
Integrating Cppcheck Static Code Analysis into Jenkins Pipelines

This article explains why and how to adopt the open‑source Cppcheck tool for C/C++ static analysis, covering installation on Linux, building from source, command‑line usage, Jenkins plugin integration, pipeline scripting, and report visualization to prevent new warnings from entering the codebase.

DevOps Engineer

Due to legacy warnings in the repository, the author wants to prevent new warnings from being introduced by adding C/C++ static analysis at the Pull Request stage. Commercial tools like SonarQube require paid licenses, so an open‑source alternative is needed.

The chosen tool is Cppcheck because it is one of the few free C/C++ static analysers, it integrates with Jenkins, and it supports Jenkins Pipeline.

Installation on Linux

sudo yum install cppcheck.x86_64

If a package manager is unavailable, the source can be built manually:

cd /opt && mkdir cppcheck && cd cppcheck
# download source
wget https://github.com/danmar/cppcheck/archive/1.90.tar.gz
# extract
tar -xvf 1.90.tar.gz
cd cppcheck-1.90
mkdir build && cd build
cmake ..
make
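# the archive was extracted under /opt/cppcheck, and the CMake build places the binary in build/bin
sudo ln -s /opt/cppcheck/cppcheck-1.90/build/bin/cppcheck /usr/bin/cppcheck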
which cppcheck
cppcheck --version

Running Cppcheck

cppcheck src/public src/themes --xml 2> cppcheck.xml

Jenkins integration

The Cppcheck Jenkins plugin provides a publishCppcheck step (publishCppcheck pattern: 'cppcheck.xml'), but two issues were encountered: XML parsing failures on some agents (likely JDK version differences) and the inability to jump directly from the report to the source code.

These problems are tracked by Jenkins tickets JENKINS‑60077, JENKINS‑42613, and JENKINS‑54209. The author switched to the Warnings Next Generation plugin, which aggregates many static‑analysis tools and resolves the display issues.

Using the recordIssues step, the pipeline can publish the Cppcheck results:

recordIssues tools: [cppCheck(pattern: 'cppcheck.xml')]

Complete pipeline example

pipeline {
  agent {
    node {
      label 'cppcheck'
      customWorkspace '/agent/workspace/cppcheck'
    }
  }
  parameters {
    string(name: 'Branch', defaultValue: 'develop', description: 'Which branch do you want to do cppcheck?')
  }
  options {
    timestamps()
    buildDiscarder(logRotator(numToKeepStr: '50'))
  }
  stages {
    stage('Checkout') {
      steps {
        checkout([$class: 'GitSCM', branches: [[name: '*/${Branch}']],
          userRemoteConfigs: [[credentialsId: 'd1cbab74-823d-41aa-abb7',
          url: 'https://git.yourcompany.com/scm/cppcheck-example.git']]])
      }
    }
    stage('Cppcheck') {
      steps {
        // Cppcheck writes its XML report to stderr, hence the 2> redirect
        sh 'cppcheck src/public src/themes --xml 2> cppcheck.xml'
      }
    }
    stage('Publish results') {
      steps {
        recordIssues tools: [cppCheck(pattern: 'cppcheck.xml')]
      }
    }
  }
}

The report shows three dimensions: severity distribution (High, Normal, Low), reference comparison (New, Outstanding, Fixed), and historical trend. Clicking a warning links directly to the offending line in the source code.
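The reference comparison described above can be reproduced outside Jenkins to see what "New, Outstanding, Fixed" means for two Cppcheck XML reports. This is an added example, not code from the article or from the Warnings Next Generation plugin; the fingerprint (file, id, message), the function names and both sample reports are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports in the layout produced by `cppcheck --xml`.
REFERENCE_XML = """<results version="2"><cppcheck version="1.90"/><errors>
<error id="nullPointer" severity="error" msg="Null pointer dereference: p">
  <location file="src/public/a.c" line="10"/></error>
<error id="unusedVariable" severity="style" msg="Unused variable: tmp">
  <location file="src/themes/b.c" line="4"/></error>
</errors></results>"""

CURRENT_XML = """<results version="2"><cppcheck version="1.90"/><errors>
<error id="nullPointer" severity="error" msg="Null pointer dereference: p">
  <location file="src/public/a.c" line="14"/></error>
<error id="arrayIndexOutOfBounds" severity="error"
       msg="Array 'buf[8]' accessed at index 8, which is out of bounds.">
  <location file="src/public/a.c" line="30"/></error>
</errors></results>"""


def fingerprints(xml_text):
    """Map (file, id, msg) -> severity for every <error> in a report.

    Line numbers are left out on purpose (assumed scheme) so that unrelated
    edits that shift a legacy warning do not make it look new. Identical
    warnings repeated in one file collapse into a single fingerprint.
    """
    found = {}
    for err in ET.fromstring(xml_text).iter("error"):
        loc = err.find("location")  # some findings carry no location
        path = loc.get("file") if loc is not None else ""
        found[(path, err.get("id"), err.get("msg"))] = err.get("severity")
    return found


def compare(reference_xml, current_xml):
    """Classify findings the way the report's reference comparison does."""
    ref, cur = fingerprints(reference_xml), fingerprints(current_xml)
    return {
        "new": sorted(k for k in cur if k not in ref),
        "outstanding": sorted(k for k in cur if k in ref),
        "fixed": sorted(k for k in ref if k not in cur),
    }


def gate(reference_xml, current_xml):
    """Exit status for a Pull Request build: 1 if any new warning appeared."""
    return 1 if compare(reference_xml, current_xml)["new"] else 0


if __name__ == "__main__":
    for kind, items in compare(REFERENCE_XML, CURRENT_XML).items():
        print(kind, len(items))
```

The null-pointer warning moved from line 10 to line 14 but is still classified as outstanding, so only the out-of-bounds access would block the Pull Request.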

Overall, the integration provides continuous visibility of C/C++ warnings in every Pull Request, helping maintain code quality without incurring additional licensing costs.

Written by

DevOps Engineer

DevOps engineer, Pythonista and FOSS contributor. Created cpp-linter, commit-check, etc.; contributed to PyPA.
