| description | List of tools that Codacy uses to analyze over 40 supported languages. Codacy provides static analysis for all programming languages and cloud infrastructure-as-code platforms as well as code duplication, code complexity, and code coverage metrics for most programming languages. |
|---|
Codacy uses industry-leading tools to perform automatic static code analysis over 40 supported languages:
-
For programming languages, Codacy provides static analysis as well as code duplication, code complexity, secret detection, dependency vulnerability scanning, and code coverage metrics for key languages.
-
For cloud infrastructure-as-code platforms, Codacy provides static analysis and secret detection to enforce security and compliance best practices.
The table below lists all languages that Codacy supports and the corresponding tools that Codacy uses to analyze your source code. Besides this, Codacy uses cloc to calculate the source lines of code for all supported languages and supports multiple code coverage report formats.
!!! important Codacy runs security and other analysis tools when code changes are pushed to your repositories. These tools don't scan code for issues continuously.
| Language | File extensions | Static analysis | Suggested fixes | Secret detection | Dependency vulnerability scanning | Duplication | Complexity | License scanning |
|---|---|---|---|---|---|---|---|---|
| Apex | .cls, .trigger | PMD, Semgrep 1 | - | Semgrep | - | - | - | - |
| AsyncAPI | - | Spectral | - | - | - | - | - | - |
| AWS CloudFormation | - | Checkov | - | Checkov, Semgrep 2, Trivy 2 | - | - | - | - |
| Azure Resource Manager Templates | - | Checkov | - | - | - | - | - | - |
| C | .c, .h | Clang-Tidy 3, Cppcheck, Flawfinder, Semgrep 1 | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans conan.lock (Conan) |
PMD CPD 10 | Lizard | - |
| C++ | .cpp, .hpp, .cc, .cxx, .ino | Clang-Tidy 3, Cppcheck 4, Flawfinder, Semgrep 1 | - | Semgrep, Trivy | Trivy, scans conan.lock (Conan) |
PMD CPD 10 | Lizard | - |
| C# | .cs | Semgrep 1, SonarC# | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans .deps.json (.Net), packages.lock.json (NuGet) |
PMD CPD 10 | SonarC# 10 Lizard | - |
| CoffeeScript | .coffee | CoffeeLint | - | - | - | jscpd | - | - |
| Crystal | .cr | Ameba | - | - | - | - | - | - |
| CSS | .css | Stylelint | - | - | - | - | - | - |
| Dart | .dart | dartanalyzer 5 | - | Trivy | Trivy, scans pubspec.lock |
jscpd | - | - |
| Dockerfile | .dockerfile | Hadolint, Semgrep 1 | Semgrep 🔧 | Semgrep, Trivy | - | - | - | - |
| Elixir | .ex, .exs | Credo, Semgrep 1 | - | Trivy | Trivy, scans mix.lock (Mix) |
jscpd | - | - |
| GitHub Actions | - | Semgrep 1 | - | Semgrep, Trivy | - | - | - | - |
| Go | .go | aligncheck 3, deadcode 3, Gosec 3, Revive, Semgrep 1, Staticcheck 3 | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans go.mod |
PMD CPD 10 | Gocyclo Lizard | - |
| Groovy | .groovy | CodeNarc | - | - | - | jscpd | - | - |
| Helm | - | - | - | Semgrep 2, Trivy 2 | - | - | - | - |
| Java | .java | Checkstyle, PMD, Semgrep 1, SpotBugs 3 | Semgrep 🔧 | PMD, Semgrep, Trivy | Trivy, scans pom.xml and gradle.lockfile |
jscpd | PMD 6 10 Lizard | - |
| JavaScript | .js, .jsx, .jsm, .vue, .mjs | ESLint, PMD, Semgrep 1 | ESLint 🔧 | Semgrep, Trivy | Trivy, scans package.json and package-lock.json (npm), yarn.lock (Yarn) |
PMD CPD 10 | ESLint 6 10 Lizard | - |
| JSON | .json | Jackson Linter | - | Checkov, Trivy | - | - | - | - |
| JSP | .jsp | PMD | - | - | - | - | - | - |
| Kotlin | .kt, .kts | detekt, Semgrep 1, PMD | - | Semgrep | Trivy, scans pom.xml and gradle.lockfile |
jscpd | detekt 10 | - |
| Kubernetes | - | Checkov, Semgrep 2 | Semgrep 🔧 | Checkov, Semgrep 2, Trivy 2 | - | - | Lizard | - |
| Less | .less | Stylelint | - | - | - | - | - | - |
| Markdown | .md, .markdown, .mdown, .mkdn, .mkd, .mdwn, .mkdown, .ron | remark-lint, markdownlint | markdownlint 🔧 | - | - | - | - | - |
| Objective-C | .m | Clang-Tidy 3 | - | - | - | jscpd | Lizard | - |
| OpenAPI | - | Spectral | - | - | - | - | - | - |
| PHP | .php | PHP_CodeSniffer, PHP Mess Detector, Semgrep 1 | - | Semgrep, Trivy | Trivy, scans composer.lock (Composer) |
PHPCPD | PHP Depend Lizard | Trivy, scans composer.lock (Composer) |
| PL/SQL | .trg, .prc, .fnc, .pld, .pls, .plh, .plb, .pck, .pks, .pkh, .pkb, .typ, .tyb, .tps, .tpb | PMD | - | - | - | - | - | - |
| PostgreSQL | - | SQLint | - | - | - | - | - | - |
| PowerShell | .ps1, .psc1, .psd1, .psm1, .ps1xml, .pssc, .cdxml, .clixml | PSScriptAnalyser | - | - | - | - | - | - |
| Python | .py | Bandit, Prospector, Pylint, Ruff, Semgrep 1 | Semgrep 🔧 | Bandit, Prospector, Semgrep, Trivy | Trivy, scans requirements.txt (pip), Pipfile.lock (pipenv), poetry.lock (Poetry) |
PMD CPD 10 | Radon Lizard | - |
| Ruby | .rb, .gemspec, .podspec, .jbuilder, .rake, .opal | Brakeman 7, RuboCop, Semgrep 1 | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans Gemfile.lock (Bundler) |
Flay | RuboCop 6 10 Lizard | - |
| Rust | .rs, .rlib | Semgrep 1 | - | Semgrep, Trivy | Trivy, scans Cargo.lock (Cargo) |
jscpd | Lizard | - |
| Sass | .scss | Stylelint | - | - | - | - | - | - |
| Scala | .scala | Codacy Scalameta Pro, Scalastyle, Semgrep 1, SpotBugs 3 | - | Semgrep, Trivy | Trivy, scans build.sbt.lock (sbt) 9 |
PMD CPD 10 | Scalastyle, Scala 2 compiler and standard library Lizard | - |
| Serverless Framework | - | Checkov | - | - | - | - | - | - |
| Shell | .sh, .bash | ShellCheck, Semgrep 1 | - | Semgrep | - | - | - | - |
| Swift | .swift | Semgrep 1, SwiftLint, PMD | - | Semgrep, Trivy | Trivy, scans Package.resolved (SwiftPM) |
PMD CPD 10 | SwiftLint6 8 Lizard | - |
| Terraform | .tf | Checkov, Semgrep 1 | - | Checkov, Semgrep, Trivy | - | - | - | - |
| Transact-SQL | .tsql | TSQLLint | - | - | - | - | - | - |
| TypeScript | .ts, .tsx | ESLint, Semgrep 1 | ESLint 🔧 | Semgrep, Trivy | Trivy, scans package.json and package-lock.json (npm), yarn.lock (Yarn) |
jscpd | ESLint 6 10 Lizard | - |
| Unity | - | Unity Roslyn Analyzers 3 | - | - | - | - | - | - |
| Velocity | .vm | PMD | - | - | - | - | - | - |
| Visual Basic | .vb | SonarVB | - | - | - | jscpd | - | - |
| Visualforce | .component, .page | PMD | - | - | - | - | - | - |
| XML | .xml, .xsl, .wsdl, .pom | PMD | - | Trivy | - | - | - | - |
| XSL | .xsl | PMD | - | - | - | - | - | - |
| YAML | .yaml, .yml, .env, .env.production, .env.prod, .env.staging, .env.dev, .env.development | - | - | Trivy | - | - | - | - |
Codacy adds support for new languages and tools by using a Docker image to run each tool.
The following table lists the Codacy GitHub repositories corresponding to each supported tool. Use these repositories to check the extra plugins supported by each tool or to submit GitHub issues related to each tool. To learn more about the tool versions used by Codacy, see the latest release notes.
1: Semgrep supports additional security rules when signing up for Semgrep Pro. This tool doesn't support custom file extensions.
2: Currently, only YAML file scanning is supported on this platform.
3: Supported as a client-side tool.
4: Currently, Cppcheck only supports checking the MISRA guidelines for C.
5: Currently, Codacy only supports including the packages lints and flutter_lints on dartanalyzer configuration files.
6: Doesn't calculate the number of methods and the complexity per method for each file.
7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use Semgrep, which provides comprehensive and up-to-date security scanning.
8: Supports reporting warnings or errors on functions above specific complexity thresholds. Enable the rule Cyclomatic Complexity on the Code patterns page, or use a configuration file to customize the thresholds.
9: Requires the sbt-dependency-lock plugin for generating the lockfile.
10: Codacy may use a different version of this tool for measuring complexity and duplication.
🔧: Supports suggesting fixes for identified issues.