New Security and Risk Management Features Now Available

In this article:
Subscribe to our blog:

A few months ago, we debuted our security and risk management dashboard, which gives our customers a unified control plane for identifying and fixing security issues.

Since then, we’ve been working on adding features to improve the dashboard’s usability and increase its value. Here’s what’s new:

Secret Detection

Secret detection is a key security practice that involves identifying sensitive information within the source code of software applications. These sensitive details often include passwords, API keys, cryptographic secrets, and other confidential data.

Secret detection is not an entirely new capability for Codacy—it was already available for a couple of languages (Python and Cloudformation). However, we’ve expanded language support considerably by integrating Trivy—one of the most popular open-source security scanners available.

To use the new feature, find Trivy on the Code Patterns page of the Codacy app.

secret detection trivy integration

The tool is enabled by default for all new repositories. For existing repositories, you’ll need to enable it in the Code Patterns page or enable it in an existing Coding Standard.

In this example, you can see a hard-coded AWS secret access key found by the secret detection capability in the issues list.

secret detection in codacy

The new tool applies to most programming languages, including Javascript/Typescript, C/C++, C#, Java, Python, Go, and many more. See Codacy’s supported languages and tools for the complete list.

The new secret security issues behave like any other Codacy issue, supporting ignoring issues, coding standards, and appearing in the pull request flow.

The new tool is also compatible with all other security features: the repository security dashboard, the security and risk management dashboard, the security issues CSV export, the security issues gate policies, and the Slack notification integration for security issues.

Here’s what the above AWS-related security issue looks like when it appears in the security and risk management dashboard.

secret detection in security and risk management dashboard

The feature is available for all Quality OSS and paid customers.

We’re already working on adding more features via this integration. Expect to see an insecure dependencies detection tool very soon.

Slack Notifications for Security Issues

We’ve also added a Slack integration to help increase the visibility of new security issues introduced and solve them faster.

The integration will help organizations keep better track of when security issues arise by sending automated notifications to your team’s Slack channel.

Whenever Codacy finds a new critical severity security issue in the default branch, it sends a notification to the configured Slack channel, along with the following:

  • A description of the issue
  • Its respective pattern
  • The affected repository
  • A link to view it in Codacy

codacy security issue slack integration

To get started, you need to configure a Slack integration for your organization.

You can do this from Codacy’s Integrations section. Follow the steps within the app or click on the in-app link to the Slack integration’s documentation page.

codacy security slack integration

Currently, notifications are only sent for critical security issues.

Filter Security Issues Per Repository

We realized that some of our customers needed an easier way to identify security issues in specific focus areas without having to shift through every issue from every repository.

Users are now able to get a more granular look at security issues to get a better understanding of the service-level agreements (SLAs) and prioritize fixes more effectively by filtering by one or more repositories.

Simply select the repository you want to inspect.

codacy repository selection

The security and risk management dashboard will tell you how many open items exist in these repositories, allowing you to prioritize them more easily.

codacy security issues per repository

Security Issues CSV Export

Users can now download a list of all identified security issues as a CSV file. This feature makes it easier for developers to share security issues with stakeholders that don’t have access to Codacy, like auditors, or import them into their issue tracker of choice.

codacy security issues CSV export

All security issues will be downloaded regardless of the selected filter. For every item, the CSV includes the following information:

  • A security item ID
  • The severity level assigned to the security item
  • A description that explains the security item and its potential implications
  • The name of the repository where the security item was identified
  • The current status of the security item
  • When the security item was detected and closed

The new feature is available to all organization admins and security managers of Codacy Quality Pro accounts.

That’s it for now. Take these new security features for a spin, and let us know what you think!

To learn more about this feature and a slew of other improvements we’ve recently made to the platform, check out the recording of our most recent Product Showcase:

 

 

If your team is looking for a tool that prioritizes not just code quality but also security, start your free Codacy trial today!

RELATED
BLOG POSTS

New Feature: Assigning Multiple Coding Standards to a Single Repository 
We’re excited to share a major update: you can now assign multiple coding standards to a single repository.
New Organization Manager Role and Language Support Added
Our new organization manager role represents a huge step in our mission to tailor platform access to the needs and preferences of our customers.
New Feature: Customizing Patterns When Following Coding Standards
We’re excited to announce a new feature that will give developers using Codacy more freedom and power than ever to tailor their code analysis...

Automate code
reviews on your commits and pull request

Group 13