Open Source Static Code Analysis Tools

Context

Bahmni Org has so many code repositories with different tech stack like Java, JS, Type Script, Python, Docker, Ansible Gradle, Maven..etc. We need static code analysis tools to identify the patterns in the code and detect possible security threats and issues in the quality of the code. This page provides different open source tools that validate code smells and security issues in CI pipeline (frontend, backend and infra)

Feature

These tools are integrated to Github repositories and scan for possible vulnerabilities with respect to

  • Continuous code quality checks

  • Code coverage

  • Continuous secret scanning

  • OWASP top 10 compliances

🔰Options

Deepsource

  • Advanced static analysis

  • Central code health dashboard

  • Continuous code quality checks

  • Autofix

  • Centrally track key metrics of code

  • Code coverage

  • Continuous secrets scanning

  • Minimal configuration

  • Less than 5% false-positive rate

  • OWASP Top 10 compliance

  • Secure by design

  • API access and webhooks

  • Reporting and insights

  • API access and webhooks

  • Reporting and insights

Setup

  1. Create an account on DeepSource - create an account using an existing GitHub account. DeepSource will ask for your permission to install the DeepSource app for in the Github account.

  2. Setup and configure analysis - Once signed in, we can choose a repository to activate continuous analysis on, generate the configuration and activate the analysis. This process triggers the initial analysis on the default branch of the repository. Once analysis is activated on a repository, all subsequent commits and pull requests will be automatically analysed.

 

Sonarcloud

  • Bug, Vulnerability, and Code Smell detection

  • Issue contextualization, with remediation guidance

  • Top-notch coding rules

  • Continous inspection

  • In-ALM pull request feedback

Setup

same as Deepsource

codacy

  • OWASP Top 10 vulnerabilities

  • Code standardisation

Setup

same as Deepsource

  • Ref:

Detekt

  • Code smell analysis for Kotlin projects.

  • Code Smell baseline and suppression for legacy projects.

  • Highly configurable rule sets

  • Support for different report formats: html, markdown, SARIF and xml (checkstyle)

  • Suppression of findings with @Suppress annotations

Setup

We can run Detekt using either of the below options

  • command line interface

  • Gradle task

  • mvn ant task

  • Git pre-commit hook

  • Ref:

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)