Skip to main content
The Corgea Code Quality Scanner is an AI-powered code review tool that identifies maintainability, readability, performance, and correctness issues in your codebase. Unlike our security vulnerability scanners that focus on security threats, the Code Quality Scanner acts as an expert software engineer reviewing your code to help maintain high standards and prevent technical debt.

What It Does

The Code Quality Scanner analyzes your source code files to identify concrete issues that impact your codebase’s long-term health. Think of it as having an experienced senior engineer reviewing every file, catching issues that might slip through manual code reviews while focusing on practical, actionable improvements.

Key Capabilities

  • Automated Code Review: Performs thorough analysis of your code, checking for common quality issues that affect maintainability
  • Language-Aware Analysis: Understands the context and conventions of different programming languages
  • Framework Detection: Recognizes common frameworks and applies framework-specific best practices
  • Severity Classification: Prioritizes issues based on their impact (High, Medium, Low)
  • CWE Mapping: Maps issues to Common Weakness Enumeration (CWE) standards for standardized categorization

What It Can Find

The Code Quality Scanner identifies a comprehensive range of code quality issues. All findings are mapped to for consistent categorization.
  • Typos and spelling errors in code comments, variable names, and strings (CWE-1078)
  • Inaccurate or misleading comments that contradict actual code behavior or may be outdated (CWE-1116)
example.js
// Bad: Misleading comment
// Calculate the sum of two numbers
function multiply(a, b) {
  return a * b;  // Actually multiplying, not adding
}
  • Empty code blocks that serve no purpose (CWE-1071)
  • Unused variables, imports, and dead code that clutter the codebase (CWE-563, CWE-1041)
  • Empty exception blocks that silently swallow errors (CWE-1069, CWE-390)
  • Unreachable code that can never execute (CWE-561)
example.py
# Bad: Empty exception block silently swallows errors
try:
    risky_operation()
except Exception:
    pass  # Error is hidden!
  • Duplicate code that should be refactored into shared functions (CWE-1041)
  • Duplicate keys or literals in objects and magic numbers that should be constants (CWE-1078)
  • Non- code - repeated logic that increases maintenance burden
  • String concatenation in loops that degrades performance (CWE-1046)
  • Inefficient operations and unnecessary resource consumption (CWE-1050)
  • Performance bottlenecks in frequently-executed code paths
Example.java
// Bad: String concatenation in loop
String result = "";
for (int i = 0; i < 1000; i++) {
    result += data[i];  // Creates new string object each iteration
}
  • Functions with too many parameters (>5 parameters) indicating poor design (CWE-1064)
  • Overly complex function signatures that are difficult to use correctly
  • Circular dependencies between modules (CWE-1047)
  • Violations of
  • Complex one-liners that should be broken down for clarity (CWE-1120)
  • Deeply nested logic with excessive branching that’s hard to understand
  • Overly generic helper functions that obscure intent
  • Violations of
  • Inconsistent naming conventions that make code harder to follow (CWE-1099)
  • Generic, non-descriptive variable names like ‘obj’, ‘x’, ‘data’
  • Mixed naming styles (e.g., camelCase and snake_case in the same codebase)
  • Logic errors that cause incorrect behavior (CWE-670)
  • Incorrect data processing that produces wrong results
  • Code that won’t work as intended due to implementation mistakes
  • TODO comments and placeholder code (CWE-1071)
  • Half-finished features that may cause issues
  • Incomplete implementations that need attention

How It Works

1. File Analysis

The scanner processes each file in your codebase individually, analyzing the complete source code with full context of the file’s structure, language, and detected frameworks.

2. AI-Powered Review

Using advanced language models specifically trained for code review, the scanner examines your code against established software engineering principles and best practices. The AI understands:
  • Language-specific idioms and conventions
  • Framework patterns and best practices
  • Code complexity and maintainability metrics
  • Industry-standard software design principles

3. Issue Identification

When a potential issue is found, the scanner:
  • Pinpoints the exact lines of code involved
  • Classifies the issue type using CWE standards
  • Assigns an appropriate severity level
  • Generates a clear explanation of the problem and its impact

4. High-Confidence Detection

The scanner only reports issues it’s at least 90% confident about. This high threshold ensures that findings are actionable and accurate, not speculative.
The 90% confidence threshold significantly reduces noise and false positives, so you can trust that reported issues are worth addressing.

False Positive Suppression

The Code Quality Scanner includes sophisticated false positive suppression mechanisms to ensure you receive only meaningful, actionable findings:

Built-In Filters

Security Issue Exclusion: The scanner explicitly excludes security vulnerabilities (SQL injection, XSS, authentication issues, etc.) as these are handled by Corgea’s dedicated security scanners. This prevents overlap and confusion between code quality and security findings.
Style Preference Filtering: Minor style preferences such as brace placement, indentation, and whitespace are not reported. The scanner focuses on substantive quality issues, not formatting preferences.
Confidence Threshold: Only issues where the AI is highly confident (>90%) are reported, reducing speculative or uncertain findings.

Contextual Understanding

The scanner understands code context to avoid false positives:
  • Recognizes when “empty” blocks are intentional (e.g., placeholder implementations)
  • Understands framework-specific patterns that might otherwise look problematic
  • Considers language idioms that are acceptable in specific programming languages

Automated Remediation

When code quality issues are identified, Corgea provides automated remediation capabilities to help you fix problems quickly and consistently:

What Gets Remediated

The automated remediation system can fix many common code quality issues, including:
  • Removing unused variables and imports
  • Converting magic numbers to named constants
  • Fixing typos in variable names and comments

How Remediation Works

  1. Issue Context: The system analyzes the full context around each issue, understanding not just the problematic code but its role in the broader codebase
  2. Safe Fixes: Automated fixes are designed to be safe and maintain existing functionality
  3. Code Style Preservation: Fixes respect your existing code style and conventions
  4. Review Before Apply: You maintain full control over which fixes to apply

Separate from Vulnerability Scanning

The Code Quality Scanner is completely separate from Corgea’s security vulnerability scanning capabilities.

Key Differences

Code Quality ScannerVulnerability Scanner
Focuses on maintainability, readability, and correctnessFocuses on security threats and exploitable weaknesses
Identifies technical debt and design issuesIdentifies SQL injection, XSS, authentication flaws, etc.
Helps improve long-term code healthHelps protect against security breaches
Uses CWEs related to code qualityUses CWEs related to security

Why Both Matter

  • Security keeps your application safe from attackers
  • Code Quality keeps your codebase maintainable, performant, and reliable
Both are essential for a healthy software project, but they address different concerns. A codebase can be secure but unmaintainable, or well-structured but vulnerable. Corgea provides both to give you complete visibility into your code’s health.

Severity Levels Explained

Issues that will cause crashes, severe performance problems, or critical bugs:
  • Empty catch blocks that hide errors
  • Infinite loops
  • Logic that always fails
  • Critical performance bottlenecks
Action: Fix immediately

Getting Started

The Code Quality Scanner integrates seamlessly into your development workflow:
1

Connect Your Repository

Link your code repository to Corgea using GitHub, GitLab, Azure DevOps, or Bitbucket
2

Automatic Scanning

The scanner analyzes your files automatically
3

Review Findings

Browse identified issues with clear explanations and severity levels in the project dashboard
4

Apply Fixes

Use automated remediation or fix issues manually
5

Track Progress

Monitor improvements in code quality over time

AI-native SAST

Learn about Corgea’s security vulnerability scanning capabilities

Automated Fixes

Explore how automated remediation works across all scan types

False Positive Management

Manage and suppress false positives effectively

Issue Management

Track and manage all issues across your projects

Support

For assistance, contact us at [email protected]