LLVM-powered C/C++ analysis toolchain
Static analysis · Runtime instrumentation · Developer diagnostics · CI policy gates
CoreTrace is a modular toolchain that helps teams ship safer and more predictable C/C++ systems. It orchestrates multiple static and dynamic analysis tools into a unified pipeline, producing standardized reports (JSON, SARIF) ready for automation and security workflows.

| Repository | License | Description |
|---|---|---|
| coretrace | Apache 2.0 | Main CLI orchestrator — static/dynamic analysis, tool invocation, SARIF export, server mode |
| coretrace-compiler | Apache 2.0 | Clang/LLVM compiler wrapper — IR emission, binary build, instrumentation modules |

| Repository | License | Description |
|---|---|---|
| coretrace-stack-analyzer | Apache 2.0 | Stack and resource analysis engine with SARIF output and CI adapters |
| coretrace-concurrency-analyzer | Apache 2.0 | Threading and race condition detection |

| Repository | License | Description |
|---|---|---|
| coretrace-gui | Apache 2.0 | Web and desktop interface |
| coretrace-vscode | Apache 2.0 | VS Code extension |

| Repository | License | Description |
|---|---|---|
| coretrace-log | MIT | Lightweight C++20 logging library |
| coretrace-testkit | Apache 2.0 | Python testing framework for the ecosystem |
| coretrace-ci-consumer-demo | Apache 2.0 | CI/CD integration reference and demo |

| Repository | Description |
|---|---|
| coretrace.wiki | CLI usage and project documentation |
| coretrace-compiler.wiki | Compiler wrapper documentation |
| coretrace-stack-analyzer.wiki | Analyzer workflows and integration notes |

```text
┌──────────────────────────────────────────────────────┐
│                    coretrace CLI                     │
│        orchestration · config · SARIF export         │
├────────────┬─────────────────────┬───────────────────┤
│  compiler  │   stack-analyzer    │   concurrency-    │
│  wrapper   │                     │     analyzer      │
│  (Clang)   │   (LLVM analysis)   │  (thread safety)  │
├────────────┴─────────────────────┴───────────────────┤
│                LLVM / Clang toolchain                │
└──────────────────────────────────────────────────────┘
       ▲                                  │
       │  C/C++ source                    ▼
   Developer                    JSON / SARIF reports
                                → CI gates, IDE, GUI
```

Principles:
- Separation of concerns — analysis engines stay independent from CI policy logic
- Composable pipeline — compiler, analyzers, and orchestration layer work independently or together
- CI-first outputs — JSON and SARIF are first-class artifacts
- Generic by default — externalized models and configuration over hardcoded behavior

```bash
# 1. Run end-to-end analysis locally (coretrace)
./ctrace --input main.cpp --entry-points=main --verbose --static --dyn

# 2. Use the compiler wrapper for IR-level workflows (coretrace-compiler)
./cc -S -emit-llvm test.cc

# 3. Add stack analysis in CI with SARIF output (coretrace-stack-analyzer)
python3 scripts/ci/run_code_analysis.py \
  --analyzer ./build/stack_usage_analyzer \
  --compdb ./build/compile_commands.json \
  --fail-on error \
  --json-out artifacts/stack-usage.json \
  --sarif-out artifacts/stack-usage.sarif
```

| | |
|---|---|
| Language | C++20 |
| Toolchain | LLVM / Clang 20 |
| Build | CMake |
| Output | JSON, SARIF |
| CI | clang-format enforcement, SARIF policy gates |

Most repositories are licensed under Apache 2.0 — permissive, patent-safe, and compatible with the LLVM toolchain. Standalone libraries (coretrace-log) use the MIT license for maximum integration flexibility.
Contributions are welcome through issues and pull requests on each repository.