The Short Answer
Codacy ships a solid security scanning suite that covers the major vulnerability categories most development teams care about - SAST for source code flaws, SCA for vulnerable dependencies, secrets detection for leaked credentials, and DAST for runtime issues on the Business plan. It is not a replacement for a dedicated SAST tool if security scanning is your primary concern, but for teams that want security coverage bundled alongside code quality tools at $15/user/month, Codacy delivers genuine value.
This guide walks through exactly what Codacy's security scanning covers, which tools it uses under the hood, how to configure security quality gates for pull requests, and how it stacks up against dedicated alternatives like Snyk Code and Semgrep.
What Security Scanning Does Codacy Include?
Codacy's security offering is built across four layers, each targeting a different type of vulnerability or threat.
1. Static Application Security Testing (SAST)
SAST is the foundation of Codacy's security work. It analyzes your source code without running it, looking for patterns that match known vulnerability classes. This includes the OWASP Top 10 categories - injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, XSS, insecure deserialization, using components with known vulnerabilities, and insufficient logging.
Codacy runs SAST on every pull request, scanning the changed files and reporting any new issues introduced in that changeset. This incremental approach is important: rather than flooding developers with every existing vulnerability in the codebase, Codacy surfaces only what changed in the current PR. Teams adopting Codacy on a legacy codebase can therefore start enforcing security standards on new code without being paralyzed by historical debt.
2. Software Composition Analysis (SCA)
Dependency vulnerabilities account for a large share of real-world security incidents, and Codacy's SCA scans your dependency manifests - package.json, requirements.txt, pom.xml, Gemfile.lock, go.sum, and others - to find third-party libraries with known CVEs.
Each finding includes the affected library, the CVE identifier, a severity rating (critical, high, medium, low), and remediation guidance indicating which version resolves the vulnerability. SCA runs alongside SAST on every PR, meaning you get notified when a dependency update introduces a new vulnerability or when a new dependency you add is already known to be insecure.
For teams that need deeper SCA coverage - more comprehensive vulnerability databases, automated fix PRs, or granular license compliance management - dedicated tools like Snyk provide more horsepower. But for teams that want SCA as part of a broader quality and security platform, Codacy's coverage is sufficient for most use cases.
3. Secrets Detection
Accidentally committing API keys, connection strings, private keys, and other credentials is one of the most common and damaging security mistakes developers make. Codacy's secrets detection scans every commit and PR for patterns that match sensitive credential formats.
This includes cloud provider credentials (AWS, GCP, Azure), source code hosting tokens (GitHub, GitLab), payment processor keys (Stripe, PayPal), database connection strings, SSH private keys, JWT secrets, and many other categories. Detection runs automatically with no additional configuration required - it is on by default for every repository you connect to Codacy.
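To make the mechanism behind this kind of detection concrete, here is an added example (not Codacy's implementation) of a pattern-based secrets scan over the added lines of a PR diff: specific regexes for the credential families listed above, a generic high-entropy fallback for keys with no fixed shape that does not flag placeholder values, and redaction of anything it reports. The patterns, the entropy threshold and the diff are constructed for illustration.

```python
import math
import re
from dataclasses import dataclass

# Constructed credential shapes for families the text lists; illustrative, not Codacy's rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"(?i)\b(?:postgres|mysql|mongodb)://[^:\s/]+:[^@\s]+@"),
}
# Fallback for secrets with no fixed shape: a secret-looking name assigned a long literal.
# The entropy check below separates random keys from placeholders such as "changeme".
GENERIC_ASSIGN = re.compile(
    r"(?i)\b\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*"
    r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; a constructed cut-off

@dataclass
class Finding:
    rule: str
    path: str
    line_no: int
    redacted: str  # never store or print the full secret

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)  # bits per character

def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "*" * len(value)

def scan_line(text: str, path: str, line_no: int) -> list[Finding]:
    hits = [Finding(rule, path, line_no, redact(m.group(0)))
            for rule, pat in PATTERNS.items() for m in pat.finditer(text)]
    if not hits:  # generic tier runs only when no specific pattern fired
        m = GENERIC_ASSIGN.search(text)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            hits.append(Finding("high_entropy_secret", path, line_no, redact(m.group(1))))
    return hits

def scan_diff(diff: str) -> list[Finding]:
    # Only '+' lines are scanned; new-side line numbers are tracked from the hunk header.
    findings, path, line_no, in_hunk = [], "?", 0, False
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path, in_hunk = raw[4:].removeprefix("b/"), False
        elif raw.startswith("@@"):
            start = re.search(r"\+(\d+)", raw)
            line_no, in_hunk = (int(start.group(1)) - 1 if start else 0), True
        elif in_hunk and not raw.startswith("-"):  # removed lines cannot introduce a secret
            line_no += 1  # context and added lines both occupy new-side numbers
            if raw.startswith("+"):
                findings.extend(scan_line(raw[1:], path, line_no))
    return findings

# Constructed diff: a documented AWS example key, a placeholder GitHub token, a credentialed
# connection string, a random-looking API key, and a low-entropy placeholder password.
SAMPLE_DIFF = """\
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,3 +10,7 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_ConstructedPlaceholderToken000000000"
+DATABASE_URL = "postgres://app:S3cr3tPassw0rd!@db.internal:5432/app"
+API_KEY = "kQ9v2Lr8ZpX3mT7nW1bY5cD0fH4jK6sA"
+PASSWORD = "changeme_changeme_changeme"
 TIMEOUT = 30
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports four findings on lines 11 to 14 and correctly ignores the placeholder password, whose entropy falls below the threshold.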
4. Dynamic Application Security Testing (DAST)
DAST is different from SAST in a fundamental way: it tests a running application rather than static code. This means it can find vulnerabilities that only appear at runtime - authentication bypasses, server configuration issues, session management flaws, and real-world exploit paths that static analysis cannot simulate.
Codacy's DAST capability is powered by ZAP (Zed Attack Proxy) and is available exclusively on the Business plan. It requires pointing Codacy at a running instance of your application (typically a staging environment) and running a scan. This is a significant addition for security-conscious teams but is out of reach for developers on the Pro plan.
The Security Tools Running Under the Hood
One of Codacy's architectural strengths - and one of the key things to understand about its security scanning - is that it does not build its own analyzers from scratch. Instead, it integrates well-established open-source security tools and presents their results through a unified interface. Here is a breakdown of the key security tools Codacy wraps.
Bandit (Python)
Bandit is the standard Python security linter, developed under the PyCQA umbrella. It scans Python code for common security issues including the use of hardcoded passwords, shell injection via subprocess, use of unsafe cryptographic functions, SQL injection patterns, insecure XML parsing, and assertion statements in security-sensitive code. Codacy runs Bandit automatically on Python repositories.
Brakeman (Ruby on Rails)
Brakeman is a static analysis tool specifically designed for Ruby on Rails applications. It understands Rails conventions deeply and can detect Rails-specific vulnerabilities like mass assignment, SQL injection through ActiveRecord, cross-site scripting in views, unprotected redirects, and insecure use of send and eval. For Rails teams, Brakeman's integration in Codacy is a significant value-add.
SpotBugs and Find Security Bugs (Java)
SpotBugs is the successor to FindBugs and analyzes Java bytecode for bug patterns. The Find Security Bugs plugin extends SpotBugs with over 130 security-specific detectors covering vulnerabilities like LDAP injection, XPath injection, insecure random number generation, use of MD5 or SHA-1 for cryptography, and deserialization vulnerabilities. Codacy integrates both SpotBugs and Find Security Bugs for Java projects.
Semgrep (Multi-language)
Semgrep is a powerful pattern-matching engine that Codacy uses for cross-language security scanning. It supports JavaScript, TypeScript, Python, Java, Go, Ruby, PHP, C, C++, and more. Codacy runs Semgrep with a curated set of security rules covering injection patterns, insecure API usage, and OWASP Top 10 categories across these languages. If you also use Semgrep directly, note that Codacy's integration runs a pre-configured subset of rules rather than the full Semgrep Registry.
ESLint Security Plugins (JavaScript/TypeScript)
For JavaScript and TypeScript, Codacy leverages ESLint with security-focused plugins including eslint-plugin-security and eslint-plugin-no-unsanitized. These catch patterns like unsafe use of innerHTML, eval, insecure regular expressions vulnerable to ReDoS, and unsafe object property access patterns. They complement the SAST rules from Semgrep to provide layered JavaScript security coverage.
PHP_CodeSniffer Security Rules (PHP)
For PHP codebases, Codacy uses PHP_CodeSniffer with security-oriented rulesets to detect common PHP vulnerabilities including SQL injection through unparameterized queries, command injection via exec and shell_exec, use of deprecated cryptographic functions, and unsafe file inclusion patterns.
The Codacy Security Dashboard
The security dashboard is where you get the repository-level view of all open security issues. It is one of the more useful parts of Codacy's interface for security-focused work.
Issues are organized first by severity - critical, high, medium, low, and info - and then by category. The categories map loosely to vulnerability classes: injection, authentication, cryptography, input validation, authorization, sensitive data, and so on. This categorization makes it easy to identify if your codebase has a systematic problem in a particular area - for example, a pattern of not validating user input across multiple files.
The dashboard shows historical trends, so you can see whether your security debt is growing or shrinking over time. This is useful for security program metrics and for demonstrating progress to management or compliance teams. You can filter by file path, tool, category, and date range to drill into specific areas of concern.
One practical limitation: the dashboard shows findings from the last full scan of the default branch. PR-level findings appear in the PR itself, not automatically in the dashboard until they are merged. This means the dashboard always reflects the state of production code rather than in-flight work, which is the correct behavior but worth understanding when triaging issues.
PR-Level Security Checks
The pull request integration is where most developers interact with Codacy's security scanning day to day. When a PR is opened or updated, Codacy posts a summary comment and inline comments at the specific lines where security issues were found.
Inline comments include the issue description, the rule that triggered it, a severity label, and often a brief explanation of why the pattern is problematic and how to fix it. The quality of these explanations varies by tool - Semgrep rules tend to have the most useful fix guidance, while some of the tool-specific rules provide more terse descriptions.
The PR summary comment shows a breakdown of new issues by severity, any resolved issues from the baseline, and the overall quality gate status. If you have security quality gates configured, the comment will show clearly whether the PR passes or fails the security threshold.
Configuring Security Quality Gates
Quality gates are Codacy's mechanism for enforcing security standards on every PR. They are configured at the repository or organization level and create pass/fail criteria that integrate with your Git provider's branch protection rules.
For security specifically, you can configure gates such as:
- Zero new critical severity security issues allowed
- Zero new high severity security issues allowed
- Zero new security issues allowed, regardless of severity
- Maximum total open security issues across the codebase
When a quality gate fails, Codacy posts a failing status check on the PR. If you have branch protection rules set to require Codacy's status check to pass, the PR cannot be merged until the developer resolves the blocking issues or a code owner overrides the gate.
Setting security quality gates requires thinking about what level of strictness is realistic for your team. Starting with "no new critical issues" is a reasonable baseline that prevents the most dangerous vulnerabilities from reaching production without overwhelming developers with medium and low-severity findings. You can tighten the gates over time as the team builds familiarity with the tooling.
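The gates above only work if "new" is computed reliably against the default-branch baseline. As an added example (not Codacy's code), here is a small gate evaluator that fingerprints findings without their line numbers, so an old finding that merely shifts position is not counted as new, and then checks a PR's findings against the four gate shapes listed above. The findings, tool names and rule ids are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low", "info")

@dataclass(frozen=True)
class Issue:
    tool: str
    rule: str
    path: str
    line: int
    severity: str
    snippet: str  # source text of the flagged line

    def fingerprint(self) -> str:
        # The line number is deliberately left out: an unrelated edit that shifts an
        # old finding down a few lines must not make it look "new" to the gate.
        key = "|".join((self.tool, self.rule, self.path, " ".join(self.snippet.split())))
        return hashlib.sha256(key.encode()).hexdigest()[:16]

@dataclass
class Gate:
    name: str
    max_new: dict = field(default_factory=dict)  # severity -> allowed count of new issues
    max_total_open: Optional[int] = None         # cap on open issues across the branch

def new_issues(baseline: list[Issue], head: list[Issue]) -> list[Issue]:
    """Findings in the PR head whose fingerprint is absent from the default-branch baseline."""
    seen = {i.fingerprint() for i in baseline}
    return [i for i in head if i.fingerprint() not in seen]

def evaluate(gate: Gate, baseline: list[Issue], head: list[Issue]) -> tuple[bool, list[str]]:
    """Return (passed, reasons); reasons is empty when the gate passes."""
    introduced = new_issues(baseline, head)
    reasons = []
    for sev in SEVERITIES:
        limit = gate.max_new.get(sev)
        count = sum(1 for i in introduced if i.severity == sev)
        if limit is not None and count > limit:
            reasons.append(f"{count} new {sev} issue(s) exceed limit {limit}")
    if gate.max_total_open is not None and len(head) > gate.max_total_open:
        reasons.append(f"{len(head)} open issues exceed limit {gate.max_total_open}")
    return not reasons, reasons

# Constructed findings (tool and rule names are placeholders, not real rule ids).
BASELINE = [  # default branch before the PR
    Issue("bandit", "sql-string-concat", "app/db.py", 40, "medium",
          'cur.execute("SELECT * FROM users WHERE id = " + uid)'),
    Issue("semgrep", "reflected-xss", "app/views.py", 12, "high", "return Markup(q)"),
]
HEAD = [  # PR head: the SQL finding moved to line 43 and was re-spaced; one new critical
    Issue("bandit", "sql-string-concat", "app/db.py", 43, "medium",
          'cur.execute("SELECT * FROM users WHERE id = "  +  uid)'),
    Issue("semgrep", "reflected-xss", "app/views.py", 12, "high", "return Markup(q)"),
    Issue("bandit", "hardcoded-password", "app/settings.py", 8, "critical",
          'ADMIN_PASSWORD = "hunter2"'),
]

# The four gate shapes listed above, as configuration objects.
NO_NEW_CRITICAL = Gate("no new critical", {"critical": 0})
NO_NEW_CRITICAL_OR_HIGH = Gate("no new critical or high", {"critical": 0, "high": 0})
ZERO_NEW = Gate("zero new issues of any severity", {s: 0 for s in SEVERITIES})
MAX_OPEN = Gate("at most 2 open issues", max_total_open=2)

if __name__ == "__main__":
    for gate in (NO_NEW_CRITICAL, NO_NEW_CRITICAL_OR_HIGH, ZERO_NEW, MAX_OPEN):
        passed, reasons = evaluate(gate, BASELINE, HEAD)
        print(f"{gate.name}: {'PASS' if passed else 'FAIL'} {reasons}")
```

Only the hardcoded password counts as new; the moved and re-spaced SQL finding hashes to the same fingerprint as its baseline copy, so a "no new high" gate passes while every gate that caps new critical issues fails.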
Codacy Security vs. Dedicated SAST Tools
If your primary requirement is security scanning, it is worth understanding where Codacy's bundled security fits on the spectrum compared to dedicated SAST tools.
Codacy vs. Snyk Code
Snyk Code is a dedicated SAST tool with a significant focus on developer experience. Its strength is real-time scanning in the IDE and deep integration with Snyk's vulnerability intelligence. Snyk's SCA database is larger and more frequently updated than Codacy's, and its dependency scanning provides more actionable remediation paths including automated fix PRs via Snyk's PR automation.
Codacy offers broader coverage in a single platform - you get quality analysis, coverage tracking, and AI review alongside security. Snyk Code offers deeper security-specific functionality. If you are trying to decide between the two, consider whether security is your primary concern (Snyk) or whether you want a consolidated platform for quality and security together (Codacy). For a detailed breakdown, see the Codacy vs Snyk comparison.
Codacy vs. Semgrep
Semgrep gives security and engineering teams full control over static analysis rules. The Semgrep Registry contains thousands of community-contributed and Semgrep-maintained rules, and you can write custom rules in Semgrep's pattern syntax to match vulnerabilities specific to your codebase and frameworks.
Codacy uses Semgrep internally but in a pre-configured, opinionated way. You do not get access to the full Semgrep Registry or the ability to write custom Semgrep rules through Codacy's interface. If your security requirements include custom rule development or fine-grained control over which Semgrep rulesets run on your code, running Semgrep directly is a better choice. See the Codacy vs Semgrep comparison for more detail.
For a broader comparison of security scanning tools, the best SAST tools guide covers the full landscape.
CodeAnt AI: A Modern Alternative Worth Considering
If you are evaluating Codacy's security scanning, CodeAnt AI is worth putting in the comparison set. It is a Y Combinator-backed platform priced at $24-40/user/month that bundles several capabilities that Codacy either lacks or offers only on higher-tier plans.
The security capabilities in CodeAnt AI include SAST with AI-powered analysis of security findings, secrets detection, and - notably - IaC security scanning for infrastructure-as-code configurations. Terraform, CloudFormation, and Kubernetes manifests are increasingly part of the attack surface for modern applications, and most static analysis platforms do not cover them well. CodeAnt AI's IaC security fills that gap directly.
Beyond security, CodeAnt AI combines AI PR review with DORA metrics tracking and code health analytics. The AI review component is more sophisticated than Codacy's AI Reviewer, offering deeper contextual analysis of security issues and their business risk rather than just pattern-match detections. For teams where AI-powered review and infrastructure security are priorities, CodeAnt AI is a compelling alternative to Codacy, though at a higher price point per user.
Codacy remains the stronger choice if you need broad language coverage (49 languages vs. CodeAnt AI's narrower support), mature SCA with dependency scanning, or the lower $15/user/month entry price. The right choice depends on whether your team prioritizes language breadth or AI depth and infrastructure coverage.
Supported Languages for Security Scanning
Security scanning in Codacy is available for the major languages through the integrated tool ecosystem:
- Python - Bandit, Semgrep, Pylint security rules
- Java - SpotBugs, Find Security Bugs, PMD security rules
- JavaScript and TypeScript - ESLint security plugins, Semgrep
- Ruby - Brakeman (Rails), Semgrep
- PHP - PHP_CodeSniffer security rules, Semgrep
- Go - Semgrep, staticcheck
- C and C++ - Semgrep, Cppcheck
- Kotlin - Detekt security rules
- Scala - Scalastyle, Semgrep
- Swift - SwiftLint with security configurations
Coverage depth varies. Python (via Bandit) and Java (via SpotBugs and FindSecBugs) have the most mature security analysis. JavaScript and TypeScript benefit from both ESLint plugins and Semgrep. Languages covered primarily through Semgrep depend on the quality of available Semgrep rulesets for that language.
Setting Up Security Scanning in Codacy
Getting Codacy's security scanning running takes under 15 minutes for most teams.
Step 1: Connect your repository. Sign into Codacy with your GitHub, GitLab, or Bitbucket account and authorize the integration. Select the repositories you want to analyze. Codacy triggers an initial full scan automatically.
Step 2: Review initial findings. The first scan will surface existing security issues across the codebase. Do not try to fix everything immediately. Use the security dashboard to understand the shape of your current security debt - which categories are most common, which files have the most issues, and what the severity distribution looks like.
Step 3: Configure code patterns. In the repository settings, go to Code Patterns to review which security rules are enabled. The defaults are reasonable for most teams, but you may want to disable rules that generate too many false positives for your specific codebase, or enable additional rules in tool categories that are relevant to your tech stack.
Step 4: Set quality gates. Configure security quality gates to fail PRs that introduce new critical or high-severity security issues. Start with a threshold that is achievable - "no new critical issues" is a good starting point. Tighten over time.
Step 5: Enable branch protection. In your Git provider's repository settings, require the Codacy status check to pass before PRs can be merged. This enforces the quality gates in the development workflow.
Step 6: Review PR feedback. From this point forward, security findings from new PRs will appear as inline comments and a summary on each pull request, and the quality gate will reflect your configured security standards.
Practical Tips for Getting the Most Out of Codacy Security
Triage your baseline before enforcing gates. If you connect Codacy to a large existing codebase and immediately enable strict security gates, your development velocity will grind to a halt while the team addresses historical findings. Take a week to triage the baseline, mark pre-existing issues as accepted or false positives, and then enable gates that only apply to new code.
Use the category view to find systemic issues. If you see 30 "SQL injection" findings across 15 files, that is not just 30 individual bugs - it is a systemic pattern suggesting a shared anti-pattern in how your team writes database queries. The category grouping in the dashboard helps surface these systemic issues.
Supplement with secrets scanning in CI. While Codacy's secrets detection is good, adding a dedicated secrets scanning step in your CI pipeline (using a tool like truffleHog or git-secrets) provides a second layer of defense and runs even on commits that go directly to the main branch.
Review the SCA findings regularly. New CVEs for existing dependencies are discovered constantly. Make it a habit to check the SCA section of the Codacy dashboard weekly and keep your dependency manifests current. Codacy will alert you to new vulnerabilities in existing dependencies when it rescans the default branch.
Consider Semgrep for custom rules. If your codebase has security concerns specific to your business logic or internal APIs, Codacy's pre-configured Semgrep rules will not catch them. In those cases, running Semgrep directly alongside Codacy - with custom rules tuned to your codebase - provides the coverage that Codacy cannot.
Further Reading
If you are evaluating Codacy more broadly or comparing it to alternatives, these related guides cover the adjacent territory:
- Codacy Review 2026 - a full review of Codacy's features, pricing, and positioning
- Codacy Alternatives - the top alternatives to Codacy for code quality and security
- Codacy vs Snyk - detailed comparison for security-focused teams
- Codacy vs Semgrep - when to use each for security scanning
- Best SAST Tools - the full landscape of static application security testing tools
Conclusion
Codacy's security scanning is a genuine and capable component of its platform - not a checkbox feature. The combination of SAST via integrated tools like Bandit, Brakeman, SpotBugs, and Semgrep; SCA for dependency CVEs; and secrets detection on every PR gives development teams meaningful security coverage without requiring a separate tool subscription.
Where Codacy falls short of dedicated SAST tools is in customizability and depth. You cannot write custom Semgrep rules through Codacy, the SCA database is smaller than Snyk's, and DAST is gated behind the Business plan. Teams with serious security requirements - regulated industries, security-sensitive products, or active bug bounty programs - should layer Codacy with a dedicated SAST or SCA tool to fill the gaps.
For the majority of development teams, though, Codacy's security scanning represents excellent value as part of its all-in-one offering. The PR-level security checks, configurable quality gates, and security dashboard give teams the visibility and enforcement they need to prevent the most common vulnerabilities from reaching production without the operational overhead of managing a separate security toolchain.
Frequently Asked Questions
What security vulnerabilities does Codacy detect?
Codacy detects a broad range of security vulnerabilities including SQL injection, cross-site scripting (XSS), insecure deserialization, hardcoded credentials, path traversal, XML injection, insecure cryptography, and dozens of other OWASP Top 10 and CWE patterns. It runs SAST, SCA for dependency CVEs, and secrets detection on every PR. The Business plan also adds DAST for runtime security testing.
Does Codacy cover the OWASP Top 10?
Yes, Codacy's security scanning covers all OWASP Top 10 categories including injection flaws, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, vulnerable components, and insufficient logging. Coverage depth varies by language depending on which underlying analysis tools are integrated.
Which security tools does Codacy integrate?
Codacy integrates a range of specialized security tools including Bandit for Python, Brakeman for Ruby on Rails, SpotBugs for Java, FindSecBugs for Java bytecode, Semgrep for cross-language pattern matching, ESLint security plugins for JavaScript, PHP_CodeSniffer security rules for PHP, and more. These tools run under a unified configuration and reporting layer.
How does Codacy security scanning compare to Snyk?
Codacy offers a broader security bundle at $15/user/month including SAST, SCA, secrets detection, and DAST (Business plan), whereas Snyk specializes deeply in SCA and vulnerability databases. Snyk's dependency scanning is more comprehensive with a larger vulnerability database and better remediation guidance. Codacy is better if you want all-in-one quality plus security. Snyk is better if dependency security is your primary concern.
How does Codacy compare to Semgrep for security?
Codacy uses Semgrep as one of its integrated engines, so it inherits Semgrep's cross-language pattern matching capabilities. However, running Semgrep directly gives you full control over custom rules, rulesets from the Semgrep Registry, and deeper configuration. Codacy wraps Semgrep in a pre-configured way that is easier to set up but less customizable than running Semgrep standalone.
Can Codacy security scanning block pull requests?
Yes. Codacy supports quality gates for security that can be configured to fail the PR status check if security issues above a certain severity are introduced. You can require that new PRs add zero critical or high-severity security issues before merging, enforced through GitHub, GitLab, or Bitbucket branch protection rules.
Does Codacy detect secrets and API keys?
Yes, Codacy includes built-in secrets detection that scans commits and pull requests for exposed API keys, tokens, passwords, connection strings, private keys, and other sensitive credentials. It runs automatically on every scan without additional configuration and can be tuned to reduce false positives for common patterns.
What is the Codacy security dashboard?
The Codacy security dashboard provides a repository-level view of all open security issues, organized by severity (critical, high, medium, low, info) and category (injection, cryptography, authentication, etc.). It tracks security debt over time, shows which issues are new versus pre-existing, and provides filtering by file, category, and tool. It is available on the Pro and Business plans.
Is Codacy good for finding vulnerabilities in dependencies?
Codacy includes SCA (Software Composition Analysis) that scans dependency manifests like package.json, requirements.txt, pom.xml, Gemfile.lock, and others for known CVEs. It provides severity ratings and remediation suggestions. For teams that need deeper SCA with more comprehensive vulnerability databases and automated fix PRs, dedicated tools like Snyk or Dependabot may be preferable.
What is CodeAnt AI and how does it compare to Codacy for security?
CodeAnt AI is a Y Combinator-backed AI code health platform priced at $24-40/user/month that bundles SAST, secrets detection, IaC security (for Terraform, CloudFormation, Kubernetes), AI PR review, and DORA metrics. It offers deeper AI-powered security review than Codacy and adds infrastructure-as-code security coverage. Codacy covers more languages and has more mature SCA. CodeAnt AI is better for teams prioritizing AI-powered security review and IaC coverage.
How do I configure security rules in Codacy?
Codacy lets you configure security rules through the Code Patterns settings in your repository dashboard. You can enable or disable specific rules from each integrated tool, adjust severity levels, and add file exclusions. For Semgrep rules specifically, you can add custom rulesets via the Codacy configuration file (.codacy.yml) in your repository root.
Does Codacy security scanning work on every commit?
Codacy runs security scans on every pull request by default. It can also be triggered on commits to the main branch. The analysis focuses on changes introduced in the current changeset, though the security dashboard shows cumulative findings across the entire codebase from the last full repository scan.
Originally published at aicodereview.cc
