Skip to content
Latchkey

How to Run Codacy Analysis in CI

The Codacy Analysis CLI action runs static analyzers locally and can upload SARIF so results appear in Codacy and the Security tab.

Run codacy/codacy-analysis-cli-action with CODACY_PROJECT_TOKEN. Set upload: true to send results to Codacy, or output SARIF for GitHub code scanning.

Steps

  • Add CODACY_PROJECT_TOKEN as a repo secret from Codacy project settings.
  • Run the analysis action with output as SARIF and upload: true.
  • Optionally upload the SARIF to the Security tab.

Workflow

.github/workflows/ci.yml
jobs:
  codacy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codacy/codacy-analysis-cli-action@v4
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          upload: true
          format: sarif
          output: results.sarif
          gh-code-scanning-compat: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Gotchas

  • Codacy caps severities; gh-code-scanning-compat: true remaps them so SARIF upload accepts them.
  • The gate itself lives in Codacy repository settings, not the CLI; the action reports, Codacy decides pass/fail on the commit status.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →