I have performed static code analysis at $firm on C code with Logiscope, so I'll chime in with some general experiences with static analysis. The software in question was a business critical component (NDA, sorry), and we used Logiscope's built-in rules in addition to MISRA's ruleset as a basis for the analysis.

We found that the first runs drowned us in information on violated rules, many of which were of the type "Put your brackets at the end of the line." As a result of this we ended up evaluating all the 200 or so rules and only using around 20.

What's my point in this rambling intro? Static analysis is never better than your ruleset, and choosing a good ruleset is time consuming. I therefore second the suggestions of making a small default ruleset, and making it very clear that users should think hard about what they are looking for when performing the analysis. Static analysis is somewhat similar to test code coverage, in that it tells you how well you have done in a certain subset of your problem area, while completely ignoring any frolicking dragons in neighbouring areas.

Don't get me wrong, though. Both static analysis and code coverage are excellent ways of getting metrics for software, but they must be used with care. Know what they can help you with, and don't assume your software is perfect just because your metrics say so. I therefore think that using the rules from Conway's book is a bad idea, simply because the large number of rules will tell you your code is bad no matter how good you are. Using some of his rules, on the other hand, is a good idea. We just have to figure out which ones...

And by the way, my bosses will love you for making Perl::Critic. Great work, now we can take our own medicine :)