static-code-analyzer
npx machina-cli add skill a5c-ai/babysitter/static-code-analyzer --openclawFiles (1)
SKILL.md
6.4 KB
Static Code Analyzer Skill
Performs comprehensive static analysis of codebases to assess code quality, complexity metrics, and migration readiness. This skill integrates with industry-standard tools to provide actionable insights for migration planning.
Purpose
Enable deep static analysis of codebases for:
- Code quality assessment
- Complexity measurement
- Migration readiness evaluation
- Technical debt quantification
- Security vulnerability scanning (SAST)
Capabilities
1. Cyclomatic Complexity Measurement
- Analyze control flow complexity
- Identify high-complexity functions/methods
- Generate complexity reports by module/package
- Track complexity trends over time
2. Code Duplication Detection (Clone Detection)
- Detect exact code clones
- Identify near-duplicates and structural clones
- Calculate duplication percentage
- Map clone relationships
3. Dead Code Identification
- Find unreachable code paths
- Identify unused functions/methods
- Detect orphaned imports and exports
- Flag obsolete feature flags
4. Security Vulnerability Scanning (SAST)
- Scan for common security anti-patterns
- Identify injection vulnerabilities
- Check for hardcoded secrets
- Assess authentication/authorization patterns
5. Maintainability Index Calculation
- Calculate composite maintainability scores
- Assess code readability metrics
- Evaluate documentation coverage
- Measure API surface complexity
6. Coding Standards Compliance
- Check against language-specific style guides
- Validate naming conventions
- Verify structural patterns
- Assess best practices adherence
Tool Integrations
This skill can leverage the following external tools when available:
| Tool | Purpose | Integration Method |
|---|---|---|
| SonarQube | Comprehensive code quality | MCP Server / API |
| CodeClimate | Quality metrics | API |
| ESLint | JavaScript/TypeScript linting | CLI |
| PMD | Java static analysis | CLI |
| FindBugs/SpotBugs | Java bug detection | CLI |
| Checkstyle | Java code standards | CLI |
| ast-grep | AST-based pattern matching | MCP Server / CLI |
| Semgrep | Security-focused SAST | CLI |
Usage
Basic Analysis
# Invoke skill for basic analysis
# The skill will auto-detect language and apply appropriate analyzers
# Expected inputs:
# - targetPath: Path to codebase or directory to analyze
# - analysisScope: 'full' | 'quick' | 'security' | 'quality'
# - outputFormat: 'json' | 'markdown' | 'html'
Analysis Workflow
-
Discovery Phase
- Detect programming languages present
- Identify project structure and build systems
- Check for existing configuration files
-
Tool Selection
- Select appropriate analyzers based on languages
- Configure tool-specific settings
- Validate tool availability
-
Analysis Execution
- Run selected analyzers
- Collect metrics and findings
- Aggregate results
-
Report Generation
- Consolidate findings
- Calculate composite scores
- Generate actionable recommendations
Output Schema
{
"analysisId": "string",
"timestamp": "ISO8601",
"target": {
"path": "string",
"languages": ["string"],
"filesAnalyzed": "number",
"linesOfCode": "number"
},
"metrics": {
"complexity": {
"average": "number",
"max": "number",
"distribution": {}
},
"duplication": {
"percentage": "number",
"cloneCount": "number",
"duplicatedLines": "number"
},
"maintainability": {
"index": "number",
"grade": "A-F"
},
"technicalDebt": {
"estimatedHours": "number",
"ratio": "number"
}
},
"findings": [
{
"type": "string",
"severity": "critical|high|medium|low|info",
"file": "string",
"line": "number",
"message": "string",
"rule": "string",
"recommendation": "string"
}
],
"migrationReadiness": {
"score": "number (0-100)",
"blockers": [],
"risks": [],
"recommendations": []
}
}
Integration with Migration Processes
This skill integrates with the following Code Migration/Modernization processes:
- legacy-codebase-assessment: Primary tool for initial codebase evaluation
- code-refactoring: Identifies refactoring targets
- technical-debt-remediation: Quantifies and prioritizes debt
Configuration
Skill Configuration File
Create .static-analyzer.json in the project root:
{
"excludePaths": ["node_modules", "dist", "build", ".git"],
"severityThreshold": "medium",
"enabledChecks": {
"complexity": true,
"duplication": true,
"security": true,
"standards": true
},
"customRules": [],
"reportFormats": ["json", "markdown"]
}
MCP Server Integration
When SonarQube MCP Server is available:
// Example MCP tool invocation
{
"tool": "sonarqube_analyze",
"arguments": {
"project_key": "my-project",
"sources": "./src",
"language": "javascript"
}
}
When ast-grep MCP Server is available:
// Example AST pattern search
{
"tool": "ast_grep_search",
"arguments": {
"pattern": "console.log($$$)",
"language": "javascript",
"path": "./src"
}
}
Best Practices
- Incremental Analysis: For large codebases, use incremental analysis to reduce time
- Baseline Establishment: Create baseline metrics before migration
- Threshold Configuration: Set appropriate thresholds for your team's standards
- Trend Tracking: Track metrics over time to measure improvement
- Integration Testing: Validate analysis results against known issues
Related Skills
code-smell-detector: Specialized smell detectiontechnical-debt-quantifier: Debt measurement and prioritizationtest-coverage-analyzer: Coverage gap identification
Related Agents
legacy-system-archaeologist: Uses this skill for codebase explorationmigration-readiness-assessor: Uses this skill for readiness scoringtechnical-debt-auditor: Uses this skill for debt assessment
References
Source
git clone https://github.com/a5c-ai/babysitter/blob/main/plugins/babysitter/skills/babysit/process/specializations/code-migration-modernization/skills/static-code-analyzer/SKILL.mdView on GitHub Overview
Static code analyzer performs comprehensive static analysis to assess code quality, complexity metrics, and migration readiness. It integrates with industry-standard tools to produce actionable insights for planning refactors and migrations, including SAST security scans.
How This Skill Works
The skill automatically detects languages, selects appropriate analyzers, and runs them to collect metrics such as cyclomatic complexity, duplication, dead code, and maintainability. It then aggregates findings and generates a prioritized report with recommendations.
When to Use It
- Planning a major codebase migration or modernization project
- Assessing code maintainability and readability before refactors
- Running security-focused SAST scans to uncover vulnerabilities
- Identifying dead code, code clones, and high-risk hotspots
- Generating objective readiness scores to guide migration backlog and budgeting
Quick Start
- Step 1: Provide targetPath, analysisScope, and outputFormat
- Step 2: Run the static-code-analyzer to auto-detect languages and analyzers
- Step 3: Open the generated report to review metrics and recommendations
Best Practices
- Integrate into CI to run nightly or on PRs and monitor trends
- Ensure tool availability for the languages in the repo (ESLint, PMD, etc.)
- Run a full analysis on critical modules before migration milestones
- Correlate complexity with churn to pinpoint risky areas
- Review findings across complexity, duplication, and security together
Example Use Cases
- Java monolith migration using PMD/Checkstyle for standards and complexity
- JS/TS project with ESLint and Semgrep for quality and security checks
- Clone detection to reduce duplication in a large codebase
- SAST findings used to prioritize remediation backlog
- Maintainability index improvements after targeted refactors
Frequently Asked Questions
Add this skill to your agents
