Open Source Static Code Analysis Tools
Context
The Bahmni organisation maintains many code repositories built on different tech stacks (Java, JS, TypeScript, Python, Docker, Ansible, Gradle, Maven, etc.). We need static code analysis tools to identify patterns in the code and detect possible security threats and code-quality issues. This page lists open source tools that check for code smells and security issues in the CI pipeline (frontend, backend and infra).
Feature
These tools integrate with GitHub repositories and scan for possible vulnerabilities and quality issues with respect to:
Continuous code quality checks
Code coverage
Continuous secret scanning
OWASP top 10 compliances
Options
Deepsource
Advanced static analysis
Central code health dashboard
Continuous code quality checks
Autofix
Centrally track key metrics of code
Code coverage
Continuous secrets scanning
Minimal configuration
Less than 5% false-positive rate
OWASP Top 10 compliance
Secure by design
API access and webhooks
Reporting and insights
Setup
Create an account on DeepSource - sign up using an existing GitHub account. DeepSource will ask for permission to install the DeepSource app in the GitHub account.
Set up and configure analysis - once signed in, choose a repository to activate continuous analysis on, generate the configuration and activate the analysis. This triggers the initial analysis on the default branch of the repository. Once analysis is activated on a repository, all subsequent commits and pull requests are analysed automatically.
Sonarcloud
Bug, Vulnerability, and Code Smell detection
Issue contextualization, with remediation guidance
Top-notch coding rules
Continuous inspection
In-ALM pull request feedback
Setup
Same as DeepSource
Codacy
OWASP Top 10 vulnerabilities
Code standardisation
Setup
Same as DeepSource
Ref:
Detekt
Code smell analysis for Kotlin projects.
Code Smell baseline and suppression for legacy projects.
Highly configurable rule sets
Support for different report formats: html, markdown, SARIF and xml (checkstyle)
Suppression of findings with @Suppress annotations
Setup
We can run Detekt using any of the following options:
Command line interface
Gradle task
Maven (via the Ant task)
Git pre-commit hook
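The pre-commit hook option above, worked through as an added example (this is not Bahmni's or Detekt's own script). It assumes the `detekt` CLI is on PATH, that staged Kotlin files are passed to it with `--input`, and that a checkstyle-format XML report is written with `--report xml:<path>`; the report path and the optional config path are assumed values. The commit is blocked when the report contains any finding, so issues are caught before they reach CI.

```shell
#!/bin/sh
# Hypothetical .git/hooks/pre-commit hook (added example, not Bahmni's or Detekt's own code).
# Runs detekt on the staged Kotlin files and blocks the commit on any finding.

REPORT="${DETEKT_REPORT:-/tmp/detekt-precommit.xml}"   # assumed report location
CONFIG="${DETEKT_CONFIG:-detekt.yml}"                   # assumed config path (used only if present)

# Count <error .../> elements in a checkstyle-format report.
# A missing report or a report with no findings counts as 0.
checkstyle_error_count() {
    file="$1"
    [ -f "$file" ] || { echo 0; return 0; }
    grep -o '<error ' "$file" | wc -l | tr -d ' '
}

# Return 0 (allow commit) when the count is zero, 1 (block) otherwise.
gate_on_count() {
    [ "$1" -eq 0 ]
}

# Staged Kotlin files, comma-separated for detekt's --input.
staged_kotlin_files() {
    git diff --cached --name-only --diff-filter=ACM -- '*.kt' '*.kts' | paste -sd, -
}

run_hook() {
    command -v detekt >/dev/null 2>&1 || { echo "detekt not installed, skipping"; return 0; }
    git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
    files="$(staged_kotlin_files)"
    [ -n "$files" ] || return 0        # nothing Kotlin staged

    rm -f "$REPORT"
    if [ -f "$CONFIG" ]; then
        detekt --input "$files" --config "$CONFIG" --report "xml:$REPORT"
    else
        detekt --input "$files" --report "xml:$REPORT"
    fi >/dev/null 2>&1   # exit status is ignored; the report decides

    count="$(checkstyle_error_count "$REPORT")"
    if gate_on_count "$count"; then
        return 0
    fi
    echo "detekt found $count issue(s); see $REPORT. Commit blocked."
    return 1
}

# Only act as a hook when installed under that name; sourcing the file for tests does nothing.
case "$(basename "$0")" in
    pre-commit) run_hook || exit 1 ;;
esac
```

Install it with `cp pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`. Counting findings from the report rather than relying on detekt's exit code keeps the gate independent of the `maxIssues` threshold configured in `detekt.yml`.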
Ref:
The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)