a static analysis tool for finding vulnerabilities in C/C++ source code
Go to file
George Sokianos 248c4449fb Added amiga makefile for creating the releases 2022-07-25 14:43:59 +01:00
.github/workflows scan specific file so the workflow will not report any error 2021-06-24 12:02:17 -07:00
release_files Added release files 2022-07-25 14:41:56 +01:00
simplejson Added simplejson 2022-07-25 13:06:59 +01:00
test Changed code to be compatible with python 2.5 2022-07-25 13:33:00 +01:00
.gitignore Broaden an ignore rule 2018-03-15 22:49:45 -06:00
CONTRIBUTING.md Fix typos in markdown docs (#64) 2022-01-30 18:04:53 -05:00
COPYING Initial import 2007-01-16 02:44:45 +00:00
ChangeLog Version 2.0.19 2021-08-29 16:26:59 -04:00
Dockerfile update actions files and readme. 2021-06-24 11:56:59 -07:00
INSTALL.md Update documentation 2019-01-21 17:30:28 -05:00
MANIFEST.in Fix SourceForge #18 Renamed file still referenced by other files 2018-10-06 18:46:09 -04:00
Makefile.amiga Added amiga makefile for creating the releases 2022-07-25 14:43:59 +01:00
README.md Merge branch 'master' of https://github.com/david-a-wheeler/flawfinder 2022-01-30 18:05:51 -05:00
action.yml Rename GitHub Action Flawfinder -> flawfinder_scan 2021-07-17 16:45:24 -04:00
announcement Initial import 2007-01-16 02:44:45 +00:00
cwe.l Add ability to list CWEs in source code 2014-07-13 09:44:34 -04:00
entrypoint.sh entrypoint.sh: Make minor improvements (#54) 2021-06-29 18:51:44 -04:00
flawfinder.1 Update flawfinder.1 date 2021-06-03 11:11:21 -04:00
flawfinder.py Added amiga makefile for creating the releases 2022-07-25 14:43:59 +01:00
flawfinder.spec Version 2.0.19 2021-08-29 16:26:59 -04:00
makefile Version 2.0.19 2021-08-29 16:26:59 -04:00
pylintrc Mass reformat of flawfinder source code to better comply with PEP 8 2017-07-30 20:06:39 -04:00
release_process.md Change version 2.0.15->2.0.16 2021-05-31 15:31:37 -04:00
setup.cfg Fix SourceForge #18 Renamed file still referenced by other files 2018-10-06 18:46:09 -04:00
setup.py Version 2.0.19 2021-08-29 16:26:59 -04:00



This is "flawfinder" by David A. Wheeler.

Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws. It can be a useful tool for examining software for vulnerabilities, and it can also serve as a simple introduction to static source code analysis tools more generally. It is designed to be easy to install and use. Flawfinder supports the Common Weakness Enumeration (CWE) and is officially CWE-Compatible.

For more information, see the project website


Flawfinder is designed for use on Unix/Linux/POSIX systems (including Cygwin, Linux-based systems, MacOS, and various BSDs) as a command line tool. It requires either Python 2.7 or Python 3.


If you just want to use it, you can install flawfinder with Python's "pip" or with your system's package manager (flawfinder has packages for many systems). It also supports easy installation following usual make install source installation conventions. The file INSTALL.md has more detailed installation instructions. You don't HAVE to install it to run it, but it's easiest that way.


To run flawfinder, just give it a list of source files or directories to example. For example, to examine all files in "src/" and down recursively:

flawfinder src/

To examine all files in the current directory and down recursively:

flawfinder ./

Hits (findings) are given a risk level from 0 (very low risk) to 5 (high risk), By default, findings of risk level 1 or higher are shown. You can show only the hits of risk level 4 or higher in the current directory and down this way:

flawfinder --minlevel 4 ./

The manual page (flawfinder.1 or flawfinder.pdf) describes how to use flawfinder (including its various options) and related information (such as how it supports CWE). For example, the --html option generates output in HTML format. The --help option gives a brief list of options.

Character Encoding Errors

Flawfinder must be able to correctly interpret your source code's character encoding. In the vast majority of cases this is not a problem, especially if the source code is correctly encoded using UTF-8 and your system is configured to use UTF-8 (the most common situation by far).

However, it's possible for flawfinder to halt if there is a character encoding problem and you're running Python3. The usual symptom is error messages like this: Error: encoding error in FILENAME 'ENCODING' codec can't decode byte ... in position ...: invalid start byte

Unfortunately, Python3 fails to provide useful built-ins to deal with this. Thus, it's non-trivial to deal with this problem without depending on external libraries (which we're trying to avoid).

If you have this problem, see the flawfinder manual page for a collection of various solutions. One of the simplest is to simply convert the source code and system configuration to UTF-8. You can convert source code to UTF-8 using tools such as the system tool iconv or the Python program cvt2utf; you can install cvt2utf using pip install cvt2utf.

Under the hood

More technically, flawfinder uses lexical scanning to find tokens (such as function names) that suggest likely vulnerabilities, estimates their level of risk (e.g., by the text of function calls), and reports the results. Flawfinder does not use or have access to information about control flow, data flow, or data types. Thus, flawfinder will necessarily produce many false positives for vulnerabilities and fail to report many vulnerabilities. On the other hand, flawfinder can find vulnerabilities in programs that cannot be built or cannot be linked. Flawfinder also doesn't get as confused by macro definitions and other oddities that more sophisticated tools have trouble with.

Flawfinder GitHub Action

There's a GitHub action available for those who use GitHub.


See action.yml

Create a .yml file under .github/workflows with the following contents:

Basic demo:

- name: flawfinder_scan
  uses: david-a-wheeler/flawfinder@2.0.19
    arguments: '--sarif ./'
    output: 'flawfinder_results.sarif'

You can add many other additions to the arguments. For example, --error-level=4 will cause an error to be returned if flawfinder finds a vulnerability of level 4 or higher. Notice the version number after the @ symbol; you can select a different version.

You can find the action name and version string from Marketplace by clicking "Use latest/xxx version" button.

Input options:


We love contributions! For more information on contributing, see the file CONTRIBUTING.md.


Flawfinder is released under the GNU GPL license version 2 or later (GPL-2.0+). See the COPYING file for license information.