Meta Sca

Layer for static code analysis and security hardening

meta-sca

Supported languages: C, C++, Go, Python, Shell, Perl

For the list of current findings from the pipelines, see the meta-sca report.

Important note

As announced in this discussion at the end of April 2022, this layer will undergo a major change in support.

Support will be given only for the master branch.

What can I do when I'm affected by the changes?

A maintainer's guide can be found here. Feel free to raise pull requests against branches that are not officially supported.

Support for these branches, including quality control, has to be done fully by the community.

Table of contents

Purpose

The purpose of this layer is to provide a proper set of static analysis tools for your Yocto build. All provided tools can be easily configured and integrated into any CI service (e.g. Jenkins).

All results are stored in SCA_EXPORT_DIR (which defaults to ${DEPLOY_DIR_IMAGE}/sca). Results are stored both in the raw format of the corresponding tool and in checkstyle format, so any CI plugin or script that understands checkstyle XML can consume the findings of every tool uniformly.

Getting started

For a quick start on how to use this layer, see the getting started guide.

Installation

To install, clone the needed branch(es) to any path on your local system.

Prerequisites

  • You need the current standard poky layer installed in your local build environment.

Use of containers

It is recommended to use the privkweihmann/yocto-sca-minimal:2004 Docker container for building, which has all necessary requirements already installed.

Use in CI

When you're planning to use meta-sca in your CI/CD, it is advised to use the minified layer meta-sca-minified, which saves you from cloning this fairly large repository.

NOTE: meta-sca-minified only offers releases of this layer that were made after 03/2020.

Setup

In your bblayers.conf file, add the following line:

BBLAYERS += "<full path to sca-layer>/meta-sca"

or, with the poky layer already set up, run in a shell:

bitbake-layers add-layer "<full path to sca-layer>/meta-sca"

Kas

Alternatively, you can use kas to set up the workspace. Use conf/kas/scatest-qemux86-64.yaml from this layer.

Web monitor

If you're not quite convinced what this layer can do for you, have a look at the web monitor, where all findings from the layer's CI pipelines are publicly available.

Support

The only actively maintained branch is currently master. Unmaintained branches will only receive package updates on demand. Support for unmaintained branches has to be provided by the community.

Status of the branches is described at SECURITY.md.

It is advised to use the tagged source versions in production environments.

Releases

See SECURITY.md for details

Compatibility

If there is a technical issue that might break backward compatibility, it will be mentioned in the release notes of the corresponding milestone release.

Licensing

This layer only provides open source tools. The layer itself is licensed under BSD.

If individual files are licensed under different terms, the terms and conditions can be found in the individual file header.

Zero impact

This layer provides only -native tools, so none of the built binaries are deployed to your target. Everything happens on the build machine, which means enabling the layer changes nothing in the produced image.

Available tools

The layer can check at recipe level or at image level.

  • At image level the whole root filesystem can be taken into account, which in most cases is not possible at recipe level.
  • On the other hand, some static code analysis makes no sense at image level, so this layer provides different tools for each level.

Overview of tools

Each module is listed with its description and homepage; modules marked "manual enable" are off by default. The table in the repository additionally marks, per module, whether it needs internet access, runs at image level or recipe level, is available in the SDK, which inputs it covers (C, C++, Python, Shell, JavaScript, PHP, Go, images, Lua, spelling, metrics, binaries, packages, other formats) and whether its scope is security, functional or style.

  • bandit: Scan Python code for security issues (PyCQA/bandit)
  • bashate: Shell script linter (http://docs.openstack.org/developer/bashate/)
  • bitbake: Bitbake issue handling
  • cbmc: C Bounded Model Checker (https://github.com/diffblue/cbmc/)
  • checkbashisms: Shell script linter (https://manpages.debian.org/jessie/devscripts/checkbashisms.1.en.html)
  • cmake: Get cmake errors and warnings
  • cppcheck: C/C++ linter (danmar/cppcheck)
  • cpplint: C/C++ linter (cpplint/cpplint)
  • cvecheck: Check for unpatched CVEs (clearlinux/cve-check-tool), manual enable
  • darglint: Python docstring linter (terrencepreilly/darglint)
  • dennis: I18N linter (https://github.com/willkg/dennis/)
  • detectsecrets: Detect hardcoded secrets in code (Yelp/detect-secrets)
  • flake8: Python linter (http://flake8.pycqa.org/en/latest/)
  • flawfinder: C/C++ security linter (david-a-wheeler/flawfinder)
  • flint: C/C++ linter (JossWhittle/FlintPlusPlus)
  • gcc: GCC compiler issues and hardening
  • golicensecheck: Scan code for license information (go-enry/go-license-detector)
  • golint: Go linter (golang/lint)
  • it: Python linter (thg-consulting/it)
  • jsonlint: JSON file linter
  • kconfighard: Kernel config hardening checker (a13xp0p0v/kconfig-hardened-check)
  • licensecheck: Scan code for license information (boyter/lc)
  • looong: Find functions with too long argument lists (anapaulagomes/looong)
  • msgcheck: I18N linter (codingjoe/msgcheck)
  • multimetric: Coding metrics (priv-kweihmann/multimetric), manual enable
  • mypy: Python linter (python/mypy)
  • oelint: Bitbake recipe linter (priv-kweihmann/oelint-adv)
  • perl: Perl warnings check
  • perlcritic: Perl linter (https://metacpan.org/pod/perlcritic)
  • pkgqaenc: Enhanced package QA
  • protolint: Lint protobuf files (yoheimuta/protolint)
  • pscan: Find insecure printfs (http://deployingradius.com/pscan/)
  • pylint: Python linter (PyCQA/pylint)
  • pysymcheck: Check binaries for forbidden function usage (priv-kweihmann/pysymbolcheck)
  • rats: Check for security issues in several languages (redNixon/rats)
  • reuse: Scan code for license information (fsfe/reuse-tool)
  • revive: Go linter (mgechev/revive)
  • scancode: Scan code for license information (nexB/scancode-toolkit)
  • setuptoolslint: Lint Python setup.py (johnnoone/setuptools-pylint)
  • shellcheck: Shell script linter (koalaman/shellcheck)
  • slick: Shell script linter (mcandre/slick)
  • sparse: C linter (https://sparse.wiki.kernel.org/index.php/Main_Page)
  • stank: Shell script linter (mcandre/stank)
  • systemdlint: Systemd unit linter (priv-kweihmann/systemdlint)
  • tlv: Find duplicate code (priv-kweihmann/tlv), manual enable
  • tscancode: C and Lua linter (Tencent/TscanCode)
  • vulture: Find dead Python code (jendrikseipp/vulture)
  • xmllint: XML linter (http://xmlsoft.org/xmllint.html)
  • yamllint: YAML linter (adrienverge/yamllint)

Each tool has its own benefits and flaws, so don't be mad if you have 10k+ findings on the initial run. The practical answer is to accept the initial state as a baseline and let CI fail only on findings that are new.
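The checkstyle export described under Purpose and the 10k+ initial findings mentioned above call for the same piece of tooling in practice: a script that reads every checkstyle document under SCA_EXPORT_DIR, summarises findings per tool and severity, and fails CI only on findings that are not already in an accepted baseline. The following is an added example written for this page, not code from meta-sca or its author. The checkstyle XML schema is the real one, but the two sample documents are constructed; deriving the tool name from each export file's base name is an assumption about the directory layout, and the fingerprint that ignores line numbers is a design choice of this example.

```python
import glob
import os
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

# Constructed sample exports in checkstyle format. The schema is the real
# checkstyle one; tool names, paths, messages and 'source' ids are invented.
SAMPLE_EXPORTS = {
    "cppcheck": """<?xml version="1.0" encoding="utf-8"?>
<checkstyle version="4.3">
  <file name="src/parser.c">
    <error line="42" column="9" severity="error" source="cppcheck.arrayIndexOutOfBounds"
           message="Array 'buf[16]' accessed at index 16, which is out of bounds."/>
    <error line="88" column="1" severity="warning" source="cppcheck.unreadVariable"
           message="Variable 'tmp' is assigned a value that is never used."/>
  </file>
</checkstyle>""",
    "flawfinder": """<?xml version="1.0" encoding="utf-8"?>
<checkstyle version="4.3">
  <file name="src/parser.c">
    <error line="42" column="9" severity="error" source="flawfinder.buffer.strcpy"
           message="strcpy does not check for buffer overflows (CWE-120)."/>
  </file>
</checkstyle>""",
}


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    severity: str  # checkstyle: error / warning / info / ignore
    source: str    # tool-specific check id
    message: str

    def fingerprint(self) -> str:
        # Line numbers are left out on purpose: unrelated edits shift them and
        # would make every baselined finding look new again.
        return f"{self.tool}|{self.path}|{self.source}|{self.message}"


def parse_checkstyle(tool: str, xml_text: str):
    """Parse one checkstyle document. xml.etree is acceptable here because the
    input is produced by tools on the build host; use defusedxml for untrusted XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "checkstyle":
        raise ValueError(f"{tool}: root element is <{root.tag}>, not <checkstyle>")
    return [
        Finding(tool, file_el.get("name", ""), int(err.get("line") or 0),
                (err.get("severity") or "warning").lower(),
                err.get("source") or "", err.get("message") or "")
        for file_el in root.iter("file")
        for err in file_el.iter("error")
    ]


def load_export_dir(export_dir: str):
    """Parse every XML file under an export directory (e.g. SCA_EXPORT_DIR) whose root
    is <checkstyle>. Taking the tool name from the file's base name is an assumption."""
    findings = []
    for path in sorted(glob.glob(os.path.join(export_dir, "**", "*.xml"), recursive=True)):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        try:
            findings.extend(parse_checkstyle(os.path.basename(path).split(".")[0], text))
        except (ET.ParseError, ValueError):
            continue  # raw-format output or unrelated XML: skip it
    return findings


def summarize(findings):
    """Finding counts per (tool, severity)."""
    return Counter((f.tool, f.severity) for f in findings)


def gate(findings, baseline, fail_on=("error",)):
    """Return (exit_code, blocking). Only findings that are new (not in the baseline)
    and of a blocking severity fail the build; accepted findings never do."""
    blocking = [f for f in findings
                if f.severity in fail_on and f.fingerprint() not in baseline]
    return (1 if blocking else 0), blocking


def demo():
    findings = [f for tool, xml in SAMPLE_EXPORTS.items()
                for f in parse_checkstyle(tool, xml)]
    first = gate(findings, baseline=set())           # initial run: both errors block
    baseline = {f.fingerprint() for f in findings}   # accept the current state
    second = gate(findings, baseline)                # re-run: nothing new, passes
    return findings, summarize(findings), first, second


if __name__ == "__main__":
    findings, summary, (code, blocking), _ = demo()
    print(dict(summary), *(f"NEW {f.path}:{f.line} {f.source}" for f in blocking), sep="\n")
    raise SystemExit(code)
```

In a pipeline the baseline is the set of fingerprints from the last accepted run, stored alongside the build; `load_export_dir` replaces the constructed samples, and the exit code of `gate` decides the job result. Raising `fail_on` to include "warning" once the error backlog is cleared tightens the gate without touching the baseline.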

Further documentation

Contributing

Please see the contribution guidelines for details.

Get involved

To get involved, you can:

  • create an issue
  • fix an issue and create a pull request
  • see the pinned issues in the bugtracker

Security Policy

For the project's security policy, please see here.
