I'm on the lookout for static analysis tooling to apply to our toolchain, preferably at code review time. I thought it a good idea to ask the community here. A hosted solution would suit us well, as we try to focus internal engineering and maintenance efforts on our core platform (Kubernetes) and our code.
We utilise GitHub for all of our repositories and have review policies implemented whereby at least 1 approval must be granted for a PR to be merged. I'd like to insert static analysis at this point so that vulnerabilities etc can be fixed before code is merged into the mainline.
To complete the picture, once code is merged, it is picked up by Bamboo, fresh distroless images are built and the code deployed throughout dev/stage/sandbox/production.
I look forward to your recommendations.
Thanks and regards!
To cover most uses, I'd suggest looking at SonarQube (most popular, not a fan), CodeClimate - metrics and quality and Codacy.
You don't have to use the parser libraries I provide. The important thing about a tool like that is the data structure is provides.
Here are some key benefits:
1. The output is table that can be used as a tree. Each parsed token knows what its parent is and where the containing parent ends which allows for walking the tree in an algorithmic fashion.
2. Since the output is a table of arrays it is the fastest non-bytecode parsing scheme to access.
3. The output structure is language agnostic, so provided a proper parser it can represent any language, any combination of languages, and any combination of languages in a nested fashion.
We've used all the tools at work and are running a pretty significant number of applications, in a fully ci / cd environment.
No tool is perfect, but make sure you have the right language support, versions, framework support, etc. Also, make sure you have someone qualified to do static analysis, because the tools all have false positives, as well as can miss things.
Happy to talk via email.