eclipse-score · rmaddikery · May 22, 2026 · Feb 16, 2026 · Feb 16, 2026 · Feb 25, 2026
@@ -82,3 +82,43 @@ coverage --combined_report=lcov
 coverage --test_env=COVERAGE_GCOV_OPTIONS=-bcu
 coverage --features=coverage
 coverage --cache_test_results=no
+
+# ==============================================================================
+# Dynamic analysis (sanitizers) for Linux host builds/tests
+# ==============================================================================
+
+# Debug symbols for sanitizer stack traces  
+test:with_debug_symbols --cxxopt=-g1
+test:with_debug_symbols --strip=never
+
+# AddressSanitizer + UndefinedBehaviorSanitizer + LeakSanitizer (Combined)
+build:asan_ubsan_lsan --config=x86_64-linux
+build:asan_ubsan_lsan --features=asan
+build:asan_ubsan_lsan --features=ubsan
+build:asan_ubsan_lsan --features=lsan
+build:asan_ubsan_lsan --platform_suffix=asan_ubsan_lsan
+test:asan_ubsan_lsan --config=with_debug_symbols
+test:asan_ubsan_lsan --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
+test:asan_ubsan_lsan --@score_cpp_policies//sanitizers/flags:sanitizer=asan_ubsan_lsan
+test:asan_ubsan_lsan --run_under=@score_cpp_policies//sanitizers:wrapper
+
+# Shortcuts for individual sanitizers
+build:asan  --config=asan_ubsan_lsan
+test:asan   --test_tag_filters=-no-asan
+build:ubsan --config=asan_ubsan_lsan
+test:ubsan  --test_tag_filters=-no-ubsan
+build:lsan  --config=asan_ubsan_lsan
+test:lsan   --test_tag_filters=-no-lsan
+
+# ThreadSanitizer (cannot be combined with ASan/LSan)
+build:tsan --config=x86_64-linux
+build:tsan --features=tsan
+build:tsan --platform_suffix=tsan
+# GCC 12 promotes TSan limitation on atomic_thread_fence to -Werror=tsan.
+# Downgrade to warning so external deps (score_baselibs) compile; TSan still runs.
+build:tsan --cxxopt=-Wno-error=tsan
+test:tsan --config=with_debug_symbols
+test:tsan --cxxopt=-O1
+test:tsan --test_tag_filters=-no-tsan
+test:tsan --@score_cpp_policies//sanitizers/flags:sanitizer=tsan
+test:tsan --run_under=@score_cpp_policies//sanitizers:wrapper
@@ -63,3 +63,7 @@ jobs:
       - name: Build with Bazel
         run: |
           bazel build --lockfile_mode=error --config x86_64-linux //...
+
+      - name: Test with Bazel
+        run: |
+          bazel test --lockfile_mode=error --config x86_64-linux //score/... --test_tag_filters=-no_ci
@@ -11,19 +11,33 @@
 # SPDX-License-Identifier: Apache-2.0
 # *******************************************************************************
 
-name: CPP/C++
+name: CPP coverage
 
 on:
   pull_request:
     types: [opened, reopened, synchronize]
+  merge_group:
+    types: [checks_requested]
   push:
     branches:
       - main
-  merge_group:
-    types: [checks_requested]
 
 jobs:
+  approval:
+    name: coverage approval gate
+    if: github.event_name == 'pull_request'
+    environment: workflow-approval
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Blocking on approval
+        run: 'true'
+
   coverage-report:
+    if: ${{ !cancelled() }}
+    needs: approval
     uses: eclipse-score/cicd-workflows/.github/workflows/cpp-coverage.yml@main
     with:
       bazel-target: "//..."

@@ -0,0 +1,69 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+name: Sanitizers
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  merge_group:
+    types: [checks_requested]
+
+permissions:
+  contents: read
+
+jobs:
+  sanitizer-tests:
+    name: Bazel Tests (${{ matrix.sanitizer_config }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer_config: [asan_ubsan_lsan, tsan]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4.2.2
+        with:
+          ref: ${{ github.head_ref || github.event.pull_request.head.ref || github.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+
+      - name: Setup Bazel with shared caching
+        uses: bazel-contrib/setup-bazel@0.18.0
+        with:
+          bazelisk-version: 1.26.0
+          disk-cache: true
+          repository-cache: true
+          bazelisk-cache: true
+          cache-save: ${{ github.event_name == 'push' }}
+
+      - name: Run sanitizer tests via Bazel
+        run: |
 # Config dedicated to host platform CPU:x86_64 and OS:Linux 
 # Config dedicated to host platform CPU:x86_64 and OS:Linux 
+          set -euo pipefail
+          echo "Running: bazel test --config=${{ matrix.sanitizer_config }} //score/..."
+          # Note: Scoped to C/C++ targets only. Rust targets require Rust-specific
+          # sanitizer handling and are excluded via tag filters.
+          bazel test \
+            --config=${{ matrix.sanitizer_config }} \
+            //score/... \
+            --build_tag_filters=-rust \
+            --test_tag_filters=-rust \
+            --verbose_failures
+
+      - name: Upload Bazel test logs (always)
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: bazel-testlogs-${{ matrix.sanitizer_config }}
+          path: bazel-testlogs/**/test.log
+          if-no-files-found: warn
@@ -42,6 +42,12 @@ bazel_dep(name = "score_platform", version = "0.5.5", dev_dependency = True)
 # Toolchains and extensions
 bazel_dep(name = "score_bazel_cpp_toolchains", version = "0.5.1", dev_dependency = True)
 bazel_dep(name = "score_toolchains_rust", version = "0.8.0", dev_dependency = True)
+bazel_dep(name = "score_cpp_policies", version = "0.0.0", dev_dependency = True)
+git_override(
+    module_name = "score_cpp_policies",
+    commit = "6348b27",
+    remote = "https://github.com/eclipse-score/score_cpp_policies.git",
+)
 
 # S-CORE crates
 bazel_dep(name = "score_crates", version = "0.0.6")

@@ -0,0 +1,23 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+filegroup(
+    name = "repo_suppressions",
+    srcs = [
+        "asan.supp",
+        "lsan.supp",
+        "tsan.supp",
+        "ubsan.supp",
+    ],
+    visibility = ["//visibility:public"],
+)
@@ -0,0 +1,17 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+# Suppressions for the AddressSanitizer
+# See: https://clang.llvm.org/docs/AddressSanitizer.html#issue-suppression
+# Every suppression requires a justification.
+# Suppressions that share the same justification may be organized in a single block.
@@ -0,0 +1,17 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+# Suppressions for the LeakSanitizer
+# See: https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer#suppressions
+# Every suppression requires a justification.
+# Suppressions that share the same justification may be organized in a single block.
@@ -0,0 +1,17 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+# Suppressions for the ThreadSanitizer
+# See: https://github.com/google/sanitizers/wiki/ThreadSanitizerSuppressions
+# Every suppression requires a justification.
+# Suppressions that share the same justification may be organized in a single block.
@@ -0,0 +1,17 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+# Suppressions for the UndefinedBehaviorSanitizer
+# See: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#runtime-suppressions
+# Every suppression requires a justification.
+# Suppressions that share the same justification may be organized in a single block.
@@ -307,7 +307,10 @@ cc_test(
         "//score/datarouter/test/ut/etc:fg_socket_server_log_channels_test_json",
     ],
     features = FEAT_COMPILER_WARNINGS_AS_ERRORS,
-    tags = ["unit"],
+    tags = [
+        "no_ci",
+        "unit",
+    ],
     deps = [
         "//score/datarouter/src/persistency:mock",
         "@googletest//:gtest_main",

@@ -101,6 +101,11 @@ rust_test(
     edition = "2021",
     rustc_flags = RUSTC_FLAGS,
     tags = [
+        "no-asan",  # Rust tests with C++ FFI require sanitizer-instrumented stdlib
+        "no-lsan",
+        "no-tsan",
+        "no-ubsan",
+        "rust",
         "unit_tests",
         "ut",
     ],
@@ -118,6 +123,7 @@ rust_binary(
     ],
     edition = "2021",
     rustc_flags = RUSTC_FLAGS,
+    tags = ["rust"],
     visibility = ["//visibility:public"],
     deps = [
         ":score_log_bridge",