Watch our latest Product Showcase

Group 370

Meet us at WeAreDevelopers World Congress in Berlin

Group 370

Spotlight Whitepaper by IDC on Importance of Automated Code Review Technologies

Group 370

Codacy Vulnerability Scanning Now Includes Insecure Dependencies Detection

In this article:
Subscribe to our blog:

As recently announced during our latest Product Showcase, our team is invested in developing new and exciting Codacy security features. 

After recently launching secret detection, we now offer insecure dependency detection as well. 

Insecure dependencies detection, also called Software Composition Analysis (SCA), is a crucial security practice that involves identifying insecure open-source components used as either direct or transitive dependencies of software applications.

How It Helps You

Our goal is to continue to increase the visibility of common vulnerabilities and exposures (CVE), allowing you to strengthen your organization's security posture and mitigate risks by identifying and solving security issues faster.

By combining insecure dependencies detection with static application security testing and secret detection, Codacy now gives you a more comprehensive range of vulnerability scanning to help you get complete security coverage of your applications.

How It Works 

Insecure dependencies detection is available via a new tool on the Code Patterns page, Trivy—one of the most popular open-source security scanners currently available.

Trivy is enabled by default for all new repositories. For existing repositories, you'll need to enable it in the Code Patterns page or enable it in an existing Code Standard.

It applies to several programming languages, including Javascript/Typescript, C/C++, C#, Python, and more. Check out Codacy's supported languages and tools for the complete list of supported languages.

The tool relies on third-party databases—updated daily—to know which dependencies are vulnerable. We leverage a trusted community of security vulnerability databases inclusive of CVE and other security advisories from the world of open-source software, such as the GitHub Advisory Database, the GitLab Advisories Community, and the Ecosystem Security Working Group.

codacy patterns list view

CVEs behave like any other Codacy issues, supporting ignoring issues, coding standards, and appearing in the pull request flow.

Here's an example of a vulnerable version of the rails-html-sanitizer dependency found by the insecure dependencies detection tool in the Issues list.

codacy current security issues

Here’s what the vulnerable version of the rails-html-sanitizer dependency would look like in the Codacy security and risk dashboard, which gives you the most detailed and easy-to-understand view of detected security issues. 

codacy security and risk dashboard

Currently, the feature works on a per-commit basis, meaning that the scan is performed only after a commit. 

It also works with all of our most recent security features, including the security issues CSV export, the security issues gate policies, and the Slack notification for security issues.

We encourage you to try this new security feature and let us know your thoughts!

To learn more about the latest security features we’ve added and much more, check out the recording of our most recent Product Showcase:


If your team is looking for a tool that prioritizes code quality and security, start your free Codacy trial today!


Filtering Security Issues By Category in Codacy Security
While constantly adding new ways to check your code for security issues is incredibly important to us, being able to present that data to you...
New Security and Risk Management Features Now Available
A few months ago, we debuted our security and risk management dashboard, which gives our customers a unified control plane for identifying and fixing...
Introducing Codacy Security’s AppSec Dashboard
What good are all these advanced security scans if the results are hard to see? Enter the new AppSec Dashboard, which gives Codacy Security users a...

Automate code
reviews on your commits and pull request

Group 13