Hi Brian. Thanks!

I think at first glance we try to establish a strong bond between what’s running in the IDE with our CLI and what tool configs you have running on the cloud in Codacy. We spend a lot of time on coding standards, gates, and making all the tools that we integrate (which seems to be pretty comparable to qlty - we do have our own tools right now for example for secret scanning) run well with good standards for large teams. We also have an MCP server and we found that tying code analysis with code agents is not trivial so I think that’s also something different. Beyond that, DAST + Pen testing, etc. We’ve become a full-on security company and that’s been our focus.

We do and we’re looking into it. It really started for us when we launched an MCP server.

Thanks. We’look into it right now. EDIT: should be fixed. Thanks

Hi there. Codacy runs in the cloud when PRs acre created. We run a large number of tools and we have gates, and coding standards, etc. It’s a standardization use case. Codacy Guardrails is about local code analysis with a special focus on coding agents. The problem is that AI generates insecure code and if you don’t have Codacy centrally analyzing things, you’ll introduce vulnerabilities in your repo.

On context pollution unfortunately we rely a lot on the model actually being used. One thing we do is: clear instructions to only analyze the code being produced and not act on ALL issues/problems identified. Still we recommend a good small selection of tools to start and go from there: an SCA (mandatory really), a secret scanner and a good curated list of security issues. If we feed too many issues to the models they.. well.. don’t work

Thanks for testing. Please do share feedback. Windsurf is crucially important to us as we’re working with their team to make the experience good. Would you mind sending any feedback to Jaime at Codacy.com?

thanks tosh!

The guardrails are ran every time there is code being generated by the agent. We give instructions to the coding agents to run the guardrails on the code that is changed. It doesn't YET work with Claude Code and Amp but because it leverages an MCP server, we can easily do it. It's in the plans to do.

I think dev-time is critical, because AI is producing large swaths of code as we speak. We also make sure that regardless of what happens in dev time, we can always run our cloud checks in CI time. Thanks for your questions!

Sorry about that and thanks for flagging. EDIT: should be fixed. Thanks

Hey thanks for testing! That's been my experience well, it's very frequent to see libraries with vulnerable versions being introduced in code. What's also interesting is that, despite using incredible AI coding models like Sonnet 4, you still get CVEs in your code. Try this with Codacy Guardrails: "create a Java server using undertow".

Thanks for testing. Please do share your feedback when you test further!

I guess "partially?" https://docs.codacy.com/chart/#2-installing-codacy:~:text=Th... but https://github.com/codacy/codacy-vscode-extension is MIT and https://github.com/codacy/codacy-mcp-server?tab=License-1-ov... is Apache 2

Also, a big fat raspberry for their use of tinyurl to obfuscate https://marketplace.visualstudio.com/items?itemName=codacy-a... -- just cruel

Hi there. Yes, the extension, the cli and the MCP server are open source.

The local analysis can run locally in a sandboxes environment (provided you download the dependencies and tools etc).

Only if you want to then use our cloud scans, or let your coding agent interact with data from Codacy, then you’d need the MCP server connecting to our API.

Thank you!