Codacy Product Showcase July 2024
Welcome to the third quarterly Codacy Product Showcase event of 2024! Let’s dive right into all of the performance enhancements and new features we have to share with you this time around.
Performance Improvements Remain Continuous
As highlighted in our April Product Showcase, enhancing performance is an ongoing, incremental journey. We have allocated a team of engineers to guarantee that the platform can scale efficiently and accommodate our increasing user base without compromising performance. We aim to minimize analysis times and make them as swift as possible.
One way we are doing this is by targeting the worst-performing repositories first. Some of these repositories were taking 60 minutes to analyze; they now finish in 20 to 25 minutes, which leads to faster results for everyone.
In April, 75% of analyses finished in three minutes, and 90% took five minutes or less to finish.
Since April, we’ve been able to continue decreasing analysis times even more.
Security Compliance on Codacy Sessions
Our latest session management efforts have been focused on making everyone’s Codacy sessions more secure. We’ve added session limitations so that a user is automatically timed out after 30 minutes of inactivity and fully logged out after eight hours of inactivity.
A pop-up is displayed to inform users that their sessions are about to end and prompt them to take action. If no action is taken, the user will be logged out. When they log in again, the previous session will be resumed.
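As an added illustration (not Codacy's own code), the two-tier idle policy described above: after 30 minutes of inactivity the user must re-authenticate but the session can be resumed, and after eight hours the session is discarded. The five-minute warning lead time and the in-memory store are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Thresholds quoted in the post; the warning lead time is this example's assumption.
IDLE_TIMEOUT = timedelta(minutes=30)
HARD_LOGOUT = timedelta(hours=8)
WARN_BEFORE = timedelta(minutes=5)

@dataclass
class Session:
    user: str
    last_activity: datetime
    state: dict = field(default_factory=dict)  # resumable UI state (e.g. open page)

def classify(session: Session, now: datetime) -> str:
    """Status of a session when the idle clock is checked at `now`."""
    idle = now - session.last_activity
    if idle >= HARD_LOGOUT:
        return "logged_out"  # state is discarded; nothing to resume
    if idle >= IDLE_TIMEOUT:
        return "timed_out"   # re-authentication required, state kept
    if idle >= IDLE_TIMEOUT - WARN_BEFORE:
        return "warn"        # show the "session about to end" pop-up
    return "active"

class SessionStore:
    def __init__(self):
        self._sessions: dict[str, Session] = {}
    def touch(self, user: str, now: datetime) -> None:
        self._sessions[user].last_activity = now  # any authenticated request resets the idle clock
    def check(self, user: str, now: datetime) -> str:
        session = self._sessions.get(user)
        if session is None:
            return "logged_out"
        status = classify(session, now)
        if status == "logged_out":
            del self._sessions[user]  # purge so stale state can never be resumed
        return status
    def login(self, user: str, now: datetime) -> tuple[Session, bool]:
        """Re-login resumes a timed-out session; a logged-out one starts fresh."""
        existing = self._sessions.get(user)
        if existing is not None and classify(existing, now) != "logged_out":
            existing.last_activity = now
            return existing, True
        self._sessions[user] = Session(user=user, last_activity=now)
        return self._sessions[user], False

T0 = datetime(2024, 7, 1, 9, 0, tzinfo=timezone.utc)  # constructed fixed clock
def at(minutes: float) -> datetime:
    return T0 + timedelta(minutes=minutes)
```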
Access to Audit Logs
Another new feature is audit log access. Business-tier customers can now access their organizational audit logs via API.
Here’s how it works right now. We track what we call “critical actions” within the software—logins, creation of organizations, and edits to coding standards, for example—record them, and provide them in a log that you can access via API.
We are also considering surfacing some of that information in the product itself. For example, you’d be able to easily see who within your organization was the last person to edit a coding standard. The goal is to eventually present this type of information in your dashboards as well.
Onboarding Improvements
We’ve also been working on making it easier for new users to onboard quickly and immediately see the benefits of our platform. In our new onboarding flow, new organizations now get a default Coding Standard, which they can tweak using our Builder—which is located on the Coding Standard pages as well.
The new setup gives you a set of checkboxes so you can quickly see how far through the onboarding process you are. Also, when you're creating a Coding Standard, you'll initially get a much simpler set of slider bars to choose precisely which issues you're interested in, rather than going tool by tool and pattern by pattern to decide exactly which ones you want and how critical each one should be.
This new and more straightforward method of creating Coding Standards is available for our current users as well, not just for new customers who are onboarding.
We’ve also changed the look and feel of the Code Patterns Configuration pages to match the improvements made to the Coding Standards pages. The Code Patterns page is now faster, easier to use, and provides more insightful information.
For example, users can now easily see information about linked Coding Standards and which configuration files are being used. When you come to edit an individual repository, you'll see a familiar screen but with some key improvements. We’ve improved sorting, filtering, and searching activities on the screen to help you do everything faster than before.
Hackathon Projects
We held a Hackathon in June in which the entire engineering team participated. Over a couple of weeks of intense work, plenty of great ideas and features emerged. While a lot of the work focused on tweaking and fixing things under the hood, we do have a few great new features to share with you that were a direct result of our Hackathon work.
Storyteller
Storyteller summarizes your pull requests (PRs) in your Git provider. It essentially adds an AI-generated summary to your PR as a comment from our Codacy production bot. Storyteller summarizes what has changed in the code to help you gain context for what you're about to examine when you start reviewing a PR.
Fix All
Since we already have a tool that offers AI-generated suggestions for fixing coding errors, we figured we’d give you the option of applying all those fixes in bulk.
If we've detected issues and suggested fixes, you can now fix them all in one go.
When you click the button, we give you all the instructions you need to copy the code to your clipboard, create a new branch, paste the code into that branch, and then create a PR. Once you’ve done that, all of the changes that we can fix for you will be there in your Git provider. From there, you can review them and decide whether you want to accept them or not.
Secrets Detection in the IDE (Coming Soon)
The final Hackathon breakthrough is adding secrets detection in your integrated development environment (IDE), which is coming soon.
We are actively working on executing scans in the IDE locally for you, so you don’t have to wait even the two or three minutes it can take for a cloud scan to take place. The goal is to enhance the security of your code by enabling you to detect secrets pre-commit.
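To show what “detect secrets pre-commit” means in practice, here is an added example (not Codacy’s scanner) that inspects only the lines a staged diff adds, using a constructed rule set: one well-known key format plus a high-entropy check on secret-looking assignments. The rules, threshold and sample diff are all assumptions of this example.

```python
import math
import re

# Constructed rules for this example (not Codacy's rule set): a well-known
# credential format plus a generic "secret-looking assignment" check.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ASSIGNMENT = re.compile(r"(?i)\w*(secret|token|password|api_?key)\w*\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys score well above prose

def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def added_lines(diff: str):
    """Yield (path, new_line_no, text) for each line a unified diff adds."""
    path, line_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            yield path, line_no, raw[1:]
        elif not raw.startswith("-"):
            line_no += 1  # context lines also advance the new-file counter

def scan_diff(diff: str) -> list[dict]:
    """Scan only added lines, so a pre-commit check never re-flags old code."""
    findings = []
    for path, line_no, text in added_lines(diff):
        for rule, pattern in KNOWN_PATTERNS.items():
            if pattern.search(text):
                findings.append({"rule": rule, "path": path, "line": line_no})
        m = ASSIGNMENT.search(text)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"rule": "high_entropy_assignment", "path": path, "line": line_no})
    return findings

# Constructed staged diff; the AWS key is the public example value from AWS docs.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2"
+API_TOKEN = "q8Zr2Lk9Xw4Mv7Np1Tc3Yb6Hd0Fg5Js"
 REGION = "eu-west-1"
"""
```

Note that the short `DB_PASSWORD` value slips past the generic rule, which is why format-specific patterns and an entropy check are used together rather than either alone.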
Initially, the focus will be on making this feature available in VS Code, on macOS, and for repos with coding standards.
What’s New With Codacy Security?
The biggest news with Codacy Security is that Dynamic Application Security Testing (DAST) capabilities are now available!
First, let’s look back at where we started just a couple of months ago when we launched Codacy Security. Essentially, we started with code scanning: Static Application Security Testing (SAST), secrets detection, dependency scanning, and Infrastructure as Code (IaC) scanning. These processes all help analyze code security from the inside.
Our first venture into analyzing your code from the outside was adding penetration testing to our offering. Now we are set to launch our DAST solution as well, which detects security vulnerabilities by simulating attacks against the running application, probing it the way a malicious user would.
DAST capabilities will be powered by an integration with ZAP, formerly OWASP ZAP, one of the most popular web app scanners in the world. You’ll be able to run ZAP in your CI/CD and see the scan results in Codacy.
We’ve also introduced a new Dashboard widget to Security that gives you a quick look at any affected aspects, as well as a new filter option that helps drill down on every detected security problem.
Not only can you now see how many issues you have for each kind of security vulnerability, you'll also have an easy way to filter and focus on the security issues that you're trying to solve. So if you're only interested in your dependency scanning or only secret scanning results, you can view and filter those issue types separately.
Another exciting addition to the Security Risk Management Dashboard is the Severity filter, which makes it easier to quickly prioritize which issues need your most immediate attention.
We’ve also added support in Codacy Security for a bunch of new ecosystems.
We’ve added Apex and Elixir for code scanning, Scala for secrets detection, and Maven and Gradle (Java/Kotlin), Golang, Scala, Dart, and Elixir for dependency scanning.
As always, if you missed the Product Showcase, you can watch the complete recording here:
We recommend checking it out, especially if you’d like to see a complete demo of how our new DAST features work.
Until next time,
The Codacy Team