Status: Closed
Labels: 🚨 (This issue needs some love), static-analysis, triage me (I really want to be triaged)
Description
There are a number of options for finding issues via static analysis, whether via self-run tooling or via SaaS, e.g.,
Specific tools
- CppCheck — open-source, self-managed
- Coverity Scan — commercial SaaS, free for open-source GitHub repos — most of their success stories are for C/C++ repositories!
- Clang static analyzer — open-source, self-managed
- FlawFinder — a new one I found, but haven't heard much about it in the past
Collections, lists, reviews, etc.
- a list of static analysis tools (Wikipedia)
- another list of tools (via GitHub repo)
- yet another list of tools which separates tools into 3 categories: (i) free/open-source, (ii) free for academic use, and (iii) commercial
- a Stack Overflow discussion about C++ static analysis tools
- a review of C++ static analyzers (June 2017)
- static code analysis comparison by John Carmack (of Quake fame); posted on the PVS-Studio blog because his original article is no longer available
I think we should start with enabling Coverity Scan and integrating Clang analyzers (since we're going to use Clang for building our code anyway).
Adding CppCheck and FlawFinder is also a good idea, but if they don't support C++11 (or C++14, if/when we upgrade this repo's minimum C++ requirements), that might become an issue.