diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml new file mode 100644 index 0000000..9395d92 --- /dev/null +++ b/.github/workflows/static.yml @@ -0,0 +1,82 @@ +--- +name: Static analysis + +on: [push, pull_request, workflow_dispatch] + +jobs: + cppcheck: + runs-on: ubuntu-latest + permissions: read-all + + steps: + - uses: actions/checkout@v4 + + - name: Install build dependencies + run: | + sudo apt-get update + sudo apt-get -y install \ + build-essential \ + autoconf \ + automake \ + gnutls-dev \ + libkeyutils-dev \ + libnl-3-dev \ + libnl-genl-3-dev \ + libglib2.0-dev + + - name: Install tools + run: | + sudo apt-get install -y bear cppcheck + + - name: Configure + run: | + ./autogen.sh + ./configure --with-systemd + + - name: Generate compile commands + run: | + bear -- make + + - name: Run Cppcheck + run: | + echo "::group::Cppcheck Analysis" + cppcheck --enable=all -I. \ + --suppress=missingIncludeSystem \ + --suppress=unusedFunction \ + src/ + echo "::endgroup::" + + lizard: + runs-on: ubuntu-latest + permissions: read-all + + steps: + - uses: actions/checkout@v4 + + - name: Install build dependencies + run: | + sudo apt-get update + sudo apt-get -y install \ + build-essential \ + autoconf \ + automake \ + gnutls-dev \ + libkeyutils-dev \ + libnl-3-dev \ + libnl-genl-3-dev \ + libglib2.0-dev + + - name: Install tools + run: | + pip3 install lizard bandit[toml] + + - name: Configure + run: | + ./autogen.sh + ./configure --with-systemd + + - name: Run Lizard Complexity Analysis + run: | + echo "::group::Complexity Analysis" + lizard --CCN 15 src/ || true + echo "::endgroup::" diff --git a/src/tlshd/client.c b/src/tlshd/client.c index 04d1b9f..20d0cf9 100644 --- a/src/tlshd/client.c +++ b/src/tlshd/client.c @@ -20,7 +20,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include 
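Review bot: The Cppcheck step can never fail the job, because cppcheck exits 0 even when it reports defects unless `--error-exitcode=1` is given, and the `compile_commands.json` produced by the `bear -- make` step is never consumed, so the scan runs without the project's real include paths and defines; the invocation should become `cppcheck --enable=all --project=compile_commands.json --error-exitcode=1 --suppress=missingIncludeSystem --suppress=unusedFunction`. The lizard step is likewise neutralised by `|| true`, which is acceptable for an informational report but should be reflected in the step name so nobody mistakes it for a gate. `bandit[toml]` is installed in the lizard job yet never invoked, so that install is dead weight. Both jobs reference `actions/checkout@v4` by a mutable tag; pinning third-party actions to a full commit SHA is the usual hardening for a workflow that runs on every pull request.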
@@ -171,7 +171,7 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) { char issuer_dn[256]; size_t len; - int i, ret; + int i; if (nreqs < 1) return; @@ -179,6 +179,8 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) tlshd_log_debug("Server's trusted authorities:"); for (i = 0; i < nreqs; i++) { + int ret; + len = sizeof(issuer_dn); ret = gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, &len); if (ret >= 0) diff --git a/src/tlshd/config.c b/src/tlshd/config.c index 4c54d37..029dbcc 100644 --- a/src/tlshd/config.c +++ b/src/tlshd/config.c @@ -18,7 +18,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c index ed5c13b..5a28939 100644 --- a/src/tlshd/handshake.c +++ b/src/tlshd/handshake.c @@ -19,7 +19,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include @@ -64,7 +64,7 @@ static void tlshd_save_nagle(gnutls_session_t session, int *saved) IPPROTO_TCP, TCP_NODELAY, saved, &len); if (ret < 0) { tlshd_log_perror("getsockopt (NODELAY)"); - saved = 0; + *saved = 0; return; } diff --git a/src/tlshd/keyring.c b/src/tlshd/keyring.c index 6aac02e..32f2d27 100644 --- a/src/tlshd/keyring.c +++ b/src/tlshd/keyring.c @@ -18,7 +18,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include diff --git a/src/tlshd/ktls.c b/src/tlshd/ktls.c index 40a26a4..883256a 100644 --- a/src/tlshd/ktls.c +++ b/src/tlshd/ktls.c @@ -19,7 +19,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include @@ -540,7 +540,7 @@ int tlshd_gnutls_priority_init(void) * Returns GNUTLS_E_SUCCESS on success, otherwise an error code. */ int tlshd_gnutls_priority_set(gnutls_session_t session, - struct tlshd_handshake_parms *parms, + const struct tlshd_handshake_parms *parms, unsigned int psk_len) { gnutls_priority_t priority = tlshd_gnutls_priority_x509; 
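Review bot: In client.c's tlshd_x509_log_issuers only `int ret` moves into the loop and `size_t len` stays at function scope, whereas the same commit moves both `len` and `ret` into the loop in the server.c copy of this function; for consistency the declaration hunk should drop `len` too and the loop hunk should read `size_t len;` followed by `int ret;`. The two copies appear to be line-for-line identical, so a shared helper would remove the opportunity for this kind of drift. The loop body and the end of the function lie outside the hunk.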
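Review bot: After the `*saved = 0;` fix in tlshd_save_nagle, the caller receives a definite value on the getsockopt failure path even though the socket's actual TCP_NODELAY state is unknown; if the matching restore helper (not in this hunk) applies `*saved` unconditionally, a failed read here would later disable TCP_NODELAY on a socket that had it enabled. That is a plausible intent, but it deserves a comment on the line, `/* state unknown: restore will leave Nagle enabled */`, or a sentinel value the restore path can recognise. The start of tlshd_save_nagle is before the hunk, so whether the caller already guards for this cannot be seen here.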
diff --git a/src/tlshd/log.c b/src/tlshd/log.c index 849027e..ad39d36 100644 --- a/src/tlshd/log.c +++ b/src/tlshd/log.c @@ -18,7 +18,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include diff --git a/src/tlshd/main.c b/src/tlshd/main.c index 649fe3f..b570526 100644 --- a/src/tlshd/main.c +++ b/src/tlshd/main.c @@ -19,7 +19,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include @@ -56,7 +56,7 @@ static const struct option longopts[] = { { NULL, 0, NULL, 0 } }; -static void usage(char *progname) +static void usage(const char *progname) { fprintf(stderr, "usage: %s [-chsv]\n", progname); } diff --git a/src/tlshd/netlink.c b/src/tlshd/netlink.c index c08e5e5..fbbee56 100644 --- a/src/tlshd/netlink.c +++ b/src/tlshd/netlink.c @@ -18,7 +18,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include @@ -283,8 +283,8 @@ static int tlshd_genl_valid_handler(struct nl_msg *msg, void *arg) struct tlshd_handshake_parms *parms = arg; struct sockaddr_storage addr; struct sockaddr *sap = NULL; + const char *peername = NULL; socklen_t salen, optlen; - char *peername = NULL; int err; tlshd_log_debug("Parsing a valid netlink message\n"); @@ -390,8 +390,8 @@ static const struct tlshd_handshake_parms tlshd_default_handshake_parms = { */ int tlshd_genl_get_handshake_parms(struct tlshd_handshake_parms *parms) { + const struct nlmsghdr *hdr; int family_id, err, ret; - struct nlmsghdr *hdr; struct nl_sock *nls; struct nl_msg *msg; @@ -480,9 +480,10 @@ static int tlshd_genl_put_remote_peerids(struct nl_msg *msg, { key_serial_t peerid; guint i; - int err; for (i = 0; i < parms->remote_peerids->len; i++) { + int err; + peerid = g_array_index(parms->remote_peerids, key_serial_t, i); err = nla_put_s32(msg, HANDSHAKE_A_DONE_REMOTE_AUTH, peerid); if (err < 0) { 
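Review bot: `err` becomes loop-scoped in tlshd_genl_put_remote_peerids, but the function's tail is outside the hunk, so whatever it returns after the loop can no longer be `err`; please confirm the post-loop path returns a fixed success value rather than the status of the last nla_put_s32 call. The same narrowing is applied to `ret` in quic_secret_func in quic.c, where the remainder of the function is likewise outside the hunk and the same confirmation applies. A short comment at the new declaration, `/* per-iteration status; handled in the failure branch below */`, would make the scoping intent explicit.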
@@ -500,7 +501,7 @@ static int tlshd_genl_put_remote_peerids(struct nl_msg *msg, */ void tlshd_genl_done(struct tlshd_handshake_parms *parms) { - struct nlmsghdr *hdr; + const struct nlmsghdr *hdr; struct nl_sock *nls; struct nl_msg *msg; int family_id, err; diff --git a/src/tlshd/quic.c b/src/tlshd/quic.c index 36b8cee..f19e1db 100644 --- a/src/tlshd/quic.c +++ b/src/tlshd/quic.c @@ -18,6 +18,8 @@ * 02110-1301, USA. */ +#include + #include #include #include @@ -26,7 +28,6 @@ #include #include -#include "config.h" #include "tlshd.h" #ifdef HAVE_GNUTLS_QUIC @@ -106,7 +107,7 @@ static int quic_secret_func(gnutls_session_t session, gnutls_record_encryption_l struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session); gnutls_cipher_algorithm_t type = gnutls_cipher_get(session); struct quic_crypto_secret secret = {}; - int sockfd, ret, len = sizeof(secret); + int sockfd, len = sizeof(secret); if (conn->completed) return 0; @@ -134,6 +135,8 @@ static int quic_secret_func(gnutls_session_t session, gnutls_record_encryption_l } if (secret.level == QUIC_CRYPTO_APP) { if (conn->is_serv) { + int ret; + ret = gnutls_session_ticket_send(session, 1, 0); if (ret) { tlshd_log_gnutls_error(ret); @@ -383,13 +386,14 @@ static int quic_handshake_recvmsg(int sockfd, struct tlshd_quic_msg *msg) return ret; } -static int quic_handshake_completed(struct tlshd_quic_conn *conn) +static int quic_handshake_completed(const struct tlshd_quic_conn *conn) { return conn->completed || conn->errcode; } -static int quic_handshake_crypto_data(struct tlshd_quic_conn *conn, uint8_t level, - const uint8_t *data, size_t datalen) +static int quic_handshake_crypto_data(const struct tlshd_quic_conn *conn, + uint8_t level, const uint8_t *data, + size_t datalen) { gnutls_session_t session = conn->session; int ret; diff --git a/src/tlshd/server.c b/src/tlshd/server.c index e80f2fd..250f0ac 100644 --- a/src/tlshd/server.c +++ b/src/tlshd/server.c 
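Review bot: The new `const struct tlshd_quic_conn *conn` on quic_handshake_crypto_data reads as a promise that the connection is not modified, yet its first statement takes `conn->session` and the function (which continues outside the hunk) presumably pushes the crypto data into that session, mutating state reachable through conn. The qualifier is legal and harmless, but it is shallow, so a comment such as `/* const is shallow: conn->session is still driven below */` would keep a reader from assuming the call is side-effect free. The same consideration applies to the const added on quic_handshake_completed, although that one only reads two fields.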
@@ -19,7 +19,7 @@ * 02110-1301, USA. */ -#include "config.h" +#include #include #include @@ -80,8 +80,7 @@ static void tlshd_x509_server_put_privkey(void) static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) { char issuer_dn[256]; - size_t len; - int i, ret; + int i; if (nreqs < 1) return; @@ -89,6 +88,9 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) tlshd_log_debug("Server's trusted authorities:"); for (i = 0; i < nreqs; i++) { + size_t len; + int ret; + len = sizeof(issuer_dn); ret = gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, &len); if (ret >= 0) diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h index a0dd47e..2857804 100644 --- a/src/tlshd/tlshd.h +++ b/src/tlshd/tlshd.h @@ -85,7 +85,7 @@ extern int tlshd_keyring_link_session(const char *keyring); extern unsigned int tlshd_initialize_ktls(gnutls_session_t session); extern int tlshd_gnutls_priority_init(void); extern int tlshd_gnutls_priority_set(gnutls_session_t session, - struct tlshd_handshake_parms *parms, + const struct tlshd_handshake_parms *parms, unsigned int psk_len); extern void tlshd_gnutls_priority_deinit(void);