A Global CX Software Company Closed 1,200 Security Issues with 90% Accuracy Using Codacy
This customer operates in a security-sensitive environment and has requested anonymity; all figures and quotes are as provided.
The company scales application security across 900+ repositories and 1,400 developers while significantly reducing false positives and accelerating remediation times. We spoke with its Manager of Security Operations, who leads vulnerability management, and its Senior Security Engineer, who owns SAST, DAST, and vulnerability scanning.
- 90% accuracy rate in security findings
- 1,200 security issues closed in a single cleanup effort (vs. "few hundred max" before)
- Scaled to 900+ repositories and 1,400 developers
"Just within this last month, we have closed 1,200 findings, which is significantly better than the few hundred max we found before. Codacy makes sure that we do security testing on code automatically so the developer doesn't have to worry about it."
— Senior Security Engineer
About the company
The company is a global leader in AI-powered customer experience orchestration, serving over 7,500 organizations in more than 100 countries. It provides cloud-based contact center solutions that help businesses deliver personalized customer and employee experiences across all channels. With its flagship cloud CX platform, the company enables organizations to orchestrate digital, AI, journey analytics, and workforce management capabilities from a unified solution.
Challenge
Compliance Demanded SAST But Competitors Wanted 10x to Their Budget
When the company received new compliance requirements mandating static application security testing, its Manager of Security Operations knew his team faced a perfect storm of challenges. He oversaw vulnerability management across the company's massive technology footprint, which spanned over 900 repositories containing infrastructure-as-code and product-as-code written in Python, JavaScript, TypeScript, Clojure, and Java.
Together with the company's Senior Security Engineer, who is responsible for SAST, DAST, and vulnerability scanning, the Manager of Security Operations had been trying to make their existing tools work for security analysis. But without proper SAST tooling, they could only catch configuration issues and vulnerabilities that surfaced during expensive penetration tests.
"Unless it was found in a pentest, SAST wasn't really something that we did," the Senior Security Engineer explained. For a company growing this rapidly, with 1,400 developers constantly pushing code, SAST was a necessity.
But finding the right tool had its own set of challenges.
First, the pricing models were punitive for a company their size. These vendors priced by repository count or lines of code, which would only get more expensive as the company's codebase grew.
Second, they needed specific technical capabilities many vendors couldn't provide: seamless Bitbucket integration (their existing version control system), Jira integration for ticket management, support for their diverse programming languages, and the ability to onboard repositories quickly without disrupting developer workflows.
Most critically, the Manager of Security Operations refused to accept rigid, one-size-fits-all security rules. "We don't like out-of-the-box stuff," he emphasized. "Being able to customize what we care about and what we see on the platform side and what devs see on their end — that's what we cared about the most."
They needed a solution flexible enough to adapt to the company's specific security requirements while comprehensive enough to cover SAST, secret scanning, and infrastructure-as-code analysis in one platform.
"We would find a few things, especially since we're not a small security team but with how much code there is, we are considered a smaller security team. Unless it was found in a pentest, SAST wasn't really something that we did."
Solution
Seat-Based Pricing Made SAST Affordable for 1,400 Engineers
Thankfully, Codacy was already in use at the company as a code analysis solution for developers, integrated across many repositories, so when SAST became mandatory, the security team could leverage the existing platform rather than starting from scratch.
Unlike competitors charging 2-3x more based on repository count, Codacy priced by developer seats, which meant that the company could expand its codebase without penalty. "Codacy came in at a good value proposition," the Senior Security Engineer confirmed, comparing it to vendors that wanted prohibitive amounts for the same capabilities.
The company immediately replaced their makeshift attempts with purpose-built security scanning. The Manager of Security Operations highlighted the comprehensive coverage they'd been seeking: "It was one of the only tools that had secret scanning, IAC scanning, and misconfiguration scanning" all integrated in a single platform. This meant no more cobbling together partial solutions or missing vulnerabilities between penetration tests.
Implementation addressed their integration requirements seamlessly. The Bitbucket connection the Senior Security Engineer needed was already built-in: "It was literally just a click on one side, click these repos, and it just does everything for us." Within 10 minutes, any repository could be onboarded and scanning. When the team requested an improvement to Codacy's Jira integration features, Codacy iterated on it quickly. The Senior Security Engineer noted, "When we ask for something, it gets done really quickly."
The platform handled their diverse technology stack without issue, scanning Python, JavaScript, TypeScript, Clojure, Java, and their infrastructure-as-code. Because Codacy used open-source tools under the hood, the team gained flexibility they'd never had before. "If we ever had any issue, we can be like, you know what, they have this other tool, so we'll just turn off that one and turn on the other one," the Senior Security Engineer explained.
Most importantly, Codacy delivered the customization the Manager of Security Operations demanded. Rather than forcing rigid rules, the platform let them configure exactly what mattered for the company's security posture. They disabled linting and code quality patterns they didn't need, focusing purely on security issues. "All the security rules are done by us," the Senior Security Engineer confirmed. "We allow the other teams to turn on whatever else they want."
To transform their trust-based model into verified security, the two leaders established new workflows. Developers now receive automated findings on every pull request, with AI-powered descriptions explaining vulnerabilities in context. "The AI descriptions gave developers a better understanding of what good code is versus bad code," the Senior Security Engineer observed. When developers mark issues as false positives, the security team verifies their assessments, creating the "trust but verify" model that replaced blind faith.
The Manager of Security Operations integrated enforcement directly into change management: "We're able to go into Codacy and say, 'You have critical issues that you need to fix and we can't approve the CM before you fix them.'" The ticket creation feature completed the workflow, enabling end-to-end tracking of vulnerabilities from detection through remediation.
As the company embraced AI coding assistants company-wide, the team implemented Codacy's MCP servers with Cursor and AWS IDE tools. This integration catches security issues as developers write code, before it even enters version control. And that means shifting security truly left in the development process.
"The developers know the requirement is going to have Codacy in their codebase, so they just do it themselves because the permissions are inherited from Bitbucket. They can just add their own repos if they want to."
Results
1,200 Issues Closed vs. "Few Hundred Max" Previously
Codacy fundamentally transformed security operations at the company. The security team achieved a 90% accuracy rate in security findings, with only 76 false positives out of 826 findings in a recent measurement period. In a recent cleanup effort, the team closed 1,200 security issues — a huge increase from finding "a few hundred max" before Codacy.
The automated scanning and clear remediation guidance reduced friction between teams. "Most of our developers have no problem with it," the Senior Security Engineer reported, noting that developer meetings requesting security assistance have decreased substantially as teams became self-sufficient with Codacy's automated guidance.
The efficiency gains freed both security leaders to focus on strategic initiatives. "With AI coming in, we've freed up having to fix the issues themselves. So now we have to secure the AI," the Senior Security Engineer explained, highlighting how automation enabled the team to tackle emerging challenges rather than manual review tasks.
Looking forward, the company plans to deploy Codacy's smart false positive triage feature and expand MCP server adoption across its 1,400 developers. The Manager of Security Operations is exploring further consolidation opportunities: "We've briefly talked about DAST and pentesting features" as potential replacements for other tools in their stack.
Both leaders consider Codacy irreplaceable in their security infrastructure. The Senior Security Engineer was unequivocal about the impact of losing it: "We would have to scramble to figure out a temporary solution. We'd have to POC at least two or three different vendors. It would be a mess."
"Codacy has improved communication between security and development teams, and it's continuing to raise the bar for compliance."