Codacy Security Adds Thousands of New SAST Rules With Semgrep Integration


If 2023 taught us anything, it’s that code quality and code security are inextricably linked. Their main commonality? They are both required upstream in the development lifecycle to streamline the creation of high-quality, reliable, and secure code that performs. 

Software development companies are losing millions in wasted time and resources spent on finding and fixing code issues. Millions are also spent on data breach detection and escalation, operational disruption, affected-party notification, and service restoration due to insecure code. 

And with the fast proliferation of generative AI in coding, identifying code quality and security issues that can compromise your product will be paramount in 2024.

Regardless of the issue you face, whether in manually written or AI-generated code, and whether it is a quality or a security defect, the process is the same. Why not use a single solution that can find both types of issues for any type of code?

Until now, most dev teams have struggled to integrate and use multiple tools that produce different results with varying degrees of noise that cost them time and productivity.

With the introduction of Codacy Security to our platform, we want to provide developers with an all-in-one solution—a single toolbox to ship secure, high-quality, clean code that works and performs how it was intended at scale.

Much like Codacy Quality, Security is an integrated part of the Codacy platform, designed to offer you a continuous stream of third-party and open-source tools for automated code analysis and issue detection upstream in the development lifecycle before code ever gets merged. 

In late 2023, we integrated Trivy—a comprehensive open-source security scanner—adding secrets and insecure dependencies detection to Codacy. In 2024, we’re doubling down on security by integrating with a leader in the security analysis industry, Semgrep.

How Semgrep Helps You 

With the Semgrep Codacy integration, you’ll be able to:

  • Scan first-party code for vulnerabilities using built-in static application security testing (SAST) rules
  • Perform advanced code analysis to detect vulnerabilities across functions  

The integration adds nearly 2,000 new Static Analysis security rules (Code Patterns) to check your code across 19 languages, including C/C++, Java, Go, Python, Terraform, and more.

You also get comprehensive OWASP Top 10 coverage to keep your code secure and compliant with industry regulations (PCI-DSS, HIPAA, SOC 2, and more).

How It Works 

New users will always get Semgrep open source (Semgrep OSS) enabled by default. Customers and existing users will get Semgrep OSS enabled by default on any new repositories they add. However, they will need to enable Semgrep OSS manually for existing repositories. 

If you want to enable Semgrep for any repository you follow, you can do so through the Code patterns page of any repository. You can also enable it for the entire organization through the Coding standards page if you're an organization admin or organization manager.

Here’s how to enable it through the Code patterns page. First, select the repository from the drop-down menu up top. 

Now click on the Code patterns page. 

Next, enable Semgrep OSS from the list of built-in tools. Users can also upgrade to the Semgrep Platform for even deeper security analysis to get more than 800 high-confidence Pro rules and interfile analysis (not supported by Semgrep OSS). 

Make sure you’ve enabled the Trivy integration as well to take full advantage of Codacy’s security scanning features, including Supply Chain Analysis, to scan your open-source libraries for security vulnerabilities.

We also recommend enabling only Security rules in Semgrep for faster analysis and a decreased rate of false positives. To do so, click on Semgrep and toggle the Security filter for a list of all relevant rules. 

To see Codacy Security in action, head over to the Security and risk dashboard to see if Codacy has found any security issues. 

Finally, click “Review” to see a list of your open issues. 

We’re very excited about this new era of Codacy. Adding industry-leading security analysis tools to our platform brings us closer to fulfilling our mission of providing developers with an all-in-one code quality solution.

The Semgrep integration is just the tip of the iceberg. You can expect Codacy integrations with many other thoughtfully selected, complementary tools in 2024 and beyond: tools that give developers the peace of mind that comes with knowing that their code quality and security are in good hands, allowing them to focus on creating and innovating instead.

If you're already using Codacy, head to the platform to check out Codacy Security. Codacy Pro customers can also schedule discounted cybersecurity pen testing (via Bulletproof) and view the results via their Security dashboard.

New users interested in evaluating Codacy's robust code quality and security features can start a free 14-day trial to give it a spin. 
