Skip to content

Supported languages and tools#

Codacy uses industry-leading tools to perform automatic static code analysis over 40 supported languages:

  • For programming languages, Codacy provides static analysis as well as code duplication, code complexity, secret detection, dependency vulnerability scanning, and code coverage metrics for key languages.

  • For cloud infrastructure-as-code platforms, Codacy provides static analysis and secret detection to enforce security and compliance best practices.

The table below lists all languages that Codacy supports and the corresponding tools that Codacy uses to analyze your source code. Besides this, Codacy uses cloc to calculate the source lines of code for all supported languages and supports multiple code coverage report formats.

Important

Codacy runs security and other analysis tools when code changes are pushed to your repositories. These tools don't scan code for issues continuously.

Language Static analysis Suggested fixes Secret detection Dependency vulnerability scanning Duplication Complexity
Apex PMD, Semgrep 1 - Semgrep - - -
AsyncAPI Spectral - - - - -
AWS CloudFormation Checkov - Checkov, Semgrep 2, Trivy 2 - - -
Azure Resource Manager Templates Checkov - - - - -
C Clang-Tidy 3, Cppcheck, Flawfinder, Semgrep 1 Semgrep 🔧 Semgrep, Trivy Trivy, scans
conan.lock (Conan)
PMD CPD 10 -
C++ Clang-Tidy 3, Cppcheck 4, Flawfinder, Semgrep 1 - Semgrep, Trivy Trivy, scans
conan.lock (Conan)
PMD CPD 10 -
C# Semgrep 1, SonarC# Semgrep 🔧 Semgrep, Trivy Trivy, scans
.deps.json (.Net), packages.lock.json (NuGet)
PMD CPD 10 SonarC# 10
CoffeeScript CoffeeLint - - - jscpd -
Crystal Ameba - - - - -
CSS Stylelint - - - - -
Dart dartanalyzer 5 - Trivy Trivy, scans
pubspec.lock
jscpd -
Dockerfile Hadolint, Semgrep 1 Semgrep 🔧 Semgrep, Trivy - - -
Elixir Credo, Semgrep 1 - Trivy Trivy, scans
mix.lock (Mix)
jscpd -
GitHub Actions Semgrep 1 - Semgrep, Trivy - - -
Go aligncheck 3, deadcode 3, Gosec 3, Revive, Semgrep 1, Staticcheck 3 Semgrep 🔧 Semgrep, Trivy Trivy, scans
go.mod
PMD CPD 10 Gocyclo
Groovy CodeNarc - - - jscpd -
Helm - - Semgrep 2, Trivy 2 - - -
Java Checkstyle, PMD, Semgrep 1, SpotBugs 3 Semgrep 🔧 PMD, Semgrep, Trivy Trivy, scans
pom.xml and gradle.lockfile
PMD CPD 10 PMD 6 10
JavaScript ESLint, PMD, Semgrep 1 ESLint 🔧 Semgrep, Trivy Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn)
PMD CPD 10 ESLint 6 10
JSON Jackson Linter - Checkov, Trivy - - -
JSP PMD - - - - -
Kotlin detekt, Semgrep 1 - Semgrep Trivy, scans
pom.xml and gradle.lockfile
jscpd detekt 10
Kubernetes Checkov, Semgrep 2 Semgrep 🔧 Checkov, Semgrep 2, Trivy 2 - - -
Less Stylelint - - - - -
Markdown remark-lint, markdownlint markdownlint 🔧 - - - -
Objective-C Clang-Tidy 3 - - - jscpd -
OpenAPI Spectral - - - - -
PHP PHP_CodeSniffer, PHP Mess Detector, Semgrep 1 - Semgrep, Trivy Trivy, scans
composer.lock (Composer)
PHPCPD PHP Depend
PL/SQL PMD - - - - -
PostgreSQL SQLint - - - - -
PowerShell PSScriptAnalyser - - - - -
Python Bandit, Prospector, Pylint, Semgrep 1 Semgrep 🔧 Bandit, Prospector, Semgrep, Trivy Trivy, scans
requirements.txt (pip),
Pipfile.lock (pipenv),
poetry.lock (Poetry)
PMD CPD 10 Radon
Ruby Brakeman 7, RuboCop, Semgrep 1 Semgrep 🔧 Semgrep, Trivy Trivy, scans
Gemfile.lock (Bundler)
Flay RuboCop 6 10
Rust Semgrep 1 - Semgrep, Trivy Trivy, scans
Cargo.lock (Cargo)
jscpd -
Sass Stylelint - - - - -
Scala Codacy Scalameta Pro, Scalastyle, Semgrep 1, SpotBugs 3 - Semgrep, Trivy Trivy, scans
build.sbt.lock (sbt) 9
PMD CPD 10 Scalastyle, Scala 2 compiler and standard library
Serverless Framework Checkov - - - - -
Shell ShellCheck, Semgrep 1 - Semgrep - - -
Swift Semgrep 1, SwiftLint - Semgrep, Trivy Trivy, scans
Package.resolved (SwiftPM)
PMD CPD 10 SwiftLint6 8
Terraform Checkov, Semgrep 1 - Checkov, Semgrep, Trivy - - -
Transact-SQL TSQLLint - - - - -
TypeScript ESLint, Semgrep 1 ESLint 🔧 Semgrep, Trivy Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn)
jscpd ESLint 6 10
Unity Unity Roslyn Analyzers 3 - - - - -
Velocity PMD - - - - -
Visual Basic SonarVB - - - jscpd -
Visualforce PMD - - - - -
XML PMD - Trivy - - -
XSL PMD - - - - -
YAML - - Trivy - - -

Docker images of supported tools#

Codacy adds support for new languages and tools by using a Docker image to run each tool.

The following table lists the Codacy GitHub repositories corresponding to each supported tool. Use these repositories to check the extra plugins supported by each tool or to submit GitHub issues related to each tool. To learn more about the tool versions used by Codacy, see the latest release notes.

Tool name Codacy GitHub repository
aligncheck 3 codacy/codacy-aligncheck
Ameba codacy/codacy-ameba
Bandit codacy/codacy-bandit
Brakeman 7 codacy/codacy-brakeman
Checkov codacy/codacy-checkov
Checkstyle codacy/codacy-checkstyle
Clang-Tidy 3 codacy/codacy-clang-tidy
Codacy Scalameta Pro codacy/codacy-scalameta
CodeNarc codacy/codacy-codenarc
CoffeeLint codacy/codacy-coffeelint
Cppcheck 4 codacy/codacy-cppcheck
Credo codacy/codacy-credo
dartanalyzer 5 codacy/codacy-dartanalyzer
deadcode 3 codacy/codacy-deadcode
detekt codacy/codacy-detekt
ESLint 6 codacy/codacy-eslint
Flawfinder codacy/codacy-flawfinder
Gosec 3 codacy/codacy-gosec
Hadolint codacy/codacy-hadolint
Jackson Linter codacy/codacy-jackson-linter
markdownlint codacy/codacy-markdownlint
PHP_CodeSniffer codacy/codacy-codesniffer
PHP Mess Detector codacy/codacy-phpmd
PMD 6 codacy/codacy-pmd
Prospector codacy/codacy-prospector
PSScriptAnalyser codacy/codacy-psscriptanalyzer
Pylint codacy/codacy-pylint-python3
remark-lint codacy/codacy-remark-lint
Revive codacy/codacy-gorevive
RuboCop 6 codacy/codacy-rubocop
Scalastyle codacy/codacy-scalastyle
Semgrep 1 codacy/codacy-semgrep
ShellCheck codacy/codacy-shellcheck
SonarC# codacy/codacy-sonar-csharp
SonarVB codacy/codacy-sonar-visual-basic
Spectral codacy/codacy-spectral
SpotBugs 3 codacy/codacy-spotbugs
SQLint codacy/codacy-sqlint
Staticcheck 3 codacy/codacy-staticcheck
Stylelint codacy/codacy-stylelint
SwiftLint 6 8 codacy/codacy-swiftlint
Trivy codacy/codacy-trivy
TSQLLint codacy/codacy-tsqllint
Unity Roslyn Analyzers 3 codacy/codacy-roslyn

1: Semgrep supports additional security rules when signing up for Semgrep Pro. This tool doesn't support custom file extensions.
2: Currently, only YAML file scanning is supported on this platform.
3: Supported as a client-side tool.
4: Currently, Cppcheck only supports checking the MISRA guidelines for C.
5: Currently, Codacy only supports including the packages lints and flutter_lints on dartanalyzer configuration files.
6: Doesn't calculate the number of methods and the complexity per method for each file.
7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use Semgrep, which provides comprehensive and up-to-date security scanning.
8: Supports reporting warnings or errors on functions above specific complexity thresholds. Enable the rule Cyclomatic Complexity on the Code patterns page, or use a configuration file to customize the thresholds.
9: Requires the sbt-dependency-lock plugin for generating the lockfile.
10: Codacy may use a different version of this tool for measuring complexity and duplication.
🔧: Supports suggesting fixes for identified issues.

See also#

Share your feedback 📢

Did this page help you?

Thanks for the feedback! Is there anything else you'd like to tell us about this page?

We're sorry to hear that. Please let us know what we can improve:

Alternatively, you can create a more detailed issue on our GitHub repository.

Thanks for helping improve the Codacy documentation.

Edit this page on GitHub if you notice something wrong or missing.

If you have a question or need help please contact support@codacy.com.

Last modified December 5, 2024