Have you had any success using static code analysis (static source code analysis) to identify technical debt in your code base? What was the source of the tech debt?
CTO, 3 months ago
We use SonarQube for static analysis and have implemented a clean-as-you-go approach to technical debt, especially for legacy projects. This approach has been invaluable in gradually improving code quality without overwhelming the team with massive refactoring tasks. By integrating SonarQube into our CI/CD pipeline, we've ensured that new code adheres to high standards while incrementally addressing issues in the existing codebase. This constant feedback on PRs also serves as a way to educate our team on coding best practices, preventing the accumulation of technical debt in the first place.
I'd also like to reiterate the importance of security, complexity analysis, and enforcement mentioned by others in this thread.
1. Security - use something like GitHub vulnerability scanning; it will identify libraries with known CVEs. We had the option to block a merge request based on findings. We also used BlackDuck, Snyk, Codacy, or others.
2. Quality - test coverage tools; we would block a merge request if unit test coverage fell below the current coverage bar. We would also enforce local coding standards.
3. System complexity analysis - this was done with help from external consultants who reviewed the entirety of our source and created a map of system complexity and where we had anti-patterns that needed to be addressed.
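The coverage gate described in point 2 (block the merge if coverage falls below the current bar, and only ever raise the bar) can be implemented as a small CI step. The following is an added example, not code from the thread or from SonarQube; the Cobertura report is constructed inline, and the baseline file name and the 0.5-point tolerance are assumptions.

```python
"""Coverage ratchet gate: fail a merge request when line coverage drops below
the stored bar, and raise the bar whenever coverage improves.
Added example, not code from the thread; baseline file name and tolerance are assumed."""
import json
import xml.etree.ElementTree as ET

# Constructed sample Cobertura XML, the format coverage.py and many JVM/.NET
# reporters emit; only the summary attributes on <coverage> are used here.
SAMPLE_REPORT = """<?xml version="1.0" ?>
<coverage lines-covered="130" lines-valid="160" branch-rate="0.70">
  <packages/>
</coverage>"""


def line_coverage(cobertura_xml: str) -> float:
    """Return line coverage as a fraction in [0, 1] from a Cobertura report."""
    root = ET.fromstring(cobertura_xml)
    covered = int(root.attrib["lines-covered"])
    valid = int(root.attrib["lines-valid"])
    return covered / valid if valid else 0.0


def evaluate_gate(current: float, baseline: float, tolerance: float = 0.005) -> dict:
    """Decide whether the MR passes the coverage bar.

    The bar only ratchets upward: when coverage improves, the new baseline is
    the higher value; a drop larger than `tolerance` (assumed 0.5 points) fails,
    so a failing MR never lowers the stored bar.
    """
    passed = current + tolerance >= baseline
    new_baseline = max(baseline, current) if passed else baseline
    return {
        "passed": passed,
        "current": round(current, 4),
        "baseline": round(baseline, 4),
        "new_baseline": round(new_baseline, 4),
    }


def run_gate(cobertura_xml: str, baseline_json: str) -> dict:
    """Parse the report and the stored baseline (JSON text) and evaluate them."""
    baseline = json.loads(baseline_json).get("line_coverage", 0.0)
    return evaluate_gate(line_coverage(cobertura_xml), baseline)


if __name__ == "__main__":
    # In CI the baseline would be read from a committed file (assumed name:
    # .coverage-baseline.json) and rewritten with new_baseline on success.
    result = run_gate(SAMPLE_REPORT, '{"line_coverage": 0.80}')
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)
```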