diff --git a/.github/filter_sarif.py b/.github/filter_sarif.py
new file mode 100644
index 0000000..45a4073
--- /dev/null
+++ b/.github/filter_sarif.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+
+import argparse
+import copy
+import json
+import typing
+
+
+def process(in_file: typing.TextIO, out_file: typing.TextIO, include_prefix_list: typing.List[str]) -> None:
+    in_json = json.load(in_file)
+    if len(in_json['runs']) != 1:
+        raise NotImplementedError('Only 1 run is supported')
+    in_results = in_json['runs'][0]['results']
+    out_results = []
+    for result in in_results:
+        locations = result['locations']
+        if len(locations) != 1:
+            raise NotImplementedError('Only 1 location is supported')
+        artifact_location = locations[0]['physicalLocation']['artifactLocation']
+        uri = artifact_location['uri']
+        new_uri = None
+        for include_prefix in include_prefix_list:
+            if uri.startswith(include_prefix):
+                new_uri = uri.replace(include_prefix, '')
+                break
+        if not new_uri:
+            continue
+        new_result = copy.deepcopy(result)
+        new_result['locations'][0]['physicalLocation']['artifactLocation']['uri'] = new_uri
+        out_results.append(new_result)
+
+    out_json = copy.deepcopy(in_json)
+    out_json['runs'][0]['results'] = out_results
+    json.dump(out_json, out_file, indent=True)
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-o', '--output', type=argparse.FileType('w'), help='Output filtered SARIF file')
+    parser.add_argument('--include-prefix', required=True, action='append',
+                        help='File prefix for source code to include in analysis')
+    parser.add_argument('input_file', type=argparse.FileType('r'), help='Input SARIF file')
+    args = parser.parse_args()
+    process(args.input_file, args.output, args.include_prefix)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
new file mode 100644
index 0000000..16de4b9
--- /dev/null
+++ b/.github/workflows/clang-tidy.yml
@@ -0,0 +1,51 @@
+name: Run clang-tidy
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: Run clang-tidy
+    runs-on: ubuntu-20.04
+    container: espressif/idf:latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: 'true'
+      - name: Run code analysis
+        shell: bash
+        env:
+          IDF_TOOLCHAIN: clang
+          IDF_TARGET: esp32
+        working-directory: test_app
+        run: |
+          ${IDF_PATH}/tools/idf_tools.py --non-interactive install xtensa-clang
+          . ${IDF_PATH}/export.sh
+          which -a clang-tidy || true
+          pip install pyclang codereport
+          curl -sSL https://raw.githubusercontent.com/espressif/llvm-project/xtensa_release_12.0.1/clang-tools-extra/clang-tidy/tool/run-clang-tidy.py -o run-clang-tidy.py
+          chmod +x run-clang-tidy.py
+          curl -sSL https://github.com/psastras/sarif-rs/releases/download/clang-tidy-sarif-latest/clang-tidy-sarif-x86_64-unknown-linux-gnu -o clang-tidy-sarif
+          chmod +x clang-tidy-sarif
+          export PATH=$PWD:$PATH
+          idf.py clang-check
+          idf.py clang-html-report
+          ./clang-tidy-sarif -o results.sarif.raw warnings.txt
+          python3 $GITHUB_WORKSPACE/.github/filter_sarif.py -o results.sarif --include-prefix ${GITHUB_WORKSPACE}/test_app/managed_components/espressif__  --include-prefix ${GITHUB_WORKSPACE}/ results.sarif.raw
+          cp results.sarif ../
+          cp results.sarif.raw ../
+          cp warnings.txt ../
+      - uses: actions/upload-artifact@v2
+        with:
+          path: |
+            warnings.txt
+            results.sarif
+            results.sarif.raw
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: results.sarif
+          category: clang-tidy
diff --git a/README.md b/README.md
index 26dd725..9301302 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
-[![Build and Run Test Application](https://github.com/espressif/idf-extra-components/actions/workflows/build_and_run_test_app.yml/badge.svg)](https://github.com/espressif/idf-extra-components/actions/workflows/build_and_run_test_app.yml)
+[![Build and Run Test Application](https://github.com/espressif/idf-extra-components/actions/workflows/build_and_run_test_app.yml/badge.svg?branch=master)](https://github.com/espressif/idf-extra-components/actions/workflows/build_and_run_test_app.yml)
+[![Clang-Tidy](https://github.com/espressif/idf-extra-components/actions/workflows/clang-tidy.yml/badge.svg?branch=master)](https://github.com/espressif/idf-extra-components/security/code-scanning?query=is%3Aopen+branch%3Amaster)
 
 # Espressif IDF Extra Components