Code Analysis
Code Analysis is the process of debugging and catching errors by examining the source code of an application. Aside from tests and code reviews, it is one of the most useful tools for catching errors before/as you deploy.
The Core Infrastructure Initiative Criteria require that you implement at least Static Code Analysis tools and recommend Dynamic Code Analysis as well.
Static code analysis examines the source code before the application is run. It checks whether the code passes defined rules and flags commonly recognized patterns that typically lead to errors. Many of these tools also produce "coverage reports", which can be used to measure the effect of a given set of changes.
List of Static Code Analysis Tools:
- https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
- https://github.com/analysis-tools-dev/static-analysis
- GitHub Dependabot
- GitHub CodeQL
Dynamic code analysis examines the application while it runs, or afterwards from data recorded during a run. These tools need to be implemented in or around your application to catch, log, and analyze errors. They can be very useful in production applications for debugging user-facing errors, as they typically attempt to answer what happened, when, and why.
Enabling code analysis usually requires configuring the processes you want to use for analysis and the files you want them to cover. Each process will probably need its own bespoke setup, so this can be anywhere from simple to complicated.
- ESLint/PrettierJS
- FlowJS/TypeScript
- Copy Paste Detectors (CPD)
- SonarCloud
- LGTM (Looks Good To Me)
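As an added example (not part of the original page or any project's own configuration), the following GitHub Actions workflow wires up two of the static tools listed above, ESLint and GitHub CodeQL, and restricts both to the application source so that build output and tests are not reported on. The workflow file name, the `src/` layout, and the `dist` directory are assumptions.

```yaml
# .github/workflows/code-analysis.yml (assumed file name)
name: Code analysis
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required for CodeQL to upload findings to the Security tab

jobs:
  eslint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Only the application source (assumed to live in src/) is linted.
      # --max-warnings 0 makes warnings fail the job, so nothing slips through unnoticed.
      - run: npx eslint "src/**/*.js" --max-warnings 0

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          # The security-extended suite adds lower-precision security queries
          # on top of the default set.
          queries: security-extended
          # Inline configuration limiting which files CodeQL covers.
          config: |
            paths:
              - src
            paths-ignore:
              - "**/*.test.js"
              - dist
      - uses: github/codeql-action/analyze@v3
```

Findings from CodeQL appear under the repository's Security tab, while ESLint failures surface directly on the pull request check.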