Is Codacy secure?

This is a question that comes up quite often. The short answer: Yes, Codacy is secure.

Simply put, Codacy is our business, our work, our life. Keeping your data secure is the core of our business.

If you have any concerns after reading through this page please get in touch with us at


1. Project Keys

We use secure protocols (SSH and HTTPS) for all access points.

All SSH keys used for project cloning are created and used exclusively on the project that they were created for. The keys are used on a ssh-agent created for that access only and, as soon as the project is idle, the key is removed from the file system.

Likewise, Authorization tokens are generated on a per-project basis.


2. Sensitive Data

All user-sensitive data is kept encrypted in our database. This includes:

  • Generated SSH and Authorization tokens
  • Issue results

Issue results are cached in order to show you results in a reasonable amount of time, being removed after 24 hours. Although this translates into some performance impact within our application, we always felt that our main priority to our users would be to secure all sensitive data within our reach.


3. Passwords

Codacy never collects or stores passwords for external applications like GitHub, Bitbucket, Slack, or others.

All the third party integrations at Codacy are done via mechanisms such as API tokens and OAuth.


4. Project Cloning

Projects are cloned into temporary disk locations, using custom generated SSH keys per project. These keys are also kept in secure hard disk locations with no relation to the project checkout directory, preventing any manual intervention within the server.

We proactively delete our copies of stored code. The code only remains in the server while we are doing the analysis and is erased once the analysis is finished.

On a daily basis, we also terminate all servers used for code analysis, effectively removing all projects and settings from the machine. This allows us to never have the same machine running for more than 8 to 12 hours.


5. Server Information

All servers are hosted on Amazon Elastic Compute Cloud (EC2) within the region of Europe. These dedicated virtual servers get erased and rebuilt several times a day. Everything is encrypted on our servers, including third party tokens (such as GitHub and Bitbucket), as is code itself.

The database stores only the encrypted code fragments that we need in order to show you results in a reasonable amount of time.

Read more about Amazon’s Security Policy:


6. Payment information

Codacy does not store or receive any payment information. We use Stripe to process payments by credit card.

To ensure greater security Stripe shares only the status of the transaction keeping any billing information safe. Stripe is a PCI-DSS Certified Level 1 payment processor. This is the most stringent level of certification available.

To learn more about Stripe security go here:


7. Internal employee policies

None of our team members can clone or see your code in its entirety. For debugging purposes, we use the platform to see dashboard and issues breakdown, but never your code. You feeling safe about your code is of crucial importance to us.


8. Vulnerability reporting

Every week we take an opportunity to discuss security improvements. We also perform regular, automated scans of our environment and have systems in place to detect brute force access attempts.

At Codacy we try to assure that all our data is extremely secure at any level, and we appreciate the hard work that goes to security research. If you have discovered any security concern, please email our Security Team at

We always do our best to ensure the security of your data.

Have more questions? Submit a request


Article is closed for comments.