Static Code and Static Application Security Testing

The Best SAST Tool for Accelerating Time-to-Market & Delivering Quality Code. Streamline development and ensure DevSecOps best practices with Klocwork.

Best Static Code Analyzer for Developer Productivity, SAST, and DevOps/DevSecOps

Perforce Klocwork static analysis and SAST tool for C, C++, Java, JavaScript, Python, and Kotlin identifies software security, quality, and reliability issues, helping to enforce compliance with standards.

Why Perforce Klocwork

Built for enterprise DevOps and DevSecOps, Perforce Klocwork scales to projects of any size, integrates with large complex environments and a wide range of developer tools, and provides control, collaboration, and reporting for the entire enterprise. This has made Perforce Klocwork the preferred static code analyzer that keeps development velocity high while enforcing continuous compliance for security and quality.

Perforce Klocwork Key Features

Find Security Vulnerabilities with SAST

Use Klocwork static application security testing (SAST) for DevOps and DevSecOps. Our security standards identify security vulnerabilities — helping to find and fix security issues early and proving compliance to internationally recognized security standards. 

• DevSecOps: Klocwork integrates with CI/CD tools, containers, cloud services, and machine provisioning, making automated security testing easy.
• Security Standards:  CWE, OWASP, CERT, PCI DSS, DISA STIG, and ISO/IEC TS 17961.
• Security Vulnerability Detection: SQL Injection, Tainted Data, Buffer Overflow, Vulnerable Coding Practices, and many more.
• Bug, Quality Issue, and Code Smell Detection: Null Pointer Deferences/Exceptions, Memory/Resource Leaks, Uncaught Exceptions, and more. 

Project Streams

Project Streams provides easy management of shared code bases that have multiple variants or branches by simplifying project rule configuration, issue management, defect citing, reporting, and efficient data storage of analysis data. Creating streams provides the following benefits:

• Assign a single project rule configuration to all variants.
• Issues common to multiple variants are automatically kept in sync and only require citing once.
• Easily identify identical issues across multiple streams and issues unique to a specific stream.
• Generate reports on individual streams for compliance, functional safety, or other evidential purposes.
• More convenient organization and efficient storage of analysis data.

DevOps Ready

Perforce Klocwork tools are designed with Continuous Integration and Continuous Delivery foremost in our thinking, which makes it easy to include static analysis as part of your CI/CD pipelines.

Perforce Validate Platform

Perforce Validate platform is a centralized store of analysis results from Perforce Helix QAC and Perforce Klocwork Static Analysis products. Validate provides analysis data, trends, and configurations for codebases across the organization — accessed through a web browser. It is also highly customizable, enabling your team to easily define specific QA and compliance rule configurations, identify issues and deviations, and review the entirety of the code by project and section to adequately meet your team’s needs.

Designed for Developers

By seamlessly integrating static analysis with the rest of your development toolset, Klocwork will shift-left defect detection and improve developer adoption as a tool for developer training and increasing productivity.

No User Configuration

Klocwork provides out of the box support for hundreds of compilers and cross-compilers, so build integration is automatic.

Easy to Use

Plugins for popular IDEs (including Microsoft Visual Studio, Eclipse, IntelliJ, and more).

Connected Desktop

Local code changes made using the connected desktop plugins provide immediate differential analysis results within IDEs.

Detailed Feedback and Help

Intraprocedural defects and coding violations are identified by severity of risk. For each defect and coding violation, you will receive detailed information of cause with rich, context-sensitive help and guidance on remediation. This allows for easily accessible opportunities for understanding and learning. In addition, Klocwork features a Secure Code Warrior integration, which provides you with software security lessons and training tools for many common development languages as you write code.

Custom Rules

A graphical custom checker creation tool makes the implementation of project- or organization-specific rules quick and easy — further enriching the learning opportunities.

Architectural Analysis

Klocwork also integrates with architectural visualization and enforcement tools like Structure 101 to allow users to further improve the overall quality and maintainability of their code base through clean and correct dependencies.