Static analysis
Static analysis is the automated examination of source code — or compiled artifacts — without executing it.
By reasoning about the code’s structure, data flows, and control paths at rest, static analysis tools can surface a wide range of issues that might otherwise only manifest at runtime or under specific conditions: type mismatches, null dereferences, unreachable code, overly complex functions, violations of coding standards, and security vulnerabilities such as injection flaws or the use of unsafe APIs.
Because it operates without execution, static analysis can be run cheaply and continuously — on every commit, as part of a [CI/CD] pipeline — giving developers fast feedback and catching entire classes of defect long before they reach testing or production.
Static analysis is complementary to, but distinct from, dynamic analysis, which analyses a program’s behavior during execution through techniques such as profiling, runtime instrumentation, and fuzzing.
Static analysis encompasses several overlapping disciplines:

- [Linting] checks for stylistic inconsistencies, suspicious patterns, and straightforward bugs using relatively lightweight heuristics.
- Type checking — whether enforced by a statically typed language’s compiler or by an optional type system layered onto a dynamic language (such as TypeScript or mypy) — verifies that values are used consistently with their declared types.
- Static application security testing (SAST) applies deeper analysis specifically to identify exploitable vulnerabilities, typically by tracing how untrusted input flows from sources to sensitive sinks, and is an important component of a [secure development lifecycle].
- At the more rigorous end of the spectrum, formal verification uses mathematical proof techniques to establish that a program satisfies a precise specification — an approach used in [high-integrity] and safety-critical systems where the cost of defects is unacceptably high.
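The data-flow reasoning described above, and the source-to-sink tracking that SAST tools perform, can be illustrated with a deliberately small checker built on Python's standard `ast` module. This is an added example, not code from the original page or from any particular tool: the source, sink and sanitizer lists (`request.args.get`, `subprocess.run`, `shlex.quote`, and so on) are assumptions chosen for illustration, and the scanned program is constructed sample input.

```python
"""Minimal taint-tracking static analyzer (illustrative, not a real SAST tool)."""
import ast
from dataclasses import dataclass
from typing import List

# Assumed vocabulary for this example: where untrusted data enters, where it is
# dangerous, and which calls are treated as neutralising it.
TAINT_SOURCES = {"input", "request.args.get", "request.form.get"}
DANGEROUS_SINKS = {"eval", "exec", "os.system", "subprocess.call",
                   "subprocess.run", "cursor.execute"}
SANITIZERS = {"int", "shlex.quote"}


@dataclass
class Finding:
    line: int
    sink: str
    message: str


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintChecker(ast.NodeVisitor):
    """Walks statements in source order, propagating taint through assignments."""

    def __init__(self):
        self.tainted = set()      # variable names currently holding untrusted data
        self.findings = []

    def is_tainted(self, node):
        """Recursively inspect an expression; a sanitizer call stops propagation."""
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SANITIZERS:
                return False
            if name in TAINT_SOURCES:
                return True
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(node))

    def visit_FunctionDef(self, node):
        # Taint state is local to each function body (no interprocedural analysis).
        saved, self.tainted = self.tainted, set()
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        names = {n.id for t in node.targets for n in ast.walk(t) if isinstance(n, ast.Name)}
        if self.is_tainted(node.value):
            self.tainted |= names
        else:
            self.tainted -= names  # reassigning a clean value clears taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in DANGEROUS_SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(self.is_tainted(a) for a in args):
                self.findings.append(Finding(node.lineno, name, f"untrusted data reaches {name}()"))
            elif name in ("eval", "exec"):
                self.findings.append(Finding(node.lineno, name, f"use of unsafe API {name}()"))
        self.generic_visit(node)


def scan(source: str) -> List[Finding]:
    """Parse source text and return findings in source order."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample program under analysis; line numbers start at 1 on the blank line.
SAMPLE = '''
import os, shlex, subprocess

def handler(request, cursor):
    name = request.args.get("name")
    subprocess.run("ls " + name, shell=True)
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    safe = shlex.quote(name)
    os.system("ls " + safe)
    count = int(request.args.get("n"))
    os.system(f"head -n {count} log.txt")
    eval("1 + 1")
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.message}")
```

Run as a script, the checker reports the shell command and the SQL query built from the raw `name` parameter, and separately flags the `eval` call as an unsafe API even though its argument is a constant, while the `shlex.quote` and `int` paths produce no finding. The caveats are the ones that matter for any real SAST tool: this checker is flow-sensitive only along straight-line statement order (no merging of taint across branches or loops), it does not follow data into or out of other functions, and it knows nothing about aliasing through attributes or containers, so a production tool needs a proper control-flow graph, interprocedural summaries and a far richer source/sink model to keep both false negatives and false positives down.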