How does Codacy review code safely?
When you first sign up for Codacy, you might be surprised with the amount of permissions we ask from your account. Depending on your repository host, we need specific access to settings and data to provide you with the best possible experience.
Also, when you’re using Codacy on a daily basis, you might wonder about the way we handle your data. We understand the code you trust us with can be highly confidential and should be handled with care.
These topics can raise all kinds of questions about our security policies. Well, the short answer is that Codacy is totally secure, and there’s nothing to worry about. The long answer takes a bit more time to explain.
Your data is safe with us
We only store the minimum amount of data we need to provide you with a quality experience, and we make sure to treat it with an incredible amount of care.
When we clone your code to our servers, we use temporary disk locations in combination with custom SSH keys for every single project. The keys are saved to a secure hard disk section unrelated to the project files, only for the time required to clone the project. Long term, they are stored ciphered in a database so that, even if the data would somehow be compromised, the intruder wouldn’t be able to clone the projects when trying to use our key.
Each key is randomly generated when a project is created, and it will only ever work for that specific project. If at any point you want to isolate your repo from the service, all you need to do is remove the key, and nobody is able to clone it again.
All of your code that ever touches our servers is only used for our analysis and then proactively deleted. We take the same precautions with the servers running our service, terminating them on a daily basis. Project analysis is done in Dockers without any kind of network access, making each analysis an isolated island from the rest of the system. Furthermore, all cached issue results are deleted from our servers within 24 hours, striking a balance between performance and offering a secure environment for our users.
Our servers are hosted by Amazon EC2 in Europe, and they get erased and rebuilt multiple times a day. All of the data is held on RDS databases and fully encrypted, including any cache of your code and all third party tokens we use to interact with GitHub and BitBucket.
Interacting with Codacy
All of the interactions you have with our service are completely secured, including those relying on third-party tools. For example, we never ask for your password for GitHub, Bitbucket or Slack because we don’t need it — all integrations with external services are handled by API tokens or OAuth.
We work with Stripe to accept credit card payments, and they take security just as seriously as we do. As a PCI-DSS Certified Level 1 payment processor, they have to adhere to the highest level of security standards, making every part of the payment flow properly secured. We never get to see any of your financial data, as Stripe only communicates the general status of the transaction.
Running our company in a secure way
Our dedication to security goes beyond how we’ve set up Codacy as a product — it also applies to the way we run the company.
While we work with some of the best people in the business, we still take the utmost care when it comes to their access to your data — Codacy employees can never clone your code or see it in its entirety. In certain situations and for specific purposes, including customer support and debugging, we can view your dashboard and issues breakdown, but we will never have access to your code — unless you explicitly allow it for support purposes.
On top of that, we subject our entire digital environment to recurring, automated security scans, and we’ve implemented advanced systems to detect and repel any attempts to get into our systems.
We’ve also realised it’s important to stay critical about our security policies, as there’s always room for improvement. This is why we regularly stop and think about how we can go that extra mile, developing and integrating new ways to safeguard every part of our product offering.
It’s a big privilege we’ve earned your trust, so the least we can do is work relentlessly to create the best and safest way for you to ship better code. If you’re still unsure or have any other security-related questions, feel free to reach out to email@example.com.