
Codacy


Code Quality & Security for AI-Assisted Engineering — enforce standards from prompt to production

Free tier available·All audiences·API available

Key strengths

  • Unified platform for code quality, security, and AI coding policy enforcement
  • AI Guardrails that scan AI-generated code in real time during agentic workflows
  • Actionable, low-noise AI code reviews on every Pull Request with auto-fix suggestions
  • Compliance-ready reports (SOC2, ISO27001) with real-time SBOMs
  • Daily CVE & malware re-scans via Software Composition Analysis (SCA)
Free tier + paid plans

Developer & Technical Documentation

Integration & Setup

Codacy connects to Git providers (GitHub, GitLab, Bitbucket) via OAuth and webhooks. Adding a repository triggers an automatic full scan using Codacy's analysis engine, which orchestrates multiple underlying static analysis tools mapped to your language stack.

Key Capabilities & APIs

  • SAST — Static Application Security Testing across application and infrastructure-as-code (IaC).
  • SCA — Software Composition Analysis with daily CVE and malware database re-scans against your dependency tree.
  • Secret Scanning — Detects hardcoded credentials and API keys across all branches.
  • DAST — Dynamic Application Security Testing for runtime apps and API endpoints.
  • AI Guardrails — Deterministic code analysis layer embedded into agentic workflows; scans AI-generated code against your policies at generation time, enabling auto-repair before the developer reviews output.
  • AI Risk Hub — Define and enforce AI Coding Policies to catch unapproved AI model usage, prompt injection vulnerabilities, and risky library choices suggested by models trained on outdated data.

CI/CD & Toolchain

Codacy provides a Coverage Reporter CLI for uploading test coverage results from any CI system. It exposes a REST API for programmatic access to project data, issues, and metrics. Results sync to Jira for issue tracking, and critical alerts surface in Slack.

Compliance Output

Real-time SBOM generation (CycloneDX/SPDX formats) and exportable scan reports are available for SOC2, ISO27001, and other frameworks directly from the dashboard.
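As an added worked example (not Codacy's own code), the Python below consumes a CycloneDX JSON SBOM of the kind the dashboard exports and re-checks every component against an advisory feed, which is in outline what the daily SCA re-scan described under Key Capabilities does. The SBOM document, the package names and the advisory records are all constructed for illustration; the advisory IDs are hypothetical and no real CVE data is used. It also shows the two practical caveats a practitioner hits: a component without a version cannot be matched at all, and affected ranges must be treated as half-open so the fixed version itself is not flagged.

```python
"""Re-check a CycloneDX JSON SBOM against an advisory feed.

Added example, not Codacy's code. SAMPLE_SBOM and SAMPLE_ADVISORIES are
constructed stand-ins for a dashboard SBOM export and a CVE/malware feed;
the advisory IDs are hypothetical.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.5 document (package names are fictional).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.4.2",
         "purl": "pkg:pypi/examplelib@1.4.2"},
        {"type": "library", "name": "widget-utils", "version": "3.0.1",
         "purl": "pkg:npm/widget-utils@3.0.1"},
        {"type": "library", "name": "jwt-helper", "group": "com.example",
         "version": "2.14.1", "purl": "pkg:maven/com.example/jwt-helper@2.14.1"},
        # No version at all: a real SBOM export can contain these.
        {"type": "library", "name": "unversioned",
         "purl": "pkg:npm/%40example/unversioned"},
    ],
})

# Constructed advisories (hypothetical IDs). Affected range is the
# half-open interval [introduced, fixed), keyed by the unversioned purl.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:pypi/examplelib",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "medium"},
    {"id": "ADV-0002", "package": "pkg:maven/com.example/jwt-helper",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-0003", "package": "pkg:npm/widget-utils",
     "introduced": "0.0.0", "fixed": "3.0.1", "severity": "high"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Component:
    purl: str            # versioned purl as written in the SBOM
    package: str         # purl with qualifiers, subpath and @version removed
    version: Optional[str]


def parse_version(v: str) -> tuple:
    """Numeric dotted version padded to three parts; pre-release/build
    suffixes ('-rc1', '+build') are dropped for comparison."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def load_cyclonedx(text: str) -> list:
    """Parse a CycloneDX JSON document into Component records."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in doc.get("components", []):
        purl = c.get("purl")
        if not purl:
            continue
        # Strip ?qualifiers and #subpath, then split off the version.
        # A literal '@' only separates the version (namespaces such as
        # npm scopes are percent-encoded as %40 in purls).
        base = purl.split("?", 1)[0].split("#", 1)[0]
        package, sep, ver = base.rpartition("@")
        if not sep:
            package, ver = base, ""
        components.append(Component(purl=purl, package=package,
                                    version=ver or c.get("version")))
    return components


def rescan(components: list, advisories: list):
    """Return (findings, unmatched): findings are (purl, advisory id,
    severity) triples; unmatched lists purls with no version to check."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings, unmatched = [], []
    for comp in components:
        if not comp.version:
            unmatched.append(comp.purl)
            continue
        v = parse_version(comp.version)
        for adv in by_package.get(comp.package, []):
            # Half-open range: the fixed version itself is not affected.
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append((comp.purl, adv["id"], adv["severity"]))
    return findings, unmatched


def should_block(findings: list, threshold: str = "high") -> bool:
    """Gate decision: any finding at or above the threshold fails the run."""
    return any(SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]
               for _, _, sev in findings)


if __name__ == "__main__":
    comps = load_cyclonedx(SAMPLE_SBOM)
    found, unknown = rescan(comps, SAMPLE_ADVISORIES)
    for purl, adv_id, sev in found:
        print(f"{sev.upper():8} {adv_id} {purl}")
    for purl in unknown:
        print(f"UNMATCHED (no version) {purl}")
    print("block:", should_block(found))
```

Running it flags the two affected components and reports the unversioned one separately rather than silently passing it; widget-utils at exactly the fixed version is correctly not flagged. Treat unmatched components as a finding in their own right when wiring this into a CI gate, since a missing version is usually an SBOM generation problem rather than a clean dependency.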