Improve code quality and security with static Code Analysis

Using Static Code Analysis tools can help improve code quality and security drastically. Let's learn how as a developer or engineering lead you can ensure clean and secure code during development.

Every developer strives to write the best code possible. It ensures that code is readable, maintainable, scalable, and consistent. Usually, developers follow best practices, industry standards, unit testing, manual PR reviews, etc.

However, code quality and security can drastically improve by incorporating static code analysis into your projects and a code base that performs code quality checks automatically.

What is static code analysis?

In plain English, static code analysis refers to analyzing the code before it’s running to see if it meets certain standards and rules defined.

How does static code analysis help improve code quality?

1. Making code less complex: A case of cognitive complexity

   Who likes code that takes hours to understand because it comprises hundreds of lines and all business logic is put inside a single function? More complex code might make it more prone to bugs and less scalable

   .

   The complexity of software is measured by the most popular method, cyclomatic complexity. It counts the number of distinct routes that can be taken through a piece of code, assisting programmers in determining how intricate and potentially error-prone their software might be. A more complex and difficult-to-maintain codebase is often indicated by a higher cyclomatic complexity.

   

   A static analysis tool such as SonarLint or ESLint will provide cognitive complexity to code to ensure it is readable and divided into smaller chunks.

2. Formatting and Styling Code

   Every software developer has a personal preference for formatting and styling conventions. Some like single quotes, others double, etc. Apply this to a project with tens of developers, and this will create a complete mess.

   Even if developers are asked to apply the conventions, they can’t be expected to remember all the rules. All programming languages provide linting tools to adhere to conventions.

3. Type Checking

   Let’s assume a use case where a function expected a boolean, but that boolean was passed wrapped in a string. We know the app will break for sure.

   The type checking rescues here. In the case of JavaScript, Flow, and TypeScript can ensure that the written code is actually predictable.

   It ensures that all the parameters passed and their children, if any, are all defined at the level of the actual values as well.

4. Detecting Bugs and Errors

   Let’s say you add a duplicate variable to the code, and the code is shipped to production. Though the issue can be found in the unit tests, it can be caught earlier by using static analysis tools. Similarly, redundant and unused code can be timely identified by analyzing the code.

5. Security issues

   Often, bad coding practices introduce vulnerabilities into the codebase and the application, which can be exploited later via XSS, privilege escalation, etc.

How do you implement static code analysis in your project?

1. IDE: First line of defense

   Almost all linting tools can be installed in the IDE, ensuring that all standards are followed while you code.

2. Git Pre-hooks

   Run all lint tools before pushing the code to the remote repo by integrating with pre-hooks tools such as Husky to ensure that all standards are being followed.

   Tools such as ESLint also provide methods such as —fix to fix most of the issues found by ESLint.

3. CI Pipelines

   The static analysis tools can be run just after a PR is raised or before pushing the code to production. It should fail the pipeline, PR, and push to the production environment if it fails.

Tools for static code analysis

1. ESLint

   The most widely used lint tool for JavaScript maintains conventions across the codebase and captures inconsistent formatting and styling. It comes with predefined rules, which can be modified.

   Pylint

2. Prettier

   Prettier is the most popular formatting and styling tool to ensure consistency and uniformity across the codebase.

   

3. SonarLint, SonarCloud and SonarQube

   SonarCloud is a popular cloud-based code analysis tool that can be integrated with the GitHub repo. SonarQube, a self-hosted tool, can be added to your pipelines.

   Similarly, SonarLint can be added to the IDE and provide the same configuration and enforce rules directly in your IDE.

4. LGTM

   GitHub provides a tool called LGTM to directly inspect the codebase via GitHub Actions. Further details can be found on the Github LGTM

   Some other best and most popular tools are:

5. DeepSource

6. DeepScan

7. Codacy

8. JSHint

9. JSLint

10. Dependabot

11. npm-audit

12. pytype

13. pylint

Thanks for reading.