Supported languages and tools

Codacy uses industry-leading tools to perform automatic static code analysis over 40 supported languages:

  • For programming languages, Codacy provides static analysis as well as code duplication, code complexity, secret detection, dependency vulnerability scanning, and code coverage metrics for key languages.

  • For cloud infrastructure-as-code platforms, Codacy provides static analysis and secret detection to enforce security and compliance best practices.

The table below lists all languages that Codacy supports and the corresponding tools that Codacy uses to analyze your source code. Besides this, Codacy uses cloc to calculate the source lines of code for all supported languages and supports multiple code coverage report formats.

Caution: Codacy runs security and other analysis tools when code changes are pushed to your repositories. These tools don't scan code for issues continuously.

| Language | File extensions | Static analysis | Suggested fixes | Secret detection | Dependency vulnerability scanning | Malicious packages detection [11] | Duplication | Complexity | License scanning |
|---|---|---|---|---|---|---|---|---|---|
| Apex | .cls, .trigger | PMD, Semgrep [1] | - | Semgrep | - | - | PMD CPD [10] | - | - |
| AsyncAPI | - | Spectral | - | - | - | - | - | - | - |
| AWS CloudFormation | - | Checkov | - | Checkov, Semgrep [2], Trivy [2] | - | - | - | - | - |
| Azure Resource Manager Templates | - | Checkov | - | - | - | - | - | - | - |
| C | .c, .h | Clang-Tidy [3], Cppcheck, Flawfinder, Semgrep [1] | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans conan.lock (Conan) | - | PMD CPD [10] | Lizard | - |
| C++ | .cpp, .hpp, .cc, .cxx, .ino | Clang-Tidy [3], Cppcheck [4], Flawfinder, Semgrep [1] | - | Semgrep, Trivy | Trivy, scans conan.lock (Conan) | - | PMD CPD [10] | Lizard | - |
| C# | .cs | Semgrep [1], SonarC# | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans .deps.json (.Net), packages.lock.json (NuGet) | Trivy, scans packages.lock.json for malicious packages published in NuGet | PMD CPD [10] | Lizard | - |
| CoffeeScript | .coffee | CoffeeLint | - | - | - | - | jscpd | - | - |
| Crystal | .cr | Ameba | - | - | - | - | - | - | - |
| CSS | .css | Stylelint | - | - | - | - | - | - | - |
| Dart | .dart | dartanalyzer [5] | - | Trivy | Trivy, scans pubspec.lock | - | jscpd | - | - |
| Dockerfile | .dockerfile | Hadolint, Semgrep [1] | Semgrep 🔧 | Semgrep, Trivy | - | - | - | - | - |
| Elixir | .ex, .exs | Credo, Semgrep [1] | - | Trivy | Trivy, scans mix.lock (Mix) | - | jscpd | - | - |
| GitHub Actions | - | Semgrep [1] | - | Semgrep, Trivy | - | - | - | - | - |
| Go | .go | aligncheck [3], deadcode [3], Gosec [3], Revive, Semgrep [1], Staticcheck [3] | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans go.mod | Trivy, scans go.mod for malicious packages published in github.com | PMD CPD [10] | Lizard | - |
| Groovy | .groovy | CodeNarc | - | - | - | - | jscpd | - | - |
| Helm | - | - | - | Semgrep [2], Trivy [2] | - | - | - | - | - |
| Java | .java | Checkstyle, PMD, Semgrep [1], SpotBugs [3] | Semgrep 🔧 | PMD, Semgrep, Trivy | Trivy, scans pom.xml and gradle.lockfile | Trivy, scans pom.xml and gradle.lockfile for malicious packages published in maven | jscpd | Lizard | - |
| JavaScript | .js, .jsx, .jsm, .vue, .mjs | ESLint, PMD, Semgrep [1] | ESLint 🔧 | Semgrep, Trivy | Trivy, scans package.json and package-lock.json (npm), yarn.lock (Yarn) | Trivy, scans package.json and package-lock.json for malicious packages published in npm | PMD CPD [10] | Lizard | Trivy, scans package-lock.json (npm) |
| JSON | .json | Jackson Linter | - | Checkov, Trivy | - | - | - | - | - |
| JSP | .jsp | PMD | - | - | - | - | PMD CPD [10] | - | - |
| Kotlin | .kt, .kts | detekt, Semgrep [1], PMD | - | Semgrep | Trivy, scans pom.xml and gradle.lockfile | Trivy, scans pom.xml and gradle.lockfile for malicious packages published in maven | jscpd | detekt [10] | - |
| Kubernetes | - | Checkov, Semgrep [2] | Semgrep 🔧 | Checkov, Semgrep [2], Trivy [2] | - | - | - | Lizard | - |
| Less | .less | Stylelint | - | - | - | - | - | - | - |
| Markdown | .md, .markdown, .mdown, .mkdn, .mkd, .mdwn, .mkdown, .ron | remark-lint, markdownlint | markdownlint 🔧 | - | - | - | - | - | - |
| Objective-C | .m | Clang-Tidy [3] | - | - | - | - | jscpd | Lizard | - |
| OpenAPI | - | Spectral | - | - | - | - | - | - | - |
| PHP | .php | PHP_CodeSniffer, PHP Mess Detector, Semgrep [1] | - | Semgrep, Trivy | Trivy, scans composer.lock (Composer) | - | PHPCPD | Lizard | Trivy, scans composer.lock (Composer) |
| PL/SQL | .trg, .prc, .fnc, .pld, .pls, .plh, .plb, .pck, .pks, .pkh, .pkb, .typ, .tyb, .tps, .tpb | PMD | - | - | - | - | - | - | - |
| PostgreSQL | - | SQLint | - | - | - | - | - | - | - |
| PowerShell | .ps1, .psc1, .psd1, .psm1, .ps1xml, .pssc, .cdxml, .clixml | PSScriptAnalyser | - | - | - | - | - | - | - |
| Python | .py | Bandit, Prospector, Pylint, Ruff, Semgrep [1] | Semgrep 🔧 | Bandit, Prospector, Semgrep, Trivy | Trivy, scans requirements.txt (pip), Pipfile.lock (pipenv), poetry.lock (Poetry), uv.lock (UV) | Trivy, scans requirements.txt (pip), Pipfile.lock (pipenv) for malicious packages published in PyPI | PMD CPD [10] | Lizard | Trivy, scans requirements.txt (pip), Pipfile.lock (pipenv), poetry.lock (Poetry), uv.lock (UV) |
| Ruby | .rb, .gemspec, .podspec, .jbuilder, .rake, .opal | Reek, Brakeman [7], RuboCop, Semgrep [1] | Semgrep 🔧 | Semgrep, Trivy | Trivy, scans Gemfile.lock (Bundler) | Trivy, scans Gemfile.lock for malicious packages published in rubygems.org | Flay | Lizard | - |
| Rust | .rs, .rlib | Semgrep [1] | - | Semgrep, Trivy | Trivy, scans Cargo.lock (Cargo) | Trivy, scans Cargo.lock for malicious packages published in crates.io | jscpd | Lizard | - |
| Sass | .scss | Stylelint | - | - | - | - | - | - | - |
| Scala | .scala | Codacy Scalameta Pro, Scalastyle, Semgrep [1], SpotBugs [3] | - | Semgrep, Trivy | Trivy, scans build.sbt.lock (sbt) [9] | Trivy, scans build.sbt.lock for malicious packages published in maven [9] | PMD CPD [10] | Lizard | - |
| Serverless Framework | - | Checkov | - | - | - | - | - | - | - |
| Shell | .sh, .bash | ShellCheck, Semgrep [1] | - | Semgrep | - | - | - | - | - |
| Swift | .swift | Semgrep [1], SwiftLint, PMD | - | Semgrep, Trivy | Trivy, scans Package.resolved (SwiftPM) | - | PMD CPD [10] | Lizard | - |
| SQL | .sql | PMD, SQLint, TSQLLint, SQLFluff, Semgrep [1] | - | - | - | - | - | - | - |
| Terraform | .tf | Checkov, Semgrep [1] | - | Checkov, Semgrep, Trivy | - | - | - | - | - |
| Transact-SQL | .tsql | TSQLLint | - | - | - | - | - | - | - |
| TypeScript | .ts, .tsx | ESLint, Semgrep [1] | ESLint 🔧 | Semgrep, Trivy | Trivy, scans package.json and package-lock.json (npm), yarn.lock (Yarn) | Trivy, scans package.json and package-lock.json for malicious packages published in npm | jscpd | Lizard | Trivy, scans package-lock.json (npm) |
| Unity | - | Unity Roslyn Analyzers [3] | - | - | - | - | - | - | - |
| Velocity | .vm | PMD | - | - | - | - | - | - | - |
| Visual Basic | .vb | SonarVB | - | - | - | - | jscpd | - | - |
| Visualforce | .component, .page | PMD | - | - | - | - | PMD CPD [10] | - | - |
| XML | .xml, .xsl, .wsdl, .pom | PMD | - | Trivy | - | - | - | - | - |
| XSL | .xsl | PMD | - | - | - | - | - | - | - |
| YAML | .yaml, .yml, .env, .env.production, .env.prod, .env.staging, .env.dev, .env.development | - | - | Trivy | - | - | - | - | - |

Docker images of supported tools

Codacy adds support for new languages and tools by using a Docker image to run each tool.

The following table lists the Codacy GitHub repositories corresponding to each supported tool. Use these repositories to check the extra plugins supported by each tool or to submit GitHub issues related to each tool. To learn more about the tool versions used by Codacy, see the latest release notes.

| Tool name | Codacy GitHub repository |
|---|---|
| aligncheck [3] | codacy/codacy-aligncheck |
| Ameba | codacy/codacy-ameba |
| Bandit | codacy/codacy-bandit |
| Brakeman [7] | codacy/codacy-brakeman |
| Checkov | codacy/codacy-checkov |
| Checkstyle | codacy/codacy-checkstyle |
| Clang-Tidy [3] | codacy/codacy-clang-tidy |
| Codacy Scalameta Pro | codacy/codacy-scalameta |
| CodeNarc | codacy/codacy-codenarc |
| CoffeeLint | codacy/codacy-coffeelint |
| Cppcheck [4] | codacy/codacy-cppcheck |
| Credo | codacy/codacy-credo |
| dartanalyzer [5] | codacy/codacy-dartanalyzer |
| deadcode [3] | codacy/codacy-deadcode |
| detekt | codacy/codacy-detekt |
| ESLint [6] | codacy/codacy-eslint |
| Flawfinder | codacy/codacy-flawfinder |
| Gosec [3] | codacy/codacy-gosec |
| Hadolint | codacy/codacy-hadolint |
| Jackson Linter | codacy/codacy-jackson-linter |
| Lizard | codacy/codacy-lizard |
| markdownlint | codacy/codacy-markdownlint |
| PHP_CodeSniffer | codacy/codacy-codesniffer |
| PHP Mess Detector | codacy/codacy-phpmd |
| PMD [6] | codacy/codacy-pmd7 |
| Prospector | codacy/codacy-prospector |
| PSScriptAnalyser | codacy/codacy-psscriptanalyzer |
| Pylint | codacy/codacy-pylint-python3 |
| remark-lint | codacy/codacy-remark-lint |
| Revive | codacy/codacy-gorevive |
| RuboCop [6] | codacy/codacy-rubocop |
| Ruff | codacy/codacy-ruff |
| Scalastyle | codacy/codacy-scalastyle |
| Semgrep [1] | codacy/codacy-semgrep |
| ShellCheck | codacy/codacy-shellcheck |
| SonarC# | codacy/codacy-sonar-csharp |
| SonarVB | codacy/codacy-sonar-visual-basic |
| Spectral | codacy/codacy-spectral |
| SpotBugs [3] | codacy/codacy-spotbugs |
| SQLint | codacy/codacy-sqlint |
| Staticcheck [3] | codacy/codacy-staticcheck |
| Stylelint | codacy/codacy-stylelint |
| SwiftLint [6] [8] | codacy/codacy-swiftlint |
| Trivy | codacy/codacy-trivy |
| TSQLLint | codacy/codacy-tsqllint |
| Unity Roslyn Analyzers [3] | codacy/codacy-roslyn |

1: Semgrep supports additional security rules when signing up for Semgrep Pro. This tool doesn't support custom file extensions.
2: Currently, only YAML file scanning is supported on this platform.
3: Supported as a client-side tool.
4: Currently, Cppcheck only supports the MISRA guidelines for C.
5: Currently, Codacy only supports including the packages lints and flutter_lints on dartanalyzer configuration files.
6: Doesn't calculate the number of methods and the complexity per method for each file.
7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use Semgrep, which provides comprehensive and up-to-date security scanning.
8: Supports reporting warnings or errors on functions above specific complexity thresholds. Enable the rule Cyclomatic Complexity on the Code patterns page, or use a configuration file to customize the thresholds.
9: Requires the sbt-dependency-lock plugin for generating the lockfile.
10: Codacy may use a different version of this tool for measuring complexity and duplication.
11: Malicious packages identified in the OpenSSF Malicious Packages database.
🔧: Supports suggesting fixes for identified issues.
