For the latest updates and improvements in production, open docs.codacy.com instead.
Supported languages and tools#
Codacy uses industry-leading tools to perform automatic static code analysis over 40 supported languages:
-
For programming languages, Codacy provides static analysis as well as code duplication, code complexity, secret detection, dependency vulnerability scanning, and code coverage metrics for key languages.
-
For cloud infrastructure-as-code platforms, Codacy provides static analysis and secret detection to enforce security and compliance best practices.
The table below lists all languages that Codacy supports and the corresponding tools that Codacy uses to analyze your source code. Besides this, Codacy uses cloc to calculate the source lines of code for all supported languages and supports multiple code coverage report formats.
Important
Codacy runs security and other analysis tools when code changes are pushed to your repositories. These tools don't scan code for issues continuously.
| Language | Static analysis | Suggested fixes | Secret detection | Dependency vulnerability scanning | Duplication | Complexity |
|---|---|---|---|---|---|---|
| Apex | PMD, Semgrep 1 | - | Semgrep | - | - | - |
| AsyncAPI | Spectral | - | - | - | - | - |
| AWS CloudFormation | Checkov | - | Checkov, Semgrep 2, Trivy 2 | - | - | - |
| Azure Resource Manager Templates | Checkov | - | - | - | - | - |
| C | Clang-Tidy 3, Cppcheck, Flawfinder, Semgrep 1 | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans conan.lock (Conan) |
PMD CPD | - |
| C++ | Clang-Tidy 3, Cppcheck 4, Flawfinder, Semgrep 1 | - | Semgrep, Trivy | Trivy, scans conan.lock (Conan) |
PMD CPD | - |
| C# | Semgrep 1, SonarC# | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans .deps.json (.Net), packages.lock.json (NuGet) |
PMD CPD | SonarC# |
| CoffeeScript | CoffeeLint | - | - | - | jscpd | - |
| Crystal | Ameba | - | - | - | - | - |
| CSS | Stylelint | - | - | - | - | - |
| Dart | dartanalyzer 5 | - | Trivy | Trivy, scans pubspec.lock |
jscpd | - |
| Dockerfile | Hadolint, Semgrep 1 | Semgrep 🔧 | Semgrep, Trivy | - | - | - |
| Elixir | Credo, Semgrep 1 | - | Trivy | Trivy, scans mix.lock (Mix) |
jscpd | - |
| GitHub Actions | Semgrep 1 | - | Semgrep, Trivy | - | - | - |
| Go | aligncheck 3, deadcode 3, Gosec 3, Revive, Semgrep 1, Staticcheck 3 | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans go.mod |
PMD CPD | Gocyclo |
| Groovy | CodeNarc | - | - | - | jscpd | - |
| Helm | - | - | Semgrep 2, Trivy 2 | - | - | - |
| Java | Checkstyle, PMD, Semgrep 1, SpotBugs 3 | Semgrep 🔧 | PMD, Semgrep, Trivy | Trivy, scans pom.xml and gradle.lockfile |
PMD CPD | PMD 6 |
| JavaScript | ESLint, PMD, Semgrep 1 | ESLint 🔧 | Semgrep, Trivy | Trivy, scans package.json and package-lock.json (npm), yarn.lock (Yarn) |
PMD CPD | ESLint 6 |
| JSON | Jackson Linter | - | Checkov, Trivy | - | - | - |
| JSP | PMD | - | - | - | - | - |
| Kotlin | detekt, Semgrep 1 | - | Semgrep | Trivy, scans pom.xml and gradle.lockfile |
jscpd | detekt |
| Kubernetes | Checkov, Semgrep 2 | Semgrep 🔧 | Checkov, Semgrep 2, Trivy 2 | - | - | - |
| Less | Stylelint | - | - | - | - | - |
| Markdown | remark-lint, markdownlint | markdownlint 🔧 | - | - | - | - |
| Objective-C | Clang-Tidy 3 | - | - | - | jscpd | - |
| OpenAPI | Spectral | - | - | - | - | - |
| PHP | PHP_CodeSniffer, PHP Mess Detector, Semgrep 1 | - | Semgrep, Trivy | Trivy, scans composer.lock (Composer) |
PHPCPD | PHP Depend |
| PL/SQL | PMD | - | - | - | - | - |
| PostgreSQL | SQLint | - | - | - | - | - |
| PowerShell | PSScriptAnalyser | - | - | - | - | - |
| Python | Bandit, Prospector, Pylint, Semgrep 1 | Semgrep 🔧 | Bandit, Prospector, Semgrep, Trivy | Trivy, scans requirements.txt (pip), Pipfile.lock (pipenv), poetry.lock (Poetry) |
PMD CPD | Radon |
| Ruby | Brakeman 7, RuboCop, Semgrep 1 | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans Gemfile.lock (Bundler) |
Flay | RuboCop 6 |
| Rust | Semgrep 1 | - | Semgrep, Trivy | Trivy, scans Cargo.lock (Cargo) |
jscpd | - |
| Sass | Stylelint | - | - | - | - | - |
| Scala | Codacy Scalameta Pro, Scalastyle, Semgrep 1, SpotBugs 3 | - | Semgrep, Trivy | Trivy, scans build.sbt.lock (sbt) 9 |
PMD CPD | Scalastyle, Scala 2 compiler and standard library |
| Serverless Framework | Checkov | - | - | - | - | - |
| Shell | ShellCheck, Semgrep 1 | - | Semgrep | - | - | - |
| Swift | Semgrep 1, SwiftLint | - | Semgrep, Trivy | Trivy, scans Package.resolved (SwiftPM) |
PMD CPD | SwiftLint6 8 |
| Terraform | Checkov, Semgrep 1 | - | Checkov, Semgrep, Trivy | - | - | - |
| Transact-SQL | TSQLLint | - | - | - | - | - |
| TypeScript | ESLint, Semgrep 1 | ESLint 🔧 | Semgrep, Trivy | Trivy, scans package.json and package-lock.json (npm), yarn.lock (Yarn) |
jscpd | ESLint 6 |
| Unity | Unity Roslyn Analyzers 3 | - | - | - | - | - |
| Velocity | PMD | - | - | - | - | - |
| Visual Basic | SonarVB | - | - | - | jscpd | - |
| Visualforce | PMD | - | - | - | - | - |
| XML | PMD | - | Trivy | - | - | - |
| XSL | PMD | - | - | - | - | - |
| YAML | - | - | Trivy | - | - | - |
Docker images of supported tools#
Codacy adds support for new languages and tools by using a Docker image to run each tool.
The following table lists the Codacy GitHub repositories corresponding to each supported tool. Use these repositories to check the extra plugins supported by each tool or to submit GitHub issues related to each tool. To learn more about the tool versions used by Codacy, see the latest release notes.
1: Semgrep supports additional security rules when signing up for Semgrep Pro. This tool doesn't support custom file extensions.
2: Currently, only YAML file scanning is supported on this platform.
3: Supported as a client-side tool.
4: Currently, Cppcheck only supports checking the MISRA guidelines for C.
5: Currently, Codacy only supports including the packages lints and flutter_lints on dartanalyzer configuration files.
6: Doesn't calculate the number of methods and the complexity per method for each file.
7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use Semgrep, which provides comprehensive and up-to-date security scanning.
8: Supports reporting warnings or errors on functions above specific complexity thresholds. Enable the rule Cyclomatic Complexity on the Code patterns page, or use a configuration file to customize the thresholds.
9: Requires the sbt-dependency-lock plugin for generating the lockfile.
🔧: Supports suggesting fixes for identified issues.
See also#
Share your feedback 📢
Did this page help you?
Thanks for the feedback! Is there anything else you'd like to tell us about this page?
255 characters left
We're sorry to hear that. Please let us know what we can improve:
255 characters left
Alternatively, you can create a more detailed issue on our GitHub repository.
Thanks for helping improve the Codacy documentation.
Edit this page on GitHub if you notice something wrong or missing.
If you have a question or need help please contact support@codacy.com.