How to Use Tencent’s TscanCode for Static Code Analysis on Linux and Windows

This guide explains static code scanning concepts, compares popular tools, introduces Tencent’s open‑source TscanCode, details its supported languages and detection capabilities, and provides step‑by‑step instructions for running the tool on Linux and Windows with example code and results.

Liangxu Linux

Static code scanning

Static code scanning analyzes source code without execution using lexical, syntactic, control‑flow and data‑flow techniques. It can detect mismatched parameters, ambiguous nesting, illegal recursion, null‑pointer dereferences, memory leaks, array out‑of‑bounds writes, and other hidden defects.

TscanCode

TscanCode is a Tencent‑developed static analysis tool. It originated from cppcheck and was later rewritten to support C/C++, C# and Lua. The tool can detect automatic variable misuse, out‑of‑bounds accesses, class‑constructor issues, memory leaks, null pointers and usage of deprecated functions.

https://github.com/Tencent/TscanCode

Package layout

release – compiled binaries for Linux, macOS and Windows.

samples – example source files for C++, C# and Lua.

trunk – source code of TscanCode.

Linux usage

The Linux binary is located at:

TscanCode-master/release/linux/TscanCodeV2.14.2395.linux

Make the binary executable:

chmod +x TscanCodeV2.14.2395.linux

Example 1: Scan C++ sample code

./TscanCodeV2.14.2395.linux --xml --enable=all -q ../../../samples/cpp/ >scan_result.xml 2>&1

The command produces scan_result.xml, which can be opened with a spreadsheet viewer for a readable report.

Example 2: Scan a C file with an out‑of‑bounds write

#include <stdio.h>

void test(void)
{
    char buf[5] = {0};
    for (size_t i = 0; i < 10; i++)
    {
        buf[i] = 1; // out‑of‑bounds write
    }
}

int main(int argc, char **argv)
{
    test();
    return 0;
}

Run the scan:

./TscanCodeV2.14.2395.linux --xml --enable=all -q ./test.c >scan_result.xml 2>&1

The generated report highlights the out‑of‑bounds write to buf.
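Once the scanner has flagged the write, the fix is to derive the write limit from the buffer's real size instead of a literal. The following is an added example, not code from the original article or from the TscanCode project; fill_bounded, struct guarded and run_fixed are hypothetical names, and the guard bytes are a constructed fixture used to show that nothing outside buf is touched.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the page): write `value` into at most `want`
 * bytes of dst, clamped to the real capacity `cap`. Returns the number of
 * bytes written so the caller can detect truncation. */
size_t fill_bounded(char *dst, size_t cap, size_t want, char value)
{
    if (dst == NULL)
        return 0;
    size_t n = want < cap ? want : cap;
    memset(dst, value, n);
    return n;
}

/* Constructed fixture: guard bytes on both sides of a 5-byte buffer,
 * mirroring `char buf[5]` from the page's test.c. */
struct guarded {
    char before[4];
    char buf[5];
    char after[4];
};

/* Requests 10 writes, as the page's loop does, and reports how many landed.
 * Returns -1 if either guard region was modified. */
int run_fixed(void)
{
    struct guarded g;
    memset(&g, 0, sizeof g);
    memset(g.before, 0x5A, sizeof g.before);
    memset(g.after, 0x5A, sizeof g.after);

    size_t written = fill_bounded(g.buf, sizeof g.buf, 10, 1);

    /* Both guard arrays have the same length, so one loop checks both. */
    for (size_t i = 0; i < sizeof g.before; i++)
        if (g.before[i] != 0x5A || g.after[i] != 0x5A)
            return -1;
    return (int)written;
}

int main(void)
{
    printf("bytes written: %d\n", run_fixed());
    return 0;
}
```

Re-running the same scan command on the corrected file is the check that the finding is gone.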

Windows usage

Recent releases no longer include a Windows executable. Use version V2.14.24 (file TscanCodeV2.14.24.windows.exe) from the release archive.

https://blog.csdn.net/m0_53168002/article/details/126596565