The latest innovations in the automotive sector have triggered a massive digital transformation in how vehicles are built. A modern automotive vehicle is composed of interconnected systems with millions of lines of code leveraged by drivers in their day-to-day lives around the globe. As such, development teams in this sector are responsible for ensuring the utmost quality and safety controls while innovating to deliver better user experiences.

To help ensure this software is safe and reliable, the community has built governance standards, such as ISO 26262, to ensure each software component is built free of errors that could trigger any critical failures. More recently, the community expanded this regulation through ISO 21434 to minimize the risk of cybersecurity-related incidents in this software.

Today, GitHub, in partnership with Woven Planet, is excited to announce the release of CodeQL queries that implement the standards CERT C++ and AUTOSAR C++. These queries can aid developers looking to demonstrate ISO 26262 Part 6 process compliance. GitHub’s code scanning capabilities leverage the CodeQL analysis engine to find security bugs in source code and surface alerts in pull requests—before the vulnerable code gets merged and released. Implementing these checks within GitHub enables automotive development teams to ship compliant and secure software without sacrificing collaboration or agility.

Additionally, in alignment with GitHub’s commitment to fostering global innovation and collaboration through open source, GitHub plans to open source these CodeQL queries. GitHub believes that by empowering open source maintainers and developers to innovate on software that complies with the coding standards requirements of ISO 26262, we can together accelerate innovation in embedded software development.

How does static analysis help meet ISO standard requirements?

While software analysis tools cannot, on their own, fully ensure compliance with the automotive ISO 26262, they can aid developers looking to demonstrate compliance under Part 6, which covers “Product Development at the Software Level.” Part 6 of the standard seeks to ensure the functional safety of road vehicles and examines the correctness of software design and implementation. With GitHub code scanning, developers can find and fix security bugs and critical defects the moment they’re introduced into code. CERT C++ and AUTOSAR C++,  C++11, and 14 coding standard violations can be automatically reported using GitHub code scanning and its extensions.

How to contribute a CodeQL query

If you would like to extend the capabilities of the CodeQL queries, you can contribute to the CodeQL packs, and make your contribution available to the world! Once published, CodeQL packs are easily shared with others and executed in their CI/CD pipeline. If you have a query to contribute that you think is general purpose and applicable to all repositories in all situations, you can then contribute it to our open source CodeQL query repository, and your query will run on every pull request of every repository that has GitHub code scanning enabled.

How to leverage code scanning

To use the new CodeQL queries on your code, set up code scanning under the security tab of your repository. This will prompt you through a quick workflow to start scanning that repository immediately!


Learn more about GitHub’s coding standard and security features

GitHub is a cloud-native software development leader, empowering more than 83 million developers to collaborate using open source and inner source. GitHub is committed to helping build safer and more secure software without compromising on the developer experience. To learn more or enable GitHub’s security features in repositories, check out the getting started guide.