All modern software development teams are using static analysis tools such as SonarQube and incorporating them into continuous integration, continuous deployment (CI/CD) pipelines. These tools provide the benefit of automated code review to detect potential issues with code quality, security, and maintainability. More specifically, static analysis tools scan for common issues and provide measurements for:
Security Vulnerabilities and Hot Spots
With multiple developers adding hundreds of lines of code daily, the results of these scans are often ignored, causing issues to pile up quickly. There are a couple of ways to effectively utilize static analysis tools to increase the overall quality of your code base.
1. Set Thresholds for Warnings or Build Breaking
Many development shops fail to add preventative measures in the CI/CD pipelines as they are hesitant to slow down the pace of development. This results in rigid, highly vulnerable spaghetti code. Adding warnings or causing the build to break if quality measures are not met will ensure the long‐term quality, maintainability, and security of your code base. I recommend setting the code coverage threshold at 85% and measures for security and maintainability as close to zero as possible.
2. Automate the Delivery of Data and Dashboards
I wrote a script that scans the SonarQube report every morning. Whenever there is a new finding, a Microsoft Teams webhook posts a notification in our development channel. The automated message contains a link to the SonarQube dashboard so any developer can investigate the issue independently or effectively collaborate on the solution with someone who is more familiar with that part of the code base. This has resulted in higher visibility of issues, increased collaboration on a resolution, and reduced duration and quantity of issues in our code base.