How Vymo Embeds Secure Code Practices Across 500+ Repositories With Codacy

Industry: Fintech

Engineering team size: 150

Website: https://vymo.com/us/

Challenge:

Kiran Kumar Badam, the Senior Director of Engineering, oversees both engineering and security. His goal was to make secure coding a continuous habit for his developers, not something that only gets attention twice a year during an audit cycle. 

Value:

  • Secure coding practices embedded across the SDLC
  • Real-time remediation guidance so developers learn to fix security issues as they code
  • Automated secret detection catches exposed credentials before they persist between audit windows
  • Code quality and security unified in one platform

500+ core repositories standardized under unified quality and security gates

 

"Codacy is your buddy for securing the code and churning out high quality code at every stage of the life cycle."

Kiran Kumar Badam

Senior Director of Engineering

Vymo Customer Story 

About Vymo

Vymo is a sales engagement platform trusted by 350,000+ users across 70+ global financial institutions, including major banks, insurance companies, and lending organizations. Founded in 2013 and headquartered in Bengaluru, India, Vymo provides Distribution and Collections Management System solutions for lending, agency, bancassurance, branch banking, and collections operations. The platform is backed by Sequoia Capital, Emergence Capital, and Bertelsmann Investments.

 

Challenge

Vymo Needed Secure Code Practices Built Into the Entire SDLC

Kiran Kumar Badam has spent close to nine years at Vymo, rising to Senior Director of Engineering. In a startup where the engineering leader wears many hats, Kiran oversees both engineering and security for the platform. His goal was to make secure coding a continuous habit for his developers, not something that only gets attention twice a year during an audit cycle. He wanted quality gates at every stage of the SDLC: while developers write code in their IDE, when they raise a pull request, and before anything reaches a stage release.


The reality at the time was that security checks happened late. Vymo's clients are large banks and insurance companies, and many require third-party audits conducted by certified vendors before they'll sign off on code health. That's standard practice in financial services. Twice a year, the engineering team went through an external audit cycle where preparation alone took four weeks. When auditors flagged observations, the team had to pause other priorities and focus on remediation, a process that stretched two to three months. Those findings weren't a reflection of the engineering team's ability. They were a result of security feedback arriving too late in the process for anyone to act on it efficiently.


Without automated scanning woven into the daily development workflow, there was also the risk that secrets, API keys, or passwords could end up in the codebase in plain text and sit undetected between audit windows. Even experienced reviewers can miss things when they're juggling multiple priorities. That kind of exposure could persist for months, potentially reaching front-end apps, API requests, and partner integrations. For Kiran, this confirmed that point-in-time manual checks weren't enough. The team needed a tool that lived inside their workflow and caught issues as code was written.

 

"With Codacy, you don't need to look at things retrospectively. While you're coding, you're fixing issues organically versus trying to do one big push. That's not sustainable." 

— Kiran Kumar Badam, Senior Director of Engineering, Vymo

The team had also tried open source scanning tools, but kept running into the same gap: the tools flagged errors and warnings without explaining what the findings meant or how to fix them. Developers were spending 30 minutes to an hour deciphering a single-line warning, and often still had no path forward. Kiran needed a partner that could scan for both quality and security issues, provide fix guidance alongside every finding, and integrate into the development workflow so that secure coding became part of how the team writes code every day.

 

Solution

Codacy Gives Vymo's Developers a Security Buddy at Every Step 

Vymo evaluated GitHub Advanced Security, Semgrep, SonarQube, and AquaSec alongside Codacy. Several of those tools were built primarily for GitHub, which didn't work for Vymo since the team runs on Bitbucket. Codacy's native Bitbucket support stood out right away, but integration alone didn't close the deal. Kiran pointed to three factors: the functionality, including SAST scanning, secret detection, and code quality analysis with actionable remediation guidance; the ease of connecting to their existing Bitbucket workflow; and the hands-on support from Codacy's team throughout the evaluation.

 

"When you're making a close decision, you go with the team that's more engaged, more responsive, and gets you answers fast. With Codacy, we got all three: easy integration with Bitbucket, real engagement from the team, and the functionality we needed."

— Kiran Kumar Badam, Senior Director of Engineering, Vymo

Codacy's solutions engineer, Ranga, worked directly with Kiran to set up and test the IntelliJ plugin during a live session. Kiran tried it himself and was able to see scanning results inside his IDE right away. For him, that was the proof point: if a developer can get real-time feedback on security and quality issues without leaving the tool they already work in, adoption follows naturally. The plugin turns Codacy into the "buddy" Kiran had described, one that sits alongside the developer and helps them write better code as they go, rather than flagging problems after the fact.

Security was the primary driver, but Codacy's combined code quality and security capabilities added to the case. Instead of running separate tools for quality and security, Vymo could use one platform for both. Kiran noted that Codacy "does a pretty deep job in terms of quality also, catching the standard ways and telling you the right way to code." That meant one less tool in the stack and one less integration to maintain.

The rollout covers 500+ repositories and 150 developers, with Codacy's quality gates deployed at the IDE, pull request, and stage release levels. Each gate catches a different class of issue at a different point in the workflow, so developers build secure coding habits incrementally rather than facing a wall of findings at the end.

 

Results

Security Becomes a Daily Practice, Not a Twice-a-Year Event

Vymo is currently onboarding and configuring Codacy across its repositories, with full rollout underway. The team plans to measure impact against their next external third-party audit, tracking both the total number of observations flagged and the time spent on remediation compared to previous cycles.

  • Secure coding practices embedded across the SDLC with automated scanning at IDE, PR, and release stages
  • Real-time remediation guidance so developers learn to fix security issues as they code
  • Automated secret detection catches exposed credentials before they persist between audit windows
  • Code quality and security unified in one platform, replacing the need for separate quality tooling

When Kiran pitched the investment internally, he framed it around total cost of ownership. Source code scanning is a compliance requirement in fintech, so the question was never whether Vymo needed a tool. It was whether building and maintaining a homegrown solution made sense compared to working with a dedicated vendor. The team had already built some internal tools on top of open source, but when Kiran laid out the developer salaries required for ongoing maintenance, the opportunity cost of pulling engineers off product work, and the reality that a homegrown tool would never keep pace with a platform like Codacy that ships continuous security updates, the answer was obvious to leadership.

Beyond the tooling, Kiran sees the bigger win in how his developers are starting to relate to security. He's been a developer himself for most of his career, and his view is that engineers don't resist owning security when you give them the right support. What frustrates them is getting blocked right before a production release with findings they've never seen. With Codacy acting as a buddy throughout the development process, developers pick up security nuances organically. They learn what good patterns look like, what mistakes to avoid, and how to write more secure code by default. Kiran sees that growth as what separates a good developer from a well-rounded engineer.

 

"A good engineer isn't just a developer or just QA. It's about how much they know beyond their own function: business, product, security, operations. Codacy helps our engineers get there. In that journey, they learn security nuances, and that adds real value to their careers."

— Kiran Kumar Badam, Senior Director of Engineering, Vymo