Embedded systems development teams face a persistent challenge: maintaining development velocity while meeting stringent functional safety and code quality requirements. Standards like ISO 26262, IEC 62304, DO-178C, and IEC 61508 demand rigorous verification processes that are often manual and time-consuming. Compliance reviews against coding standards like MISRA C/C++, isolated scanning workflows, and post-development verification create bottlenecks. Teams are forced to choose between speed and safety.

GitLab's integration with CodeSonar (from AdaCore) addresses this challenge by automating compliance workflows and enabling continuous verification throughout the development lifecycle.

Specialized scanning for safety-critical systems

Safety-critical systems require deep analysis of C/C++ code compiled with specialized embedded tools. These systems must demonstrate compliance with coding standards (MISRA C/C++, CERT C/C++, AUTOSAR C++) and functional safety frameworks (ISO 26262, DO-178C, IEC 61508) that require detailed evidence trails. Beyond aligning with coding standards, teams also need to address security concerns. This means testing for memory problems as well as a host of other problems like uninitialized variables and command injection.

CodeSonar performs whole program analysis with specialized scanning capabilities for these standards. Pairing CodeSonar with GitLab enables teams to automate compliance workflows and maintain comprehensive audit trails throughout the development lifecycle.

Automating compliance from commit to merge

The GitLab and CodeSonar integration provides a compliance-as-code approach that automates policy enforcement from the earliest stages of development. CodeSonar functions as an additional scanner within GitLab CI/CD pipelines, analyzing code in every commit and merge request.

Because CodeSonar was purpose-built for embedded systems, it performs deep control flow and data flow analysis across entire programs, identifying vulnerabilities like buffer overruns, data taint, uninitialized variables, use-after-free conditions, and command injection — the root causes of most security incidents in embedded systems.

The integration works through GitLab's CI/CD configuration. When developers push code changes, the pipeline triggers CodeSonar scanning. For C and C++ firmware, CodeSonar observes compiler invocations during the actual build process, creating an internal representation of the code that enables sophisticated analysis. Results are converted from SARIF format to GitLab's Static Application Security Testing (SAST) format and surfaced directly in merge requests, where they feed into GitLab Ultimate's Security Dashboard, Vulnerability Management, and Compliance Frameworks.

Example workflow: ISO 26262 ASIL-D compliance

The demo video below shows the complete workflow for an embedded system subject to ISO 26262 ASIL-D requirements. The scenario illustrates how embedded development teams can implement continuous compliance without compromising development velocity.

`

The workflow begins with a developer submitting a merge request for firmware changes. GitLab's CI/CD pipeline automatically triggers CodeSonar scanning, which performs deep C/C++ analysis against custom ISO 26262 policies configured in the pipeline. When CodeSonar identifies an ASIL-D relevant vulnerability, the pipeline halts automatically per the compliance policy, with clear documentation explaining the issue. The complete scan results, issue tracking, and approval workflow are maintained in GitLab as a single source of truth for audit trails.

Developers can use both the CodeSonar hub interface and GitLab Duo AI to understand the vulnerability. CodeSonar provides detailed information about the path through the source code that leads to the problem, along with code navigation features to isolate the root cause. GitLab Duo explains the vulnerability and provides specific remediation recommendations. After the developer implements the fix and validates the resolution, the code merges successfully with full compliance evidence automatically collected throughout the process.

Benefits of the integration

Organizations implementing this integrated compliance with GitLab and CodeSonar will see significant improvements in both development velocity and compliance confidence.

• Efficiency gains: Development teams reduce time-to-market by catching coding standard compliance issues early when they're less expensive to fix. Automated security policy enforcement decreases manual security review overhead, freeing specialists to focus on complex problems rather than routine checks. Audit readiness improves through automated evidence collection. Compliance artifacts are generated as a by-product of normal development rather than through separate documentation efforts.

• Compliance maturity: This integrated approach helps organizations maintain continuous compliance with industry standards and regulations. By embedding verification into every code change, teams build comprehensive audit trails that demonstrate adherence to ISO 26262, DO-178C, MISRA C/C++, and other requirements. The automated workflow transforms compliance from a periodic checkpoint into an ongoing verification process.

Implementation considerations

Implementing the GitLab and CodeSonar integration requires access to GitLab Ultimate, a CodeSonar hub, GitLab runners where code can be compiled and analyzed, and appropriate mechanisms for managing analysis data files. Both GitLab and CodeSonar fully support on-premises and air-gapped environments and can be deployed to auto-scalable cloud environments as well.

Teams should configure Custom Compliance Frameworks in GitLab to define specific policies for their relevant standards: ISO 26262 for automotive, DO-178C for aerospace, IEC 62304 for medical devices, and others. These frameworks enable automated enforcement of compliance requirements through merge request approval rules, vulnerability thresholds, and scan policy gates.

Get started

The CodeSonar GitLab CI component is available through GitLab's CI/CD Catalog. Detailed integration documentation provides platform-specific setup instructions for Linux, Docker, and Windows environments. For organizations evaluating this solution, the implementation demonstrates how specialized embedded systems tools can integrate with a modern DevSecOps platform to deliver both development velocity and compliance rigor.

For more information about implementing GitLab with CodeSonar for your embedded systems development, visit the CodeSonar integration documentation. You can also request a trial of CodeSonar.