Yeah, its frightingly common CI not doing static analysis checks on C/C++ code. The compiler defaults being really bad doesn't help either. The nice thing about zig is that it defaults to "safe" behaviour, and even if you use it as C/C++ compiler it has saner defaults and compiles with ubsan.
You can guide compiler to check printf style format strings using __attribute__((format)) btw, also checks you are not using a variable as a format string
You can guide compiler to check printf style format strings using __attribute__((format)) btw, also checks you are not using a variable as a format string