Is Codacy secure?

This is a question that comes up quite often. The short answer: Yes, Codacy is secure.

Simply put, Codacy is our business, our work, our life. Keeping your data secure is the core of our business.

If you have any concerns after reading through this page please get in touch with us at


1. Project Keys

We use secure protocols (SSH and HTTPS) for all access points.

All SSH keys used for project cloning are created and used exclusively on the project they were created for. The keys are used on an ssh-agent created for that access only and, as soon as the project is idle, the key is removed from the file system.

Likewise, Authorization tokens are generated on a per-project basis.


2. Sensitive Data

All user-sensitive data is kept encrypted in our database including:

  • Generated SSH and Authorization tokens
  • Issue results

Issue results are cached in order to show you results in a reasonable amount of time, being removed after 24 hours. Although this translates into some performance impact within our application, we always felt our main priority to our users would be to secure all sensitive data within our reach.


3. Passwords

Codacy never collects or stores passwords for external applications like GitHub, Bitbucket, Slack, or others.

All the third party integrations at Codacy are done via mechanisms such as API tokens and OAuth.


4. Project Cloning

Projects are cloned into temporary disk locations, using custom generated SSH keys per project. These keys are also kept in secure hard disk locations with no relation to the project checkout directory, preventing any manual intervention within the server.

We proactively delete our copies of stored code. The code only remains on the server while we are running analyses and is erased once they're finished.

We terminate all servers used for code analysis, effectively removing all projects and settings from the machine on a daily basis. Allowing us to never have the same machine running for more than 8 to 12 hours.


5. Server Information

All servers are hosted on Amazon Elastic Compute Cloud (EC2) within the region of Europe. These dedicated virtual servers are erased and rebuilt several times a day. Everything is encrypted on our servers, including third-party tokens (such as GitHub and Bitbucket), as is code itself.

The database stores only the encrypted code fragments we need in order to show you results in a reasonable amount of time.

Read more about Amazon’s Security Policy:


6. Payment information

Codacy does not store or receive any payment information. We use Stripe to process payments by credit card.

To ensure greater security Stripe shares only the status of the transaction keeping any billing information safe. Stripe is a PCI-DSS Certified Level 1 payment processor. This is the most stringent level of certification available.

To learn more about Stripe security go here:


7. Internal employee policies

None of our team members can clone or see your code in its entirety. For debugging purposes, we use the platform to see dashboard and issues breakdown, but never your code. You feeling safe about your code is of crucial importance to us.


8. Vulnerability reporting

Every week we take an opportunity to discuss security improvements. We also perform regular, automated scans of our environment and have systems in place to detect brute force access attempts.

At Codacy we try to make sure all our data is extremely secure on all levels, and we appreciate the hard work that goes to security research. If you have discovered any security concern, please email our Security Team at

We always do our best to ensure the security of your data.

Have more questions? Submit a request


Article is closed for comments.