Code scanning you can trust

Built for developers and backed by security teams, Coverity® Static Analysis provides unparalleled code scanning to help you deliver high-quality software that meets security, functional safety, and industry standards.

Uncover complex defects

Find and fix code quality and security issues across files and libraries.

Ensure compliance

Track and prioritize issues by security, functional safety, and industry standards.

Scan with confidence

Analyze large-scale applications with high accuracy.

Compliance simplified, intelligence empowered

Built-in reports identify issue types and severity level across standards to improve remediation efforts. This compliance intelligence is embedded in ContextAI™, enriching the security intelligence behind our AppSec solutions.

Improve code quality and security

Coverity provides in-depth support for 22 programming languages, more than 200 frameworks, and many popular infrastructure-as-code platforms. Learn about CWE coverage.

Build high-quality software, faster

The Code Sight™ IDE Plug-in helps developers find and fix code quality defects, security vulnerabilities, and hardcoded secrets as they code with real-time results, issue summaries, and code fixes for faster remediation.

Automate within developer workflows

Integrate your existing tools

IDE, SCM, and CI integrations help you find and fix defects within dev workflows.

Automate code scanning

Trigger scans on code commits and pull requests to uncover issues early.

Scale static analysis scanning

Expand to cover your full portfolio of applications and the teams that support them.

“Using Coverity has helped enhance our mandate to ensure code quality and security as well as to enforce coding standards.”

Nicolas Leclercq

Product Security Officer for Software Engineering, Thales Alenia Space

Trusted analysis for complex software

Discover how Coverity customers reduce risk, ensure application resiliency, and rapidly deliver new functionality to market.

Coverity Static Analysis resources

  • What is Black Duck Coverity?

    Black Duck Coverity® is an enterprise-grade static analysis solution that finds and fixes security vulnerabilities and code quality defects before your software ships. Built for developers and backed by security teams, Coverity scans source code without executing it — analyzing entire codebases across files and libraries to uncover complex defects that span multiple components.

    Coverity builds an in-depth structural model of each application, combining insights into dependencies, compilers, and language semantics to achieve a depth of analysis that competitors cannot approach. It supports 22 programming languages, more than 250 frameworks, and a wide range of infrastructure-as-code platforms — with particular strength in C and C++ analysis for safety-critical and embedded software development. Black Duck has been recognized as a Gartner Magic Quadrant Leader for Application Security Testing for eight consecutive years, and is a leader in Gartner’s inaugural Magic Quadrant for Software Supply Chain Security.

  • What compliance and coding standards does Coverity support?

    Coverity provides best-in-class coverage across security, functional safety, and industry standards — a critical differentiator for regulated industries. Supported standards include:

    Security: OWASP Top 10 (Web and Mobile), SANS/CWE Top 25, PCI DSS, DISA STIG

    Functional Safety: MISRA C (2004, 2012, 2023, 2025), MISRA C++ (2008, 2023), AUTOSAR C++ 14, CERT C/C++/Java, ISO 26262, IEC 61508, EN 50128, EN 50657, DO-178C, ISO 23434, ISO/IEC TS 17961, Hyundai Secure Coding Standards

    Coverity is certified by TÜV SÜD as meeting requirements for support tools under IEC 61508-3, qualified for use up to ASIL D under ISO 26262 and Level A under DO-178C. The Coverity Qualification Kit (Q-Kit) ensures correct configuration for safety-critical projects. Compliance reports are downloadable as PDFs, and trend reports demonstrate remediation progress per standard over time — essential for auditors and regulatory submissions.

  • Why do organizations choose Coverity for safety-critical and embedded software?

    Three capabilities that are difficult or impossible to replicate in competing tools make Coverity the default choice for automotive, aerospace, medical device, and industrial control system development:

    Depth of C/C++ analysis: Coverity's path-sensitive engine builds a full structural model of each application — tracking pointer arithmetic, memory aliasing, and thread synchronization across the entire codebase and its dependencies — enabling a depth of analysis that surfaces complex, multi-component defects no comparable tool can reach. The accuracy of results is a critical differentiator: Coverity is built to surface more true positives than competing tools, catching dangerous defects and vulnerabilities that others miss, while ensuring your remediation budget goes toward actual defects, not triage noise.

    TÜV SÜD safety certification: Coverity is certified for use up to ASIL D (ISO 26262) and Level A (DO-178C), backed by a formal Qualification Kit that documents tool operation, failure modes, and self-test procedures required by safety standards.

    Air-gapped deployment: For classified, defense, and regulated environments that cannot connect to external networks, Coverity's fully air-gapped on-premises deployment — including Kubernetes cluster support — is a hard requirement that most SaaS-first competitors simply cannot meet.

  • How do I buy Coverity or get started with an evaluation?

    Contact the Black Duck sales team directly through the Coverity pricing page to request a no-obligation quote or a guided evaluation scoped to your codebase, language mix, and deployment requirements.

    When structuring your evaluation, focus on six dimensions that separate high-quality static analysis tools from commodity alternatives: depth of language and framework support for your specific stack, accuracy of results, compliance standard coverage, deployment flexibility, developer workflow integration, and total cost of ownership including remediation time and audit overhead.

    Coverity is also available through Black Duck's partner network and managed service providers. For organizations that want the Coverity analysis engine with cloud-native delivery, Polaris fAST Static delivers the same engine through a SaaS subscription bundled with Black Duck SCA and DAST on the Polaris Platform. Coverity can also be bundled with Black Duck SCA and Polaris to maximize coverage across your entire software portfolio, while optimizing cost efficiency.

  • How much does Black Duck Coverity cost?

    Coverity pricing is delivered through a custom enterprise quote model. Coverity can be bundled with Black Duck SCA and Polaris to maximize coverage across your entire software portfolio. Contact Black Duck through the Coverity pricing page to get a quote customized to your team size and codebase.