Static and dynamic code analysis: Complementary techniques
While every programmer wants to deliver high-performing, secure, bug-free and compliant code on the first try, that's not possible. Effective code analysis techniques will help.
So, how can teams review code to make sure that the three primary goals are met?
Code analysis is the easy answer to the question, but should it be static code analysis? What about dynamic code analysis?
Both static and dynamic code analysis have important roles to play as part of an integrated development and deployment process. Without each other, neither is likely to serve the team well.
Let's examine how static and dynamic code analysis both play an important role in software development and how their differences help shape code.
How do static and dynamic code analysis differ?
Static code analysis examines code to identify issues within the logic and techniques. It looks for issues with the code before runtime. Dynamic code analysis involves running code and examining the outcome, which also entails testing possible execution paths of the code.
Even in the most rudimentary fashion, when development teams test the code, they're performing dynamic analysis. When programmers review the code, they're performing static analysis. Regardless of which tools they use, developers and programmers are performing analysis that ultimately helps create better code.
The differences between static and dynamic analysis make them complementary, with each technique addressing the other's weak points to improve code. Some of the main differences include the following:
Timing of analysis. Static code analysis begins as the code is developed, whereas dynamic analysis occurs after the code is written, so teams can execute and examine the workflow.
Code execution. Static code analysis occurs without executing the code, whereas dynamic code analysis requires executing test cases.
Approach to defects. The purpose of static code analysis is to prevent defects before code runs; dynamic analysis focuses on detecting defects in running code.
Timing of detection. Since static code analysis is the first test activity in the development lifecycle, it offers the earliest opportunity to find defects. Dynamic testing is meant to detect defects later in the test cycle.
Types of issues detected. Static code analysis verifies statement coverage, identifies issues with coding standards and potential security vulnerabilities, and finds dead code. Dynamic code analysis elucidates runtime errors, performance issues and integration issues.
Runtime behavior. Static code analysis focuses on reviews and inspections of the code; it does not validate the code's runtime behavior. Dynamic code analysis validates the actual behavior of the code by examining it during runtime.
Resource requirements. Developers usually perform static code analysis, whereas dynamic code analysis is within the realm of the test team.
Static and dynamic code analysis are both necessary for clean code.
Neither static code analysis nor dynamic code analysis by itself is the ideal option. To reap the full benefit -- clean, well-developed code -- teams should optimize both. Development teams shouldn't think of static and dynamic code analysis as alternatives, i.e., static vs. dynamic analysis. Teams should view them instead as complementary and symbiotic.
Code review is similar to static analysis
If, for some reason, a team decides it wants to omit static code analysis, that really means it does not plan to review the code. Think of code review and static code analysis as related terms. Code review helps find code issues without committing to expensive and time-consuming dynamic tests. Static code analysis, done in a code-review context, is the first and most essential step in developing and maintaining good software.
Both static and dynamic code analysis have important roles to play as part of an integrated development and deployment process.
Most static code analysis involves tools designed to evaluate the code and look for errors or nonrecommended techniques and practices. Organizations that treat static code analysis as an element of code review will likely conduct formal code reviews first, then apply the static code analysis tools, and finally review the results through the code review process of choice.
If an organization decides to first review the code with a programmer and mentor, it might consider using static code analysis first. This approach will likely catch a significant portion of code errors and save the expert valuable time in identifying them.
Static code analysis and review is particularly well suited to rapid development and GitOps environments, where changes often apply to a single component. For example, if the software design properly isolates component behaviors, static analysis will catch most of the code errors.
So, why dynamic analysis?
Simply put, static analysis doesn't catch every code defect.
It is particularly limited when it comes to addressing issues in complex, multicomponent applications. It also provides little to no value for measuring performance or testing policies for scaling and load balancing. These limitations are where dynamic code analysis comes into play.
How to coordinate dynamic and static analysis
Just as development teams already use static code analysis routinely -- even if it's not formally mandated or managed -- they also use dynamic code analysis. Routine software testing and running software to verify a fix or validate the initial implementation are forms of dynamic code analysis.
So, it's not a matter of static code analysis vs. dynamic code analysis. Teams likely already use both. The question becomes how to use both effectively.
Static code analysis is best paired with code review. Dynamic code analysis is suited to some form of automated testing and test data generation. Teams should focus dynamic code analysis first on areas where static analysis is likely to be ineffective, such as component performance, application performance, application logic, security validation and crossing component boundaries.
Tools for static and dynamic code analysis
Since static code analysis is primarily for verification and dynamic code analysis is for validation, static analysis tools and dynamic analysis tools are designed for specific purposes. For example, code linters -- tools that analyze code for errors -- are an important part of static analysis and are not generally associated with dynamic analysis. However, there are a few tools that are suited to both types of analysis. Below are some of the tools for each process.
Tools for static code analysis
ESLint. This open source linter is designed to find and fix JavaScript code issues. It is part of most text editors and can test JavaScript that is written with or without a framework.
Pylint. This is a linter for Python. It performs code analysis and makes suggestions on how the code issues might be fixed.
SonarQube. An open source tool for code inspections, this tool is programming language agnostic and provides automatic code quality and coding standard reviews. It can integrate with most CI tools and has commercial versions.
RuboCop. This tool is an analyzer for Ruby code that focuses on finding and fixing issues in coding style and formatting.
DeepSource. This platform can be integrated into the CI/CD pipeline to automatically perform static analysis. It identifies not only performance and security issues, but also code standard and format issues.
Tools for dynamic code analysis
Java VisualVM. This tool provides detailed information about Java applications that are running on a Java Virtual Machine, including configuration, runtime behavior and memory usage.
Python cProfile. This tool is used for determining the length of time various code modules and functions take to execute.
Dynatrace. This platform offers real-time monitoring for observability and security vulnerabilities, as well as code and infrastructure issues. The tool provides an assessment of potential vulnerability impacts and displays them on a dashboard.
AppDynamics. This tool focuses on application performance management, especially in the areas of availability, performance and user experience. Dynamic code analysis is executed in the runtime environment.
New Relic. This cloud-based program focuses on observability in mobile and website applications.
Tools for static and dynamic code analysis
Fortify. Originally developed as a static application security testing (SAST) tool, Fortify provides a comprehensive set of code analysis tools focused on early detection of security vulnerabilities.
Veracode. This platform provides both SAST and dynamic application security testing tools with AI components that find and fix security vulnerabilities, as well as web app runtime errors throughout the entire SDLC.
vFunction. This platform focuses on architectural observability. It provides static and dynamic code analysis focused on the architecture of the application under test.
Editor's note: This article was updated in 2025 to improve the reader experience and include additional content.
Gerie Owen is a QA engineering manager at Roobrik. She is a conference presenter and author on technology and testing topics, and a certified Scrum master. Tom Nolle is founder and principal analyst at Andover Intel, a consulting and analysis firm that looks at evolving technologies and applications first from the perspective of the buyer and the buyer's needs. By background, Nolle is a programmer, software architect, and manager of software and network products. He has provided consulting services and technology analysis for decades.
