Static Analysis
The automated examination of source code without executing it to find potential bugs, vulnerabilities, and quality issues.
Also known as: Static Code Analysis, SAST, Static Application Security Testing
Category: Software Development
Tags: quality, software-engineering, automation, security, tools
Explanation
Static Analysis is the process of analyzing source code without running it to detect potential defects, security vulnerabilities, coding standard violations, and design issues. Unlike dynamic analysis (which examines running programs), static analysis works on the code itself.
Types of static analysis:
1. **Syntactic analysis** - Checks code structure and formatting (linters like ESLint, Pylint)
2. **Semantic analysis** - Detects logical errors, type mismatches, null dereferences
3. **Data flow analysis** - Tracks how data moves through code to find issues like uninitialized variables
4. **Control flow analysis** - Examines execution paths to find unreachable code or infinite loops
5. **Security analysis** - Identifies vulnerabilities like SQL injection, XSS, buffer overflows (SAST tools)
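As an added illustration of the data-flow and security analysis types above (example code written for this page, not from any tool named here), a minimal intra-procedural taint analysis over Python's `ast`: it treats the results of `get()`/`input()` calls as attacker-controlled (an assumed source list), propagates taint through assignments, and flags `execute()` calls whose SQL argument is tainted. The code it scans is a constructed sample.

```python
import ast
# Constructed sample: lookup() concatenates user input into SQL; lookup_safe()
# binds it as a parameter, so the SQL text it executes is a constant.
SAMPLE = '''
def lookup(cursor, request):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_safe(cursor, request):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

SOURCES = {"get", "input"}  # assumed: calls whose results are attacker-controlled
SINK = "execute"            # assumed: method whose first argument is SQL text

def _call_name(node):
    """Bare name of a Call's callee: foo() -> "foo", x.foo() -> "foo", else None."""
    return node.func.id if isinstance(node.func, ast.Name) else getattr(node.func, "attr", None)

def _is_tainted(expr, tainted):
    """Conservative: tainted if any sub-node reads a tainted name or calls a source."""
    return any((isinstance(n, ast.Name) and n.id in tainted)
               or (isinstance(n, ast.Call) and _call_name(n) in SOURCES)
               for n in ast.walk(expr))

class TaintVisitor(ast.NodeVisitor):
    """Source-order walk of one function: assignments propagate taint, sinks are checked."""
    def __init__(self, func_name):
        self.func_name, self.tainted, self.findings = func_name, set(), []

    def visit_Assign(self, node):
        if _is_tainted(node.value, self.tainted):  # taint flows through x = <tainted expr>
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        if _call_name(node) == SINK and node.args and _is_tainted(node.args[0], self.tainted):
            self.findings.append((self.func_name, node.lineno))  # (function, sink line)
        self.generic_visit(node)

def find_sqli(source):
    """Return [(function, line)] for every execute() call whose SQL argument is tainted."""
    findings = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            visitor = TaintVisitor(node.name)
            visitor.visit(node)
            findings.extend(visitor.findings)
    return findings
```

Running `find_sqli(SAMPLE)` reports only `lookup` (line 5), because `lookup_safe` passes a constant SQL string and binds the input as a parameter. The checker follows taint neither across function calls nor through string-formatting helpers, which is where a real SAST tool's extra modelling, and its false-positive/false-negative trade-off, comes in.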
What static analysis catches:
- Null pointer dereferences
- Resource leaks (memory, file handles)
- Race conditions and concurrency bugs
- Security vulnerabilities (OWASP Top 10)
- Code duplication
- Cyclomatic complexity violations
- Dead code
- Style and convention violations
Popular tools:
- **General purpose** - SonarQube, Codacy, CodeClimate
- **Language-specific** - ESLint (JavaScript), Pylint (Python), RuboCop (Ruby), Clippy (Rust)
- **Security-focused** - Semgrep, Checkmarx, Fortify
- **Type checkers** - TypeScript, mypy, Flow
Static analysis is most effective when integrated into CI/CD pipelines as quality gates, catching issues before they reach code review or production. The key trade-off is between thoroughness and false positive rates — overly aggressive rules cause alert fatigue.