a5c-ai/static-code-analyzer
library/specializations/code-migration-modernization/skills/static-code-analyzer/SKILL.md
Deep static analysis of codebases for quality, complexity, and migration readiness assessment
$ install --global
skillsauthnpx skillsauth add a5c-ai/babysitter static-code-analyzerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 4:39 PM218.6s2 files scanned
SKILL.md
- name:
- static-code-analyzer
- description:
- Deep static analysis of codebases for quality, complexity, and migration readiness assessment
- allowed-tools:
- ["Bash", "Read", "Write", "Grep", "Glob", "Edit"]
Static Code Analyzer Skill
Performs comprehensive static analysis of codebases to assess code quality, complexity metrics, and migration readiness. This skill integrates with industry-standard tools to provide actionable insights for migration planning.
Purpose
Enable deep static analysis of codebases for:
- Code quality assessment
- Complexity measurement
- Migration readiness evaluation
- Technical debt quantification
- Security vulnerability scanning (SAST)
Capabilities
1. Cyclomatic Complexity Measurement
- Analyze control flow complexity
- Identify high-complexity functions/methods
- Generate complexity reports by module/package
- Track complexity trends over time
2. Code Duplication Detection (Clone Detection)
- Detect exact code clones
- Identify near-duplicates and structural clones
- Calculate duplication percentage
- Map clone relationships
3. Dead Code Identification
- Find unreachable code paths
- Identify unused functions/methods
- Detect orphaned imports and exports
- Flag obsolete feature flags
4. Security Vulnerability Scanning (SAST)
- Scan for common security anti-patterns
- Identify injection vulnerabilities
- Check for hardcoded secrets
- Assess authentication/authorization patterns
5. Maintainability Index Calculation
- Calculate composite maintainability scores
- Assess code readability metrics
- Evaluate documentation coverage
- Measure API surface complexity
6. Coding Standards Compliance
- Check against language-specific style guides
- Validate naming conventions
- Verify structural patterns
- Assess best practices adherence
Tool Integrations
This skill can leverage the following external tools when available:
| Tool | Purpose | Integration Method | |------|---------|-------------------| | SonarQube | Comprehensive code quality | MCP Server / API | | CodeClimate | Quality metrics | API | | ESLint | JavaScript/TypeScript linting | CLI | | PMD | Java static analysis | CLI | | FindBugs/SpotBugs | Java bug detection | CLI | | Checkstyle | Java code standards | CLI | | ast-grep | AST-based pattern matching | MCP Server / CLI | | Semgrep | Security-focused SAST | CLI |
Usage
Basic Analysis
# Invoke skill for basic analysis
# The skill will auto-detect language and apply appropriate analyzers
# Expected inputs:
# - targetPath: Path to codebase or directory to analyze
# - analysisScope: 'full' | 'quick' | 'security' | 'quality'
# - outputFormat: 'json' | 'markdown' | 'html'
Analysis Workflow
-
Discovery Phase
- Detect programming languages present
- Identify project structure and build systems
- Check for existing configuration files
-
Tool Selection
- Select appropriate analyzers based on languages
- Configure tool-specific settings
- Validate tool availability
-
Analysis Execution
- Run selected analyzers
- Collect metrics and findings
- Aggregate results
-
Report Generation
- Consolidate findings
- Calculate composite scores
- Generate actionable recommendations
Output Schema
{
"analysisId": "string",
"timestamp": "ISO8601",
"target": {
"path": "string",
"languages": ["string"],
"filesAnalyzed": "number",
"linesOfCode": "number"
},
"metrics": {
"complexity": {
"average": "number",
"max": "number",
"distribution": {}
},
"duplication": {
"percentage": "number",
"cloneCount": "number",
"duplicatedLines": "number"
},
"maintainability": {
"index": "number",
"grade": "A-F"
},
"technicalDebt": {
"estimatedHours": "number",
"ratio": "number"
}
},
"findings": [
{
"type": "string",
"severity": "critical|high|medium|low|info",
"file": "string",
"line": "number",
"message": "string",
"rule": "string",
"recommendation": "string"
}
],
"migrationReadiness": {
"score": "number (0-100)",
"blockers": [],
"risks": [],
"recommendations": []
}
}
Integration with Migration Processes
This skill integrates with the following Code Migration/Modernization processes:
- legacy-codebase-assessment: Primary tool for initial codebase evaluation
- code-refactoring: Identifies refactoring targets
- technical-debt-remediation: Quantifies and prioritizes debt
Configuration
Skill Configuration File
Create .static-analyzer.json in the project root:
{
"excludePaths": ["node_modules", "dist", "build", ".git"],
"severityThreshold": "medium",
"enabledChecks": {
"complexity": true,
"duplication": true,
"security": true,
"standards": true
},
"customRules": [],
"reportFormats": ["json", "markdown"]
}
MCP Server Integration
When SonarQube MCP Server is available:
// Example MCP tool invocation
{
"tool": "sonarqube_analyze",
"arguments": {
"project_key": "my-project",
"sources": "./src",
"language": "javascript"
}
}
When ast-grep MCP Server is available:
// Example AST pattern search
{
"tool": "ast_grep_search",
"arguments": {
"pattern": "console.log($$$)",
"language": "javascript",
"path": "./src"
}
}
Best Practices
- Incremental Analysis: For large codebases, use incremental analysis to reduce time
- Baseline Establishment: Create baseline metrics before migration
- Threshold Configuration: Set appropriate thresholds for your team's standards
- Trend Tracking: Track metrics over time to measure improvement
- Integration Testing: Validate analysis results against known issues
Related Skills
code-smell-detector: Specialized smell detectiontechnical-debt-quantifier: Debt measurement and prioritizationtest-coverage-analyzer: Coverage gap identification
Related Agents
legacy-system-archaeologist: Uses this skill for codebase explorationmigration-readiness-assessor: Uses this skill for readiness scoringtechnical-debt-auditor: Uses this skill for debt assessment
References
- SonarQube MCP Server
- ast-grep MCP Server
- SonarQube Documentation
- ast-grep Documentation
Related Skills
a5c-ai/model-card-generator
development
VerifiedTrustedCommunity
Model documentation skill for generating model cards following Google's model card framework.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/mlflow-experiment-tracker
development
VerifiedTrustedCommunity
MLflow integration skill for experiment tracking, model registry, and artifact management. Enables LLMs to log experiments, compare runs, manage model lifecycle, and retrieve artifacts through the MLflow API.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/lime-explainer
data-ai
VerifiedTrustedCommunity
LIME-based local explanation skill for individual predictions across tabular, text, and image data.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/kubeflow-pipeline-executor
devops
VerifiedTrustedCommunity
Kubeflow Pipelines skill for ML workflow orchestration, component management, and Kubernetes-native ML.
680SKILL.mdUpdated Apr 28, 2026