In Debian, compiler flags are implemented to protect their archive though dpkg. They expressly avoid changing gcc defaults. References in this repo point to Debian's gcc configs, I'd check dpkg-buildflags.

Ubuntu inherits these dpkg flags. Flags from gcc and dpkg and are used to build the Ubuntu Archive.

GCC flags are required to build artifacts, like software users compile or snaps, or anything not the Ubuntu Archive. What is listed on https://wiki.ubuntu.com/ToolChain/CompilerFlags applies to GCC.

So, in a way, all dpkg compiler flags in Debian apply to Ubuntu and Ubuntu is additionally setting GCC hardening flags* (there are probably exceptions to this). I'm not sure how you want to track this, but I wanted to let you know.

Also, the Debian and Ubuntu archive recently received -mbranch-protection https://bugs.launchpad.net/ubuntu/+source/gcc-13/+bug/2040321 through dpkg. And Debian recently received -fcf-protection (which Ubuntu GCC acquired in 19.10) https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663

1. Explain what c/c++ compilers the flags are compatible with (clang and gcc most likely). The title reads like the flags are general, whereas in C/C++ land there is no such thing for compiler flags.
2. -fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error creates better code due to using the compiler_rt builtins xor cpu intrinsics, see https://gist.github.com/jrelo/f5c976fdc602688a0fd40288fde6d886
3. Please link best practice checks for known CVEs (ie clang-tidy) and/or other tools without noise or configuration effort.

Personal opinion:

• -Wstring-conversion could be added, because implicit std::sting -> bool & conversions, especially during function calls, are outright evil and not covered by -Wall, -Werror, -Wpedantic etc

Nice link also covering msvc: https://airbus-seclab.github.io/c-compiler-security/