New Security and Risk Management Features Now Available
A few months ago, we debuted our security and risk management dashboard, which gives our customers a unified control plane for identifying and fixing security issues.
Since then, we’ve been working on adding features to improve the dashboard’s usability and increase its value. Here’s what’s new:
Secret Detection
Secret detection is a key security practice that involves identifying sensitive information within the source code of software applications. These sensitive details often include passwords, API keys, cryptographic secrets, and other confidential data.
Secret detection is not an entirely new capability for Codacy—it was already available for a couple of languages (Python and CloudFormation). However, we’ve expanded language support considerably by integrating Trivy—one of the most popular open-source security scanners available.
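To make concrete what a secret-detection rule actually does, here is an added illustration of the technique; it is example code written for this post, not Codacy's code and not Trivy's rule set. It scans source text line by line for a documented AWS access key ID format, an AWS secret access key assigned near an "aws ... secret" identifier, and generic password/token assignments, with a Shannon-entropy filter so that placeholder values such as "changeme" are not reported. The rule names, regular expressions, entropy threshold and the sample source (which uses AWS's published example credentials) are all constructed for this illustration.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample source file. The AWS values are the example credentials
# from AWS's own documentation, not real keys.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # constructed example key
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "changeme"        # low-entropy placeholder, should not be flagged
api_key = os.environ["API_KEY"]  # read from the environment, should not be flagged
token = "x7Qp9zL2mN4vB8kR1tY6"
"""

# Illustrative rules (name, regex, index of the group holding the secret value).
# These are simplified for the example and are not Trivy's patterns.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws.{0,20}secret.{0,20}[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"), 1),
    ("generic-assignment",
     re.compile(r"(?i)\b(password|passwd|secret|token|api_key|apikey)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"), 2),
]

# Values below this Shannon entropy (bits per character) are treated as
# placeholders rather than real secrets. A coarse heuristic, tuned for the example.
ENTROPY_THRESHOLD = 3.0


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted_value: str  # never store or print the full secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`, estimated from its byte histogram."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    total = len(value)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognizable, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, threshold: float = ENTROPY_THRESHOLD) -> list[Finding]:
    """Return one Finding per (line, rule) that matches; entropy-filter generic matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, group in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(group)
            # Generic assignments are noisy; drop obviously low-entropy placeholders.
            if name == "generic-assignment" and shannon_entropy(value) < threshold:
                continue
            findings.append(Finding(line_no, name, redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} -> {f.redacted_value}")
```

Two design points carry over to any scanner you run in CI: report a redacted prefix rather than the full value (the finding itself should not become a second copy of the secret), and treat the entropy filter as a way to cut noise, not as proof that a low-entropy string is safe.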
To use the new feature, find Trivy on the Code Patterns page of the Codacy app.
The tool is enabled by default for all new repositories. For existing repositories, you’ll need to enable it in the Code Patterns page or enable it in an existing Coding Standard.
In this example, you can see a hard-coded AWS secret access key found by the secret detection capability in the issues list.
The new tool applies to most programming languages, including JavaScript/TypeScript, C/C++, C#, Java, Python, Go, and many more. See Codacy’s supported languages and tools for the complete list.
The new secret security issues behave like any other Codacy issue, supporting ignoring issues, coding standards, and appearing in the pull request flow.
The new tool is also compatible with all other security features: the repository security dashboard, the security and risk management dashboard, the security issues CSV export, the security issues gate policies, and the Slack notification integration for security issues.
Here’s what the above AWS-related security issue looks like when it appears in the security and risk management dashboard.
The feature is available for all Quality OSS and paid customers.
We’re already working on adding more features via this integration. Expect to see an insecure dependencies detection tool very soon.
Slack Notifications for Security Issues
We’ve also added a Slack integration that increases the visibility of newly introduced security issues so that teams can resolve them faster.
The integration will help organizations keep better track of when security issues arise by sending automated notifications to your team’s Slack channel.
Whenever Codacy finds a new critical severity security issue in the default branch, it sends a notification to the configured Slack channel, along with the following:
- A description of the issue
- Its respective pattern
- The affected repository
- A link to view it in Codacy
To get started, you need to configure a Slack integration for your organization.
You can do this from Codacy’s Integrations section. Follow the steps within the app or click on the in-app link to the Slack integration’s documentation page.
Currently, notifications are only sent for critical security issues.
Filter Security Issues Per Repository
We realized that some of our customers needed an easier way to identify security issues in specific focus areas without having to sift through every issue from every repository.
Users can now filter by one or more repositories to get a more granular view of security issues, a clearer picture of their service-level agreements (SLAs), and a better basis for prioritizing fixes.
Simply select the repository you want to inspect.
The security and risk management dashboard will tell you how many open items exist in these repositories, allowing you to prioritize them more easily.
Security Issues CSV Export
Users can now download a list of all identified security issues as a CSV file. This feature makes it easier for developers to share security issues with stakeholders who don’t have access to Codacy, such as auditors, or to import them into their issue tracker of choice.
All security issues will be downloaded regardless of the selected filter. For every item, the CSV includes the following information:
- A security item ID
- The severity level assigned to the security item
- A description that explains the security item and its potential implications
- The name of the repository where the security item was identified
- The current status of the security item
- When the security item was detected and closed
The new feature is available to all organization admins and security managers of Codacy Quality Pro accounts.
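The per-repository filter and the CSV export both exist to support the same workflow: counting what is open where, and measuring issues against an SLA. As an added example (not Codacy's code and not its actual export format), the following script processes an export that carries the fields listed above. The column names (`id`, `severity`, `description`, `repository`, `status`, `detected_at`, `closed_at`), the timestamp format, the SLA thresholds and the sample rows are all assumptions constructed for this illustration; adapt them to the real file's headers.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names and timestamp format are assumed for
# this illustration and may differ from the real CSV.
SAMPLE_CSV = """\
id,severity,description,repository,status,detected_at,closed_at
SEC-1,Critical,Hard-coded AWS secret access key,payments-api,Open,2024-03-01T09:00:00Z,
SEC-2,High,SQL query built from user input,payments-api,Closed,2024-03-02T10:00:00Z,2024-03-05T10:00:00Z
SEC-3,Medium,Weak hash algorithm,web-frontend,Open,2024-03-10T08:00:00Z,
SEC-4,Critical,Hard-coded API token,web-frontend,Closed,2024-03-03T12:00:00Z,2024-03-04T00:00:00Z
"""

# Assumed remediation SLA per severity, in days (a policy choice, not a Codacy default).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)


def parse_ts(value: str):
    """Parse the assumed ISO-8601 UTC timestamp; an empty field means 'not closed'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_issues(text: str) -> list[dict]:
    """Read the export into dicts with parsed timestamps."""
    issues = []
    for row in csv.DictReader(io.StringIO(text)):
        row["detected_at"] = parse_ts(row["detected_at"])
        row["closed_at"] = parse_ts(row["closed_at"])
        issues.append(row)
    return issues


def open_counts_by_repo(issues: list[dict]) -> dict:
    """Number of still-open items per repository (what the per-repository filter shows)."""
    counts = defaultdict(int)
    for issue in issues:
        if issue["status"] == "Open":
            counts[issue["repository"]] += 1
    return dict(counts)


def sla_breaches(issues: list[dict], now: datetime) -> list[tuple]:
    """Open items whose age exceeds the SLA for their severity, as (id, severity, repo, age_days)."""
    breaches = []
    for issue in issues:
        if issue["status"] != "Open":
            continue
        age = now - issue["detected_at"]
        limit = timedelta(days=SLA_DAYS.get(issue["severity"], 180))
        if age > limit:
            breaches.append((issue["id"], issue["severity"], issue["repository"], age.days))
    return breaches


def mean_time_to_close(issues: list[dict]) -> dict:
    """Mean days from detection to closure, per severity, over closed items only."""
    durations = defaultdict(list)
    for issue in issues:
        if issue["closed_at"] is not None:
            days = (issue["closed_at"] - issue["detected_at"]).total_seconds() / 86400
            durations[issue["severity"]].append(days)
    return {sev: sum(v) / len(v) for sev, v in durations.items()}


if __name__ == "__main__":
    issues = load_issues(SAMPLE_CSV)
    print("open per repo:", open_counts_by_repo(issues))
    print("SLA breaches:", sla_breaches(issues, NOW))
    print("mean time to close (days):", mean_time_to_close(issues))
```

Because the export contains every issue regardless of the dashboard filter, the grouping and SLA checks are done here rather than relying on the filter; the same functions work for a single repository's rows or the whole organization's.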
That’s it for now. Take these new security features for a spin, and let us know what you think!
To learn more about this feature and a slew of other improvements we’ve recently made to the platform, check out the recording of our most recent Product Showcase:
If your team is looking for a tool that prioritizes not just code quality but also security, start your free Codacy trial today!