
New Feature: Proactive Software Composition Analysis (SCA) Scan


We’re excited to announce the launch of our proactive software composition analysis (SCA) scans, which are available to all our business-tier customers. 

Proactive means that this scan runs automatically on a schedule. Unlike the traditional analysis flow, where a commit to the default branch or a pull request is required to trigger an analysis, the SCA scan runs daily across all your organization's repositories, so even your less frequently used repos stay covered at all times.

How It Works 

Codacy automatically scans user repositories every night to check for any vulnerable dependencies. Uncovered vulnerabilities will be reported directly on the Security and risk management dashboard, as always, and via Slack. 

With this feature, we want to ensure that all your repos are safe, even ones rarely updated (legacy services/libraries, etc.). The SCA scan will flag vulnerable dependencies even if the latest commit did not change the configuration files for the repo's dependencies.

To help you notice the new issues, we've added a new component to the “Findings open” widget on the Security and risk management page, highlighting the latest findings for the current week. 

We’ve also changed the default sorting on the Findings page to highlight the most recently detected vulnerabilities.

As already mentioned, if you have our Slack integration installed, your team will be notified via Slack whenever a new critical security issue is detected. 

Since our Trivy integration powers our SCA scanning capabilities, we also decided to split and better categorize Trivy results to reduce noise and assign severity levels for each found vulnerability. 

This means that Trivy now has three patterns for vulnerable dependencies instead of one: Critical, Medium, and Minor. All repositories and standards that had the previous pattern enabled will now have these three patterns enabled. 
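The nightly flow described above (scan every repository, bucket Trivy's findings into Critical, Medium and Minor, surface what is new since the previous scan, and notify on new critical issues) can be illustrated with a small report post-processor. The following is an added example written for this article, not Codacy's own code: it parses the JSON report that `trivy fs --format json` produces (schema version 2, a real format), and the mapping from Trivy's five severity labels to the three pattern buckets is an assumption, since the post does not state which Trivy severities land in which bucket. The report content itself is constructed, with placeholder vulnerability IDs rather than real advisories.

```python
import json

# Constructed sample of a Trivy JSON report (SchemaVersion 2). Package names,
# versions and the CVE-style ids are placeholders, not real advisories.
# Note that Trivy omits the "Vulnerabilities" key entirely for clean targets.
SAMPLE_TRIVY_JSON = """
{
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Results": [
    {
      "Target": "package-lock.json",
      "Class": "lang-pkgs",
      "Type": "npm",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-lib-a",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "example-lib-b",
         "InstalledVersion": "2.3.0", "FixedVersion": "2.4.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-00003", "PkgName": "example-lib-c",
         "InstalledVersion": "0.9.0", "FixedVersion": "", "Severity": "MEDIUM"}
      ]
    },
    {
      "Target": "requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00004", "PkgName": "example-pkg-d",
         "InstalledVersion": "3.1.0", "FixedVersion": "3.1.2", "Severity": "LOW"}
      ]
    },
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile"
    }
  ]
}
"""

# Assumed mapping (not taken from the post) from Trivy's severity labels to
# the three pattern buckets the post names.
BUCKET_FOR_SEVERITY = {
    "CRITICAL": "Critical",
    "HIGH": "Critical",
    "MEDIUM": "Medium",
    "LOW": "Minor",
    "UNKNOWN": "Minor",
}


def parse_trivy_report(report_json: str) -> list[dict]:
    """Flatten a Trivy report into one finding per (target, vulnerability, package)."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # "Vulnerabilities" is absent (or null) when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
            })
    return findings


def bucket_findings(findings: list[dict]) -> dict[str, list[dict]]:
    """Group findings into the Critical / Medium / Minor patterns."""
    buckets: dict[str, list[dict]] = {"Critical": [], "Medium": [], "Minor": []}
    for finding in findings:
        bucket = BUCKET_FOR_SEVERITY.get(finding["severity"], "Minor")
        buckets[bucket].append(finding)
    return buckets


def finding_key(finding: dict) -> tuple[str, str, str]:
    """Stable identity used to compare tonight's scan with the previous one."""
    return (finding["target"], finding["id"], finding["pkg"])


def new_findings(findings: list[dict], previously_seen: set[tuple]) -> list[dict]:
    """Findings that were not present in the previous night's scan."""
    return [f for f in findings if finding_key(f) not in previously_seen]


def should_notify(new: list[dict]) -> bool:
    """Mirror the post's rule: notify when a new critical issue appears."""
    return any(BUCKET_FOR_SEVERITY.get(f["severity"], "Minor") == "Critical" for f in new)


if __name__ == "__main__":
    # Pretend last night's scan already knew about the CRITICAL finding.
    seen = {("package-lock.json", "CVE-0000-00001", "example-lib-a")}
    findings = parse_trivy_report(SAMPLE_TRIVY_JSON)
    for name, items in bucket_findings(findings).items():
        print(f"{name}: {len(items)} finding(s)")
    fresh = new_findings(findings, seen)
    print(f"new since last scan: {len(fresh)}; notify: {should_notify(fresh)}")
```

Persisting the set of `finding_key` tuples between runs is what makes "new this week" meaningful for a repository that has not been committed to: the dependency files are unchanged, but the vulnerability database behind Trivy moves, so the diff between two nightly reports is the signal worth surfacing.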

Want to see SCA scans in action? Register to attend our upcoming Product Showcase on October 8. We’ll do a live demo of the SCA scan and open the discussion up to user questions and comments. 

If you’re a Codacy Pro customer interested in upgrading to gain access to this feature, reach out to our customer success team or contact us here.
