Static Code Analysis for your .NET projects

• Tools
• Dotnet
• SonarCloud
• Static Code Analysis

Building quality software

Every developer aims to create predictable, maintainable, and high-quality software. But being human, we make mistakes. That's where automation comes in, from testing and deploying to running applications.

But what about the codebase? How can we ensure minimal complexity, proper coding standards, avoid common pitfalls, and predict code behavior?

The answer is to rely on rules set by your team, the platform, or the programming language. This is the essence of Static Code Analysis.

It can be a manual code review or automated using various tools, as we'll explore in this post.

More about static code analysis

Read Eric Dietrich's informative article on Static Analysis.

If you're curious about Dynamic Analysis, explore these articles:

• Dynamic Code Analysis Primer
• More on Dynamic Analysis

This post is Part 1 of the Static Analysis series. In the next post, we'll set up SonarCloud for an ASP.NET Core + React SPA application in a continuous integration pipeline. Check it out here.

Where to use static code analysis

I found plenty of NuGet packages, IDE extensions and external services available on the market. That was hard to digest and probably I might miss some very helpful tools.

During development

Using build-time code analysis in Visual Studio /Code (or other preferred tool), we enable developers to quickly understand what rules are being broken. This enables them to fix code earlier in the development lifecycle preventing late-stage build failures.

For Visual Studio Code

Consider extensions like:

• Dev Kit
• OmniSharp A go-to tool for C# development.
• Roslynator Offers 500+ analyzers and fixes for C#.
• DevSkim Provides inline security analysis as you code.
• SonarLint Useful for frontend (HTML, CSS, JS, TS) analysis.
• Sonar Dotnet Connect to SonarCloud from your development environment.

For Visual Studio

• Roslynator Again the famous Roslynator analyzers for Visual Studio.
• SonarLint Useful for frontend (HTML, CSS, JS, TS) analysis.
• ReSharper Not just an analysis tool, but a comprehensive development tool.
• NDepend A "Swiss Army Knife" for .NET Developers.

Other tools

• Rider Another great IDE for .NET developers which comes with the power of ReSharper.

In build pipelines

Use NuGet packaged analyzers to automatically run as your project builds in CI. When a build encounters a code quality error, you can immediately fail the build, send alerts, or apply any other actions.

.NET Core SDK 3.0 or later includes analyzers for Open APIs (previously Swagger). Enable the analyzer by setting IncludeOpenAPIAnalyzers to true in your project file.

NuGet packages to consider

• Microsoft Code Quality Rules
• CSharp Analyzers for ASP.NET Core MVC
• Roslynator Analyzers
• SonarCloud Analyzers
• Async/Await Misuse Checker
• StyleCop's Rules via Roslyn

Security analysis

• SecurityCodeScan for .NET
• DevSkim for inline security analysis

By SCM platform

Different CI platforms may provide their own tool for security analysis:

• Only Azure DevOps https://secdevtools.azurewebsites.net/helpcredscan.html
• Only GitLab https://docs.gitlab.com/ee/user/application_security/sast/index.html
• GitHub GitHub Marketplace Last but not least. GitHub's community driven marketplace provides so many tools for code quality, security analysis. Choose your weapon.

NuGet packages for tests

• Provides diagnostic analyzers to warn about incorrect usage of NSubstitute in C# https://www.nuget.org/packages/NSubstitute.Analyzers.CSharp
• Code Analyzers for projects using xUnit.net https://www.nuget.org/packages/xunit.analyzers

External services

Consider these external services for static code analysis:

• SonarCloud My go-to tool for .NET projects. They even have a separate scanner for .NET. Pretty nice integration with Azure DevOps. Free for public projects.
• Embold Fairly new tool with Free plan for 1M executable-lines-of-code for public repositories.
• Embold Free for public repositories.
• CodeFactor 1 private and unlimited free repositories.
• CodeClimate 50 free repositories.
• Codacy Paid service.

..and many more counting. These are the one I found easy to get started without installing and configuring additional software.

In Conclusion

Static code analysis may seem like overhead initially, but it offers long-term benefits:

• Confidence to release more frequently
• Quicker Time to Market (TTM)
• Reduced business risks (data loss, vulnerabilities, application failures)

Rules may sometimes slow down your development, but it's up to you and your team to configure them for your needs.
Stay tuned for the next post where we'll configure SonarCloud for ASP.NET Core + React SPA.
What are your favorite static code analysis tools? Share your thoughts!

Happy analyzing!

More resources

• Seven Reasons Why Roslyn-Based Code Analyzers Are Awesome
• Microsoft's Visual Studio Code Quality Documentation
• Analysis Tools Development: Static Analysis