Static code analysis consists of a series of automated checks performed on source code. A static analysis tool scans code for common known errors and vulnerabilities, such as memory leaks or buffer overflows. The analysis can also enforce coding standards.
Where security is a priority, specialist Static Application Security Testing (SAST) tools can check for known security flaws. Because static analysis is performed on the source code, without executing the program, it can either be run at the very start of the CI/CD pipeline or directly from your IDE before you commit your changes.
Like all forms of automated testing, static code analysis ensures that checks are performed consistently and provides rapid feedback on your latest changes. Static analysis tools integrated into your IDE offer immediate and targeted feedback so that you can address issues as you go.
However, static analysis can only identify instances where programmed rules are broken – it cannot find every flaw solely from reading the source. There is also a risk of false-positives, so the results need to be interpreted.
In that sense, static code analysis is a valuable complement to code reviews, as it highlights known issues and frees up time for more interesting tasks, such as reviewing the overall design and approach.
Static code analysis forms part of the arsenal of automated checks that you can use to maintain code quality and should be used in combination with other forms of dynamic analysis (which executes your code to check for known issues) and automated testing.