Static code analysis in a continuous integration world

The adoption of Agile methods, DevOps, and continuous integration (CI) has driven the velocity of software development to unprecedented levels, with teams delivering multiple releases a day. The benefits for embedded systems are obvious, the latest features, fixes, and updates can be deployed as rapidly as possible. But does this high frequency of change impact code quality? The answer is yes, but then the question is: How does your team adapt to maintain high-release standards?

“Manual intervention leads to human error and non-repeatable processes. Two areas where manual intervention can disrupt agility the most are in testing and deployments. If testing is performed manually, it is impossible to implement continuous integration and continuous delivery in an agile manner (if at all). Also, manual testing increases the chance of producing defects, creating unplanned work.” – 11 Common DevOps Bottlenecks, Forbes Magazine

Manual testing is out of the question to meet development velocity where it counts, as are forms of automated testing where a person has to spend time researching, creating, and validating new tests before deploying. That’s where comes (SCA) in, bringing in a suite of automated checks for everything from security vulnerabilities and concurrency violations to gaps in compliance to industry standards. Let’s look at how this proven technology, invented more than 30 years ago, fits into a CI system.
A new type of SCA engine

The answer lies in the SCA engine itself. Most SCA tools, by their very nature, operate on large, holistic code bases to ensure their analysis takes into account as many components and execution paths as possible. This is akin to the old waterfall method of development where testing happens only after large pieces of code have been integrated. Not a very good fit for rapid release cycles and CI.

Changing the engine itself to analyze only the modified code, rather than processing all the code all the time, and running at check in brings agility to SCA and the testing process. With this continuous static code analysis, developers get the results of all the automated checks in the shortest possible time, as the checks run on their incremental code changes only. It’s really the only way for testing by analysis to keep up.
Leveling up scale

This begs the question of scalability: How does a continuous static code analysis engine work across multiple developers? Again, the answer is to break up the problem. By deploying the analysis to CI agents across machines, the workload is fully distributed and able to work within the context of individual developers. It also helps scaling up as more developers are added. The simplest way to do this is to integrate with existing CI systems, taking advantage of their architecture and making set up easy for teams already using them.

For more details on how static code analysis fits into CI, read this white paper. For a demonstration of how continuous static code analysis works on real code, visit

Walter Capitani is the Klocwork product manager for Rogue Wave Software. Walter’s diverse industry experience encompasses high-speed satellite radio communications, file distribution applications for broadcast television and cinema, and 3D and transmission technology. In the past decade, Walter has managed the development and deployment of large content distribution systems for customers such as PBS, CBS Westwood One, Best Buy, and Deluxe Digital Cinema. Although his favorite programming language is C++, Walter has experimented with Assembler, Java, BASIC, and others. He still feels that you can’t beat an original!

Rogue Wave Software

Topics covered in this article