For the latest updates and improvements, see the latest Cloud documentation instead.
Security Monitor#
This feature is only available on paid plans
The Security Monitor provides an overview of all security issues that Codacy found on your repository, and also warns you if any security code patterns are currently turned off.
By default, the page displays the overview for the main branch of your repository but if you have more than one branch enabled you can use the drop-down list at the top of the page to display information for other branches.
The left-hand side of the dashboard lists the status for each security category that the tools that can analyze the programming languages in your repository support:
| Status | Description |
|---|---|
 |
Codacy found security issues in this category Click the category name to see the list of security issues in this category, and click the title of the issues to see more information about the issue. This status takes precedence over the yellow status, meaning that some code patterns in the category may be turned off. Fix the existing security issues or use the Code patterns page to check if there are any code patterns turned off in this category. |
 |
There are security code patterns in this category that are turned off You should turn on the code patterns in this category so that Codacy can find the corresponding security issues. Click the category name to see the code patterns that are turned off, and click the check box next to each code pattern to turn it on. To turn on all security code patterns on the repository regardless of their category, click the button More and select Turn on all security patterns. |
| Codacy can't determine if all security code patterns in this category are turned on or not This happens when you're using configuration files to control which code patterns are turned on. Ensure that you manually turn on the listed code patterns on your configuration files. |
|
 |
Everything is OK for this category All security code patterns in this category are turned on, and Codacy didn't find security issues in this category. |
Tip
You can use the Warnings drop-down list to display only security categories that have found issues or categories that have code patterns turned off.
Languages checked for security issues#
The Security Monitor supports checking the languages and frameworks below for any security issues reported by the corresponding tools:
| Language or framework | Tools that report security issues |
|---|---|
| Apex | PMD |
| AWS CloudFormation | Checkov |
| C | Clang-Tidy1, Cppcheck, Flawfinder |
| C# | Sonar C# |
| C++ | Clang-Tidy1, Cppcheck, Flawfinder |
| Dockerfile | Hadolint |
| Elixir | Credo |
| Go | Gosec1 |
| Groovy | CodeNarc |
| Java | SpotBugs12 |
| JavaScript | ESLint3 |
| Objective-C | Clang-Tidy1 | PHP | PHP_CodeSniffer, PHP Mess Detector |
| PowerShell | PSScriptAnalyser |
| Python | Bandit, Prospector, Pylint |
| Ruby4 | Brakeman, bundler-audit, RuboCop |
| Scala | Codacy Scalameta Pro, SpotBugs12 |
| Shell | ShellCheck |
| Transact-SQL | TSQLLint |
| TypeScript | ESLint3 |
| Visual Basic | Sonar Visual Basic |
1: Supported as a client-side tool.
2: Includes the plugin Find Security Bugs.
3: Includes the shareable config nodesecurity and the plugins angularjs-security-rules, no-unsafe-innerhtml, no-unsanitized, scanjs-rules, security, and security-node.
4: Currently, Codacy doesn't support any static code analysis tool for Ruby 3.1.
Supported security categories#
Each issue reported on the Security Monitor belongs to one of the following security categories:
| Security category | Description |
|---|---|
| Android | Android-specific security issues. |
| Authentication | Broken authentication and authorization attacks consist in gaining access to accounts that allow disclosing sensitive information or performing operations that could compromise the system. |
| Command Injection | Command injection attacks aim to execute arbitrary commands on the host operating system. |
| Cookies | Security issues related to insecure cookies. |
| Cryptography | Cryptography attacks exploit failures related to cryptography (or lack thereof), potentially leading to exposure of sensitive data. |
| CSRF | Cross-Site Request Forgery (CSRF) attacks force an end user to execute unwanted actions on a web application in which they're currently authenticated. |
| Denial of Service | Denial of Service (DoS) attacks make a resource (site, application, server) unavailable for legitimate users, typically by flooding the resource with requests or exploiting a vulnerability to trigger a crash. |
| File Access | File access security issues may allow an attacker to access arbitrary files and directories stored on the file system such as application source code, configuration, and critical system files. |
| HTTP Headers | Insecure HTTP headers are a common attack vector for malicious users. |
| Input Validation | Client input should always be validated to prevent malformed or malicious data from entering the workflow of an information system. |
| Insecure Modules and Libraries | Security issues related to modules or libraries that can potentially include vulnerabilities. |
| Insecure Storage | Security issues related to insecure storage of sensitive data. |
| Malicious Code | Security issues related to code patterns that are potentially unsafe. |
| Mass Assignment | Unprotected mass assignments are a Rails feature that could allow an attacker to update sensitive model attributes. |
| Regex | Regular expressions can be used in Denial of Service attacks, exploiting the fact that in most regular expression implementations the computational load grows exponentially with input size. |
| Routes | Badly configured routes can give unintended access to an attacker. |
| SQL Injection | SQL injection attacks insert or "inject" malicious SQL queries into the application via the client input data. |
| SSL | Security issues related with old SSL versions or configurations that have known cryptographic weaknesses and should no longer be used. |
| Unexpected Behaviour | Security issues related to potentially insecure system API calls. |
| Visibility | Logging should always be included for security events to better allow attack detection and help defend against vulnerabilities. |
| XSS | Cross-Site Scripting (XSS) attacks inject malicious client-side scripts into trusted websites that are visited by the end users. |
| Other | Other language-specific security issues. |
See also#
Share your feedback 📢
Did this page help you?
Thanks for the feedback! Is there anything else you'd like to tell us about this page?
255 characters left
We're sorry to hear that. Please let us know what we can improve:
255 characters left
Alternatively, you can create a more detailed issue on our GitHub repository.
Thanks for helping improve the Codacy documentation.
If you have a question or need help please contact support@codacy.com.