Security Dashboard

On the security dashboard, you get an overview of all current security alerts. The alerts identified are mapped to OWASP 2013 top 10 categories.

Supported Languages

The security monitor is only available for:

  • Ruby 
  • Scala 
  • Python 
  • Javascript
  • Java (only for Codacy Self-hosted)
  • Apex 



Our security monitor is built using security patterns from:


Supported categories

XSS: XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Input validation: Input not validated may originate SQL Injection attacks for instance.

File Access: An attacker may use special paths to access files that should not be accessible.

HTTP: HTTP headers are a common attack vector for malign users.

Cookies: An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the browser while the user is browsing.

Unexpected behaviour: Assigning values to private APIs might lead to unexpected behaviour.

Mass assignment: Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.

Insecure Storage: Storing sensitive data using this APIs is not safe.

Insecure modules/libraries: Consider possible security implications associated with some modules.

Visibility: Fields should not have public accessibility.

CSRF: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Android: Android specific issues.

Malicious code: Exposed internal APIs can be accessed or change changed by malicious code or by accident from another package.

Cryptography: Cryptography is a security technique widely used and there are several cryptographic functions, but not all of them are secure.

Command Injection: Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system.

Firefox OS: Sensitive APIs of Firefox OS.

Auth: Authentication is present in almost all web applications nowadays.

DoS: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.

SQL Injection: A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.

Routes: Badly configured routes can give unintended access to an attacker.

Regex: Regex can be used in a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach heavy computation situations that cause them to work very slowly (exponentially related to input size).

SSL: Simply using SSL isn't enough to ensure the data you are sending is secure. Man in the middle attacks are well known and widely used.

Other: Other language specific security issues.


Possible states

For each security category listed on the left side, there are 4 states:

  •  If there's any security issue on that category, the category has problems, and a red cross will be displayed on the left.
  • Yellow indicates you need to enable the pattern for the category to be verified. You can also enable all patterns.
  •  If Codacy cannot be sure whether you have all the corresponding security category patterns enabled, a blue info icon will be shown on the left. This happens when you are using a configuration file, or if you are using our UI to select the patterns but not all the category patterns are enabled.
  • If you have all the category patterns enabled, and no issues have been found, means that everything is ok, and a green check will be displayed.


Additional features

On the Security dashboard view you can also:

  • Enable all the security patterns for that repository with one click 
  • Download all the patterns in a csv file (this will give you a list of all the patterns considered by Codacy under the security category)

You just have to go to your repository's Security Tab, click on morebutton.png and select the relevant option.


Have more questions? Submit a request


Article is closed for comments.