Experts from Qt Quality Assurance provide answers to the most significant questions on static analysis in this interview series.
We interviewed Dr. Sebastian Krings, Manager R&D at Qt Quality Assurance on his top best practices for implementing static code analysis in modern software development — from DevOps integration to reducing false positives.
Top 3 Best Practices for Static Code Analysis
Sebastian, what do you consider the top three best practices for implementing static code analysis in software development?
Sebastian Krings:
- First, integrate static code analysis into the CI/CD pipeline to ensure consistent and automated checks.
- Then establish clear coding standards and configure the tool accordingly to reduce irrelevant results and avoid frustration caused by false positives.
- Regularly review and update rule sets to reflect project evolution and changing team needs.
- And if I am "allowed" to mention my number four ☺: tool configuration should never be "set and forget".
Tool Integration Issues and False Positives in Static Analysis
How do you handle tool integration issues and false positives in static analysis?
- Systematically triage and suppress false positives, involving developers in feedback loops to fine-tune static analysis rules and increase trust in results.
- Test everything in a controlled testbed environment before rollout to avoid disruptions and confusion in production.
- Choose tools with strong IDE and CI/CD integrations (e.g., CLion, Visual Studio Code).
- Cross-functional collaboration between DevOps, QA, and developers is crucial to avoid adoption bottlenecks.
Key Metrics & KPIs to Track Code Quality Improvements
What metrics or KPIs should teams track to measure the success of their static code analysis strategy?
Track:
- Evolution of issues over time. Understand if issues reappear and if issues are identical across analysis runs.
- Types of issues, for example: cloned code, call cycles, dead code, memory leaks, division by zero.
- MISRA or AUTOSAR style violations in safety-critical software.
- False positive rate and developer adoption rate.
These software quality KPIs help ensure accountability, responsiveness, and tool effectiveness in your development projects.
The Introduction of Static Analysis in the SDLC
When should one introduce static analysis in the software development lifecycle (SDLC)?
- Static code analysis should be integrated from the very first line of code—ideally during development in the IDE.
- Embedding it early enables proactive defect detection, reduces technical debt, and fosters a quality-first culture.
- However, you should never refuse static analyzers: it's never too late to start with static code analysis, but the ideal time is right from the start.
The Integration of Static Code Analysis into Processes
What are the most important considerations for teams when integrating static code analysis into their existing processes? What are your best practices for integrating static analyzers into your process?
- Ensure the tool aligns with existing workflows and developer tools to minimize disruption.
- Balance depth of analysis with performance: avoid long build times.
- Provide training and documentation to facilitate adoption and encourage consistent usage across teams. Make sure your team does not just see additional work but understands meaning and benefit.
- Start small: don’t try to fix all violations at once. Focus on key areas.
- Prioritize “not introducing new violations” over cleaning up legacy issues.
- Be prepared for an initial influx of issues, especially in legacy codebases: Know how to communicate and handle them.
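The two points above that are easiest to get wrong in practice are the KPI "are issues identical across analysis runs" and the rule "prioritize not introducing new violations over cleaning up legacy issues". As an added example (not part of the interview and not code from any Axivion tool), the following CI gate fingerprints each finding by rule, file and whitespace-normalized source text instead of line number, so an issue that merely shifts is still recognized as persisting, diffs the run against a stored baseline, and fails the build only on new findings that triage has not suppressed. The findings format, rule names and file paths are constructed for the example.

```python
import hashlib

# Constructed sample findings in a generic "rule/file/line/snippet" shape; real
# analyzers export their own formats, so adapt the loader to your tool's output.
BASELINE = [
    {"rule": "DeadCode", "file": "src/parser.c", "line": 10, "snippet": "return x; /* unreachable */"},
    {"rule": "DivByZero", "file": "src/parser.c", "line": 42, "snippet": "avg = total / count;"},
]
CURRENT = [
    # same DeadCode issue, shifted two lines down by an unrelated edit
    {"rule": "DeadCode", "file": "src/parser.c", "line": 12, "snippet": "return  x; /* unreachable */"},
    # genuinely new finding: must block the build
    {"rule": "MemLeak", "file": "src/net.c", "line": 7, "snippet": "buf = malloc(n);"},
    # new finding that triage reviewed and marked as a false positive (see SUPPRESSED)
    {"rule": "CallCycle", "file": "src/util.c", "line": 3, "snippet": "a(); b();"},
]

def fingerprint(finding):
    """Stable identity of a finding across runs: rule, file and whitespace-normalized
    source text, deliberately NOT the line number, so shifted code is not "new"."""
    key = "|".join([finding["rule"], finding["file"], " ".join(finding["snippet"].split())])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

# Reviewed false positives are suppressed by fingerprint rather than by line, so the
# suppression survives refactorings and can be kept and reviewed in version control.
SUPPRESSED = {fingerprint(CURRENT[2])}

def diff_runs(baseline, current):
    """Classify findings as new, fixed or persisting relative to the stored baseline."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - base.keys())],
        "fixed": [base[k] for k in sorted(base.keys() - cur.keys())],
        "persisting": [cur[k] for k in sorted(cur.keys() & base.keys())],
    }

def gate(baseline, current, suppressed=frozenset()):
    """CI gate: non-zero only for new, unsuppressed findings; legacy issues stay a backlog."""
    report = diff_runs(baseline, current)
    blocking = [f for f in report["new"] if fingerprint(f) not in suppressed]
    report["blocking"] = blocking
    return (1 if blocking else 0), report

if __name__ == "__main__":
    code, report = gate(BASELINE, CURRENT, SUPPRESSED)
    print({kind: len(items) for kind, items in report.items()})  # the per-run trend KPI
    raise SystemExit(code)
```

The per-kind counts printed on each run are exactly the "evolution of issues over time" series worth charting, and the "fixed" list shows which legacy findings disappeared without anyone having to clean up the whole backlog first.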
Final Thoughts: Build Quality from the First Commit
Static code analysis is more than a compliance checkbox — it is a proactive strategy for building reliable, maintainable, and secure software.
By integrating early, configuring smartly, and focusing on the right KPIs, teams can significantly boost code quality, tool adoption, and development velocity.
Meet the Expert: Dr. Sebastian Krings
Dr. Sebastian Krings is an R&D manager and software engineer concerned with the deployment and development of tools for static analysis of software.
Formerly, he was a postdoc at the Institute for Information Security of the Niederrhein University of Applied Sciences. Before that he was part of the Chair for Software Engineering and Programming Languages at Heinrich Heine University in Düsseldorf, Germany, and he received his PhD in 2017 for his research on formal methods for the verification of safety-critical software systems.
His daily work includes developing new code quality analyses in R&D, defining technical requirements, and overseeing the successful implementation of all innovations in the Axivion tools.
Got Questions?
Our experts are happy to help you with any questions that may have arisen. Contact us anytime. We can also recommend our interactive tour through Axivion Static Code Analysis in case you would like to dive in deeper and experience what a sophisticated static analyzer looks like and what it could do for you. Take the tour here.