Static Code Analysis: How to Pick the Right Tool


The tools that you use to streamline your Salesforce development process are what allow you to deliver the best and most efficient version of your release. Planning, project management, source code management, static code analysis (SCA), and continuous integration tools all help to streamline the development process, and each plays an important role in helping you deliver your final product.

What to Consider

With so many options available, how do you know which tool fits your development needs? As static code analysis experts, we’re here to help you assess which SCA tool is right for your organization.

There are a lot of SCA tools available to optimize your code. Major factors that should be considered in your decision making are as follows:

  • Language Support
  • Ruleset
  • Integrations
  • Cost

Language Support

The most important part of picking a static code analysis tool is language. What language is your code written in? There are thousands of languages that you can code in, so at the most basic level, you want to be sure the tool you pick supports your language.

Major Salesforce languages include Apex, Visualforce, Lightning Web Components, metadata, flows, and process builders. The top contenders in the Salesforce ecosystem that support these languages are CodeScan, PMD, SonarQube™, Checkmarx, Clayton, Codacy, and CodeClimate. Before choosing the right tool for you, take into consideration how many Salesforce languages it supports.


Ruleset

Finding a tool that supports your languages isn’t enough. You need to evaluate how robust the coverage is within that program. Would you buy a book on translation that only translates 25% of the words?

After understanding how many Salesforce languages are supported in your static code analysis tool, you should consider the number of rules the tool supports within those languages. We created a graph that highlights ruleset and language coverage per SCA tool.

CodeScan graph highlighting static code analysis tools

As you can see, PMD, Codacy, and CodeClimate support only a minimal share of the Salesforce languages (Apex) and provide minimal rulesets. SonarQube™ and Checkmarx offer slightly more coverage, for Apex and Visualforce. CodeScan and Clayton cover all the Salesforce languages, including Lightning Web Components and metadata. The number of rules within each tool ranges from low to high, with PMD having the smallest ruleset and CodeScan the largest.


Integrations

The DevOps pipeline requires many different tools to work together simultaneously in order to help teams work more efficiently. This is why integration with your static code analysis tool is important. You want to find the right SCA tool to integrate with your development pipeline and sync with your process. For static code analysis, there are 4 major points at which integration is key: IDE, code repository, project management, and CI. For example, if you want to block code that fails a scan from being deployed to production, you will need a tool that integrates with your CI. Fortunately, most SCA tools work with APIs, plugins, and GUIs, so they are compatible with the DevOps pipeline. However, you need to consider your team’s capacity, as each tool requires a different level of effort.


Cost

Cost can be a dealbreaker for some teams, whereas for other teams, tools that provide the best ROI outweigh the cost. The cost can vary from a free open source option to a very expensive enterprise-level price. It’s important to examine the price structure to determine if the tool suits your needs. Are you a small or large organization? Do you need to perform a couple of scans or a lot of scans daily? These questions will help you determine if you need a tool that limits total lines scanned over time (such as Checkmarx) compared to total lines per scan (such as CodeScan). With the wrong choice, you may sacrifice functionality while increasing your cost.

The number of users is another major factor when evaluating cost. If you anticipate growth within your team or require multiple users, you can expect to see higher costs.

Another aspect to consider when it comes to cost is service. What type of customer service are you offered after you purchase your product? Does a dedicated customer care representative cost extra? What is the skill level of your team, and do they require extra support with XML files, proxy settings, etc.? These should all be factored in when making a decision.

Best Ranked Tools

While language support, ruleset, integration, and cost are important to consider when picking an SCA tool, other aspects to consider are the following:

  • Cloud versus self-hosted services
  • Custom rules options

Cloud services require no maintenance, while self-hosted services provide more control. Creating custom rules is a great option if you choose a tool that has a smaller ruleset.

Every organization is different and approaches DevOps differently. Still unsure which static code analysis tool is right for you? We ranked our top three tools and highlighted the benefits of each.

CodeScan: Top Ranking Static Code Analysis Tools
