Static Code Analysis Tools

Question

Good day HNI'm on the lookout for static analysis tooling to apply to our toolchain, preferably at code review time. I thought it a good idea to ask the community here. A hosted solution would suit us well, as we try to focus internal engineering and maintenance efforts on our core platform (Kubernetes) and our code.We utilise GitHub for all of our repositories and have review policies implemented whereby at least 1 approval must be granted for a PR to be merged. I'd like to insert static analysis at this point so that vulnerabilities etc can be fixed before code is merged into the mainline.To complete the picture, once code is merged, it is picked up by Bamboo, fresh distroless images are built and the code deployed throughout dev/stage/sandbox/production.I look forward to your recommendations.Thanks and regards!

humaid · Accepted Answer

You might want to check this out: https://github.com/mre/awesome-static-analysis

thecupisblue · Answer

Well, what kind of stack are you using?To cover most uses, I'd suggest looking at SonarQube (most popular, not a fan), CodeClimate - metrics and quality and Codacy.

psnosignaluk · Answer

Commenting to add languages: Java, Go, JavaScript, PHP and C# primarily. gRPC in Java services, tooling in Go and SDK's in all languages. Not much in the way of typical frameworks.

relaunched · Answer

Based on the programming languages, and the lack of a stated preference for open source / free vs. proprietary, I'd strongly consider checkmarx or veracode for a corporate environment.
We've used all the tools at work and are running a pretty significant number of applications, in a fully ci / cd environment.
No tool is perfect, but make sure you have the right language support, versions, framework support, etc. Also, make sure you have someone qualified to do static analysis, because the tools all have false positives, as well as can miss things.
Happy to talk via email.

jerome-jh · Answer

For which programming language???