Engineering Practices for Static Code Scanning: Design, Tool Selection, and Implementation
This article explains the concept, requirements, tool selection criteria, comparative analysis of Sonar, Infer and TscanCode, and practical integration steps—including CI pipeline, Jenkins, and project‑management linkage—to demonstrate how static code scanning can be effectively deployed and measured in a production environment.
The previous article covered the definition and classification of static code analysis and the common issues it finds; this one discusses how to design and implement a static code scanning practice in an engineering workflow.
Engineering Concept
Introduce a code scanning mechanism after the testing phase or before release.
Classify issues by severity and sensitivity.
Support most common programming languages.
Keep integration cost low.
Build an automated pipeline: CI build → scan code → submit bug.
Tool Selection
A good static analysis tool should be able to integrate with continuous integration, provide visual data, cover many languages and layers, and allow customizable rules.
Continuous integration support
Visual data presentation
Broad scanning scope (multi‑language, multi‑layer)
Customizable scanning rules
Tool Comparison
Sonar – a web‑based code quality platform that aggregates traditional static analysis tools (PMD, FindBugs, etc.). Advantages: it reports on reliability, security, maintainability, test coverage, and code duplication.
Infer – Facebook’s static analysis tool for Objective‑C, Java, and C. Advantages: high efficiency, large scale, incremental and non‑incremental analysis, decomposition and result aggregation. Drawbacks: requires compiled code, Linux‑only, focuses on mobile apps.
TscanCode – Tencent’s open‑source C/C++ static analysis tool. Advantages: high‑value checks, low false‑positive rate, accurate issue location, friendly result display, cross‑platform (Windows, Linux), strong extensibility, low integration cost. Drawback: newer project, limited visual interface and detailed error descriptions.
Tool Implementation
Automated Pipeline
Integrate scanning into the CI pipeline so that each code submission goes through: CI build → scan code → submit bug → bug management and visualization.
Jenkins Integration
Place the scanning step before the app or SDK packaging stage, using an Execute Shell build step to start the scan and check its results. Configure sensitivity levels for different stages (e.g., more checks during testing, only critical issues before release).
Project Management Integration
Connect the scanning results with a project‑management platform via OpenAPI to create, assign, and track bugs, and optionally link with chat tools for end‑to‑end bug lifecycle visibility and detailed analytics.
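As an added example (not code from the article, from TscanCode, or from ByteDance), the following POSIX shell script is the kind of Jenkins Execute Shell step the two sections above describe: it runs the scanner, counts findings by severity, applies a stage-dependent gate (`STAGE=test` blocks on Serious and Critical findings, `STAGE=release` only on Critical ones), and turns the blocking findings into bug tickets through a project-management OpenAPI. The scanner invocation (`SCANNER_CMD`), the report's XML attribute names, the severity labels, the ownership table, and the `PM_API` endpoint are all assumptions; the sample report is constructed inline so the step runs offline with `DRY_RUN=1`.

```shell
#!/bin/sh
# jenkins_scan_step.sh: scan -> count by severity -> stage gate -> file bugs.
# Added example; scanner command, XML attribute names, severity labels,
# ownership table and PM_API are placeholders/assumptions, not real endpoints.
set -u

STAGE="${STAGE:-test}"                                   # Jenkins build parameter: test | release
REPORT="${REPORT:-${WORKSPACE:-.}/scan_result.xml}"      # WORKSPACE is set by Jenkins
PM_API="${PM_API:-https://pm.example.invalid/openapi/bugs}"   # placeholder endpoint
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print payloads instead of POSTing
SCANNER_CMD="${SCANNER_CMD:-}"                           # real scanner command; must write XML to stdout

# Run the scanner, or write a constructed sample report when no scanner is configured.
run_scan() {
  if [ -n "$SCANNER_CMD" ]; then
    sh -c "$SCANNER_CMD" > "$REPORT" || true      # scanners often exit non-zero when they find issues
  else
    cat > "$REPORT" <<'EOF'
<?xml version="1.0"?>
<results>
<error file="src/net/parser.c" line="42" id="nullpointer" subid="deref" severity="Critical" msg="Possible null pointer dereference: buf"/>
<error file="src/net/parser.c" line="88" id="bufferOverrun" subid="index" severity="Serious" msg="Array index out of bounds"/>
<error file="src/ui/view.c" line="17" id="unusedVariable" subid="local" severity="Information" msg="Unused variable: tmp"/>
</results>
EOF
  fi
}

# Number of findings with the given severity label ($1 = report, $2 = label).
count_severity() {
  grep -c "severity=\"$2\"" "$1" || true
}

# Stage gate: returns 0 (pass) or 1 (block). Testing blocks on Serious and Critical;
# release blocks only on Critical, so scan noise cannot hold up a hotfix.
gate() {
  critical=$(count_severity "$2" Critical)
  serious=$(count_severity "$2" Serious)
  case "$1" in
    test)    [ "$critical" -eq 0 ] && [ "$serious" -eq 0 ] ;;
    release) [ "$critical" -eq 0 ] ;;
    *)       echo "unknown stage: $1" >&2; return 1 ;;
  esac
}

# Pull one double-quoted attribute out of a single <error .../> line ($1 = line, $2 = name).
# The leading space keeps "id" from matching inside "subid".
attr() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Stable fingerprint (file + line + check id) so a re-run does not file the same bug twice.
fingerprint() {
  printf '%s:%s:%s' "$1" "$2" "$3" | cksum | cut -d' ' -f1
}

# Constructed ownership table: assign tickets by source directory.
owner_for() {
  case "$1" in
    src/net/*) echo "net-team-lead" ;;
    src/ui/*)  echo "ui-team-lead" ;;
    *)         echo "qa-triage" ;;
  esac
}

# JSON ticket body ($1 = file, $2 = line, $3 = id, $4 = severity, $5 = message).
# Field names are assumptions about the PM platform's OpenAPI.
bug_payload() {
  esc=$(printf '%s' "$5" | sed 's/\\/\\\\/g; s/"/\\"/g')   # escape for JSON
  printf '{"title":"[scan] %s at %s:%s","severity":"%s","assignee":"%s","dedupe_key":"%s","description":"%s"}' \
    "$3" "$1" "$2" "$4" "$(owner_for "$1")" "$(fingerprint "$1" "$2" "$3")" "$esc"
}

# File a ticket for every Serious/Critical finding in the report; echoes how many were filed.
file_bugs() {
  n=0
  grep '<error ' "$1" > "$1.lines"
  while IFS= read -r line; do
    sev=$(attr "$line" severity)
    case "$sev" in Critical|Serious) ;; *) continue ;; esac
    payload=$(bug_payload "$(attr "$line" file)" "$(attr "$line" line)" \
                          "$(attr "$line" id)" "$sev" "$(attr "$line" msg)")
    if [ "$DRY_RUN" = 1 ]; then
      echo "would POST: $payload" >&2
    else
      curl -sS -X POST -H 'Content-Type: application/json' -d "$payload" "$PM_API" >/dev/null
    fi
    n=$((n + 1))
  done < "$1.lines"
  rm -f "$1.lines"
  echo "$n"
}

main() {
  run_scan
  echo "Critical=$(count_severity "$REPORT" Critical) Serious=$(count_severity "$REPORT" Serious)"
  echo "filed $(file_bugs "$REPORT") bug(s)"
  if gate "$STAGE" "$REPORT"; then echo "gate($STAGE): pass"; else echo "gate($STAGE): BLOCK"; exit 1; fi
}

# Run the pipeline only when executed as this script, so the functions can be sourced.
case "${0##*/}" in jenkins_scan_step.sh) main ;; esac
```

Save it as `jenkins_scan_step.sh` and call `sh jenkins_scan_step.sh` from the Execute Shell step with `STAGE` as a build parameter; the step's exit status is what makes Jenkins stop before packaging. The `dedupe_key` only prevents duplicate tickets if the project-management side rejects repeated keys, so check that behaviour on the platform before wiring in `DRY_RUN=0`.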
Practical Results
A video‑cloud team at ByteDance applied the above approach using internal project‑management tools, GitLab, and TscanCode. After six months of scanning, the total number of defects and their severity distribution improved significantly, demonstrating a notable increase in recall rate.
Byte Quality Assurance Team
World-leading audio and video quality assurance team, safeguarding the AV experience of hundreds of millions of users.