Static Code Analyzer Skill
Performs comprehensive static analysis of codebases to assess code quality, complexity metrics, and migration readiness. This skill integrates with industry-standard tools to provide actionable insights for migration planning.
Purpose
Enable deep static analysis of codebases for:
- •Code quality assessment
- •Complexity measurement
- •Migration readiness evaluation
- •Technical debt quantification
- •Security vulnerability scanning (SAST)
Capabilities
1. Cyclomatic Complexity Measurement
- •Analyze control flow complexity
- •Identify high-complexity functions/methods
- •Generate complexity reports by module/package
- •Track complexity trends over time
2. Code Duplication Detection (Clone Detection)
- •Detect exact code clones
- •Identify near-duplicates and structural clones
- •Calculate duplication percentage
- •Map clone relationships
3. Dead Code Identification
- •Find unreachable code paths
- •Identify unused functions/methods
- •Detect orphaned imports and exports
- •Flag obsolete feature flags
4. Security Vulnerability Scanning (SAST)
- •Scan for common security anti-patterns
- •Identify injection vulnerabilities
- •Check for hardcoded secrets
- •Assess authentication/authorization patterns
5. Maintainability Index Calculation
- •Calculate composite maintainability scores
- •Assess code readability metrics
- •Evaluate documentation coverage
- •Measure API surface complexity
6. Coding Standards Compliance
- •Check against language-specific style guides
- •Validate naming conventions
- •Verify structural patterns
- •Assess best practices adherence
Tool Integrations
This skill can leverage the following external tools when available:
| Tool | Purpose | Integration Method |
|---|---|---|
| SonarQube | Comprehensive code quality | MCP Server / API |
| CodeClimate | Quality metrics | API |
| ESLint | JavaScript/TypeScript linting | CLI |
| PMD | Java static analysis | CLI |
| FindBugs/SpotBugs | Java bug detection | CLI |
| Checkstyle | Java code standards | CLI |
| ast-grep | AST-based pattern matching | MCP Server / CLI |
| Semgrep | Security-focused SAST | CLI |
Usage
Basic Analysis
bash
# Invoke skill for basic analysis # The skill will auto-detect language and apply appropriate analyzers # Expected inputs: # - targetPath: Path to codebase or directory to analyze # - analysisScope: 'full' | 'quick' | 'security' | 'quality' # - outputFormat: 'json' | 'markdown' | 'html'
Analysis Workflow
- •
Discovery Phase
- •Detect programming languages present
- •Identify project structure and build systems
- •Check for existing configuration files
- •
Tool Selection
- •Select appropriate analyzers based on languages
- •Configure tool-specific settings
- •Validate tool availability
- •
Analysis Execution
- •Run selected analyzers
- •Collect metrics and findings
- •Aggregate results
- •
Report Generation
- •Consolidate findings
- •Calculate composite scores
- •Generate actionable recommendations
Output Schema
json
{
"analysisId": "string",
"timestamp": "ISO8601",
"target": {
"path": "string",
"languages": ["string"],
"filesAnalyzed": "number",
"linesOfCode": "number"
},
"metrics": {
"complexity": {
"average": "number",
"max": "number",
"distribution": {}
},
"duplication": {
"percentage": "number",
"cloneCount": "number",
"duplicatedLines": "number"
},
"maintainability": {
"index": "number",
"grade": "A-F"
},
"technicalDebt": {
"estimatedHours": "number",
"ratio": "number"
}
},
"findings": [
{
"type": "string",
"severity": "critical|high|medium|low|info",
"file": "string",
"line": "number",
"message": "string",
"rule": "string",
"recommendation": "string"
}
],
"migrationReadiness": {
"score": "number (0-100)",
"blockers": [],
"risks": [],
"recommendations": []
}
}
Integration with Migration Processes
This skill integrates with the following Code Migration/Modernization processes:
- •legacy-codebase-assessment: Primary tool for initial codebase evaluation
- •code-refactoring: Identifies refactoring targets
- •technical-debt-remediation: Quantifies and prioritizes debt
Configuration
Skill Configuration File
Create .static-analyzer.json in the project root:
json
{
"excludePaths": ["node_modules", "dist", "build", ".git"],
"severityThreshold": "medium",
"enabledChecks": {
"complexity": true,
"duplication": true,
"security": true,
"standards": true
},
"customRules": [],
"reportFormats": ["json", "markdown"]
}
MCP Server Integration
When SonarQube MCP Server is available:
javascript
// Example MCP tool invocation
{
"tool": "sonarqube_analyze",
"arguments": {
"project_key": "my-project",
"sources": "./src",
"language": "javascript"
}
}
When ast-grep MCP Server is available:
javascript
// Example AST pattern search
{
"tool": "ast_grep_search",
"arguments": {
"pattern": "console.log($$$)",
"language": "javascript",
"path": "./src"
}
}
Best Practices
- •Incremental Analysis: For large codebases, use incremental analysis to reduce time
- •Baseline Establishment: Create baseline metrics before migration
- •Threshold Configuration: Set appropriate thresholds for your team's standards
- •Trend Tracking: Track metrics over time to measure improvement
- •Integration Testing: Validate analysis results against known issues
Related Skills
- •
code-smell-detector: Specialized smell detection - •
technical-debt-quantifier: Debt measurement and prioritization - •
test-coverage-analyzer: Coverage gap identification
Related Agents
- •
legacy-system-archaeologist: Uses this skill for codebase exploration - •
migration-readiness-assessor: Uses this skill for readiness scoring - •
technical-debt-auditor: Uses this skill for debt assessment