
Codacy
Application shielding software
Static code analysis tools
Dynamic application security testing (DAST) software
Software composition analysis tools
Static application security testing (SAST) software
Application security software
DevSecOps software
- Information technology and software
- Media and communications
- Education and training
What is Codacy
Codacy is a cloud-based code quality and security analysis platform that scans source code to identify issues such as maintainability problems, common bug patterns, and security findings. It is used by software engineering teams to automate reviews in pull requests and enforce standards across repositories. The product integrates with common Git hosting and CI/CD workflows and provides dashboards, quality gates, and reporting to support continuous improvement. Codacy’s core value centers on static analysis and policy enforcement rather than runtime application shielding.
Broad static analysis coverage
Codacy runs automated static checks for code style, maintainability, and security across multiple languages and repositories. It centralizes findings into a single interface with issue categorization and prioritization. This supports consistent standards across teams without relying solely on manual code review. It aligns well with DevSecOps workflows where code scanning is expected on every change.
CI/CD and PR workflow integration
Codacy integrates with common Git-based workflows to comment on pull requests and block merges based on quality gates. It can be triggered as part of CI pipelines to provide fast feedback during development. These integrations reduce the operational effort of running separate scanners and collecting results. Teams can standardize enforcement through configurable rules and thresholds.
Centralized governance and reporting
Codacy provides dashboards and reporting that help teams track trends, hotspots, and compliance with internal standards. It supports organization-level configuration to apply policies across many repositories. This is useful for engineering leadership that needs visibility into code health and security posture. The reporting focus differentiates it from tools that primarily protect applications at runtime.
Limited runtime security testing
Codacy primarily performs static analysis and does not function as a runtime protection or application shielding product. It is not a substitute for tools that harden binaries, protect mobile apps, or mitigate client-side tampering. Organizations needing runtime defenses typically require additional products. This can increase toolchain complexity for end-to-end application protection.
DAST capabilities not core
Dynamic testing of running applications (DAST) is not Codacy’s primary focus compared with dedicated dynamic scanners. Teams that need authenticated crawling, complex API testing, or environment-specific attack simulation may find gaps. As a result, Codacy is better positioned as a shift-left control than a full dynamic testing solution. Many security programs still need separate DAST coverage.
SCA depth varies by ecosystem
Software composition analysis needs can include deep dependency graphing, license policy enforcement, and advanced vulnerability context. Codacy’s SCA-related coverage may not match specialized dependency-focused tools for all languages and build systems. Organizations with strict open-source governance may need additional controls for SBOM workflows and license compliance. This is especially relevant in regulated environments with formal audit requirements.
Plan & Pricing
| Plan | Price | Key features & notes |
|---|---|---|
| Developer | Free forever — $0 per dev / month | IDE extensions (VSCode, Cursor, JetBrains, Windsurf); AI Guardrails for TypeScript, JavaScript, Python & Java; local, real-time IDE scans for SAST vulnerabilities, hardcoded secrets, insecure dependencies, complexity/duplication/performance issues. |
| Team | $18 per dev/month (when billed annually) — $21 per dev/month (monthly billing) | Pull Request scanning across 49 languages; scan unlimited lines of code in up to 100 private repos; AI Guardrails and sharable security/coding standards across teams; SAST, secret and dependency scans; Free forever for open-source projects; 14-day free trial available. |
| Business | Custom pricing (contact sales) | Unlimited private projects; daily SCA & malicious package re-scans; SBOM exports; AI Risk Hub; DAST (pipeline-less runtime scans); Smart false-positive triage; penetration testing (billed separately); enterprise deployment and priority/white-glove support. |
| Audit (one-off) | Custom pricing (contact sales) | One-off 360° compliance report covering SAST, secrets, IaC, SCA, SBOM and DAST report upload; includes unlimited retests and white-glove customer service. |
Seller details
Codacy
Lisbon, Portugal
2013
Private
https://www.codacy.com/
https://x.com/codacy
https://www.linkedin.com/company/codacy