Just want to note that if we want to go ahead with fuzzing (I detailed a possible plan to do so in the mailing list a month or so ago) we will definitely need somewhere to run fuzzing (even if it's Google's syzbot).Getting somewhere where we can run static analysis, fuzzing just makes sense IMO (hell, who knows, maybe even CI or something like Gerrit for mailing list-less code reviews).Yes, LLVM/CLANG Static Analyzer is another possibility. I've mentioned it in the first version of the RFC.
CodeChecker (https://codechecker.readthedocs.io/en/latest/) is an open source front-end for the scan-build and clang-tidy.
It simplifies analyzer configuration and provides web-based report storage. However, it has to be hosted somewhere.
If somebody has an idea on how edk2 community can host the CodeChecker, that's definitely an option to consider.
--Pedro Falcato