GitHub Action for running Codacy static analysis on over 30 supported languages and returning identified issues in the code.

Codacy is an automated code review tool that makes it easy to ensure your team is writing high-quality code by analyzing more than 30 programming languages such as PHP, JavaScript, Python, Java, and Ruby. Codacy allows you to define your own quality rules, code patterns and quality settings you'd like to enforce to prevent issues on your codebase.

The Codacy GitHub Action supports the following scenarios:

• Analysis with default settings: Analyzes each commit and pull request and fails the workflow if it finds issues in your code.
• Integration with GitHub code scanning: Analyzes each commit and pull request and uploads the results to GitHub, which displays the identified issues under your repository's tab Security.
• Integration with Codacy for client-side tools: Analyzes each commit and pull request using one of Codacy's client-side tools and uploads the results to Codacy, which displays the identified issues in UI dashboards and can also report the status of the analysis on your pull requests.

By default, the Codacy GitHub Action:

• Analyzes each commit or pull request by running all supported static code analysis tools for the languages found in your repository.
• Prints the analysis results on the console, which is visible on the GitHub Action's workflow panel.
• Fails the workflow if it finds at least one issue in your code.

To use the GitHub Action with default settings, add the following to a file .github/workflows/codacy-analysis.yaml in your repository:

name: Codacy Analysis CLI

on: ["push"]

jobs:
  codacy-analysis-cli:
    name: Codacy Analysis CLI
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@main

      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master

Integrate the Codacy GitHub Action with GitHub code scanning to display the analysis results on your repository under the tab Security, page Code scanning alerts.

In this scenario, the GitHub Action:

• Analyzes each commit and pull request to the master or main branch by running all supported static code analysis tools for the languages found in your repository.
• Outputs the analysis results to a file results.sarif, which is then uploaded to GitHub.

To use the GitHub Action with GitHub code scanning integration, add the following to a file .github/workflows/codacy-analysis.yaml in your repository:

name: Codacy Security Scan

on:
  push:
    branches: [ "master", "main" ]
  pull_request:
    branches: [ "master", "main" ]

jobs:
  codacy-security-scan:
    name: Codacy Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@main

      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master
        with:
          output: results.sarif
          format: sarif
          # Adjust severity of non-security issues
          gh-code-scanning-compat: true
          # Force 0 exit code to allow SARIF file generation
          # This will handover control about PR rejection to the GitHub side
          max-allowed-issues: 2147483647
      
      # Upload the SARIF file generated in the previous step
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@main
        with:
          sarif_file: results.sarif

Use the GitHub Action to run any of the containerized Codacy client-side tools and upload the results of the analysis to Codacy.

In this scenario, the GitHub action:

• Analyzes each commit or pull request by running a specific client-side tool with the configurations that you defined on Codacy.
• Uploads the analysis results to Codacy.

After this, Codacy displays the results of the analysis of your commits and pull requests on the UI dashboards, and optionally reports the status of the analysis directly on your GitHub pull requests.

To use the GitHub Action with Codacy integration:

1. On Codacy, enable Run analysis through build server in your repository Settings, tab General, Repository analysis.

   This setting enables Codacy to wait for the results of the local analysis before resuming the analysis of your commits.

2. On Codacy, obtain a Project API Token for your repository.

   You need the Project API Token to allow the Codacy Analysis CLI to authenticate to Codacy when reporting the analysis results.

3. On GitHub, store the Project API Token as an encrypted secret for your repository with the name CODACY_PROJECT_TOKEN.

   Do this to avoid committing the secret token to your repository.

4. Add the following to a file .github/workflows/codacy-analysis.yaml in your repository, where <CLIENT_SIDE_TOOL_NAME> is the name of the containerized client-side tool that the Codacy Analysis CLI will run locally:

   name: Codacy Analysis CLI
   
   on: ["push"]
   
   jobs:
     codacy-analysis-cli:
       name: Codacy Analysis CLI
       runs-on: ubuntu-latest
       steps:
         - name: Checkout code
           uses: actions/checkout@main
   
         - name: Run Codacy Analysis CLI
           uses: codacy/codacy-analysis-cli-action@master
           with:
             tool: <CLIENT_SIDE_TOOL_NAME>
             project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
             upload: true
             max-allowed-issues: 2147483647

5. Optionally, enable the GitHub integration on Codacy to have information about the analysis of the changed files directly on your pull requests.

The Codacy GitHub Action is a wrapper for running the Codacy Analysis CLI and supports the same parameters as the command analyze, with the following exceptions:

• --commit-uuid (the action always analyzes the commit that triggered it)
• --api-token, --username, and --project (use --project-token instead)

We love contributions, feedback, and bug reports. If you run into issues while running this action, open an issue in this repository.