codacy

Codacy Plugin for Claude Code

A powerful Claude Code plugin that combines Codacy CLI v2 static analysis with Claude's AI-powered security expertise for comprehensive code security reviews.

Features

• Project Profiling: Automatically analyzes your codebase to understand languages, frameworks, and architecture
• Project-Specific Security Patterns: Generates custom security rules based on your detected stack
• Automated Static Analysis: Leverages Codacy's suite of analysis tools (ESLint, Trivy, Semgrep, Pylint, PMD, Bandit, Gosec, and more)
• AI-Enhanced Review: Claude provides deep security analysis, context-aware risk assessment, and actionable remediation guidance
• OWASP Coverage: Systematic checking for OWASP Top 10 vulnerabilities
• Flexible Scanning: Full project reviews, quick scans of staged changes, PR reviews, and file-specific analysis
• SARIF Support: Generate industry-standard SARIF reports for integration with other tools

Installation

Prerequisites

• Claude Code (latest version)

Step 1: Add the Marketplace

/plugin marketplace add jaimefjorge/codacy-plugin

Step 2: Install the Plugin

After adding the marketplace, install the plugin:

/plugin install codacy

Step 3: Run Setup (Required)

You must run setup before using any other commands. This installs Codacy CLI v2 and configures your project:

/codacy:setup

The setup command will:

• Install Codacy CLI v2 if not already installed
• Profile your project (languages, frameworks, architecture)
• Generate project-specific security patterns
• Configure the appropriate analysis tools

Updating the Plugin

claude plugin update codacy

Or enable auto-updates via /plugin → Marketplaces → Enable auto-update.

Usage

Quick Start

# 1. Setup (installs Codacy CLI v2 + profiles project + generates security patterns)
/codacy:setup

# 2. Run a full security review (uses project profile)
/codacy:security-review

# 3. Quick scan before committing
/codacy:quick-scan --staged

Available Commands

Command	Description
/codacy:setup	Required first. Install Codacy CLI v2, profile project, and generate security patterns
/codacy:security-review	Full security review with AI analysis
/codacy:quick-scan	Fast scan of specific files or changes
/codacy:help	Show help information

Project Profiling (New!)

The setup command now performs comprehensive project analysis to optimize security scanning:

What Gets Analyzed

1. Directory Structure

   • Source directories (src/, lib/, app/, etc.)
   • Test directories
   • Configuration directories
   • CI/CD pipelines
   • Infrastructure as code

2. Languages and Versions

   • Detects all programming languages
   • Identifies versions from config files
   • Counts files per language

3. Frameworks Detection

   • JavaScript/TypeScript: React, Vue, Angular, Next.js, Express, Fastify, NestJS
   • Python: Django, Flask, FastAPI, Tornado
   • Go: Gin, Echo, Fiber, Chi
   • Java: Spring Boot, Quarkus, Micronaut
   • Ruby: Rails, Sinatra
   • PHP: Laravel, Symfony

4. Security Components

   • Authentication (JWT, sessions, OAuth)
   • Database access (ORMs, raw queries)
   • File handling (uploads, downloads)
   • External API integrations
   • User input entry points

Generated Files

After setup, two files are created in .codacy/:

.codacy/project-profile.yaml

Contains your project's structure, languages, frameworks, and security-relevant components.

project:
  name: "my-app"
  type: "web-app"
  architecture: "monolith"

languages:
  primary: "typescript"
  all:
    - name: "typescript"
      version: "5.x"
      files_count: 200
      percentage: 60

frameworks:
  - name: "react"
    version: "18.x"
    type: "frontend"
  - name: "express"
    version: "4.x"
    type: "backend"

security_components:
  authentication:
    present: true
    type: "jwt"
    files:
      - "src/auth/"

.codacy/security-patterns.yaml

Contains project-specific security patterns to check, organized by:

• Language patterns (JavaScript, Python, Go, etc.)
• Framework patterns (React, Express, Django, Flask, etc.)
• Component patterns (authentication, database, file handling)
• Secrets patterns (AWS keys, API keys, tokens)
• Critical files list (files that always need review)

How It Helps

1. Smarter Scanning: Quick scans know which patterns to apply based on your stack
2. Better Prioritization: Security reviews focus on your actual entry points
3. Framework-Aware: Checks for React XSS, Express CORS, Django safe filters, etc.
4. Component-Aware: JWT-specific checks if you use JWT, SQL injection patterns if you use databases
5. Reduced False Positives: Patterns only apply to relevant files

Command Details