Enhanced SCA Granularity: Full Visibility into All Dependency Vulnerabilities


We're expanding our issue relevancy initiative to give you complete transparency and control over your security findings.

At Codacy, we're on a mission to make scan results more relevant, giving you the right insights at the right moment, so you can take action with confidence. Earlier this year, we shared how we're using AI to normalize and improve scan rule documentation at Codacy, making it easier for teams to understand and act on security and code quality issues. Now, we're extending this initiative to Software Composition Analysis (SCA) results.

Visibility over all vulnerabilities

Previously, our Trivy-powered SCA results displayed only one vulnerability per severity for each dependency. This kept the noise down, but it occasionally led to confusion: fixing the one issue you could see sometimes revealed another of the same severity that had been hidden behind it.

Starting early September, you'll see all vulnerabilities detected for each dependency, including multiple issues of the same severity. This means:

  • Better fix clarity – You'll have a complete picture of which versions fix which issues.
  • No more surprises – If you're upgrading a dependency to address an issue we already detected, you'll see everything that upgrade needs to cover upfront.
  • More complete reporting – You may see an increase in the number of vulnerabilities reported as analyses run in your organization.

High severity classification

We're also introducing a new "High" severity category in Trivy results, adding more granularity between "Medium" and "Critical." (Trivy's own ratings already distinguish High from Critical and Medium; Codacy results now preserve that distinction.) This gives you more precise vulnerability classification to help you:

  • Prioritize security fixes more effectively.
  • Set more accurate SLAs based on actual risk levels.
  • Focus resources on vulnerabilities that need urgent attention but aren't quite at the "Critical" threshold. 


Bonus for Python projects

If you use our Prospector tool aggregator for Python, you'll also benefit from improved detection and reporting, part of our broader effort to raise the quality of all results across Codacy.

Why we're making this change

Many of you told us you need the complete picture to make fully informed security decisions. Reducing noise still matters, but this change balances transparency with actionability: you get better visibility into your security posture without losing the ability to act decisively.

While it may mean seeing more issues upfront, it prevents surprises down the line and helps you make more informed decisions about your dependencies and SLAs. These changes affect all SCA analyses and our daily Proactive SCA scans (Business plan only), giving you consistent visibility across your entire codebase.


What you should do

  • Review your updated reports to understand the full scope of issues in your dependencies.
  • Revisit your SLAs if necessary, since findings that now carry the "High" severity may fall under a tighter SLA than they did before.
  • Use version upgrade guidance to resolve multiple issues at once when planning dependency updates.
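The full picture described above, and the upgrade guidance in the last bullet, can be reproduced from Trivy's own JSON output. The following is an added example (not Codacy's code and not Trivy's) that groups every finding per dependency, compares the old one-per-severity view with the full view, picks the single version that clears all fixable findings, and assigns SLA due dates with High as its own tier. The report, package names, vulnerability IDs, scan date and SLA day counts are constructed placeholders; the only thing taken from Trivy is the field names of its JSON report (`Results`, `Vulnerabilities`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`).

```python
"""Group Trivy JSON findings per dependency and pick one upgrade that clears them all."""
import json
from datetime import date, timedelta

# Constructed Trivy-style JSON report (not real scan output). Package names and
# vulnerability IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "requirements.txt",
        "Class": "lang-pkgs",
        "Type": "pip",
        "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "example-lib",
             "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example-lib",
             "InstalledVersion": "1.2.0", "FixedVersion": "1.2.5, 2.0.1", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "example-lib",
             "InstalledVersion": "1.2.0", "FixedVersion": "1.3.0", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "other-lib",
             "InstalledVersion": "0.9.0", "FixedVersion": "", "Severity": "MEDIUM"},
        ],
    }],
})

# Assumed SLA in days per severity; HIGH sits between MEDIUM and CRITICAL.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180, "UNKNOWN": 180}


def parse_version(text):
    """Turn '1.2.5' into (1, 2, 5). Assumes simple dotted versions; non-numeric parts count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def group_by_package(report_json):
    """Map (package, installed version) -> every vulnerability Trivy reported for it."""
    grouped = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["PkgName"], vuln["InstalledVersion"])
            grouped.setdefault(key, []).append(vuln)
    return grouped


def one_per_severity(vulns):
    """The old collapsed view: keep only the first finding of each severity."""
    seen = {}
    for vuln in vulns:
        seen.setdefault(vuln["Severity"], vuln)
    return list(seen.values())


def smallest_fix_above(installed, fixed_field):
    """FixedVersion may list several branches ('1.2.5, 2.0.1'); pick the lowest one newer than installed."""
    base = parse_version(installed)
    candidates = [parse_version(v) for v in fixed_field.split(",") if v.strip()]
    newer = sorted(v for v in candidates if v > base)
    return newer[0] if newer else None


def upgrade_target(installed, vulns):
    """Return (version string that fixes every fixable finding, IDs that have no fix at all)."""
    needed, unfixable = [], []
    for vuln in vulns:
        fix = smallest_fix_above(installed, vuln.get("FixedVersion", ""))
        if fix is None:
            unfixable.append(vuln["VulnerabilityID"])
        else:
            needed.append(fix)
    target = ".".join(str(n) for n in max(needed)) if needed else None
    return target, unfixable


def sla_due(severity, found_on):
    """Due date for a finding under the assumed SLA table."""
    return found_on + timedelta(days=SLA_DAYS.get(severity, SLA_DAYS["UNKNOWN"]))


def plan(report_json, found_on=date(2025, 9, 1)):
    """Per dependency: full vs collapsed count, upgrade target under each view, earliest SLA due date."""
    out = {}
    for (pkg, installed), vulns in group_by_package(report_json).items():
        collapsed = one_per_severity(vulns)
        target_full, unfixable = upgrade_target(installed, vulns)
        out[pkg] = {
            "installed": installed,
            "full_count": len(vulns),
            "collapsed_count": len(collapsed),
            "target_full": target_full,
            "target_collapsed": upgrade_target(installed, collapsed)[0],
            "unfixable": unfixable,
            "due": min(sla_due(v["Severity"], found_on) for v in vulns).isoformat(),
        }
    return out


if __name__ == "__main__":
    for pkg, info in plan(SAMPLE_REPORT).items():
        print(pkg, info)
```

On the sample report the collapsed view tells you to upgrade example-lib to 1.2.5, while the full view shows that only 1.3.0 clears all three findings; the gap between those two numbers is exactly the "fixing one issue revealed another" case. Choosing the lowest fixed version newer than the installed one is an assumption of this example: when Trivy lists fixes on several release branches, your own upgrade policy may prefer a different branch.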

We believe this is a big step forward in helping you manage risk more confidently and transparently. If you have any feedback on this release, feel free to share it with us directly via support or your Customer Success Manager.

💡 Want early access? If you'd like to be part of the early release beta, contact us! We'd love to have you test it before the September launch.
