# Codacy

> Codacy is a code quality and security platform that automates code reviews, enforces coding standards, and governs AI-generated code across the entire software development lifecycle.

Codacy is a cloud-based code quality and security platform built for engineering teams working with AI-assisted development. It integrates with GitHub, GitLab, and Bitbucket to scan repositories, pull requests, and IDE sessions for quality violations, security vulnerabilities, and AI coding policy breaches. According to the company's About page, the platform is actively developed by a 57-person team across 6 countries, and over 15,000 organizations have been onboarded.

## What It Is

Codacy sits in the code quality and application security category, functioning as a unified platform that replaces multiple point tools for static analysis, dependency scanning, secret detection, and AI governance. It operates as a 100% cloud-hosted service — no CI/CD pipeline integration is required — using webhooks to trigger scans on every commit and pull request. The platform covers 49 programming languages and frameworks, and extends into the IDE via plugins for VS Code, JetBrains, and Cursor.

## Core Scanning Capabilities

Codacy bundles several distinct scan types into a single platform:

- **SAST** — static application security testing for vulnerabilities such as SQL injection
- **SCA / Dependency scanning** — detects insecure or malicious packages, with daily CVE database re-scans
- **Secret scanning** — finds hardcoded credentials and passwords
- **Infrastructure-as-Code (IaC) scanning** — detects misconfigurations in infrastructure definitions
- **DAST** — dynamic application security testing for runtime vulnerabilities
- **Container image scanning** — CVE detection in container images
- **Code quality analysis** — error-prone patterns, complexity, duplications, unused code, and style violations across 49 languages
- **Test coverage tracking** — monitors coverage per file and enforces merge gates

## AI Governance Layer

A distinguishing feature of Codacy is its AI-specific governance tooling, which the product page describes as "AI Guardrails," "AI Inventory," and "AI Risk Hub." These modules enforce organization-defined AI coding policies — blocking unapproved model calls, detecting prompt injection risks, and flagging vulnerable libraries inherited from outdated AI training data. The Guardrails component scans AI-generated code as it is being written inside the IDE, enabling agents to auto-fix issues before a developer sees the output. This positions Codacy as a governance layer for agentic coding workflows using tools like GitHub Copilot, Claude, Cursor, and Windsurf.

## Where It Fits in the Stack

Codacy integrates at multiple points in the development workflow:

- **IDE** — VS Code, JetBrains, and Cursor plugins provide real-time local scanning
- **Git** — GitHub Cloud, Bitbucket Cloud, and GitLab Cloud (self-hosted Git providers are not supported)
- **Pull Requests** — automated AI reviewer with fix suggestions, PR summaries, and false positive detection
- **Containers** — JFrog, Amazon ECR, and Docker registries
- **Issue tracking** — two-way Jira integration
- **Alerts** — Slack integration for critical security notifications
- **AWS Marketplace** — available for purchase through AWS

## Compliance and Reporting

The platform generates audit-ready outputs including SBOM exports, SLA remediation tracking, and real-time security and risk dashboards. The company states its cloud infrastructure is SOC2 Type 2 certified. Compliance-relevant scan reports are described as supporting SOC2 and ISO27001 requirements. The pricing page notes that open-source projects can use the platform for free indefinitely, while private repository access requires a paid subscription.

## Current Status

Codacy is actively developed and commercially available. The About page lists 57 employees with 51% in product and engineering roles. The platform recently launched AI Inventory as a new module, noted in a site-wide banner. IDE plugin support for VS Code and JetBrains is live, with Cursor also listed as a supported environment. The company publishes a public roadmap at roadmap.codacy.com and maintains documentation at docs.codacy.com.

## Features
- Automated code quality analysis across 49 languages
- SAST vulnerability scanning
- Software Composition Analysis (SCA) / dependency scanning
- Hardcoded secrets and password detection
- Infrastructure-as-Code (IaC) misconfiguration detection
- DAST (pipeline-less runtime scans)
- Container image scanning
- AI Guardrails for agentic workflows
- AI Inventory and AI Risk Hub
- AI coding policy enforcement
- AI-powered pull request reviewer with fix suggestions
- False positive detection
- Test coverage tracking and merge gates
- Daily CVE and malicious package re-scans
- SBOM exports
- License scanning
- Two-way Jira integration
- Slack integration for critical security alerts
- Org-wide coding standards across 49 languages
- Real-time commit and pull request scans
- Pull request merge gates
- Custom scan rules
- SOC2 Type 2-certified cloud infrastructure
- SSO/SAML and audit logs
- Configurable SLA remediation due date tracking
- Organization-wide security and risk management dashboard
- IDE plugins for VS Code, JetBrains, and Cursor

## Integrations
GitHub Cloud, GitLab Cloud, Bitbucket Cloud, VS Code, JetBrains, Cursor, Windsurf, GitHub Copilot, Claude, Gemini, Jira, Slack, JFrog, Amazon ECR, Docker, AWS Marketplace

## Platforms
WEB, API, VSC_EXTENSION, JETBRAINS_PLUGIN

## Pricing
Freemium — Free tier available with paid upgrades

## Links
- Website: https://www.codacy.com
- Documentation: https://docs.codacy.com/
- Repository: https://github.com/codacy
- EveryDev.ai: https://www.everydev.ai/tools/codacy
