How do you monitor code quality in your team or orgs? You can see one of my favourite quotes on this topic above. If you are doing it manually, ask yourself:
- Is it being done consistently
- What is being checked, is it only the coding style or items such as security issues or vulnerabilities being checked too
- Does the review vary depending on who is doing it or how busy the team is
Using a tool is a great way to automate this and ensure that it is done in a consistent manner, you can still use some manual reviews or pair programming for learning and development.
I think the most important part of adding an automated tool to your process is to put in the hands of the developers. For example, they should not have to wait until something is being deployed to QA to find out that there is a medium of high finding on a feature that they developed two weeks ago. If they have access to the tool and are either running it in real time or at least daily (depending on the features available in the tool that you have chosen). This means that the issues never get out of development environments and it is a learning experience for the the developer. It also means that any false positives found can be flagged early.
I have used a few different tools such as SonarQube, Clayton, Apex PMD and CodeScan.io – Which tool you should choose will depend on your specific requirements, your setup and your budget but even using a free tool will add alot of value to your team and the quality of your development.
What did look for when choosing a tool? These are specific to the organisation that I was working for but I looked at:
- Will it scan Apex and does know and understand Apex keywords
- Will it do the above for both legacy Visualforce pages and new Lightning Web Components
- Can I see reports with trends over time
- Does it give me details on issues found and how to solve them
- Is it easy to use and access
- Is there a plugin for VS Code so developers can see issues when they save their code
- Can issues be marked as false positives
- Can I control who can make issues as false positives and is there an audit trail of this
Your requirements might be completely different but the code scanning tools for Salesforce have improved massively in recent years and there are many options out there now. Some even have the ability to do basic configuration scanning and security setup scanning. If you are looking at implementing one of these tools, I would recommend documenting your requirements and giving each tool a score for each requirement rather than relying on a sales demo.