Code Analysis
- Code analysis is done in three ways:
- linting: syntactic and stylistic evaluation of code, mostly against style guides. This is generally done in the IDE and at commit time via hooks.
- static code analysis: analyses the source code without executing it, parsing it and checking it against best practices and known vulnerability patterns.
- dynamic analysis: analyses the behaviour of the code while it executes.
- Enterprise Use case:
- Whenever a PR is created, synchronized then
- execute static code analysis
- Run unit tests & measure code coverage
- Ensure the Quality Gate (minimum approved code quality) checks pass; if they fail, the PR should not be merged.
- Tools:
- Static Code Analysis:
- SonarQube, SonarCloud (free for open-source repos)
- CodeQL
- Code Coverage:
- SonarQube with additional plugins.
- Static Code Analysis:
SonarCloud
- Create an account (Refer Here) and log in with GitHub.
- Refer Here for YAML action-based integration.
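A GitHub Actions workflow that implements the PR use case above (static analysis, unit tests with coverage, Quality Gate enforcement) with SonarCloud, added here as an example; it is not taken from these notes or from SonarSource's documentation. The project key, organization, the Python/pytest toolchain and the SONAR_TOKEN secret are assumptions.

```yaml
# Added example workflow (not from the original notes). Assumes a Python
# project tested with pytest, a SonarCloud project whose key/organization
# are the placeholders below, and a SONAR_TOKEN repository secret.
name: pr-code-quality

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: read   # lets the scanner attach results to the PR

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so "new code" is computed correctly

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Unit tests + coverage; the XML report is handed to the scanner below.
      - name: Run unit tests with coverage
        run: |
          pip install -r requirements.txt pytest pytest-cov
          pytest --cov=. --cov-report=xml:coverage.xml

      # Static code analysis. Project key and organization are placeholders.
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY
            -Dsonar.organization=PLACEHOLDER_ORG
            -Dsonar.python.coverage.reportPaths=coverage.xml

      # Quality Gate: fails the job when the gate fails, which blocks the
      # merge once this check is marked "required" in branch protection.
      - name: Enforce Quality Gate
        uses: SonarSource/sonarqube-quality-gate-action@master
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

The quality-gate step reads the report location the scanner writes to `.scannerwork/report-task.txt` by default, so the two steps must run in the same job and workspace.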
CodeQL
- Refer Here for setting up scanning.
