March 27, 2020

How to Pair Static Analysis With CI/CD Pipelines


As more software is installed into devices across all industries, it has become essential that the embedded code is safe and secure, reliable, and high quality. At the same time, competitive pressures often mean tighter project schedules.

Ensuring that the embedded code meets these standards and is delivered in a timely manner can be a daunting and time-consuming challenge. For that reason, many teams have adopted CI/CD pipelines as a component of a more efficient software development process.


What Are CI/CD Pipelines?

Continuous integration and continuous delivery (CI/CD) pipelines are software engineering approaches that form part of the larger software delivery pipeline. Put simply, continuous integration is the practice of merging each developer’s working copy of the code into a shared mainline several times a day, while continuous delivery is the regular, frequent delivery of software functionality.

CI/CD pipelines form the backbone of DevOps automation. Additionally, quality assurance and security checking can easily be integrated into the CI/CD process. The goal is for developers to receive immediate feedback on any issues found within their most recent code revisions. Fixes can be made at the earliest opportunity (and lowest cost). This all helps ensure delivery of a high quality, reliable, and competitive software product on time.


Why Static Analysis Is Necessary for CI/CD Pipelines

Static analysis inspects your source code to identify defects, vulnerabilities, and compliance issues as you code — without having to run the program. This makes static analysis an essential component of a CI/CD pipeline, as it helps with:

  • Detection of common security vulnerabilities, including those highlighted by security coding standards such as CERT and CWE, DISA STIG, and OWASP.
  • Early detection of potential runtime errors. These include memory leaks, concurrency violations, or uninitialized data — all of which can cause system failures.
  • Compliance with safety-related coding standards, such as MISRA C/C++ and AUTOSAR.
  • Enforcement of company or project-wide coding guidelines or naming conventions, and maintainability requirements.

What Is Differential Static Analysis?

Most code edits only change a tiny fraction of the total amount of code in a project, but minor changes can still have a large impact on the overall system.

A single developer’s local analysis of a changed source file may not flag any issues; however, the changes may still lead to issues that can only be detected through complete, system-wide analysis.

With a traditional static analyzer, the only way to find these issues is to perform an analysis of the entire, merged codebase. The time to complete this analysis will grow in proportion to the size and complexity of the project. This means that as the project grows, the time taken to feed issues back to developers will increase — making it harder to achieve the CI/CD pipeline goal.


Klocwork Is the Only Static Analyzer That Solves This Problem

Klocwork maintains system-wide knowledge of the code in a centralized server. This means it only needs to analyze the small part of the code that has changed in order to work out if there are any resulting system-wide issues.

This means that Klocwork can analyze thousands of source files and tens of millions of lines of code in a matter of seconds — not hours. What’s more, differential static analysis gives developers the shortest possible analysis time together with an impact analysis of their changes — no matter how large the codebase.
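As an added illustration (a constructed toy model, not Klocwork's code or algorithm), the block below shows the mechanism the two sections above describe: a system-wide index of which file defines each function and which files call it, so that a change is re-checked together with only its transitive callers, while a caller that never changed can still pick up a new defect when a callee's contract changes. The file names, function names and the may-return-NULL summaries are all constructed.

```python
"""Toy differential static analysis (constructed illustration, not Klocwork's
code): index who defines/calls each function; re-check a change plus its callers."""
from collections import defaultdict

# Constructed mini-codebase: functions each file defines (summary: may the
# function return NULL?) and calls (flag: does the caller check for NULL?).
CODEBASE = {
    "alloc.c": {"defines": {"buf_new": False},   "calls": {}},
    "parse.c": {"defines": {"parse_hdr": False}, "calls": {"buf_new": False}},
    "net.c":   {"defines": {"recv_pkt": False},  "calls": {"parse_hdr": True}},
    "ui.c":    {"defines": {"draw": False},      "calls": {}},
    "menu.c":  {"defines": {"menu_show": False}, "calls": {"draw": True}},
}

def build_index(codebase):
    """System-wide index: function -> (file, may_return_null), file -> callers."""
    defined_in, callers = {}, defaultdict(set)
    for fname, info in codebase.items():
        for fn, may_null in info["defines"].items():
            defined_in[fn] = (fname, may_null)
    for fname, info in codebase.items():
        for fn in info["calls"]:
            if fn in defined_in:
                callers[defined_in[fn][0]].add(fname)
    return defined_in, callers

def impacted_files(changed, callers):
    """Changed files plus every file that transitively calls into them."""
    seen, todo = set(changed), list(changed)
    while todo:
        for dep in callers[todo.pop()]:
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen

def null_check_defects(codebase, defined_in, files):
    """Flag calls to a may-return-NULL function whose result is never checked."""
    return sorted((f, fn) for f in files
                  for fn, checked in codebase[f]["calls"].items()
                  if fn in defined_in and defined_in[fn][1] and not checked)

def differential_analysis(codebase, changed):
    """Return (files re-analyzed, defects found) for a set of changed files."""
    defined_in, callers = build_index(codebase)
    files = impacted_files(changed, callers)
    return files, null_check_defects(codebase, defined_in, files)

# Constructed change: buf_new gains a size limit and can now return NULL.
AFTER_CHANGE = {**CODEBASE, "alloc.c": {"defines": {"buf_new": True}, "calls": {}}}
```

A full run over all five files and the differential run over three report the same defect, and that defect lands in parse.c, a file that did not change.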

For that reason, adding static analysis to every CI/CD pipeline is practical, efficient, and helps to ensure that there is no need to trade feedback times for quality and security.

Klocwork diff analysis included in CI-commit pipeline.


Klocwork diff analysis results for new defects.


How CI/CD Pipelines Save Cloud Computing Costs

In general, the cost of a DevOps pipeline grows in proportion to its execution times. Klocwork’s differential analysis dramatically reduces execution times and therefore also reduces cloud computing costs.

This saving applies even if you are using an internal cloud computing resource, such as OpenStack. When you deploy static code analysis in your CI/CD pipeline, Klocwork’s Differential Analysis delivers results fast.


Continuous Integration and Continuous Delivery With Static Analysis

Klocwork is the ideal static analyzer for CI/CD pipelines, and its unique Differential Analysis technology provides the fastest analysis results for DevOps pipelines. What’s more, by using Klocwork, you are able to:

  • Ensure complex software is safe, secure, and reliable.
  • Reduce the cost of finding and fixing defects earlier in development.
  • Prove compliance by enforcing software coding standards.
  • Improve developer productivity, testing efforts, and velocity of software delivery.
  • Report on quality over time and across product versions.
