Skip to end of metadata
Go to start of metadata


For a few weeks beginning 23 October 2017, we will be performing occasional maintenance on this CERT Secure Coding wiki.  This is a general notification announcing our maintenance plans.

We are planning the maintenance to minimize the impact to users. There will be several phases of maintenance, and we will provide more detailed information for each phase, such as expected maintenance periods and expected impacts.  During the most significant periods of maintenance, we will provide a read-only version of the wiki, but not allow editing.  That should only affect contributors, and not the vast majority of users of the system.  

When the maintenance is complete, user accounts and histories will be retained for registered users.  But, registered users will need to reset your password through the site’s “forgot password” mechanism.  We will provide more information and instructions before and after that phase of the maintenance.

We expect all maintenance to be complete by early November.  If you have any concerns, please send email to info@sei.cmu.edu, referencing the Secure Coding wiki.



The C rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.

Create a sign-in account if you want to comment on existing content. If you wish to be more involved and directly edit content on the site, you still need an account, but you'll also need to request edit privileges.

Front Matter  


Secure C Coding Books and Downloads
SEI CERT C Coding StandardThe CERT C Coding Standard, 2016 Edition provides rules to help programmers ensure that their code complies with the new C11 standard and earlier standards, including C99.  It is downloadable as a PDF.  (errata)


Secure Coding in C and C++ identifies the root causes of today's most widespread software vulnerabilities, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives.

Source Code Analysis Laboratory (SCALe)
SCALe offers conformance testing of C  language software systems against the CERT C Secure Coding Standard.
Contact Us

Contact us if you

  • have questions about the Secure Coding wiki
  • have recommendations for standards in development
  • want to request privileges to participate in standards development
Thank You!

We acknowledge the contributions of the following folks , and we look forward to seeing your name here as well.  

Rules vs. Recomendations

This coding standard consists of rules and recommendations, collectively referred to as guidelines. Rules are meant to provide normative requirements for code, whereas recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. Learn more about the differences.

Linking to Our Pages

Link to guidelines using the Tiny Link under Tools→Link to this Page... (This URL will not change if the name of the guideline changes.)   

Information for Editors

  • To eliminate a section from the lists above, label it section and void.
  • To have a section listed as a recommendation, label it section and recommendation.
  • To have a section listed as a rule, label it section and rule.  



  1. Try to post comments on leaf nodes, or as close as possible. If you have a comment about a specific rule or recommendation, for example, please post a comment on that page. If you think that we should add a new rule or recommendation to a particular section, please post a comment on the section heading.


  2. Has anyone found a Cert C Lint file for (FlexeLint/PC-Lint) to execute static code analysis? Gimple Flexelint and PC-Lint provide MISRA rules files for both C and C++. However, I have been unable to locate a Cert C/C++ rules file. 

    1. Don,

      I'll leave this up for a little while, but then I'm going to delete it, since it isn't in a very appropriate place.  The Back Matter Analyzers section might be more appropriate.  But, I understand you are looking for visibility to your question, so I'll leave it up a little bit.

      I'm not aware of files like that, and I'm not sure they would be shareable under the tool licenses.  Since PC-Lint and FlexeLint are both commercial tools, I suggest you contact Gimpel and inform them of your request.  If there's enough customer interest, they may add the support.