v0.1 — MISRA C:2023 · CERT C · CWE

Catch MISRA, CERT C & CWE defects in C — fully local.

Provadyne runs the latest C coding-standard checks on your own machine — with AI-suggested fixes, SARIF for GitHub code scanning, and auditor-ready reports. No cloud upload. No procurement cycle.

Built on cppcheck 2.20  ·  runs 100% offline  ·  BYOK OpenAI / Anthropic / Ollama
Detects: MISRA C:2023 · SEI CERT C · CWE. Integrates: SARIF · GitHub code scanning · ISO 26262-6 traceability.
How it works

Three steps, all on your machine.

No agents to install on a build server, no code leaving your network.

01 · Install

One binary, no daemon farm.
brew install provadyne-daemon — or grab the release for macOS, Linux, or Windows.

02 · Analyze

In your editor, inline on GitHub PRs, or in CI. Pick any mix of MISRA C:2023, CERT C, and CWE per run.

03 · Fix & prove

Apply AI-suggested fixes, upload SARIF to code scanning, and export auditor-ready PDF / CSV reports.

What's in the box

Latest-spec static analysis, built for embedded C.

Powered by widely-used open source (cppcheck, fpdf2). No telemetry, no SaaS lock-in.

Multi-standard detection

MISRA C:2023, SEI CERT C, and CWE in a single local pass — every finding tagged with its standard and CWE id so you filter by what your program requires.

AI fix suggestions

One-click diff previews for each violation. Bring your own key (OpenAI / Anthropic) or run fully offline with a local Ollama model.

SARIF & code scanning (new)

Emit SARIF 2.1.0 and upload it to GitHub code scanning — violations show up inline on the PR and under the Security tab, CWEs included.

Auditor-ready reports

Turn a directory of .c files into a batch PDF with severity rollups and per-file rule citations. CSV / Excel export included. (Pro)

ISO 26262 traceability

Link Git history to ALM tickets (Codebeamer, Jira) and build a V-model requirement → code → test matrix — the coverage evidence auditors ask for. (Pro)

100% local & air-gapped

The daemon runs on localhost and works with no network at all. Your source never leaves the machine unless you opt into a BYOK API key.

In your pipeline

Gate every PR — and feed code scanning.

Drop the GitHub Action into a workflow. It installs the engine, runs the checks, fails on the severity you choose, and uploads SARIF.

  • Native GitHub Action (composite, no Docker)
  • SARIF upload → inline PR annotations + Security tab
  • fail-on gate: mandatory / required / advisory / none
  • Same engine as the desktop app — reproducible results
.github/workflows/misra.yml
# Detect, then upload to code scanning
jobs:
  misra:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - id: scan
        uses: sgchoi/provadyne-action@v1
        with:
          paths: 'src/**/*.c'
          output-format: sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif-path }}
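The workflow above leaves the fail-on decision to the action. For anyone who wants to see what such a gate does with a SARIF 2.1.0 file, the script below is an added example, not Provadyne's code or the action's implementation: it walks the SARIF `results`, looks up each result's rule in the driver's `rules` metadata, and fails once any finding is at or above the chosen MISRA category (mandatory / required / advisory / none). SARIF itself only standardises `ruleId`, `level` and `locations`; the per-rule `properties.category` and `properties.tags` fields, the rule ids and the sample findings are constructed for this example and need not match how any real tool stores its MISRA category or CWE mapping.

```python
"""Severity gate over a SARIF 2.1.0 log (added example, not Provadyne's code)."""
import json
import sys

# Ordered MISRA categories; "none" switches the gate off entirely.
CATEGORY_RANK = {"advisory": 1, "required": 2, "mandatory": 3}

# Constructed sample SARIF 2.1.0 log, not real tool output. The rule-level
# "category" and "tags" properties are an assumption made for this example.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-c-checker", "rules": [
      {"id": "misra-c2023-1.3", "properties": {"category": "required",  "tags": ["CWE-758"]}},
      {"id": "misra-c2023-9.1", "properties": {"category": "mandatory", "tags": ["CWE-457"]}},
      {"id": "misra-c2023-2.7", "properties": {"category": "advisory",  "tags": []}}
    ]}},
    "results": [
      {"ruleId": "misra-c2023-9.1", "level": "error",
       "message": {"text": "Variable read before it is set"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/uart.c"}, "region": {"startLine": 42}}}]},
      {"ruleId": "misra-c2023-1.3", "level": "warning",
       "message": {"text": "Undefined behaviour: signed integer overflow"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/crc.c"}, "region": {"startLine": 17}}}]},
      {"ruleId": "misra-c2023-2.7", "level": "note",
       "message": {"text": "Unused function parameter"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/log.c"}, "region": {"startLine": 8}}}]}
    ]
  }]
}
""")


def rule_metadata(sarif):
    """Map ruleId -> {"category": ..., "cwe": [...]} from the driver's rule list."""
    meta = {}
    for run in sarif.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            props = rule.get("properties", {})
            meta[rule["id"]] = {
                "category": props.get("category", "advisory"),
                # Keep only CWE tags so the summary line can cite them.
                "cwe": [t for t in props.get("tags", []) if t.startswith("CWE-")],
            }
    return meta


def gate(sarif, fail_on):
    """Return (passed, blocking): blocking lists every result at or above fail_on.

    Results whose rule has no metadata are treated as advisory, so an unknown
    rule never silently passes a stricter gate than it should.
    """
    if fail_on == "none":
        return True, []
    if fail_on not in CATEGORY_RANK:
        raise ValueError(f"unknown fail-on level: {fail_on!r}")
    threshold = CATEGORY_RANK[fail_on]
    meta = rule_metadata(sarif)
    blocking = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            info = meta.get(res.get("ruleId"), {"category": "advisory", "cwe": []})
            if CATEGORY_RANK[info["category"]] < threshold:
                continue
            loc = res["locations"][0]["physicalLocation"]
            blocking.append({
                "rule": res["ruleId"],
                "category": info["category"],
                "cwe": info["cwe"],
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "text": res["message"]["text"],
            })
    return not blocking, blocking


def main(argv):
    """Usage: gate.py [results.sarif] [mandatory|required|advisory|none]."""
    sarif = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SARIF
    fail_on = argv[2] if len(argv) > 2 else "required"
    passed, blocking = gate(sarif, fail_on)
    for b in blocking:
        cwe = ",".join(b["cwe"]) or "-"
        print(f"{b['file']}:{b['line']}: [{b['category']}] {b['rule']} ({cwe}) {b['text']}")
    print("gate passed" if passed else f"gate failed: {len(blocking)} blocking finding(s)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to gate the embedded sample at the `required` level, or pass a SARIF path and a level to gate real output. A missing rule entry is deliberately ranked as advisory rather than skipped, so gaps in tool metadata lower the bar instead of hiding findings.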
Editions

Engineer-friendly. Under the corp-card limit.

No seat counting, no procurement cycle. Pay by card; get a license file by email in minutes.

Free

$0 / forever
  • MISRA C:2023 single-file analysis
  • CERT C & CWE detection
  • SARIF output
  • AI fix suggestions (BYOK)
  • Local LLM via Ollama
  • Batch & multi-file analysis
  • PDF / CSV / Excel export
  • ISO 26262 traceability matrix
Download
FAQ

Common questions

Does my code leave my machine?
No. The daemon runs on localhost and analysis is fully local. Nothing is uploaded unless you explicitly enable a BYOK API key for AI suggestions — and even then only the relevant snippet is sent to your chosen provider.
Which standards are supported?
For C: MISRA C:2023, SEI CERT C, and CWE — pick any combination per run. Detection is powered by cppcheck. MISRA C++:2023 and AUTOSAR C++ are on the Phase B roadmap.
Can I run it fully offline / air-gapped?
Yes. Use local LLM mode with Ollama, or disable AI suggestions entirely. The daemon needs no network; the optional update check silently skips when offline.
What is the ISO 26262-6 traceability matrix?
A Pro feature that links your Git history to ALM tickets (Codebeamer, Jira) and builds a V-model requirement → design → code → test trace — the bidirectional coverage evidence auditors ask for. It runs locally against your repo; nothing is uploaded.
How does it fit into CI?
A native GitHub Action runs the same engine, fails the job on the severity you choose, and can emit SARIF for upload to GitHub code scanning. See the snippet above.
Which platforms are supported?
The daemon ships as a single binary for macOS (arm64 + amd64), Linux (amd64), and Windows (amd64). The editor and browser integrations work anywhere Chrome or VS Code runs.

Ship MISRA-clean C without the cloud.

Free for single-file analysis. Runs on your laptop in minutes.