
Secure Code Review Using Codacy

When you first sign up for Codacy we ask for a number of permissions, yet we also want to ensure the most secure code review process possible. Depending on your repository host, we need specific access to settings and data.

Particularly when using Codacy daily, you may wonder how we handle your data. The code that you trust us with may be highly confidential, so secure code review is imperative.

In short, Codacy is absolutely secure — there’s nothing to worry about. Although that’s easily said, let me explain:

Your data is safe with us

We only store the minimum amount of data we need to provide you with a quality experience, and we make sure to treat it with an incredible amount of care.

When we clone your code to our servers, we use temporary disk locations in combination with custom SSH keys for every single project. The keys are saved to a secure section of the disk, separate from the project files, only for the time required to clone the project. Long term, they are stored encrypted in a database so that, even if the data were somehow compromised, an intruder would not be able to use our key to clone the projects.

Each key is randomly generated when a project is created, and it will only ever work for that specific project. If at any point you want to isolate your repository from the service, all you need to do is remove the key, and nobody is able to clone it again.

All of your code that ever touches our servers is used only for our analysis and is then proactively deleted. We take the same precautions with the servers running our service, terminating them on a daily basis. Project analysis is done in Docker containers without any kind of network access, making each analysis an isolated island from the rest of the system. Furthermore, all cached issue results are deleted from our servers within 24 hours, striking a balance between performance and offering a secure environment for our users.

Our servers are hosted by Amazon EC2 in Europe, and they get erased and rebuilt multiple times a day. All of the data is held in RDS databases and fully encrypted, including any cache of your code and all third-party tokens we use to interact with GitHub and Bitbucket.

Interacting with Codacy

All of the interactions you have with our service are completely secured, including those relying on third-party tools. For example, we never ask for your password for GitHub, Bitbucket or Slack because we don’t need it — all integrations with external services are handled by API tokens or OAuth.

We work with Stripe to accept credit card payments, and they take security just as seriously as we do. As a PCI DSS Level 1 certified payment processor, they have to adhere to the highest level of security standards, making every part of the payment flow properly secured. We never get to see any of your financial data, as Stripe only communicates the general status of the transaction.

Running our company in a secure way

Our dedication to security goes beyond how we’ve set up Codacy as a product — it also applies to the way we run the company.

While we work with some of the best people in the business, we still take the utmost care when it comes to their access to your data — Codacy employees can never clone your code or see it in its entirety. In certain situations and for specific purposes, such as customer support and debugging, we can view your dashboard and issue breakdown, but we will never have access to your code unless you explicitly allow it for support purposes.

On top of that, we subject our entire digital environment to recurring, automated security scans, and we’ve implemented advanced systems to detect and repel any attempts to get into our systems.

We’ve also realised it’s important to stay critical about our security policies, as there’s always room for improvement. This is why we regularly stop and think about how we can go that extra mile, developing and integrating new ways to safeguard every part of our product offering.

It’s a big privilege we’ve earned your trust, so the least we can do is work relentlessly to create the best and safest way for you to ship better code. If you’re still unsure or have any other security-related questions, feel free to reach out to security@codacy.com.
