DevOps for the Cloud: Code Quality Scanning

October 3, 2018 Rahul Agrawal

Coding is hard. Managing a team of distributed programmers, enforcing style guidelines, and performing code reviews is even harder. Fortunately, there are automated tools that can enforce standards and remind developers of the best practices for the language they are working in.



Implementing code quality scanning


When the main focus is simply getting code to work, code quality may not be the first thing a developer focuses on. However, as project team professionals and developers, improving code quality and efficiency should be one of our main concerns. To maintain code quality, you need to ensure your developers are writing quality code, and code quality scanning is a very helpful mechanism for doing so.


Code quality scanning is an automated system for providing code feedback. It's like spelling and grammar check for your code. Code quality maintenance and improvement requires attention and focus throughout a project's lifecycle. Issues with code quality, such as poorly designed or poorly documented code, will accumulate easily if left unchecked. These issues are known as technical debt, and if left to grow, they will make software maintenance increasingly difficult, time-consuming, and risky. In the same way that one might deal with financial debt, the key to mitigating technical debt is to acknowledge and address quality risks or concerns, as early as possible in the development process — not to let them accumulate.


Tools to monitor and improve code quality


There are many tools and techniques that can help your project team improve code quality. The main ones are:

  • Coding Standards
  • Training
  • Code Review
  • Automated Quality Analysis

Automated Quality Analysis tools (often called ‘static code analysis’ tools) help maintain high code quality. These tools benefit developers by scanning code and flagging vulnerabilities. Tools like ESLint, PMD, SonarQube, and Checkmarx can identify these issues and track trends over time. This allows your project teams to view the current and historic code health of the project. Let’s dive deeper into how PMD and SonarQube bring code scanning into your workflow.


Static code analysis tool: PMD


PMD examines source code in several languages, including Salesforce Apex, and is capable of automatically detecting a wide range of potential bugs, dead code, suboptimal code, over-complicated expressions, and duplicated code. PMD comes with a rich and highly configurable set of rules that developers can quickly set up, straight out of the box. This code scanning tool can identify the following types of issues:


  • Empty 'try/catch/finally/switch' blocks
  • Empty 'if/while' statements
  • Classes with high Cyclomatic Complexity measurements
  • Unnecessary 'if' statements for loops that could be 'while' loops
  • Unused local variables, parameters, and private methods
  • SOQL queries in loops
  • Duplicated code — copy/paste code can mean copy/paste bugs, and decrease maintainability
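The issue types above map onto named PMD rules, and a project normally pins the ones it cares about in a custom ruleset file. The ruleset below is an added example, not configuration from the original post; it assumes the PMD 6.x rule names and category paths for Apex (for example, AvoidSoqlInLoops lives under category/apex/performance.xml in PMD 6 and was folded into a different rule in PMD 7), and the file name apex-quality.xml is arbitrary. It also pulls in the Apex security category, since the same scan that catches empty catch blocks can catch SOQL injection and missing CRUD/FLS checks.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- apex-quality.xml: example PMD 6.x ruleset for Salesforce Apex (added example, not from the original post) -->
<ruleset name="Apex quality gate"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

  <description>Quality and security rules enforced on every Apex commit.</description>

  <!-- Empty control-flow blocks: exceptions swallowed silently or dead branches -->
  <rule ref="category/apex/errorprone.xml/EmptyCatchBlock">
    <priority>1</priority>
  </rule>
  <rule ref="category/apex/errorprone.xml/EmptyTryOrFinallyBlock"/>
  <rule ref="category/apex/errorprone.xml/EmptyIfStmt"/>
  <rule ref="category/apex/errorprone.xml/EmptyWhileStmt"/>
  <rule ref="category/apex/errorprone.xml/EmptyStatementBlock"/>

  <!-- Governor-limit hazard: a query inside a loop fails once the loop runs often enough -->
  <rule ref="category/apex/performance.xml/AvoidSoqlInLoops">
    <priority>1</priority>
  </rule>

  <!-- Complexity: report methods above 10 and classes above 40 decision points
       (these are PMD's documented defaults, written out here so the team can tune them) -->
  <rule ref="category/apex/design.xml/CyclomaticComplexity">
    <properties>
      <property name="methodReportLevel" value="10"/>
      <property name="classReportLevel" value="40"/>
    </properties>
  </rule>

  <!-- Dead code; this rule requires PMD 6.23 or later -->
  <rule ref="category/apex/bestpractices.xml/UnusedLocalVariable"/>

  <!-- Security rules from the same category set: dynamic SOQL built from untrusted input,
       DML without CRUD/FLS checks, classes that silently bypass sharing, reflected XSS -->
  <rule ref="category/apex/security.xml/ApexSOQLInjection">
    <priority>1</priority>
  </rule>
  <rule ref="category/apex/security.xml/ApexCRUDViolation"/>
  <rule ref="category/apex/security.xml/ApexSharingViolations"/>
  <rule ref="category/apex/security.xml/ApexXSSFromURLParam"/>

</ruleset>
```

With PMD 6.x this is run as `run.sh pmd -d force-app -R apex-quality.xml -f text` (or `pmd.bat` on Windows). PMD exits with status 4 when any violation is found, so the same command placed in a CI job fails the build, and the priority values above decide which findings the team treats as blocking versus advisory.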

The recently updated Apex PMD extension for VS Code provides real-time feedback on Apex code right inside the code editor; there is no better way to ensure developers see and act on feedback.


Open-source code tracker: SonarQube


SonarQube is an open-source product used to track quality metrics across multiple languages and projects. SonarQube scans are typically run as part of continuous integration jobs (such as GitLab CI) whenever changes are made to a codebase.


These scans identify issues ranging from excessive complexity to security flaws. They can also track unit test coverage. SonarQube tracks issues over time, ranks them by severity, and attributes them to the developer who last touched that line of code. This allows your project team to see quality trends, take action on particular issues, and prevent code from proceeding through the continuous deployment process if it shows significant quality issues.


SonarQube examines and evaluates different aspects of your source code: from minor styling details, potential bugs, and code defects to critical design errors, lack of test code coverage, and excessive complexity. SonarQube produces metrics and statistics that can reveal problematic source code that requires inspection or improvement.


We recommend the free Enforce plugin for SonarQube to provide support for Salesforce Apex code analysis.


Benefits of improving your code quality

Improving your project’s code quality has a trickle-down effect, resulting in a number of benefits. Here are a few other practices that advance it:

  • Follow the programming language style guide for the language(s) being developed in.
  • Give descriptive names for methods and variables
  • Do not overdesign
  • Use efficient data structures and algorithms
  • Create proper test classes and modularize code
  • Document all aspects of the project
  • Keep all elements of your project in a version control system

By sticking to these points, project teams have the available tools to create readable, thoroughly tested, manageable code. Improved code quality helps development teams work quickly and safely, which benefits them and the businesses they support.


Ready to start your DevOps transformation today? Visit the Appirio Hub to find more information on what we offer, and arrange a DevOps Assessment to get a customized roadmap to DevOps success.
