Codacy Product Showcase April 2024
Welcome to the second quarterly Product Showcase event of 2024! We’ve been busy and can’t wait to show you all of the latest performance and product enhancements we’ve worked on.
Let’s get right into it.
The Developer Toolbox
As we announced during our January Product Showcase, our vision for Codacy is to provide software development teams with a single toolbox to merge clean, quality, and secure code.
- Codacy Quality to find and fix common coding issues that lead to rework, poor application performance, and lost productivity.
- Codacy Security to find and fix security issues from inside your code and from the outside looking in.
- Code Coverage to ensure code has the right amount of unit tests, which leads to higher confidence when coding. Tested code eliminates downstream production surprises.
- Codacy Pulse to give engineering managers the metrics they need to optimize team productivity, leading to overall happiness.
By having a full suite of tools to handle these quality and security-related objectives, your software projects will be more reliable, better performing, and, most of all, more secure.
Codacy’s mission is to make every line of code trustworthy. We do this by helping teams:
- Find and Fix Coding Issues Early: Codacy provides the automated, two-pronged approach engineering teams need to find and fix quality and security issues early in the software development lifecycle (SDLC) for new and existing code.
- Monitor and Enforce Standards: Codacy checks your code against coding standards on every pull request, with seamless Git integrations. We also offer AI-assisted suggestions for fixing uncovered issues that developers can accept to avoid time-consuming research and remediation efforts.
Codacy is a developer-first, API-driven platform that enables cloud-native engineering teams to continuously improve code quality and security by automating the code review process for over 49 languages and frameworks.
Continuous Performance Improvements
As we noted during our last Product Showcase, improved performance is a steady, iterative process. We have dedicated a team of engineers to ensure the platform can scale and handle the quickly growing number of users without any performance degradation. Reducing analysis times and making them as quick as possible is our goal.
In late 2023, we refactored and reorganized how we fetch data from Git providers, which enabled us to complete more than 75% of all customer analyses in under five minutes. In January, that number rose to 84% and we continue to see improvements.
Today, 87% of customer analyses are completed in under five minutes.
If you’re a paying customer with a Pro account, your analyses are prioritized and completed even faster.
Now that we’ve knocked down the time for the bulk of our customers, our next objective is to focus on reducing the slowest 10% of repos—ones with hundreds of daily commits. We’ve seen that if we can improve how these massive repos are performing, there will be residual performance benefits for everyone.
As Kobe Bryant famously said, “Job's not finished.” Our performance team is dedicated to improving the speed and quality of our code analysis month over month.
New Integrations
Another focus of ours has been to make it easier for developers to get the value that Codacy provides within their workflow by integrating it into their favorite development tools.
In late 2023, we created an integration for the popular integrated development environment (IDE) VS Code. We’re happy to announce that we now have an IntelliJ IDEA extension.
You can download and install the extension from the JetBrains marketplace or directly from your IDE.
We’re also very excited about the Backstage Plugin we now offer. Built by Spotify, Backstage is an open-source platform for building developer portals.
Powered by a centralized software catalog, Backstage restores order to your microservices and infrastructure and enables your product teams to ship high-quality code quickly—without compromising autonomy. And now it connects to Codacy!
This plugin consists of an action that can be used on any template to automatically add a repository to Codacy. Check out this quick video to see how to set it up.
What’s New With Security?
We debuted the idea of a full Codacy Security solution during January’s Product Showcase. Let’s start by recapping its capabilities before we dive into the progress we’ve made over the last few months.
Codacy Security is a toolbox of seven different scanning techniques that helps you ensure the security and compliance of your code. We believe that Codacy Security is the best solution for your application security program.
We gave an overview of Codacy Security during the Product Showcase, which you can check out here.
Codacy Security starts evaluating your application from the inside out, scanning your code with static analysis.
Static Application Security Testing (SAST) checks your source code for vulnerabilities early in the development lifecycle, making it easier to fix issues before they reach production. Issues found in this type of testing often include SQL injection (SQLi), cross-site scripting (XSS), insecure cryptography, or broken authentication/authorization—all of which are featured in the OWASP Top 10 vulnerabilities.
Codacy only uses rule-based code scanning to ensure deterministic results and avoid unnecessary alert noise. We also partner with the best static analysis tools in the industry (like Semgrep) to provide the best language and issues coverage for your projects.
Codacy’s IaC scans identify infrastructure misconfigurations early in the development lifecycle, covering critical infrastructure issues such as unconfigured or misconfigured security settings and insecure cryptography—issues so important and prevalent that even the NSA has released several mitigation strategy guides.
Did you know about 12.8 million AWS secrets were found on public GitHub repositories last year? With Codacy’s secret detection, you can prevent accidental leakage or disclosure of sensitive information, including hardcoded passwords, API tokens, and other credentials, supporting top-tier secrets management.
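To show the two mechanisms a secret detector typically combines, here is an added example (not Codacy's detector) that scans source lines with fixed patterns for known credential formats and a Shannon-entropy check for opaque high-entropy strings. The sample lines are constructed; the AWS key ID in them is the documented AWS example value, and the regexes, the minimum string length and the entropy threshold are this example's assumptions.

```python
import math
import re

# Constructed sample lines (not from any real repository). The AWS key ID is the
# documented AWS example value; the other values are made up.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "hunter2"',
    'RELEASE_NOTE = "Improved rendering of long documents in viewer"',
    'token = "xK9v2QpL7mZr4TnW8sYbA1cE3gH5jD6f"',
]

# Pattern rules: known credential shapes (assumed set for this example).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded-password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}

# Entropy rule: quoted tokens of 20+ base64/identifier characters.
QUOTED = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cutoff


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return the list of rule names that fire on one line."""
    hits = [name for name, pat in PATTERNS.items() if pat.search(line)]
    for m in QUOTED.finditer(line):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            hits.append("high-entropy-string")
            break
    return hits


def scan(lines):
    """Map 1-based line number -> rule hits, for lines with at least one hit."""
    result = {}
    for i, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LINES).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

The third sample line is the false-positive control: a long quoted sentence contains spaces, so it never reaches the entropy check, while the opaque 32-character token on the last line is caught only by entropy because no fixed pattern knows its format.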
Supply chain security tools, also known as Software Composition Analysis (SCA), identify insecure open-source dependencies. This scanning technique is critical in a paradigm where more than 90% of today’s application code uses open-source software. Codacy can detect both direct and indirect dependencies. These indirect issues can be the ones that sneak up on you since you can’t always see the dependencies that are being pulled in during build time.
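The point about indirect dependencies is easiest to see on a resolved dependency graph. The following added example (not Codacy's SCA engine) walks a constructed lockfile-style graph from the application root, matches every reached package against a constructed advisory list, and reports whether each hit is direct or transitive together with the path that pulls it in. Package names, versions and advisory identifiers are all made up; advisories are assumed to carry a single "fixed in" version.

```python
from collections import deque

# Constructed resolved dependency graph, in the shape a lockfile yields after
# resolution: "name@version" -> list of "name@version" it depends on.
LOCK = {
    "web-app@1.0.0": ["http-client@2.3.1", "template-engine@4.0.2"],
    "http-client@2.3.1": ["url-parser@1.2.0", "compression-lib@0.9.5"],
    "template-engine@4.0.2": ["escape-utils@3.1.0"],
    "url-parser@1.2.0": [],
    "compression-lib@0.9.5": [],
    "escape-utils@3.1.0": ["url-parser@1.2.0"],
}
ROOT = "web-app@1.0.0"

# Constructed advisories (placeholder ids, not real CVEs). Versions below
# "fixed_in" are assumed to be affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "http-client", "fixed_in": "2.4.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "compression-lib", "fixed_in": "0.9.6"},
    {"id": "EXAMPLE-ADV-0003", "package": "template-engine", "fixed_in": "4.0.0"},
]


def parse_version(v):
    """Dotted integer version -> comparable tuple, e.g. "2.3.1" -> (2, 3, 1)."""
    return tuple(int(part) for part in v.split("."))


def split_coord(coord):
    """"name@version" -> (name, version)."""
    name, _, version = coord.rpartition("@")
    return name, version


def walk_dependencies(lock, root):
    """Return {coordinate: path_from_root} for every package reachable from root.

    Breadth-first, so the recorded path for each package is a shortest one.
    """
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for dep in lock.get(node, []):
            if dep in paths:
                continue
            paths[dep] = path + [dep]
            queue.append((dep, paths[dep]))
    return paths


def find_vulnerable(lock, root, advisories):
    """Match reachable packages against advisories; flag direct vs. transitive."""
    findings = []
    for coord, path in walk_dependencies(lock, root).items():
        name, version = split_coord(coord)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "id": adv["id"],
                    "package": coord,
                    "direct": len(path) == 2,   # root -> package, nothing in between
                    "path": " -> ".join(path),
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(LOCK, ROOT, ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['id']}: {f['package']} ({kind}) via {f['path']}")
```

Only the `http-client` dependency is declared by the application, yet the walk also surfaces `compression-lib`, which nothing in the manifest names; the recorded path tells the developer which direct dependency to upgrade or replace to get rid of it.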
All four “inside out” scans are available for all Codacy customers.
Now let’s look at scanning code from the outside in.
Penetration testing (pen testing) is a manual security assessment method where certified experts simulate cyberattacks to identify vulnerabilities. It allows for greater complexity of issues tested and increased confidence in results. It’s effective at detecting SQL injection (SQLi), cross-site request forgery (CSRF), and sensitive data exposure.
However, it can be time-consuming and expensive to run. As we mentioned in the last Product Showcase, pen testing scans are now available with Codacy Security at affordable rates. If you are interested, schedule your pen test through Codacy today.
And now, here are some things that we’re still working on, but stay tuned during the next showcase event to find out more.
Dynamic Application Security Testing (DAST) runs automated penetration tests to find vulnerabilities in web applications and APIs as they are running. DAST automates a hacker’s approach and simulates real-world attacks on critical components. In addition to uncovering vulnerabilities and misconfigurations that previous techniques cannot detect, it can also alert you to zero-day vulnerabilities.
DAST scans should be available through Codacy Security when our Q3 Product Showcase rolls around.
CSPM (Cloud Security Posture Management) ensures secure cloud configurations. It identifies misconfigurations, compliance violations, and potential risks in cloud environments, just like IaC, but with real-time monitoring of your environments. We are still researching the best ways to add this scan type to Codacy Security.
We have a lot of work ahead of us in making Codacy the only tool you need to ship high-quality, secure, trustworthy code, and we’re excited to double down on this mission in the coming months.
To understand how Codacy Security works today, check out this quick demo.
The New AppSec Dashboard
What good are all these advanced security scans if the results are hard to see? Enter the new AppSec Dashboard, which gives Codacy users a single-pane visibility of their AppSec program.
Coming in late April, this new dashboard (part of our Security and risk management dashboard) allows engineering managers to unlock many new insights from using Codacy. It gives you the insights you need to understand the current state of your organization’s security posture and how it changes over time.
It also makes it easy to find and prioritize the most problematic areas or vulnerabilities to tackle and report status and progress to stakeholders.
The top of the dashboard gives you a quick view of your organization.
You can see data like total open security findings, critical security findings, and security findings breaching service level agreement (SLA).
You’ll also see risk distribution coverage statistics that can be filtered by scan type.
Graphs make it easy to evaluate your security effort. You can see the progression of security risk over time and how your security posture trends.
The dashboard also makes it incredibly easy for your team to prioritize which issues to focus on first, showing clearly which repos are most at risk and which types of security issues are most prevalent.
You can also filter the results by repository to focus on particular repositories that you and your team might be responsible for or to get a better look at a single repository experiencing a greater number of security issues.
Creating reports and sending them to various stakeholders is also easier than ever. You can tweak the findings to show specific data, export a .csv, or send a shareable URL to anyone within the organization you’re reporting to.
The dashboard also allows you to get a detailed view of specific issues. To do so, head over to the “Findings” tab and click on the issue you want to analyze.
Check out this video to see a full demo of the AppSec Dashboard in action.
As always, if you missed the Product Showcase, you can watch the complete recording here:
Until next time,
The Codacy Team