diff --git a/.cppcheck b/.cppcheck
new file mode 100644
index 0000000..069b8fe
--- /dev/null
+++ b/.cppcheck
@@ -0,0 +1,29 @@
+// Cppcheck bug: does not validate loop constraints properly...
+arrayIndexOutOfBounds:printer-driver.c
+
+// Bad CERT recommendation: C memory layout not determined by variable locations
+cert-API01-C
+
+// Don't report non-const casts. Inline suppression comments are not working,
+// otherwise we'd be more selective...
+cert-EXP05-C:device.c
+cert-EXP05-C:device-network.c
+cert-EXP05-C:device-usb.c
+cert-EXP05-C:link.c
+cert-EXP05-C:mainloop-subcommands.c
+cert-EXP05-C:resource.c
+cert-EXP05-C:system-webif.c
+cert-EXP05-C:util.c
+
+// Not handling "(unsigned)~CONSTANT" properly...
+cert-INT31-c
+
+// fopen_s is NOT supported on POSIX platforms and DOES NOT APPLY for reading
+// of files!
+cert-MSC24-C:job-filter.c
+
+// char something[###] = "constant" should not result in an error!
+cert-STR05-C:system-webif.c
+
+// Not sure why this is a thing...
+preprocessorErrorDirective
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0cadcbc..f72a966 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,11 +18,15 @@ jobs: - name: install prerequisites run: sudo apt-get install -y zlib1g-dev - name: make - run: make 'COMMONFLAGS=-g -fsanitize=address' + run: make "COMMONFLAGS=-g -fsanitize=address" - name: test env: ASAN_OPTIONS: leak_check_at_exit=false run: make test + - name: clang static analyzer + run: cd pappl && make CC=clang "GHA_ERROR=::error::" clang + - name: cppcheck + run: cd pappl && make "GHA_ERROR=::error::" cppcheck build-macos: 
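Review bot: The file-scoped entries name `printer-driver.c`, `device-usb.c`, `system-webif.c`, `job-filter.c` and similar files, which do not look like sources of the library this commit's `Makefile` builds (it documents `pdfio.h` and `$(LIBOBJS:.o=.c)`); if those files are not in this tree the scoped suppressions match nothing and only the three unscoped ones (`cert-API01-C`, `cert-INT31-c`, `preprocessorErrorDirective`) take effect, for every file. An unscoped `cert-INT31-c` turns off the integer-conversion check across the whole code base, which is a check worth keeping for code that reads lengths and offsets from input files. I would scope it the way the `cert-EXP05-C` entries are scoped, e.g. `cert-INT31-c:<file-with-the-false-positive>.c`, and drop entries for files that do not exist here.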
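Review bot: Both new steps run `cd pappl && make …`, but this commit adds the `clang` and `cppcheck` targets to the top-level `Makefile` and nothing visible creates a `pappl` directory, so the steps will most likely fail at the `cd` rather than run the analyzers; if the targets live at the repository root the step should read `run: make CC=clang "GHA_ERROR=::error::" clang`. The same two steps are repeated in the `build-macos` hunk (`@@ -31,6 +35,10 @@`) and need the same change. The visible prerequisites step installs only `zlib1g-dev`, so unless the runner images already ship cppcheck it has to be installed first, e.g. `sudo apt-get install -y zlib1g-dev cppcheck` on the Ubuntu job.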
@@ -31,6 +35,10 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - name: make
- run: make 'COMMONFLAGS=-g -fsanitize=address'
+ run: make "COMMONFLAGS=-g -fsanitize=address"
 - name: test
 run: make test
+ - name: clang static analyzer
+ run: cd pappl && make CC=clang "GHA_ERROR=::error::" clang
+ - name: cppcheck
+ run: cd pappl && make "GHA_ERROR=::error::" cppcheck
diff --git a/.gitignore b/.gitignore
index da4ccf0..6d7e84a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,8 @@ *.1.dylib *.a +*.log *.o -*.so +*.so.1 /testpdfio -/testpdfio-*.pdf +/testpdfio-out.pdf
diff --git a/Makefile b/Makefile
index 70fa498..82d12e9 100644
--- a/Makefile
+++ b/Makefile
@@ -147,3 +147,16 @@ doc:
 codedoc $(DOCFLAGS) --title "PDFio Programming Manual v$(VERSION)" pdfio.h $(LIBOBJS:.o=.c) --body doc/pdfio.md --coverimage doc/pdfio-512.png pdfio.xml >doc/pdfio.html
 codedoc $(DOCFLAGS) --title "pdf read/write library" --man pdfio --section 3 --body doc/pdfio.md pdfio.xml >doc/pdfio.3
 rm -f pdfio.xml
+
+
+# Analyze code with the Clang static analyzer
+clang:
+ clang $(CPPFLAGS) --analyze $(OBJS:.o=.c) 2>clang.log
+ rm -rf $(OBJS:.o=.plist)
+ test -s clang.log && (echo "$(GHA_ERROR)Clang detected issues."; echo ""; cat clang.log; exit 1) || exit 0
+
+
+# Analyze code using Cppcheck
+cppcheck:
+ cppcheck $(CPPFLAGS) --template=gcc --addon=cert.py --suppressions-list=.cppcheck $(OBJS:.o=.c) 2>cppcheck.log
+ test -s cppcheck.log && (echo "$(GHA_ERROR)Cppcheck detected issues."; echo ""; cat cppcheck.log; exit 1) || exit 0
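Review bot: In both new recipes the analyzer's stderr goes only to a log file, so if `clang` or `cppcheck` itself exits non-zero (a missing header, or `--addon=cert.py` not being found) make stops on that line and the CI output shows no diagnostics, because the `test -s` line that prints the log is never reached. Appending `|| (cat clang.log; exit 1)` to the first recipe line, and the `cppcheck.log` equivalent in the second rule, keeps such a failure visible. The workflow passes `CC=clang`, but the recipe hard-codes `clang`, so that override has no effect. The source list is `$(OBJS:.o=.c)` while the `doc` rule just above uses `$(LIBOBJS:.o=.c)`; `OBJS` is defined outside the hunk, so confirm it covers the library sources, since an empty or partial list lets the check pass without analysing them. Neither target is declared `.PHONY` within the hunk, so a stray file named `clang` or `cppcheck` would silently skip the analysis; `.PHONY: clang cppcheck` avoids that.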