
Security testing procedure

This page summarizes the reproducible security-focused checks used for argparse-c.

CI evidence

Local procedure

  1. Configure and build:
       cmake -S . -B build
       cmake --build build --parallel
  2. Run tests:
       ctest --test-dir build --output-on-failure
  3. Run sanitizer configuration (as used in CI):
       cmake -S . -B build-sanitizers -DCMAKE_BUILD_TYPE=RelWithDebInfo -DAP_ENABLE_SANITIZERS=ON
       cmake --build build-sanitizers --parallel
       ctest --test-dir build-sanitizers --output-on-failure
  4. Run coverage configuration (as used in CI):
       ./scripts/coverage_ci_gcovr.sh

This script intentionally matches CI coverage settings (build dir build-coverage, -DAP_ENABLE_COVERAGE=ON, and gcovr root/filter/object-directory/exclude arguments).

  5. Optional: include the same coverage measurement in daily quick checks:
       ./scripts/dev_quick_check.sh --with-coverage
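
The steps above can be chained so that one failing step does not hide the result of the others. The wrapper below is an added example, not part of the argparse-c repository. Its function names, step labels and the --run switch are this example's own, and it assumes AP_ENABLE_SANITIZERS includes UBSan.

```shell
#!/bin/sh
# Added example: run the local procedure's steps, continue past failures,
# and print a PASS/FAIL line per step. Usage: sh run_security_checks.sh --run
# (the file name and step labels are this example's own).

RESULTS=""
FAILED=0

# run_step LABEL CMD...: run one step and record its outcome.
run_step() {
    label=$1; shift
    if "$@"; then
        RESULTS="${RESULTS}PASS ${label}
"
    else
        RESULTS="${RESULTS}FAIL ${label}
"
        FAILED=$((FAILED + 1))
    fi
}

# build_and_test DIR [CMAKE_ARGS...]: configure, build, then run ctest.
build_and_test() {
    dir=$1; shift
    cmake -S . -B "$dir" "$@" &&
        cmake --build "$dir" --parallel &&
        ctest --test-dir "$dir" --output-on-failure
}

# Assumption: AP_ENABLE_SANITIZERS includes UBSan. UBSan reports are
# non-fatal unless built with -fno-sanitize-recover, so make the runtime
# stop on the first report and fail the test that triggered it.
sanitizer_run() (
    UBSAN_OPTIONS=${UBSAN_OPTIONS:-halt_on_error=1:print_stacktrace=1}
    export UBSAN_OPTIONS
    build_and_test build-sanitizers \
        -DCMAKE_BUILD_TYPE=RelWithDebInfo -DAP_ENABLE_SANITIZERS=ON
)

# summary: print the recorded results; succeed only if nothing failed.
summary() {
    printf '%s' "$RESULTS"
    [ "$FAILED" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then
    run_step "build+tests" build_and_test build
    run_step "sanitizers"  sanitizer_run
    run_step "coverage"    ./scripts/coverage_ci_gcovr.sh
    summary
    exit $?
fi
```

The exit status is non-zero if any step failed, so the printed summary can be kept with the release notes when the README/FAQ wording is reviewed.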

Statement maintenance rule

At each release, the security-related wording in README/FAQ should be reviewed against:

  • the latest CI run status,
  • this procedure page,
  • and any open vulnerability reports.