February 10, 2020

What Is Static Code Analysis? Static Analysis Overview

Static Analysis
Security & Compliance

Static analysis helps development teams that are under pressure. Quality releases needed to be delivered on time. Coding and compliance standards need to be met. And mistakes are not an option.

That’s why development teams are using static analysis tools. Here, we discuss static analysis and the benefits of using a static code analysis tool.

Read along or jump to the section that interests you the most:

➡️ Choose the best static analysis tool

What Is Static Analysis?

Static analysis is a method of debugging that is done by automatically examining the source code without having to execute the program. This provides developers with an understanding of their code base and helps ensure that it is compliant, safe, and secure.

What Is Static Code Analysis?

Static code analysis refers to the operation performed by a static analysis tool, which is the analysis of a set of code against a set (or multiple sets) of coding rules.

Static code analysis and static analysis are often used interchangeably, along with source code analysis. 

This type of analysis addresses weaknesses in source code that might lead to vulnerabilities. Of course, this may also be achieved through manual code reviews. But using automated tools is much more effective.

Static analysis is commonly used to comply with coding guidelines — such as  MISRA. And it’s often used for complying with industry standards — such as  ISO 26262.

📕 Related Resource:  How Static Code Analysis works  to help ensure high quality, secure, and reliable code.

When Is Static Analysis Performed?

Static code analysis is performed early in development, before software testing  begins. For organizations practicing DevOps, static code analysis takes place during the “Create” phase.

Static code analysis also supports DevOps by creating an automated feedback loop. Developers will know early on if there are any problems in their code. And it will be easier to fix those problems.

Static Analysis vs Dynamic Analysis

So, what’s the difference between static analysis and dynamic analysis?

Both types detect defects. The big difference is where they find defects in the development lifecycle.

Static analysis identifies defects before you run a program (e.g., between coding and unit testing).

Dynamic code analysis  identifies defects after you run a program (e.g., during unit testing). However, some coding errors might not surface during unit testing. So, there are defects that dynamic testing might miss that static code analysis can find.

What Are the Limitations of Static Code Analyzers?

Static code analysis is used for a specific purpose in a specific phase of development. But there are some limitations of a static code analysis tool.

No Understanding of Developer Intent


int calculateArea(int length, int width)
    return (length + width);


A static analysis tool may detect a possible overflow in this calculation. But it can’t determine that function fundamentally does not do what is expected!

Rules That Aren’t Statically Enforceable

Some coding rules depend on external documentation. Or they are open to subjective interpretation.

For example:



Use comments consistently and in a readable fashion.


Possible Defects Lead to False Positives and False Negatives

In some situations, a tool can only report that there is a possible defect.


int divide(void)
    int x;
        x = 0;
        x = 5;
    return (10/x);


If we know nothing about foo(), we do not know what value x will have.

The result is undecidable. That means that tools may report defects that do not actually exist (false positives). Or they may fail to report real defects (false negatives). 

What Are the Benefits of Static Code Analyzers?

There are several benefits of static code analysis tools — especially if you need to comply with an industry standard.

The best static code analysis tools offer speed, depth, and accuracy. 


It takes time for developers to do manual code reviews. Automated tools are much faster.

Static code checking addresses problems early on. And it pinpoints exactly where the error is in the code. So, you’ll be able to fix those errors faster. Plus, coding errors found earlier are less costly to fix.


Testing can’t cover every possible code execution path. But a static code analyzer  can.

It checks the code as you work on your build. You’ll get an in-depth analysis of where there might be potential problems in your code, based on the rules you’ve applied.

Here's an example of in-depth code analysis in Helix QAC

Image Solution Automotive Compliance Helix QAC
An example of code analysis in Helix QAC.


Manual code reviews are prone to human error. Automated tools are not.

They scan every line of code to identify potential problems. This helps you ensure the highest-quality code is in place — before testing begins. After all, when you’re complying with a  coding standard, quality is critical.  

How to Choose a Static Analysis Tool?

Here are a few things to consider when deciding which tool is right for you.

Programming Language

Analyzers are designed for many different programming languages. So, it’s important to choose a tool that supports your language.


One the primary uses of static analyzers is to comply with standards. So, if you’re in a regulated industry that requires a coding standard, you’ll want to make sure your tool supports that standard.

Tips for Choosing a Static Analysis Tool

Interested in more tips for selecting a static code analysis tool? "How to Choose the Best Static Code Analyzer" covers:

  • Benefits and challenges of static code analysis.
  • Best practices for using it.
  • 6 requirements for choosing the right tool.
📕 Related White Paper: Learn how to choose the right Static Analysis  tool for your team.

Why Choose a Perforce Static Code Analyzer Tool?

Perforce static analysis solutions have been trusted for over 30 years to deliver the most accurate and precise results to mission-critical project teams across a variety of industries.  Helix QAC  and  Klocwork  are certified to comply with coding standards and compliance mandates. And they deliver fewer false positives and false negatives.

Experience firsthand the difference that a Perforce static code analysis tool can have on the quality of your software. Sign up for a free trial today.

➡️ register for a free Static analysis trial