- Static code analysis is a method of debugging by examining source code before a program is run. It’s done by analyzing a set of code against a set (or multiple sets) of coding rules.
- Static code analysis and static analysis are often used interchangeably, along with source code analysis.
- This type of analysis addresses weaknesses in source code that might lead to vulnerabilities. Of course, this may also be achieved through manual code reviews. But using automated tools is much more effective.
- Static analysis is commonly used to comply with coding guidelines — such as MISRA. And it’s often used for complying with industry standards — such as ISO 26262.
- Static code analysis is performed early in development, before software testing begins.
So, what’s the difference between static analysis and dynamic analysis?
- Both types detect defects. The big difference is where they find defects in the development lifecycle.
- Static analysis identifies defects before you run a program (e.g., between coding and unit testing).
- Dynamic analysis identifies defects after you run a program (e.g., during unit testing). However, some coding errors might not surface during unit
testing. So, there are defects that dynamic testing might miss that static code analysis can find.