Merge branch 'master' into security/pin-actions-to-sha

Author: afsmeira

docs/codacy-ai/codacy-ai.md

@@ -10,12 +10,13 @@ Codacy AI utilizes only enterprise-grade instances of OpenAI and Google Gemini s
 
 ### AI-enhanced comments
 
+!!! note
+    This feature is available on GitLab and Bitbucket. It is no longer available on GitHub, where it has been replaced by the [AI Reviewer](#ai-reviewer).
+
 _This feature leverages OpenAI models, and is strictly opt-in: it will only run on repositories or projects where a repository admin has enabled it._
 
 AI-enhanced comments are optional, machine-generated suggestions that appear directly in pull requests and review threads. They use Codacy's AI to provide concise issue summaries, remediation suggestions, and links to relevant documentation — helping reviewers and authors quickly understand and fix problems.
 
-More details about [AI-enhanced comments here](../repositories-configure/integrations/github-integration.md#ai-enhanced-comments).
-
 **How to turn it on**
 
 1. Go to your organization or repository settings in Codacy.
@@ -57,7 +58,8 @@ More details about [False Positives here](../repositories/commits.md#false-posit
 
 - Codacy does not use your code, repository contents, or comments to train external AI models. No customer code or review text is incorporated into model training.
 - To detect a Possible False Positive, Codacy only processes the specific issue context: one request per file with issues. No additional repository data is sent or used.
-- Prompts are neither stored nor visible by anyone
+- Prompts are neither stored nor visible to anyone.
+- As an extra precaution, before any code snippet is sent to the AI model, Codacy automatically redacts secrets (API keys, tokens, credentials, and other high-entropy strings) from the code context.
 
 <div id="pr-reviewer"></div>
 
@@ -76,7 +78,7 @@ More details about [AI Reviewer here](../repositories-configure/integrations/git
 
 1. Go to your organization or repository settings in Codacy.
 2. Navigate to the "Integrations" or "AI features" section (depending on your Codacy plan and UI version).
-3. Find "AI Reviewer", under "Status checks", and toggle the feature to "On" for the repository or organization scope you want to enable.
+3. Find "AI Reviewer", under "Pull request summary", and toggle the feature to "On" for the repository or organization scope you want to enable.
 4. Save your changes. Once enabled, Codacy will start adding a Summary to your pull requests based on the AI-enriched reviews.
 5. To request a PR review, click **Run Reviewer** in the Summary or call our [public API](https://api.codacy.com/api/api-docs#triggerpullrequestaireview). Your review will be published as soon as it's ready.
 
@@ -122,4 +124,5 @@ Rules for the output:
 
 - Codacy does not use your code, repository contents, or comments to train external AI models. No customer code or review text is incorporated into model training.
 - To enrich the review, the git diff of the Pull Request as well as some related files' contents can be sent as context. No data is stored on our side, or used to train any models.
-- Prompts are neither stored nor visible by anyone
+- Prompts are neither stored nor visible to anyone.
+- As an extra precaution, before any code snippet is sent to the AI model, Codacy automatically redacts secrets (API keys, tokens, credentials, and other high-entropy strings) from the code context.

docs/faq/troubleshooting/why-did-codacy-stop-commenting-on-pull-requests.md

@@ -6,7 +6,7 @@
 
 Coverage information is currently sent to GitHub by a new version of the Codacy Coverage engine, which depends on updated app permissions.
 
-If you stopped receiving coverage summaries on your pull requests, please [review and accept the updated Codacy app permissions on GitHub](https://docs.github.com/en/enterprise-cloud@latest/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#reviewing-permissions). For more information on the rollout of the new Coverage engine, [see the relevant release note](../../release-notes/cloud/cloud-2023-11-23-new-coverage-engine-status-checks.md).
+If you stopped seeing coverage information in the pull request summaries, please [review and accept the updated Codacy app permissions on GitHub](https://docs.github.com/en/enterprise-cloud@latest/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#reviewing-permissions). For more information on the rollout of the new Coverage engine, [see the relevant release note](../../release-notes/cloud/cloud-2023-11-23-new-coverage-engine-status-checks.md).
 
 ## Outdated permissions or invalid SSH key {: id="outdated-permissions"}
 

docs/getting-started/supported-languages-and-tools.md

@@ -165,7 +165,8 @@ The table below lists all languages that Codacy supports and the corresponding t
     <tr>
       <td>CSS</td>
       <td>.css</td>
-      <td><a href="https://stylelint.io/">Stylelint</a></td>
+      <td><a href="https://biomejs.dev/">BiomeJS</a>,
+          <a href="https://stylelint.io/">Stylelint</a></td>
       <td>-</td>
       <td>-</td>
       <td>-</td>
@@ -290,7 +291,8 @@ The table below lists all languages that Codacy supports and the corresponding t
     <tr>
       <td>JavaScript</td>
       <td>.js, .jsx, .jsm, .vue, .mjs</td>
-      <td><a href="https://eslint.org/">ESLint</a>,
+      <td><a href="https://biomejs.dev/">BiomeJS</a>,
+          <a href="https://eslint.org/">ESLint</a>,
           <a href="https://pmd.github.io/">PMD</a>,
           <a href="https://github.com/opengrep/opengrep/">Opengrep</a> <a href="#opengrep"><sup>1</sup></a></td>
       <td><a href="https://eslint.org/docs/rules/">ESLint</a> <a href="#suggest-fixes">🔧</a></td>
@@ -305,7 +307,8 @@ The table below lists all languages that Codacy supports and the corresponding t
     <tr>
       <td>JSON</td>
       <td>.json</td>
-      <td><a href="https://github.com/FasterXML/jackson-core">Jackson Linter</a></td>
+      <td><a href="https://biomejs.dev/">BiomeJS</a>,
+          <a href="https://github.com/FasterXML/jackson-core">Jackson Linter</a></td>
       <td>-</td>
       <td><a href="https://github.com/bridgecrewio/checkov/">Checkov</a>,
           <a href="https://trivy.dev">Trivy</a></td>
@@ -638,7 +641,8 @@ The table below lists all languages that Codacy supports and the corresponding t
     <tr>
       <td>TypeScript</td>
       <td>.ts, .tsx</td>
-      <td><a href="https://eslint.org/">ESLint</a>,
+      <td><a href="https://biomejs.dev/">BiomeJS</a>,
+          <a href="https://eslint.org/">ESLint</a>,
           <a href="https://github.com/opengrep/opengrep/">Opengrep</a> <a href="#opengrep"><sup>1</sup></a></td>
       <td><a href="https://eslint.org/docs/rules/">ESLint</a> <a href="#suggest-fixes">🔧</a></td>
       <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
@@ -763,6 +767,10 @@ The following table lists the Codacy GitHub repositories corresponding to each s
 <td><a href="https://github.com/codacy/codacy-bandit" class="skip-vale">codacy/codacy-bandit</a></td>
 </tr>
 <tr>
+<td><a href="https://biomejs.dev/">BiomeJS</a></td>
+<td><a href="https://github.com/codacy/codacy-biomejs" class="skip-vale">codacy/codacy-biomejs</a></td>
+</tr>
+<tr>
 <td><a href="https://brakemanscanner.org/">Brakeman</a> <a href="#opengrep-brakeman"><sup>7</sup></a></td>
 <td><a href="https://github.com/codacy/codacy-brakeman" class="skip-vale">codacy/codacy-brakeman</a></td>
 </tr>

docs/organizations/ai-risk-hub.md

@@ -0,0 +1,184 @@
+---
+description: The organization's AI Risk Hub dashboard provides an overview of all the AI issues detected in the repositories applied to the organization's AI Policy standard and your organization's risk level based on your AI practices.
+---
+
+# AI Risk Hub
+
+The **AI Risk Hub** gives you visibility into the AI usage, dependencies, and risks across your organization's repositories. It brings together AI policy compliance, risk assessment, and a detailed inventory of AI resources found in your codebase.
+It also provides an overview of all the AI issues detected in the repositories applied to the organization's AI Policy standard and your organization's risk level based on your AI practices. Here, you can navigate through the issues detected in your repositories and filter them by severity and category. You can also filter the issues by selecting specific repositories or using [the segments that you have set up](segments.md).
+
+!!! important
+    This dashboard is a Business tier feature, generally available until May 18.
+
+To access the AI Risk Hub, select an organization from the top navigation bar and click on **AI Risk** on the left navigation sidebar.
+
+Inside this hub, you can find the following pages to help you monitor the AI risk of your organization:
+
+- [Overview](#overview)
+- [AI Inventory](#ai-inventory)
+
+---
+
+## Overview
+
+The **Overview** tab is the main dashboard for monitoring AI risk across your organization. It includes:
+
+- [AI Policy Compliance](#ai-policy-compliance)
+- [Risk Level](#risk-level)
+- [AI Risk Checklist](#ai-risk-checklist)
+- [Repositories with most AI issues](#repositories-with-most-ai-issues)
+- [AI Inventory summary](#ai-inventory-summary)
+
+![AI Risk Hub overview](images/ai-risk-hub.png)
+
+### AI Policy Compliance
+
+This section shows whether your organization has an AI Policy enabled and how your repositories are performing against it.
+
+The AI Policy is a curated set of rules designed to detect AI-related risks in your code. When enabled, Codacy applies AI-specific patterns to your repositories and enforces them on pull request checks. You can enable the policy directly from this section.
+
+Once enabled, the section displays a breakdown of AI issues by **severity** and **category**.
+
+If you already have the AI Policy enabled, an **Edit** button lets you manage which repositories have the policy applied.
+
+The AI Policy covers four categories of AI-specific risks:
+
+#### Unapproved model calls
+
+Detects usage of disallowed or non-compliant AI models in your codebase, giving you visibility into potential compliance violations.
+
+#### AI Safety
+
+Flags missing or incorrect safety practices when using AI-generated or AI-integrated code.
+
+#### Hardcoded secrets
+
+Detects hardcoded API keys, credentials, and secrets related to AI services.
+
+#### Vulnerabilities (insecure dependencies / SCA)
+
+Identifies vulnerable AI-related dependencies and packages through software composition analysis.
+
+![AI Policy Compliance](images/ai-risk-policy-compliance.png)
+
+---
+
+### Risk Level
+
+This panel shows your organization's overall **AI Risk Level**: **High**, **Medium**, or **Low**.
+
+The risk level is calculated based on whether essential AI safeguards have been enabled in Codacy. These safeguards are listed in the [AI Risk Checklist](#ai-risk-checklist).
+
+![Risk Level](images/ai-risk-level.png)
+
+---
+
+### AI Risk Checklist
+
+The AI Risk Checklist outlines the source code controls that Codacy recommends enabling across your organization:
+
+- **AI Policy enabled:** Enable the AI Policy inside the AI Risk Hub tab.
+- **Coverage enabled:** Set up code coverage for your repositories.
+- **Enforced gates:** Add quality gates to your repositories and apply gate policies across your organization.
+- **Protected pull requests:** Protect pull requests by enforcing quality gates in your Git workflow.
+- **Daily vulnerability scans:** Enable Proactive SCA to protect your repositories from dependency vulnerabilities.
+- **Applications scanned:** Enable App scanning to scan web applications and APIs for security vulnerabilities.
+
+The more controls you have enabled, the lower your organization's AI risk level.
+
+![AI Risk Checklist](images/ai-risk-checklist.png)
+
+---
+
+### Repositories with most AI issues
+
+This panel shows your repositories ranked by number of open AI issues, in descending order.
+
+You can filter the list by:
+
+- **AI category** (unapproved model calls, AI safety, hardcoded secrets, vulnerabilities)
+- **Severity** (critical, high, medium, low, info)
+- **Checklist status**
+- **Repository** or **segment**
+
+Each entry shows how the repository's AI issue count has changed compared to the previous month.
+
+![Repositories with most AI issues](images/ai-risk-repositories.png)
+
+---
+
+### AI Inventory summary
+
+This section shows a high-level view of the AI resources discovered across your repositories, broken down by provider. For each provider, you can see the number of resources and repositories involved, as well as a breakdown by resource type.
+
+The section surfaces the top AI providers detected in your organization. You can click through to the full [AI Inventory](#ai-inventory) for a detailed view.
+
+![AI Inventory summary](images/ai-risk-inventory-overview.png)
+
+---
+
+## AI Inventory
+
+The **AI Inventory** tab gives you a detailed, searchable view of all AI resources discovered across your organization's repositories. Resources are detected through static analysis and represent actual AI usage found in the code — not just configuration.
+
+![AI Inventory](images/ai-risk-inventory.png)
+
+### Resource types
+
+Codacy detects four types of AI resources:
+
+| Type | Pattern ID | Description |
+|------|------------|-------------|
+| Model usage | `ai_model_usage` | Direct calls to AI model APIs |
+| Dependency | `ai_dependency` | AI SDKs and packages included as dependencies |
+| API key | `ai_key` | AI service API keys and credentials found in code |
+| Endpoint / env variable | `ai_env_endpoint` | Environment variables and endpoint references for AI services |
+
+### Supported providers
+
+Codacy detects resources from the following AI providers:
+
+- OpenAI
+- Anthropic
+- Google
+- Microsoft
+- Amazon
+- Mistral
+- Cohere
+- Groq
+- Together AI
+- Replicate
+- DeepSeek
+- Pinecone
+- Community models
+
+### How it works
+
+The inventory is built from static analysis of your repositories' source code. For each AI resource found, Codacy records:
+
+- Which **provider** the resource belongs to (e.g. OpenAI, Anthropic)
+- What **type** of resource it is (model usage, dependency, API key, endpoint)
+- The **marker** that identifies it (e.g. model name, package name)
+- How many **repositories** contain it
+- How many total **references** to it exist
+
+### Navigating the inventory
+
+Resources are listed as expandable entries. You can drill into each one to see:
+
+1. **Repositories** — which repositories contain the resource, with file counts and reference counts per repository
+2. **Files** — within each repository, the specific files where the resource appears
+3. **Lines** — within each file, the exact lines where the resource is referenced, with direct links to the file in your Git provider
+
+![AI resource detail](images/ai-risk-resource.png)
+
+### Filtering
+
+You can filter the inventory using the sidebar on the left:
+
+- **Providers** — filter by one or more AI vendors
+- **Resource types** — filter by resource type (model usage, dependency, API key, endpoint)
+- **Repositories** — filter by specific repository names
+- **Segments** — filter by repository segments if segmentation is enabled for your organization
+
+You can reset all filters at once using the **Reset filters** button.