It depends on what we want to analyze and/or control with this verification method.
For some of the reasons why static analysis is worth doing, read here (static analysis - why).
How?
The ideal scenario is to choose the right tool for the job you have to do (as always). This is the how. The tool ideally integrates with your favorite IDE (e.g. Checkstyle plugin for Eclipse, see more info here) so that its features are readily available without switching tools or context.
What?
Tools already measure things during static analysis and let you fine-tune the KPI thresholds (e.g. minimum value for the measure, maximum value). There are lots of papers (and standards) on what to measure to achieve, for instance, maintainability.
Examples of measures:
- LOC
- % comments
- Cyclomatic Complexity
- Max. Depth
- Average Depth
- Etc.
For each programming language there could be different recommendations for the KPIs. Also have a look at what the "community" has to say about it (and at the tool defaults for that language), i.e. Google for it.
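The measures and thresholds described above, as an added example that is not part of the original post: Python's `ast` and `tokenize` modules compute LOC, % comments, cyclomatic complexity and max. depth for a source string and report which measures fall outside their range. The sample source, the threshold values and the function names are assumptions made for illustration; complexity is counted for the whole source rather than per function.

```python
import ast
import io
import tokenize

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
# Classify a number.
def classify(n):
    if n < 0:
        return "negative"
    for d in range(2, n):
        if n % d == 0 and d > 1:
            return "composite"  # found a divisor
    return "other"
'''
# Hypothetical [minimum, maximum] thresholds; tune per language and tool.
THRESHOLDS = {"loc": (1, 200), "comment_pct": (10.0, 100.0),
              "cyclomatic": (1, 10), "max_depth": (0, 4)}
BRANCHES = (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp)
NESTING = (ast.If, ast.For, ast.While, ast.Try, ast.With)

def _depth(node, level=0):
    """Deepest nesting of control-flow blocks at or below node."""
    deepest = level
    for child in ast.iter_child_nodes(node):
        step = 1 if isinstance(child, NESTING) else 0
        deepest = max(deepest, _depth(child, level + step))
    return deepest

def measure(source):
    """Return LOC, % of lines with comments, cyclomatic complexity, max depth."""
    lines = [ln for ln in source.splitlines() if ln.strip()]
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    commented = {t.start[0] for t in tokens if t.type == tokenize.COMMENT}
    nodes = list(ast.walk(ast.parse(source)))
    decisions = sum(isinstance(n, BRANCHES) for n in nodes)
    # Each extra operand of and/or is one more decision point.
    decisions += sum(len(n.values) - 1 for n in nodes
                     if isinstance(n, ast.BoolOp))
    return {"loc": len(lines),
            "comment_pct": 100.0 * len(commented) / max(len(lines), 1),
            "cyclomatic": decisions + 1,
            "max_depth": _depth(ast.parse(source))}

def violations(metrics, thresholds=THRESHOLDS):
    """Names of measures that fall outside their [minimum, maximum] range."""
    return sorted(name for name, (lo, hi) in thresholds.items()
                  if not lo <= metrics[name] <= hi)
```

Calling `violations(measure(SAMPLE))` returns an empty list with the thresholds shown; lowering the maximum for `cyclomatic` or `max_depth` makes the sample fail that measure.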
Additional Info
Some additional ideas:
- https://en.wikipedia.org/wiki/Software_metric#Common_software_measurements
- http://www.kaner.com/pdfs/metrics2004.pdf
- What is Static Analysis (and examples of tools): http://istqbexamcertification.com/what-are-static-analysis-tools