Join Codacy Product Showcase on July 9th to learn about product updates

Group 370

Meet us at WeAreDevelopers World Congress in Berlin

Group 370

Spotlight Whitepaper by IDC on Importance of Automated Code Review Technologies

Group 370

Secure Code Review Using Codacy

In this article:
Subscribe to our blog:

When you first sign up for Codacy we ask for numerous permissions, yet, want to ensure the most secure code review process. Depending on your  repository host, we need specific access to settings and data.

Particularly when using Codacy daily, you may wonder about the way we handle your data. The code that you trust us with may be highly confidential.  Secure code review is imperative.

In short, Codacy is absolutely secure — there’s nothing to worry about. Although that’s easily said, let me explain: 

Your data is safe with us

We only store the minimum amount of data we need to provide you with a quality experience, and we make sure to treat it with an incredible amount of care.

Code Reviews in Large-Scale Projects: Best Practices for Managers

When we clone your code to our servers, we use temporary disk locations in combination with custom SSH keys for every single project. The keys are saved to a secure hard disk section unrelated to the project files, only for the time required to clone the project. Long term, they are stored ciphered in a database so that, even if the data would somehow be compromised, the intruder wouldn’t be able to clone the projects when trying to use our key.

Each key is randomly generated when a project is created, and it will only ever work for that specific project. If at any point you want to isolate your repo from the service, all you need to do is remove the key, and nobody is able to clone it again.

All of your code that ever touches our servers is only used for our analysis and then proactively deleted. We take the same precautions with the servers running our service, terminating them on a daily basis. Project analysis is done in Dockers without any kind of network access, making each analysis an isolated island from the rest of the system. Furthermore, all cached issue results are deleted from our servers within 24 hours, striking a balance between performance and offering a secure environment for our users.

Our servers are hosted by Amazon EC2 in Europe, and they get erased and rebuilt multiple times a day. All of the data is held on RDS databases and fully encrypted, including any cache of your code and all third party tokens we use to interact with GitHub and BitBucket.

Interacting with Codacy

All of the interactions you have with our service are completely secured, including those relying on third-party tools. For example, we never ask for your password for GitHub, Bitbucket or Slack because we don’t need it — all integrations with external services are handled by API tokens or OAuth.

We work with  Stripe to accept credit card payments, and they take security just as seriously as we do. As a PCI-DSS Certified Level 1 payment processor, they have to adhere to the highest level of security standards, making every part of the payment flow properly secured. We never get to see any of your financial data, as Stripe only communicates the general status of the transaction.

Running our company in a secure way

Our dedication to security goes beyond how we’ve set up Codacy as a product — it also applies to the way we run the company.

While we work with some of the best people in the business, we still take the utmost care when it comes to their access to your data — Codacy employees can never clone your code or see it in its entirety. In certain situations and for specific purposes, including customer support and debugging, we can view your dashboard and issues breakdown, but we will never have access to your code — unless you explicitly allow it for support purposes.

On top of that, we subject our entire digital environment to recurring, automated security scans, and we’ve implemented advanced systems to detect and repel any attempts to get into our systems.

We’ve also realised it’s important to stay critical about our security policies, as there’s always room for improvement. This is why we regularly stop and think about how we can go that extra mile, developing and integrating new ways to safeguard every part of our product offering.

It’s a big privilege we’ve earned your trust, so the least we can do is work relentlessly to create the best and safest way for you to ship better code. If you’re still unsure or have any other security-related questions, feel free to reach out to security@codacy.com.

Codacy is used by thousands of developers to analyze billions of lines of code every day!

Getting started is easy – and free! Just use your  GitHub, Bitbucket or Google account to sign up.


Is your code secure with Codacy?
If you have been in the development business, you are well aware of the fact that data breaches are a part of the development experience, and while...
Filtering Security Issues By Category in Codacy Security
While constantly adding new ways to check your code for security issues is incredibly important to us, being able to present that data to you...
What Programming Languages need Code Reviews?
This is a blog post of our Code Reading Wednesdays from Codacy (http://www.codacy.com): we make code reviews easier and automatic. We launched Codacy...

Automate code
reviews on your commits and pull request

Group 13