
Conversation

@JaclynCodes
Owner

@JaclynCodes JaclynCodes commented Dec 19, 2025

This workflow integrates Codacy security scans with GitHub Actions, checking code on push and pull requests to the main branch, and scheduling weekly scans.

Description

Brief description of what this PR does.

Fixes #

Checklist

  • I have read the contributing guidelines
  • My code follows the project's coding standards
  • This PR focuses on a single change

This workflow integrates Codacy security scans with GitHub Actions, checking code on push and pull requests to the main branch, and scheduling weekly scans.

Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Copilot AI review requested due to automatic review settings December 19, 2025 01:19
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai bot commented Dec 19, 2025

Warning

Rate limit exceeded

@JaclynCodes has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 13 minutes and 17 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 2e57133 and 16eef0f.

📒 Files selected for processing (1)
  • .github/workflows/codacy.yml (1 hunks)

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow file is added to perform Codacy security scanning. The workflow triggers on pushes and pull requests to main, plus weekly intervals. It checks out code, executes Codacy analysis, generates a SARIF report, and uploads results to GitHub Code Scanning.

Changes

Cohort / File(s) | Summary
Codacy Security Scan Workflow (.github/workflows/codacy.yml) | Introduces new GitHub Actions workflow triggering on main branch pushes, pull requests, and weekly schedule. Runs Codacy security analysis with SARIF report generation and uploads results via CodeQL action.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify that the CODACY_PROJECT_TOKEN secret is properly configured in repository settings
  • Confirm the SARIF upload step is compatible with existing GitHub Code Scanning setup
  • Check that trigger conditions (push to main, PRs, schedule) align with intended security scanning cadence

Suggested labels

Coderabbit

Poem

🔒 A guardian workflow takes its stance,
Codacy scans with algorithmic dance,
SARIF reports in ordered array—
Security whispers, "All clear today!" 🫧

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: adding a Codacy security scan workflow to the repository.
Description check ✅ Passed The description is directly related to the changeset, explaining what the Codacy workflow does and when it runs, though the checklist items are left unchecked.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.


Copilot AI left a comment


Pull request overview

This PR adds a new GitHub Actions workflow to integrate Codacy security scans into the CI/CD pipeline. The workflow runs on pushes and pull requests to the main branch, as well as on a weekly schedule.

Key changes:

  • Adds automated Codacy security scanning with SARIF output for GitHub Security
  • Configures workflow to run on push, pull request, and weekly cron schedule (Sundays at 17:43 UTC)
  • Integrates results with GitHub Advanced Security code scanning features



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/codacy.yml (1)

41-55: Configuration looks solid! 🫧 Consider updating to latest action version.

The workflow is well-configured with CODACY_ANALYSIS_CLI_VERSION=7.10.0 bundled by default, SARIF output format for GitHub Code Scanning integration, and the appropriate settings for severity adjustment and SARIF generation.

However, the pinned commit SHA (d840f886c4bd4edc059706d09c6a1586111c540b) appears to be an older version. The latest stable releases are v4.4.7 (17 Jul), v4.4.6 (15 Jul), and v4.4.5 (12 Jul). Consider using a version tag like @v4.4.7 instead of a specific commit, which makes future maintenance easier and ensures you're on the latest stable build.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d22da3e and 2e57133.

📒 Files selected for processing (1)
  • .github/workflows/codacy.yml (1 hunks)
🧰 Additional context used
🔍 Remote MCP

Summary of Relevant Context for PR Review

Codacy Workflow Configuration Best Practices

The PR implementation aligns well with official Codacy GitHub Action recommendations. To authenticate the GitHub Action on Codacy, you should obtain a project API token and store it as an encrypted secret for your repository with the name CODACY_PROJECT_TOKEN, or obtain an account API token and store it as an encrypted secret for your organization with the name CODACY_API_TOKEN. The PR uses project-token from secrets, which is the correct approach for a single-repository setup.

Critical Security Considerations

API Token Security: API tokens grant owner permissions to your projects on Codacy and should never be written to configuration files and kept well protected. This is a key point for the PR review—verify that the project-token secret has been properly configured in the repository settings and is not committed.

Workflow Integration Standards

The workflow triggers on pushes to main, pull requests targeting main, and uses GitHub code scanning integration to display analysis results in the repository's Security tab under Code scanning alerts. The PR's trigger configuration (push to main, pull requests to main, and weekly schedule) follows the recommended pattern.

SARIF Output and GitHub Code Scanning

The analysis results are output to a results.sarif file, which is then uploaded to GitHub. The PR correctly configures this output format and uses github/codeql-action/upload-sarif@v3 for the upload step. Third-party code scanning tools are initiated with a GitHub Action based on an event in GitHub, and results are formatted as SARIF and uploaded to the GitHub Security Alerts tab.

Key Review Points

  • Verify the CODACY_PROJECT_TOKEN secret is properly configured in repository settings (not checked in code)
  • Confirm the action version (codacy/codacy-analysis-cli-action uses an unversioned reference—consider pinning to a specific version like @master or a release tag)
  • The max-allowed-issues: 2147483647 effectively disables issue limits, allowing the workflow to always generate the SARIF report


⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Codacy Security Scan
🔇 Additional comments (6)
.github/workflows/codacy.yml (6)

1-13: Documentation looks great! 🫧

The header provides clear context about the third-party action and helpful links to Codacy documentation. This will be handy for future maintainers.


14-24: Trigger configuration is spot-on! 🎯

The workflow will run on pushes, pull requests, and weekly intervals—a solid approach for catching security issues early and continuously monitoring the codebase.


25-34: Permissions are configured beautifully! 🔐

The least-privilege approach with job-level overrides and clear inline documentation is exactly what we want to see. This keeps the workflow secure while granting only the necessary access.


35-39: Checkout step is solid! ✓

Using ubuntu-latest and actions/checkout@v4 are both excellent choices.


47-47: Verify the secret is configured in repository settings! 🔑

The workflow references secrets.CODACY_PROJECT_TOKEN, which must be properly set up in your repository's secrets before this workflow can run successfully. Based on Codacy's documentation, this should be a project API token that grants owner permissions.

Please confirm the CODACY_PROJECT_TOKEN secret has been added to the repository settings (Settings → Secrets and variables → Actions).

Based on external tools context: API tokens grant owner permissions and should never be written to configuration files—the use of secrets here is correct.


57-61: SARIF upload step is perfect! 📤

The upload configuration correctly references the results.sarif file generated by Codacy and uses the appropriate github/codeql-action/upload-sarif@v3 action. This will integrate beautifully with GitHub's Security tab.

coderabbitai[bot]
coderabbitai bot previously approved these changes Dec 19, 2025
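To make the configuration these review comments describe concrete, here is a GitHub Actions workflow written as an added example for this page; it is not the repository's own .github/workflows/codacy.yml. It is reconstructed only from details the reviews above state: push and pull-request triggers on main, the weekly schedule on Sundays at 17:43 UTC, least-privilege permissions with a job-level override, ubuntu-latest with actions/checkout@v4, codacy/codacy-analysis-cli-action pinned to the commit SHA quoted in the nitpick, the SARIF output settings with max-allowed-issues: 2147483647, and github/codeql-action/upload-sarif@v3 reading results.sarif. The header comment, job and step names, the specific permission keys, the `43 17 * * 0` cron expression (derived from the stated time) and the `gh-code-scanning-compat` input are my assumptions about what such a file contains.

```yaml
# Added example, not the project's own codacy.yml: reconstructed from the PR
# review comments. Names, comments and permission keys are assumptions.
name: Codacy Security Scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Weekly on Sundays at 17:43 UTC (cron derived from the review's description)
    - cron: '43 17 * * 0'

# Least-privilege default for the whole workflow; the job widens only what it needs.
permissions:
  contents: read

jobs:
  codacy-security-scan:
    name: Codacy Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read          # clone the repository
      security-events: write  # upload SARIF to GitHub Code Scanning
      actions: read           # needed by upload-sarif on private repositories
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Third-party action pinned to a full commit SHA (the SHA quoted in the review)
      # so that a moved or re-pushed tag cannot silently change what runs in CI.
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
        with:
          # The token comes from repository secrets and is never written into the file.
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          output: results.sarif
          format: sarif
          # Map Codacy severities to the levels GitHub Code Scanning expects.
          gh-code-scanning-compat: true
          # Effectively no issue cap, so the SARIF file is always produced for upload
          # and findings surface in the Security tab instead of failing the job here.
          max-allowed-issues: 2147483647

      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Before the first run, the CODACY_PROJECT_TOKEN secret has to exist under the repository's Settings → Secrets and variables → Actions, as both reviews note; a missing secret yields an empty `project-token` and a failed scan step. On the version question the two CodeRabbit comments disagree with each other: pinning a third-party action to a full-length commit SHA is the control GitHub's own Actions hardening guidance recommends over a mutable tag such as `@v4.4.7`, because a tag can be moved to different code while a SHA cannot. The usual way to keep a SHA pin readable and current is a trailing `# vX.Y.Z` comment next to it plus a Dependabot or Renovate rule for `github-actions`, rather than switching to the tag.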
@openhands-ai
Copy link

openhands-ai bot commented Dec 19, 2025

Looks like there are a few issues preventing this PR from being merged!

  • GitHub Actions are failing:
    • Codacy Security Scan

If you'd like me to help, just leave a comment, like

@OpenHands please fix the failing actions on PR #9 at branch `JaclynCodes-patch-1`

Feel free to include any additional details that might help me get this PR into a better state.


@JaclynCodes
Owner Author

copilot/fix-pull-request-merge-issue

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Copilot AI review requested due to automatic review settings December 19, 2025 01:31
coderabbitai[bot]
coderabbitai bot previously approved these changes Dec 19, 2025
Owner Author

@JaclynCodes JaclynCodes left a comment



Copilot AI commented Dec 19, 2025

@JaclynCodes I've opened a new pull request, #10, to work on those changes. Once the pull request is ready, I'll request review from you.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.



@JaclynCodes
Owner Author

@JaclynCodes @copilot JaclynCodes-patch-1


Copilot AI commented Dec 19, 2025

@JaclynCodes I've opened a new pull request, #11, to work on those changes. Once the pull request is ready, I'll request review from you.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Copilot AI review requested due to automatic review settings December 19, 2025 01:33
@JaclynCodes
Owner Author

JaclynCodes-patch-1 @copilot


Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.




Copilot AI commented Dec 19, 2025

@JaclynCodes I've opened a new pull request, #12, to work on those changes. Once the pull request is ready, I'll request review from you.

@JaclynCodes JaclynCodes merged commit 66e894d into main Dec 19, 2025
24 of 25 checks passed
JaclynCodes added a commit that referenced this pull request Dec 19, 2025
* Add Codacy security scan workflow

This workflow integrates Codacy security scans with GitHub Actions, checking code on push and pull requests to the main branch, and scheduling weekly scans.

Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>

* Update .github/workflows/codacy.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>

* Update .github/workflows/codacy.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>

* Update .github/workflows/codacy.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>

---------

Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>