
Ask HN: Static Code Analysis Tools - psnosignaluk
Good day HN

I'm on the lookout for static analysis tooling to apply to our toolchain, preferably at code review time. I thought it a good idea to ask the community here. A hosted solution would suit us well, as we try to focus internal engineering and maintenance efforts on our core platform (Kubernetes) and our code.

We utilise GitHub for all of our repositories and have review policies implemented whereby at least 1 approval must be granted for a PR to be merged. I'd like to insert static analysis at this point so that vulnerabilities etc can be fixed before code is merged into the mainline.

To complete the picture, once code is merged, it is picked up by Bamboo, fresh distroless images are built and the code deployed throughout dev/stage/sandbox/production.

I look forward to your recommendations.

Thanks and regards!
======
humaid
You might want to check this out: [https://github.com/mre/awesome-static-analysis](https://github.com/mre/awesome-static-analysis)

------
thecupisblue
Well, what kind of stack are you using?

To cover most uses, I'd suggest looking at SonarQube (most popular, not a
fan), CodeClimate - metrics and quality and Codacy.

~~~
psnosignaluk
Thanks. Having a look at Codacy.

------
psnosignaluk
Commenting to add languages: Java, Go, JavaScript, PHP and C# primarily. gRPC
in Java services, tooling in Go and SDK's in all languages. Not much in the
way of typical frameworks.

~~~
austincheney
I created a parsing scheme to address a variety of static analysis concerns.
[https://sparser.io/](https://sparser.io/)

You don't have to use the parser libraries I provide. The important thing
about a tool like that is the data structure it provides.

Here are some key benefits:

1. The output is a table that can be used as a tree. Each parsed token knows
what its parent is and where the containing parent ends, which allows for
walking the tree in an algorithmic fashion.

2. Since the output is a table of arrays it is the fastest non-bytecode
parsing scheme to access.

3. The output structure is language agnostic, so provided a proper parser it
can represent any language, any combination of languages, and any combination
of languages in a nested fashion.
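To make the "table that can be used as a tree" idea concrete, here is an added illustration written for this thread; it is not sparser's own code or output format. It parses a tiny parenthesised word language (a constructed stand-in for a real grammar) into parallel arrays where each token records its parent index and each group records where it ends, so children can be found with a bounded linear scan instead of recursion.

```javascript
// Added illustration of a table-as-tree token structure (not sparser's code).
// Parallel arrays, one entry per token:
//   token[i] the text, types[i] "start" | "end" | "word",
//   begin[i] index of the enclosing "(" (or -1 at top level),
//   ender[i] index of the matching ")" for a "start" token, otherwise i.
function parseToTable(src) {
  const table = { token: [], types: [], begin: [], ender: [] };
  const stack = [-1]; // indices of currently open groups; -1 is the root
  for (const tok of src.match(/\(|\)|[^\s()]+/g) || []) {
    const i = table.token.length;
    table.token.push(tok);
    table.begin.push(stack[stack.length - 1]);
    if (tok === "(") {
      table.types.push("start");
      table.ender.push(-1); // patched when the matching ")" arrives
      stack.push(i);
    } else if (tok === ")") {
      table.types.push("end");
      table.ender.push(i);
      const open = stack.pop();
      if (open < 0) throw new Error(`unbalanced ")" at token ${i}`);
      table.ender[open] = i; // the group now knows where it ends
    } else {
      table.types.push("word");
      table.ender.push(i);
    }
  }
  if (stack.length > 1) throw new Error(`unclosed "(" at token ${stack.pop()}`);
  return table;
}

// Direct children of group i: one linear scan bounded by ender[i]. No
// recursion is needed because nested tokens point at a different parent.
function children(table, i) {
  const out = [];
  if (table.types[i] !== "start") return out;
  for (let j = i + 1; j < table.ender[i]; j++) {
    if (table.begin[j] === i) out.push(j);
  }
  return out;
}

// Nesting depth of token i, found by following parent pointers upward.
function depth(table, i) {
  let d = 0;
  for (let p = table.begin[i]; p !== -1; p = table.begin[p]) d++;
  return d;
}

const demo = parseToTable("a (b (c d) e) f"); // constructed sample input
console.log(children(demo, 1).map((j) => demo.token[j]));
```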

------
relaunched
Based on the programming languages, and the lack of a stated preference for
open source / free vs. proprietary, I'd strongly consider checkmarx or
veracode for a corporate environment.

We've used all the tools at work and are running a pretty significant number
of applications, in a fully ci / cd environment.

No tool is perfect, but make sure you have the right language support,
versions, framework support, etc. Also, make sure you have someone qualified
to do static analysis, because the tools all have false positives, as well as
can miss things.

Happy to talk via email.

------
jerome-jh
For which programming language???

