Static Code Analysis
Analysis of computer software that is performed without actually executing programs. (source)
Static code analysis can be an ally in producing high-quality applications. Scanning source code for vulnerabilities and checking that new code is covered by tests is like having a constant, automated, unopinionated peer reviewer for every code change. It creates feedback loops where none existed and reduces bugs by enforcing quality checks during continuous integration.
Technical Debt
Technical Debt: A concept that reflects the implied cost of additional rework caused by choosing an easy, limited solution now instead of using a better approach that would take longer. (source)
Teams will often forgo unit testing in the name of speed. They also tend to focus on the visible parts of their application rather than on non-visible, foundational quality work. In reality, they are accumulating technical debt that will slow them down in the future.
Code starts ageing the moment it is written. Writing unit tests alongside production code, rather than afterwards, is vital for maintaining good code coverage.
Code Coverage
Code coverage is a common metric for judging a team's code quality: the percentage of application code that is exercised by tests. It can be measured as function/method coverage, branch/condition coverage, or line/statement coverage. Unless stated otherwise, "code coverage" usually means the percentage of lines in the application code that are executed by unit tests.
The higher the percentage, the more confidence a team has when making changes; higher coverage now provides a better platform for changes later. A common industry benchmark is 80-90% line coverage. Keep in mind that coverage only records which code the tests execute, not whether the tests assert anything meaningful about it, and that full line coverage can still leave some branches untested, so treat the number as a floor to enforce rather than a goal in itself.
A team's current code coverage is also a useful guide for addressing technical debt. If a team has inherited a legacy application carrying a lot of debt, the best approach is often the one used for financial debt: pay the principal off gradually, raising coverage a little with every change rather than attempting it all at once.
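The difference between line and branch coverage is easy to miss in practice, so here is an added worked example (not code from the original page or from any particular coverage tool) that measures both for a small function using only the Python standard library: `sys.settrace` records which lines of the traced function ran, and the function's AST supplies the set of executable statements and the `if` statements whose true/false outcomes make up the branches. The function under test, `is_safe_redirect`, and the two test suites are constructed for this illustration. The tracker models plain `if` statements only; loops and short-circuit conditions are left to a real tool such as coverage.py.

```python
import ast
import inspect
import sys
import textwrap


def is_safe_redirect(target):
    # Constructed sample under test: only same-site, path-only targets are allowed.
    ok = target.startswith("/")
    if target.startswith("//"):      # protocol-relative URL points off-site
        ok = False
    return ok


def _function_ast(func):
    """Parse the function's own source; returns (FunctionDef node, line offset)."""
    src = textwrap.dedent(inspect.getsource(func))
    fn = ast.parse(src).body[0]
    # The dedented source starts at line 1; shift back to file line numbers.
    return fn, func.__code__.co_firstlineno - 1


def executable_lines(func):
    """Line numbers of every statement inside the function body."""
    fn, base = _function_ast(func)
    return {n.lineno + base for n in ast.walk(fn)
            if isinstance(n, ast.stmt) and n is not fn}


def branch_points(func):
    """Map each `if` test line to the first line of its body (plain `if` only;
    loops and boolean short-circuits are not modelled)."""
    fn, base = _function_ast(func)
    return {n.lineno + base: n.body[0].lineno + base
            for n in ast.walk(fn) if isinstance(n, ast.If)}


def measure(func, inputs):
    """Run func over each argument tuple in inputs, tracing only its own frame.
    Returns {"line": (covered, total), "branch": (covered, total)}."""
    code = func.__code__
    events = []                       # line numbers in execution order; None = return

    def local_tracer(frame, event, arg):
        if event == "line":
            events.append(frame.f_lineno)
        elif event == "return":
            events.append(None)
        return local_tracer

    def global_tracer(frame, event, arg):
        return local_tracer if event == "call" and frame.f_code is code else None

    previous = sys.gettrace()         # restore whatever tracer (debugger, coverage) was active
    sys.settrace(global_tracer)
    try:
        for args in inputs:
            func(*args)
    finally:
        sys.settrace(previous)

    total_lines = executable_lines(func)
    hit_lines = {ln for ln in events if ln is not None} & total_lines

    branches = branch_points(func)
    taken = set()
    for i in range(len(events) - 1):
        ln = events[i]
        if ln in branches:
            # The condition was true iff execution continued into the if-body.
            taken.add((ln, events[i + 1] == branches[ln]))

    return {"line": (len(hit_lines), len(total_lines)),
            "branch": (len(taken), 2 * len(branches))}


def percent(counts):
    covered, total = counts
    return 100.0 * covered / total if total else 100.0


if __name__ == "__main__":
    # Constructed suites: the first only exercises the attack input, the second
    # adds a legitimate path so the implicit "else" of the if is also taken.
    attack_only = [("//evil.example",)]
    both_paths = attack_only + [("/account",)]
    for name, suite in (("attack case only", attack_only), ("attack + valid case", both_paths)):
        r = measure(is_safe_redirect, suite)
        print(f"{name}: line {percent(r['line']):.0f}%  branch {percent(r['branch']):.0f}%")
```

The single-input suite reports 100% line coverage while only half of the branches were taken: the path where the `if` is false, which is exactly the path a legitimate user hits, was never exercised. This is why a pipeline gate on line coverage alone can be satisfied by a suite that never tests the normal case; where the tool supports it, gate on branch coverage as well.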
Tools
For local development, IDE plugins can report code coverage as you work. In the pipeline, SonarQube is a widely used static code analysis tool that scans the source code on every build. Configure its quality gate (minimum coverage on new code, no new critical findings) so that a failed scan fails the build; a scan whose results nobody is forced to act on adds a report, not a feedback loop.