diff --git a/.github/workflows/code-scan-coverity.yml b/.github/workflows/code-scan-coverity.yml
new file mode 100644
index 0000000000..4de50a15c7
--- /dev/null
+++ b/.github/workflows/code-scan-coverity.yml
@@ -0,0 +1,43 @@
+name: "security-coverity-scan"
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [main]
+ paths:
+ - "main/**"
+ - ".github/workflows/code-scan-coverity.yml"
+
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
+env:
+ XIAOZHI_VERSION: "2.0.4"
+
+jobs:
+ coverity-cpp-code-scan:
+ runs-on: ubuntu-latest
+ container: espressif/idf:release-v5.5
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+ - name: Checkout Github code
+ uses: actions/checkout@v5
+
+ - name: Install missing tools for Coverity scan
+ run: |
+ apt-get update
+ apt-get install -y file
+
+ - name: Coverity scan with build command
+ uses: vapier/coverity-scan-action@v1
+ with:
+ project: esp32-xiaozhi
+ token: ${{ secrets.COVERITY_SCAN_TOKEN }}
+ email: ${{ secrets.COVERITY_SCAN_EMAIL }}
+ version: ${{ env.XIAOZHI_VERSION }}
+ command: bash -c "source $IDF_PATH/export.sh && python scripts/release.py jiuchuan-s3 --name jiuchuan-s3"
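Review bot: The three `uses:` lines (harden-runner, actions/checkout, vapier/coverity-scan-action) reference mutable major-version tags, and the job hands `COVERITY_SCAN_TOKEN` and `COVERITY_SCAN_EMAIL` to the third-party scan action, so a moved or compromised `v1`/`v2`/`v5` tag could run arbitrary code with those secrets on every push to `main`. Pin each action to a full commit SHA with the tag as a trailing comment, e.g. `uses: vapier/coverity-scan-action@<full-commit-sha> # v1`, and consider pinning the `espressif/idf:release-v5.5` job container by image digest for the same reason. Note also that with `egress-policy: audit` harden-runner only logs outbound traffic, so until the TODO on that line is resolved it provides no protection against exfiltration of the token; whether harden-runner is effective at all when the job runs inside a `container:` is unclear from here and should be confirmed against its documentation before relying on it.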
diff --git a/README.md b/README.md
index 9026ec9fe1..7ea6b7f7b2 100644
--- a/README.md
+++ b/README.md
@@ -166,3 +166,10 @@ v1 的稳定版本为 1.9.2,可以通过 `git checkout v1` 来切换到 v1 版
+
+## Coverity scan
+
+
+
+
diff --git a/README_en.md b/README_en.md
index d3ad0f0558..129f50f522 100644
--- a/README_en.md
+++ b/README_en.md
@@ -169,4 +169,11 @@ If you have any ideas or suggestions, please feel free to raise Issues or join t
-
+
+
+## Coverity scan
+
+
+
+
diff --git a/README_ja.md b/README_ja.md
index c7dd029e6e..77ffeb1131 100644
--- a/README_ja.md
+++ b/README_ja.md
@@ -165,4 +165,11 @@ Feishuドキュメントチュートリアルをご覧ください:
-
+
+
+## Coverity scan
+
+
+
+