Engineering Manager’s Guide to Static Analysis
How you can improve the code health and security of your team's codebase with automation.
- By Jai
- ·
- Engineering
- Continuous Quality
Every engineering manager dreams of a clean codebase — where every engineer follows best practices, writes tests, and adheres to your code guidelines. But the messy reality is that codebases are ever-evolving, needing frequent refactoring filled with unintelligible code and bugs. Engineering time spent fixing bad code is time that could be spent on product development and moving the business forward. Worse, you can open yourself up to security issues when bad code gets through your review process.
There are ways to improve your code — the most foundational being strict testing practices and code reviews. Code reviews are a labor-intensive manual process, but automation tools using static analysis are emerging that can reduce engineering time and effort cleaning code. In this guide, we'll dive into the cost of bad code, the cost of and fallibility of code reviews, and how you can use technologies like static analysis to improve your code quality and lessen the burden on your developers.
Why does clean code matter?
As an engineering manager, you want a well-maintained codebase that's free of bugs and easy to read. Here are some reasons why:
- Good code reduces bugs, lightens the load on your QA team, and gives your customers a better experience.
- A clean code base makes it easier to onboard new engineers because it's easier to understand what's happening.
- Clean code makes code reviews faster. Save your engineers from parsing code that's written a couple of years ago, riddled with bugs and incoherent structure.
- It reduces time spent refactoring and fixing bugs. Let your engineers focus on higher leverage tasks.
- It ensures your product has the security and reliability to operate effectively.
Every engineering team has a code review process to keep your codebase clean, but it takes engineering time away from developing your product. The code review process alone can take 10 to 15% of the time to ship a new feature.
Code reviews help your team but are fallible
A code review is a manual peer-review process that improves overall software quality. Poor code quality leads to software rot, technical debt, and security vulnerabilities. Code reviews find and fix overlooked mistakes during the initial development phase.
Code review keeps code cleaner
A recent large-scale research study of 3,126 software-development projects (Thomson & Wagner) demonstrated the value of code review for reducing errors and improving security, resulting in a 5-fold reduction in error rate and a 14% increase in productivity.
Thomson & Wagner still found that, despite these gains, manual review is fallible:
Edmundson et al. examined the effects of manual code inspection on a piece of web software with known and injected vulnerabilities. They found that no reviewer could find all vulnerabilities, that experience didn’t necessarily reflect accuracy or effectiveness (the effects were not statistically significant), and that false positives were correlated with true positives (r = 0.39). It seems difficult to predict the effectiveness of targeted code inspection for finding vulnerabilities.
Creating a culture around code reviews is hard
Despite the benefits, code reviews are far from perfect. While code reviews are essential for any engineering team, they take time and are error-prone.
Since manual code review involves people interacting with each other, processes can fall. Engineers have a lot of responsibilities, and enforcing process is challenging, so you might run into hitches. Feedback can be ignored or overlooked, which has to be recognized and followed up on by the engineer who's already spent valuable time writing the feedback.
A positive culture of code-review feedback interaction can be developed to address this, but that's a constant burden on engineering managers tasked with developing and maintaining those processes. Every time you onboard a new engineer or a tenured engineer starts getting lazy, you'll find yourself with improperly followed code review processes.
Code review is an error-prone human process
Even the best code can have bugs, which is why you're doing code review in the first place. Mistakes can be made during the review process — coding errors can be missed, and security holes can be left exposed. Even the most meticulous engineer is vulnerable to fatigue.
Code errors that slip through cause problems later on, and your engineering team is then spending time fixing overlooked bugs and security issues, covering the same ground instead of moving forward.
Human error in code review sets back your progress, threatening deadlines, which has a knock-on effect on clients, investors, and other stakeholders.
So we've talked about why clean code matters, how code review can help you maintain a clean codebase, and how code review still has problems.
The solution is to automate part of the code review process. That's where techniques like static analysis come in to help you get your clean codebase without disgruntled engineers.
What is static analysis?
Automation helps code review by taking some of the load off your development team: it can help them with about 50% of the work — checking syntax, for example. It has limits: e.g., it doesn't assess architecture.
Static analysis detects errors in code by analyzing the code without executing it. It can catch bugs, anti-patterns, security holes, and performance issues in code.
How can static analysis improve code review outcomes?
Pulling automated systems that use static analysis into your code review process increases productivity because you can unload the more tedious aspects of the process from your team, particularly improving pull request flows and overall efficiency.
Static analysis shortens code review time
Static analysis tools catch objective problems in code. It helps developers by suggesting fixes before the code gets sent to manual peer review. Once submitted, clear of objective problems, code reviewers can focus their time and energy on higher-level issues. This results in an average time savings of 4 hours per week per engineer on code reviews.
Static analysis identifies security issues
This is the original application of static analysis — auditing code for security vulnerabilities. It can help your team cover off on OWASP Top 10 vulnerabilities that have cost companies millions of dollars.
Static analysis improves code review by improving code quality, enforcing coding standards, and identifying software security issues. A clean, secure codebase positively affects developer productivity and happiness.
How do I get started on static code analysis for my team?
Static analysis has historically been used for the security aspects of code review. Further, static analysis tools are usually aimed at buyers, not end-users (developers) — you'd buy a security analysis product and use it to identify issues and come up with solutions. That's not something directly incorporated into your development processes.
So, what do you do if you're an engineering manager who wants to incorporate static analysis into your development process?
DeepSource: static analysis built for developers
DeepSource is a static analysis tool designed to sit in your code-review workflow. It can cover the entire objective analysis of your code beyond security. It's aimed at developers. By analyzing your codebase and identifying potential code health and security issues early in your code development process, DeepSource can help your team find and fix bugs. DeepSource helps you avoid expensive mistakes down the road, improving your code quality and saving developer time.
DeepSource:
- Fits seamlessly into your developer workflow.
- Saves an average of 4 hours of developer time per developer per week.
- Can be plugged in to analyze large repositories in minutes, not weeks.
- Continuously enforces code quality and security.
Conclusion
Static analysis saves time on code reviews by making complex and time-consuming processes trivial and accurate. It frees up your team to do higher-level code reviews and more coding. This means that you have more bandwidth for what matters: your product. Better, shorter code review gives your team more time to focus on engineering. Your code is clean and secure. Your engineering team is satisfied because they're not bogged down in the objective parts of the code review.
When used as part of code review, static analysis is a powerful tool that every engineering manager should be familiar with. By incorporating static analysis into your code review process with DeepSource, you'll improve your codebase's quality and security, making your development team more productive.