It's been two months since this profile received a new review

Klocwork Reviews & Product Details

Perforce Klocwork is an enterprise grade SAST solution for C, C++, C#, Rust (support coming March 2026), Java, JavaScript, Python, and Kotlin. It helps development teams detect security vulnerabilities, quality issues, and reliability defects early, while supporting compliance with industry and regulatory standards. Klocwork is purpose built to analyze very large, complex codebases and scales to hundreds of millions of lines of code, well beyond the practical limits of many traditional SAST tools. This makes it especially suited for organizations developing long lived, safety critical, or security critical systems. Designed for DevOps and DevSecOps, Klocwork integrates with complex build systems, CI/CD pipelines, cloud and containerized environments, and common developer tools—enabling consistent security and quality enforcement without slowing development. Static Application Security Testing (SAST) Klocwork identifies a wide range of security vulnerabilities, including SQL injection, tainted data flows, buffer overflows, and other insecure coding practices. It also detects bugs and quality issues such as null pointer dereferences, memory and resource leaks, uncaught exceptions, and code smells. The solution supports compliance with internationally recognized standards including CWE, OWASP, CERT, PCI DSS, DISA STIG, and ISO/IEC TS 17961. Automated CI/CD integrations make continuous security testing practical even for very large systems. AI Assisted Code Remediation with MCP Klocwork extends static analysis with AI assisted code remediation, designed to help developers resolve findings faster and with greater confidence. Using MCP based capabilities, Klocwork securely exposes rich static analysis context—defect data, rule knowledge, and precise fix guidance—to supported AI code assist tools directly within the IDE. Rather than relying on generic AI suggestions, Klocwork’s remediation feature combines deep static analysis insights with comprehensive documentation and exact fix instructions, enabling AI assistants to propose accurate, context aware corrections for security vulnerabilities, quality defects, and coding standard violations. Fixes are presented as clear diffs and require developer review and approval, making the approach suitable for safety and security critical environments. By integrating remediation into the developer workflow, Klocwork reduces time spent interpreting analysis results, researching fixes, and switching between tools. Developers stay in their IDE, receive guided remediation aligned with secure coding standards and project specific rules, and can immediately re analyze code to validate fixes. This completes the optimal shift left approach—helping teams not only find issues early, but fix them efficiently and consistently. Project Streams and Enterprise Scalability Klocwork’s Project Streams feature simplifies managing shared codebases with multiple variants or branches. A single rule configuration can be applied across streams, issues common to multiple variants stay synchronized, and stream specific findings are clearly identified for reporting and compliance. Developer Focused and Centralized Klocwork integrates directly into popular IDEs to deliver fast, contextual feedback as developers write code. Out of the box compiler support eliminates manual setup, while centralized dashboards provide visibility into trends, risk, and compliance across projects of any size.

Seller

Perforce

Discussions

Klocwork Community

Overview by

Megan Palkert

Value at a Glance

Averages based on real user reviews.

Perceived Cost

$$$$$

View More Pricing Information

Top-Rated Alternatives

View All Alternatives

G2 reviews are authentic and verified.

Here's how.

April M.

Technology Integration Safety Intern

Small-Business (50 or fewer emp.)

12/14/2021

"Klocwork Review"

5/5

What do you like best about Klocwork?

There are a lot of built-in checkers that were helpful. There are so many of them, and they are all very well documented, so using them was straightforward. Creating checkers was also easy because they have a guide on getting started and links that explain the different checkers. Customer support always got back to me quickly. There is an entire library of information on the portal. If you need help or information it's probably already documented and it's easy to find. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

At first, getting started was confusing. I wasted a lot of time trying to set up and install. It was much easier and faster when I had a link to a setup/install guide. Review collected by and hosted on G2.com.

Recommendations to others considering Klocwork:

Reach out when you need assistance; the customer support team is phenomenal and always responded quickly and followed up with me before closing out a support ticket. The videos and tutorials help a lot if you're having any trouble. If you need information, it's either located on their website or the portal. It's much easier to use Klocwork on your local machine than a virtual machine. There are many built-in checkers, so make sure you look at those before implementing new ones. Review collected by and hosted on G2.com.

What problems is Klocwork solving and how is that benefiting you?

Our organization has specific requirements for each system. I needed a way to report on these requirements to ensure implementation. Klocwork has many built-in checkers that meet these requirements, and for the ones that weren't there, we built them. Review collected by and hosted on G2.com.

Chris W.

Software Assurance Tools Program Manager/Static Analysis Domain Expert

Mid-Market (51-1000 emp.)

12/9/2021

"Klocwork is a very mature, robust and helpful static code analysis tool"

5/5

What do you like best about Klocwork?

Klocwork does a really good job of finding the most critical defects. The incremental build capabilities to compare results between different versions of the software is very helpful. The web review interface is intuitive and supports effective review of any analysis results. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

It would be great to have continued improvements in creating possible custom checkers tailored to your specific software under analysis. It would also be helpful to provide even more robust export and reporting capabilities for the results so that we can more readily incorporate analysis results into other business processes where appropriate in the organization. Review collected by and hosted on G2.com.

Recommendations to others considering Klocwork:

The most important thing is always to focus on making the tool work for your specific business needs, so don't get hung up on every particular feature of the tool itself. Make the tool work for what is essential to your business.

It would be wise to consider integrating it into an automated development operations pipeline if possible. We use Docker to containerize specific software builds. We use Jenkins as our build automation server to provide a complete end-to-end pipeline for supporting the automated use of Klocwork and other tools for analysis against our target software.

We have found it helpful to review the default checker configuration with our software team before analyzing the target software. This approach helps us to understand better what results are of most interest to us before starting the process of generating multiple analysis builds for review. It is also helpful to review the initial set of generated results to determine if any particular checkers may be causing some "noise" in terms of a significant number of results or possible false positives. We may decide to disable a select number of checkers for the following analysis build.

Finally, it is crucial to maintain awareness of new features and any patches that the vendor may release to best support the tool for any users. Review collected by and hosted on G2.com.

What problems is Klocwork solving and how is that benefiting you?

We perform independent verification and validation of mission-critical software. Klocwork helps us to prioritize our analysis efforts in the areas of most concern to start, including any possible security aspects, which have been a significant focus recently. Review collected by and hosted on G2.com.

Markus N.

Expert SW integration and toolchain

Small-Business (50 or fewer emp.)

12/5/2021

"Static code analysis fit for modern CI/CD"

4.5/5

What do you like best about Klocwork?

Klocwork helps us to analyze source code against coding standards like MISRA C as well as standards like CVE which we look forward to use for cyber security analysis. Klocwork also integrates well with our CI/CD toolchain and provides nice integrations with popular IDE's. But most importatnly perhaps is the awesome support and quick feedback Perforce provides to the customers. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

Perforce could improve the REST API. More functions to allow creation of projects and other administrative tasks, which are done with the kwadmin tool for us to improve automation even further. A docker container on docker hub would also be nice to get. Review collected by and hosted on G2.com.

Recommendations to others considering Klocwork:

Consider using a docker container for the server. The upgrade process will be more straightforward when using migration: old server to new server in docker. Review collected by and hosted on G2.com.

What problems is Klocwork solving and how is that benefiting you?

The main benefit Klocwork provides (in a CI/CD context) is that we are catching issues early in the development cycle. Many bugs, e.g., array out of bounds, are challenging to find in HIL testing and can be avoided. Furthermore, the developers do not need to worry about coding standards as Klocwork provides the checks for them. Review collected by and hosted on G2.com.

Daniel P.

Senior Firmware Engineer

Enterprise (> 1000 emp.)

12/2/2021

"Great tool for static analysis on embedded projects"

5/5

What do you like best about Klocwork?

The provided tools, documentation, and support make static analysis report creation an easy task. Also, the MISRA C checkers add to get complete reports fulfills customer requirements. With the Klocwork reports, we have been able to prevent and fix critical issues, and improve our source code. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

I consider that the report creation can be improved. Being able to customize better which data and charts are added. The report can be obtained on PDF format, but this document does not include detailed information about the build. Review collected by and hosted on G2.com.

What problems is Klocwork solving and how is that benefiting you?

When we started using Klocwork, as a customer requirement to obtain static analysis reports, multiple potential (and real) risks were avoided. As must of the issues detected on static analysis were cleaned, we use it now to prevent new issues and to create static analysis reports, based on MISRA checkers. Review collected by and hosted on G2.com.

Verified User in Defense & Space

Small-Business (50 or fewer emp.)

11/30/2021

"Leading with Cyber Excellence using Klocwork"

4/5

What do you like best about Klocwork?

A complete solution, desktop, server, API, reports, compliance tailoring, CI/CD integration with JIRA, JENKINS and Github. The support team is the best! Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

A narrow set of computer languages supported, out-of-the-box works but can result in false positives or false negatives if not configured correctly. Review collected by and hosted on G2.com.

Recommendations to others considering Klocwork:

Make sure with your customer's IA team the checkers used meet the IA requirements. Review collected by and hosted on G2.com.

What problems is Klocwork solving and how is that benefiting you?

NIST and PCI compliance gives us the confidence to tell our customers that the product delivered has a low risk of containing a vulnerability and a low risk of adverse consequences as a result. Removing vulnerabilities and weaknesses improves the integrity of the delivered product. Klocwork use also lowers latent defects discovered post-delivery reducing the cost of development and adoption. Review collected by and hosted on G2.com.

Verified User in Automotive

Mid-Market (51-1000 emp.)

12/3/2021

"Klocwork review"

2.5/5

What do you like best about Klocwork?

Included links to how to fix found issues. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

Inexistent traceability of developer's issue suppression from their desktop. The way of working proposed by Klocwork is to have dedicated team that reviews suppressions but this becomes a bottleneck when this team needs to overwatch many small embedded projects. Therefore in such situation everyone gets allowed to suppress issues in order to maintain development agility. This in turn leads to people suppressing issues without discussing them with a peer programmer. With the possibility to trace that an issue was suppresed by a developer from the desktop it would help discover issues that were suppressed despite they should not been suppressed.

It is a good feature to be able to configure that the issues can be suppressed from the portal only but it is not possible today to configure the tool to hinder developers suppressing issues from the desktop tool. Review collected by and hosted on G2.com.

Response from Steve Howard of Klocwork

edit

Dear Reviewer.

Thank you for taking the time to review Klocwork.

Klocwork will actually trace all defects throughout the codebase and even suppressions made on the desktop, PROVIDED that you 'connect' those local desktop projects in the developer IDEs or on the command line, etc. to the central server project for the Master branch, etc. Once you are using 'connected' local projects, all status changes made by the developers on their local feature branches will be stored within the Klocwork defect database and tracked with a full audit trail of who made the change, when and why.

It is also possible, using the granular Klocwork permissions structure to setup a compliance workflow, whereby different project personnel (developers, QA, build engineers) have different permissions in terms of moving the defects between states. i.e. you can require that only QA team members have the right to change a status from, say 'defer' (indicating a deviation request) to 'ignore' (indicating a deviation approval'). This means that you won't then suffer with the problem you mention that this "leads to people suppressing issues without discussing them".

It additionally means that when you get into the release stream for the project, you will know that all deviations to the required standard (e.g. MISRA) have already been approved by QA through the cycle and the generated standards compliance reports will be correct and ready for certification, so no further review are required, saving time.

I hope this is useful information but please feel free to raise a support ticket via the portal should you encounter further issues.

Kind regards

Steve

See how Klocwork improved

Verified User in Defense & Space

Mid-Market (51-1000 emp.)

12/7/2021

"Using Klockwork as our main static code analysis tool."

4/5

What do you like best about Klocwork?

Build a successful product by minimizing code issues at any stage of development. Modern UI, Quality Gates. We can manage each project's configuration and rules. Also, KW taxemonics has a lot of built-in known ones. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

The web UI looks and feels outdated, and the scanner on the build machine does not return a non-zero value when project rules are not met. Review collected by and hosted on G2.com.

Verified User in Industrial Automation

Small-Business (50 or fewer emp.)

12/3/2021

"Good practice for static code review, not so easy to use"

3.5/5

What do you like best about Klocwork?

inline analisys of C++ code directly from Eclipse. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

unprofiled Visual Studio plugin, that let VS crash quite often. Review collected by and hosted on G2.com.

Vikash K.

Validation, Quality, DevOps, SW Legal compliance, SW Security & Cloud Performance

Enterprise (> 1000 emp.)

1/19/2021

"Klocwork has improved our code quality. Checkers have kept our code quality at very high note."

5/5

What do you like best about Klocwork?

Wide range of checkers. valuable issue segregation and easy report visibility for all type is issues/warnings. User friendly commands for building and analysis. Awesome commands to automate klocwork scan activities. It integrates with CI/CD tools, containers, cloud services, and machine provisioning making automated security testing easy. Security Standards: CWE, OWASP, CERT, PCI DSS, DISA STIG, and ISO/IEC TS 17961.

It analyzes source code in real time, simplifies peer code reviews, and extends the life of complex software. Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

Only few programming languages are supported. Few more security checks required. strong filtering and report analysis features required. would like to see better codes between projects and a more user-friendly desktop in the next release. Issue we have is that whenever we need to get the code we have to build it first. Then we can get the report. I would like to see a dashboard added to provide a clear look and feel. The dashboard would then supplement the users to enable them to get a quick view of the content, as long is it is clear. A presentational dashboard would be good. Review collected by and hosted on G2.com.

Recommendations to others considering Klocwork:

Klocwork is industry leading and proven static code analysis tool. Use it to improve Application security and code quality. It works like spell check for developers. Review collected by and hosted on G2.com.

What problems is Klocwork solving and how is that benefiting you?

Resolving all static code issues, syntax issues, security issues and null issues. solution is scalable. It improves Application security and code quality. Review collected by and hosted on G2.com.

Verified User in Defense & Space

Mid-Market (51-1000 emp.)

7/24/2020

"klockworks is great"

5/5

What do you like best about Klocwork?

It's easy to use and customize to flag just the items you will to catch. Also you can omit files you know have issues (lots of time commercial software you don't want to change) Review collected by and hosted on G2.com.

What do you dislike about Klocwork?

Nothing really its so easy to use. We use it to catch potential coding errors Review collected by and hosted on G2.com.