Add sanitizer support via score_cpp_policies

.bazelrc

@@ -93,3 +93,41 @@ build:build_qnx8 --config=arm64-qnx
 ## default is a stdout logger which looks like dlt logs
 ## uncomment below to use score::mw::log instead of the stdout logger
 # build --cxxopt=-DLC_LOG_SCORE_MW_LOG
+
+# ==============================================================================
+# Sanitizer configurations — powered by score_cpp_policies runtime infrastructure
+# (wrapper, suppression files, env templates)
+# ==============================================================================
+
+# Minimal debug info (-g1) for sanitizer stack traces; stripping disabled
+build:with_debug_symbols --copt=-g1
+build:with_debug_symbols --strip=never
+
+# AddressSanitizer + UndefinedBehaviorSanitizer + LeakSanitizer (recommended)
+build:asan_ubsan_lsan --config=with_debug_symbols
+build:asan_ubsan_lsan --copt=-fsanitize=undefined,address,leak
+build:asan_ubsan_lsan --linkopt=-fsanitize=undefined,address,leak
+build:asan_ubsan_lsan --platform_suffix=asan_ubsan_lsan
+build:asan_ubsan_lsan --@score_cpp_policies//sanitizers/flags:sanitizer=asan_ubsan_lsan
+test:asan_ubsan_lsan --run_under=@score_cpp_policies//sanitizers:wrapper
+test:asan_ubsan_lsan --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
+test:asan_ubsan_lsan --build_tests_only
+
+# Convenience aliases (all resolve to asan_ubsan_lsan)
+build:asan  --config=asan_ubsan_lsan
+build:ubsan --config=asan_ubsan_lsan
+build:lsan  --config=asan_ubsan_lsan
+
+# ThreadSanitizer (cannot be combined with ASan/LSan)
+build:tsan --config=with_debug_symbols
+build:tsan --copt=-fsanitize=thread
+build:tsan --copt=-O1
+build:tsan --linkopt=-fsanitize=thread
+# GCC TSan doesn't instrument atomic_thread_fence; suppress the resulting -Wtsan
+# warning so it doesn't become a build error in external deps that use -Werror.
+build:tsan --cxxopt=-Wno-tsan
+build:tsan --platform_suffix=tsan
+build:tsan --@score_cpp_policies//sanitizers/flags:sanitizer=tsan
+test:tsan --run_under=@score_cpp_policies//sanitizers:wrapper
+test:tsan --test_tag_filters=-no-tsan
+test:tsan --build_tests_only

.github/workflows/sanitizers.yml

@@ -0,0 +1,60 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+name: Sanitizers
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  merge_group:
+    types: [checks_requested]
+  push:
+    branches:
+      - main
+
+jobs:
+  sanitizers:
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        config: [asan_ubsan_lsan, tsan]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4.2.2
+
+      - name: Setup Bazel
+        uses: bazel-contrib/setup-bazel@0.18.0
+        with:
+          bazelisk-cache: true
+          disk-cache: ${{ github.workflow }}-${{ matrix.config }}
+          repository-cache: true
+          cache-save: ${{ github.event_name == 'push' }}
+
+      - name: Configure kernel for TSan (ASLR breaks TSan shadow memory layout)
+        if: matrix.config == 'tsan'
+        run: sudo sysctl -w kernel.randomize_va_space=0
+
+      - name: Run tests with sanitizers
+        run: |
+          bazel test --lockfile_mode=error --config=${{ matrix.config }} --config=x86_64-linux //score/... //tests/... --verbose_failures
+
+      - name: Upload test logs on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: bazel-testlogs-${{ matrix.config }}-${{ github.run_id }}
+          path: bazel-testlogs/
+          retention-days: 7

MODULE.bazel

@@ -35,6 +35,7 @@ bazel_dep(name = "score_bazel_platforms", version = "0.1.2", dev_dependency = Tr
 bazel_dep(name = "score_docs_as_code", version = "4.0.3", dev_dependency = True)
 bazel_dep(name = "score_tooling", version = "1.2.0", dev_dependency = True)
 bazel_dep(name = "score_rust_policies", version = "0.0.5", dev_dependency = True)
+bazel_dep(name = "score_cpp_policies", version = "0.0.1", dev_dependency = True)
 bazel_dep(name = "score_process", version = "1.5.4", dev_dependency = True)
 bazel_dep(name = "score_platform", version = "0.5.5", dev_dependency = True)
 

README.md

@@ -44,12 +44,17 @@ bazel build --config=x86_64-linux //...
 
 To test launch_manager and health_monitor with the sanitizers enabled use one of the following
 
+ASan + UBSan + LSan (recommended):
+
+```sh
+bazel test --config=asan_ubsan_lsan --config=x86_64-linux //score/... //tests/...
 ```
-bazel test --config=x86_64-linux --define sanitize=thread //...
 
-bazel test --config=x86_64-linux --define sanitize=address //...
+TSan (requires ASLR to be in conservative mode):
 
-bazel test --config=x86_64-linux --define sanitize=undefined //...
+```sh
+sudo sysctl -w kernel.randomize_va_space=0
+bazel test --config=tsan --config=x86_64-linux //score/... //tests/...
 ```
 
 To build all components with ``score::mw::log`` enabled, use this command:

score/health_monitor/src/cpp/BUILD

@@ -76,6 +76,10 @@ cc_gtest_unit_test(
         "@platforms//os:qnx": ["-lsocket"],
         "@platforms//os:linux": [],
     }),
+    tags = [
+        "no-asan",
+        "no-tsan",
+    ],
     deps = [
         "//score/health_monitor/src/cpp:health_monitoring_cc_stub_supervisor",
         "//score/health_monitor/src/cpp/details:log_init",

score/health_monitor/src/rust/BUILD

@@ -69,6 +69,10 @@ rust_test(
             "-Clink-arg=-lstdc++",
         ],
     }),
+    tags = [
+        "no-asan",
+        "no-tsan",
+    ],
     deps = ["@score_baselibs_rust//src/log/stdout_logger"],
 )
 
@@ -90,7 +94,11 @@ rust_test(
             "-Clink-arg=-lstdc++",
         ],
     }),
-    tags = ["loom"],
+    tags = [
+        "loom",
+        "no-asan",
+        "no-tsan",
+    ],
     target_compatible_with = ["@platforms//os:linux"],
     deps = [
         "@score_baselibs_rust//src/log/stdout_logger",

score/launch_manager/daemon/src/common/concurrency/BUILD

@@ -49,6 +49,8 @@ cc_library(
 cc_test(
     name = "mpmc_concurrent_queue_test",
     srcs = ["mpmc_concurrent_queue_test.cpp"],
+    tags = ["no-asan"],
+    visibility = ["//tests:__subpackages__"],
     deps = [
         ":mpmc_concurrent_queue",
         "@googletest//:gtest_main",
@@ -79,6 +81,7 @@ cc_test(
     ],
     linkopts = ["-fsanitize=thread"],
     tags = [
+        "no-asan",
         "no-coverage",
         "tsan",
     ],

score/launch_manager/daemon/src/process_state_client/BUILD

@@ -75,6 +75,7 @@ cc_library(
 cc_test(
     name = "process_state_client_ut",
     srcs = ["process_state_client_ut.cpp"],
+    tags = ["no-tsan"],
     deps = [
         ":process_state_client",
         "//score/launch_manager/daemon/src/process_state_client/details:process_state_receiver",

tests/utils/bazel/integration.bzl

@@ -27,9 +27,14 @@ def integration_test(name, srcs, test_binaries, args = [], deps = [], data = [],
         "//conditions:default": ["//tests/utils/environments:test_environment"],
     })
 
+    # The test container does not ship the sanitizer runtime; daemon fails to start.
+    sanitizer_tags = ["no-asan", "no-tsan"]
+    tags = kwargs.pop("tags", []) + sanitizer_tags
+
     py_itf_test(
         name = name,
         srcs = srcs,
+        tags = tags,
         deps = deps + all_requirements + ["@score_tooling//python_basics/score_pytest:attribute_plugin"],
         data = merged_data,
         args = args + [