Skip to main content
Video Thumbnail
 

Coco

From Assumed Test Quality to Measured Code Coverage

Coco is a modern code coverage tool for software teams developing desktop applications and embedded systems. It instruments your code during the build process and captures exactly which statements, branches, and conditions were executed during testing without changing your compilers, build system, or test suite. It supports C, C++, C#, QML, Python and Tcl, providing instrumentation and precise test coverage analysis. With Coco, you can generate audit-ready reports aligned with international safety and compliance standards such as ISO 26262 and DO-330.

Try Coco for Free Contact us

Coco-interface-simplified-01

Most Teams Measure Code Coverage. Few Use it to Make Decisions.

A percentage tells you what was touched, not what's dangerously untested, what changed without verification, or where one test would cut the most risk. Coco makes those gaps visible and actionable, so release decisions are based on evidence, not instinct.

In regulated industries, that evidence has to hold up, as auditors need structural coverage at MC/DC level, traceable to your standard. Most tools stop at branch level, but Coco doesn't.

Trusted by Siemens · Bosch · LG · Metso · PolyWorks · SGS TÜV Saar Certified · ASIL D
Download a Product Overview PDF
What Becomes Possible with Code Coverage

Five Things that Change When Coverage is Measured

Coverage measurement tells you what was tested. Once you have the evidence, these are the decisions, conversations, and outcomes that follow:

Visibility

See exactly what your tests cover. CoverageBrowser in Coco colour-codes every line, branch, and condition, so you will know what is executed, and what has never been touched.

Risk Prioritisation

Know which untested code carries the most risk. The CRAP (Change Risk Anti-Patterns) metric in Coco ranks every function by complexity and coverage gap, so that you can ensure that your testing effort goes to the code most likely to cause failures.

Patch Coverage

See which tests cover your patch without re-running everything. Patch analysis maps your diff against existing coverage data and shows which lines in the change are covered by existing tests, and which tests executed them.

Embedded Systems

Collect coverage from both real hardware and emulators. Runtime instrumentation works on actual embedded targets including RTOS-based systems. Instead of simulation artefacts, Coco reflects production behaviour.

Distributed Teams

Distribute testing without distributing source code: With Coco, you can share instrumented binaries with outsourced teams, collect results, and merge into centralised coverage reports.

CRAP Metric and Patch Analysis Change How Your Team Approaches Testing

Know exactly which existing tests cover the code you just changed

When a developer introduces a patch, Coco takes the diff and your existing coverage data and produces a precise report: which lines in the patch are covered by existing tests, which are not, and which tests executed those specific code paths without re-running the full test suite.

  • Import a diff in unified format: Coco maps it against existing coverage execution data
  • Every line in the patch is annotated: covered, not covered, or unknown, with a test count per line
  • Generate HTML or CSV reports for code reviews, release gates, and certification evidence

The CRAP metric tells you which untested code to test next

Knowing you have 80% coverage does not tell you whether the untested 20% is trivial or critical. CRAP metrics, or Change Risk Anti-Patterns, combines cyclomatic complexity with coverage data into a risk score per function. The higher the complexity and the lower the coverage, the higher the score.

  • Functions scoring above 30 are flagged as high risk and surface to the top of a ranked list in CoverageBrowser
  • Engineers know exactly where a new test reduces the most risk without reviewing the entire codebase
  • Results are sortable and exportable for sprint planning, QA reviews, and management reporting

Built for the Standards Your Industry Requires

From function coverage to MC/DC, every level your standard demands, on every platform your team uses

Measure and Improve Your Code Coverage

Coverage levels supported by Coco

Coco supports every major structural coverage metric, from basic function and line coverage through to the MC/DC level required by the most demanding safety standards. Each level gives you a different lens on your test quality. The right level depends on your standard, your integrity level, and how much confidence you need before you release.

 

Dive deeper into Coverage Levels supported by Coco

Function Coverage

Function coverage confirms that each function in your codebase was called at least once during testing, including member functions in C++. It is a straightforward first check that tells you whether key logic units are being exercised at all. If a function never runs during your test suite, it is untested by definition. Coco counts how many functions were called and how often, giving you a clear picture of coverage at the architectural level.

STANDARDS
IEC 61508 SIL 1–4

INDUSTRIES
Automotive Aerospace Industrial Railway Medical

Read more from documentation

Statement Block Coverage

Statement block coverage checks whether all executable statements in your program were run during testing. Coco groups statements that always execute together into blocks, so the metric stays consistent regardless of how the code is formatted. This makes it a reliable baseline for understanding test thoroughness, and a more stable alternative to line coverage for teams working across different coding styles.

STANDARDS
ISO 26262 ASIL A–B IEC 61508 SIL 1–4 EN 50128 SIL 0

INDUSTRIES
Automotive Industrial Railway Medical

Read more from documentation

Line Coverage

Line coverage checks whether each line of code was executed during testing. It is a simple and familiar way to spot gaps in your test suite and get a quick sense of how thoroughly your code is being exercised. Coco supports line coverage and it works well as a starting point for teams new to coverage analysis or working on general-purpose projects. That said, Coco does not recommend it for safety-critical or regulated development. Because results vary depending on how code is formatted, the metric is not stable enough to meet the evidence requirements of standards like ISO 26262 or IEC 61508. For those contexts, statement block coverage gives you the same visibility with consistent, formatting-independent results.

STANDARDS
Not mapped to safety standards

INDUSTRIES
General use Non-regulated projects

Read more from documentation

Branch and Decision Coverage

Branch and decision coverage goes beyond statement coverage by checking that every decision point in your code produces all possible outcomes. Each condition is counted once for true and once for false, so edge cases that only surface under specific inputs get caught during testing rather than in production. Coco verifies both outcomes for every if, while, for and switch statement, making it easier to spot paths your tests are missing.

STANDARDS
ISO 26262 ASIL A–D DO-178C DAL A–B IEC 61508 SIL 1–4 EN 50128 SIL 1–4

INDUSTRIES
Automotive Aerospace Industrial Railway Medical

Read more from documentation

Condition Coverage

Condition coverage takes decision coverage a step further by splitting complex boolean expressions into their individual parts. Each subexpression connected by an and or or operator is evaluated independently for both true and false. This reveals gaps that decision coverage alone will not catch, particularly in decisions with multiple conditions where some combinations may never be tested. In Coco, condition coverage is the natural stepping stone toward MC/DC and gives you a deeper view of logical test completeness before you move to the full independence requirement.

STANDARDS
Stepping stone to MC/DC — not a standalone standard requirement

INDUSTRIES
Automotive Aerospace Industrial Railway Medical

Read more from documentation

MC/DC and MCC Coverage

Modified Condition/Decision Coverage (MC/DC) requires that every condition in a decision must independently affect the outcome. For each condition, there must be two test executions where only that condition changes and everything else stays the same. This is the level of rigor that safety auditors expect at the highest integrity levels, and it is what Coco is certified to support up to ASIL D. Multiple Condition Coverage (MCC) goes even further by requiring all possible combinations of truth values in every decision, and is accepted as an alternative to MC/DC under IEC 61508 and EN 50128 at SIL 3 and 4.

MC/DC STANDARDS
ISO 26262 ASIL A–D DO-178C DAL A IEC 61508 SIL 1–4 EN 50128 SIL 1–4

MCC STANDARDS
IEC 61508 SIL 3–4 (alt.) EN 50128 SIL 3–4 (alt.)

QUALIFICATION KIT
IEC 62304 Class C

INDUSTRIES
Automotive Aerospace Industrial Railway Medical

MC/DC documentation  MCC documentation

Test Timing & Performance Metrics

Beyond coverage, Coco also tracks how long each test takes to run and how often each part of your code gets executed. This helps teams identify slow tests, spot code that gets hit far more than necessary, and optimise the order in which tests run across your CI pipeline. It is not a coverage standard requirement, but it is a practical tool for keeping test suites lean and fast without sacrificing the coverage you need.

STANDARDS
CI and pipeline optimisation — not a coverage standard requirement

INDUSTRIES
All industries

document

Whitepaper: Code Coverage for Safety-Critical Programs

Read Now

Coco Gives Every Role on Your Team Something They Actually Need

QA_icon_persona
For QA Engineer

See exactly which functions, branches, and conditions your tests are hitting, and which they are not. Coco shows coverage gaps directly in the source code so untested paths get caught early, not in production.

CoverageBrowser Branch / Decision Condition / MC/DC Redundant test detection

QA icon persona 2

For QA Manager

Get objective evidence of test effectiveness across your codebase. Coverage trends and gap analysis by module give you what you need to make confident release decisions without manual overhead.

Coverage reporting Trend analysis MC/DC 

QA icon persona 1
For DevOps Engineer

Coco plugs into your CI/CD pipeline and runs only the tests relevant to what changed. Coverage data stays current on every build, with no extra tooling needed.

CI/CD integration Patch analysis Cobertura / SonarQube / JUnit Jenkins / GitHub / GitLab

QA icon 4
For Compliance Lead

Audit-ready coverage reports aligned with ISO 26262, DO-178C, IEC 62304, IEC 61508, and EN 50128. MC/DC evidence is traceable to your standard, and the Qualification Kit means certification closes faster.

MC/DC coverage Qualification Kit Audit-ready reports SGS TÜV Saar Certified

Certified for the Most Demanding Safety Standards

Untitled design-23 1

Coco is independently certified by SGS TÜV Saar — approved for verification of safety-related software up to ASIL D under ISO 26262. That is the highest automotive safety integrity level, confirmed by external audit, not a self-declaration.

 See certification details

Certified to ASIL D

Most coverage tools claim to support safety-critical workflows. Coco has been independently verified to do so. SGS TÜV Saar has assessed and certified Coco under ISO 26262-8:2018 for safety-related software verification up to ASIL D. In practice that means when your safety engineer is asked to justify the coverage tool in a safety case, the answer is a certificate from a body their auditors already recognise, and not an internal document they had to produce themselves. That is a conversation that used to take weeks, and with Coco it takes minutes.

A credential your auditors can verify — not just a feature on a datasheet

Procurement sign-off, supplier audits, certification milestones — these are the moments when the qualification status of your toolchain gets scrutinised — and the moments when most teams discover their coverage tool creates more paperwork than it solves. Coco's SGS TÜV Saar certificate — No. FS/71/220/26/2113 — is a named, externally issued result your compliance team can cite directly in project documentation and present at any of those moments without further justification. Other tools ask your team to make the case. Coco arrives with the case already made.

Spend less time qualifying your tools, more time building your product

Every tool in a safety-critical verification toolchain needs to be qualified for the level being targeted. Without a pre-validated tool, that qualification falls entirely on your team,  adding weeks of effort before the tool can even be used in a safety context. Coco's TÜV Saar certification removes that initial burden. For projects that require full tool qualification under a specific standard, Coco's per-standard Qualification Kits for ISO 26262, DO-178C, IEC 62304, and EN 50128 complete the process, delivering the targeted documentation, pre-built test cases, and safety manuals your standard demands, so your team closes out qualification in days rather than months.

Product Demo

Watch James Vance, Senior Software Engineer at Qt Group, walk through the Coco code coverage interface and show how to measure coverage and identify untested code.
 

“[Coco] code coverage is a relevant tool for us, because you do not know how good your [software] quality is until you understand the code coverage and testing coverage.” 

Jaakko Palokangas, Director of Digital Technology Development, Metso

Code Coverage Tool that Works With Your Setup

Coco plugs into your CI/CD, IDE, and quality tools to make coverage insights instantly usable where you work. Streamline your path from test data to quality improvements.

 

Deploy Anywhere

Run Coco natively or cross-compile to any target, covering everything from desktop to bare-metal embedded systems
Native Compatibility
Run on the systems your teams already use
 Linux, Windows (32/64-bit), macOS 64-bit — Intel & ARM via Rosetta 2
 UNIX variants: Solaris, AIX (enterprise, on request)
Cross-Compilation
Target embedded & constrained environments
 Embedded Linux/Windows — industrial & automotive
 RTOS: QNX, VxWorks, FreeRTOS
 Bare-metal microcontrollers for safety-critical devices
Supported Compilers
Mainstream and specialized toolchains*
 GCC, Clang, MS Visual Studio, Intel, Mono
 QNX, ARM (Keil), Green Hills, HighTec, Diab, TI, and more
*Some toolchains require the Coco Cross-Compilation Add-on
Target Hardware
Run qualification on real, production hardware
 Intel x86/x64, ARM, PowerPC, MIPS, SPARC, AURIX™, and more
 General-purpose CPUs to safety-grade microcontrollers

Develop & Build Faster

Build systems without needing to change your tools or refactor your code. Coco fits right in

Report & Stay Compliant

Export in the formats your teams and auditors already know

Test with What You Already Use

Coco works right alongside your existing frameworks: GoogleTest, Boost.Test, NUnit

Automate & Release

Get automated coverage feedback in your CI/CD pipeline

“Coco brings together the missing link between code and tests. Coco seemed like a regular code coverage tool at first, but after we started using it, we found some very advanced features.” 

InnovMetric

tool qualification
Tool Qualification for Regulated Industries

Avoid Months of Manual Work

If you need to certify your software, you need to qualify your tools.

The Coco Qualification Kit gives you everything needed to prove Coco is safe and reliable for use in safety-critical development. No need to build test suites or write justification from scratch, we’ve done it for you.

  • Pre-built test cases and expected results

  • Tool classification and safety manuals

  • Ready for ISO 26262, DO-178C, IEC 62304, EN 50128, and more

Designed to support a wide range of industries, Coco simplifies compliance and quality assurance by providing ready-to-use validation reports, process documentation, and certification templates

Learn more about Tool Qualification Kit
QA_latest_releases-min

What’s new in Coco? Always something.

From better coverage insights to faster tooling and broader language support, Coco releases bring continuous improvements for test and compliance teams. Explore recent updates and changelogs here.

Latest Release

Qualification Kit

A custom, comprehensive qualification tool to gain the confidence you need to ensure your test processes meet safety standards.

Read more

Documentation

Take a deep dive into the technical aspects of Coco.

Learn more

Coco Evaluation Guide

Evaluation Guide is here to support you throughout the process of an evaluation, from downloading the tool to the point of installing and starting the use.

Learn more

Blog

Is 70%, 80%, 90%, or 100% Code Coverage Good Enough?

Numbers like 70%, 80%, or even 100% do not tell the whole story, and sometimes they can create a false sense of security. In our deep dive, “Is 70%, 80%, 90%, or 100% Code Coverage Good Enough?”, we break down what those metrics really say about your tests, why 100% statement coverage can still leave dangerous gaps.

Read more

Tutorial

Using AI Code Assistants to Generate Unit Tests and Maximize Coverage

See how you can use GitHub Copilot + Coco Code Coverage to raise test coverage from 65% to 78%, and how this approach can be adapted for other frameworks and industries, including safety-critical domains.

Read more

The complete guide to quality assurance in software development

Read the guide

Frequently Asked Questions

How do I measure code coverage for embedded C/C++ systems?
Measuring code coverage for embedded C/C++ systems requires a tool that can instrument code for cross-compiled targets and collect execution data from real hardware. Coco uses compiler-level instrumentation — it wraps the compiler (GCC, Clang, IAR, ARM/Keil, Green Hills, and others) and inserts measurement points during the build process. Coverage data is collected during test execution on the actual embedded target — including RTOS-based systems running QNX, VxWorks, and FreeRTOS, as well as bare-metal microcontrollers — and then analysed in CoverageBrowser. Results from multiple targets and configurations can be merged into a single coverage report.

What is the difference between MC/DC and branch coverage?
Branch coverage (also called decision coverage) verifies that every decision, such as an if statement, has evaluated to both true and false. Modified Condition/Decision Coverage (MC/DC) goes further: it requires that every individual condition within a decision independently affects the decision outcome, with each condition shown to be independently capable of changing the result. MC/DC requires more test cases than branch coverage but provides significantly stronger assurance, which is why it is expected at ASIL D under ISO 26262 and required at DAL A under DO-178C.

What is a good code coverage tool for C++ and embedded systems?
Coco is a code coverage analysis tool specifically designed for C and C++ development across desktop and embedded systems. It supports compiler-level instrumentation for GCC, Clang, IAR, ARM/Keil, and Green Hills compilers, and works on embedded targets including QNX, VxWorks, FreeRTOS, and bare-metal microcontrollers. For teams working under safety standards such as ISO 26262, DO-178C, or IEC 62304, Coco is independently certified by SGS TÜV Saar to ASIL D and provides per-standard Qualification Kits.

Can code coverage be collected without source code access?
Yes. Coco supports black-box testing through a facility that separates instrumentation from source code access. A developer with source code creates a black-box instrumentation database — an instrumented binary that contains no source code. This binary is distributed to QA engineers or outsourced teams who run tests and generate execution reports (.csexe files). The execution reports are returned to the developer who merges them into the master coverage database without the QA team ever seeing source code. This is particularly useful for distributed teams, outsourced testing, and IP-sensitive projects.

How do I measure code coverage on embedded C and C++ targets?
Coco uses compiler-level instrumentation — it wraps your existing compiler and inserts measurement points during the build. Coverage data is collected during test execution on the actual embedded target, including RTOS-based systems running QNX, VxWorks, and FreeRTOS, and bare-metal microcontrollers. Results from multiple targets and configurations can be merged into a single coverage report in CoverageBrowser. No toolchain migration is required.

How does Coco integrate with CI/CD pipelines?
Coco integrates natively with Jenkins, GitHub Actions, and GitLab CI. Coverage data is collected automatically during pipeline execution and exported in CI-compatible formats including Cobertura XML, SonarQube XML, JUnit, and EMMA-XML. Coverage thresholds can be set as quality gates to block merges when coverage drops below defined levels. The cmreport command-line tool enables automated report generation in any build script without a GUI.

What is code coverage in software testing?
Code coverage analysis records which statements, branches, and conditions in source code are executed during a test run, expressed as a percentage of total executable code. It is distinct from test coverage (which measures requirement coverage) and test effectiveness (which measures whether tests catch real defects)

What code coverage is required for ISO 26262 ASIL D?
ISO 26262 Part 6, Table 14 classifies structural coverage requirements by ASIL level. At ASIL D, Modified Condition/Decision Coverage (MC/DC) is classified as highly recommended (++), meaning certification bodies expect it and will require justification for its absence. At ASIL C, MC/DC is recommended (+). Statement and branch coverage are expected at ASIL A and B. Note that 'highly recommended' in ISO 26262 language is not a hard mandate in the same way as some DO-178C requirements, but in practice auditors treat it as effectively required at ASIL D. Coco is certified by SGS TÜV Saar (Certificate No. FS/71/220/26/2113) for use in ISO 26262 projects up to ASIL D.

What code coverage does IEC 62304 Class C require?
IEC 62304 classifies medical device software by safety risk level. Class C software (where failure could cause death or serious injury) requires comprehensive software unit verification with coverage reports demonstrating that all code related to risk control measures has been tested. Regulatory submissions for Class C devices are expected to include structural coverage evidence. Coco generates audit-ready coverage reports aligned to IEC 62304 requirements and provides an IEC 62304 Qualification Kit.

Does code coverage need to be tool-qualified for safety-critical software?
Yes. Under ISO 26262, DO-178C, IEC 62304, IEC 61508, and EN 50128, every tool used in safety-critical software verification must be qualified for the integrity level being targeted. Without a pre-qualified tool, the qualification burden falls entirely on the development team — typically requiring months of effort to produce tool behaviour documentation, validation test suites, and qualification reports. Coco reduces this burden significantly. Coco Version 7.4.0 is independently certified by SGS TÜV Saar (Certificate No. FS/71/220/26/2113) under ISO 26262-8:2018, clause 11. Per-standard Qualification Kits for ISO 26262, DO-178C, IEC 62304, and EN 50128 deliver the remaining documentation, pre-built test cases, and safety manuals so tool qualification closes in days rather than months.

Is Coco certified for use in ISO 26262 safety-critical development?
Yes. Coco Version 7.4.0 has been independently assessed and certified by SGS TÜV Saar (Certificate No. FS/71/220/26/2113) against ISO 26262-8:2018, clause 11. It is confirmed suitable for verification of safety-related software up to ASIL D, the highest automotive safety integrity level. Per-standard Qualification Kits are available for ISO 26262, DO-178C, IEC 62304, and EN 50128.

What coverage levels does Coco support?
Coco supports function coverage, line coverage, statement block coverage, decision/branch coverage, condition coverage, Modified Condition/Decision Coverage (MC/DC), and Multiple Condition Coverage (MCC). MC/DC is the level required at ASIL C/D under ISO 26262 and DAL A/B under DO-178C. All levels are visualised in CoverageBrowser with colour-coded source code annotation.

Does Coco work with embedded systems and real hardware targets?
Yes. Coco supports coverage collection from actual embedded targets, not only emulators. It works with GCC, Clang, IAR, ARM/Keil, Green Hills, and other embedded compilers. Supported platforms include Embedded Linux, QNX, VxWorks, FreeRTOS, and bare-metal microcontrollers. Coverage data from real hardware execution is merged with results from other targets and analysed together in CoverageBrowser.

What is the CRAP metric in Coco?
CRAP stands for Change Risk Anti-Patterns. It combines cyclomatic complexity with coverage data to produce a risk score for every function. The higher the complexity and the lower the coverage, the higher the score. Functions scoring above 30 are flagged as high risk in CoverageBrowser. This allows QA teams to prioritise new test writing by objective risk rank rather than by instinct, and to export ranked results for sprint planning and management reporting.

How does Coco patch analysis work?
Patch analysis takes a diff file in unified format and maps it against existing coverage execution data (.csmes and .csexe files) from your test suite. It produces an annotated report showing which lines in the patch are covered by existing tests, which are not covered, and which tests executed the changed code paths without re-running the test suite against the patched version. Output is available as HTML or CSV for code reviews, release gates, and certification evidence.

Does code coverage tooling need to be qualified for safety-critical projects?
Yes. Under ISO 26262, DO-178C, IEC 62304, IEC 61508, and EN 50128, every tool used in safety-critical software verification must be qualified for the integrity level being targeted. Without a pre-qualified tool, the qualification burden falls entirely on the development team, typically requiring months of effort. Coco's TÜV Saar certification removes the initial qualification burden. Per-standard Qualification Kits for ISO 26262, DO-178C, IEC 62304, and EN 50128 close out the remainder in days rather than months.

Does Coco work with languages other than C and C++?
Yes. Coco supports C, C++, C#, QML, Tcl, and Python (via coverage.py integration for Python modules, with Coco handling instrumentation for native C/C++/C#/QML/Tcl layers). Coco is not a Qt-only tool, as it works with any codebase using these languages regardless of framework. Coverage results across all supported languages can be merged and analysed together in a single report.

Your First Real Coverage Report Is Only One Component Away

Coco's evaluation license lets you instrument components against your existing build system and test suite. Within the same day you have a real coverage report. It is not a demo, not sample data, but actual execution results from your own code showing exactly where your tests fall short.
Generate Report Talk to an Expert