Engineering-led teams (20 to 500 engineers) that want one tool for code quality, code coverage, and a competent security signal without security-team-led procurement. Particularly strong for EU-headquartered organizations needing GDPR-native data residency.
Very large enterprises (1,000+ engineers) where SonarQube Enterprise scales further, AppSec-led organizations wanting the deepest SAST (Snyk Code, CodeQL and Semgrep are better), or buyers needing 30+ language coverage (SonarQube is better).
Is Codacy a trustworthy vendor?
- 2020-06-15: Series B led by Bright Pixel Capital. Reported around $15M; funded the Codacy Security expansion delivered in 2022.
- 2022-09-22: Codacy Security launched. Bundled SAST, SCA, secret detection under one product; Trivy plus Semgrep rule sets under the hood.
- 2024-04-15: Roadmap velocity slower after 2022 reorganization. Customer reports of slower feature delivery through 2023-2024; some feature parity gaps with SonarQube widened.
What 380 reviews actually say
Synthesized from G2, Capterra, Reddit, Trustpilot. Patterns >15% prevalence shown.
Praise patterns
- Cleaner UX than SonarQube; faster time-to-value: 87% →
- Transparent per-developer pricing: 78% →
- PR decoration across all major Git platforms: 71% →
- EU-headquartered GDPR-native data residency: 51% ↑
Complaint patterns
- Narrower language depth than SonarQube on niche languages: 47% →
- Security analysis depth lags Snyk Code and CodeQL: 41% →
- Roadmap velocity slower since 2022 reorganization: 38% ↑
- Self-hosted less mature than SonarQube self-managed: 31% →
What buyers actually pay
214 anonymized deal disclosures · last updated 2026-05-01
| Company size | Median annual |
|---|---|
| 10 to 50 engineers (Pro) | $216 |
| 50 to 500 engineers (Business) | $324 |
| 500+ engineers (Self-hosted) | $84,000 |
Editorial: Strengths
- Cleaner UX than SonarQube; faster time-to-value
- Transparent per-developer SaaS pricing (no LOC surprises)
- PR decoration on GitHub, GitLab, Bitbucket out of the box
- Code coverage plus quality plus security in one product
- Codacy Security (2022) bundles Trivy, Semgrep, Trufflehog rule sets
- EU-headquartered (Lisbon); GDPR-native data residency
- Open-source Codacy Analysis CLI keeps the developer trust signal honest
Editorial: Weaknesses
- Narrower language depth than SonarQube on niche languages (Apex, COBOL, ABAP)
- Security analysis depth lags Snyk Code and CodeQL on semantic findings
- Self-hosted (Codacy Self-hosted) less mature than SonarQube self-managed
- Procurement pushback on vendor size from Fortune 500 buyers
- False-positive rate on security findings reported around 20 percent in buyer disclosures
- Roadmap velocity slower since the 2022 reorganization
Key features & integrations
- Static analysis across 40+ languages
- PR decoration on GitHub, GitLab, Bitbucket
- Code coverage with merge-time quality gates
- Codacy Security (Trivy, Semgrep, Trufflehog under the hood)
- Issue auto-fix suggestions
- Custom coding standards plus reusable patterns
- Self-hosted air-gap deployment option
- SAML SSO, SCIM, audit logging at Business
- REST API plus webhooks
- Codacy Analysis CLI (open-source)
Read our full ranking of Code Quality and Static Analysis
Codacy ranks #2 in our editorial review of 10 code quality and static analysis platforms. The deep-dive covers methodology, comparison tables, decision matrix, migration scoring, and FAQs.