Skip to content
This documentation is a preview of the pull request #2086

For the latest updates and improvements in production, open docs.codacy.com instead.

Supported languages and tools#

Codacy uses industry-leading tools to perform automatic static code analysis over 40 supported languages:

  • For programming languages, Codacy provides static analysis as well as code duplication, code complexity, secret detection, dependency vulnerability scanning, and code coverage metrics for key languages.

  • For cloud infrastructure-as-code platforms, Codacy provides static analysis and secret detection to enforce security and compliance best practices.

The table below lists all languages that Codacy supports and the corresponding tools that Codacy uses to analyze your source code. Besides this, Codacy uses cloc to calculate the source lines of code for all supported languages and supports multiple code coverage report formats.

Important

Codacy runs security and other analysis tools when code changes are pushed to your repositories. These tools don't scan code for issues continuously.

Language Static analysis Suggested fixes Secret detection Dependency vulnerability scanning Duplication Complexity
Apex PMD, Semgrep 1 - - - - -
AsyncAPI Spectral - - - - -
AWS CloudFormation Checkov - Checkov, Trivy 2 - - -
Azure Resource Manager Templates Checkov - - - - -
C Clang-Tidy 3, Cppcheck, Flawfinder, Semgrep 1 - Trivy Trivy, scans
conan.lock (Conan)
PMD CPD -
C++ Clang-Tidy 3, Cppcheck 4, Flawfinder, Semgrep 1 - Trivy Trivy, scans
conan.lock (Conan)
PMD CPD -
C# Semgrep 1, SonarC# - Trivy Trivy, scans
.deps.json (.Net), packages.lock.json (NuGet)
PMD CPD SonarC#
CoffeeScript CoffeeLint - - - - -
Crystal Ameba - - - - -
CSS Stylelint - - - - -
Dart dartanalyzer 5 - Trivy - jscpd -
Dockerfile Hadolint, Semgrep 1 - Trivy - - -
Elixir Credo, Semgrep 1 - Trivy Trivy, scans
mix.lock (Mix)
- -
GitHub Actions Semgrep 1 - - - - -
Go aligncheck 3, deadcode 3, Gosec 3, Revive, Semgrep 1, Staticcheck 3 - Trivy - PMD CPD Gocyclo
Groovy CodeNarc - - - - -
Helm - - Trivy 2 - - -
Java Checkstyle, PMD, Semgrep 1, SpotBugs 3 - PMD, Trivy Trivy, scans
pom.xml and gradle.lockfile
PMD CPD PMD 6
JavaScript ESLint, PMD, Semgrep 1 ESLint 🔧 Trivy Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn)
PMD CPD ESLint 6
JSON Jackson Linter - Checkov, Trivy - - -
JSP PMD - - - - -
Kotlin detekt, Semgrep 1 - - - jscpd detekt
Kubernetes Checkov - Checkov, Trivy 2 - - -
Less Stylelint - - - - -
Markdown remark-lint, markdownlint markdownlint 🔧 - - - -
Objective-C Clang-Tidy 3 - - - - -
OpenAPI Spectral - - - - -
PHP PHP_CodeSniffer, PHP Mess Detector, Semgrep 1 - Trivy Trivy, scans
composer.lock (Composer)
PHPCPD PHP Depend
PL/SQL PMD - - - - -
PostgreSQL SQLint - - - - -
PowerShell PSScriptAnalyser - - - - -
Python Bandit, Prospector, Pylint, Semgrep 1 - Bandit, Prospector, Trivy Trivy, scans
requirements.txt (pip),
Pipfile.lock (pipenv)
PMD CPD Radon
Ruby 7 Brakeman 8, RuboCop, Semgrep 1 - Trivy Trivy, scans
Gemfile.lock (Bundler)
Flay RuboCop 6
Rust Semgrep 1 - Trivy Trivy, scans
Cargo.lock (Cargo)
- -
Sass Stylelint - - - - -
Scala Codacy Scalameta Pro, Scalastyle, Semgrep 1, SpotBugs 3 - - - PMD CPD Scalastyle, Scala 2 compiler and standard library
Serverless Framework Checkov - - - - -
Shell ShellCheck, Semgrep 1 - - - - -
Swift Semgrep 1, SwiftLint - - Trivy, scans
Package.resolved (SwiftPM)
PMD CPD SwiftLint6 9
Terraform Checkov, Semgrep 1 - Checkov, Trivy - - -
Transact-SQL TSQLLint - - - - -
TypeScript ESLint, Semgrep 1 ESLint 🔧 Trivy Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn)
jscpd ESLint 6
Unity Unity Roslyn Analyzers 3 - - - - -
Velocity PMD - - - - -
Visual Basic SonarVB - - - - -
Visualforce PMD - - - - -
XML PMD - - - - -
XSL PMD - - - - -
YAML - - Trivy - - -

1: Semgrep supports additional security rules when signing up for Semgrep Pro. This tool doesn't support custom file extensions.
2: Currently, Trivy only supports scanning YAML files on this platform.
3: Supported as a client-side tool.
4: Currently, Cppcheck only supports checking the MISRA guidelines for C.
5: Currently, Codacy only supports including the packages lints and flutter_lints on dartanalyzer configuration files.
6: Doesn't calculate the number of methods and the complexity per method for each file.
7: Currently, Codacy doesn't support any static code analysis tool for Ruby 3.1.
8: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use Semgrep, which provides comprehensive and up-to-date security scanning.
9: Supports reporting warnings or errors on functions above specific complexity thresholds. Enable the rule Cyclomatic Complexity on the Code patterns page, or use a configuration file to customize the thresholds.
🔧: Supports suggesting fixes for identified issues.

Docker images of supported tools#

Codacy adds support for new languages and tools by using a Docker image to run each tool.

The following table lists the Codacy GitHub repositories corresponding to each supported tool. Use these repositories to check the extra plugins supported by each tool or to submit GitHub issues related to each tool. To learn more about the tool versions used by Codacy, see the latest release notes.

Tool name Codacy GitHub repository
aligncheck codacy/codacy-aligncheck
Ameba codacy/codacy-ameba
Bandit codacy/codacy-bandit
Brakeman codacy/codacy-brakeman
Checkstyle codacy/codacy-checkstyle
Checkov codacy/codacy-checkov
Clang-Tidy codacy/codacy-clang-tidy
Codacy Scalameta Pro codacy/codacy-scalameta
Gosec codacy/codacy-gosec
dartanalyzer codacy/codacy-dartanalyzer
deadcode codacy/codacy-deadcode
CodeNarc codacy/codacy-codenarc
CoffeeLint codacy/codacy-coffeelint
Cppcheck codacy/codacy-cppcheck
Credo codacy/codacy-credo
detekt codacy/codacy-detekt
ESLint codacy/codacy-eslint
Flawfinder codacy/codacy-flawfinder
Revive codacy/codacy-gorevive
Hadolint codacy/codacy-hadolint
Jackson Linter codacy/codacy-jackson-linter
PHP_CodeSniffer codacy/codacy-codesniffer
PHP Mess Detector codacy/codacy-phpmd
PMD codacy/codacy-pmd
Prospector codacy/codacy-prospector
PSScriptAnalyser codacy/codacy-psscriptanalyzer
Pylint codacy/codacy-pylint-python3
markdownlint codacy/codacy-markdownlint
remark-lint codacy/codacy-remark-lint
Unity Roslyn Analyzers codacy/codacy-roslyn
RuboCop codacy/codacy-rubocop
Scalastyle codacy/codacy-scalastyle
Semgrep codacy/codacy-semgrep
ShellCheck codacy/codacy-shellcheck
SonarC# codacy/codacy-sonar-csharp
SonarVB codacy/codacy-sonar-visual-basic
Spectral codacy/codacy-spectral
SpotBugs codacy/codacy-spotbugs
SQLint codacy/codacy-sqlint
Staticcheck codacy/codacy-staticcheck
Stylelint codacy/codacy-stylelint
SwiftLint codacy/codacy-swiftlint
Trivy codacy/codacy-trivy
TSQLLint codacy/codacy-tsqllint

See also#

Share your feedback 📢

Did this page help you?

Thanks for the feedback! Is there anything else you'd like to tell us about this page?

We're sorry to hear that. Please let us know what we can improve:

Alternatively, you can create a more detailed issue on our GitHub repository.

Thanks for helping improve the Codacy documentation.

Edit this page on GitHub if you notice something wrong or missing.

If you have a question or need help please contact support@codacy.com.

Last modified June 5, 2024