Secure Code Review Using Codacy


Monorepo with Static Code Analysis

Monorepo is short for monorepository. With it, code for many projects is stored in the same repository. I like to use...

Automated Code Review Benefits: Webinar

Our sales team member Matt Kohler recently gave a presentation on code review benefits with his "Benefits of Automated Code Review" webinar....

Codacy at DevOps Jenkins World

Gain key insight on the state of DevOps and come together with the global Jenkins community... The Codacy team...

Codacy announces raising $7.7M in funding

Today we’re excited to make a funding announcement.  We have raised $7.7M in funding.  Join Capital along with existing investors EQT Ventures, Armilar Venture...

DNS problems scaling with Kubernetes

Here at Codacy, everyone has been working really hard in the last few months to move all of our services to Kubernetes. And it...

How to write legible QA tests

Our quality-minded software engineer shares best practices for writing legible QA tests.

When you first sign up for Codacy we ask for numerous permissions, yet, want to ensure the most secure code review process. Depending on your repository host, we need specific access to settings and data.

Particularly when using Codacy daily, you may wonder about the way we handle your data. The code that you trust us with may be highly confidential.  Secure code review is imperative.

In short, Codacy is absolutely secure — there’s nothing to worry about. Although that’s easily said, let me explain: 

Your data is safe with us

We only store the minimum amount of data we need to provide you with a quality experience, and we make sure to treat it with an incredible amount of care.

When we clone your code to our servers, we use temporary disk locations in combination with custom SSH keys for every single project. The keys are saved to a secure hard disk section unrelated to the project files, only for the time required to clone the project. Long term, they are stored ciphered in a database so that, even if the data would somehow be compromised, the intruder wouldn’t be able to clone the projects when trying to use our key.

Each key is randomly generated when a project is created, and it will only ever work for that specific project. If at any point you want to isolate your repo from the service, all you need to do is remove the key, and nobody is able to clone it again.

All of your code that ever touches our servers is only used for our analysis and then proactively deleted. We take the same precautions with the servers running our service, terminating them on a daily basis. Project analysis is done in Dockers without any kind of network access, making each analysis an isolated island from the rest of the system. Furthermore, all cached issue results are deleted from our servers within 24 hours, striking a balance between performance and offering a secure environment for our users.

Our servers are hosted by Amazon EC2 in Europe, and they get erased and rebuilt multiple times a day. All of the data is held on RDS databases and fully encrypted, including any cache of your code and all third party tokens we use to interact with GitHub and BitBucket.

Interacting with Codacy

All of the interactions you have with our service are completely secured, including those relying on third-party tools. For example, we never ask for your password for GitHub, Bitbucket or Slack because we don’t need it — all integrations with external services are handled by API tokens or OAuth.

We work with Stripe to accept credit card payments, and they take security just as seriously as we do. As a PCI-DSS Certified Level 1 payment processor, they have to adhere to the highest level of security standards, making every part of the payment flow properly secured. We never get to see any of your financial data, as Stripe only communicates the general status of the transaction.

Running our company in a secure way

Our dedication to security goes beyond how we’ve set up Codacy as a product — it also applies to the way we run the company.

While we work with some of the best people in the business, we still take the utmost care when it comes to their access to your data — Codacy employees can never clone your code or see it in its entirety. In certain situations and for specific purposes, including customer support and debugging, we can view your dashboard and issues breakdown, but we will never have access to your code — unless you explicitly allow it for support purposes.

On top of that, we subject our entire digital environment to recurring, automated security scans, and we’ve implemented advanced systems to detect and repel any attempts to get into our systems.

We’ve also realised it’s important to stay critical about our security policies, as there’s always room for improvement. This is why we regularly stop and think about how we can go that extra mile, developing and integrating new ways to safeguard every part of our product offering.

It’s a big privilege we’ve earned your trust, so the least we can do is work relentlessly to create the best and safest way for you to ship better code. If you’re still unsure or have any other security-related questions, feel free to reach out to

Codacy is used by thousands of developers to analyze billions of lines of code every day!

Getting started is easy – and free! Just use your  GitHub, Bitbucket or Google account to sign up.