Shipping embedded software isn’t just about “it compiles.” It’s about safety, security, and compliance.
Bugs that slip into production waste engineering time and damage trust. Vulnerabilities expose connected devices. And for regulated markets, missing MISRA or CERT checks can stall releases. The earlier you catch issues, the cheaper and safer it is to fix them.

That’s where Static Code Analysis (SCA) helps: it surfaces defects and non-compliances early, when they’re cheapest to fix. With Zephyr, you can wire SCA straight into your build, no detours.

Static analysis built into Zephyr’s west flow

One of the biggest pain points for embedded teams is trying to bolt analysis tools onto a build process that wasn’t designed for them. Zephyr solves this by letting you plug static analysis tools directly into its west-based build system, no complicated scripting or fragile workarounds.

To select an analysis tool, simply use the ZEPHYR_SCA_VARIANT build setting.
You can set it as a CMake argument or an environment variable:

_{west build -b <board_name> <application_path> -- -DZEPHYR_SCA_VARIANT=<tool>}

Native support for IAR C-STAT

If you need to prove code quality and meet safety/security standards, Zephyr now makes it easier than ever with native support for IAR C-STAT, part of the IAR platform. 

C-STAT is a comprehensive static analysis tool for C and C++ that checks your code against a number of coding standards and known security vulnerabilities :

• MISRA C / MISRA C++
• CERT C / CERT C++
• CWE and security best practices
• Reliability and maintainability checks

Enabling C-STAT in Zephyr is straightforward. Just build as you normally would, adding an extra parameter to select IAR C-STAT as the Zephyr's SCA variant tool:

_{west build -b stm32f429ii_aca samples/basic/blinky -- -DZEPHYR_SCA_VARIANT=iar_c_stat}

Fine-tune your analysis 

Different teams have varying needs, ranging from strict safety compliance to lightweight security checks. C-STAT is flexible and lets you configure the analysis to match your workflow:

• CSTAT_RULESET — choose rulesets (e.g., all, cert, misrac2012, misrac++2008, stdchecks, security)
• CSTAT_ANALYZE_THREADS — number of threads to use
• CSTAT_ANALYZE_OPTS — extra analyzer flags (e.g., --timeout=900;--deterministic;--fpe)
• CSTAT_DB — path to the SQLite database
• CSTAT_CLEANUP — clean the database before analysis

For example, to combine MISRA C:2012 and CERT checks:

_{west build -b stm32f429ii_aca samples/basic/blinky -- \}

_{-DZEPHYR_SCA_VARIANT=iar_c_stat \}

_{-DCSTAT_RULESET=misrac2012,cert}

Why teams adopt SCA in Zephyr

Static analysis isn’t just about compliance, it’s about building better software faster. With SCA built directly into the Zephyr workflow, teams can:

• Catch defects early — null dereferences, buffer overruns, uninitialized data, and more.
• Meet standards faster — MISRA and CERT checks integrated with your builds.
• Keep reviews focused — let tools flag violations so humans can focus on design.
• Build confidence — continuous proof of code health for audits and customers.

Summary

With Zephyr’s SCA infrastructure and native IAR C-STAT support, you can integrate security, safety, and compliance checks into every build, whether running locally, in CI/CD pipelines, or in containers. This helps teams catch issues early, avoid late surprises, and confidently ship cleaner, safer, and standards-compliant code.

For more information, see the official Zephyr documentation on Static Code Analysis with IAR C-STAT. For additional resources and materials, also check out IAR’s Code Quality & Compliance solutions.