What are some things that I should think about when choosing a static code analyzer? The team that I work in has a large code base that had never used a static code analyzer. There are no automated smell checks, security checks, etc.
The team is thinking of introducing a static code analyzer. There is no strict guidance from the top on what we should use. What are things I need to consider when choosing a static code analyzer? What are some analyzers that you recommend? I thought about things like ease of use, does it have checks for diff or PR level changes, visualization dashboards, etc.
It should handle JS, TS, PHP.
I don't know much about static code analysis, but my first thought is, why not go with the default, most popular option? For JS/TS, it would be ESLint (that's what we use at Taro, e.g. @typescript-eslint/eslint-plugin).
The benefit of going with the tried and true option:
For many decisions in startups or engineering, you want something that "Just Works". Unless you have reason to believe you have special needs that other engineering teams don't have, your goal should be to minimize the time on that decision and focus on areas of differentiation.
The problem with using eslint is that it does not support just linting a diff or setting a baseline (I might be wrong here, still researching).
The codebase we have is large and does some mission critical work. It has never been linted before and likely, when we first turn eslint on, there is going to be a lot of flagged issues.
We won't be able to fix all of the issues right away. Ideally, we would like to set a baseline and ignore all previous issues and only focus on not introducing any new issues.
eslint doesn't support setting baselines natively (again I might be wrong here). There seems to be a new baseline feature for CSS but can't find anything else. (baseline eslint)
There are plugins that help me do this, but I don't want to introduce plugins made by random people on the internet. It might not be supported long term. (eslint-diff, eslint-baseline)
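The baseline workflow described above can be done without a third-party plugin by diffing ESLint's own JSON output. The following is an added example, not code from this thread or from ESLint; the fingerprint scheme (file + rule + message, ignoring line/column) and the sample findings are my own constructions.

```javascript
// Added example (not from the thread): a minimal ESLint "baseline" filter.
// Run `eslint -f json . > baseline.json` once on the untouched code; on each PR
// run `eslint -f json` again and report only findings missing from the baseline.

// Key a message by file, rule and text; line/column are left out (my choice)
// so edits that shift lines do not resurface old findings.
function fingerprint(filePath, msg) {
  return `${filePath}::${msg.ruleId || "parse-error"}::${msg.message}`;
}

// Count identical fingerprints so N known instances stay suppressed while
// an (N+1)th occurrence is reported as new.
function countFingerprints(results) {
  const counts = new Map();
  for (const r of results) {
    for (const m of r.messages) {
      const k = fingerprint(r.filePath, m);
      counts.set(k, (counts.get(k) || 0) + 1);
    }
  }
  return counts;
}

// Return the messages in currentResults that exceed the baseline counts.
function findNewIssues(baselineResults, currentResults) {
  const remaining = countFingerprints(baselineResults);
  const fresh = [];
  for (const r of currentResults) {
    for (const m of r.messages) {
      const k = fingerprint(r.filePath, m);
      const left = remaining.get(k) || 0;
      if (left > 0) remaining.set(k, left - 1);
      else fresh.push({ filePath: r.filePath, line: m.line, ruleId: m.ruleId, message: m.message });
    }
  }
  return fresh;
}

// Constructed sample data in the shape `eslint -f json` emits.
const BASELINE = [{ filePath: "src/a.js", messages: [
  { ruleId: "no-unused-vars", severity: 2, message: "'x' is assigned a value but never used.", line: 3, column: 7 },
  { ruleId: "eqeqeq", severity: 2, message: "Expected '===' and instead saw '=='.", line: 10, column: 9 },
] }];
const CURRENT = [{ filePath: "src/a.js", messages: [
  { ruleId: "no-unused-vars", severity: 2, message: "'x' is assigned a value but never used.", line: 5, column: 7 },
  { ruleId: "eqeqeq", severity: 2, message: "Expected '===' and instead saw '=='.", line: 12, column: 9 },
  { ruleId: "no-eval", severity: 2, message: "eval can be harmful.", line: 20, column: 3 },
] }];

// Old findings shifted by two lines stay suppressed; only no-eval is new.
for (const f of findNewIssues(BASELINE, CURRENT)) console.log(`${f.filePath}:${f.line} ${f.ruleId}: ${f.message}`);
```

In CI you would feed the real `baseline.json` and the PR's output into `findNewIssues` and fail the job when it returns anything; regenerate the baseline only when old findings are deliberately fixed.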