Guidelines for Using Code Analysis Tools

The following list provides several guidelines to help you select and manage code analysis warnings.

  • Review warning categories.

    Because code analysis tools perform extensive checks for code defects, it is useful to have a basic understanding of the different warnings. For more information about warning categories, see Code Analysis for Managed Code Warnings or Code Analysis for C/C++ Warnings.

  • Analyze existing code.

    Depending on your project type, resources, and requirements, choose the approach that best meets your needs.

    • Enable all warnings.

      Enable all the warnings, run the analysis tool, and then review the warning list it generates to decide which warnings to keep enabled.

    • Enable a subset of warnings.

      Review the warning categories, decide on the subset of warnings to use in your project, and enable only those warnings.

  • Analyze code under development.

    Because you are not dealing with existing code, we recommend that you enable all warnings and analyze the code for defects throughout development. It is much easier to analyze and fix code as you write it. Do not wait until the end of the development cycle to analyze code or to enable many warnings at once: a large backlog of warnings late in the cycle puts unnecessary pressure on team members, and defects found under that pressure are more likely to be suppressed than fixed, which jeopardizes code security and stability.

  • Track warnings.

    After determining which warnings to use in your project, track them by using the work item tracking features. For more information, see How to: Add New Work Items.

  • Fix warnings.

    There are several ways you can fix a warning:

    • Correct - fix the code and test it before checking it in.

    • Suppress - in managed code, you can use the System.Diagnostics.CodeAnalysis.SuppressMessageAttribute attribute to suppress a warning caused by code at a particular location. Record the reason in the attribute's Justification property so that the suppression can be reviewed later.

    • Disable - you can use the project property pages to disable a warning for all managed code in the project. For C/C++, you can use the header file that lists all the code analysis warnings to enable or disable warnings that are not required for your project. Disabling applies to the whole project, not to one location, so prefer correcting or suppressing a warning where possible.

    After a warning is fixed, change the status of its rule from warning to error so that a regression breaks the build instead of reappearing as a warning that can be ignored. This helps keep your code clean.
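    The following is an added example, not code from the original page, that shows the "Correct" and "Suppress" options side by side for one managed warning, CA1031 (DoNotCatchGeneralExceptionTypes, category Microsoft.Design), together with an assembly-level suppression. The namespace, class, and method names, the file paths, and the log message are assumptions made for illustration.

    ```csharp
    // Added example (not from the original page). Names and paths are illustrative assumptions.
    using System;
    using System.Diagnostics.CodeAnalysis;
    using System.IO;

    // Assembly-level suppression, typically kept in a GlobalSuppressions.cs file.
    // Scope and Target pin the suppression to one element, so it cannot silently
    // widen to code added later. CA1020 fires for namespaces with few types.
    [assembly: SuppressMessage("Microsoft.Design", "CA1020:AvoidNamespacesWithFewTypes",
        Scope = "namespace", Target = "Sample",
        Justification = "Small namespace is the intended public surface of a plug-in.")]

    namespace Sample
    {
        public static class ConfigLoader
        {
            // "Correct": the warning is fixed by catching only the exceptions that
            // File.ReadAllText is documented to raise for a missing or unreadable
            // file. Anything else (for example an out-of-memory condition) still
            // propagates, so an unexpected failure is not hidden.
            public static string LoadOrDefault(string path, string fallback)
            {
                try
                {
                    return File.ReadAllText(path);
                }
                catch (IOException ex)
                {
                    Console.Error.WriteLine("config unreadable, using defaults: " + ex.Message);
                    return fallback;
                }
                catch (UnauthorizedAccessException ex)
                {
                    Console.Error.WriteLine("config access denied, using defaults: " + ex.Message);
                    return fallback;
                }
            }

            // "Suppress": the general catch is kept on purpose, so the warning is
            // suppressed at this one location with a Justification a reviewer can
            // check. The catch still logs and rethrows, so nothing is swallowed.
            [SuppressMessage("Microsoft.Design", "CA1031:DoNotCatchGeneralExceptionTypes",
                Justification = "Top-level boundary: every failure is logged and rethrown.")]
            public static void RunGuarded(Action work)
            {
                try
                {
                    work();
                }
                catch (Exception ex)
                {
                    Console.Error.WriteLine("unhandled failure: " + ex);
                    throw;
                }
            }
        }
    }
    ```

    SuppressMessageAttribute is marked Conditional("CODE_ANALYSIS"), so the attributes are compiled in only when that symbol is defined, which Visual Studio does for build configurations that have code analysis enabled; the shipped assembly carries no trace of the suppressions. Treat a suppression without a Justification as a review finding: the attribute says that a warning was looked at, and the justification is the only record of why it was accepted.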

  • Specify check-in requirement.

    You can set up a check-in policy that requires code analysis to run as part of the check-in. Only code that passes the analysis can be checked in, which helps make sure that checked-in code is clean. For more information about check-in policies, see Code Analysis Check-in Policies.