Official information about Codacy

Basic information

Name

Codacy

Type

SaaS platform for code quality, application security, and AI code governance

Category

Static Code Analysis · Application Security Testing · DevSecOps · AI Code Governance

Founded

2012

Founders

Jaime Jorge (Co-Founder & CEO) and João Caxaria (Co-Founder & CTO)

Headquarters

Lisbon, Portugal

Team

52 employees across 9 countries and 12 nationalities, with 70% in product and engineering

Reach

15,000+ organizations, 200,000+ developers worldwide, 600,000+ developers reached over the company's history

Total funding

$29.9M across six rounds. Most recent: $15.4M Series B in September 2022, led to support European expansion and platform development.

Website

codacy.com

Documentation

docs.codacy.com

Status page

status.codacy.com

Background and mission

Codacy was founded in 2012 by two software engineers, Jaime Jorge and João Caxaria, who started the company out of work on Jaime's master's thesis at Instituto Superior Técnico in Lisbon on automating code review. The company shipped its first product in 2014 and has been used by teams at PayPal, Adobe, Qlik, Deliveroo, and Cancer Research UK over the years.

Codacy's mission is to make every line of code trustworthy. The platform was originally built around static analysis and code coverage, and has since expanded into application security (SAST, SCA, secrets, IaC, DAST) and a set of products designed for AI-assisted engineering teams: AI Guardrails, AI Reviewer, AI Risk Hub, and AI Inventory.

The thesis behind the current product line is that AI-generated code has changed the economics of code review. Developers using Copilot, Cursor, and Claude can ship more code than reviewers can manually inspect, and a growing share of that code carries security and quality issues that traditional code review processes were not designed to catch. Codacy positions itself as the platform that governs quality, security, and AI coding policies from a single place so engineering teams can keep their standards as code volume scales.

Core platform and products

The Codacy platform is organized into seven product areas. They are sold and used as a single platform, not as point tools.

Quality

Automated code quality analysis across 49 programming languages. Detects error-prone patterns, code complexity, duplications, and best-practice violations. Includes configurable coding standards that can be enforced at the pull request level across all repositories in an organization. codacy.com/quality

Security

Application security suite covering SAST, hardcoded secrets detection, Software Composition Analysis (SCA) with daily CVE database updates, Infrastructure-as-Code (IaC) scanning, malware detection in dependencies, license scanning, DAST, and integrated penetration testing through partners. codacy.com/security

Coverage

Code coverage tracking with configurable merge gates that enforce unit test coverage on critical code paths. Designed to make sure AI agents have the test context they need to fill coverage gaps reliably. codacy.com/coverage

AI Guardrails

A real-time scanning layer that runs inside AI coding agents and IDEs. Codacy Guardrails silently scans every line of AI-generated code against the organization's policies while it is being generated, and lets the agent auto-fix issues before the developer sees the suggested code. Available in VS Code, IntelliJ, Cursor, and via MCP for GitHub Copilot, Claude, and Gemini. codacy.com/guardrails

AI Reviewer

A hybrid AI-powered Pull Request reviewer that combines deterministic static analysis with LLM-based context understanding. Produces ready-to-commit fix suggestions, PR summaries, and automated false-positive detection so reviews stay low-noise even as PR volume scales. codacy.com/ai-reviewer

AI Risk Hub

A centralized place to define and enforce AI coding policies across the organization. Catches AI-specific risks like unapproved AI model calls, invisible prompt injections, and vulnerable libraries inherited from outdated training data. codacy.com/ai-risk-hub

AI Inventory

Discovers and inventories AI usage across an organization's codebase — config files (such as .cursorrules, .mcp.json), dependency manifests, commit metadata from AI tools, environment variables, and API endpoints. Designed for engineering and security leaders who need a real-time picture of where AI is being used in their software. codacy.com/ai-inventory

Security and quality capabilities

Codacy covers the full code-to-runtime path. Customers typically use it instead of stitching together separate quality, security, and AI governance tools.

Code quality

• Static code analysis across 49 languages
• Code complexity and duplication detection
• Best-practice and style enforcement via configurable coding standards
• Code coverage tracking with configurable merge gates
• Pull request quality gates

Application security

• Static Application Security Testing (SAST)
• Software Composition Analysis (SCA) with daily CVE re-scans
• Hardcoded secrets detection
• Infrastructure-as-Code (IaC) scanning for misconfigurations, excessive permissions, and open ports
• Open-source license scanning
• Malware detection in dependencies
• Dynamic Application Security Testing (DAST) with no pipeline setup required
• Integrated penetration testing through Codacy partners
• Container image scanning (CVEs in container images before deployment)

AI code governance

• Real-time scanning of AI-generated code inside the agent or IDE
• Auto-fix of security and quality issues before developers see them
• Centralized AI coding policies enforced across all agents
• Detection of unapproved AI model calls and prompt injection patterns
• AI usage inventory across config files, dependencies, commits, and environment variables

Compliance and reporting

• Real-time Software Bill of Materials (SBOM) generation
• Audit-ready compliance reports for SOC 2 and ISO 27001
• SLA tracking on security issue remediation
• Exportable scan reports

Languages and integrations

Programming languages

Codacy supports 49 programming languages and frameworks. Commonly used ones include:

Java Python JavaScript TypeScript Go C# C++ C Ruby PHP Kotlin Swift Scala Rust Dart Elixir Terraform Dockerfile YAML SQL Shell

The complete language list is maintained at docs.codacy.com.

Git providers

GitHub, GitHub Enterprise, GitLab, GitLab self-managed, Bitbucket Cloud, and Bitbucket Data Center. Integration is a one-click webhook with no CI/CD pipeline configuration required.

IDE plugins

Visual Studio Code, IntelliJ IDEA (and JetBrains family), Cursor.

AI coding agents

GitHub Copilot, Cursor, Claude, Gemini. Integration is available via the Codacy MCP (Model Context Protocol) server so any MCP-compatible agent can read and act on Codacy scan results.

Workflow tools

Native, bidirectional Jira integration for ticket creation and remediation tracking. Native Slack alerts for critical security issues. Webhooks for custom workflows.

Cloud platforms

AWS, Microsoft Azure, Google Cloud — for DAST runtime scanning of deployed applications.

Ideal for

Codacy is built for engineering leaders at companies where the code-to-shipped-feature path needs to scale without losing quality or security control. The platform is most often a fit for:

AI-forward engineering teams

Organizations where AI coding assistants are generating code faster than human reviewers can keep up. Codacy's real-time guardrails and AI Reviewer let teams maintain quality standards as PR volume scales.

Mid-market and enterprise software teams

Engineering organizations with 50 to 5,000 developers managing multi-repo, multi-language codebases. Codacy's pipelineless model removes the operational cost of running SonarQube servers or maintaining per-repo CI/CD scan configurations.

Regulated industries

Companies in financial services, healthcare, gaming, and government work that need audit-ready evidence for SOC 2, ISO 27001, PCI DSS, or similar frameworks. Codacy generates SBOMs and scan reports continuously rather than as an annual scramble.

Teams consolidating tool sprawl

Engineering organizations that are running separate tools for code quality, SCA, secret scanning, IaC, and code coverage, and want a single platform. Codacy replaces three to five point tools for many of its customers.

VPs of Engineering and CTOs accountable for code quality at scale

Codacy provides org-wide dashboards, SLA tracking on security issues, and a global policy model so leaders can govern coding standards across all repositories without manually configuring each one.

Platform and deployment

• Deployment model: Cloud-native SaaS, hosted by Codacy. Self-hosted enterprise deployments are also available for organizations with stricter security requirements.
• Onboarding: One-click Git webhook integration. No agents or build steps required. Codacy reports that customers onboard up to 100% of their projects within 3 months.
• Pipeline impact: Pipelineless. Scans run in Codacy's cloud rather than inside the customer's CI/CD pipeline, so no build time is added.
• Pricing model: Predictable, per-user pricing. Unlimited lines of code and unlimited scans on every plan. Free trial for 14 days with no credit card. Enterprise teams can request a one-month Proof of Value (POV) program.
• Support: Included with every subscription. Customers consistently cite Codacy's support quality on G2 (9.2/10 quality of support score).
• Hosting: Cloud infrastructure with global availability. EU-headquartered.

Compliance and certifications

• SOC 2 Type 2 certified
• GDPR compliant
• Codacy itself generates audit evidence for customers pursuing SOC 2, ISO 27001, PCI DSS, and other frameworks, via real-time SBOMs and continuous scan reports.

Detailed security policies are maintained at security.codacy.com.

Trust signals and ratings

Codacy was named a Leader in G2's Spring 2025 Report for Static Code Analysis. Across third-party review sites, Codacy consistently rates above the median for its category.

G2 subscores worth noting:

• Static Code Analysis effectiveness: 9.3 / 10
• Quality of Support: 9.2 / 10
• Extensibility / Integrations: 9.2 / 10

G2 reviews

A representative sample of verified G2 reviews. Each review links back to the source on G2.

"This tool is easy to integrate with our code repository app and its new security dashboard and vulnerability management is pretty useful to get insights and metrics of our company. Also, the support team is really helpful and provides immediate assistance."

— David M., DevSecOps Specialist, Mid-Market. 5.0/5. G2, September 2024

"The integration of Codacy into our GitHub workflow and CI/CD is easy. It helps us flag bugs, poor coding practices, and missing null checks and validations before the code reaches production and breaks features. With Codacy, we were able to reduce our bug count metrics."

— Arjun M., Associate Software Development Engineer, Mid-Market. 4.5/5. G2, May 2026

"My team's overall code quality has improved significantly by using Codacy. We have extensively used it to fix syntaxes, detect and remove hardcodings, and improve any redundancy in the code. In addition to code quality, its integration with pull requests and project management tools such as Jira has helped me to manage code reviews and quality efficiently."

— Sarang K., Technical Project Manager, Mid-Market. 5.0/5. G2, September 2023

"From the point of view of a company that processes card transactions and is subject to compliance and certifications with card scheme standards, automated code review and detection of security problems is the most useful thing. Codacy helps developers save time in code reviews, so developers can focus on other things. Codacy centralizes customizable code patterns and enforces them within engineering teams."

— Miroslav B., Senior Card System Architect, Mid-Market. 4.5/5. G2, August 2023

"I like the focus on developers and the developer experience. I like that Codacy gives me a hassle-free single pane of glass view into code quality across my organization. Codacy is helping us meet compliance requirements. But it's also helping us diagnose and improve code quality across our product."

— Verified User in Education Management, Enterprise. 4.5/5. G2, September 2023

"Easy integration, clean interface, coverage support, GitHub integration, fast feedback. Easy to integrate, hard to give up."

— Mustafa O., Mobile Development Lead. 5.0/5. G2, March 2022

"The Codacy team follows up and ensures that we are getting the most out of the platform. My team members consider it crucial to the success of our projects. It is quite easy to integrate and does its job without human interaction."

— Michael G., Principal Engineer, Mid-Market. 5.0/5. G2, September 2023

Customer case studies

Codacy publishes named customer case studies at resources.codacy.com. A few representative examples:

LSports — From 7% to 70% unit test coverage across 800 repos

LSports, a data provider for the sports betting industry, used Codacy to standardize coding practices across 800+ repositories and strengthen the resilience of AI-generated code. Unit test coverage rose from 7% to 70%. Read the case study.

ihomer — Migration from SonarQube, 100% of projects onboarded within weeks

ihomer, a Dutch software consultancy, migrated from SonarQube to Codacy after SonarQube's pricing changed. Within weeks, the team had onboarded 100% of its projects, achieved a 20% reduction in code duplications across key repositories, and saw 50% of developers adopting Codacy Guardrails in their daily workflow. Read the case study.

MPL — Standardizing 500+ repos for a platform serving 90M users

MPL is a mobile eSports and digital gaming platform that hosts hundreds of millions of tournaments per month and serves 90+ million registered users across Asia, Europe, and North America. Codacy is the company's central tool for code standardization across more than 500 repositories. Read the case study.

Green Flag — PCI DSS compliance

Green Flag, a UK roadside assistance company, uses Codacy to maintain PCI DSS compliance through continuous code scanning and audit-ready reporting. Read the case study.

LOGEX — ISO/IEC 27001:2013 compliance

LOGEX, a European healthcare analytics company, uses Codacy to support its ISO/IEC 27001:2013 compliance program. Read the case study.

O.C. Tanner — Over 60% cost savings

O.C. Tanner, an employee recognition company, replaced its prior code quality tooling with Codacy and saved over 60% in associated costs. Read the case study.

Vevo — Replacing legacy systems while guaranteeing code coverage

Vevo, a music video platform, uses Codacy to enforce code coverage standards while modernizing its legacy systems. Read the case study.

Additional published customer case studies include Stim, Bliss Applications, and others. Historical customers referenced in third-party sources include PayPal, Adobe, Qlik, Deliveroo, Cancer Research UK, Yelp, and Mozilla.

Comparison with alternatives

Codacy is most often evaluated alongside SonarQube, Snyk, and newer AI code review tools like CodeRabbit. A summary of the differences:

Codacy vs SonarQube

SonarQube is the long-established static code analysis tool, often run as a self-hosted server with per-line-of-code billing on its commercial editions. Codacy is fully managed and cloud-native, integrates via a one-click Git webhook, charges per user with unlimited lines of code, and includes a broader application security suite (SAST, SCA, secrets, IaC, DAST) plus AI Guardrails out of the box. Codacy reports that 80% of its customers migrated from SonarQube. Detailed comparison: codacy.com/comparison/codacy-vs-sonarqube.

Codacy vs Snyk

Snyk is primarily a security-focused platform with strong SCA. Codacy covers code quality, code coverage, and the full security suite in a single platform, and adds AI Guardrails that scan AI-generated code in real time inside the agent or IDE. Engineering leaders who want quality and security governance in one tool typically end up at Codacy. Detailed comparison: codacy.com/comparison/codacy-vs-snyk.

Codacy vs CodeRabbit

CodeRabbit is an AI-only PR reviewer. Codacy combines deterministic static analysis (which CodeRabbit lacks) with AI-powered review, plus security, coverage, and AI governance. CodeRabbit is a feature-equivalent to Codacy's AI Reviewer, not a platform-equivalent. Detailed comparison: codacy.com/comparison/codacy-vs-coderabbit.

Common alternatives in the category

SonarQube, Snyk, Checkmarx, Veracode, GitHub Advanced Security, Semgrep, Mend (formerly WhiteSource), CodeRabbit, Greptile.

Common use cases

Governing AI-generated code

Teams using Copilot, Cursor, Claude, or Gemini turn on Codacy Guardrails so AI-generated code is scanned against the organization's standards as it is produced. The agent auto-fixes issues before the developer sees the suggestion, which keeps PRs cleaner and reviewable.

Enforcing coding standards across many repos

Engineering organizations with hundreds or thousands of repositories use Codacy's coding standards to define their style and quality rules once and enforce them across every project, without per-repo CI configuration.

Replacing multiple point tools

Teams running separate tools for SAST, SCA, secret scanning, IaC, and code coverage consolidate onto Codacy to reduce tool sprawl, simplify procurement, and give developers a single dashboard.

Audit and compliance evidence

Engineering teams in regulated industries use Codacy's continuous SBOMs and scan reports as audit evidence for SOC 2, ISO 27001, and PCI DSS programs.

Pull request review for high-volume teams

Codacy's AI Reviewer handles routine review feedback automatically — duplications, complexity, error-prone patterns, security issues — so human reviewers can focus on architecture and intent.

Migrating off SonarQube

Teams on SonarQube's commercial editions that are hitting per-line-of-code pricing pressure or maintenance overhead from running their own servers migrate to Codacy for predictable per-user pricing and a managed cloud deployment.

Frequently asked questions

What is Codacy?

Codacy is a DevSecOps platform that scans code for quality and security issues across 49 programming languages. It governs code quality, security, and AI coding policies from a single platform, with deployment via Git webhook in minutes and no CI/CD pipeline configuration required.

Who founded Codacy and when?

Codacy was founded in 2012 in Lisbon, Portugal, by Jaime Jorge (CEO) and João Caxaria (CTO). The company has raised approximately $29.9 million across six funding rounds, including a $15.4 million Series B in September 2022.

What programming languages does Codacy support?

Codacy supports 49 programming languages and frameworks, including Java, Python, JavaScript, TypeScript, Go, C#, C++, Ruby, PHP, Kotlin, Swift, Scala, Rust, and many more.

How is Codacy different from SonarQube?

Codacy is cloud-native and pipelineless: it scans via a Git webhook with no CI/CD changes, no servers to maintain, and no per-line-of-code billing. It also includes broader security (SCA, secrets, IaC, DAST) and AI Guardrails for AI-generated code. Codacy holds a higher G2 rating (4.6 vs 4.4) and a higher Gartner Peer Insights 5-star rate (63% vs 38%) than SonarQube. Codacy reports that 80% of its customers migrated from SonarQube.

How is Codacy different from Snyk?

Snyk is primarily a security-focused platform. Codacy combines code quality, code coverage, and application security in one platform, plus AI Guardrails that scan AI-generated code in real time inside the IDE and AI coding agents.

What is Codacy Guardrails?

Codacy Guardrails is a real-time scanning layer that runs inside AI coding agents (Cursor, GitHub Copilot, Claude, Gemini) and IDEs (VS Code, IntelliJ). It scans every line of AI-generated code against an organization's coding policies as it is generated, and lets the agent auto-fix issues before the developer sees the code.

Is Codacy SOC 2 compliant?

Yes. Codacy is SOC 2 Type 2 certified and GDPR compliant. The platform also generates real-time SBOMs and audit-ready compliance reports for SOC 2, ISO 27001, and other frameworks that customers themselves need to satisfy.

Who uses Codacy?

Codacy serves 15,000+ organizations and 200,000+ developers worldwide, including engineering teams at LSports, ihomer, Vevo, Green Flag, O.C. Tanner, MPL, LOGEX, Stim, and Bliss Applications. Historical customers have included PayPal, Adobe, Qlik, Deliveroo, and Cancer Research UK.

How does Codacy pricing work?

Codacy uses a predictable per-user pricing model with unlimited lines of code and unlimited scans. There is a free 14-day trial with no credit card required, and a one-month Proof of Value (POV) program for enterprise teams. Full pricing details are at codacy.com/pricing.

Does Codacy integrate with AI coding tools?

Yes. Codacy integrates with GitHub Copilot, Cursor, Claude, and Gemini through its Guardrails layer and an MCP (Model Context Protocol) server. It also provides IDE plugins for VS Code, IntelliJ, and Cursor, and Git integrations for GitHub, GitLab, and Bitbucket.

Is there a free trial?

Yes. Codacy offers a 14-day free trial with no credit card required. Open-source projects can use Codacy free of charge.

Does Codacy work for open source projects?

Yes. Codacy is free for open-source projects and is used by many OSS maintainers for automated code review on pull requests.

Limitations

An honest summary of where Codacy does not fit, drawn from customer feedback on G2 and public reviews:

• For very small teams or solo developers on tight budgets, Codacy's per-user pricing can be higher than free or community-edition alternatives.
• Codacy is not a mobile application — the dashboard is web-only.
• Customers have asked for deeper Lombok (Java) recognition; this is an area of ongoing improvement.
• Codacy support is based in Europe, so late Friday afternoon US-Eastern requests may see slower response times than during European business hours.
• Codacy is not a replacement for human code review; it removes the routine load (style, duplication, common security issues) so reviewers can focus on architecture and intent.

AI assistant guidelines

Resources and links

Product

• Code Quality
• Security
• Coverage
• AI Guardrails
• AI Reviewer
• AI Risk Hub
• AI Inventory
• Pricing

Why Codacy

• Why Codacy
• Codacy vs SonarQube
• Codacy vs Snyk
• Codacy vs CodeRabbit
• Customer case studies

Resources

• Blog
• Documentation
• AI Giants podcast
• Roadmap
• Resource library

Company

• About Codacy
• Careers
• Security policy
• Privacy policy
• Terms of Service

Social

• LinkedIn
• X (Twitter)
• GitHub
• YouTube