Static testing

tldr: Static testing finds defects without running the code. Reviews, walkthroughs, inspections, and static analysis tools all qualify. It catches defects earlier and cheaper than dynamic testing, but most teams underuse it.

What "static" means here

Static testing examines artifacts without executing them. The artifacts can be:

  • Requirements documents
  • Architecture diagrams
  • Source code
  • Configuration files
  • Test scripts

Dynamic testing runs the code and checks the behavior. Static testing reads the code and checks the structure. Both have a place. Static is faster, cheaper, and catches different bug classes.

Forms of static testing

Code review

A peer reads the code before merge. The most common static test in modern teams. Catches obvious bugs, naming issues, missing edge cases, and logic gaps.

Code review is most effective when the reviewer cares enough to actually read. Rubber-stamp review is worse than no review because it creates false confidence.

Walkthrough

The author explains the code or design to a group. Questions surface assumptions the author did not realize they were making.

Less formal than inspections. Best used early in design, before the cost of changes is high.

Inspection

A formal review with defined roles (author, moderator, reviewers, scribe), a checklist, and recorded outcomes. Slow but rigorous. Used in safety-critical software.

Most non-regulated teams skip formal inspections in favor of code review. The trade-off is acceptable for most products. For aerospace, medical devices, or financial controls, inspections still earn their cost.

Static analysis tools

Automated tools that scan the code for known patterns. Linters (ESLint, RuboCop), security scanners (Semgrep, Snyk), type checkers (TypeScript compiler, mypy), and code-quality tools (SonarQube).

Static analysis is the cheapest static testing. It runs on every commit, it never gets bored, and it catches a wide range of common defects.

What static testing catches

Different from dynamic testing. Static is good at:

  • Coding standard violations
  • Type mismatches
  • Unused variables and imports
  • Dead code
  • Common security patterns (SQL injection, XSS, hardcoded secrets)
  • Missing error handling
  • Documentation gaps

Static testing is bad at:

  • Logic errors that look fine on paper
  • Race conditions and concurrency bugs
  • Performance under load
  • Integration bugs

The point is not to choose. Use both. Static for what static catches; dynamic for the rest.

A working static testing setup

What a typical web team runs:

  1. Linter on save. ESLint, Prettier, or equivalent. Fixes happen as you type.
  2. Type check in CI. TypeScript or its equivalent. Blocks the merge if types do not check.
  3. Unit test coverage threshold. Configured per repo. Below threshold fails the build.
  4. Security scan. Snyk, Semgrep, or GitHub's built-in scanners on every PR.
  5. Code review. At least one reviewer per PR, with explicit approval required.

This catches a lot before a single test runs. Adding more is usually low value: the marginal bug caught by the seventh tool is rarely worth its setup cost.

Where static testing fails

Two failure modes.

Tools without buy-in. A scanner that warns but never blocks merges gets ignored. A code review that no one reads gets rubber-stamped. Tools without enforcement become noise.

Enforcement without judgment. A linter that flags 200 issues per PR pushes engineers to disable it. A code review that demands every detail be perfect blocks all velocity. Calibrate strictness.

The right level: strict enough that real defects get caught, loose enough that noise does not drown the signal.

How AI testing relates

AI testing platforms like Bug0 are dynamic by definition. They execute flows, observe behavior, and report failures.

Static testing complements them. Static catches the bugs you can see in the code. Dynamic catches the bugs that only appear when the code runs. A team using both has fewer bugs in production than a team using either alone.

FAQs

Is code review static testing?

Yes. Code review is the most common form of static testing in modern software teams.

What about pair programming?

Pair programming includes continuous review during writing. It produces a similar effect to code review but in real time. Counts as static testing in spirit.

Should static testing replace dynamic testing?

No. They catch different bug classes. A working QA strategy uses both.

Which static analysis tool should I use?

Start with a strict linter and a type checker. Add a security scanner. Add coverage tracking. After that, evaluate based on the bugs your team actually ships.

Can Bug0 detect static issues?

Bug0 is dynamic, so it does not analyze code. For end-to-end behavior, it is the right tool. For code-level issues, pair it with static tools in CI.

Testing Fundamentals
Related Terms
View all terms

Ship every deploy with confidence.

Bug0 gives you a dedicated AI QA engineer that tests every critical flow, on every PR, with zero test code to maintain. 200+ engineering teams already made the switch.

From $2,500/mo. Full coverage in 7 days.

Go on vacation. Bug0 never sleeps. - Your AI QA engineer runs 24/7

Go on vacation.
Bug0 never sleeps.

Your AI QA engineer runs 24/7 — on every commit, every deploy, every schedule. Full coverage while you're off the grid.