What Is Static Analysis? | Datadog
What Is Static Analysis?

Applications

What is Static Analysis & How Does it Work?

Discover how to leverage Static Analysis solutions to improve the quality of your organization's code.

What is Static Analysis?

As software engineers develop applications, they need to test how their programs will perform and fix any issues related to the software’s performance, code quality, and security. However, when testing is conducted late in the Software Development Lifecycle (SDLC), it increases the likelihood that errors will be introduced into production.

Running automated tests earlier in the SDLC encourages developers to improve the security, code quality, and performance of their code while they’re writing it, rather than after it’s already been released to end users. Ultimately, testing early and often can help engineering organizations ship higher quality code faster and reduce time spent on troubleshooting issues.

Static analysis (also known as static code analysis) is a software testing methodology that analyzes code without executing it and reports any issue related to security, performance, design, coding style or best practices. Software engineering teams use static analysis to detect issues as early as possible in the development process, so they can proactively identify critical issues and prevent them from being pushed into production. For example, a static analysis tool may compare your code’s formatting to defined standards and suggest the use of inclusive language, fixes to infrastructure-as-code configurations, or revisions of outdated practices. Static analysis tools may also be able to quickly highlight possible security vulnerabilities in code.

What is Dynamic Analysis and How Does Static Analysis Compare?

Dynamic analysis is the traditional process of analyzing and testing code by running it. While static analysis can be significantly faster at catching issues, dynamic analysis may be more accurate, as running the code live can help you determine how it interacts with your wider systems. Both static and dynamic analysis are essential parts of developers’ toolkits.

Similarly, SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) differ in that SAST identifies potential vulnerabilities in code without running it, while DAST runs applications in order to analyze them for vulnerabilities from the outside.

When Should Engineers and Organizations Use Static Analysis?

Oftentimes, developers enforce coding guidelines directly within IDE settings rather than incorporating static analysis, but this approach only remediates code formatting concerns and does not address any security concerns or enforcement of best practices. When developers are using different IDEs, this approach also makes it difficult to enforce organization-wide standards because their IDE settings cannot be shared.

Static analysis cuts back on these types of issues by scanning code for multiple performance and vulnerability issues all at once. The most common use cases are:

  1. Identifying software issues as early as possible. Static analysis does not need to execute your program to detect potential issues. It can be used without writing additional code or tests, and requires minimal configuration.

  2. Shifting the software development lifecycle (SDLC) left: Static analysis tools typically work with your IDE, Git hooks, source code management, or your CI/CD pipelines. These tools can block problematic pull requests from being merged into production and surface important information to developers before issues impact end users.

  3. Detecting a wider variety of problems: Static analysis tools can detect a wide range of issues, including code style and naming convention violations related to case, inclusivity, comments, code structure, and nested loops. They can also highlight error-prone code and security issues, such as code that is vulnerable to SQL injections.

  4. Expanding the number of languages supported: Static analysis tools are available for every major programming language. They also work with infrastructure-as-code (IaC) languages, such as Terraform or Puppet, enabling SREs to find misconfigurations and security vulnerabilities before deploying them to their infrastructure, while encouraging developers to be mindful of infrastructure configurations.

  5. Implementing DevSecOps practices: Security teams regularly scan projects’ source code and find vulnerabilities only once they are merged in production. However, by adopting static analysis earlier in the software development lifecycle and integrating it within the developer environment, teams can enforce rules to eliminate issues like SQL injection vulnerabilities, insecure library dependencies, exposure of sensitive ports, and hard-coded secrets before insecure code gets pushed to production.

How Do Static Analysis Programs Work?

The first step of static analysis is to parse the source code. Next, the static analyzer typically builds an Abstract Syntax Tree (AST), a representation of the source code that it can analyze.

As it builds the AST, the analyzer precisely distinguishes each program element and categorizes each element according to its semantics (e.g., function call or argument), reducing the number of false positives. Finally, the static analyzer takes the AST, applies analysis rules, and produces code violations.

What Are the Benefits of Static Analysis?

  1. Mitigate security issues before they are released to production: Static analysis detects security vulnerabilities in code, such as the use of weak encryption algorithms. By detecting these issues early in the development process, static analysis improves the security posture of your applications can prevent security incidents from occurring.

  2. Enforce coding guidelines: Static analysis helps organizations enforce coding guidelines for quality and maintainability, for example, by preventing the use of specific (e.g., non-inclusive) words and checking the complexity of code. It can also guarantee consistency of naming conventions at each commit, preventing style inconsistencies from reaching the codebase and improving code legibility.

  3. Promote use of best practices: Static analysis detects use of deprecated code or code smells (e.g., code patterns to avoid). By flagging such issues, developers are encouraged to adhere to best practices.

  4. Improve code quality over time: By monitoring and tracking static analysis results, you can measure the quality of your codebase against objective test metrics. This helps highlight better approaches for junior developers and reinforces good coding habits.

What Are the Challenges of Static Analysis?

A study in 2018 from Stripe found that the average developer spends more than 17 hours a week fixing bad code and reducing technical debt. Static analysis helps developers decrease this number, but it can also present several challenges.

  1. Updating workflows to use static analysis as early as possible: Bugs and security issues found in the IDE and initial pull requests are orders of magnitude cheaper and faster to resolve as opposed to later in the SDLC or in production. However, large-scale organizations may need to coordinate across teams to ensure that static analysis is consistently applied early in the development process.

  2. Lack of compatibility with existing workflows and tools: When adopting a new static analysis tool, it’s essential that your developers can get access to the results and feedback wherever they’re currently working, in order to minimize disruptions and context switching. In practice, this means that the static analyzer should integrate with your developers’ IDEs, Git hooks, and code review platform.

  3. Unnecessary slowdowns in the SDLC: Static analyzers can detect a wide variety of issues, and without the right rules in place, they can create unnecessary roadblocks for developers. Teams can integrate static analysis tools in the CI/CD pipeline and configure them to block specific pull requests from being merged when issues are found. To avoid unnecessary slowdowns, you can choose to only block pull requests when the static analyzer finds certain types of errors, like critical security issues.

What Should You Look for in a Static Analysis Solution?

When searching for a static code analysis solution, keep the following feature sets in mind to maximize the value of your static analysis tool:

  1. IDE integrations: Organizations should look for a static analyzer that integrates with their developers’ IDEs. This is essential to organization- and team-wide adoption—staying within the developers’ critical path eliminates context switching and improves the overall workflow for finding and resolving issues.

  2. Pull request integration: Teams that use source code managers like GitHub should ensure that their users can see their static analysis results directly in their pull requests. GitHub comments and console logs can help developers identify and fix issues as part of the code review process. This data can also help managers gather context for identifying the upstream source of issues.

  3. Code fix suggestions. Static analyzers should provide code fixes when possible—ideally, directly in the IDE as developers are writing code, or as a suggested fixes in pull requests, with the ability to directly commit suggestions. This speeds up the remediation process because developers don’t need to look up documentation or get up to speed with security best practices in order to resolve their issues.

Learn More about Static Analysis

Static analysis is an essential part of modern software engineering and testing. It can help developers catch code quality, performance, and security issues earlier in the development cycle, which ultimately enables them to improve development velocity and codebase maintainability over time.

In order to ensure a smooth and comprehensive adoption of static analysis tools, organizations must consider the ways in which developers will most effectively utilize these tools. When looking to implement static analysis, organizations should use analyzers that support a wide variety of languages, provide well-documented and extensive rulesets, and use techniques to mitigate false positives and improve the signal-to-noise ratio. Static analyzers should also integrate seamlessly into developers’ IDEs, GitOps strategy, and CI/CD workflows.

Datadog Code Analysis (currently in beta) provides out-of-the-box rules to evaluate your code for security, performance, quality, best practices, and style, without executing the code. It also provides plugins that automatically detect and suggest fixes for certain types of violations, so your developers can resolve these issues directly in their IDEs prior to pushing code to production. You can learn more about Datadog Static Analysis by reading our documentation or Static Analysis setup guide.

Related Content

Learn about Datadog at your own pace with these on-demand resources.

products/ci-visibility/ci-visibility-dashboard-v2

product

CI Visibility

/blog/datadog-code-analysis/code-analysis-hero

BLOG

Ship high-quality, secure code faster with Datadog Code Analysis

/blog/datadog-quality-gates/quality_gates_hero

BLOG

Enhance code reliability with Datadog Quality Gates