Codacy

Codacy is a cloud-based code quality and security platform built for engineering teams working with AI-assisted development. It integrates with GitHub, GitLab, and Bitbucket to scan repositories, pull requests, and IDE sessions for quality violations, security vulnerabilities, and AI coding policy breaches. The platform is actively developed by a 57-person team across 6 countries, with the company reporting over 15,000 organizations onboarded according to its About page.

What It Is

Codacy sits in the code quality and application security category, functioning as a unified platform that replaces multiple point tools for static analysis, dependency scanning, secret detection, and AI governance. It operates as a 100% cloud-hosted service — no CI/CD pipeline integration is required — using webhooks to trigger scans on every commit and pull request. The platform covers 49 programming languages and frameworks, and extends into the IDE via plugins for VS Code, JetBrains, and Cursor.

Core Scanning Capabilities

Codacy bundles several distinct scan types into a single platform:

• SAST — static application security testing for vulnerabilities like SQL injection
• SCA / Dependency scanning — detects insecure or malicious packages, with daily CVE database re-scans
• Secret scanning — finds hardcoded credentials and passwords
• Infrastructure-as-Code (IaC) scanning — detects misconfigurations in infrastructure definitions
• DAST — dynamic application security testing for runtime vulnerabilities
• Container image scanning — CVE detection in container images
• Code quality analysis — error-prone patterns, complexity, duplications, unused code, and style violations across 49 languages
• Test coverage tracking — monitors coverage per file and enforces merge gates

AI Governance Layer

A distinguishing feature of Codacy is its AI-specific governance tooling, which the product page describes as "AI Guardrails," "AI Inventory," and "AI Risk Hub." These modules enforce organization-defined AI coding policies — blocking unapproved model calls, detecting prompt injection risks, and flagging vulnerable libraries inherited from outdated AI training data. The Guardrails component scans AI-generated code as it is being written inside the IDE, enabling agents to auto-fix issues before a developer sees the output. This positions Codacy as a governance layer for agentic coding workflows using tools like GitHub Copilot, Claude, Cursor, and Windsurf.

Where It Fits in the Stack

Codacy integrates at multiple points in the development workflow:

• IDE — VS Code, JetBrains, and Cursor plugins provide real-time local scanning
• Git — GitHub Cloud, Bitbucket Cloud, and GitLab Cloud (self-hosted Git providers are not supported)
• Pull Requests — automated AI reviewer with fix suggestions, PR summaries, and false positive detection
• Containers — JFrog, Amazon ECR, and Docker registries
• Issue tracking — two-way Jira integration
• Alerts — Slack integration for critical security notifications
• AWS Marketplace — available for purchase through AWS

Compliance and Reporting

The platform generates audit-ready outputs including SBOM exports, SLA remediation tracking, and real-time security and risk dashboards. The company states its cloud infrastructure is SOC2 Type 2 certified. Compliance-relevant scan reports are described as supporting SOC2 and ISO27001 requirements. The pricing page notes that open-source projects can use the platform for free indefinitely, while private repository access requires a paid subscription.

Current Status

Codacy is actively developed and commercially available. The About page lists 57 employees with 51% in product and engineering roles. The platform recently launched AI Inventory as a new module, noted in a site-wide banner. IDE plugin support for VS Code and JetBrains is live, with Cursor also listed as a supported environment. The company publishes a public roadmap at roadmap.codacy.com and maintains documentation at docs.codacy.com.