Apex static code analysis

UPDATE: On Pluralsight, Robert from PMD and Lorenzo from Clayton.io just released a FREE (no-signup) in-depth course on Automated Code Analysis in Salesforce.

I recently ported the famous Java static code analyzer PMD to Apex. We also ported many of the original Java rules and created a few Apex-specific ones to showcase how to write language-specific rules (e.g. AvoidSoqlInLoops, AvoidLogicInTriggers, ...).

Unlike CodeScan, our effort is open source and was merged back into the original PMD repository on GitHub (https://github.com/pmd/pmd). Every Salesforce developer or expert out there can fork the repo and create new and better rules and integrations.

As the Apex language module is now part of the regular PMD distribution, all PMD-based tools also speak Apex, e.g. the Eclipse / Force.com IDE.

We have also built an open-source engine for CodeClimate, so you can not only analyze files on your local machine but also have code checked into your GitHub repos verified.

Just recently, another GitHub-integrated service, Codacy.com, added full support for PMD and Apex.
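As an added illustration of what the two Apex-specific rules named in the answer above flag (this is example code written here, not code from the PMD project or from the answer): the first method runs a SOQL query inside a loop, which AvoidSoqlInLoops reports because a bulk DML operation on 200 records issues 200 queries and trips the 100-query synchronous governor limit; the second is the bulkified form the rule steers you towards. The trigger delegates to the class instead of holding logic itself, which is what AvoidLogicInTriggers checks for. The class and trigger names are hypothetical; `with sharing` is included so the queries respect the running user's record access.

```apex
// Added example, not from the PMD project. ContactEnricher and ContactTrigger
// are hypothetical names; Contact.Description and Account.Industry are
// standard fields.
public with sharing class ContactEnricher {

    // Flagged by AvoidSoqlInLoops: one query per record. A bulk insert of
    // 200 contacts issues 200 queries and exceeds the limit of 100 SOQL
    // queries per synchronous transaction, so the whole transaction fails.
    public static void enrichPerRecord(List<Contact> contacts) {
        for (Contact c : contacts) {
            if (c.AccountId == null) {
                continue;
            }
            Account a = [SELECT Industry FROM Account WHERE Id = :c.AccountId];
            c.Description = a.Industry;
        }
    }

    // Bulkified form: collect the keys first, run a single query, then
    // look the results up in a map. Query count is constant in list size.
    public static void enrichBulk(List<Contact> contacts) {
        Set<Id> accountIds = new Set<Id>();
        for (Contact c : contacts) {
            if (c.AccountId != null) {
                accountIds.add(c.AccountId);
            }
        }
        if (accountIds.isEmpty()) {
            return;
        }
        Map<Id, Account> accountsById = new Map<Id, Account>(
            [SELECT Id, Industry FROM Account WHERE Id IN :accountIds]);
        for (Contact c : contacts) {
            Account a = accountsById.get(c.AccountId);
            // null when the account is missing or not visible under sharing
            if (a != null) {
                c.Description = a.Industry;
            }
        }
    }
}

// Separate file, ContactTrigger.trigger. AvoidLogicInTriggers flags queries
// and branching written directly in a trigger body; limiting the body to a
// single delegation keeps the logic unit-testable and in one handler class.
trigger ContactTrigger on Contact (before insert, before update) {
    ContactEnricher.enrichBulk(Trigger.new);
}
```

Running PMD with the Apex ruleset over the first method reports the query at the `for` loop; the second method and the trigger produce no violation for these two rules.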


Apologies for plugging myself, but I've been working on a static analysis tool. You can find some information and try out a single page at http://codescan.villagechief.com/.

The enterprise version is based on Sonar, so it's got graphs and timelines, code reviews functionality, and much more.

There are over 100 static analysis checks, including many very specific to Apex, code complexity metrics, etc. You can also build your own rules using XPath, or use it for continuous integration by having it run your Apex class tests and record the results.

On http://codescan.villagechief.com/ you can also try out the analysis by uploading a single file. It doesn't have all the functionality of the enterprise version, though, and quite a few metrics and analysis points are not enabled.

There is an Eclipse version of this as well, which displays the static analysis results as you work in Eclipse (analysis is done locally, so you can fix issues as you work).

Let me know if you want some more information or a demo.


You can get a local version of the Checkmarx source code scanner to run in Eclipse as a plugin. I think you get 90 days for free.

See Apex security scanner - Eclipse Plug-in.

The report is the same as the one you get from the Force.com Security Source Code Scanner, just integrated into the IDE. So you can go straight to the applicable lines in the source code.

While this solution is more local than the version you run from the website, it still relies on sending the code off to Checkmarx for remote analysis.

Tags: Security, Apex