Fundamentals 10 min read

Static Code Scanning: Principles, Tools, and Three Years of Practice in a Dealer Technology Department

This article explains the fundamentals of static code scanning, reviews popular analysis tools such as Checkstyle, FindBugs, PMD and SonarQube, and details a three‑year evolution of a dealer technology department’s CI/CD integration, automation, metrics, and key success factors for effective code quality assurance.


In the early stages of our development process we discovered that most defects are introduced during coding, and the later they are found, the higher the repair cost; static code scanning aims to detect these defects early, shifting testing left.

Static code analysis examines source code (and compiled bytecode for languages like Java) using lexical, syntactic, and abstract‑syntax‑tree techniques, checking for conformity, safety, reliability, and maintainability. Two main analysis methods are pattern‑matching of known defect signatures and data‑flow analysis of variable usage.
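To make the two methods concrete, the following added example (not code from the article or from any of the tools it names) implements a toy analyzer on Python's standard `ast` module instead of Java bytecode. The pattern-matching checker looks for fixed defect signatures (a call to `eval`/`exec`, a string literal assigned to a credential-like name); the data-flow checker walks each function body in evaluation order and reports a local that is read before it is first assigned and a local that is assigned but never read. The rule names, the `RISKY_CALLS`/`SECRET_NAMES` lists and the sample source are all constructed for the illustration; the data-flow pass is deliberately straight-line (it does not reason about branches), which is the simplification real tools remove with proper control-flow graphs.

```python
"""Toy static analyzer: pattern matching vs. data-flow analysis on a Python AST."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


# --- Method 1: pattern matching of known defect signatures ----------------
RISKY_CALLS = {"eval": "dynamic code evaluation", "exec": "dynamic code execution"}
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")


class PatternChecker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        fn = node.func
        if isinstance(fn, ast.Name) and fn.id in RISKY_CALLS:
            self.findings.append(Finding("risky-call", node.lineno,
                                         f"call to {fn.id}(): {RISKY_CALLS[fn.id]}"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal stored into a name that looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(k in target.id.lower() for k in SECRET_NAMES):
                    self.findings.append(Finding("hardcoded-secret", node.lineno,
                                                 f"string literal assigned to {target.id}"))
        self.generic_visit(node)


# --- Method 2: data-flow analysis of variable usage -----------------------
def _flow_events(node):
    """Yield (name, 'read'|'write', lineno) in evaluation order for one scope."""
    if isinstance(node, ast.Name):
        yield (node.id, "write" if isinstance(node.ctx, ast.Store) else "read", node.lineno)
        return
    if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
        return  # nested scope: analysed on its own by the visitor
    if isinstance(node, ast.Assign):
        children = [node.value, *node.targets]  # RHS is evaluated before the store
    elif isinstance(node, ast.AugAssign):
        if isinstance(node.target, ast.Name):
            yield (node.target.id, "read", node.lineno)  # x += 1 reads x first
        children = [node.value, node.target]
    else:
        children = list(ast.iter_child_nodes(node))
    for child in children:
        yield from _flow_events(child)


class DataFlowChecker(ast.NodeVisitor):
    def visit_FunctionDef(self, node):
        params = {a.arg for a in node.args.posonlyargs + node.args.args + node.args.kwonlyargs}
        events = [ev for stmt in node.body for ev in _flow_events(stmt)]
        written = {n for n, k, _ in events if k == "write"}
        read = {n for n, k, _ in events if k == "read"}
        seen_write = set(params)
        for name, kind, line in events:
            if kind == "write":
                seen_write.add(name)
            elif name in written and name not in seen_write:
                # Written somewhere in this function, but this read comes first.
                self.findings.append(Finding("read-before-assign", line,
                                             f"local {name} may be read before assignment"))
                seen_write.add(name)  # report each name once
        for name, kind, line in events:
            if kind == "write" and name not in read and not name.startswith("_"):
                self.findings.append(Finding("dead-store", line,
                                             f"local {name} is assigned but never read"))
        self.generic_visit(node)

    def __init__(self):
        self.findings = []


def analyze(source):
    """Run both checkers over a source string and return findings sorted by line."""
    tree = ast.parse(source)
    findings = []
    for checker in (PatternChecker(), DataFlowChecker()):
        checker.visit(tree)
        findings.extend(checker.findings)
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed sample input containing one instance of each defect class.
SAMPLE = '''
DB_PASSWORD = "hunter2"          # hardcoded secret (pattern rule)

def load(cfg):
    result = eval(cfg)           # risky call (pattern rule)
    count = count + 1            # read before assignment (data-flow rule)
    unused = 42                  # dead store (data-flow rule)
    return result
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Running the file prints the four findings in line order. The read-before-assign rule only fires for a name that the function also writes, which is exactly the condition under which CPython raises `UnboundLocalError` at run time; names that are never written in the function are treated as globals or builtins and left alone.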

Popular Java static analysis tools include Checkstyle (focuses on coding style), FindBugs and PMD (focus on defect detection), and SonarQube, a comprehensive quality management platform that can integrate third‑party plugins such as the aforementioned tools.

SonarQube consists of four parts: a web server for displaying quality information, an Elasticsearch‑based search service, a database storing scanned results, and a scanner that uploads analysis outcomes to the server. Its plugin marketplace allows custom extensions.

The dealer technology department began static scanning in late 2016, initially creating a Jenkins job per team that sequentially built and scanned all of the team's projects nightly. This approach proved slow and error‑prone, and it made aggregating metrics across teams difficult.

To address these issues we parallelized jobs by adding asynchronous scanner sub‑jobs to each project's CI pipeline, built a web portal to register projects and automatically modify Jenkins scripts via the Jenkins API, and aggregated Sonar data to produce group‑level dashboards and historical trends, establishing baselines for quality scores.

Feedback led to further enhancements: immediate feedback after each commit, scanning of all branches, and a push‑event‑driven service that pulls the changed branch, runs Sonar analysis, and sends DingTalk notifications with detailed defect information, creating a closed‑loop workflow.
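The closed loop just described, as an added example rather than the department's own service: a push event arrives, the shared webhook secret is checked in constant time, the branch name is validated before it is used, the branch is fetched and checked out, `sonar-scanner` is run for that branch, the open issues are read back and a DingTalk markdown message is assembled. The payload shape (GitLab-style `ref`/`after`/`project.git_http_url`), the `sonar-scanner` `-D` properties, the `SONAR_TOKEN` environment variable, the `/api/issues/search` issue fields and the DingTalk robot message format are assumptions about those products, not details from the article; the repository, hostnames, secret and issue list are constructed. The `run`, `fetch_issues` and `notify` callables are injected so the loop runs offline, which is also how you would unit-test it.

```python
"""Push-event-driven scan loop: webhook -> fetch branch -> sonar-scanner -> DingTalk notice."""
import hmac
import json
import re
from collections import Counter
from dataclasses import dataclass

# Conservative allow-list for ref names that will be used in commands and URLs.
SAFE_BRANCH = re.compile(r"^[A-Za-z0-9._/-]+$")


@dataclass(frozen=True)
class PushEvent:
    repo_url: str
    branch: str
    commit: str


def verify_webhook(headers, expected_token):
    """Constant-time check of the shared secret (assumed GitLab header X-Gitlab-Token)."""
    supplied = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


def parse_push_event(payload):
    ref = payload.get("ref", "")
    if not ref.startswith("refs/heads/"):
        raise ValueError(f"not a branch push: {ref!r}")
    branch = ref[len("refs/heads/"):]
    if not SAFE_BRANCH.match(branch) or ".." in branch:
        raise ValueError(f"refusing suspicious branch name {branch!r}")
    return PushEvent(payload["project"]["git_http_url"], branch, payload["after"])


def build_scanner_command(project_key, branch, host_url, workdir):
    """argv list for sonar-scanner (branch analysis needs an edition that supports it).
    The token is expected in the SONAR_TOKEN environment variable rather than on the
    command line, so it does not appear in process listings or CI console logs."""
    return [
        "sonar-scanner",
        f"-Dsonar.projectKey={project_key}",
        f"-Dsonar.branch.name={branch}",
        f"-Dsonar.host.url={host_url}",
        f"-Dsonar.projectBaseDir={workdir}",
        "-Dsonar.sources=.",
    ]


def summarize_issues(issues):
    """Count open issues by severity (fields as returned by /api/issues/search)."""
    return Counter(i["severity"] for i in issues if i.get("status", "OPEN") == "OPEN")


def format_dingtalk_message(project_key, event, issues):
    counts = summarize_issues(issues)
    summary = ", ".join(f"{sev}: {n}" for sev, n in sorted(counts.items())) or "no open issues"
    lines = [f"### Sonar scan: {project_key} @ {event.branch} ({event.commit[:8]})", f"- {summary}"]
    for i in [x for x in issues if x.get("status", "OPEN") == "OPEN"][:5]:
        lines.append(f"- [{i['severity']}] {i['component']}:{i.get('line', '?')} {i['message']}")
    return {"msgtype": "markdown",
            "markdown": {"title": f"Sonar {project_key}", "text": "\n".join(lines)}}


def handle_push(headers, body, *, secret, project_key, host_url, workdir, run, fetch_issues, notify):
    """One closed-loop iteration. run/fetch_issues/notify are injected (no git, scanner or network here)."""
    if not verify_webhook(headers, secret):
        raise PermissionError("webhook token mismatch")
    event = parse_push_event(json.loads(body))
    run(["git", "-C", workdir, "fetch", "origin", event.branch])   # argv list: no shell parsing of the branch
    run(["git", "-C", workdir, "checkout", "--detach", event.commit])
    run(build_scanner_command(project_key, event.branch, host_url, workdir))
    message = format_dingtalk_message(project_key, event, fetch_issues(project_key, event.branch))
    notify(message)
    return message


# Constructed sample data so the loop can be exercised offline.
SAMPLE_HEADERS = {"X-Gitlab-Token": "example-shared-secret"}
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/feature/login-fix",
    "after": "0123456789abcdef0123456789abcdef01234567",
    "project": {"git_http_url": "https://git.example.internal/dealer/portal.git"},
})
SAMPLE_ISSUES = [
    {"severity": "BLOCKER", "status": "OPEN", "component": "portal:src/Login.java", "line": 42,
     "message": "Use a secure random number generator"},
    {"severity": "MAJOR", "status": "OPEN", "component": "portal:src/Login.java", "line": 10,
     "message": "Remove this unused import"},
    {"severity": "MAJOR", "status": "RESOLVED", "component": "portal:src/Db.java", "line": 7,
     "message": "already fixed"},
]


def demo():
    """Drive handle_push with fakes; returns (commands that would run, messages that would be sent)."""
    executed, sent = [], []
    handle_push(SAMPLE_HEADERS, SAMPLE_BODY, secret="example-shared-secret", project_key="dealer-portal",
                host_url="https://sonar.example.internal", workdir="/tmp/dealer-portal",
                run=executed.append, fetch_issues=lambda *_: SAMPLE_ISSUES, notify=sent.append)
    return executed, sent


if __name__ == "__main__":
    cmds, msgs = demo()
    for c in cmds:
        print(" ".join(c))
    print(msgs[0]["markdown"]["text"])
```

Two details carry most of the security weight: commands are built as argument lists so a crafted branch name cannot be interpreted by a shell, and the scanner token never appears in the argument vector. In a real deployment `run` would wrap `subprocess.run(cmd, check=True, env={..., "SONAR_TOKEN": token})` and `fetch_issues` would call the SonarQube API with the same token.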

We also formed a virtual “code guardian” team to define coding standards and best practices, embedding most rules into the static analysis configuration so developers learn and follow them automatically.

The key factors for a successful static code scanning deployment are real‑time feedback, measurable metrics via dashboards, and a closed‑loop process that drives defect resolution and continuous quality improvement.

Tags: CI/CD, Software Engineering, code quality, static-code-analysis, sonarqube, Jenkins
Written by HomeTech (HomeTech tech sharing)