SCALe (Source Code Analysis Lab) is a static analysis aggregator/correlator which enables a source code analyst to combine static analysis results from multiple tools into one interface, and also provides mappings for diagnostics from the tools to the SEI CERT Secure Coding standards.
Clone or download
Latest commit 05a7373 Nov 19, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information. update version numbers Nov 19, 2018
ABOUT update version numbers Nov 19, 2018
COPYRIGHT update version numbers Nov 19, 2018 update support email in README files Sep 4, 2018

Source Code Analysis Lab (SCALe)

Copyright (c) 2007-2018 Carnegie Mellon University. All Rights Reserved. See the ./COPYRIGHT file for details.

Installation Instructions (VM)

If the SCALe web app is provided via a virtual machine (VM), then the SCALe app will be configured to run automatically when the machine boots.

Installation Instructions (Zip)

If the SCALe web app is provided via a zip archive, it is referred to as <scale_webapp_archive>.zip below. This archive should be extracted on your web app server in a location of your choosing.

We will refer to this location as SCALE_HOME. You may find it useful to define this environment variable in your system to point to the root of your SCALe installation.

If the zip is downloaded from Github, the folder will be inside another folder like "SCALe-Master". In this case, SCALe-Master would be the location of SCALE_HOME.

Extracting the archive might look something like this:

export SCALE_HOME="/location/of/SCALe/install"
mkdir -p $SCALE_HOME
unzip /location/of/<scale_webapp_archive>.zip

Use the instructions for installing and managing SCALe by opening the following file in a web browser:


If you are running the offline version, the SEI CERT Coding rules and the Common Weakness Enumeration (CWEs) that accompany the distribution may not be up-to-date. The current version of the SEI CERT Coding rules are available online at: The current version of the CWEs is available at:

Relevant Known Issues

  • During the quick start demonstration, the following superfluous error is generated in the web app console: ".../ no such file or directory".

  • The digest_diagnostics script does not follow symlinks in source directories.

  • The pathnames in Rosecheckers output are incorrect when executed on a project that compiles files outside of the directories they live in. This affects the web app's ability to display the source code associated with a diagnostic.

  • Some of the links in the exported secure coding rule documentation point to online pages, and will fail on a machine with no Internet connection.


Questions and comments can be sent to