DEV Community

Cover image for Simple setup for Static Code Analysis
Yannick Rehberger
Yannick Rehberger

Posted on

Simple setup for Static Code Analysis

When I'm working on small to medium-sized private development projects it happens from time to time that I look at my code I have developed over weeks and months and ask myself - is that a good thing?

My impulsive answer is yes, because I put a lot of time and passion into this code. But sometimes I would like someone to confirm that or someone who gives me tips on what I can improve. You don't always have someone available to do a review.

I don't necessarily want to know whether the capabilities are good, real users can tell me that later, but at this point I want to know whether the code is technically clean.

One tool that has helped me with this problem is Static Code Analysis.

Static Code Analysis

Static program analysis is the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing.[1] In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.

The term is usually applied to the analysis performed by an automated tool, with human analysis being called program understanding, program comprehension, or code review. Software inspections and software walkthroughs are also used in the latter case.

Source: Wikipedia

So this static analysis of your code can't tell us how the runtime behaviour of our program exactly is, but it can tell us that we are using features in a way, that e.g. could degrade performance. It can't say something about the dynamic behaviour of the program in a specific environment, but it can say a lot about our static code. It's about the following:

  • Reliability - "You have some Bugs in your code."
  • Security - "There is a vulnerability that could be exploited."
  • Maintainability - "Please have a look at that code smells."
  • Coverage - "Write some more unit tests, your test coverage is too low."
  • Duplications - "Put that code duplication into a function."

You can also understand why an improvement is proposed and see some compliance and not compliant examples. If it's something you accept, you can configure the rules that are checked.

There are actually many implementations of Static Code Analysis, but I would like to take SonarQube as an example. Interest in it has grown steadily since 2013 and it supports many different languages.

SonarQube Stats
Source: Google Trends

Annotation: SonarQube is my example because it's well known in my perimeter, it's OpenSource and there is a Community Edition. I have made no comparisons between different tools. I would rather encourage you to present other implementations of Static Code Analysis as a comment here.

Setup SonarQube with Docker locally

Docker makes it easy to setup SonarQube locally and you can use an image from Docker Hub.

docker pull sonarqube
Enter fullscreen mode Exit fullscreen mode

Once you've pulled the image, you can run your SonarQube Container.

docker run -d --name sonarqube -p 9000:9000 sonarqube
Enter fullscreen mode Exit fullscreen mode

Now meet SonarQube at http://localhost:9000. You can login with admin as username and password.

Java - Example

You can analyse Java projects using Maven or Gradle. In my example I use Maven. So I create a project in SonarQube called java-sample and generate a key for it. To analyse my Java project I simply have to run the Maven sonar goal.

mvn sonar:sonar \
  -Dsonar.projectKey=java-sample \ \
Enter fullscreen mode Exit fullscreen mode

You can select the Bugs or the Code Smells to have a closer look to the affected lines of code. And if you want to understand why SonarQube gives you a hint for that specific case, you can click on See Rule and you get the more specific explanation.

Rule Sample

There is also a code example for noncompliant code and one for compliant code.

For most of the other languages you need sonar scanner. My example for this is a python project.


You can install sonar scanner on all operating systems. In my case it's MacOS.

brew install sonar-scanner
Enter fullscreen mode Exit fullscreen mode

I create a new project in SonarQube, call it python-sample and generate a new key for it. To analyse my Python project I simply have to run sonar scanner inside my python project root.

sonar-scanner \
  -Dsonar.projectKey=python-sample \
  -Dsonar.sources=. \ \
Enter fullscreen mode Exit fullscreen mode

As you can see here, sonar scanner does not simply analyse the Python code but every code that it can understand. In this project we have for example 19k lines of JavaScript code, which were also analysed.

Different Languages Sample


So you have seen how simple it is to setup a static code analysis tool, which analyses your Code and gives you helpful hints to make it better. I think it's a good way to get some sort of an external perspective. If you want to go one step further with a persistent database to have a historic analysis of your code you can do that too. But before it gets too complex I think you should consider to integrate this static code analysis inside a CI/CD pipeline like you would do in a larger context.

SonarQube and other tools for static code analysis have much more features than we've seen in this short post. Maybe there is a more lightweight one for local quality checks. If you know one, leave a comment. There may also be many plugins for IDE's that gives you the same functionality without setting up a separate Docker Container for static code analysis. If you have recommendations, please leave a comment.

Top comments (4)

camelcaseguy profile image
Shubhendra Singh Chauhan

Hey @yannick_rest πŸ‘‹ , It's a nice blog about setting up a static code analysis tool.

You should give it a try to DeepSource. It has a single file configuration setup that nearly takes a couple of minutes. 😎

I'd love to know what you think about it.

yannick_rest profile image
Yannick Rehberger

Hey @withshubh , thank you for the tip - DeepSource looks pretty nice, simple but powerful. I will give it a try :)

camelcaseguy profile image
Shubhendra Singh Chauhan • Edited

Sure @yannick_rest ! I'd love to know your feedback 😊 ✨

yannick_rest profile image
Yannick Rehberger • Edited

The current IDE of my choice is VSCode and for this I have now installed the SonarLint Extension. It is also available for other popular IDEs:

I find it very nice that issues are displayed directly in the code and the SonarLint Rule is referenced.

The advantages of SonarQube as a Docker container are that there is a more detailed report with filters and graphics and, if you add a database, the issues can also be managed via SonarQube.