StaticAnalysis

Code Quality check. Static Analysis

Perfect 👍 — let’s go deeper into Code Quality Checks in CI/CD, especially with tools like SonarQube, linters, and coverage thresholds.

---

🔹 Why Code Quality Checks?

In DevOps pipelines, these checks act as quality gates — they prevent low-quality or risky code from being merged/deployed. They’re usually automated and run as part of CI.

They cover:

• Maintainability (readable, simple code)

• Reliability (bug detection)

• Security (find vulnerabilities early)

• Test coverage (ensure new code is tested)

---

🔹 Main Types of Code Quality Checks

✅ 1. Linting

• What it does: Enforces coding style & catches simple errors.

• Examples: ESLint (JavaScript), Pylint (Python), Checkstyle (Java), clang-tidy (C++).

• Checks for:

  • Unused imports/variables

  • Wrong formatting (tabs vs spaces, line length)

  • Simple bugs (missing await, wrong assignment)

• CI pipeline role: runs on every commit → fast feedback.

---

✅ 2. Static Analysis (SonarQube, CodeQL, etc.)

• What it does: Analyzes code without running it (deep inspection).

• Tools: SonarQube, CodeQL (GitHub), Fortify.

• Checks for:

  • Bugs (null dereferences, memory leaks)

  • Security vulnerabilities (SQL injection, XSS)

  • Code smells (duplicated code, overly complex methods)

  • Technical debt estimate (time to fix issues).

• CI pipeline role: Quality Gate = build fails if thresholds aren’t met (e.g., no new critical bugs allowed).

---

✅ 3. Test Coverage

• What it does: Measures % of code exercised by automated tests.

• Tools: Jacoco (Java), Istanbul/NYC (JS/TS), coverage.py (Python), gcov (C/C++).

• Types:

  • Line coverage (which lines executed?)

  • Branch coverage (did all if/else paths run?)

  • Function/method coverage.

• Best practice: Set a threshold in CI (e.g., PR must have ≥80% coverage).

⚠️ Note: 100% coverage ≠ bug-free code. It only means tests executed all lines, not that tests are meaningful.

---

✅ 4. Quality Gates

A Quality Gate is a rule in the pipeline: “If code quality < threshold, fail the build.”

• Example SonarQube quality gate:

  • 0 new critical bugs/vulnerabilities

  • ≥80% unit test coverage

  • ≤3% code duplication

  • No blocker issues in new code

---

🔹 Example in CI/CD Pipeline

1. Developer commits code

2. Linting runs → quick style/bug feedback

3. Build & Unit Tests → run coverage tool

4. Static Analysis (SonarQube) → detect bugs/security issues

5. Quality Gate → if thresholds fail, pipeline stops

6. If pass → proceed to integration tests & deployment

---

🔹 Benefits

• Catch bugs/security issues before merge

• Keep codebase clean & maintainable

• Prevent “technical debt” from piling up

• Provide objective quality metrics to management

---

✅ In short:

• Lint = quick hygiene

• SonarQube = deep health scan

• Coverage = testing discipline

• Quality Gate = enforce standards automatically

---

👉 Do you want me to show you a sample SonarQube Quality Gate policy (with specific thresholds you can adopt as default), so you could plug it into a real project?