Static Code Analysis in Continuous Integration and Continuous Delivery (CI/CD)
By Puneet Lal
In the past 20 years, advancements in technologies such as mobile, smart devices, IoT, and the cloud have led to creation of millions of new applications. To develop applications faster with quality and predictability, companies are evolving their software development processes. In the early 2000s, “lightweight” agile software development started gaining popularity. Agile is an iterative software development process that places importance on collaboration, continuous planning, and continuous testing.
Continuous integration and delivery (CI/CD) is an extension of agile that is mainly focused on the tools and processes needed to integrate code and automate testing and software delivery. CI/CD is gaining popularity as it enables faster application development and delivery.
What Is Continuous Integration (CI)?
Continuous integration is a development practice where developers integrate their code into a shared mainline several times a day. There are several advantages to developing and integrating code in small increments. Since each code increment has not diverged much from the mainline, the merges are quick, less error-prone, and finding defects is much easier. In a CI workflow, developers first locally test their new or modified code (step 1 in the above diagram), then integrate the code into the mainline (step 2), and lastly, verify that the CI build (step 3) and automated tests (step 4) have passed successfully. The developers address build or test failures before they move on to their next task.
What Is Continuous Delivery (CD)?
Once the CI build and the automated tests complete successfully, the team can decide to automatically release the software into production. This practice of automating the entire release process is called continuous delivery (step 5 in the above diagram). CI is a prerequisite to implementing CD, but based on business needs, teams may decide not to implement CD.
Benefits of CI/CD
The following are the key benefits for adopting CI or CI/CD:
- Lower Risk - Developing and delivering in small increments reduces project risk.
- Better Communication – All code changes are made on the mainline of code, promoting code sharing and collaboration.
- Fast and Cost Effective – Smaller increments reduce the time and effort required to merge code and defects are easier to detect and fix.
- Increased Productivity – Processes are fully automated, eliminating time-consuming and error-prone manual activities such as manual testing.
- Greater Consistency and Quality – Automated tests provide greater predictability, repeatability, and reliable output.
Why Is Static Code Analysis Essential for CI?
Static code analysis tools find code defects by examining the code without executing the program. As such, static code analysis has become an essential part of CI because:
- It is very efficient in identifying hundreds of types of defects such as concurrency, data flow, dynamic memory, and numerical defects.
- It finds defects early in the development cycle, that is, as soon as code is written or modified.
- It verifies compliance with coding standards such as MISRA C®, MISRA C++, JSF++, and custom naming conventions.
- It finds security vulnerabilities and checks for adherence with security standards such as CERT® C, CERT C++, ISO 17961, and MISRA C:2012 Amendment 1.
- By using formal methods, it can prove the absence of overflow, divide-by-zero, out-of-bounds array access, and other run-time errors.
Polyspace® static code analysis products are designed to work in CI and can be easily automated using CI tools such as Jenkins™ and Bamboo.
Polyspace Code Prover™ uses formal methods to prove the absence of critical run-time errors under all possible control flows and data flows. Code proving can be integrated with CI build testing (step 4 in the above CI workflow diagram) to test robustness of the software.
Polyspace Bug Finder™ checks for coding rule violations, security vulnerabilities, hundreds of additional classes of bugs, and computes code metrics. Developers can use Polyspace Bug Finder to find defects and check adherence to coding standards before submitting their code (i.e., step 1 in the above CI workflow diagram). Polyspace Bug Finder can also be integrated with CI build testing (step 4 in the above diagram) to analyze the entire application.
For more information on Polyspace products and how to integrate them in CI, please visit: