Codacy is a unified code quality and security platform that automatically analyzes code for security vulnerabilities, code smells, complexity issues, and style violations.
Founded in 2012, Codacy supports over 40 programming languages and integrates directly into developer workflows through IDE plugins and pull request checks.
The Codacy Analysis CLI is open source (AGPL-3.0) with 113+ stars on GitHub. Codacy maintains 156+ repositories on GitHub, including language-specific integrations for ESLint, Pylint, Trivy, and more.
What is Codacy?
Codacy provides automated code review that catches security issues and quality problems before they reach production.
The platform combines multiple analysis engines to deliver comprehensive coverage, from security vulnerabilities and hardcoded secrets to code duplication and maintainability concerns.
What sets Codacy apart is its AI code guardrails feature, specifically designed to protect against vulnerabilities introduced by AI-generated code.
As developers increasingly use tools like GitHub Copilot and ChatGPT for code generation, Codacy ensures that AI-assisted code meets the same security and quality standards as human-written code.
The platform emphasizes developer experience with real-time feedback in IDEs, actionable findings with remediation guidance, and auto-fix capabilities that resolve common issues automatically.
Key Features
Security Analysis (SAST)
Detect security vulnerabilities across your codebase:
- OWASP Top 10 vulnerability detection
- CWE coverage for comprehensive security scanning
- SQL injection, XSS, and command injection detection
- Authentication and authorization flaws
- Cryptographic weaknesses
- Path traversal and file inclusion vulnerabilities
- Severity-based prioritization
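Of the vulnerability classes listed above, SQL injection is the one a SAST engine most commonly finds by a purely syntactic rule. The following is an added illustration of how such a rule works; it is not Codacy's analysis engine and none of the names or sample code come from the page. It parses Python source with the standard-library ast module and reports every execute()/executemany() call whose query argument is assembled at run time by string formatting, alongside the hardened, parameterised form that the rule accepts.

```python
"""Toy SAST rule for SQL injection, added here as an illustration.

This is not Codacy's analysis engine: it parses Python source with the
standard-library ``ast`` module and reports every ``execute``/``executemany``
call whose first argument (the query) is assembled at run time by string
formatting. A query built that way from user input is the classic SQL
injection pattern; the hardened form passes values as parameters instead.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    severity: str
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when ``node`` builds a string from other values at run time."""
    # f"... {x} ..."
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        # "..." % x
        if isinstance(node.op, ast.Mod):
            return True
        # "..." + x  (a sum of two literals is still a constant)
        if isinstance(node.op, ast.Add):
            return not (isinstance(node.left, ast.Constant)
                        and isinstance(node.right, ast.Constant))
    # "...".format(x)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per execute() call fed a dynamically built query."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if _is_dynamic_string(node.args[0]):
            findings.append(Finding(
                line=node.lineno,
                severity="high",
                message="SQL query built by string formatting; "
                        "pass values as query parameters instead",
            ))
    return sorted(findings, key=lambda f: f.line)


# Constructed samples: the vulnerable form and its hardened replacement.
VULNERABLE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
'''

HARDENED = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


if __name__ == "__main__":
    for label, code in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        results = scan_source(code)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line} [{f.severity}] {f.message}")
```

The rule is deliberately narrow: it looks only at the shape of the query expression, so a query stored in a variable and formatted elsewhere would need data-flow tracking, which is where a full engine goes beyond this toy.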
AI Code Guardrails
Protect against AI-generated code risks:
- Specialized detection rules for AI code patterns
- Identification of common AI-generated vulnerabilities
- Quality checks for Copilot and ChatGPT code
- Automated scanning of AI-assisted pull requests
- Risk scoring for AI-generated code blocks
Secrets Detection
Find hardcoded credentials before they leak:
- API keys and tokens
- Database credentials
- Private keys and certificates
- Cloud provider credentials
- Custom secret patterns
- Scanning of the full repository history, not only the current tree
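To show what the "custom secret patterns" and severity ordering above amount to in practice, here is an added, self-contained scanner; it is not Codacy's secrets engine, and its patterns, thresholds and sample file are constructed for this example. It combines the two techniques most secret detectors rely on: fixed-format patterns for well-known credential types (the AWS access key ID format of AKIA plus 16 characters, and PEM private-key headers) and a generic "credential-looking assignment" rule whose severity is driven by the Shannon entropy of the assigned value, so a generated token ranks above a placeholder like "changeme".

```python
"""Small hardcoded-secret scanner, added as an illustration.

Not Codacy's secrets engine: the patterns and thresholds below are
constructed for this example. Fixed-format rules catch well-known
credential shapes; the generic rule catches ``name = "value"`` lines where
``name`` looks like a credential and uses entropy to rank the value.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class SecretFinding:
    line: int
    kind: str
    severity: str


# Fixed-format credential patterns (constructed subset for this example).
FIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# name = "value" where name looks like a credential; group 1 is the value.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{8,})['"]"""
)

# Values with entropy at or above this are treated as generated material.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def scan_lines(text: str) -> list[SecretFinding]:
    """Scan source text line by line; report at most one finding per line."""
    findings: list[SecretFinding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in FIXED_PATTERNS.items():
            if pattern.search(line):
                findings.append(SecretFinding(number, kind, "high"))
                break
        else:
            match = GENERIC_ASSIGNMENT.search(line)
            if match:
                value = match.group(1)
                severity = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
                findings.append(SecretFinding(number, "generic_assignment", severity))
    return findings


# Constructed sample file: none of these values are real credentials.
SAMPLE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"
password = "changeme"
api_key = "x7Gh2kLp9QwErTyU1oPaSdFg"
token = os.environ["SERVICE_TOKEN"]
"""


if __name__ == "__main__":
    for f in scan_lines(SAMPLE):
        print(f"line {f.line}: {f.kind} [{f.severity}]")
```

The last sample line reads the token from the environment and produces no finding, which is the remediation the other lines need. Running the same scanner over every commit rather than the working tree is what the history scanning bullet refers to: a credential removed in a later commit is still recoverable from the repository.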
Code Quality Analysis
Maintain healthy, maintainable codebases:
- Code complexity metrics (cyclomatic, cognitive)
- Duplication detection
- Style and formatting violations
- Documentation coverage
- Dead code identification
- Technical debt tracking
Software Composition Analysis
Identify open-source risks:
- Dependency vulnerability scanning
- License compliance checking
- Outdated package detection
- Transitive dependency analysis
- SBOM generation
Installation
GitHub Integration
Connect Codacy directly to your GitHub repositories:
- Sign up at codacy.com using your GitHub account
- Select repositories to analyze
- Codacy automatically scans on each push
IDE Extensions
Install Codacy in your development environment:
# VS Code
code --install-extension codacy.codacy
# JetBrains IDEs (IntelliJ, PyCharm, WebStorm)
# Install via IDE Settings > Plugins > Marketplace > Search "Codacy"
CLI Tool
Run Codacy analysis locally or in CI:
# Install Codacy CLI
curl -L https://github.com/codacy/codacy-analysis-cli/releases/latest/download/codacy-analysis-cli.sh \
    -o codacy-analysis-cli.sh
chmod +x codacy-analysis-cli.sh
# Run local analysis
./codacy-analysis-cli.sh analyze \
    --directory /path/to/project \
    --tool eslint \
    --tool security
# With project token for upload
./codacy-analysis-cli.sh analyze \
    --project-token $CODACY_PROJECT_TOKEN \
    --upload
Configuration File
Create a .codacy.yml in your repository root:
---
engines:
  eslint:
    enabled: true
    config: .eslintrc.json
  pylint:
    enabled: true
    config: pylintrc
  semgrep:
    enabled: true
  secrets:
    enabled: true
exclude_paths:
  - "node_modules/**"
  - "vendor/**"
  - "**/*.min.js"
  - "tests/**"
languages:
  javascript:
    extensions:
      - ".js"
      - ".jsx"
      - ".ts"
      - ".tsx"
Integration
GitHub Actions
name: Codacy Analysis
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  codacy-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for accurate analysis
      - name: Run Codacy Analysis CLI
        # Pin to a release tag or commit SHA in production rather than a moving branch
        uses: codacy/codacy-analysis-cli-action@master
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          upload: true
          max-allowed-issues: 0
      - name: Run Codacy Coverage Reporter
        uses: codacy/codacy-coverage-reporter-action@v1
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          coverage-reports: coverage/lcov.info
GitLab CI
stages:
  - quality
codacy:
  stage: quality
  image: codacy/codacy-analysis-cli:latest
  variables:
    CODACY_PROJECT_TOKEN: $CODACY_PROJECT_TOKEN
  script:
    - codacy-analysis-cli analyze
      --project-token $CODACY_PROJECT_TOKEN
      --upload
      --verbose
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
codacy-coverage:
  stage: quality
  image: codacy/codacy-coverage-reporter:latest
  script:
    - codacy-coverage-reporter report
      --project-token $CODACY_PROJECT_TOKEN
      --coverage-reports coverage/lcov.info
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  needs:
    - test # Depends on your test job that generates coverage
Jenkins Pipeline
pipeline {
    agent any
    environment {
        CODACY_PROJECT_TOKEN = credentials('codacy-project-token')
    }
    stages {
        stage('Codacy Analysis') {
            steps {
                sh '''
                    curl -L https://github.com/codacy/codacy-analysis-cli/releases/latest/download/codacy-analysis-cli.sh \
                        -o codacy-analysis-cli.sh
                    chmod +x codacy-analysis-cli.sh
                    ./codacy-analysis-cli.sh analyze \
                        --project-token $CODACY_PROJECT_TOKEN \
                        --upload \
                        --fail-if-incomplete
                '''
            }
        }
        stage('Coverage Report') {
            steps {
                sh '''#!/bin/bash
                    # The shebang matters: <( ... ) process substitution is a bash feature,
                    # and the Jenkins sh step defaults to POSIX sh, where it fails.
                    bash <(curl -Ls https://coverage.codacy.com/get.sh) report \
                        --project-token $CODACY_PROJECT_TOKEN \
                        --coverage-reports coverage/lcov.info
                '''
            }
        }
    }
}
Pull Request Integration
Codacy comments directly on pull requests with:
- Security vulnerability findings
- Code quality issues
- Coverage impact
- Overall quality gate status
- Links to detailed explanations
Configure quality gates in Codacy settings:
# Quality gate example configuration
quality_gate:
  issues:
    max_new_issues: 0
    severity_threshold: medium
  coverage:
    min_coverage: 80
    max_coverage_drop: 5
  duplication:
    max_duplication: 3
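To make the gate settings concrete, the following added example applies them to two constructed pull-request results and reports why each passes or fails. It is not Codacy's own gate logic: GATE mirrors the example settings above as a plain dict, the severity ordering and the two result records are assumptions made for this illustration, and the rule names in them are placeholders.

```python
"""Quality-gate evaluation, added as an illustration of how gate settings
are applied to a pull request.

This is not Codacy's own gate logic: GATE mirrors the example settings
above as a plain dict, and the two analysis results are constructed.
"""
from __future__ import annotations

# Assumed severity ordering used to apply severity_threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Same values as the quality_gate configuration above.
GATE = {
    "issues": {"max_new_issues": 0, "severity_threshold": "medium"},
    "coverage": {"min_coverage": 80, "max_coverage_drop": 5},
    "duplication": {"max_duplication": 3},
}


def evaluate_quality_gate(gate: dict, result: dict) -> tuple[bool, list[str]]:
    """Return (passed, reasons). Every reason is one failed gate condition."""
    reasons: list[str] = []

    # Only issues at or above the severity threshold count against the gate.
    threshold = SEVERITY_RANK[gate["issues"]["severity_threshold"]]
    counted = [i for i in result["new_issues"]
               if SEVERITY_RANK[i["severity"]] >= threshold]
    if len(counted) > gate["issues"]["max_new_issues"]:
        rules = ", ".join(i["rule"] for i in counted)
        reasons.append(f"{len(counted)} new issue(s) at/above "
                       f"{gate['issues']['severity_threshold']}: {rules}")

    # Absolute coverage floor and relative drop against the base branch.
    coverage = result["coverage"]
    if coverage < gate["coverage"]["min_coverage"]:
        reasons.append(f"coverage {coverage}% below minimum "
                       f"{gate['coverage']['min_coverage']}%")
    drop = result["base_coverage"] - coverage
    if drop > gate["coverage"]["max_coverage_drop"]:
        reasons.append(f"coverage dropped {drop:.1f} points "
                       f"(limit {gate['coverage']['max_coverage_drop']})")

    if result["duplication"] > gate["duplication"]["max_duplication"]:
        reasons.append(f"duplication {result['duplication']}% above "
                       f"{gate['duplication']['max_duplication']}%")

    return (not reasons, reasons)


# Constructed analysis results for two pull requests (rule names are placeholders).
PASSING_PR = {
    "new_issues": [{"rule": "unused-import", "severity": "low"}],
    "coverage": 84.0,
    "base_coverage": 85.5,
    "duplication": 2.1,
}
FAILING_PR = {
    "new_issues": [{"rule": "sql-injection", "severity": "high"},
                   {"rule": "line-too-long", "severity": "info"}],
    "coverage": 78.0,
    "base_coverage": 85.5,
    "duplication": 2.0,
}


if __name__ == "__main__":
    for label, pr in (("passing", PASSING_PR), ("failing", FAILING_PR)):
        passed, reasons = evaluate_quality_gate(GATE, pr)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for r in reasons:
            print("  -", r)
```

Note that the low-severity finding in the passing PR does not count against max_new_issues because it sits below severity_threshold, while the failing PR trips three conditions at once: a high-severity issue, coverage under the floor, and a drop larger than the allowed five points.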
When to Use Codacy
Codacy is particularly well-suited for teams that:
- Use AI coding assistants and need guardrails for generated code
- Want unified quality and security in a single platform
- Need multi-language support across diverse tech stacks
- Value developer experience with IDE integration and PR comments
- Have open-source projects that can use the free tier
- Want auto-fix capabilities to speed up remediation
Consider alternatives if you need:
- Deep security analysis only without code quality (consider dedicated SAST tools)
- Compliance-focused reporting for regulated industries (consider Checkmarx or Veracode)
- Enterprise-scale deployment with complex policy management
- Specific language depth that specialized tools might offer
Codacy works well as part of a defense-in-depth strategy, complementing dedicated security tools with its broad quality coverage and developer-friendly workflow integration.