Codacy Vulnerability Scanning Now Includes Insecure Dependencies Detection
As recently announced during our latest Product Showcase, our team is invested in developing new and exciting Codacy security features.
After recently launching secret detection, we now offer insecure dependency detection as well.
Insecure dependencies detection, also called Software Composition Analysis (SCA), is a crucial security practice: it identifies open-source components with known vulnerabilities that an application uses, whether as direct dependencies (the ones declared in the project's manifest) or as transitive dependencies (the ones pulled in by other dependencies and often never reviewed by anyone on the team).
How It Helps You
Our goal is to keep increasing the visibility of known vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE) entries, so you can strengthen your organization's security posture and mitigate risk by identifying and fixing security issues faster.
By combining insecure dependencies detection with static application security testing and secret detection, Codacy now gives you a more comprehensive range of vulnerability scanning to help you get complete security coverage of your applications.
How It Works
Insecure dependencies detection is provided by a new tool on the Code Patterns page: Trivy, one of the most popular open-source security scanners available today.
Trivy is enabled by default for all new repositories. For existing repositories, you'll need to enable it on the Code Patterns page or add it to an existing Code Standard.
It supports several programming languages, including JavaScript/TypeScript, C/C++, C#, Python, and more. Check out Codacy's supported languages and tools for the complete list.
Trivy relies on third-party vulnerability databases, refreshed daily, to determine which dependency versions are affected by known issues. These sources include the CVE list and other open-source security advisories, such as the GitHub Advisory Database, the GitLab Advisories Community, and the Ecosystem Security Working Group.
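To make the mechanism concrete, here is an added example (not Codacy or Trivy code) of the core SCA step described above and in the definition earlier in the post: walking a resolved dependency graph from the application root, so that transitive dependencies are covered as well as direct ones, and matching each installed version against an advisory database that expresses affected versions as ranges. The lockfile, package names, advisory IDs and ranges below are constructed placeholders, and the constraint syntax (comma-separated `>=`, `<`, `<=`, `>`, `==`) is a simplified stand-in for the range formats that real advisory feeds use.

```python
"""Minimal software-composition-analysis (SCA) check.

Added example, not Codacy or Trivy code. The lockfile and the advisory
database are constructed for illustration; package names and advisory IDs
are placeholders, not real projects or real advisories.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed lockfile: each entry is a resolved package and what it requires.
# "app" is the root; everything else is a direct or transitive dependency.
LOCKFILE: Dict[str, dict] = {
    "app":             {"version": "1.0.0", "requires": ["web-framework", "cli-colors"]},
    "web-framework":   {"version": "4.2.1", "requires": ["html-sanitizer", "template-engine"]},
    "template-engine": {"version": "2.0.3", "requires": ["html-sanitizer"]},
    "html-sanitizer":  {"version": "1.0.3", "requires": []},
    "cli-colors":      {"version": "0.9.0", "requires": []},
}

# Constructed advisory database in the shape advisory feeds use: the affected
# package, an affected version range, the first fixed version, and a severity.
ADVISORIES: List[dict] = [
    {"id": "EXAMPLE-2024-0001", "package": "html-sanitizer",
     "affected": ">=1.0.0, <1.0.4", "fixed": "1.0.4", "severity": "HIGH"},
    {"id": "EXAMPLE-2024-0002", "package": "cli-colors",
     "affected": "<0.8.0", "fixed": "0.8.0", "severity": "LOW"},
    {"id": "EXAMPLE-2024-0003", "package": "template-engine",
     "affected": ">=2.1.0, <2.1.2", "fixed": "2.1.2", "severity": "MEDIUM"},
]

# ">=" and "<=" are listed before ">" and "<" so the two-character operators win.
_CONSTRAINT = re.compile(r"^(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'1.0.3' -> (1, 0, 3); pads with zeros so '1.0' compares equal to '1.0.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str, affected_range: str) -> bool:
    """True if the version satisfies every comma-separated constraint in the range."""
    v = parse_version(version)
    for raw in affected_range.split(","):
        m = _CONSTRAINT.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {raw!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        satisfied = {
            ">=": v >= bound, "<=": v <= bound, "==": v == bound,
            ">": v > bound, "<": v < bound,
        }[op]
        if not satisfied:
            return False
    return True


def dependency_paths(lockfile: Dict[str, dict], root: str = "app") -> Dict[str, List[List[str]]]:
    """Map each package to every path by which root reaches it.

    A two-element path (root, pkg) is a direct dependency; anything longer is
    transitive. Packages reached by several paths (diamond dependencies) get
    one entry per path, so a report can show every route to the vulnerable code.
    """
    paths: Dict[str, List[List[str]]] = {}
    stack = [[root]]
    while stack:
        path = stack.pop()
        for dep in lockfile[path[-1]]["requires"]:
            if dep in path:  # guard against dependency cycles
                continue
            paths.setdefault(dep, []).append(path + [dep])
            stack.append(path + [dep])
    return paths


def scan(lockfile: Dict[str, dict], advisories: List[dict], root: str = "app") -> List[dict]:
    """One finding per (advisory, dependency path) whose installed version is in range."""
    findings = []
    paths = dependency_paths(lockfile, root)
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in lockfile or pkg not in paths:
            continue  # advisory is for a package this project does not use
        installed = lockfile[pkg]["version"]
        if not is_affected(installed, adv["affected"]):
            continue  # installed version is outside the affected range
        for path in paths[pkg]:
            findings.append({
                "id": adv["id"], "package": pkg, "installed": installed,
                "fixed": adv["fixed"], "severity": adv["severity"],
                "kind": "direct" if len(path) == 2 else "transitive",
                "path": " -> ".join(path),
            })
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f"{f['severity']:6} {f['id']} {f['package']}@{f['installed']} "
              f"({f['kind']}, fixed in {f['fixed']}) via {f['path']}")
```

Running it reports EXAMPLE-2024-0001 twice, once for each path by which `app` reaches `html-sanitizer` 1.0.3, and nothing for `cli-colors` or `template-engine`, whose installed versions fall outside the advisory ranges. Two things carry over to a real scanner: findings come from the exact resolved versions in the lockfile rather than from the ranges declared in the manifest, and a transitive dependency that no developer ever added by hand is reported with the chain that pulls it in, which is what you need when deciding which direct dependency to upgrade.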
Detected CVEs behave like any other Codacy issue: you can ignore them, include them in coding standards, and they appear in the pull request flow.
Here's an example of a vulnerable version of the rails-html-sanitizer dependency found by the insecure dependencies detection tool in the Issues list.
Here's what the vulnerable version of the rails-html-sanitizer dependency would look like in the Codacy security and risk dashboard, which gives you the most detailed and easy-to-understand view of detected security issues.
Currently, the feature works on a per-commit basis, meaning that dependencies are scanned only when a commit is analyzed. One consequence worth knowing: an advisory published after your last commit, for a dependency you already ship, will only surface once the repository is analyzed again on a new commit.
It also works with all of our most recent security features, including the security issues CSV export, the security issues gate policies, and the Slack notification for security issues.
We encourage you to try this new security feature and let us know your thoughts!
To learn more about the latest security features we've added and much more, check out the recording of our most recent Product Showcase:
If your team is looking for a tool that prioritizes code quality and security, start your free Codacy trial today!