As an engineer, I want to use static code analysis so that we don't deploy type errors that can break production.
I attached the presentation slides.
Other projects that use static code analysis are able to detect and prevent issues from being deployed to production.
What it does
Checks our codebase on every commit for class existence, correct types between method calls, and variable usage. Additionally, we added PHPMD to find unused calls on every commit as well.
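The per-commit check described above, as an added example of a GitLab CI configuration (this is not the project's own pipeline). It assumes a Composer project with application code under src/, the analysis tools installed as dev dependencies, PHPStan as the type/class-existence checker (the page names only PHPMD; PHPStan and its level are assumptions), and Composer 2.4 or newer for the package audit job:

```yaml
# Added example .gitlab-ci.yml; assumptions: composer project, code under src/,
# vendor/bin/phpstan and vendor/bin/phpmd installed as dev dependencies.
stages:
  - analysis

# Shared setup: official composer image ships PHP + composer; vendor/ is cached per branch.
.php_base:
  image: composer:2
  before_script:
    - composer install --no-interaction --no-progress --prefer-dist
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - vendor/

# Class existence, argument/return types, undefined variables.
# Level 5 is an assumed starting point; raise it as findings get fixed.
# The gitlab error format feeds GitLab's code quality widget on merge requests,
# and a non-zero exit from phpstan fails the job (and so blocks the merge).
phpstan:
  extends: .php_base
  stage: analysis
  script:
    - vendor/bin/phpstan analyse --no-progress --level=5 --error-format=gitlab src > phpstan-report.json
  artifacts:
    when: always
    reports:
      codequality: phpstan-report.json

# PHPMD unusedcode ruleset: unused private fields/methods, parameters and locals.
phpmd:
  extends: .php_base
  stage: analysis
  script:
    - vendor/bin/phpmd src text unusedcode

# Known vulnerabilities in locked composer packages (composer >= 2.4).
composer-audit:
  extends: .php_base
  stage: analysis
  script:
    - composer audit --no-interaction
```

Every push runs all three jobs, so a type error or an undefined class in a merged commit fails the pipeline before anything reaches production; the phpstan report is uploaded even when the job fails so the findings stay visible on the merge request.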
How We built it
We reviewed lists of available static analysis tools for PHP, shortlisted the ones we found most useful and easy to set up, and used them to analyze our codebase.
Challenges We ran into
Custom logic and extensions that are available only on production cause a lot of noise in the analysis: many false positives.
Accomplishments that we are proud of
Last Thursday we broke production with type issues in merged code. We ran the tools on these commits and were able to spot all of the issues. If we had had this last week, we would have prevented 3 production-breaking deployments that we had to pinpoint on prod, deploy a fix for, and verify again, wasting hours of our time.
- GitLab CI pipelines to analyze every commit
- Prevents the error that broke label printing
- Prevents data integrity issues
- Detected dead code that can be removed
- Monitor our technical debt over time
- Spot security issues in old and new composer packages
What We learned
- It's better to show specific, actionable issues instead of numbers like code complexity, NPath complexity, etc.
- A lot of tools provide similar numbers
- The process has to be integrated into our GitLab pipeline to make it available for everyone
What's next for Static Code Analysis
- Finish the basic implementation we can benefit from
- Fix issues found by the tools
- Set up continuous code quality tool for the whole company
- Investigate more tools to improve engineer velocity
- Check for class cyclic dependencies
- Enable rules per team