Skip to content
Codacy

Codacy

Category: SAST
License: Commercial (Free for open-source, CLI is AGPL-3.0)
Visit Codacy GitHub (113โ˜…)
Suphi Cankurt
Suphi Cankurt
+8 Years in AppSec
Updated February 4, 2026
5 min read
Key Takeaways
  • Scans 40+ languages using 30+ underlying tools (Semgrep, ESLint, Bandit, Brakeman, SpotBugs, Checkov) in a unified platform โ€” used by 600,000+ developers.
  • AI Guardrails scan AI-generated code in IDE; AI Risk Hub tracks compliance for AI-assisted development; AI Reviewer analyzes GitHub PRs with rule-based + AI context.
  • Free Developer plan for IDE scanning (4 languages); Team plan at $18/month per dev covers 40+ languages with PR scanning. Open-source projects get the Team plan free.
  • Combines SAST, SCA, secrets detection, IaC scanning, code quality, and coverage tracking with pull request quality gates across GitHub, GitLab, and Bitbucket.

Codacy is a code quality and security platform that scans 40+ languages for security vulnerabilities, code smells, complexity, and duplication. It is a SAST tool that runs multiple underlying analysis engines โ€” including Semgrep, ESLint, Bandit, Brakeman, and SpotBugs โ€” to provide broad coverage from a single platform.

Founded in 2012, Codacy is used by over 600,000 developers. The Codacy Analysis CLI is open source under AGPL-3.0. The company has 52 employees across 9 countries.

What is Codacy?

Codacy provides automated code review that catches security issues and quality problems on every commit and pull request. It connects directly to GitHub, GitLab, or Bitbucket and runs analysis automatically without CI configuration for basic usage.

The platform wraps 30+ open-source and proprietary analysis tools behind a unified interface. For Python, it runs Bandit, Pylint, Ruff, and Semgrep.

For JavaScript, ESLint and Semgrep. For Ruby, Brakeman, RuboCop, and Semgrep.

Each language has its own set of tools, all managed through a single dashboard.

Why Codacy fits the code-quality-plus-security niche

Codacy sits in a narrow but useful slot: teams that want a single dashboard for code quality, security, and coverage rather than three separate stacks. Most SAST vendors lead with security and treat quality metrics as a side product.

Codacy starts from the opposite end โ€” style, complexity, duplication, and coverage โ€” then layers Semgrep, Bandit, Brakeman, and Gosec on top to add security findings.

That positioning suits two audiences. Engineering teams that already think in pull-request gates appreciate the unified annotations: one bot comment instead of one per scanner.

Compliance-aware orgs get a single audit trail for every finding category, which matters when SOC 2 or ISO 27001 evidence collection has to span quality and security at the same time.

The trade-off is depth: Codacy orchestrates other engines rather than building its own SAST core, so detection ceilings are bounded by the underlying tools. Teams that already run Semgrep + ESLint + Bandit directly may not gain new findings, only a unified UI on top of them.

40+ Languages
Scans Python, Java, JavaScript, TypeScript, Go, C#, Ruby, Rust, PHP, Kotlin, Swift, Scala, Dart, Elixir, Shell, and more using 30+ underlying analysis tools.
AI Code Guardrails
Scans AI-generated code from Copilot, Cursor, and similar tools for security vulnerabilities in the IDE. AI Risk Hub provides compliance reporting for AI-assisted development.
Pull Request Analysis
Inline issue annotations, coverage summaries, quality gate checks, and suggested fixes on every pull request. AI Reviewer adds AI-powered context to findings on GitHub.
Codacy repository dashboard showing code quality metrics, coverage, and issue breakdown
Codacy repository dashboard showing code quality metrics, coverage, and issue breakdown

What are Codacy’s key features?

Security analysis (SAST)

Codacy runs security-focused tools like Semgrep, Bandit, Brakeman, Gosec, and Flawfinder against your codebase.

Detection covers OWASP Top 10 categories including injection, XSS, and authentication flaws, plus secrets detection for hardcoded credentials and API keys.

According to OWASP, using multiple complementary scanning tools increases vulnerability coverage, which is the approach Codacy takes by orchestrating 30+ analyzers.

Codacy security risk management findings list showing vulnerability severity, category, and affected repositories
Codacy security risk management findings list โ€” vulnerabilities grouped by severity and OWASP category

AI features

Codacy has three AI-specific capabilities:

  • AI Guardrails โ€” Scans AI-generated code in the IDE (VS Code, Cursor, IntelliJ, Windsurf) for security issues before it reaches a pull request
  • AI Risk Hub โ€” Risk assessment and compliance tracking for AI-generated code across repositories
  • AI Reviewer โ€” Combines rule-based analysis with AI context to review GitHub pull requests. Triggered by adding a codacy-review label to PRs
Underlying analysis tools

Codacy doesn’t build its own analysis engines. It orchestrates 30+ tools like Semgrep, ESLint, PMD, Checkov, Bandit, Brakeman, SpotBugs, and others.

The docs list exactly which tools run for each language. This means Codacy’s detection capabilities are only as good as the tools it wraps.

Software composition analysis

Codacy scans dependencies for known vulnerabilities and checks license compliance. As of December 2025, it also detects malicious packages in the npm supply chain.

Codacy pull request analysis showing quality gate status and code review metrics
Codacy pull request analysis showing quality gate status and code review metrics

Code quality

Beyond security, Codacy tracks code complexity, duplication, and style violations. Coverage integration shows test coverage metrics alongside security findings.

Quality gates can block PRs that don’t meet configured thresholds for issues, coverage, or duplication.

How Codacy works

Codacy’s pipeline is webhook-driven rather than CI-config-driven. When you connect GitHub, GitLab, or Bitbucket, Codacy registers a webhook that fires on every push and pull request. The webhook triggers a parallel scan that runs the bundled linters for each detected language: ESLint and Semgrep for JavaScript, Bandit and Pylint for Python, Brakeman and RuboCop for Ruby, SpotBugs and PMD for Java, and so on.

Results from every engine flow into a single aggregation layer. Codacy deduplicates overlapping findings (Semgrep and Bandit both report on Python subprocess issues, for example), maps each finding to its OWASP or CWE category, and posts inline annotations on the pull request diff. Pioneer AI then ranks findings by likely impact, so the top of the list is what reviewers should triage first rather than what the engines emitted alphabetically.

For security-focused workflows, Codacy also runs source code static analysis on every commit, performs rule-based pattern matching for CWEs across 40+ languages, and reuses Semgrep’s data-flow rules where available โ€” but it does not maintain its own taint analysis on proprietary code engine.

What does Codacy integrate with?

Git Providers
GitHub Cloud GitHub Cloud
GitHub Enterprise GitHub Enterprise
GitLab Cloud GitLab Cloud
GitLab Enterprise GitLab Enterprise
Bitbucket Cloud Bitbucket Cloud
Bitbucket Server Bitbucket Server
IDEs
VS Code VS Code
IntelliJ IntelliJ
Cursor Cursor
Windsurf Windsurf
Workflow
Slack Slack
Jira Jira

How do I get started with Codacy?

1
Sign up with your Git provider โ€” Connect your GitHub, GitLab, or Bitbucket account at codacy.com. Codacy reads your repository list automatically.
2
Add repositories โ€” Select the repositories you want to analyze. Codacy starts scanning on each push and pull request.
3
Configure analysis โ€” Set code patterns, quality gates, and which tools to enable per language through the Codacy dashboard or a .codacy.yml configuration file.
4

Review findings in PRs โ€” Codacy posts inline annotations, coverage summaries, and quality gate status directly on pull requests.

Codacy inline issue annotation on a GitHub pull request diff
Codacy inline issue annotation on a GitHub pull request diff

How much does Codacy cost?

PlanPriceKey limits
Developer (free)$0/monthIDE-only scanning, 4 languages (TS, JS, Python, Java)
Team$18/month per dev (annual)30 developers, 100 private repos, 49 languages, PR scanning
BusinessCustomUnlimited repos, DAST, SBOM exports, SSO, AI Risk Hub

Open-source projects get the Pro plan for free.

When to use Codacy

Codacy works well for teams that want a single platform combining security scanning, code quality, and coverage tracking without configuring individual tools. The free Developer plan lets individuals try it in their IDE, and the Pro plan covers most use cases for small to mid-size teams.

Because Codacy wraps existing open-source tools, teams already running those tools directly (e.g., Semgrep + ESLint + Bandit) may not get additional detection capabilities. The value is in the unified dashboard, PR integration, quality gates, and AI features.

Best for
Teams that want unified code quality and security scanning across 40+ languages with PR-level feedback, without configuring individual analysis tools.

Customers include Zalando, Babbel, and Bliss Applications. Stim reported increasing test coverage from 23% across 20 repositories to 57% across 40+ repositories within one year of using Codacy.

Visit Codacy View source on GitHub (113โ˜…)

Frequently Asked Questions

What is Codacy?
Codacy is a code quality and security platform that scans 40+ programming languages for security vulnerabilities, code smells, complexity issues, and duplication. It uses underlying tools like Semgrep, ESLint, Bandit, Brakeman, and SpotBugs to provide coverage. Founded in 2012, Codacy is used by over 600,000 developers.
Is Codacy free?
Codacy has a free Developer plan that provides IDE-only scanning for TypeScript, JavaScript, Python, and Java. The Team plan starts at $18/month per developer (annual billing) and covers 40+ languages with PR scanning. Open-source projects get the Team plan for free.
What AI features does Codacy have?
Codacy has three AI features: AI Guardrails scans AI-generated code for security issues in the IDE, AI Risk Hub provides compliance and governance for AI-generated code, and AI Reviewer combines rule-based analysis with AI context to review pull requests on GitHub.
What languages and tools does Codacy support?
Codacy supports 40+ languages using 30+ underlying analysis tools. These include Semgrep for multi-language security, ESLint for JavaScript, Bandit for Python, Brakeman for Ruby, SpotBugs for Java, Checkov for IaC, and many more. The docs list the exact tools available for each language.
How does Codacy integrate with development workflows?
Codacy integrates with GitHub (Cloud and Enterprise), GitLab (Cloud and Enterprise), and Bitbucket (Cloud and Server). It provides PR status checks, inline issue annotations, coverage summaries, and suggested fixes. IDE plugins are available for VS Code, IntelliJ, Cursor, and Windsurf.
How I review tools Suggest an edit

Other SAST Tools

Veracode
Veracode

Binary Analysis AppSec Platform

Corgea
Corgea

AI-native SAST with automatic vulnerability detection and code fix generation

Parasoft
Parasoft

Compliance-first SAST for automotive, aerospace & medical device software

Infer
Infer

Meta's Inter-Procedural Static Analyzer

PHPStan
PHPStan

PHP Static Analysis with Progressive Strictness

Psalm
Psalm

PHP Type Safety + Security Taint Analysis

See all SAST tools

Complement with SCA

Pair static analysis with dependency scanning for broader coverage.

Mend
Mend

Renovate-powered SCA + Agentic SAST in one platform

cdxgen
cdxgen

CycloneDX SBOM generator for 20+ languages

See all SCA tools

Learn More

Best SAST Tools for C# in 2026 Best SAST Tools for Go in 2026 Best SAST Tools for Java in 2026 Best SAST Tools for PHP in 2026 Best SAST Tools for JavaScript and TypeScript in 2026 Best SAST Tools for Python in 2026

Explore all SAST guides and tools