Codacy

Category: SAST
License: Commercial (Free for open-source, CLI is AGPL-3.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 11, 2026
3 min read
Key Takeaways
  • Scans 40+ languages using 30+ underlying tools (Semgrep, ESLint, Bandit, Brakeman, SpotBugs, Checkov) in a unified platform — used by 600,000+ developers.
  • AI Guardrails scan AI-generated code in IDE; AI Risk Hub tracks compliance for AI-assisted development; AI Reviewer analyzes GitHub PRs with rule-based + AI context.
  • Free Developer plan for IDE scanning (4 languages); Pro plan at $15/month per dev covers 40+ languages with PR scanning. Open-source projects get Pro plan free.
  • Combines SAST, SCA, secrets detection, IaC scanning, code quality, and coverage tracking with pull request quality gates across GitHub, GitLab, and Bitbucket.

Codacy is a code quality and security platform that scans 40+ languages for security vulnerabilities, code smells, complexity, and duplication. It is a SAST tool that runs multiple underlying analysis engines — including Semgrep, ESLint, Bandit, Brakeman, and SpotBugs — to provide broad coverage from a single platform.

Founded in 2012, Codacy is used by over 600,000 developers. The Codacy Analysis CLI is open source under AGPL-3.0. The company has 52 employees across 9 countries.

What is Codacy?

Codacy provides automated code review that catches security issues and quality problems on every commit and pull request. It connects directly to GitHub, GitLab, or Bitbucket and runs analysis automatically without CI configuration for basic usage.

The platform wraps 30+ open-source and proprietary analysis tools behind a unified interface. For Python, it runs Bandit, Pylint, Ruff, and Semgrep. For JavaScript, ESLint and Semgrep. For Ruby, Brakeman, RuboCop, and Semgrep. Each language has its own set of tools, all managed through a single dashboard.

40+ Languages
Scans Python, Java, JavaScript, TypeScript, Go, C#, Ruby, Rust, PHP, Kotlin, Swift, Scala, Dart, Elixir, Shell, and more using 30+ underlying analysis tools.

AI Code Guardrails
Scans AI-generated code from Copilot, Cursor, and similar tools for security vulnerabilities in the IDE. AI Risk Hub provides compliance reporting for AI-assisted development.

Pull Request Analysis
Inline issue annotations, coverage summaries, quality gate checks, and suggested fixes on every pull request. AI Reviewer adds AI-powered context to findings on GitHub.

[Screenshot: Codacy repository dashboard showing code quality metrics, coverage, and issue breakdown]

Key features

Security analysis (SAST)

Codacy runs security-focused tools like Semgrep, Bandit, Brakeman, Gosec, and Flawfinder against your codebase. Detection covers OWASP Top 10 categories including injection, XSS, and authentication flaws, plus secrets detection for hardcoded credentials and API keys. According to OWASP, using multiple complementary scanning tools increases vulnerability coverage, which is the approach Codacy takes by orchestrating 30+ analyzers.

AI features

Codacy has three AI-specific capabilities:

  • AI Guardrails — Scans AI-generated code in the IDE (VS Code, Cursor, IntelliJ, Windsurf) for security issues before it reaches a pull request
  • AI Risk Hub — Risk assessment and compliance tracking for AI-generated code across repositories
  • AI Reviewer — Combines rule-based analysis with AI context to review GitHub pull requests. Triggered by adding a codacy-review label to PRs

Underlying analysis tools

Codacy doesn’t build its own analysis engines. It orchestrates 30+ tools such as Semgrep, ESLint, PMD, Checkov, Bandit, Brakeman, and SpotBugs. The docs list exactly which tools run for each language. This means Codacy’s detection capabilities are only as good as the tools it wraps: a vulnerability class that none of the underlying analyzers covers will not be reported by Codacy either.

Software composition analysis

Codacy scans dependencies for known vulnerabilities and checks license compliance. As of December 2025, it also detects malicious packages in the npm supply chain.

[Screenshot: Codacy pull request analysis showing quality gate status and code review metrics]

Code quality

Beyond security, Codacy tracks code complexity, duplication, and style violations. Coverage integration shows test coverage metrics alongside security findings. Quality gates can block PRs that don’t meet configured thresholds for issues, coverage, or duplication.

Integrations

Git Providers
  • GitHub Cloud
  • GitHub Enterprise
  • GitLab Cloud
  • GitLab Enterprise
  • Bitbucket Cloud
  • Bitbucket Server

IDEs
  • VS Code
  • IntelliJ
  • Cursor
  • Windsurf

Workflow
  • Slack
  • Jira

Getting started

1. Sign up with your Git provider — Connect your GitHub, GitLab, or Bitbucket account at codacy.com. Codacy reads your repository list automatically.
2. Add repositories — Select the repositories you want to analyze. Codacy starts scanning on each push and pull request.
3. Configure analysis — Set code patterns, quality gates, and which tools to enable per language through the Codacy dashboard or a .codacy.yml configuration file.
4. Review findings in PRs — Codacy posts inline annotations, coverage summaries, and quality gate status directly on pull requests.

[Screenshot: Codacy inline issue annotation on a GitHub pull request diff]

Pricing

Plan              Price                          Key limits
Developer (free)  $0/month                       IDE-only scanning, 4 languages (TS, JS, Python, Java)
Pro               $15/month per dev (annual)     30 developers, 100 private repos, 49 languages, PR scanning
Business          Custom                         Unlimited repos, DAST, SBOM exports, SSO, AI Risk Hub

Open-source projects get the Pro plan for free.

When to use Codacy

Codacy works well for teams that want a single platform combining security scanning, code quality, and coverage tracking without configuring individual tools. The free Developer plan lets individuals try it in their IDE, and the Pro plan covers most use cases for small to mid-size teams.

Because Codacy wraps existing open-source tools, teams already running those tools directly (e.g., Semgrep + ESLint + Bandit) may not gain additional detection capability. The value is in the unified dashboard, PR integration, quality gates, and AI features.

Best for
Teams that want unified code quality and security scanning across 40+ languages with PR-level feedback, without configuring individual analysis tools.

Customers include Zalando, Babbel, and Bliss Applications. Stim reported increasing test coverage from 23% across 20 repositories to 57% across 40+ repositories within one year of using Codacy.

Frequently Asked Questions

What is Codacy?
Codacy is a code quality and security platform that scans 40+ programming languages for security vulnerabilities, code smells, complexity issues, and duplication. It uses underlying tools like Semgrep, ESLint, Bandit, Brakeman, and SpotBugs to provide coverage. Founded in 2012, Codacy is used by over 600,000 developers.
Is Codacy free?
Codacy has a free Developer plan that provides IDE-only scanning for TypeScript, JavaScript, Python, and Java. The Pro plan starts at $15/month per developer (annual billing) and covers 40+ languages with PR scanning. Open-source projects get the Pro plan for free.
What AI features does Codacy have?
Codacy has three AI features: AI Guardrails scans AI-generated code for security issues in the IDE, AI Risk Hub provides compliance and governance for AI-generated code, and AI Reviewer combines rule-based analysis with AI context to review pull requests on GitHub.
What languages and tools does Codacy support?
Codacy supports 40+ languages using 30+ underlying analysis tools. These include Semgrep for multi-language security, ESLint for JavaScript, Bandit for Python, Brakeman for Ruby, SpotBugs for Java, Checkov for IaC, and many more. The docs list the exact tools available for each language.
How does Codacy integrate with development workflows?
Codacy integrates with GitHub (Cloud and Enterprise), GitLab (Cloud and Enterprise), and Bitbucket (Cloud and Server). It provides PR status checks, inline issue annotations, coverage summaries, and suggested fixes. IDE plugins are available for VS Code, IntelliJ, Cursor, and Windsurf.