Ask HN: Static Code Analysis Tools
Good day HN
I'm on the lookout for static analysis tooling to apply to our toolchain, preferably at code review time. I thought it a good idea to ask the community here. A hosted solution would suit us well, as we try to focus internal engineering and maintenance efforts on our core platform (Kubernetes) and our code.
We utilise GitHub for all of our repositories and have review policies implemented whereby at least 1 approval must be granted for a PR to be merged. I'd like to insert static analysis at this point so that vulnerabilities etc can be fixed before code is merged into the mainline.
To complete the picture, once code is merged, it is picked up by Bamboo, fresh distroless images are built and the code deployed throughout dev/stage/sandbox/production.
I look forward to your recommendations.
Thanks and regards! You might want to check this out: https://github.com/mre/awesome-static-analysis Well, what kind of stack are you using? To cover most uses, I'd suggest looking at SonarQube (most popular, not a fan), CodeClimate - metrics and quality and Codacy. Thanks. Having a look at Codacy. Commenting to add languages: Java, Go, JavaScript, PHP and C# primarily. gRPC in Java services, tooling in Go and SDK's in all languages. Not much in the way of typical frameworks. I created a parsing scheme to address a variety of static analysis concern. https://sparser.io/ You don't have to use the parser libraries I provide. The important thing about a tool like that is the data structure is provides. Here are some key benefits: 1. The output is table that can be used as a tree. Each parsed token knows what its parent is and where the containing parent ends which allows for walking the tree in an algorithmic fashion. 2. Since the output is a table of arrays it is the fastest non-bytecode parsing scheme to access. 3. The output structure is language agnostic, so provided a proper parser it can represent any language, any combination of languages, and any combination of languages in a nested fashion. Based on the programming languages, and the lack of a stated preference for open source / free vs. proprietary, I'd strongly consider checkmarx or veracode for a corporate environment. We've used all the tools at work and are running a pretty significant number of applications, in a fully ci / cd environment. No tool is perfect, but make sure you have the right language support, versions, framework support, etc. Also, make sure you have someone qualified to do static analysis, because the tools all have false positives, as well as can miss things. Happy to talk via email. For which programming language???