSTAT_ANALYZE_OPTS
— extra analyzer flags (e.g., --timeout=900;--deterministic;--fpe)CSTAT_DB
— path to the SQLite databaseCSTAT_CLEANUP
— clean the database before analysis
For example, to combine MISRA C:2012 and CERT checks:
west build -b stm32f429ii_aca samples/basic/blinky -- \
-DZEPHYR_SCA_VARIANT=iar_c_stat \
-DCSTAT_RULESET=misrac2012,cert
Why teams adopt SCA in Zephyr
Static analysis isn’t just about compliance, it’s about building better software faster. With SCA built directly into the Zephyr workflow, teams can:
- Catch defects early — null dereferences, buffer overruns, uninitialized data, and more.
- Meet standards faster — MISRA and CERT checks integrated with your builds.
- Keep reviews focused — let tools flag violations so humans can focus on design.
- Build confidence — continuous proof of code health for audits and customers.
Summary
With Zephyr’s SCA infrastructure and native IAR C-STAT support, you can integrate security, safety, and compliance checks into every build, whether running locally, in CI/CD pipelines, or in containers. This helps teams catch issues early, avoid late surprises, and confidently ship cleaner, safer, and standards-compliant code.
For more information, see the official Zephyr documentation on Static Code Analysis with IAR C-STAT. For additional resources and materials, also check out IAR’s Code Quality & Compliance solutions.