Analysis updated 2026-05-18
Scan a Yocto layer for hardcoded credentials, insecure HTTP URLs, and floating source revisions.
Enforce OpenEmbedded style conventions like required SUMMARY fields and colon-based override syntax.
Run headless in a CI pipeline and export results as JSON or SARIF for code review tooling.
| prashantdivate/yocto-lens | gizmodata/adbc-driver-quack | gokele/ovh | |
|---|---|---|---|
| Stars | 14 | 14 | 14 |
| Language | Go | Go | Go |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 3/5 | 3/5 |
| Audience | developer | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Single cross-platform binary, no Docker or running Yocto build required.
Yocto Lens is a command-line tool that checks Yocto and OpenEmbedded layers for problems before they cause build failures or security issues. Yocto is the build system most commonly used to create custom Linux distributions for embedded hardware (routers, industrial devices, automotive systems, and similar). The layers it analyzes are the structured folder hierarchies that contain the recipes, patches, and configuration files describing what software to build and how. The tool scans three types of files: BitBake recipe files (.bb and .bbappend), patch files (.patch), and layer configuration files. For each, it runs different kinds of checks and reports findings through an interactive terminal interface with tabs for static analysis, style, and recipe health. You can also run it without the UI for use in automated build pipelines. The static analysis checks look for things that can cause real problems: a recipe that pins its source to a floating revision (which can silently change between builds), insecure HTTP URLs in source downloads, hardcoded credentials or API tokens left in metadata, absolute paths that would only work on the developer's machine, missing or broken layer compatibility declarations, and licenses that need attention such as GPLv3 inclusions or absent license checksums. The style checks enforce OpenEmbedded conventions: recipes should have SUMMARY and DESCRIPTION fields, variable assignments should follow a standard ordering, line lengths should stay within limits, and old-style override syntax (like _append and _prepend) should be updated to the newer colon-based form. Patch files are checked for required Upstream-Status and Signed-off-by headers. A single binary download covers Linux, macOS, and Windows. Pointing it at a layer folder is enough to start, no Docker, no environment variables, and no connection to a running Yocto build are required. Results can be exported as JSON or SARIF for integration with code-review and CI tooling.
Yocto Lens is a command-line tool that scans Yocto and OpenEmbedded build layers for security issues, style problems, and recipe errors before they break a build.
Mainly Go. The stack also includes Go, BitBake, JSON.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.