Coverity is an enterprise-grade static application security testing (SAST) platform known for its deep analysis capabilities and accuracy in detecting complex vulnerabilities.
Now operating under Black Duck Software, Coverity has been a pioneer in static analysis since its founding in 2002 and remains a top choice for organizations with large, complex codebases requiring thorough security analysis.
What is Coverity?
Coverity performs deep static analysis that examines source code to find security vulnerabilities, quality defects, and compliance issues without executing the code.
The platform uses sophisticated techniques including interprocedural dataflow analysis, path-sensitive analysis, and abstract interpretation to detect issues that simpler tools miss.
Originally developed from research at Stanford University, Coverity gained recognition for finding critical bugs in open-source projects and has since evolved into a comprehensive enterprise security platform.
The tool is particularly strong in analyzing C/C++ codebases, embedded systems, and safety-critical applications where the consequences of undetected vulnerabilities can be severe.
After the acquisition of Synopsys Software Integrity Group, Coverity now operates independently under Black Duck Software, continuing to receive investment in its core analysis engine while integrating more closely with Black Duck SCA for comprehensive application security.
Key Features
Deep Static Analysis Engine
Coverity’s analysis goes beyond pattern matching:
- Interprocedural analysis follows code paths across function boundaries
- Path-sensitive analysis understands conditions and constraints along execution paths
- Context-sensitive analysis tracks values through different calling contexts
- Whole-program analysis considers the entire codebase for accurate results
- Abstract interpretation models program behavior mathematically
Comprehensive Vulnerability Detection
Coverage for critical security and quality issues:
- Buffer overflows and memory corruption
- Use-after-free and double-free errors
- Null pointer dereferences
- Resource leaks (memory, file handles, locks)
- SQL injection and command injection
- Cross-site scripting (XSS)
- Insecure cryptography
- Authentication and authorization flaws
- Concurrency issues (race conditions, deadlocks)
- Integer overflows and underflows
Multi-Language Support
Comprehensive coverage across 22+ languages:
- Systems languages: C, C++, CUDA, Fortran
- Enterprise languages: Java, C#, VB.NET, Scala, Kotlin
- Web languages: JavaScript, TypeScript, PHP, Ruby, Python
- Mobile languages: Swift, Objective-C, Kotlin
- Specialized: Apex (Salesforce), Go, ASP.NET
Incremental Analysis
Optimize scan times in CI/CD pipelines:
- Analyze only changed files and their dependencies
- Full analysis on demand or scheduled
- Differential results showing new vs. existing issues
- Integration with source control for change detection
Installation and Setup
Coverity Analysis Platform
The on-premises deployment includes:
# Download Coverity Analysis from Black Duck customer portal
# Extract and configure the installation
tar -xzf cov-analysis-linux64-*.tar.gz
cd cov-analysis-linux64-*
# Configure license
./bin/cov-configure --license /path/to/license.dat
# Configure compilers (example for GCC)
./bin/cov-configure --gcc
./bin/cov-configure --java
./bin/cov-configure --javascript
# Verify configuration
./bin/cov-configure --list-configured-compilers
Build Integration
Coverity intercepts your build process to understand code structure:
# Capture build (C/C++ example with make)
cov-build --dir cov-int make clean all
# Capture build (Java with Maven)
cov-build --dir cov-int mvn clean package
# Capture build (Gradle)
cov-build --dir cov-int ./gradlew clean build
# Capture build (.NET)
cov-build --dir cov-int msbuild /t:Clean,Build MyProject.sln
Analysis and Commit
# Run analysis on captured build
cov-analyze --dir cov-int \
--all \
--aggressiveness-level high \
--enable-constraint-fpp \
--enable-fnptr \
--enable-virtual
# Commit results to Coverity Connect server
cov-commit-defects --dir cov-int \
--url https://coverity-server.example.com:8443 \
--user admin \
--password $COVERITY_PASSPHRASE \
--stream "MyProject-main"
Configuration File
Create a coverity.conf for project-specific settings:
# coverity.conf
project:
name: my-application
stream: my-application-main
analysis:
aggressiveness: high
checkers:
- BUFFER_SIZE
- FORWARD_NULL
- RESOURCE_LEAK
- SQL_INJECTION
- XSS
- HARDCODED_CREDENTIALS
build:
capture:
- make clean all
incremental: true
commit:
url: https://coverity-server.example.com:8443
ssl_verify: true
Integration
GitHub Actions
name: Coverity Analysis
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 2 * * 1' # Weekly full scan
jobs:
coverity:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- name: Download Coverity
run: |
curl -L \
-u "${{ secrets.COVERITY_USER }}:${{ secrets.COVERITY_PASSPHRASE }}" \
-o coverity.tar.gz \
"https://${{ secrets.COVERITY_SERVER }}/downloadFile.htm?fn=cov-analysis-linux64.tar.gz"
tar -xzf coverity.tar.gz
echo "$PWD/cov-analysis-linux64-*/bin" >> $GITHUB_PATH
- name: Build with Coverity
run: |
cov-build --dir cov-int mvn clean package -DskipTests
- name: Run Coverity Analysis
run: |
cov-analyze --dir cov-int \
--all \
--aggressiveness-level high
- name: Commit Results
run: |
cov-commit-defects --dir cov-int \
--url "https://${{ secrets.COVERITY_SERVER }}" \
--user "${{ secrets.COVERITY_USER }}" \
--password "${{ secrets.COVERITY_PASSPHRASE }}" \
--stream "${{ github.repository }}-${{ github.ref_name }}"
- name: Check for New Defects
run: |
# Query for new high-impact defects
curl -s -u "${{ secrets.COVERITY_USER }}:${{ secrets.COVERITY_PASSPHRASE }}" \
"https://${{ secrets.COVERITY_SERVER }}/api/v2/defects?stream=${{ github.repository }}-${{ github.ref_name }}&impact=High&status=New" \
| jq '.totalCount' \
| xargs -I {} test {} -eq 0
GitLab CI
stages:
- build
- security
coverity-scan:
stage: security
image: ubuntu:22.04
variables:
COVERITY_STREAM: "${CI_PROJECT_NAME}-${CI_COMMIT_REF_NAME}"
before_script:
- apt-get update && apt-get install -y curl openjdk-17-jdk maven
- |
curl -L \
-u "${COVERITY_USER}:${COVERITY_PASSPHRASE}" \
-o coverity.tar.gz \
"https://${COVERITY_SERVER}/downloadFile.htm?fn=cov-analysis-linux64.tar.gz"
tar -xzf coverity.tar.gz
export PATH="${PWD}/cov-analysis-linux64-2024.3.0/bin:${PATH}"
script:
- cov-build --dir cov-int mvn clean package -DskipTests
- cov-analyze --dir cov-int --all --aggressiveness-level high
- |
cov-commit-defects --dir cov-int \
--url "https://${COVERITY_SERVER}" \
--user "${COVERITY_USER}" \
--password "${COVERITY_PASSPHRASE}" \
--stream "${COVERITY_STREAM}"
artifacts:
paths:
- cov-int/output/analysis-log.txt
expire_in: 7 days
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
when: manual
Jenkins Pipeline
pipeline {
agent any
environment {
COVERITY_SERVER = credentials('coverity-server')
COVERITY_USER = credentials('coverity-user')
COVERITY_PASSPHRASE = credentials('coverity-passphrase')
COVERITY_STREAM = "${JOB_NAME}-${BRANCH_NAME}"
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Setup Coverity') {
steps {
sh '''
curl -L \
-u "${COVERITY_USER}:${COVERITY_PASSPHRASE}" \
-o coverity.tar.gz \
"https://${COVERITY_SERVER}/downloadFile.htm?fn=cov-analysis-linux64.tar.gz"
tar -xzf coverity.tar.gz
'''
}
}
stage('Build with Coverity') {
steps {
sh '''
export PATH="${WORKSPACE}/cov-analysis-linux64-*/bin:${PATH}"
cov-build --dir cov-int mvn clean package -DskipTests
'''
}
}
stage('Analyze') {
steps {
sh '''
export PATH="${WORKSPACE}/cov-analysis-linux64-*/bin:${PATH}"
cov-analyze --dir cov-int \
--all \
--aggressiveness-level high \
--security
'''
}
}
stage('Commit Results') {
steps {
sh '''
export PATH="${WORKSPACE}/cov-analysis-linux64-*/bin:${PATH}"
cov-commit-defects --dir cov-int \
--url "https://${COVERITY_SERVER}" \
--user "${COVERITY_USER}" \
--password "${COVERITY_PASSPHRASE}" \
--stream "${COVERITY_STREAM}"
'''
}
}
stage('Quality Gate') {
steps {
script {
def defects = sh(
script: """
curl -s -u '${COVERITY_USER}:${COVERITY_PASSPHRASE}' \
"https://${COVERITY_SERVER}/api/v2/defects?stream=${COVERITY_STREAM}&impact=High&status=New" \
| jq '.totalCount'
""",
returnStdout: true
).trim().toInteger()
if (defects > 0) {
error("Found ${defects} new high-impact defects")
}
}
}
}
}
}
When to Use Coverity
Coverity is the right choice for organizations that:
- Have large, complex codebases especially in C/C++ or mixed-language environments
- Require deep analysis accuracy with low false positive rates
- Build safety-critical systems in automotive, medical, aerospace, or embedded
- Need compliance support for standards like MISRA, CERT, and CWE
- Want on-premises deployment with full control over analysis infrastructure
- Already use Black Duck SCA and want unified vulnerability management
Consider alternatives if you:
- Need cloud-native SaaS without on-premises infrastructure
- Have smaller codebases that don’t require enterprise tooling
- Need faster time-to-value with lighter-weight scanning
Coverity integrates with Black Duck SCA for comprehensive application security coverage, combining source code analysis with open-source component security in a unified platform.
Note: Formerly Synopsys Software Integrity Group. Acquired by Clearlake Capital and Francisco Partners in 2024, now operating independently as Black Duck Software.