GitHub Action for running Codacy static analysis on over 40 supported languages and returning identified issues in the code.
Codacy is an automated code review tool that makes it easy to ensure your team is writing high-quality code by analyzing more than 40 programming languages such as PHP, JavaScript, Python, Java, and Ruby. Codacy allows you to define your own quality rules, code patterns and quality settings you'd like to enforce to prevent issues on your codebase.
The Codacy GitHub Action supports the following scenarios:

- Analysis with default settings
- Integration with GitHub code scanning
- Integration with Codacy, running client-side tools locally and uploading the results

By default, the Codacy GitHub Action:

- Analyzes each commit or pull request by running all supported static code analysis tools for the languages found in your repository.
- Prints the analysis results on the console, visible in the GitHub Action's workflow panel.
- Fails the workflow if it finds at least one issue in your code.
To use the GitHub Action with default settings, add the following to a file `.github/workflows/codacy-analysis.yaml` in your repository:

```yaml
name: Codacy Analysis CLI
on: ["push"]
jobs:
  codacy-analysis-cli:
    name: Codacy Analysis CLI
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@main
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master
```
Integrate the Codacy GitHub Action with GitHub code scanning to display the analysis results on your repository under the tab Security, page Code scanning alerts.

In this scenario, the GitHub Action:

- Analyzes each commit or pull request to the `master` or `main` branch by running all supported static code analysis tools for the languages found in your repository.
- Generates a SARIF file `results.sarif`, which is then uploaded to GitHub.

To use the GitHub Action with GitHub code scanning integration, add the following to a file `.github/workflows/codacy-analysis.yaml` in your repository:
```yaml
name: Codacy Security Scan
on:
  push:
    branches: [ "master", "main" ]
  pull_request:
    branches: [ "master", "main" ]
jobs:
  codacy-security-scan:
    name: Codacy Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@main
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master
        with:
          output: results.sarif
          format: sarif
          # Adjust severity of non-security issues
          gh-code-scanning-compat: true
          # Force 0 exit code to allow SARIF file generation
          # This will hand over control about PR rejection to the GitHub side
          max-allowed-issues: 2147483647
      # Upload the SARIF file generated in the previous step
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@main
        with:
          sarif_file: results.sarif
```
Use the GitHub Action to run any of the containerized client-side tools supported by Codacy and upload the results of the analysis to Codacy.

In this scenario, the GitHub Action:

- Runs the containerized client-side tool you specify (or all supported tools) locally on the runner.
- Uploads the results of the analysis to Codacy.

After this, Codacy displays the results of the analysis of your commits and pull requests on the UI dashboards, and optionally reports the status of the analysis directly on your GitHub pull requests.

To use the GitHub Action with Codacy integration:

1. On Codacy, enable the containerized client-side tool and configure the corresponding code patterns on your repository Code patterns page.
2. On Codacy, enable Run analysis through build server in your repository Settings, tab General, Repository analysis. This setting makes Codacy wait for the results of the local analysis before resuming the analysis of your commits.
3. Set up an API token to allow the GitHub Action to authenticate on Codacy: store a project API token in a GitHub secret named `CODACY_PROJECT_TOKEN`, or an account API token in a secret named `CODACY_API_TOKEN`.

   ⚠️ Never write API tokens to your configuration files and keep your API tokens well protected, as they grant owner permissions to your projects on Codacy.

Finally, add the following to a file `.github/workflows/codacy-analysis.yaml` in your repository, where `<CLIENT_SIDE_TOOL_NAME>` is the name of the containerized client-side tool that the Codacy Analysis CLI will run locally, or omit this parameter to run all tools supported by Codacy:
```yaml
name: Codacy Analysis CLI
on: ["push"]
jobs:
  codacy-analysis-cli:
    name: Codacy Analysis CLI
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@main
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master
        with:
          tool: <CLIENT_SIDE_TOOL_NAME>
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          # or
          # api-token: ${{ secrets.CODACY_API_TOKEN }}
          upload: true
          max-allowed-issues: 2147483647
```
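As an added example (not part of the Codacy action or its README), a small line-based lint that checks a workflow file for the two pitfalls described above: a `project-token` or `api-token` value written as a literal instead of a `${{ secrets.* }}` reference, and a `format: sarif` step that lacks `max-allowed-issues: 2147483647` or a following `upload-sarif` step. The sample workflows are constructed, and the scan assumes one `key: value` per line rather than parsing YAML fully.

```python
import re

# Constructed sample workflows (not from the Codacy repository), used as input below.
GOOD_WORKFLOW = """\
jobs:
  codacy-security-scan:
    steps:
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          output: results.sarif
          format: sarif
          max-allowed-issues: 2147483647
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@main
        with:
          sarif_file: results.sarif
"""
BAD_WORKFLOW = """\
jobs:
  codacy:
    steps:
      - uses: codacy/codacy-analysis-cli-action@master
        with:
          api-token: 0123456789abcdef0123456789abcdef  # constructed literal token
          format: sarif
"""
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")
TOKEN_KEYS = ("project-token", "api-token")

def lint_codacy_workflow(text: str) -> list:
    """Line-based scan (one `key: value` per line, no full YAML parsing).
    Returns a list of findings; an empty list means the workflow passes."""
    findings, sarif, has_max, has_upload = [], False, False, False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing YAML comments
        if ":" not in line:
            continue
        key, _, value = line.lstrip("- ").partition(":")
        key, value = key.strip(), value.strip()
        if key in TOKEN_KEYS and not SECRET_REF.match(value):
            findings.append(f"line {no}: {key} must reference a GitHub secret, not a literal")
        sarif = sarif or (key == "format" and value == "sarif")
        has_max = has_max or (key == "max-allowed-issues" and value == "2147483647")
        has_upload = has_upload or (key == "uses" and "upload-sarif" in value)
    if sarif and not has_max:
        findings.append("format: sarif without max-allowed-issues: 2147483647 (a non-zero exit prevents the SARIF file from being generated and uploaded)")
    if sarif and not has_upload:
        findings.append("format: sarif but no github/codeql-action/upload-sarif step")
    return findings
```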
If you're running a Go client-side tool, you must also set up the Go environment before running the Codacy Analysis CLI GitHub Action. We recommend using the setup-go GitHub Action for this:

```yaml
      - name: set-up go
        uses: actions/setup-go@v3
        with:
          # Go version currently supported by Codacy
          go-version: 1.19.1
```
Optionally, specify the following parameters to run standalone client-side tools:

```yaml
          run-gosec: "true"
          run-staticcheck: "true"
```

Due to the complex orchestration of the tools Clang-Tidy and Faux Pas, the action can instead receive the output files of the tools and upload them to Codacy:

```yaml
          clang-tidy-output: "path/to/output"
          faux-pas-output: "path/to/output"
```

If you only want to run the standalone client-side tools and not all the containerized tools supported by Codacy, specify:

```yaml
          run-docker-tools: "false"
```
Optionally, enable the GitHub integration on Codacy to have information about the analysis of the changed files directly on your pull requests.
The Codacy GitHub Action is a wrapper for running the Codacy Analysis CLI. For a list of supported input parameters, see `action.yml`. To pass input parameters to the action, update the associated `with` map.

The following example limits analysis to a `src` directory and provides additional details by setting `verbose` to `true`:
```yaml
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master
        with:
          directory: src
          verbose: true
```
We love contributions, feedback, and bug reports. If you run into issues while running this action, open an issue in this repository.