What is Static Analysis Within CI/CD Pipelines?

Thanks to DevOps practices, enterprise IT is faster and more agile. Automation in the form of automated builds, tests, and releases plays a significant role in achieving those benefits and creates the foundation for Continuous Integration/Continuous Deployment (CI/CD) pipelines. However, is it possible to integrate security into the mix without slowing down the process? One way IT teams can integrate security into the DevOps pipeline is by making sure that released code is safe from the very start. The concept of integrating security as a first-class citizen into a DevOps process is known as DevSecOps, and is a best practice for security-sensitive businesses.

Cloud Academy recently released a new set of DevOps labs highlighting some best practices for automation in CI/CD pipelines. In this post, I’ll show you how you can use static analysis in CI/CD pipelines to improve the quality of your code to reduce issues now and in the future.

What is static analysis?

Static analysis is a method of examining code for defects, bugs, or security issues without executing it, before the code is pushed to production. Often referred to as “linters,” static analysis tools flag unnecessary or sloppy constructs in your code and perform automated checks to improve code quality. Static analysis tools can check for:

  • Inconsistencies in code style conventions and standards. It can be as simple as enforcing consistent indentation and variable names or as complex as enforcing compliance with the MISRA or CERT Secure Coding Standards
  • Resource leaks, such as failing to release allocated memory or to close files, which can eventually lead to program crashes
  • Incorrect usage of Application Programming Interfaces (APIs)
  • Common security vulnerabilities such as those identified by the Open Web Application Security Project (OWASP) or Common Weakness Enumeration (CWE)
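To make the last bullet concrete, here is an added example of the kind of check a security-focused linter performs. It is not code from the article or from any named tool: a small rule-based scanner for three common Node.js injection sinks, run over a constructed vulnerable request handler and its hardened counterpart. The rule ids, messages and both snippets are made up for the illustration; real linters work on a syntax tree rather than line-by-line regular expressions, but the idea of matching a known-bad sink is the same.

```javascript
// Added example (not from the article): a tiny rule-based static check for a
// few common Node.js injection sinks. Rule ids, messages and the two sample
// sources below are constructed for illustration. Real linters work on an AST;
// line regexes are used here only to keep the idea visible.

const RULES = [
  {
    id: 'no-eval',
    severity: 'high',
    message: 'eval() executes arbitrary code; remove it',
    test: (line) => /\beval\s*\(/.test(line),
  },
  {
    id: 'no-shell-concat',
    severity: 'high',
    message: 'exec() called with a built-up command string; use execFile() with an argument array',
    // exec( followed by anything other than a single plain string literal
    test: (line) => /\bexec\s*\((?!\s*['"][^'"]*['"]\s*[,)])/.test(line),
  },
  {
    id: 'no-sql-concat',
    severity: 'high',
    message: 'SQL assembled from a template literal or concatenation; use a parameterised query',
    test: (line) => /\.query\s*\(\s*(`[^`]*\$\{|['"][^'"]*['"]\s*\+)/.test(line),
  },
];

// Scan one source file and return findings with 1-based line numbers.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    if (/^\s*\/\//.test(text)) return; // comment lines never trigger a rule
    for (const rule of RULES) {
      if (rule.test(text)) {
        findings.push({ rule: rule.id, severity: rule.severity, line: index + 1, message: rule.message });
      }
    }
  });
  return findings;
}

// Constructed vulnerable handlers: request input flows into a shell command and a SQL string.
const VULNERABLE_SOURCE = `
const { exec } = require('child_process');
app.get('/ping', (req, res) => {
  exec('ping -c 1 ' + req.query.host, (err, out) => res.send(out));
});
app.get('/user', (req, res) => {
  db.query(\`SELECT * FROM users WHERE name = '\${req.query.name}'\`, cb);
});
`;

// Constructed hardened version: argument arrays and a parameterised query.
const HARDENED_SOURCE = `
const { execFile } = require('child_process');
app.get('/ping', (req, res) => {
  execFile('ping', ['-c', '1', req.query.host], (err, out) => res.send(out));
});
app.get('/user', (req, res) => {
  db.query('SELECT * FROM users WHERE name = ?', [req.query.name], cb);
});
`;

// Report in the "file:line [severity] rule: message" shape most CI logs expect.
function formatReport(name, findings) {
  return findings.map((f) => `${name}:${f.line} [${f.severity}] ${f.rule}: ${f.message}`);
}

console.log(formatReport('routes.js', scanSource(VULNERABLE_SOURCE)).join('\n') || 'no findings');
console.log(formatReport('routes-fixed.js', scanSource(HARDENED_SOURCE)).join('\n') || 'no findings');
```

Run with `node`: the vulnerable file produces two findings (the shell concatenation on line 4 and the SQL template literal on line 7) and the hardened file produces none. The `no-shell-concat` rule deliberately lets `exec('ls -la', cb)` through, because a fixed literal command carries no untrusted input; that distinction is what separates a useful security rule from one that developers learn to ignore.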

What kinds of static analysis tools are available?

The static analysis tools available can be categorized by the capabilities they support, including:

Programming languages: Tools may support single or multiple languages. If your codebase spans multiple languages, a single tool like Coverity, which supports 14 languages including JavaScript, .NET, Java, and Python, may be the most thorough option for discovering bugs across languages.

Real-time tools: Instantaneous analysis tools are ideal for checking code in development environments as it’s being written. Here, the tradeoff is speed over more thorough, time-consuming checks. Many of these are open source, which allows for easier adoption and customization.

Deep analysis tools: On the other end of the spectrum, deep analysis tools can take much longer and are likely to identify issues that a real-time tool would miss. Enterprise-grade tools in this area often have hefty licensing fees, and they may bring more issues to light than you have the bandwidth to address. Many of these tools can be configured to report only the most important issues.

Compilers: Although not a dedicated static analysis tool, compilers may also be used to improve the quality of your code. You can use configuration flags to adjust the number of checks they perform.

Integrating Static Analysis within CI/CD

Among the many benefits of using static analysis tools, the one that matters most to organizations is the ability to discover bugs before they are released into the wild (and while they are still cheap to fix). Within the DevOps practice of CI/CD, static analysis tools provide additional benefits.

Tools that take a long time to run tend to be ignored during development. Even when static analysis is quick, running it by hand is still not the best use of a developer’s time. Integrating analysis tools within CI/CD ensures that they are used consistently and automatically while offering an extra level of analysis to make sure that nothing is able to sneak through.

There are different options for how to integrate static analysis tools in your environment. One approach is to run them early in the pipeline along with other automated tests. At this point, you’ll be able to fix any issues before the peer code review, which speeds up the overall process. In turn, developers spend less time reviewing and have more time to develop new code.

If you have large code bases, running a deep analysis on every commit may take too much time. Instead, you can use a less thorough analysis configuration on development branches and perform more expensive scans on a schedule or when integrating into upstream branches. The goal is to discover bugs as early as practically possible and it’s up to you to choose the system that works best for your team. Tools like Klocwork have fully embraced CI/CD workflows and can incrementally analyze the code changes on each commit.

Higher-end static analysis tools can also track bugs over time. This can help you select which issues to work on in the current release cycle as source code is continuously being integrated. Issues reported in longstanding legacy code that haven’t caused problems are probably not worth the time investment to resolve them in the immediate term. Instead, use precious developer time to focus on more recent issues.
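The three preceding paragraphs describe a policy: quick incremental scans on development branches, deeper scans on upstream branches or on a schedule, and a way to leave longstanding legacy findings alone while blocking on new ones. The following is an added example of that policy as a CI gate, written for this article rather than taken from it or from Klocwork or any other tool. Branch names, severity levels, the sample findings and the legacy baseline are all constructed; the fingerprinting is deliberately simplistic and is noted as such in the code.

```javascript
// Added example (not from the article): policy logic for a CI analysis stage.
// Branch names, severities, the baseline and the findings are all constructed.

const UPSTREAM_BRANCHES = ['main', 'master', 'release'];
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Feature branches get a fast incremental scan that only blocks on high/critical;
// upstream branches and scheduled runs get the full scan with a lower threshold.
function chooseScanPolicy({ branch, trigger }) {
  const upstream = UPSTREAM_BRANCHES.some((b) => branch === b || branch.startsWith(`${b}/`));
  if (trigger === 'schedule' || upstream) {
    return { depth: 'deep', incremental: false, failOn: 'medium' };
  }
  return { depth: 'quick', incremental: true, failOn: 'high' };
}

// A stable identity for a finding so known legacy issues can be carried in a baseline.
// Real tools fingerprint on a hash of the surrounding code rather than the line number,
// which survives unrelated edits above the finding; this version does not.
function fingerprint(f) {
  return `${f.rule}|${f.file}|${f.line}`;
}

// Decide pass/fail: ignore anything already in the baseline, then block on
// fresh findings at or above the policy threshold.
function gateFindings(findings, policy, baseline = []) {
  const known = new Set(baseline.map(fingerprint));
  const fresh = findings.filter((f) => !known.has(fingerprint(f)));
  const threshold = SEVERITY_RANK[policy.failOn];
  const blocking = fresh.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return {
    pass: blocking.length === 0,
    exitCode: blocking.length === 0 ? 0 : 1,
    blocking,
    deferred: fresh.length - blocking.length, // new but below threshold: report, don't fail
    baselined: findings.length - fresh.length, // known legacy issues: tracked, not blocking
  };
}

// Constructed findings as an analysis tool might report them.
const SAMPLE_FINDINGS = [
  { rule: 'no-shell-concat', severity: 'high', file: 'routes/ping.js', line: 12 },
  { rule: 'no-unused-vars', severity: 'medium', file: 'lib/db.js', line: 40 },
  { rule: 'prefer-const', severity: 'low', file: 'routes/ping.js', line: 3 },
];

// Constructed baseline: an old medium-severity issue the team has chosen to defer.
const LEGACY_BASELINE = [{ rule: 'no-unused-vars', severity: 'medium', file: 'lib/db.js', line: 40 }];

function runStage(event, findings = SAMPLE_FINDINGS, baseline = LEGACY_BASELINE) {
  const policy = chooseScanPolicy(event);
  return { policy, ...gateFindings(findings, policy, baseline) };
}

for (const event of [{ branch: 'feature/ping', trigger: 'push' }, { branch: 'main', trigger: 'push' }]) {
  const r = runStage(event);
  console.log(`${event.branch} (${r.policy.depth}): exit ${r.exitCode}, blocking ${r.blocking.length}, deferred ${r.deferred}, baselined ${r.baselined}`);
}
```

In a real pipeline the `exitCode` is what the build stage returns, so a non-zero value stops the deployment just as the CodeBuild stage in the lab does. The baseline is the part worth copying: it lets you adopt a tool on a large legacy code base without an immediate wall of red, while still guaranteeing that no new high-severity finding reaches an upstream branch.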

Another practical constraint is the budget available for static analysis. Rather than obtaining a license for each developer, run the analysis tools on a set number of build machines (or a single machine if possible).

You can experience how static analysis works in CI/CD by completing the Static Code Analysis within CI/CD Pipelines lab on Cloud Academy. This new Hands-on Lab uses an AWS-centric continuous deployment pipeline for deploying a Node.js application. The application is initially released to production without performing static analysis. You learn how to perform an injection attack on the deployed application and then use static analysis to identify the security issue. Finally, you integrate static analysis into the AWS CodeBuild build stage in the pipeline to prevent the vulnerable code from being deployed before you implement a fix. Here is the final environment:

Cloud9 EC2 Environment

Static Analysis of Infrastructure as Code within CI/CD

Infrastructure as code (IaC) offers many benefits to developers including no configuration drift, easily reproducible environments, and simplified collaboration with version control. Did you know that static analysis can also be used to enforce code standards and identify security vulnerabilities for your infrastructure? By using static analysis for infrastructure code, you automate the process and receive earlier feedback compared to infrastructure tests that require actually deploying the infrastructure, a potentially time-consuming operation.

There is usually some form of static analysis built into almost any IaC framework that you may be using. There may be commands to check syntax, ensure that valid parameter values are used, and automatically style the code. You may also be able to perform dry-run deployments to inspect what changes would take place in the environment or to detect errors before actually deploying any infrastructure changes.

You could complement these commands with your own custom analysis code to check for anything you care to verify, such as ensuring certain ports are not open to the public internet. Fortunately, there are usually open source static analysis tools that already provide common checks. For example, cfn_nag can be used to check for security issues in AWS CloudFormation templates, the native IaC framework for AWS. Examples of cfn_nag checks include:

  • Ensuring IAM policies are not overly permissive
  • Ensuring encryption is enabled on services that provide it
  • Ensuring security groups are not overly permissive

If an open-source IaC static analysis tool doesn’t offer a check that you want, it may be easier to add it to the existing code base than to start from scratch.
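As an added example of what the three cfn_nag-style checks above and the “ports open to the public internet” custom check look like in code, here is a small scanner over a CloudFormation template held as a JavaScript object. It is written for this article and is not cfn_nag’s code or rule set; the rule ids and the sample template are constructed. The property names it reads (`SecurityGroupIngress`, `IpProtocol`, `FromPort`, `ToPort`, `CidrIp`, `PolicyDocument`, `Statement`, `BucketEncryption`) are the real CloudFormation ones, so the same functions would run over a template parsed from JSON.

```javascript
// Added example (not from the article and not cfn_nag's code): three checks of the
// kind cfn_nag performs, written against a CloudFormation template held as an
// object. Rule ids and the sample template are constructed for illustration.

const PUBLIC_CIDRS = new Set(['0.0.0.0/0', '::/0']);
const ADMIN_PORTS = [22, 3389]; // SSH and RDP should never face the public internet

// CloudFormation allows a single value or a list in many places; normalise to a list.
function asList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Flag ingress rules that open every port, or an admin port, to the whole internet.
function checkSecurityGroup(name, props) {
  const findings = [];
  for (const rule of asList(props.SecurityGroupIngress)) {
    const cidr = rule.CidrIp || rule.CidrIpv6;
    if (!PUBLIC_CIDRS.has(cidr)) continue;
    const from = Number(rule.FromPort);
    const to = Number(rule.ToPort);
    const allPorts = String(rule.IpProtocol) === '-1' || (from <= 0 && to >= 65535);
    const adminPort = ADMIN_PORTS.some((p) => p >= from && p <= to);
    if (allPorts || adminPort) {
      const range = allPorts ? 'all ports' : `port ${from}-${to}`;
      findings.push({ rule: 'SG_PUBLIC_ADMIN', resource: name, detail: `${range} open to ${cidr}` });
    }
  }
  return findings;
}

// Flag Allow statements that grant a wildcard action on every resource.
function checkIamDocuments(name, documents) {
  const findings = [];
  for (const doc of documents) {
    for (const st of asList(doc && doc.Statement)) {
      if (st.Effect !== 'Allow') continue;
      const actions = asList(st.Action);
      const wildAction = actions.some((a) => a === '*' || String(a).endsWith(':*'));
      const wildResource = asList(st.Resource).includes('*');
      if (wildAction && wildResource) {
        findings.push({ rule: 'IAM_WILDCARD', resource: name, detail: `${actions.join(',')} on *` });
      }
    }
  }
  return findings;
}

// Flag buckets with no server-side encryption configuration.
function checkBucket(name, props) {
  if (props.BucketEncryption) return [];
  return [{ rule: 'S3_NO_ENCRYPTION', resource: name, detail: 'BucketEncryption not set' }];
}

// Walk every resource in the template and dispatch on its type.
function scanTemplate(template) {
  const findings = [];
  for (const [name, res] of Object.entries(template.Resources || {})) {
    const props = res.Properties || {};
    switch (res.Type) {
      case 'AWS::EC2::SecurityGroup': findings.push(...checkSecurityGroup(name, props)); break;
      case 'AWS::IAM::Policy':
      case 'AWS::IAM::ManagedPolicy': findings.push(...checkIamDocuments(name, [props.PolicyDocument])); break;
      case 'AWS::IAM::Role': findings.push(...checkIamDocuments(name, asList(props.Policies).map((p) => p.PolicyDocument))); break;
      case 'AWS::S3::Bucket': findings.push(...checkBucket(name, props)); break;
      default: break;
    }
  }
  return findings;
}

// Constructed template: a mix of acceptable and problematic resources.
const SAMPLE_TEMPLATE = {
  Resources: {
    WebSg: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'web tier',
        SecurityGroupIngress: [
          { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, CidrIp: '0.0.0.0/0' }, // fine for a web tier
          { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, CidrIp: '0.0.0.0/0' },   // SSH to the world
        ],
      },
    },
    AdminRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: { Statement: [] },
        Policies: [{ PolicyName: 'everything', PolicyDocument: { Statement: [{ Effect: 'Allow', Action: '*', Resource: '*' }] } }],
      },
    },
    LogBucket: { Type: 'AWS::S3::Bucket', Properties: {} },
    DataBucket: {
      Type: 'AWS::S3::Bucket',
      Properties: { BucketEncryption: { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }] } },
    },
  },
};

for (const f of scanTemplate(SAMPLE_TEMPLATE)) console.log(`${f.resource}: ${f.rule} (${f.detail})`);
```

Running it reports three findings: the public SSH rule on `WebSg`, the `*` on `*` policy on `AdminRole`, and the unencrypted `LogBucket`; the HTTPS rule and `DataBucket` pass. Because the checks only read the template, they run in seconds inside the pipeline, long before a dry-run or real deployment would surface the same problems.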

You can experience first-hand how to instrument IaC static analysis within a CI/CD pipeline in Cloud Academy’s Hands-on Lab: Static Analysis and Alerting for Infrastructure as Code. The lab uses Terraform as the IaC framework and Jenkins for its continuous integration pipeline. You will learn about the built-in static analysis capabilities in Terraform as well as two open-source static analysis tools that improve on Terraform’s native capabilities. New infrastructure code is continuously integrated by pushing to a Git repository. You will also learn how to configure Amazon SNS notifications based on the results of the static analysis. This is the final environment for the lab:

Cloud9 EC2 Environment - Final lab environment

Complementing Static Analysis

While static analysis tools are continuously improving, they are not a panacea for all of your code quality and security needs. Instead, think of them as one part of a more comprehensive solution for improving the quality and security of your application and infrastructure code. You will still need to employ traditional application unit and integration tests, or even tests for your infrastructure frameworks. You’ll be able to test the Serverspec infrastructure testing framework for yourself in our Hands-on Lab, Infrastructure Testing with Serverspec.
Security is another important category of automated testing frameworks. Learn how to Protect Your Code Against Attacks with Gauntlt in this Hands-on Lab. With Gauntlt, you can write automated tests for several popular security analysis tools, and it can easily be extended to others.
Securing communications is another important aspect of application security. Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are the standard protocols for securing communications on the web. Learn about Best Practices for Deploying SSL/TLS and tools for testing SSL/TLS deployments in this Cloud Academy lab.



Written by

Logan Rakai

Logan has been involved in software development and research for over ten years, including four years in the cloud. At Cloud Academy, he is adding to the library of hands-on labs.
