Setup static code analysis for Python

Walkthrough of setting up static analysis for a Python repository on GitHub.

By Prajjwal
Last updated on Aug 21, 2020

Static code analysis is the technique of approximating the runtime behaviour of a program. In other words, it is the process of predicting what a program will do without actually executing it. That is what DeepSource does: it statically analyzes your project and reports potential code quality issues that can be fixed in no time.

This is what we will be doing in this blog post. We will integrate DeepSource on a forked repo, specifically a Python project, and run analysis on it. We will then fix some of the issues with the Autofix tool and let a transformer fix some of the styling issues in our project.

Let's get started!

Note: In this guide, we will analyze only a Python project on GitHub. However, the steps for other languages and platforms are similar.

Steps to integrate DeepSource with GitHub

DeepSource needs only a few steps to set up continuous analysis on any repository. The process looks like this:

  • Create an account on DeepSource.
  • Pick a Python repository to analyse.
  • Visit the DeepSource dashboard.
  • Choose your project from the repository list.
  • Add the DeepSource configuration file.
  • Run the analysis.

Pretty simple, isn't it? Let us now look at the steps in detail.

We will first look for a Python project on GitHub.

[Image: Sample Python project]

SIH-2019 is a data visualisation project for National Accounts Statistics that was built within 36 hours. A short time span like this is an obvious factor in introducing code quality issues.

Let us now fork this repo, open our DeepSource dashboard, and activate the repo.

[Image: DeepSource repo list]

From this list, you can choose the project on which you want to run the analysis. Here, I am choosing pnijhara/sih-2019, which I forked. After clicking on the repository, you will be guided to add a DeepSource configuration file, .deepsource.toml, which DeepSource needs in order to run analysis on the repo. The configuration file contains exclude file patterns, which tell DeepSource not to analyse those files (migrations, example code, data, templates, etc.), followed by test file patterns to specify test files. All of these patterns are written as glob patterns; you can read more about how to write them correctly here. After that, you specify the language(s) that you want DeepSource to analyse in your project, and finally a transformer to improve your code style.

[Image: Configurations]

You can commit the configuration file to GitHub directly with a single click, which adds a commit to the master branch of your repo, or you can add the file manually. DeepSource will automatically pick up the .deepsource.toml config file and start running the analysis.
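The sections described above, laid out as an added example .deepsource.toml (not the file committed in the post); the exclude and test paths are constructed and should be matched to your own repository layout:

```toml
# .deepsource.toml - added example, not the configuration committed in the post.
# Paths below are constructed; adjust them to the real layout of your repository.
version = 1

# Files DeepSource should not analyse: generated code, data, templates, examples.
exclude_patterns = [
  "**/migrations/**",
  "data/**",
  "templates/**",
  "examples/**"
]

# Files to treat as tests so that issues there are reported with that context.
test_patterns = [
  "tests/**",
  "**/test_*.py"
]

# Language(s) to analyse; bug-risk, security and other checks come from this analyzer.
[[analyzers]]
name = "python"
enabled = true

  [analyzers.meta]
  runtime_version = "3.x.x"

# Transformer that opens the automatic formatting PR described in the post.
[[transformers]]
name = "black"
enabled = true
```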

[Image: Dashboard overview]

As soon as you commit the configuration file to GitHub, DeepSource starts analyzing the repo. The first run can take some time, but it mostly completes within 5 minutes and generates a report containing the issues that can be fixed.

[Image: DeepSource recommendations]

Issue categorization

DeepSource divides the issues into categories such as Anti-patterns, Bug risk, Style, Performance, Security, and Documentation. Out of these, DeepSource, on the basis of collected data, recommends some issues that can be considered high priority.

[Image: Format code auto-PR]

Automated code formatting

As soon as the analysis finishes, DeepSource automatically sends a PR fixing the style issues, because of the transformer (black) we added.

[Image: Format code PR description]

Issue triage

Though DeepSource ensures less than 5% false positives, you can still ignore issues that you find not relevant to the project or that were written intentionally. Read more about ignoring issues here.

Open issue on GitHub

DeepSource allows you to create GitHub issues on your repo directly from the dashboard, so that other contributors can discuss and fix them. Again, it is a simple task. You just need to open any issue found by DeepSource and click the "Create issue on GitHub" button. This button creates an issue on your repository's page on the VCS provider directly. You can edit the issue description and title before the issue is created, and you can also add tags or assign it to someone in your team.

[Image: Issue description]

This will redirect you to your repo with an issue that you can open.

[Image: Issue]

Note: You can create GitHub issues through this method only if the repository settings allow you to do so. Otherwise you will get a 404 error.

Autofixable issues

Many of the issues that DeepSource finds can be fixed automatically with a click. DeepSource sends a pull request with the fix, which can be merged right away on approval. In the forked project above, DeepSource found 278 issues, of which 64 can be autofixed. Look for the "Autofix" button against an issue.

[Image: Autofix]

With a single click, a PR is generated on the repo with an additional commit of code formatted with black (the transformer).

[Image: Pull request with autofix]
