
Development Standards

Static analysis

Introduction

Static analysis helps teams detect code quality and security issues early in the development process. It provides fast, automated feedback and reduces the risk of introducing defects into production.

Static analysis tools can be applied to application code, infrastructure as code and container configurations. They are most effective when integrated into CI/CD pipelines and run on every pull request. However, because pull request analysis is point-in-time, scheduled scans SHOULD also be used to detect newly disclosed vulnerabilities in previously committed code.

Guidance

Teams MUST:

  • run static analysis on every pull request and ensure all checks pass before merging
  • use appropriate tools for the language or platform being used
  • configure tools to enforce quality and security standards consistently

Teams SHOULD:

  • schedule regular scans (e.g. daily or weekly) using tools such as Snyk, CodeQL, or platform-native scanners
  • monitor scan results and triage new issues promptly

Application code

For languages such as JavaScript, Python, Java and C#:

  • SonarQube MUST be used to detect code quality issues
  • Snyk MUST be used to detect known security vulnerabilities
  • Dependabot MUST be used to identify and update outdated dependencies

Infrastructure as code

For Terraform:

  • TFLint MUST be used to detect code quality issues
  • Checkov MUST be used to detect security misconfigurations
  • Infracost MUST be used to estimate resource costs before deployment
  • Dependabot MUST be used to keep Terraform modules up to date
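The following GitHub Actions workflow is an added example, not part of this standard, showing how the guidance above (analysis on every pull request plus a scheduled re-scan) can be applied with the Terraform tooling listed in this section. The `infrastructure` directory, the weekly cron time and the pinned action versions are assumptions.

```yaml
name: terraform-static-analysis

on:
  # Point-in-time check of the proposed change on every pull request.
  pull_request:
  # Scheduled runs execute against the default branch, so previously
  # merged code is re-checked as new rules and findings are published.
  schedule:
    - cron: "0 6 * * 1"   # assumed: every Monday 06:00 UTC

permissions:
  contents: read          # least privilege: the scanners only need to read the tree

jobs:
  tflint:
    name: TFLint (code quality)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: terraform-linters/setup-tflint@v4
      - name: Lint Terraform
        working-directory: infrastructure   # assumed location of the Terraform code
        run: |
          tflint --init
          tflint --format compact           # non-zero exit fails the check

  checkov:
    name: Checkov (security misconfigurations)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install Checkov
        run: pip install checkov
      - name: Scan Terraform for misconfigurations
        # Any failed policy makes the job fail, which blocks the merge
        # once these jobs are configured as required status checks.
        run: checkov --directory infrastructure --framework terraform
```

To satisfy the "all checks pass before merging" requirement, mark both jobs as required status checks in the repository's branch protection rules for the main branch.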

Containers

For container images:

Measurement

Use these indicators to assess adoption and effectiveness of static analysis practices.

ID   | Indicator                        | GREEN                                                  | AMBER                                      | RED
-----|----------------------------------|--------------------------------------------------------|--------------------------------------------|--------------------------------
SA-1 | Static analysis on pull requests | Run on every pull request with all checks passing      | Run on some pull requests only             | Not run or results ignored
SA-2 | Application code scanning        | Tools configured and enforced for all supported languages | Tools used inconsistently or not enforced | Tools not used or misconfigured
SA-3 | Infrastructure as code scanning  | Tools configured and enforced for Terraform            | Tools used manually or partially           | No scanning in place
SA-4 | Container image scanning         | Automated scanning in CI/CD using approved tools       | Manual scanning or partial coverage        | No image scanning
SA-5 | Scheduled scanning               | Regular scans configured and monitored                 | Scans configured but not monitored         | No scheduled scanning

Published: 24 July 2025
Last updated: 7 August 2025