How to get the most out of Coverity, decreasing the amount of invalid issues it brings up? We can:

• exclude analysis of 3rd-party code, examples and tests
• annotate false-positives - just prepend line with // coverity[event_tag_id]
• develop modeling files for patterns that trigger false positives https://scan.coverity.com/tune

Some links

• Quick Start Guide: cov-configure, cov-build and cov-commit
• Coverity Checker Reference Documentation https://scan3.coverity.com/doc/en/cov_checker_ref.html
• https://community.synopsys.com/s/article/How-to-write-a-function-model-to-eliminate-a-false-positive-in-a-C-applilcation
• https://devguide.python.org/coverity/ (python)
• https://github.com/qemu/qemu/blob/master/scripts/coverity-model.c (qemu's model)
• https://events.static.linuxfound.org/sites/events/files/slides/LinuxCon-EU-2015-Coverity.pdf
• Travis-CI integration: https://scan.coverity.com/travis_ci  https://docs.travis-ci.com/user/coverity-scan/
• Github Actions Integration: https://community.synopsys.com/s/article/Synopsys-Detect-GitHub-Action  https://www.synopsys.com/blogs/software-security/synopsys-detect-github-action-sast-sca/  example on Ruby repo
• Gitlab-CI https://www.synopsys.com/blogs/software-security/integrating-coverity-scan-with-gitlab-ci/