What practice should be followed to perform static analysis of code during deployment?

Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz.

Implementing infrastructure as code is a critical practice for performing static analysis of code during deployment because it automates the provisioning of resources, making the entire process more consistent and repeatable. This practice enables security policies to be embedded directly into the code, allowing for automated security checks to occur before deployment. By codifying the infrastructure, developers can leverage tools that check for vulnerabilities or compliance issues in the codebase as part of the deployment pipeline.

This approach helps to maintain a high level of security hygiene by ensuring that any infrastructure changes can be reviewed, tested, and validated against security standards. It also promotes collaboration between development and operations teams, which is essential for identifying security issues early in the software development lifecycle.

While manual code reviews and running tests in a local environment can contribute to security and quality, they are not as scalable or efficient in a deployment context as infrastructure as code. Deploying directly to production without analysis increases risk and does not support a secure deployment process.
