Guidelines for Using Code Analysis Tools

The following list provides several guidelines to help you select and manage code analysis warnings.

  • Review warning categories.

    Because code analysis tools perform extensive checks for code defects, it is useful to have a basic understanding of the different warnings. For more information about warning categories, see Code Analysis for Managed Code Warnings or Code Analysis for C/C++ Warnings.

  • Analyze existing code.

    Depending on your project type, resources, and requirements, choose the approach that best meets your needs.

    • Enable all warnings.

      Enable all warnings, run the analysis once, and then review the resulting warning list to decide which warnings to keep enabled. This gives you the full picture of the existing defects before you narrow the set down.

    • Enable a subset of warnings.

      Review the warning categories to select a subset of warnings to use in your project and then enable only those warnings.

  • Analyze code under development.

    Because there is no backlog of existing code to triage, we recommend that you enable all warnings and analyze code for defects throughout development. It is much easier to analyze and fix code as you write it than to revisit it later. Do not wait until the end of the development cycle either to analyze code or to enable many warnings. Doing so puts unnecessary pressure on team members at the point where there is the least time to fix anything, and it risks shipping security and stability defects that were detectable much earlier.

  • Track warnings.

    After you enable the warnings to use in your project, track them by using work tracking features. For more information, see one of the following topics:

    How to: Create a Work Item for a Managed Code Defect

    How to: Create a Work Item for C/C++ Code Defects

    How to: Create a Work Item from a Defect in Transact-SQL Code

  • Fix warnings.

    You can fix a warning in one of the following ways:

    • Correct: Fix the code and test it before checking it in.

    • Suppress: Use the System.Diagnostics.CodeAnalysis.SuppressMessageAttribute attribute in managed code to suppress a warning that is caused by code at a particular location. Suppression is for warnings you have examined and judged to be false positives or acceptable at that one site; record the reason in the attribute's Justification property so the decision can be reviewed.

    • Disable: Use the project property pages to disable a warning for all managed code in the project. For C/C++, you can use a header file that lists all the warnings. Use this file to enable or disable warnings that are not required for your project. Disabling applies everywhere, so reserve it for warnings that genuinely do not apply to the project, not for warnings that are merely inconvenient.

    After the warning is fixed, change its status from warning to error. A warning that is treated as an error cannot silently reappear in a later change, which helps keep your code clean.
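The "Correct" and "Suppress" options side by side, as an added example that is not part of the original page: one public method fixes the CA1062 (ValidateArgumentsOfPublicMethods) warning by validating its argument, and a second suppresses the same warning at a single location where the argument is validated by a helper that the analyzer does not recognize. The class, method and helper names are invented for illustration.

```csharp
using System;
using System.Diagnostics.CodeAnalysis;

namespace CodeAnalysisSample
{
    public static class TextStatistics
    {
        // Correct: the public method validates its own argument, so
        // CA1062 (ValidateArgumentsOfPublicMethods) has nothing to report.
        // Prefer this whenever the warning points at a real defect.
        public static int CountLines(string[] lines)
        {
            if (lines == null)
            {
                throw new ArgumentNullException(nameof(lines));
            }
            return lines.Length;
        }

        // Suppress: the argument is validated, but by a helper the analyzer
        // does not see through, so CA1062 is a false positive at this site.
        // The attribute is scoped to this one method (it has no project-wide
        // effect), and Justification records why, so reviewers can audit it.
        [SuppressMessage("Microsoft.Design", "CA1062:ValidateArgumentsOfPublicMethods",
            Justification = "Argument is null-checked by RequireNotNull; the analyzer does not recognize that helper.")]
        public static int CountWords(string text)
        {
            RequireNotNull(text, nameof(text));
            return text.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries).Length;
        }

        // Hypothetical guard helper (an assumption of this example, not an API of the page).
        private static void RequireNotNull(object value, string paramName)
        {
            if (value == null)
            {
                throw new ArgumentNullException(paramName);
            }
        }
    }
}
```

Two practical notes. SuppressMessageAttribute is marked with Conditional("CODE_ANALYSIS"), so the compiler only emits it into the assembly when the CODE_ANALYSIS symbol is defined; Visual Studio defines that symbol when code analysis is enabled for the build configuration, which means the suppression costs nothing in a normal release build but also has no effect if analysis is run from a configuration that lacks the symbol. Attach the attribute to the smallest element that produces the warning (the method, not the class or assembly), so that a new, unrelated instance of the same warning in the same class is still reported.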

  • Specify check-in requirement.

    You can set up a code check-in policy that requires code analysis to run as part of the check-in. Only code that passes the analysis can be checked in, which makes sure that the code that reaches the repository is clean and that the warnings you chose to treat as errors cannot be bypassed by an individual developer. For more information about check-in policy, see Creating and Using Code Analysis Check-In Policies.