Why Static Code Analysis Should Also Be Used In Your Code Review Process



One of the most useful practices for minimizing bugs and vulnerabilities is to deploy static code analysis at every stage of your development process. We’ve seen great progress in these tools in recent years. Many of them offer excellent integrations with popular IDEs to be a seamless part of your workflow.

Doing static code analysis early helps to identify and solve potential problems before their cost snowballs.

However, for many organizations static code analysis is only done by individual developers or hidden away in build server logs. That brings some specific obstacles:

  • It is a challenge to enforce the use of these tools across teams because of the intricacies of tools, configurations, rule sets, and the like.

  • It is difficult to prioritize which issues to focus on because of the lack of collaboration tooling that enables team communication.

  • You also can’t track the results of your analyses over time – making it harder to keep improving an existing code base.

  • Lastly, you don’t have any gatekeepers in place, meaning that serious bugs can still squeeze through the cracks and make their way into production.

It’s for these reasons that static code analysis needs to be deployed continuously, and specifically during the code review process. When this is done effectively, there are a wide range of benefits that you can unlock:

  • The tools' usage is more easily enforced across your teams because they are integrated into the CI/CD pipeline.

  • Any issues that are discovered can be prioritized and discussed in pull requests during the code review process.

  • The results of your analyses are stored within the pull requests themselves, which allows you to go back at any time and follow how the issue developed.

  • Merge checks within the pull requests make it possible to put reasonable gatekeepers in place – helping to minimize the chances of bugs getting through.

Code Review Assistant helps to integrate the results of static code analyses and compilers into the code review process – allowing for much better usage of the code analysis results.

If you look at the example below, you’ll see some bugs detected by PMD as well as some Java compiler warnings. Once these have been identified, they can be discussed and prioritized within the pull request. Using Bitbucket Code Insights to annotate the pull request, you can then enforce merge checks like limiting the number of serious bugs to 0 before the pull request can be merged.

[Screenshot: Static Code 1] [Screenshot: Static Code 2]

The issues will only be shown on the changed and new lines of the corresponding pull request, meaning that engineers can focus their attention on the changes – rather than having to sift through other issues that aren’t relevant at that moment.
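As an added illustration (not code from Code Review Assistant or from this post), the Python script below does what that paragraph describes: it reads a pull request's unified diff, keeps only the analyzer findings that land on added or modified lines, and applies a merge check that allows zero HIGH-severity findings. The diff, the findings, the severity labels and the rule names are constructed samples, not PMD's actual output format.

```python
import re
from collections import defaultdict

# Constructed sample: the unified diff of a pull request touching one Java file.
SAMPLE_DIFF = """\
--- a/src/Foo.java
+++ b/src/Foo.java
@@ -10,3 +10,5 @@
 String name = request.get("name");
+String s = null;
+s.length();
 return name;
+int unused = 0;
"""

# Constructed sample findings (file, line, severity, rule); the severity
# labels and rule names are assumptions, not PMD's own output format.
SAMPLE_FINDINGS = [
    {"file": "src/Foo.java", "line": 12, "severity": "HIGH", "rule": "NullDereference"},
    {"file": "src/Foo.java", "line": 14, "severity": "LOW", "rule": "UnusedLocalVariable"},
    {"file": "src/Foo.java", "line": 3, "severity": "HIGH", "rule": "NullDereference"},
    {"file": "src/Bar.java", "line": 7, "severity": "HIGH", "rule": "ResourceLeak"},
]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def changed_lines(diff_text):
    """Map each file to the new-side line numbers the diff adds or modifies."""
    changed, current_file, new_line = defaultdict(set), None, None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                  # new-side file header
            current_file = raw[4:].strip().removeprefix("b/")
        elif m := HUNK_RE.match(raw):               # hunk header: reset counter
            new_line = int(m.group(1))
        elif new_line is None or raw.startswith("\\"):
            continue                                # outside a hunk / "\ No newline"
        elif raw.startswith("+"):                   # added line: record and advance
            changed[current_file].add(new_line)
            new_line += 1
        elif not raw.startswith("-"):               # context line: advance only
            new_line += 1
    return dict(changed)

def findings_on_changed_lines(findings, changed):
    # Keep only findings that land on lines this pull request touched.
    return [f for f in findings if f["line"] in changed.get(f["file"], ())]

def merge_check(findings, changed, max_high=0):
    """Gate: pass only if at most max_high HIGH findings sit on changed lines."""
    relevant = findings_on_changed_lines(findings, changed)
    high = sum(1 for f in relevant if f["severity"] == "HIGH")
    return high <= max_high, relevant
```

With the sample data the pre-existing finding on line 3 and the one in the untouched Bar.java are dropped, and the gate fails because one HIGH finding sits on a line the pull request introduced.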

Lastly, it is worth mentioning that Code Review Assistant also supports showing vulnerable dependencies found during builds in pull requests, which makes it a comprehensive and fully featured tool for improving the quality of your development process.

Get it working in your code review process and you'll see just how powerful it can be.

Give it a try and let us know what you think.