There are many options for static analysis, and it's a hot topic, so:
What is static analysis?
When should you use it, and when shouldn't it be used?
What are potential gotchas regarding proper and improper usage/application of static analysis?
Any languages that don't have a good static analysis tool, and what do you do when you don't have an option for automated analysis?
What is static analysis?
Analyzing code without executing it. Generally used to find bugs or ensure conformance to coding guidelines. The classic example is a compiler which finds lexical, syntactic and even some semantic mistakes.
When should you use it, and when shouldn't it be used?
Static analysis tools should be used when they help maintain code quality. If they're used, they should be integrated into the build process, otherwise they will be ignored.
What are potential gotchas regarding proper and improper usage/application of static analysis?
Two common pathologies occur when using static analysis tools:
The tools produces spurious warnings/errors that the developers cannot silence. Eventually, most of the warnings are spurious and the developers stop paying attention to the output. This is why many teams require that code compile cleanly. If developers feel comfortable ignoring compiler warnings, the compile phase will eventually be filled with warning nobody ever pays attention to, even though they may be bugs.
The tools take too long to run and developers never bother to run them.
Any languages that don't have a good static analysis tool, and what do you do when you don't have an option for automated analysis?
For a number of reasons, many of the dynamic languages (ruby, python, perl) don't have static analysis tools that are as strong as those available in static languages. The standard method of finding bugs and making sure the code is working in dynamic languages are unit tests which help build confidence that the code actually works (hat-tip: Chris Conway).
Static analysis is looking at source-code for potential problems. It's called static because the code isn't executed to find the problems, the source is analysed analytically.
At the moment, static analysis is very immature. Most tools find only the most stupid of bugs. For example, no tools that I know of can find all null pointer dereferences, yet this is an obvious bug you'd want to target with static analysis. You can forget trying to find harder bugs such as race conditions with static analysis, for the moment at least.
Static Analysis is particularly useful for enforcing coding standards. FXCop, which analyses .NET code, contains rules for all sorts of coding standards defects.
As you say, there are many tools that do static analysis. Here is a list of free products that I have personally used:
I can recommend all of them.
In addition to finding bugs in your code (such as guaranteed null pointer dereferencing, infinite loops, etc.), static analysis can be used for security analysis of the code. I'd highly recommend watching the "Secure Programming with Static Analysis" presentation from Brian Chess of Fortify software.
Other questions on static analysis (each with tool recommendations):
Check out http://www.ouncelabs.com if you are looking for an enterprise class tool.