Codacy Product Showcase January 2024
Welcome to the first quarterly Codacy Product Showcase event of 2024! We’re excited to share with you all our recent enhancements and innovations to the Codacy DevOps Intelligence platform.
More importantly, we’re very excited about where Codacy is headed as a platform in 2024. Let’s dive right in and look at all the progress we’ve made since our October 2023 Product Showcase and what we have in store for 2024.
The Developer Tool Landscape: What We're Solving
Codacy’s mission has always been to help developers create and merge clean, secure, high-quality code as efficiently as possible. As we work towards this goal, we’re constantly assessing the developer tool landscape.
In our research, we’ve identified a few obstacles development teams commonly face in finding, integrating, and using the tools they need to code better.
Tool silos are still an issue. There are many code review tools to choose from, and very few are compatible, with tons of functionality and user experience variations.
Using various tools that aren’t complementary and aren’t even built with developers in mind introduces frustration and noise to the development process. You’re no longer focusing on the quality of your code; you’re spending a lot of time fiddling around with and adjusting your tool stack.
Price is another issue. Enterprises aren’t the only companies that need powerful code analysis tools. So why are so many vendors selling their tools at a price that’s hard for smaller teams to justify spending?
A Single Toolbox for Merging Clean, Quality, and Secure Code
At Codacy, we believe that the tools developers need to analyze code for defects don’t have to be complicated, hard to use, or expensive. Our mission in 2024 and beyond is to provide development teams with a single plug-and-play “toolbox” with one easy developer-first experience that offers all the tools they need to find and fix code quality and security issues.
With a single set of tools that have been thoughtfully selected and built to work together, your team can focus on their craft—with affordable, complementary, and easy-to-use tools that enable them to merge clean, quality, and secure code consistently.
- Codacy Quality allows developers to find and fix common coding issues that lead to rework, poor application performance, and lost productivity.
- Codacy Security gives developers a 360-degree view of risk, enabling them to find and fix security issues from inside and outside their code.
- Code Coverage ensures teams are testing their code so developers don’t have to worry about pushing breaking changes.
- Codacy Pulse gives engineering managers the metrics to optimize team productivity and happiness.
Integrate Codacy once to get all these solutions today and, over time, continue to receive new third-party and open-source tools that help you detect and fix even more common and complex coding issues.
Dedication to Performance
Every company that scales quickly faces issues with performance degradation, and we’re no different. In response to our significant growth in customer base last year, we assembled a dedicated team to focus on improving performance across the board.
In the second half of 2023, we refactored and reorganized how we fetch data from Git providers, which resulted in significantly improved performance. By September 2023, more than 75% of all customer analyses were able to be completed in under five minutes.
Today, 84% of analyses are completed in under five minutes, and almost all (95%) are done in less than 15 minutes.
Since paid customers are given priority, their analyses are being completed even faster! While we’re thrilled with the progress, we’re far from satisfied. Our mission is to keep improving the speed and quality of our code analysis month over month.
Last year, we also began the process of separating the Coverage analysis engine from the Quality engine so that you no longer need to wait for the Quality engine to finish in order to see your Coverage results.
We are continuing this process, and you can expect to have a fully-separated, independent Coverage pipeline in the near future.
Continuous Platform Innovation
The quest to provide our customers with the most complete code analysis tool continues. We now support more than 20 programming languages, having just added Rust to our long list of supported languages.
You can also integrate Codacy with popular continuous integration and continuous delivery (CI/CD) platform GitHub Actions now.
At the end of 2023, we created an integration for the popular integrated development environment (IDE) VS Code. You can expect an IntelliJ IDEA extension in the coming months as well.
We’ve also made some changes to help secure your repositories better. Namely, we’re discontinuing the usage of repository SSH keys for Git operations on GitHub in favor of installation access tokens.
This change translates into a couple of important security improvements:
- It limits the access level of the Codacy GitHub App, as it no longer requires read and write repository permissions for Administration.
- Contrary to long-living SSH keys, installation access tokens expire after one hour, and Codacy loses access when the GitHub App is uninstalled.
What’s New With Security?
Our latest solution, Codacy Security, is our vision for the future.
We know that our customers prioritize security. On top of making sure their code is clean and functional, they also want to build secure applications that are compliant with all necessary industry and regional regulations.
Talking to our customers, we realized that many of them are using an abundance of code quality and security tools, many of which have overlapping features, leaving their budgets depleted and the number of tabs they have open multiplying.
Most importantly, we believe security is a fundamental right, and securing your applications and systems should be affordable for teams of any size.
Codacy Security was created to give software development teams comprehensive security scanning without needing dozens of tools. Best of all, these security features will be available within our existing platform for code quality, test coverage, and engineering performance—a unified and affordable code quality and security experience for teams of all sizes.
We’ve identified seven key pillars for building our security solution, four of which will analyze code from the inside out and three from the outside in, giving you a 360-degree view of Application Security (AppSec).
Let’s take a look at the capabilities that are available to you today in Codacy.
We started by looking from the inside out—scanning your code security issues.
Static application security testing (SAST) has been a part of Codacy’s offering for a long time.
We’ve leveraged the best open-source linters and partnered with the best in the industry to help our customers find and fix issues early in the development lifecycle with a simple and easy-to-use approach.
We also started detecting infrastructure-as-code misconfigurations, helping prevent cloud infrastructure issues. In late 2023, we added secret detection that detects passwords, tokens, and other sensitive hardcoded values in your code.
Today, we’re happy to showcase extended support for SAST and new software composition analysis (SCA) capabilities. Through a new partnership with SAST experts Semgrep, we’re adding over 2,000 rules across 20 languages, effectively strengthening our security coverage for C#, Typescript, Java, Python, Go, and others—all available with a one-click configuration.
Another big announcement is the addition of SCA capability to Codacy. A recent Synopsys survey found that most applications are built with open-source libraries. If you are not scanning them, most likely, you’re at risk.
In fact, according to Gartner, “almost two-thirds (61%) of U.S. businesses were directly impacted by a software supply chain attack in 2023.” Understanding what dependencies you are using and ensuring the code you didn’t develop is key to securing your applications.
Codacy customers now get insecure vulnerability scanning of open-source libraries, both direct and indirect, for most popular programming languages.
What’s Next for Security?
Our work in 2024 will focus on scanning your code from the outside in. While the previous scan types help you prevent new issues from being introduced, the following will help you identify in-the-wild and zero-day vulnerabilities:
- Dynamic Application Security Testing (DAST) is vital for assessing web app vulnerabilities in real-time. It identifies potential threats by automatically simulating real-world known attacks.
- Cloud Security Posture Management (CSPM) ensures secure cloud configurations. It identifies misconfigurations, compliance violations, and potential risks in cloud environments, just like infrastructure as code (IaC), but with real-time monitoring of your environments.
- Penetration Testing involves probing your software and simulating real-world attacks to uncover application vulnerabilities.
As we continue to work on integrating DAST and CSPM into Security, we’re excited to announce that we’ve already started offering pen testing. We’ve partnered with TargetDefense/Bulletproof to provide pen testing services to our customers.
With a Codacy Pro subscription, you can get industry-leading penetration testing at an affordable price and see unified results within your Codacy security and risk management dashboard.
If this sounds like something you’re interested in, schedule your pen test today.
We hope you’re as excited as we are about what’s to come for Codacy in 2024.
If you want a complete, in-depth presentation of all these new capabilities and improvements, check out the full recording of your latest Product Showcase.
Until next time,
The Codacy Team