
Static Code Analysis

At Ombu Labs we use popular open source tools to assess the complexity and test coverage of our clients' code bases, looking for critical issues and security vulnerabilities.

To perform static code analysis for our clients, we follow these steps:

  1. Generate a Code Climate report of their source code. Code Climate is a tool we use to measure the health of our clients' code, searching for duplications and code smells and pointing out possible improvements. The following is an example of the output of running Code Climate on a linked GitHub repository:

    [Figure: Code Climate Report]

  2. Review the most complex files alongside the least covered files, using SimpleCov data. SimpleCov is a tool that generates a report with the percentage of lines covered in each of your files. The following is an example of a Coverage Results Report; you can browse through it and view each individual source file and its coverage:

    [Figure: SimpleCov Report]

    Source File Coverage View:

    [Figure: SimpleCov Source File]

  3. Compare the most churned files with the least covered files, using SimpleCov data.
  4. Run Brakeman, through Code Climate, to find known security holes. Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.
  5. Compile the most critical issues into a detailed report and share it with the client, to help define the best course of action to upgrade their application securely.
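The coverage-versus-churn comparison and the Brakeman review above can be automated into a single "hotspot" list. The script below is an added example written for this page, not Ombu Labs' tooling or part of SimpleCov or Brakeman. It assumes three inputs, each embedded here as constructed sample data: SimpleCov's `.resultset.json` (the layout where each file maps to `{"lines": [...]}`, with `null` marking lines that are not relevant), the file list printed by `git log --name-only --pretty=format:` (one path per touched file, commits separated by blank lines), and Brakeman's JSON report (`brakeman -f json`), of which only the `warnings` array with its `file` key is used. Files are ranked so that those with Brakeman warnings come first, then the most churned, then the least covered.

```ruby
require 'json'

# Constructed sample of SimpleCov's .resultset.json (not a real project's data).
SAMPLE_RESULTSET = <<~JSON
  {
    "RSpec": {
      "coverage": {
        "/app/models/user.rb":                   { "lines": [1, 1, null, 0, 0, 0, 1, null] },
        "/app/controllers/orders_controller.rb": { "lines": [1, 0, 0, 0, 0, null, 0, 0] },
        "/app/helpers/format_helper.rb":         { "lines": [1, 1, 1, null] }
      },
      "timestamp": 1700000000
    }
  }
JSON

# Constructed output of `git log --name-only --pretty=format:` for four commits.
SAMPLE_GIT_LOG = <<~LOG
  app/controllers/orders_controller.rb
  app/models/user.rb

  app/controllers/orders_controller.rb

  app/controllers/orders_controller.rb
  app/helpers/format_helper.rb

  app/models/user.rb
LOG

# Constructed Brakeman JSON output, trimmed to the keys this script reads.
SAMPLE_BRAKEMAN = <<~JSON
  {
    "warnings": [
      { "warning_type": "SQL Injection",   "confidence": "High",
        "file": "app/controllers/orders_controller.rb", "line": 12 },
      { "warning_type": "Mass Assignment", "confidence": "Medium",
        "file": "app/models/user.rb", "line": 4 }
    ],
    "errors": []
  }
JSON

# Percentage of relevant lines executed, keyed by path relative to `root`.
def coverage_by_file(resultset_json, root: '/')
  coverage = {}
  JSON.parse(resultset_json).each_value do |suite|
    suite.fetch('coverage').each do |path, entry|
      lines = entry.is_a?(Hash) ? entry['lines'] : entry # older SimpleCov stores the bare array
      relevant = lines.compact                           # nil = not executable (comments, `end`)
      next if relevant.empty?
      covered = relevant.count { |hits| hits > 0 }
      relative = path.sub(/\A#{Regexp.escape(root)}/, '')
      coverage[relative] = (100.0 * covered / relevant.size).round(1)
    end
  end
  coverage
end

# Number of commits that touched each file.
def churn_by_file(git_log)
  git_log.lines.map(&:strip).reject(&:empty?)
         .each_with_object(Hash.new(0)) { |path, counts| counts[path] += 1 }
end

# Number of Brakeman warnings reported against each file.
def warnings_by_file(brakeman_json)
  JSON.parse(brakeman_json).fetch('warnings')
      .each_with_object(Hash.new(0)) { |warning, counts| counts[warning['file']] += 1 }
end

# Files worth a closer look: any with a Brakeman warning, plus churned files
# whose coverage is below `max_coverage`. Most urgent first.
def hotspots(coverage, churn, warnings, max_coverage: 80.0)
  (churn.keys | warnings.keys).map do |file|
    { file: file, churn: churn.fetch(file, 0),
      coverage: coverage.fetch(file, 0.0), warnings: warnings.fetch(file, 0) }
  end
    .select { |row| row[:warnings] > 0 || row[:coverage] < max_coverage }
    .sort_by { |row| [-row[:warnings], -row[:churn], row[:coverage]] }
end

if $PROGRAM_NAME == __FILE__
  rows = hotspots(coverage_by_file(SAMPLE_RESULTSET),
                  churn_by_file(SAMPLE_GIT_LOG),
                  warnings_by_file(SAMPLE_BRAKEMAN))
  rows.each do |r|
    puts format('%-42s churn=%d coverage=%5.1f%% brakeman=%d', r[:file], r[:churn], r[:coverage], r[:warnings])
  end
end
```

On the sample data the helper file drops out (fully covered, no warnings), while the controller ranks first because it carries a warning, is the most churned and is the least covered; that combination is exactly the kind of file the final report should lead with. Against a real repository, replace the three constants with the contents of `coverage/.resultset.json`, the `git log` output and the Brakeman report.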