Static Code Analysis: client-side tools integration with Codacy

In this article:
Subscribe to our blog:

Testing and analyzing your code is one of the most important parts of your software development process. With Codacy, you can automate code reviews, with your code being automatically evaluated in every commit and pull request. Codacy uses static code analysis to do that, which means that we analyse your code without executing it in a non-runtime environment. Static code analysis makes early development faster and more efficient since errors can be caught before they end up causing significant damage — to your software and your heart, because finding a major error in production is not for the faint-hearted.

Codacy uses several tools to perform automatic static code analysis over 40+ supported languages and frameworks. However, some tools require code compilation, so Codacy does not directly integrate them. But don’t worry, you can still use those tools! You just need to configure them as client-side tools. We are here to help you shift left and analyze your code earlier in the development lifecycle.

How does Codacy support client-side tools?

At the moment, Codacy supports client-side tools in two different ways, depending on if they are considered standalone or containerized. Let’s analyze each of the options.

Standalone tools

You need to download, configure, and run standalone tools yourself. You can’t configure these tools on the Codacy UI because they must be configured manually. However, we are not leaving you alone: Codacy provides auxiliary converters that parse the output provided by the standalone tools’ output and convert it to a format that you can later upload to Codacy using our API. 

Containerized tools

For containerized tools, Codacy provides a Docker image (an executable package) for the tools, and you can then run the image using the Codacy Analysis CLI. Check out how to set it up in our documentation. When Codacy Analysis CLI is up and running, it will automatically fetch the code pattern settings that you previously defined in the Codacy UI and apply them when running these tools.

If you are using GitHub, you can use the Codacy Analysis CLI GitHub Action to run any containerized tool and upload the results to Codacy. Codacy will then display the results of the analysis of your commits and pull requests on the UI. 

7 client-side tools integrated by Codacy

Codacy currently supports 7 client-side tools: 4 standalone and 3 containerized options. Let’s get to know them.

aligncheck (Containerized)

The check package is a linter tool for the Go programming language, with a set of 3 utilities. Aligncheck detects align errors, varcheck finds unused global variables and constants, and structcheck finds unused struct fields. Note that structcheck doesn’t handle embedded structs yet. Check out our instructions on how you can run check with Codacy. 

Clang-Tidy (Standalone)

The Clang tools are a set of linter tools for C, C++, and Objective-C programming languages.  Its goal is to diagnose and fix typical programming errors, such as interface misuse, style violations, and overall programming bugs. It checks more than 300 common bug patterns, including critical security and performance errors. Check out our instructions on how you can run Clang-Tidy with Codacy. 

deadcode (Containerized)

The deadcode tools is a tool for Go programming language, which detects unused declarations in a Go package.  Check out our instructions on how you can run deadcode with Codacy. 

Faux Pas (Standalone)

The Faux Pas tool is a tool for Objective-C programming language, which detects bugs, maintainability, and style issues. Besides code, it also analyses Xcode IDE for project configurations, interface builder files, static assets such as images, and version control issues. Check out our instructions on how you can run Faux Pas with Codacy. 

 

Gosec (Standalone)

The Gosec tool is a security checker for Go programming language. It inspects code for security problems by scanning the Go AST. Check out our instructions on how you can run Gosec with Codacy. 

SpotBugs (Containerized)

The SpotBugs tool is a tool for Java and Scala programming languages. It is a fork of FindBugs (no longer maintained), and it checks more than 400 bug patterns. SpotBugs can be used standalone or through IDE integration (Ant, Maven, Grandle, and Eclipse). At Codacy, we bundled this tool with Find Security Bugs, a SpotBugs plugin for security audits of web applications, which also integrates with your IDE (Ant, Maven, Eclipse, IntelliJ, Android Studio, and NetBeans). Check out our instructions on how you can run SpotBugs (and Find Security Bugs) with Codacy. 

Staticcheck (Standalone)

The Staticheck tool is a linter tool for Go programming language. It performs more than 100 checks, with the goals of detecting bugs and performance issues, offering simplifications, and enforcing style rules. Check out our instructions on how you can run Staticcheck with Codacy.

RELATED
BLOG POSTS

Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs
As part of our effort to continue expanding our language support, we are excited to announce the support of two new tools for all Codacy users:...
Further Enterprise security analysis for Scala
We’re excited to announce the latest addition to our suite of security analysis: Spotbugs.
A Deep Dive into Static Code Analysis Tools
Static code analysis is a crucial aspect of modern software development. At its core, it involves examining the source code of a program to identify...

Automate code
reviews on your commits and pull request

Group 13