← All posts
Ivan Homola Wednesday, November 30, 2022

Ultimate Guide To Automated Code Analysis

Share

AUTHOR

Ivan Homola, Author

Indie maker with a passion for SEO working on web projects. Ex-mobile dev-agency owner. Now, helping early stage founders turn their side projects into businesses.

See all articles

Do you want to avoid big code quality problems, dangerous bugs, bad coding practices, and vulnerabilities in your code? Then, you need a tool to help you automate this process.

Automated code analysis is an essential part of modern software development. It will save you time and keep your code clean according to standards.

In this guide, you will learn about code analysis techniques and a tool that can help you to perform such automation with a few easy steps.

What is code analysis?

Code analysis examines source code to determine how it works, evaluate its structure, detect errors, and identify security vulnerabilities and other potential problems that could lead to system crashes or data loss.

It is a critical part of software development and helps ensure software quality and integrity.

A programmer or reviewer can perform it manually or by using automated tools. Mostly tools help create a high-level overview of code metrics.

The metrics are on some attributes, such as code size, the number of lines of code, security issues, dependencies deprecation, or the number of unique and duplicate functions.

The 5 most common code analysis techniques

You can use several code analysis techniques to do manual or automated code quality checks and identify potential issues.

The most common techniques include static and dynamic analysis, automated and manual review, and security analysis.

Static code analysis

A powerful debugging method identifies potential source code issues without running the program.

Dynamic analysis

It is the process of analyzing code while it is running.

It involves monitoring the execution of the code and looking for patterns that indicate potential problems, instrumenting the code to add logging or other features that make it easier to understand what is happening.

Manual review

Manual code review is the process of manually inspecting source code.

A team of developers or code reviewers typically does it. It can be time-consuming and error-prone, but it is still an important part of software development.

Automated review

These operations use automated source code analysis tools to check code for bugs, security vulnerabilities, and other quality issues. It supplements or replaces manual code review.

Security analysis

It is the task of auditing source code to find security vulnerabilities. You can do it manually or using automated tools. It helps to prevent attacks and improve application security.

Core benefits of Automated Code Analysis

Automated code analysis reduces human error by automating the process of checking source code for defects and vulnerabilities.

Thanks to tools, the errors a human reviewer would have caught have now been automatically corrected.

Below are some of the core benefits:

Scan codebase quickly

You can analyze thousands of lines of code in minutes and get instant feedback on code quality and best practices, saving you plenty of time.

Early detection of Bugs & Security risks

It can help you identify potential vulnerabilities and bugs early in the software development process. So you can fix them before they become a real security threat.

Improve code quality

Code analysis tools provide feedback on coding style and best standards. It helps to ensure that code is readable, maintainable, and error-free.

Also, it allows the team members to improve the code quality over time.

Difference between code review and code analysis

In the code review process, normally, a developer goes through the code line-by-line, reviewing each line of code for potential issues.

Whereas code analysis uses pre-written checks to determine potential problems with your code, saving you time while ensuring accuracy. The process typically involves automated code analysis tools that search for coding problems and other issues.

Perform automated code analysis with Codiga

Many code analyzers support the features of automating this coding process, like Lint, PMD, FindBugs, CheckStylem, and much more.

But Codiga shines more as a static analysis tool because of its flexibility, feature-richness, and all-in-one solution.

It includes:

  • Get an Instant feedback report inside your IDE.
  • CI/CD pipeline.
  • Supports VS Code, JetBrains, GitHub, GitLab and Bitbucket.
  • You can create your own custom code analysis rules.
  • Quick feedback on each code review about bugs, maintainability, and security.
  • Auto-check according to best security standards like OWASP, CWE, and Mitre.

Let's take a look at some practical examples.

Example:

I've just created a new script and pushed it to the GitHub repository.

The goal of this script is to run the node server and allow a user to access the website's home page.

Custom Codiga rules preview

To connect the Codiga code analysis tool with your repo, you will need to follow below steps:

Note: If you don't have an account, create one for free here.

Codiga's Code Analysis Dashboard

Step 1:

First, go to the code analysis tab.

Here, you will see the list of projects you've created previously.

Otherwise, create a new project.

Codiga code analysis tool - step 1 1

Note: To create a project, you must create a group and link your repository account.

Codiga code analysis tool - step 1 2

You can use GitHub, GitLab or BitBucket. Just select one and move forward.

Codiga code analysis tool - step 1 3

After that, you need to link your account and install the Codiga app.

Codiga code analysis tool - step 1 4

Codiga code analysis tool - step 1 5

After successfully creating the group, you will see an option to join that group.

Codiga code analysis tool - step 1 6

Step 2:

Now come back and create a new project.

Select your repository and create a project.

Codiga code analysis tool - step 2 1

Step 3:

Here you will need to configure your project. Just click Start Wizard.

Codiga code analysis tool - step 3 1

A project wizard appears from where you will have options like:

Open source rules:

You can select your preferred programming language. In my case, it's purely JavaScript.

Codiga code analysis tool - step 3 2

Codiga rules from the community:

These rules are from the Codiga community, and you can use them inside your IDE and CI/CD pipeline.

Codiga code analysis tool - step 3 3

Configure Preference:

You can select:

  • Secret Detection: Scan repository leaked secrets (e.g., Password, API keys, etc.)
  • Dependency Analysis: (Detects any outdated dependencies)
  • Analysis Notification: (Send notifications to email when the project completes or if there are any issues)

Codiga code analysis tool - step 3 4

Branches Configurations:

Here, you can choose which branches should be analyzed.

Codiga code analysis tool - step 3 5

Pull Request:

You can detect the pull and merge requests.

Codiga code analysis tool - step 3 6

Integrations:

Select your desired CI/CD integrations pipeline. For example, if you're planning to use any like GitHub actions, AWS build Circle CI or Custom CI/CD.

Codiga code analysis tool - step 3 7

Invite Collaborators:

You can add any team member to the group and the project.

Codiga code analysis tool - step 3 8

Hurrah! Successfully configured the project.

Codiga code analysis tool - step 3 9

Step 4:

From the code analysis dashboard, you can view and improve the following:

  • Quality Score
  • Total Lines of Code
  • Programming languages of the code base.
  • Functions that are more than 40 lines of code.
  • Distribution Violations
  • Functions that are high complexity with high chances of bugs.
  • Identical pieces of code.
  • Dependency management.

Codiga code analysis tool - step 4 1

From dependencies, you can check the recommendations if you need to upgrade the package, which version you are using, and which version is the latest.

Codiga code analysis tool - step 4 2

Step 5:

You can also check the source tree (files and source code).

Codiga code analysis tool - step 5 1

Create a custom rule

A rule for patterns allows you to detect and emit violations or errors.

Some pre-defined python rules are already available on the Codiga Hub, like python-security, python-best-practices, etc.

Note: Right now, there is only support for python rulesets which you can create in JavaScript.

Here, I will show you how to create custom rules from scratch.

Example:

I will write a rule to detect the presence of assert foo and replace it with an assert bar.

Step 1:

In this step, you will create a ruleset.

A ruleset is a collection of different rules, so any rule inside it will adopt its settings.

Note: If you are setting the ruleset's privacy to private. Then, you need to put the Codiga's access token inside your IDE.

Codiga custom rules for code analysis - step 1 1

Step 2:

After creating a ruleset, we will create a rule.

There are two types of rules inside Codiga AST and Pattern. Today we will look into pattern mode.

Codiga custom rules for code analysis - step 2 1

In the input box, define the pattern like assert ${something}, where something represents the typed value.

Below, you can see a piece of code where:

  • nodeOrPattern represents the pattern that matches.
  • filename is the name of the file that will be analyzed.
  • code is the format of code in text form.

Codiga custom rules for code analysis - step 2 2

Now, let's start writing a rule code.

First, we need to get the value of something variable by using the following:

const exceptionName = nodeOrPattern.variables.get("something");

You can also see the object that returns with this code.

Codiga custom rule example code

Next, we check if the pattern exists along with the value.

Inside that, we create the buildError as well as the edit.

These two will show when we type something inside our IDE. It's like feedback and the fix.

So, the final code will look like this:

Codiga custom rule example code 2

Step 3:

You can test the script from the right panel by passing the file name and the code.

Codiga custom rules for code analysis - step 3

Step 4:

Just go to your VS Code IDE where Codiga's extension is installed, and inside your project's root, create a codiga.yml file:

We created the foo-to-bar ruleset. Our yml file will look like this:

Codiga custom rules for code analysis - step 4

Step 5:

Finally, to see if our custom rule is working or not. Create any python file and type assert foo.

You will see something like this:

Codiga custom rules for code analysis - step 5

Conclusion

So, you learned that automated code analysis is becoming a standard development process.

It helps developers spot errors quickly, improve processes, and reduce the time required to release new versions of software products.

If you want to learn more about creating custom rules inside Codiga, follow the analysis rule tutorial.

Schedule a demo

Code analyzed in seconds with Codiga Automated Code Reviews.

Write code faster with the Codiga Coding Assistant.

Let's talk!