
The latest Code Climate updates

Code Climate for TypeScript is here! ⌨️

We’re excited to add TypeScript as our latest fully supported language!

As with our other supported languages (Java, JavaScript, PHP, Python, and Ruby), we now provide our 10-point technical debt assessment and full test coverage support for all your TypeScript repos (including .tsx files with JSX syntax), plus TSLint.

To celebrate, we’re offering new customers 50% off their first 6 months. Sign up by December 31 with the promo code TYPEWRITER to get started.

Plus, if you're already using Code Climate and want to try our TypeScript support with a different team in your organization, just get in touch and we'll give them free access to Code Climate for a month!

Give it a try today – we'd love to hear what you think!

New release: Code Climate CLI version 0.7.0

We're excited to release version 0.7.0 of our Command Line Interface, which allows you to run Code Climate locally inside of Docker containers!

This latest version of the Code Climate CLI includes support for our new advanced config file schema, and the option to run without a checked-in .codeclimate.yml.

It also adds our 10-point technical debt assessment for JavaScript, Java, PHP, Python and Ruby as part of the default analysis. To turn off any of these checks, add the following to your .codeclimate.yml:

    enabled: false
    enabled: false
    enabled: false
    enabled: false
    enabled: false
    enabled: false
    enabled: false
    enabled: false
    enabled: false
    enabled: false

Download the new version of the CLI and try it out!

Now available: SonarPHP & SonarPython plugins! 🐘 🐍

Following our SonarJava plugin, we are excited to bring support for SonarPHP and SonarPython to Code Climate!

SonarPHP and SonarPython are open source plugins that, together, bring over 175 new checks to our plugin offerings. They can help detect code smells, potential bugs, and security vulnerabilities in your code!

Enable them in your repo settings to expand your PHP or Python analysis!

Add the changelog to your RSS reader!

This changelog is now available via RSS! Subscribe at https://codeclimate.com/changelog.rss to stay up to date with all the latest news.

Run Brakeman on a Rails app in a sub-directory 🛤

Our Brakeman engine now supports scanning a Rails application in any directory of your repository. Brakeman supports this via an app_path option, which you can now specify in your .codeclimate.yml:

          app_path: "apps/rails2"

Now available: SonarJava plugin! 🐋

We're excited to introduce our SonarJava plugin, which expands our recently launched support for Java on Code Climate.


SonarJava is an open source plugin referencing a set of static analysis checks produced by SonarSource. It helps find a variety of issues in Java repos from style checks, to potential null-pointer exceptions, and much more.

Enable it in your repo settings to add linting to your Java analysis!

Smarter duplication detection! 🤓

Our duplication analysis is great for finding accidental copy-paste or slightly modified pieces of code in your project. However, sometimes it would report common pieces of boilerplate when those are perfectly legitimate uses of the language. One example is large numbers of module requires in JavaScript, such as:

    const ModuleA = require("module_a"),
      ModuleB = require("module_b"),
      ModuleC = require("module_c"),
      ModuleD = require("module_d"),
      ModuleE = require("module_e");

Another example is import statements:

    import React, { Component, PropTypes } from 'react'
    import { Table, TableBody, TableHeader, TableHeaderColumn, TableRow } from 'material-ui/Table'
    import values from 'lodash/values'
    import { v4 } from 'uuid'

We've recently made our duplication analysis smarter so that common patterns like these in Java, JavaScript, and PHP will no longer be reported as duplication on Code Climate, so you can be more confident in the duplication results you do see from Code Climate.

New: Support for JSX

We're glad to announce we've recently improved our JavaScript analysis with support for React's JSX syntax!

If you're a React developer, JSX is probably an important part of how you write your components. We've improved our JavaScript parsing capabilities recently, so we now apply the same 10-point technical debt inspection to your JSX code that we do to the rest of your JavaScript:

We think this'll really help JavaScript teams improve their React apps, and hope you enjoy it!

Fresh pots! Code Climate for Java is here ☕️

We're delighted to finally announce first class support for Java within Code Climate!

This includes understanding and tracking Java technical debt using our 10-point maintainability inspections, full support for tracking test coverage of Java applications, as well as plugins for open source static analysis tools you may already know and love, like Checkstyle and PMD.

Java becomes the fifth programming language to be supported on Code Climate after JavaScript, PHP, Python, and Ruby. To celebrate, we’re offering new customers 50% off their first 6 months. Find us on Product Hunt to learn more.

We're really looking forward to seeing how this helps teams level up the quality of their Java server-side applications as well as desktop and Android apps.

Give it a try today – we'd love to hear what you think!

Introducing new ratings for your files and repos 🚀

We're extremely excited to introduce new top-level ratings for your files and repositories!

  • Maintainability: An estimate of technical debt in the repo based on a standardized 10-point assessment of duplication, complexity and structural issues.
  • Test Coverage: The percentage of covered lines compared to the total number of lines of code. (We ingest test coverage information from your continuous integration server using our new universal test reporter.)

It’s been six years since we introduced radically simple metrics for code quality. Our new maintainability and test coverage ratings build on that to deliver a new, clearer way to understand your code's quality.

    For more information about how these ratings are calculated, please see our docs. And to learn more about the other great features we're shipping today, check out the blog!

    Finally: In-app analysis configuration 🎉

    We are absolutely delighted to share that it's now possible to control the way we analyze your code quality using simple, in-app configuration. Easily select which checks to run and exclude files that are not relevant:

    You can also easily browse and enable open source plugins right in the app, taking advantage of the 30+ static analysis tools that are compatible with our open, extensible platform.

    Prefer finer-grained control, or want to keep your config in version control? No worries. You can still use file-based configuration using .codeclimate.yml. If checked in, the .codeclimate.yml will take precedence over the in-app configuration.

    This feature has been a long time coming and we hope you like it as much as we do!

    Better quality alerts 🚨

    Our pass/fail pull request statuses are great for ensuring that every change merged into your codebase meets your quality standards. However, every once in a while something may slip through the cracks. For those situations, we’ve got new and improved quality alerts for Slack and email. Alerts are sent when any letter rating changes, or any new files are created with a rating of “C” or lower.

    Here’s what it looks like in Slack:

    And here's an email reporting some test coverage changes:

    We think this new functionality is an excellent complement to our recently-launched customizable issue alerts.

    New test coverage statuses for your pull requests

    We're excited to introduce two new pull request statuses to help you meet your goals for test coverage:

    • Diff Coverage enforces a minimum percentage of test coverage on new and changed lines of code, to help you make sure that every commit improves your overall coverage.
    • Total Coverage helps you maintain your current level of coverage. If merging the PR will reduce your total coverage, this status line will fail.

    These statuses will be rolled out gradually over the next few weeks. If you're already using our test coverage integration you'll automatically get these pass/fail statuses on your pull requests, with the diff coverage threshold set at a default of 80%.

      If you’re currently using our older codeclimate/coverage as a required status on your pull requests, we recommend first removing it via your GitHub Repo Settings before enabling either of the new statuses. The codeclimate/coverage status is deprecated, and will no longer update correctly within your pull request.

      Head to our docs to learn more about configuring these new statuses, and setting up test coverage.

    Limit permissions for pull request approvals and issue status setting 🙋🏽

    Previously, any member of your Code Climate organization could set an issue's status (to "invalid" for example), and anyone could "approve" a pull request. These are powerful tools, either of which can easily turn a pull request status from red to green, and thereby allow engineers to merge potentially problematic code. While granting these powers to everyone is probably fine for smaller teams, larger teams asked us to provide a way to limit these abilities to a subset of members.

    We listened, and recently rolled out two new organization-level settings: one to restrict pull request approvals and one to restrict editing an issue's status. The default for these permissions is "Anyone who can view the repo". To change it to "Owners only", navigate to your organization's settings, click the "Teams" tab, and navigate to "Permissions" at the bottom of the page.

    Override issue severity for better tuning 🚦

    Following our recent update to pull request statuses, we have added a way to override the severity of issues reported by Code Climate! Let's say you want to add the FIXME engine to your repo, but don't want new FIXME issues to fail your pull requests. You can add the following snippet to your .codeclimate.yml:

            enabled: true
              severity: info

    FIXME issues will be reported by Code Climate and shown on the pull request page, as well as the issue list, but won't cause your PRs to turn red.

    New Pull Request Status Behavior

    Today, we are rolling out a change to our pull request status. Issues reported by Code Climate have a severity. Starting today, issues with a severity of info will not be included in the count of new or fixed issues sent to the pull request's status line. We hope that this makes our status lines more relevant and actionable!

    New: Configurable Issue Alerts ⛑

    We're excited to announce that you can now configure issue alerts to receive an email when high impact issues are introduced into the default branch of your project's code base.

    Now, instead of sifting through issues of mixed relevancy, you can be notified immediately about the issues that matter most:

    By default, Code Climate will send an email alert when issues with a severity of "critical" or higher are introduced. You can configure issue alerts to prioritize specific categories and modify the severity threshold in the notifications section of your user settings:

    We've found these really useful for tracking significant changes in our project's quality, including the introduction of security vulnerabilities. Check out our docs for more information on configuring issue alerts.

    Feel free to send user feedback at https://codeclimate.com/help.

    Organizing your organizations

    We are happy to announce improved navigation of your Code Climate organizations!

    Now when you go to Code Climate, you will see a list of your current private organizations as well as open source. Click on the desired organization to open the familiar list of repositories for that organization or open source. To return to the organization selection page, click on the Code Climate logo at the top left of the screen.

    You can also access the organization list via a dropdown at the top left side of your screen next to the Code Climate logo. Hover over the current organization name and then click on the organization you wish to see, to easily jump to whichever organization you need from anywhere on Code Climate.

    Now in public beta: Support for parallelized test coverage reporting!

    We're excited to announce the public beta for our new test coverage reporter!

    This reporter adds a frequently requested feature — support for parallelized CI builds, by combining multiple test reports together into a single payload submitted to the Code Climate API. You can combine multiple reports from the same test suite or from entirely different test suites covering code written in different languages.

    It's written in Go, improving performance, and supports multiple test coverage formats under the same pre-built binary.

    The new reporter currently supports popular test coverage report formats for Ruby, JavaScript, Python, PHP, Go, Java, and Groovy.
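An added illustration (not the reporter's own code) of the combination step described above, together with the diff and total coverage statuses introduced in the earlier pull request status entry; the shard format, the sum-per-line merge rule, the 80% threshold default and the sample data are assumptions made for this example.

```python
"""Added example: merging parallel test coverage shards and evaluating the two coverage statuses.

Assumptions (illustrative, not the Code Climate reporter's own code): a report maps a
repo-relative path to a per-line list where None means "not instrumented" and an integer
is the hit count; shards are merged by summing hit counts per line; diff coverage is
measured over instrumented lines that the pull request changed.
"""

# Constructed coverage shards from two parallel CI jobs running halves of one suite.
SHARD_A = {"lib/auth.rb": [1, 0, None, 2, 0, 1], "lib/util.rb": [1, 1, None, 0]}
SHARD_B = {"lib/auth.rb": [0, 3, None, 0, 0, 0], "lib/util.rb": [0, 0, None, 1]}

# Constructed set of lines the pull request added or changed.
CHANGED_LINES = {"lib/auth.rb": {4, 5, 6}}


def merge_reports(reports):
    """Combine shard reports into one payload: per-line hits are summed, uninstrumented stays None."""
    merged = {}
    for report in reports:
        for path, lines in report.items():
            current = merged.setdefault(path, [None] * len(lines))
            if len(current) != len(lines):
                raise ValueError(f"line count mismatch for {path}: shards built from different sources")
            for index, hits in enumerate(lines):
                if hits is not None:
                    current[index] = (current[index] or 0) + hits
    return merged


def coverage_percent(report, changed=None):
    """Covered instrumented lines as a percentage; restricted to `changed` lines when given."""
    covered = total = 0
    for path, lines in report.items():
        for lineno, hits in enumerate(lines, start=1):
            if hits is None:
                continue
            if changed is not None and lineno not in changed.get(path, ()):
                continue
            total += 1
            if hits > 0:
                covered += 1
    return None if total == 0 else round(100.0 * covered / total, 1)


def coverage_statuses(merged, changed, base_total_percent, diff_threshold=80.0):
    """The two statuses from the changelog: diff coverage against a threshold (default 80%) and
    total coverage that must not drop below the default branch's value."""
    diff = coverage_percent(merged, changed)
    total = coverage_percent(merged)
    return {
        "diff_coverage": "success" if diff is None or diff >= diff_threshold else "failure",
        "total_coverage": "success" if total is not None and total >= base_total_percent else "failure",
        "diff_percent": diff,
        "total_percent": total,
    }


if __name__ == "__main__":
    merged = merge_reports([SHARD_A, SHARD_B])
    # A single shard under-reports (62.5%); the merged payload reflects the whole suite (87.5%).
    print("shard A alone:", coverage_percent(SHARD_A), "merged:", coverage_percent(merged))
    print(coverage_statuses(merged, CHANGED_LINES, base_total_percent=85.0))
```

With the sample data the merged total passes the base of 85%, while the changed lines reach only 66.7%, so the diff coverage status fails on its own.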

    For installation instructions, please check out the docs.

    We would love to hear your feedback! Feel free to send us a message or open an issue on GitHub.

    New: One-click set up for OSS repos!

    Adding open source repositories to Code Climate has never been easier!

    While logged into Code Climate, you'll see a list of the GitHub open source repositories for which you're an admin. Select the repository you want and we'll set it up, including webhooks and pull request integration. Once added, you can keep track of your projects in the Open Source section of your dashboard.


    Let's Talk About Grep! 🔍

    Today, we are excited to introduce our grep analysis engine.

    Grep is a long-standing tool that is essential to developers. It allows you to search files for matches against given regular expressions. Now, we are bringing grep to Code Climate to give teams a way to detect specific patterns in their code. The issues emitted by the grep engine are entirely configurable. You can use the grep engine to enforce specific style rules (e.g. don't define methods that start with set_ or get_), or to help burn down existing constructs – as seen in this rule to deprecate use of octicons:

        enabled: true
              pattern: \.octicon
              annotation: "Don't use octicons"
              severity: minor
              categories: Compatibility
                - "**/*.slim"
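To show how a configured pattern like the one above becomes issues, and how the rules from the earlier entries (info-severity issues left out of the status line, per-check severity overrides, wontfix/invalid statuses, the alert severity threshold) decide whether a pull request fails, here is an added example in Python; it is not the grep engine's code, and the rule names, sample files, issue dict shape and fnmatch-style path matching are constructed assumptions.

```python
"""Added example: a minimal grep-style engine and the pull request gate it feeds.

Assumptions (not the Code Climate engine's own code): the config shape below mirrors
the octicons rule from the changelog; paths are matched with fnmatch semantics, so
'*' also crosses '/' separators; issue dicts follow the general shape of engine output
(type, check_name, description, categories, severity, location).
"""
import fnmatch
import re

# Constructed config: the changelog's octicons rule plus the get_/set_ style rule from the prose.
GREP_CONFIG = {
    "patterns": {
        "no-octicons": {
            "pattern": r"\.octicon",
            "annotation": "Don't use octicons",
            "severity": "minor",
            "categories": ["Compatibility"],
            "paths": ["**/*.slim"],
        },
        "no-get-set-prefix": {
            "pattern": r"\bdef (get|set)_",
            "annotation": "Don't define methods that start with get_ or set_",
            "severity": "info",
            "categories": ["Style"],
            "paths": ["**/*.rb"],
        },
    }
}

# Constructed sample files keyed by repo-relative path.
SAMPLE_FILES = {
    "app/views/layouts/nav.slim": "nav\n  span.octicon.octicon-home\n  a href='/'\n",
    "app/models/user.rb": "class User\n  def get_name\n    @name\n  end\nend\n",
    "lib/icons.js": "const cls = '.octicon';\n",  # outside the rule's paths, so never reported
}

SEVERITY_RANK = {"info": 0, "minor": 1, "major": 2, "critical": 3, "blocker": 4}


def run_grep_engine(config, files):
    """Emit one issue per line that matches a configured pattern in a matching path."""
    issues = []
    for name, rule in config["patterns"].items():
        regex = re.compile(rule["pattern"])
        globs = rule.get("paths", ["**"])
        for path, text in files.items():
            if not any(fnmatch.fnmatch(path, glob) for glob in globs):
                continue
            for lineno, line in enumerate(text.splitlines(), start=1):
                if regex.search(line):
                    issues.append({
                        "type": "issue",
                        "check_name": name,
                        "description": rule["annotation"],
                        "categories": list(rule["categories"]),
                        "severity": rule["severity"],
                        "location": {"path": path, "lines": {"begin": lineno, "end": lineno}},
                    })
    return issues


def issue_key(issue):
    """Identity used to attach a status (confirmed/wontfix/invalid) to an issue."""
    loc = issue["location"]
    return (issue["check_name"], loc["path"], loc["lines"]["begin"])


def apply_severity_overrides(issues, overrides):
    """Per-check severity override, like `severity: info` on the FIXME engine in the changelog."""
    return [dict(i, severity=overrides.get(i["check_name"], i["severity"])) for i in issues]


def pull_request_status(new_issues, statuses=None):
    """Status-line rule from the changelog: info-severity issues are not counted, and an issue
    marked wontfix or invalid does not block. Returns (state, number of blocking issues)."""
    statuses = statuses or {}
    blocking = [
        i for i in new_issues
        if i["severity"] != "info" and statuses.get(issue_key(i), "confirmed") == "confirmed"
    ]
    return ("failure" if blocking else "success", len(blocking))


def alert_worthy(issues, threshold="critical"):
    """Issue alert filter from the changelog: only issues at or above the threshold notify."""
    floor = SEVERITY_RANK[threshold]
    return [i for i in issues if SEVERITY_RANK[i["severity"]] >= floor]


if __name__ == "__main__":
    found = run_grep_engine(GREP_CONFIG, SAMPLE_FILES)
    for issue in found:
        print(issue["severity"], issue["location"]["path"], issue["description"])
    print(pull_request_status(found))  # the minor octicons issue blocks; the info one does not
```

Note that both a severity override to `info` and a wontfix/invalid status take an issue out of the gate entirely, so who may set those is exactly what the organization-level permissions described earlier control.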

    This will generate the following issues on Code Climate:


    Check out our documentation to set up your own grep patterns!

    New: Test Coverage Trends 📈

    We are excited to introduce the test coverage trends chart, a new way to visually track the overall test coverage of a repository over time. For repositories with test coverage enabled, this chart will now appear on the trends tab in addition to the GPA and Churn vs. Quality charts.

    Data is plotted on a weekly basis, with each data point corresponding to the most recent coverage payload received for the repository's default branch within that week. The coverage value is also given a rating (A, B, C, D, or F) that reflects the degree of test coverage, with each rating appearing as a different color band.

    Data is available beginning the week of 3/26/2017.

    So fresh, so clean: Introducing our new design 🛁

    We're excited to announce that our new UI is leaving beta and rolling out to all Code Climate users!

    Our new design emphasizes clarity and readability while bringing you several new features:

    • A new progress report that gives you a convenient overview of major changes in your repo from the last 7 days,
    • An expansion of how we rate the severity of issues, making it easier to assess the importance of found issues, and
    • New issue statuses that let you mark issues as confirmed, wontfix, or invalid, which complement the functionality of our Pull Request Approval feature. Now, if an issue is marked with a status other than 'Confirmed', it won't fail a pull request!

    These updates form the foundation for future changes to improve your workflow and give you more insight into your code's quality.

    Thanks to everyone who has provided feedback so far and helped shape our new look. If you have thoughts, we'd love to hear them: Please drop us a line at https://codeclimate.com/help.

    Introducing issue statuses

    We're excited to introduce new functionality that lets you add meaningful status and context to issues, so you can better manage what is addressed and when.

    Now you can mark issues as confirmed, invalid, or wontfix, with the option to note a reason for your choice.

    Our pull request integration provides a pass/fail commit status to help you decide at-a-glance if code should be merged or not. When set as a required check, pull requests introducing new issues are blocked until each new issue is resolved.

    Now, you can mark issues as invalid or wontfix so that they won't count toward the overall fail state and block the merging of the PR. Pull requests will update automatically to reflect status changes.

    Check out our issues documentation for a full walkthrough of the feature.

    Prog rocks: Our newly released progress report 🎸

    Keeping track of longer-term changes in your codebase is an important part of ensuring code quality. Today, we're happy to make our new progress report available to help you do just that.

    The progress report shows you significant changes in your codebase over the last seven days, and allows you to dive into the details of those changes to identify causes of improvements and declines.

    We hope you find this helpful in managing your projects!

    Ring the alarm: Announcing issue severity 🚨

    Today, we're excited to introduce a more nuanced view of issue severity. Each issue is now reported with one of five possible severity levels – Info, Minor, Major, Critical, and Blocker – so you can quickly gauge a reported issue's potential impact. Dots on the corner of every issue provide a further visual representation of the severity, helping you quickly parse your Issues report.


    One of the greatest challenges in improving code quality is knowing where to start, and understanding issue severity is a great way to figure that out!

    Engine Update: ESLint 3 promoted to stable 🚂

    We are pleased to announce that the stable channel of our ESLint engine now tracks ESLint 3! ESLint 3 was previously available on its own eslint-3 channel, and we are excited to promote it to the default ESLint version available on Code Climate.

    ESLint brings a slew of new checks, as well as code path analysis to help you keep your JavaScript the best it can be.

    To enable ESLint for your project, add it to your .codeclimate.yml:

            enabled: true

    Historically, we have auto-generated a .eslintrc file if it was not present in the repository, even if other ESLint configuration was present. With this push, we will now generate a file only if there is no other top-level ESLint configuration.

    Lastly, this update will automatically upgrade your configuration if you were using an older version of ESLint. To see what changes we made, expand the output on your repo's build page:


    February Engine Updates

    Brakeman OSS and Brakeman Pro

    • Updated Brakeman to 3.5.0

    Bundler Audit

    • Updated vulnerabilities database
    • Added support for custom Gemfile.lock paths


    • Promoted ESLint 3 to the stable channel


    • Updated to 4.6.1


    • Updated to 2.1.12

    New analysis engine: Stylelint 🎩

    We're excited to introduce our latest community engine, thanks to awesome developer program member contributor Gil Barbara!

    Stylelint is a modern CSS linter to help you enforce code style conventions and avoid errors in your stylesheets.

    To enable Stylelint for your analysis on codeclimate.com or Code Climate Enterprise, add the following to your .codeclimate.yml configuration file:

            enabled: true
          - "**.css"
          - "**.less"
          - "**.scss"
          - "**.sss"

    You can also enable the engine via the CLI with codeclimate engines:enable stylelint. This will create a default configuration file if you don’t have one already.

    Stylelint has over 150 rules, all of which are completely configurable. Add it today and keep your CSS squeaky clean!

    We're on fire! Our GitHub browser extension now supports Firefox 🔥

    We are excited to announce that we have added Firefox support to our browser extension! Now, in both Firefox and Chrome, you can see all your analysis results right in the GitHub UI, including:

    • Project GPAs
    • Inline issues on pull requests
    • Integrated Test Coverage

    Thousands of Chrome users have already installed our extension, and we're very excited to improve the GitHub and GitHub Enterprise workflow of all of our Firefox users too!

    Head to the product page to install the extension and to watch a quick tour.

    New analysis engine: Flog 💎

    Today, we're excited to announce the release of the Flog analysis engine.

    Flog is a static analysis tool for Ruby that measures the ABC complexity of methods. Or, as stated by its author, Ryan Davis: "Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in."

    For those of you who’ve been using Code Climate for a while, ABC is the same complexity metric that was calculated as part of our Classic analysis - and we’re excited to reintroduce it as an engine!

    To enable the Flog engine for your project, add the following to your .codeclimate.yml configuration file:

            enabled: true
          - "**.rb"

    If you have the latest version of the CLI installed, you can enable the engine with codeclimate engines:enable flog.

    Better HTML output in the Code Climate CLI 📂

    Generating an HTML report can be helpful when working with our CLI, especially for repos with a large number of issues. Our HTML formatter is now greatly improved and includes:

    • Issue Read Ups
    • Filtering
    • Code snippets
    • Analysis engine information


    To generate an HTML report for your repo, run:

        codeclimate analyze -f html > codeclimate.html

    Open codeclimate.html in your browser of choice and check out what Code Climate found!

    Improved help commands in the Code Climate CLI 📚

    We've expanded the help information in the Code Climate CLI! Running codeclimate help will give you a list of commands, a description of each, and their arguments. Running help with a specific command (e.g. codeclimate help analyze) will give you a fuller description of the arguments for that command, including the possible values!


    Update to the latest version of the CLI and try it out today!

    January Engine Updates 🎊


    Brakeman OSS

    Bundler Audit



    • eslint-config-react-app plugin added
    • eslint-plugin-xogroup plugin added



    • Added a stable release

    New in Code Climate Enterprise Version 1537

    This release contains a number of engine improvements and introduces a new pull request approvals feature.

    Application Updates

    • Introduced Pull Request Approvals. It is now possible for repo collaborators to approve a pull request when issues are introduced that should not prevent merging.
    • Added a button to test SMTP authentication on the instance settings page.

    Engine Updates

    ESLint: eslint-3 channel

    • Added support for the eslint-plugin-meteor plugin
    • Added support for the eslint-plugin-immutable plugin
    • Added support for the eslint-plugin-import-order plugin
    • Added support for the eslint-plugin-jasmine plugin
    • Added support for the eslint-config-semistandard configuration


    New: Approve your failed pull requests!

    We're excited to share some new functionality that our team has been using for a little while. Now, there's a straightforward means for merging any "failed" pull requests that your team agrees are acceptable.

    Our pull request integration provides a pass/fail commit status for quality, security, or style issues. This is great for helping you decide at-a-glance if the code should be merged or not. It's especially useful when set as a required check, to ensure that only code meeting your team’s standards is merged into protected branches.

    However, there are situations in which you may not want to address the new issue right away – particularly if the remedy for the issue is beyond the scope of the pull request. For example, refactoring a class that exceeds a code line threshold due to changes introduced in a pull request.

    To approve a failing pull request, view the PR on Code Climate and click the "Approve" button next to the status:

    We've been using this feature for a while now, and really appreciate the added flexibility in our workflow. We hope you will too!

    December Engine updates ☃️


    • eslint-config-semistandard plugin added


    • Ignore non-comment instances of matched strings in .codeclimate.yml



    • Updated to 2.5.0

    PHP Code Sniffer

    • Updated to 2.7.1
    • Updated drupal/coder to 8.2.10


    Reek - Updated to 4.5.3

    RuboCop - Updated to 0.46.0

    New: One-click set up for GitHub integrations! 🐙

    Rejoice! We've simplified our GitHub integration setup so that you can add Code Climate GitHub integrations to your repositories with a single click.

    If you've authorized your Code Climate user and are an administrator for your repository on GitHub, you can use these new buttons to set up integrations for both your private and public projects. No more copying and pasting access tokens between GitHub and Code Climate!

    With pull request integration enabled, Code Climate will automatically analyze your branch when changes are pushed and pull requests are opened. We'll then post a summary of what we found as a status check at the bottom of the pull request, with a link back to the complete analysis. Check out our docs on GitHub integrations for more details.

    November Engine updates 🍁 🍂


    • [NEW] Updated to ApexMetrics 1.3.1, including new security-focused checks


    • [NEW] Issues considered "warnings" by CoffeeLint are now reported to Code Climate (details)



    • [NEW] Added support for the react-intl plugin in both our eslint-2 and eslint-3 channels

    channel eslint-3

    • [NEW] Upgraded ESLint version to 3.9.1
    • [NEW] Upgraded several ESLint packages for the eslint-3 channel (details)


    New in Code Climate Enterprise Version 1430

    This release brings new functionality in Code Climate: Enterprise for users interested in our API, and some engine updates that may be valuable to Apex and React developers.

    Application Updates

    Engine Updates


    • Update to ApexMetrics 1.3.1, including new security-focused checks


    • Issues considered "warnings" by CoffeeLint are now reported to Code Climate (details)


    • Added support for the react-intl plugin in both our eslint-2 and eslint-3 channels

    Configure your GitHub permissions from Code Climate

    We're excited to introduce new functionality which allows you to manage the GitHub permissions you've granted Code Climate right from your Code Climate profile page.

    Not too long ago, we updated the way Code Climate users sign up via GitHub, requiring fewer permissions up front, and letting users grant additional access as needed later.

    To further simplify managing your Code Climate user's connection to GitHub, we've added a new section to your Code Climate user page listing precisely which permissions you've granted, as well as a convenient button so that you can grant access to add or administer repositories on Code Climate with a single click:

    For more detailed information about the differences in GitHub permissions, check out our docs.

    Now in beta: Code Climate REST API 📡

    We are pleased to announce the beta release of a new Code Climate REST API. For the first time, this means that you can easily access robust static analysis and test coverage information that Code Climate produces.

    The API lives at https://api.codeclimate.com and here's an example of one endpoint:

    GET /repos/:repo_id/snapshots/:snapshot_id/issues

    issues response

    Although not previously public, this is the same API that powers the Code Climate browser extension for GitHub. We are shifting to an API-first development process which should result in significant expansion and improvement to the API on an ongoing basis.

    We are excited for you to give it a try. To get started, visit the new token settings page of your Code Climate profile and create a new personal access token:

    The API is currently in beta and we welcome your feedback. To learn more about the endpoints and resources available, check out our API documentation.

    New in Code Climate Enterprise Version 1415

    This week's release brings some new functionality to Code Climate: Enterprise to improve your workflows.

    Application Updates

    Engine Updates


    Code Climate Browser Extension now available for GitHub Enterprise!

    Code Climate Enterprise customers can now use our browser extension with GitHub Enterprise.

    Head on over to our extension's options page and configure your Code Climate Enterprise and GitHub Enterprise endpoints like so:

    For a full run-down of configuration options, check out our docs.

    You're all set! For Code Climate Enterprise enabled repositories, you'll now see analysis results, test coverage reports, and other helpful code review tools right in your GitHub Enterprise UI.

    Happy coding!

    New in Code Climate Enterprise Version 1411

    Application Updates

    Engine Updates



    • Upgraded ESLint version to 3.9.1

    • Upgraded several ESLint packages for the eslint-3 channel (details)

    Now available: Support for external configurations 🎇

    As a team that works in many different repositories, we know it can be hard to keep your rules for tools like RuboCop & ESLint consistent & up-to-date for all your repos. Which is why we're very excited to announce support for sharing these files automatically on Code Climate:

      - url: "https://example.com/styleguide/our_rubocop.yml"
        path: ".rubocop.yml"
        enabled: true

    With this new prepare configuration option, you can keep your engine configurations in one place (personally, we like to use a centralized styleguide repository) and ensure all of your repos get the same engine configurations when Code Climate analyzes them.

    We've found this to be very useful when working with multiple repositories, and we think you will too!

    You can start using external configuration files today by editing your .codeclimate.yml. For more details please see our doc on Configuring the prepare step.

    Just released: Ruby Test Reporter 1.0.0

    We're excited to share that we've released the 1.0.0 version of our Ruby Test Reporter tool for submitting test coverage information to Code Climate. The biggest improvement is that we only send results when the tests pass, because that's what's most interesting to track over time. This helps keep your coverage information relevant and complete, especially with the recent addition of a pull request status about test coverage.

    If you were previously using our Ruby test reporter, check out our upgrade instructions here.

    If you aren't yet reporting test coverage to Code Climate, now is a great time to start. With our GitHub browser extension, you can see which lines are covered while looking at pull requests or browsing through files. We also recently added the aforementioned support for adding a coverage status check to your pull requests.

    To get started with test coverage please check out our docs.

    New in Code Climate Enterprise Version 1405

    This release adds several engine updates, as well as some meaningful improvements to the experience of using Code Climate: Enterprise.

    Application Updates

    • Users can now upload self-signed certificates for self-hosted services like JIRA.
    • We added a configuration option for permitting internal webhook integrations.

    Engine Updates

    • ESLint: Added configuration option for ignoring warnings.
    • ShellCheck: Analyzes all shellcheck-compatible scripts.

    Support for ESLint 3

    Back in May, we introduced engine channels as a new feature in the Code Climate Platform. The good news is that engine channels make it super easy for us to provide additional tracks of engine releases. In fact, it's so easy, we forgot to announce our newest engine channel, eslint-3, which brings support for the latest major release of ESLint.

    So, without further ado, we'd like to announce support for ESLint 3!!

    ESLint 3 adds some new features and fixes several bugs found in previous versions. Additionally, some important rules were added to the shared eslint:recommended configuration. You can read more about the changes in ESLint's official announcement.

    Since we published the ESLint 3 engine channel in September, it has become the most active target for new plugins and enhancements.

    Here are a few awesome community contributions we've released recently:

    • Support for JSDoc, Lodash, Mocha, MongoDB, and Node Security Project plugins (pr/131 by @knuagpal)

    • Support for the ember-suave ESLint plugin (pr/140 by @blimmer). A popular plugin for Ember users recently made its way to the ESLint ecosystem! Users of the Code Climate engine can now use the new ESLint plugin on codeclimate.com and via the CLI.

    • Ignore warning-level violations from ESLint (pr/144 by @blimmer). By default, this ESLint engine will emit both ESLint errors and warnings as Code Climate issues. If you prefer, you can now ignore warning-level violations by setting the ignore_warnings configuration option:

        engines:
          eslint:
            enabled: true
            channel: eslint-3
            config:
              ignore_warnings: true

    These contributions are, for now, exclusive to the eslint-3 channel so why not take the opportunity to upgrade your analysis? You can do so by updating your .codeclimate.yml configuration file:

        engines:
          eslint:
            enabled: true
            channel: eslint-3

    RuboCop engine upgraded to v0.45.0

    Good news for Rubyists! We've upgraded our RuboCop engine to run RuboCop v0.45.0.

    This upgrade brings a number of bug fixes and improvements in RuboCop, including several new cops, such as one to help improve your Rails migrations.

    If you're already using our RuboCop engine, you'll get these improvements automatically. If you aren't currently using RuboCop as part of your analysis, you can add it to your .codeclimate.yml:

        engines:
          rubocop:
            enabled: true

    Check out our RuboCop engine doc for more information.

    Improved GitHub OAuth experience!

    We're very pleased to announce that we've updated the way GitHub users OAuth into Code Climate to give you more fine-grained control over your GitHub account permissions.

    Previously, signing up for Code Climate via GitHub meant giving us access to your private repos right away. That's unnecessary if you're exclusively using Code Climate for browsing repos added by others or for open source projects.

    We've improved our OAuth implementation so that the only access needed upfront is to your email address.

    Later, if you'd like to set up or administer a repository, you'll be prompted to provide additional permissions on GitHub.

    This update applies to GitHub linked users for both codeclimate.com and Code Climate Enterprise.

    For more information, please check out our doc on Setting GitHub OAuth Permission Levels or get in touch with our support team.

    We have more improvements to our GitHub OAuth experience planned, but wanted to get this out the door quickly. Stay tuned for more 🔜.

    October engine updates 🎃

    Brakeman

    • [NEW] Brakeman now supports configurable engine paths
    • [NEW] Brakeman now verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base
    • [FIX] Fixed an issue with link_to href warnings and string interpolation
    • [FIX] Fixed a false-positive warning when using where_values_hash

    Duplication

    • [NEW] Support Python 3 syntax
    • [NEW] Support PHP 7 syntax
    • [FIX] Implemented performance improvements related to the engine's memory usage
    • [FIX] Upgraded to latest version of JRuby

    Foodcritic

    • [NEW] Allow configuration of custom rules
    • [NEW] Upgraded Foodcritic to 8.1.0

    • [FIX] Fixed an issue where files with colons in the name would error (details)
    • [FIX] Fixed an issue where an exception would cause the engine to hang

    PHP Code Sniffer

    • [NEW] Update WordPress coding standards to 0.10.0
    • [FIX] Fixed an issue with unescaped unicode encoding (details)

    • [FIX] Fixed an issue with unescaped unicode encoding (details)


    Foodcritic Engine upgrade and support for custom rules

    Chef users rejoice! We have upgraded our engine to run Foodcritic v8.1.0.

    We've also added support to include your own custom static analysis rules. Adding an include_rules attribute to your .codeclimate.yml file now allows a list of custom rules to be evaluated in your Code Climate report. Here's an example configuration file:

        engines:
          foodcritic:
            enabled: true
            config:
              include_rules:
                - rules/my_custom_rule.rb
                - rules/my_other_custom_rule.rb

    Check out the full engine documentation for all configuration options.

    New in Code Climate Enterprise Version 1382

    This release brings a host of engine updates, as well as some meaningful improvements to the experience of using Code Climate: Enterprise.

    Application Updates

    • As part of our improved GitHub OAuth experience, users signing up via GitHub need only provide the email scope, with additional scopes requested as needed.

    • Admins will now receive an email notification about requested password resets for their users.

    • You can now see whether or not an organization is public in the admin view.

    • Your dashboard will now display public organizations.

    Engine Updates

    ESLint

    • Support for ESLint 3

    • Support for eslint-plugin-ember-suave

    PHP Code Sniffer

    • WordPress coding standards updated to 0.10.0

    Reek

    • Updated Reek to 4.5.0

    RuboCop

    • Improved grading of BlockLength issues

    Introducing our new and improved Docs ✨


    We love seeing people ship quality software. That’s why we're incredibly excited to show off our new and improved docs site!

    It'll help set you up for success by letting you quickly find answers to questions like:

    Our new docs layout makes it easier to find critical information, so you can get more done, sooner. Happy coding!

    Duplication analysis for PHP 7! 🐘

    We’ve just added support for PHP 7 to our duplication engine. Now you can identify duplication in PHP 5 and PHP 7 code!

    In addition to PHP, our duplication engine provides analysis for Ruby, JavaScript, and Python. Repos already using the engine will automatically receive duplication analysis for both PHP 5 and 7.

    To enable duplication analysis, add the following to your .codeclimate.yml configuration file, removing any languages which aren't present in your repository:

        engines:
          duplication:
            enabled: true
            config:
              languages:
                - ruby
                - javascript
                - php
                - python

    Check out our documentation for other ways you can customize your duplication analysis.

    New Duplication Analysis for Python 3 🐍

    Python authors using Python 3 can now get more out of Code Climate with our duplication engine. We've long supported Python 2, but as of today we've released additional parsing options so that users can find potential code duplication issues in their Python 3 code.

    To enable Python 3 duplication analysis for your repo, ensure you've turned on our duplication engine in your .codeclimate.yml, and add a python_version key:

        engines:
          duplication:
            enabled: true
            config:
              languages:
                python:
                  python_version: 3
        ratings:
          paths:
            - "**.py"

    Check out our documentation for other ways you can customize your duplication analysis.

    New analysis engine: Brakeman Pro 🚂

    Today, we’re excited to announce the release of the Brakeman Pro analysis engine.

    Brakeman Pro is the commercial version of the Brakeman vulnerability scanner (also available as a Code Climate engine), providing deeper analysis, more in-depth feedback, and greater customization of your Ruby on Rails security scan.

    Already available in desktop and Ruby gem versions, the Brakeman Pro engine lets you easily automate in-depth source code security scans as part of your Code Climate analysis.

    To enable the Brakeman Pro engine for your project, you’ll need to include a Brakeman Pro license file in the top directory of the project. Check out the Brakeman Pro docs for more information about obtaining a license. Then add the following to your .codeclimate.yml configuration file:

        engines:
          brakeman-pro:
            enabled: true
        ratings:
          paths:
            - "**.rb"

    If you have the CLI installed, you can enable the engine with the engines:enable command:

       brew update && brew upgrade codeclimate
       cd ~/my/awesome/app
       codeclimate engines:enable brakeman-pro

    You can try Brakeman Pro free for 14 days - just head to the official site to get started.

    Now available: Our GitHub browser extension 🎉

    The Code Climate browser extension for GitHub is out of closed beta and available for all to install!


    Our browser extension brings all your analysis results right into the GitHub UI. We're really enjoying how much inline code review and test coverage highlighting has improved our GitHub workflow – and we think you will too!

    Head to the product page for one-click install and to watch a quick tour.

    🚀 Introducing Status Updates for GitLab!

    Good news for GitLab users: We've tightened our integration to add support for status updates on merge requests! Now you can automatically run analysis and get results in your GitLab or GitLab Enterprise merge requests:

    After you open a merge request, we update its status in GitLab with pass/fail and a link back to our complete analysis, so you can merge with confidence.

    Check out our documentation to get started today!

    Test Coverage on your GitHub PR Commit Status

    We love GitHub's commit statuses and have sent our own based on the results of Code Climate build analyses for quite some time.

    Today, we're happy to announce that we've added an additional status specifically for test coverage.

    As soon as we receive and analyze your test report payload, sent from any of our test reporters, we'll update the PR with test coverage details giving you more insight into the proposed changes.

    If you haven't already, configure your CI service to send test reports to Code Climate and enable GitHub Pull Request integration for your Code Climate repo to receive the new status. If you're already set up, you should see the test coverage status show up on new PRs soon after your CI build finishes!

    Get test coverage for PRs without leaving GitHub

    We take test coverage seriously here at Code Climate, which is why we’re super excited to bring inline test coverage annotations to our GitHub browser extension:

    If you're already sending test coverage reports to Code Climate with our Ruby, Python, JavaScript, or PHP test reporter, annotations should show up automatically in the diff when we have a matching report.

    To get this, and other critical information about code quality without ever leaving GitHub join our browser extension beta.

    Happy testing!

    Engine Update: PHP Code Sniffer now supports WordPress and Drupal coding standards

    We're pleased to announce that our PHP Code Sniffer engine now supports WordPress and Drupal coding standards thanks to an awesome community contribution from @josephdpurcell!

    This support is provided by two great packages, WordPress Coding Standards and Coder, which extend PHP_CodeSniffer with additional checks relevant to their respective communities.

    You can enable checks for WordPress or Drupal coding standards by updating your .codeclimate.yml configuration file:

        engines:
          phpcodesniffer:
            enabled: true
            config:
              standard: "WordPress"

    or, for Drupal:

        engines:
          phpcodesniffer:
            enabled: true
            config:
              standard: "Drupal"

    Check out the engine's README for the full list of supported coding standards.

    Salesforce devs, this one’s for you.

    It’s with the utmost pleasure that we introduce our latest community engine, ApexMetrics, for Salesforce.com’s Apex programming language.

    ApexMetrics runs checks for complexity, performance, and style, to help you find technical debt, identify hot spots for refactoring, and show improvements in your Apex code.

    To enable ApexMetrics for your analysis on codeclimate.com or Code Climate Enterprise, add the following to your .codeclimate.yml configuration file:

        engines:
          apexmetrics:
            enabled: true
        ratings:
          paths:
            - "**.cls"
            - "**.trigger"

    You can also enable the engine via the CLI with codeclimate engines:enable apexmetrics. This will create a default configuration file if you don’t have one already.

    The ApexMetrics engine was built by our friends at Up2Go, with some help from their friends – isn’t open source great?

    By popular demand: ESLint 2

    We're very excited to announce that our ESLint engine now supports the latest and greatest ESLint 2. ESLint 2 offers an updated rule schema, new rules, updated configuration behavior, improved ES6 support, and other great enhancements. You can see more in ESLint's official announcement on the ESLint blog.

    Use ESLint 1.x? No problem. Your ESLint engine will continue analyzing as usual. For those of you using ESLint 2, you can start using the new version in your analysis by making the following update to your .codeclimate.yml configuration file:

        engines:
          eslint:
            enabled: true
            channel: "eslint-2"

    Notice that you're specifying eslint-2 as a "channel"? Engine channels are a new feature in the Code Climate platform. With channels, we'll be able to maintain multiple tracks of engine releases so you can pick the channel that makes the most sense for your project’s requirements. For more information, check out the doc.

    Code Climate integration with Atlassian Bitbucket Pipelines

    Atlassian recently announced a beta program for their new Bitbucket Pipelines integration and we’re proud to be one of their launch partners. Pipelines provides a way to integrate user defined build steps directly into Bitbucket Cloud, allowing for a flexible and powerful build component right inside your favorite VCS – pretty cool!

    Bitbucket Cloud users who also use Code Climate can now automate quality, security, and style analysis for any branch when commits are pushed to Bitbucket. This is the first step in deeper, tighter integration between Bitbucket and Code Climate.

    You can read more about Bitbucket Pipelines here, or head directly to our documentation to learn how to integrate Bitbucket Pipelines with Code Climate today!

    Introducing the Code Climate browser extension for GitHub

    We’re super excited to introduce our new GitHub browser extension, debuting today on Product Hunt.

    It’s still in closed beta for a few weeks, but we’re sending invites to the first 1,000 people who sign up today.


    Head to Product Hunt to see a demo and sign up. We'll also be on Product Hunt all day answering any questions you may have.

    Hope to see you there!

    Tailor your Swift

    We’re super excited to debut our latest community engine, and our first engine for mobile! Tailor is a static analysis tool and linter that analyzes your Swift code to ensure consistent styling and help avoid bugs. Much thanks to Sleekbyte, creators of Tailor, for seeing the potential in open static analysis and going the extra mile to make their tool available on the Code Climate platform.

    Tailor supports Swift 2 out of the box and helps enforce style guidelines outlined in the The Swift Programming Language, GitHub, Ray Wenderlich, and Coursera style guides.

    To enable the Tailor engine for your analysis on codeclimate.com or Code Climate Enterprise, find a Blank Space in your .codeclimate.yml configuration file and add the following:

        engines:
          tailor:
            enabled: true
        ratings:
          paths:
            - "**.swift"

    If you’re running the Code Climate CLI you can enable Tailor with the engines:enable command:

        brew update && brew upgrade codeclimate
        cd ~/my/awesome/app
        codeclimate engines:enable tailor

    Add Tailor to your analysis, and keep your code Safe & Sound!

    Introducing Python Test Coverage 🎉

    Code coverage is an important metric of quality in any software project. Giving your team the confidence that all crucial paths of your codebase are exercised is as important as the test suite itself.

    That's why we're excited to announce official test coverage support for Python projects with our new python test reporter.

    To use the new reporter in your Python project, first generate a coverage report with coverage.py:

    Then you can use the codeclimate-test-reporter to report your results to codeclimate.com:

    And that's it! You'll then see test coverage results within your Code Climate repo.

    For more information, check out our test coverage doc and the Python test reporter repo on GitHub.

    Happy reporting!

    Goodbye PR Comments, Hello Commit Status

    A long time ago, in, well this galaxy actually, we implemented a feature to allow comments on pull requests with a link to the analysis results.

    Since then, GitHub introduced commit statuses for pull requests, and this comment functionality has become less valuable.

    Today, we did a little spring cleaning and migrated all our GitHub pull request integrations to use commit statuses only. Commit statuses give more detailed and clear information about your analysis results, including the number of new and fixed issues.

    If you'd like to disable the commit status integration, visit the integration settings inside of your repo settings and uncheck "Update status":

    Haxe the Planet

    We just released our latest community engine from the good people at Haxe Checkstyle and it’s already being put to great use!

    Haxe is super cool. It’s a high level, strictly typed language used by the Haxe compiler to produce cross-platform code natively. Haxe Checkstyle is a highly configurable static analysis tool to help developers write Haxe that adheres to a coding standard.

    To enable the Haxe Checkstyle engine for your analysis on codeclimate.com or Code Climate Enterprise, add the following to your .codeclimate.yml configuration file:

        engines:
          haxe-checkstyle:
            enabled: true
        ratings:
          paths:
            - "**.hx"

    If you have the Code Climate CLI installed you can enable the engine with the engines:enable command:

        brew update && brew upgrade codeclimate
        cd ~/my/awesome/app
        codeclimate engines:enable haxe-checkstyle

    ShellCheck yo self

    Shell scripts inhabit an interesting place in most projects: they're critical glue code keeping everything working, but don't often receive the attention they deserve when it comes to testing and other quality considerations.

    ShellCheck is a project aimed at solving that by linting shell code for common problems like forgetting to quote variables or accidentally using "bashism" in a script with an sh shebang. Today, we're happy to announce the release of our ShellCheck engine, wrapping this great tool to provide analysis of your shell scripts as part of your familiar Code Climate workflow.

    To try out this engine, just add shellcheck to your list of enabled engines:

        engines:
          shellcheck:
            enabled: true
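    The unquoted-variable problem the post mentions, as an added example that is not code from the Code Climate post: a broken function beside its quoted form, run on constructed inputs (SC2086 is ShellCheck's real warning code for this pattern).

```shell
#!/bin/sh
# Added example, not from the Code Climate post: the unquoted-variable bug that
# ShellCheck flags (SC2086), shown as a broken function beside its fixed form.
# All input values are constructed inline so the script runs offline.

# Broken: $1 is expanded unquoted, so the shell word-splits it and a single
# path containing spaces arrives as several arguments.
count_args_unquoted() {
    set -f            # disable globbing so only word splitting is demonstrated
    set -- $1         # SC2086: double quote to prevent globbing and word splitting
    set +f
    echo "$#"
}

# Fixed: quoting keeps the value as exactly one argument.
count_args_quoted() {
    set -- "$1"
    echo "$#"
}

# Broken: with an empty value the test becomes "[ = yes ]", a syntax error that
# exits 2, so callers cannot tell "no" from "the check could not run".
is_yes_unquoted() {
    [ $1 = yes ] 2>/dev/null
}

# Fixed: the empty string is compared as a real operand and the test exits 1.
is_yes_quoted() {
    [ "$1" = yes ]
}

# Constructed inputs: a path with a space and an empty flag value.
SAMPLE_PATH="build dir/report.txt"

echo "unquoted: $(count_args_unquoted "$SAMPLE_PATH") args, quoted: $(count_args_quoted "$SAMPLE_PATH") arg"
is_yes_unquoted ""; echo "unquoted empty test exits $?"
is_yes_quoted "";   echo "quoted empty test exits $?"
```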

    Good marks for your Markdown

    We’re super excited to release a new community engine based on markdownlint, a style checking tool for markdown documents. markdownlint ships with a set of configurable rules to catch syntax issues and enforce consistency across all the Markdown documentation in your repo.

    To enable markdownlint for your analysis on codeclimate.com or Code Climate Enterprise, add the following to your .codeclimate.yml configuration file:

        engines:
          markdownlint:
            enabled: true

    If you have the Code Climate CLI installed you can enable the engine with the engines:enable command:

        brew update && brew upgrade codeclimate
        cd ~/my/awesome/app
        codeclimate engines:enable markdownlint

    Git your team on board

    Now you can add new team members directly from the commit logs of any repo you've added to Code Climate.

    After all, you already gave everyone access to your Git repository, so why type all those email addresses again?

    Of course, you'll always have the chance to review new members before they join your team, and you can still type in email addresses if you need to.

    We hope this, along with other recent team management improvements, will help simplify onboarding new teammates and establishing shared standards across your whole organization.

    Better Visibility into Critical Issues

    Building on our new issues browsing view, you can now see the number of critical issues in a repo from your dashboard:

    Clicking this number will take you directly to a page to view the critical issues themselves. From there, you can apply additional filters to see issues by engine or by category.

    Adding the number of critical issues to your dashboard provides an at-a-glance view of all of your projects' key metrics. We hope you like it!

    Code quality: Now more inviting.

    Code Climate makes it simple to establish code standards and style guides for your favorite programming languages and frameworks, delivering results from world class static analysis tools directly where you work.

    The thing with standards is that they’re much better when they’re well, standard. So we're happy to present you with three new ways to get your team in sync.

    First, we've added a way to quickly invite anyone on your team who needs access to your Code Climate results, right from your dashboard.

    We've also made it easy to onboard new teammates to your organization from your Pull Request and Build pages. When a new author makes a commit to your repo, we'll display a banner enabling you to quickly invite them then and there, all without leaving the page!

    Email not your thing? No worries. You can now generate a reusable invitation link for your Organization from the People tab. Just copy the link, drop it in your team's Slack or wherever you chat, and everyone can click to join.

    We hope these changes help you take your code to the next level, so you can take over the world!

    P.S. When you take over the world, please remember us fondly.

    Get your Reek on

    New for the Code Climate Platform: Smell detection with Reek!

    Code smells aren’t usually bugs and won’t necessarily stop your code from functioning correctly. However, they’re often symptoms of underlying problems that could put your codebase at risk — so they're definitely worth investigation. Reek examines your classes, modules, and methods and reports any code smells it finds so you can keep an eye on these potentially problematic areas and take action before they become issues. Think about it as a RuboCop for your architecture and code quality.

    To enable Reek for your project, add the following to your .codeclimate.yml configuration file:

        engines:
          reek:
            enabled: true
        ratings:
          paths:
            - "**.rb"

    If you have the Code Climate CLI installed, you can enable the engine with the engines:enable command:

       $ brew update && brew upgrade codeclimate
       $ cd ~/my/awesome/app
       $ codeclimate engines:enable reek

    Add Reek to your analysis today and keep your code fresh!

    Latest Updates to Analysis Engines: February 8 - 14

    ICYMI – the big news from last week is that the Code Climate Platform (including our engines-based analysis) is now out of beta! To learn more, and to see the platform in action, check out the announcement and video on our blog.

    But that’s not all:


    Vim Plugin

    • The hits keep coming for our Vim friends with a plugin that runs the Code Climate CLI. Now you can see your Code Climate results in Atom and Vim!

    PHPMD

    • Updated to latest PHPMD (2.3.2)
    • Tuned concurrent processing of directory contents, dramatically improving engine performance.

    ESLint

    • Updated the Airbnb configuration version from 1.0.0 to 5.0.0
    • Updated the Babel parser version from 4.1.3 to 4.1.8
    • Updated the React plugin from version 3.6.3 to 3.16.1
    • Fixed a bug with reporting issues to increase engine stability

    These updates are available in the CLI, on codeclimate.com, and are packaged regularly for Code Climate Enterprise customers. Enjoy!

    Code Climate 💖 Vim

    Today we’re delighted to share two goodies with all our Vim friends: an editor integration and a Vint engine! Both of these are courtesy of our own Will Fleming.

    The vim-codeclimate plugin makes it easy for you to seamlessly aggregate all the results from your preferred static analysis tools without leaving your favorite editor. It also takes advantage of Vim’s quickfix window, making navigating to and fixing issues natural for Vim users.

    To get started, you’ll need to have the Code Climate CLI installed. If you’re using a Mac with Homebrew, installing is as simple as:

       brew tap codeclimate/formulae
       brew install codeclimate

    Once brew has finished installing the CLI, you’ll want to make sure that the engines you need to analyze your code are installed locally.

       cd MYPROJECT
       codeclimate init  # run this if you don’t already have a .codeclimate.yml for the project
       codeclimate engines:install

    When you’ve got the CLI up and running, you’re ready to see analysis results within Vim. Details of how to install the plugin will vary a bit depending on your Vim installation. Instructions for some common package managers are included in the plugin’s README.

    And for our friends who write their own Vim scripts, our new Vint engine provides fast and extensible linting.

    The source for the engine is on GitHub, and you can enable it for your own repos using your .codeclimate.yml:

        engines:
          vint:
            enabled: true
        ratings:
          paths:
            - "**.vim"

    We hope you’re as excited as we are to start using Code Climate within Vim. Making static analysis an easier, more natural part of your workflow is something we care a lot about, and we think editor integrations are a great way to do that. If you’re interested in building support for your favorite editor, shoot an email to mrb@codeclimate.com and we’ll help get you started!

    RuboCop Engine Updated to RuboCop 0.37.2

    We've released a new version of our RuboCop engine which upgrades from RuboCop 0.35.1 to 0.37.2. This upgrade includes support for Ruby 2.3 syntax, as well as a variety of new checks and other enhancements.

    You can see a complete list of changes in the RuboCop change log. As part of the latest RuboCop release, several checks were removed or renamed, which may necessitate tweaks to your rubocop.yml configuration. We've updated our default RuboCop configuration for 0.37.2, which you can drop into your project as .rubocop.yml.

    We've also deployed the previous version of the engine (RuboCop 0.35.1) as rubocop-v35. If you wish to continue using this version, you can activate this in your .codeclimate.yml by changing the rubocop stanza to rubocop-v35.

    If you have any questions about the new version of RuboCop or need help with your configuration file, please get in touch with Code Climate support or send us a tweet at @codeclimate.

    🎊The Code Climate Platform - now out of beta! 🎊

    We’re extremely excited to announce that, as of today, the Code Climate platform is out of beta.

    Since launching last year, we've been busy adding features, upgrading infrastructure, and incorporating your feedback to build a superior experience for developers everywhere.

    The result? Our engines-based analysis includes everything you've come to expect from our ‘classic’ offering, and a lot more, including over 1,800 static analysis checks across more than a dozen languages and frameworks!

    To learn more, and to see the platform in action, check out the announcement and video on our blog.

    Adjusted Threshold for PHP Duplication

    We've just released a new version of our duplication engine with an adjusted default "mass threshold" for PHP. We've increased the threshold from 10 to 28. This brings it in line with our Classic analysis, so a repository that moves from Classic to Platform shouldn't see any new instances of PHP duplication as a result.

    What does this mean?

    Instances of duplication have a "mass", which is a measure of how big that portion of code is. Bigger bits of duplicated code are considered more of a problem than smaller bits. We use the mass to quantify this.

    You can read more about it in our docs.

    Increasing this threshold means code now has to be slightly bigger before we'll consider it an issue.

    How does this impact you?

    You should find that any instances of duplication with a mass between 10 and 28 will no longer be flagged as issues in your code base. This may result in a small uptick in ratings.

    If you prefer to keep the threshold at 10 (or set it to any other number), you can do so by configuring it in your .codeclimate.yml:

        engines:
          duplication:
            enabled: true
            config:
              languages:
                php:
                  mass_threshold: 10

    Update to Duplication Engine Grades

    We’re pleased to announce that we’ve tuned our Duplication Engine for Python, PHP, and JavaScript, to produce results closer to those provided by our Classic analysis. As a result, Python, PHP, and JavaScript repos analyzed on the platform may see a decline in GPA.

    As the Code Climate Platform offers the ability to configure the engines, categories of checks, and even individual checks running on your project, you can always adjust the number of duplication issues found to better meet the requirements of your team.

    You can adjust the number of duplication issues found by tuning the mass threshold configuration in your .codeclimate.yml:

        engines:
          duplication:
            enabled: true
            config:
              languages:
                <language>:   # placeholder: one of ruby, javascript, php, python
                  mass_threshold: 40

    More information about tuning mass thresholds and per-language defaults can be found in our docs. Feel free to reach out with any questions to codeclimate support.

    Code Climate CLI: Better, stronger, faster.

    We’re very excited to release a faster and more configurable version of our CLI!

    This release includes significant internal changes, resulting in faster and more accurate processing of exclude_paths and faster startup time for the codeclimate analyze command.

    But wait, there’s more! Because of these internal changes, you can now provide exclude_paths for specific engines, an often requested feature that should make many of your lives easier.

    To configure these engine specific exclude_paths, add an exclude_paths key to your .codeclimate.yml for the specific engine:

        engines:
          rubocop:            # engine names here are illustrative; any enabled engine works
            enabled: true
          eslint:
            enabled: true
            exclude_paths:    # engine-specific excludes; quoted so YAML does not read "*" as an alias
              - "*.md"
              - "*.yml"
        exclude_paths:        # repo-wide excludes apply to every engine
          - vendor/
          - app/assets/**/vendor/

    Note: we no longer automatically exclude paths ignored in a Git .gitignore file, since we found this was limiting performance. If you rely on any of these files being ignored during analysis, please copy those patterns to the exclude_paths of your .codeclimate.yml.

    We’re very excited to bring you this better, stronger, faster version of our CLI. Grab the new version from Docker Hub, or if you’re running OS X and brew, just run brew update && brew upgrade codeclimate - and please let us know what you think!

    We just launched a new issues browsing view! 🎉

    Previously, issues could only be viewed by category, but now you can filter by Category, Engine, and Severity. When you visit the Issues tab for your repo, you'll see dropdowns for each of those filters at the right of the page. Want to see severe security issues? Filter by Severity and Category. How about style issues reported by RuboCop? Engines and Category it is.

    We hope this new view helps you find issues faster, so you can start improving your codebase sooner!

    Increased Visibility for Security issues Reported by our Brakeman and Bundler-Audit Engines

    We recently added icons to security issues reported by Brakeman OSS and Bundler-Audit to easily differentiate their severity.

    Critical security issues are now reported with a warning icon, while issues with info-level severity (the lowest ranked by our spec) display a related icon.

    Fixed Bug in Duplication Reporting on Code Climate Platform

    We recently uncovered and fixed a bug in our Duplication Engine that resulted in incorrect issue counts. Previously, when a duplication violation was detected across multiple locations, an issue was only counted for the first occurrence, instead of once for each location with an instance of the duplicated code.

    Now, each site where duplicated code exists is assigned its own duplication issue. These are viewable in the UI when browsing issues by category, and on an individual file's code tab:

    As a result of this change, you may see a greater number of duplication issues reported on codeclimate.com and with the CLI. Some repositories may also experience fluctuations in grades.

    We’re sorry for any inconvenience this may have caused and are committed to bringing you the most accurate analysis possible with every commit. If you have any questions or feedback please get in touch with Code Climate support or send us a tweet at @codeclimate -- we’re always happy to help!

    Latest Updates to Analysis Engines: January 18 - 24

    Greetings from snowy NYC where we bring you the latest installment in updates to the Code Climate Platform's analysis engines. These updates are available in the CLI, on codeclimate.com, and are packaged regularly for Code Climate Enterprise customers:

    Brakeman OSS

    • Critical security issues reported


    • Updated vulnerability database
    • Critical security issues reported


    • Improved path handling to improve performance for hosted analysis


    • Increased detail in issue descriptions to report instances of duplicated code as Identical or Similar

    Increased Detail in Duplication Engine Issue Reports

    We've recently updated our Duplication engine to report instances of duplicated code as Identical or Similar in the issue description. This behavior matches our Classic duplication analysis and provides more detail as to the nature of the repeated code.

    This is available on our hosted analysis:

    As well as in our CLI:

    To make sure you're running the most up to date version of the Code Climate CLI, Homebrew users can run:

        brew update && brew upgrade codeclimate

    To pull the latest Duplication engine, run:

        docker pull codeclimate/codeclimate-duplication

    or from within the root of your project:

        codeclimate engines:enable duplication

    Latest Updates to Analysis Engines: January 11 - 17

    Not only are we adding new engines all the time (hello, HLint!) we’re also constantly tuning the ones already available. Here’s a quick summary of the most significant tweaks made to our analysis engines in the past week. Of course, all our engines are open source so you can always look at the commit history for all the updates.

    gofmt, golint, govet

    • Remediation points updated for consistency with other Code Climate analysis engines.


    • Added configurability of the confidence threshold used by the golint engine, giving you greater ability to customize the results of your golint analysis.


    • Updated default parser to one which is ES6-compatible, reducing setup for anyone using ES6
    • Improved accuracy of reporting and grading complexity issues. Remediation points now scale with the severity of the complexity as specified in the engine configuration.


    • Updated to a newer version of foodcritic
    • Worked with the team at Chef to refine the severity and remediation points for each check

    File Churn Information Now Available on the Code Climate Platform

    We are very excited to bring our file churn metrics to the Code Climate Platform! Starting today, when we have finished analyzing your default branch, you will see churn metrics for the files in your repository. This churn metric is approximately the number of times a file has changed in the last 90 days, calculated by counting the number of distinct versions of that file across commits from that time. The absolute value won't be as useful as comparing the values across files - which files change most often, what are their relative qualities, etc.? Quality issues can have a greater impact on files that churn frequently, so high churn, low quality files should be top candidates for attention.

    There are two ways to view these churn metrics. The first is on the Code tab of your Code Climate repo:

    The second is on the repo's Trends page:

    As mentioned above, it can be useful to identify high churn, low quality files within a repository. The x axis of this graph is the churn of the file - lower, or left, is better. The y axis is the quality, plotted by remediation cost (how long it will take to improve the file) - lower, or bottom, is better. Clicking on a plotted point will take you to that file's issues.
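As an added example (not Code Climate's own implementation), this computes the churn approximation described above, counting distinct file versions (blob ids) rather than commits, from `git log --raw` output, and ranks files by churn times remediation cost. The sample log lines are constructed; `git_raw_log` is a helper I assume you would point at a real repository.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `git log --raw --format= --no-renames` output for the
# last 90 days; blob ids are made up. Each line is
# ":<old mode> <new mode> <old blob> <new blob> <status>\t<path>".
SAMPLE_RAW_LOG = """\
:100644 100644 1111111 2222222 M\tapp/models/user.rb
:100644 100644 2222222 3333333 M\tapp/models/user.rb
:000000 100644 0000000 4444444 A\tlib/auth/token.rb
:100644 100644 4444444 5555555 M\tlib/auth/token.rb
:100644 100644 5555555 4444444 M\tlib/auth/token.rb
:100644 100644 6666666 7777777 M\tREADME.md
:100644 000000 8888888 0000000 D\told/legacy.rb
"""

RAW_LINE = re.compile(r"^:(\d{6}) (\d{6}) ([0-9a-f]+) ([0-9a-f]+) ([A-Z]\d*)\t(.+)$")


def git_raw_log(repo_dir: str, days: int = 90) -> str:
    """Collect raw change records for the window from a real repository
    (assumed helper; the sample above stands in for its output)."""
    cmd = ["git", "log", f"--since={days} days ago", "--raw", "--format=", "--no-renames"]
    return subprocess.run(cmd, cwd=repo_dir, check=True,
                          capture_output=True, text=True).stdout


def churn_from_raw_log(raw_log: str) -> dict[str, int]:
    """Approximate churn as the number of distinct file versions (new blob ids)
    committed in the window. A change followed by its revert therefore counts
    as two versions, although three commits touched the file."""
    versions: dict[str, set[str]] = defaultdict(set)
    for line in raw_log.splitlines():
        m = RAW_LINE.match(line)
        if not m:
            continue  # tolerate headers or blank lines in unfiltered output
        new_blob, status, path_field = m.group(4), m.group(5), m.group(6)
        if status.startswith("D"):
            continue  # a deletion leaves no new version behind
        path = path_field.split("\t")[-1]  # renames list "old\tnew"; keep the new path
        versions[path].add(new_blob)
    return {path: len(blobs) for path, blobs in versions.items()}


def hotspots(churn: dict[str, int],
             remediation_minutes: dict[str, int]) -> list[tuple[str, int]]:
    """Rank files by churn x remediation cost so that high churn, low quality
    files (the candidates the post singles out) come first."""
    scored = [(path, churn.get(path, 0) * remediation_minutes.get(path, 0))
              for path in set(churn) | set(remediation_minutes)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))
```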

    You can now analyze your Haskell on Code Climate!

    We're excited to announce that you can now analyze your Haskell code on Code Climate using the Haskell community's favorite tool, HLint. Our resident Haskell wizard Pat Brisbin started on a Haskell engine before engines really existed, so it's really fun for us to be able to share this with the world.

    Haskell Results

    The code for the engine is on GitHub and you can enable it in your Haskell repos using your .codeclimate.yml file:

            engines:
              hlint:
                enabled: true
            ratings:
              paths:
                - "**.hs"

    To enable on the Code Climate CLI, use the engines:enable CLI command:

        $ brew update && brew upgrade codeclimate
        $ cd ~/my/awesome/app
        $ codeclimate engines:enable hlint

    Because HLint is awesome, you'll even get hints for how to fix your code in our contextual readups. Click on the 'book' icon on this page for some examples.

    One more thing: HLint on Code Climate is a great way to make contribution management easier for Open Source projects. You can now automatically run HLint against any PRs on your repos, and make your standards enforceable! If you'd like some help with that, drop Mike a line at mrb@codeclimate.com.

    Changes to grading for Ruby engines

    We're pleased to announce that we’ve honed our grades for Ruby analysis on the Code Climate Platform, to produce results closer to those provided by our Classic analysis. Specifically, we’ve increased the penalties for Ruby complexity and duplication. As a result, Ruby repos analyzed on the platform may see a decline in GPA of up to a full point. Repositories with significant Complexity and Duplication violations will be most strongly impacted.

    For Ruby duplication checks we've updated the penalty formula to give more base weight for each violation, and a small penalty per unit over permitted duplication mass threshold.

    For Ruby complexity checks (via the RuboCop engine), changes include:

    • Enable Method length check, and increase default maximum from 10 to 30
    • Increase default Class length max from 150 to 250
    • Increase default Module length max from 150 to 250
    • Enable Cyclomatic complexity check
    • Disable ABCSize check
    Diff viewable here.

    Of course, as the Code Climate Platform offers the ability to configure the engines, categories of checks, and even individual checks running on your project, you can always adjust the new thresholds to better meet the requirements of your team.

    Configuring Complexity Checks in the RuboCop engine

    RuboCop provides several different metrics which can be used to help assess the maintainability of code, including ABCSize, ClassLength, MethodLength, ModuleLength, ParameterLists, CyclomaticComplexity, and PerceivedComplexity.

    As part of this grading update, we've updated the default settings in the .rubocop.yml generated when a user has ruby code and no .codeclimate.yml config file. This includes a suggested set of settings in your .rubocop.yml for assessing software complexity. If you’re using the auto-generated config for your analysis you may see changes in your reported issues.

    Configuring the Duplication engine for Ruby analysis

    As with RuboCop complexity checks, you can optionally tune your own tolerance for duplication mass by updating the engine configuration in your .codeclimate.yml. Code Climate's suggested and default threshold for Ruby is 18.

    Have questions? Feedback? Please feel free to contact Code Climate support or send us a tweet at @codeclimate!

    More Accurate Brakeman Fingerprints

    We recently announced the ability (on our new platform) to exclude any issue that Code Climate identifies from your results using issue exclusions in your .codeclimate.yml. Exclusions use fingerprints identified by a fingerprinting algorithm to identify and exclude particular sections of code. In this release, we've improved the fingerprints of security vulnerabilities identified by Brakeman.

    The more accurate and reliable the fingerprints associated with issues, the less chance that issues will unexpectedly re-appear in your results or be accidentally grouped together.

    As a result of this change, if you had previously marked any exclusions in your .codeclimate.yml for Brakeman in your .codeclimate.yml, you will need to add them back with the new fingerprints. If you need assistance with this process please contact us and we'll be happy to assist you.

    Introducing Issue Exclusion

    Have you ever wished you could ignore a specific reported issue, but not the entire check type? Now you can! Our engines-based analysis now lets you configure your analysis to exclude specific issues.

    On codeclimate.com, click on the Exclude icon, and select "Ignore this issue":

    Exclude menu

    This will open a modal containing all the information needed to update your analysis configuration via your .codeclimate.yml:

    Ignore Issue modal

    If you're using the Code Climate CLI, you can find the fingerprints of reported issues by running analysis using the JSON formatter, and grepping for text in the issue you care about:

        $ codeclimate analyze -f json | grep -F "CVE-2015-3227"

    We're proud to continue adding ways for you to customize Code Climate's analysis for your needs, and hope you find this latest addition helpful in your projects.
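The grep above only shows the matching line of the JSON stream; as an added example (not Code Climate's own tooling), this filters the JSON output issue by issue and renders the exclusion fragment for .codeclimate.yml. The sample output is constructed, `engine_name` on each issue and the `exclude_fingerprints` key are assumptions from the legacy config format, so compare against the modal the post describes.

```python
import json

# Constructed sample of `codeclimate analyze -f json` output: a JSON array of
# issue objects in the engine spec shape. Fingerprints and line numbers are
# made up; the advisory text for CVE-2015-3227 is a placeholder.
SAMPLE_ANALYSIS_JSON = json.dumps([
    {"type": "issue", "engine_name": "bundler-audit",
     "check_name": "Insecure Dependency",
     "description": "CVE-2015-3227 (sample advisory text)",
     "categories": ["Security"], "severity": "critical",
     "location": {"path": "Gemfile.lock", "lines": {"begin": 42, "end": 42}},
     "fingerprint": "0a1b2c3d4e5f"},
    {"type": "issue", "engine_name": "brakeman",
     "check_name": "SQL Injection",
     "description": "Possible SQL injection in where clause (sample)",
     "categories": ["Security"], "severity": "critical",
     "location": {"path": "app/models/user.rb", "lines": {"begin": 17, "end": 17}},
     "fingerprint": "6f7e8d9c0b1a"},
    {"type": "issue", "engine_name": "rubocop",
     "check_name": "Metrics/MethodLength",
     "description": "Method has too many lines. [35/30]",
     "categories": ["Complexity"], "severity": "minor",
     "location": {"path": "app/models/user.rb", "lines": {"begin": 9, "end": 44}},
     "fingerprint": "f1e2d3c4b5a6"},
])


def find_issues(analysis_json: str, needle: str) -> list[dict]:
    """Return the issues whose check name, description or categories contain
    needle, so a CVE id, a check name or a category all work as search keys."""
    matches = []
    for item in json.loads(analysis_json):
        if item.get("type") != "issue":
            continue
        haystack = " ".join([item.get("check_name", ""), item.get("description", ""),
                             *item.get("categories", [])])
        if needle in haystack:
            matches.append(item)
    return matches


def exclusion_config(issues: list[dict]) -> str:
    """Render the .codeclimate.yml fragment that excludes these issues, grouped
    by engine (exclude_fingerprints is assumed to be the legacy config key)."""
    by_engine: dict[str, set[str]] = {}
    for issue in issues:
        by_engine.setdefault(issue["engine_name"], set()).add(issue["fingerprint"])
    lines = ["engines:"]
    for engine in sorted(by_engine):
        lines += [f"  {engine}:", "    enabled: true", "    exclude_fingerprints:"]
        lines += [f"      - {fp}" for fp in sorted(by_engine[engine])]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    needle = sys.argv[1] if len(sys.argv) > 1 else "CVE-2015-3227"
    # pipe real output in: codeclimate analyze -f json | python this_script.py CVE-2015-3227
    source = SAMPLE_ANALYSIS_JSON if sys.stdin.isatty() else sys.stdin.read()
    print(exclusion_config(find_issues(source, needle)), end="")
```

Because fingerprints are tied to the code they identify, an exclusion stops matching once that code changes, so a silenced security finding reappears after an edit rather than staying hidden.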

    Duplication Detection now available for Engines-based Analysis

    We're thrilled to introduce our new duplication engine for the Code Climate platform! While duplication detection has been a key part of our analysis for years, this release open sources our duplication detection code, and makes it available for our engines-based analysis.

    Our duplication engine currently supports Ruby, JavaScript (including JSX), PHP, and Python out of the box. We welcome contributions, so if you'd like to see a new language supported, open an issue/PR or tweet @codeclimate!

    Duplication Results

    To enable the duplication engine for your project, add the following to your .codeclimate.yml configuration file:

            engines:
              duplication:
                enabled: true
                config:
                  languages:
                    - ruby
                    - javascript
                    - python
                    - php
            ratings:
              paths:
                - "**.rb"
                - "**.py"
                - "**.php"
                - "**.js"
                - "**.jsx"

    Most projects don't have so many languages present within a single repository, so feel free to adjust the above to suit your project's languages.

    If you have the CLI installed, you can enable the engine with the engines:enable CLI command:

        $ brew update && brew upgrade codeclimate
        $ cd ~/my/awesome/app
        $ codeclimate engines:enable duplication

    Enable the duplication engine for your project today to keep your code DRY!

    GitHub Pull Request Details on Code Climate

    We've improved our pull request page to show more of the details from your GitHub pull request that are important to you. The new page now shows the status of your pull request's Code Climate analysis - passed, failed, or pending. We also now display the pull request's title and number from GitHub:

    New PR Header View

    We hope these changes make your use of our pull request integration even more useful and enjoyable to use!

    Join Code Climate Organizations with GitHub OAuth

    Starting today, organization invitations can be accepted using GitHub OAuth! When you invite someone to your organization, they'll see the following screen:

    Clicking "Sign Up with GitHub" will create a user, link them to GitHub, and join the organization, all in one step! We hope this feature allows users of organizations to have faster, more secure access to their repositories and Code Climate analysis.

    Introducing Code Climate Builds

    Code Climate analysis is a multi-step process which involves fetching and analyzing code, collating results, and more. As we've built out our platform, we've worked hard to make it easy to know exactly where you are in the analysis process whenever you push some new code. Each time you push code, we generate what we call a "build" which represents everything that needs to happen to produce what you care about: analysis.

    Today we're happy to introduce a new repository level view to give you greater visibility into Builds and the history of Code Climate's analysis of your repo:

    Running Build

    There's also a pull request Builds tab that shows all recent analyses performed on a pull request. If a build fails, you'll see helpful information for debugging, while still being able to browse the most recent comparison results for the pull request:

    Builds List

    Brakeman Now Available on the Code Climate Platform

    Today, we’re excited to announce the release of a new analysis engine: Brakeman OSS.

    Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities. We’re big Brakeman fans - and have been using it for years as part of our Ruby security analysis - so we’re especially glad to be able to offer it as part of our engines-based analysis.

    Brakeman Analysis

    To enable the Brakeman engine for your project, add the following to your .codeclimate.yml configuration file:

            engines:
              brakeman:
                enabled: true
            ratings:
              paths:
                - "**.rb"

    If you have the CLI installed, you can enable the engine with the engines:enable command:

        $ brew update && brew upgrade codeclimate
        $ cd ~/my/awesome/app
        $ codeclimate engines:enable brakeman

    Add it to your analysis today and ensure that your Rails application is protected against attacks!

    Python Analysis Now Available on the Code Climate Platform


    We're delighted to announce the addition of Python support to the Code Climate Platform via two new analysis Engines!

    Radon provides analysis of cyclomatic complexity:

    Radon result

    Out of the box, it can be configured to report complexity levels from A-F. This threshold can also be specified in your .codeclimate.yml:

         engines:
           radon:
             enabled: true
             config:
               threshold: "B"

    Pep8 provides feedback on Python code style following the rules outlined in the PEP 8 style guide:

    pep8 result

    To enable, just add the following to your .codeclimate.yml:

           engines:
             pep8:
               enabled: true

    The Code Climate pep8 and Radon engines honor any .py configuration files you may have in your repository.

    As with all Code Climate Engines, these can be run via our hosted analysis, or on the Code Climate CLI. To add these Engines to your analysis:

    1. Ensure you've enabled our Engines-based Platform.

    2. Add pep8 or radon to your .codeclimate.yml file.

    3. That takes care of your hosted analysis at codeclimate.com. If you’re also using the Code Climate CLI, you can update that as well by running brew update && brew upgrade codeclimate.

    Previously, we'd provided Python support exclusively via our Classic analysis with feedback on complexity and duplication. Our pep8 engine introduces our first offering of style analysis for Python – we hope you like it!

    GitHub Pull Request Pass/Fail Status now available for Classic Analysis

    One of the most effective ways to incorporate Code Climate into your team's workflow is via our GitHub pull request integration. We analyze each PR, and update its status in GitHub with a summary of what we found and a link back to our complete analysis.

    A few months ago we introduced pass/fail PR status for repos using our Engines-based analysis. PRs are failed if they have one or more new quality, security, or style issues:

    failed pr

    If no new issues are found, the PR passes:

    passed pr

    We’ve now rolled this feature out for all repos – including those using our Classic analysis. This means that if you were already using our pull request integration with your project, your PRs will now look like those pictured above.

    Pass/Fail status helps you decide at a glance whether a PR should be merged. You can even set it as a required status check to ensure that only PRs meeting your organization’s standards are merged into protected branches.

    If you’d like to be able to fine tune which checks can fail your PR, we recommend trying out our engines-based analysis which lets you configure checks on a repo by repo basis.

    Engine Update: Use Airbnb’s .eslintrc configuration for your analysis

    We’re delighted to announce that our ESLint Engine now supports Airbnb’s .eslintrc configurations.

    Airbnb makes three configurations available as shared and extensible configurations for ESLint analysis:

    • eslint-config-airbnb, which contains all of Airbnb’s ESLint rules, including ECMAScript 6+ and React.
    • eslint-config-airbnb/base, which lints ES6+ but does not lint React.
    • eslint-config-airbnb/legacy, which lints ES5 and below.

    To use one of these configurations with our ESLint Engine:

    • copy the file, adding rule overrides as needed, then
    • add `"extends": "airbnb"` to your .eslintrc

    As with all Code Climate Engines, ESLint can be run via our hosted analysis, or on the Code Climate CLI.

    For more information on adding this – or any – Engine to your analysis, please see our documentation.

    New in Code Climate Enterprise: Improved User Authorization Options

    We're excited to announce three new features to help you manage authorization to your Code Climate Enterprise instance.

    The first of these is Public Organizations. Now, when you're creating or updating an organization, you have the option to make it public:

    Repositories belonging to public organizations will be visible to any user logged into your Code Climate Enterprise instance. This can be a really great way to increase the visibility of analysis within your team without needing to add each person to your Code Climate Organization.

    Secondly, you can now require that users sign up via GitHub or GitHub Enterprise OAuth, rather than allowing signups with email and password. This can be a useful way to restrict access to your Code Climate Enterprise instance to only those who have access to the code itself.

    Lastly, we added the ability to require that users be administrators in order to create organizations. By default, anyone with access to the instance can create an organization and add repositories. If this setting is enabled, only Enterprise Admins will be able to perform those functions. This feature is especially useful when paired with Public Organizations - team members will be able to view analysis results, but not add any unwanted repositories.

    More information about these latter 2 features can be found on our Enterprise documentation site.

    New in Code Climate Enterprise: Builds Dashboard

    Good news for Code Climate Enterprise admins: your admin console now includes a dashboard to provide you with better introspection into the builds being run on your instance of Code Climate Enterprise.

    In-progress builds will be highlighted in yellow. You can click through to see the progress of any snapshot via the "Log" link.

    New In Code Climate Enterprise: Configurable Engine Timeouts and Memory Limits

    Code Climate Enterprise now supports configuring the time and memory allocated to containers running our Engines-based analysis. To adjust these settings for your Code Climate Enterprise instance, see the "Analysis Settings" section of your Code Climate Management Settings page:

    These settings are especially useful for large repositories that may benefit from increased limits to optimize analysis time. More information is available at our Enterprise documentation site.

    Are you interested in learning more about Code Climate Enterprise? We would love to hear from you.

    Improved React/JSX Support in ESLint Engine Analysis

    Great news for anyone analyzing ECMAScript or JavaScript code. We’ve souped up our ESLint Engine, particularly in respect to support for projects using JSX and React.

    Syntax Highlighting for JSX

    The first of these improvements is syntax highlighting for JSX files. We now highlight JSX syntax in code views and when displaying issues.

    React ESLint Plugin and Babel Packages

    Our second improvement is to bundle the Babel parser and the eslint-plugin-react package into the ESLint Engine, in order to provide better analysis results for JSX code. To use these, modify your .eslintrc file to include:

        parser: "babel-eslint"
        plugins: ["react"]

    Projects with these packages already configured will see them utilized automatically.

    Read Ups for ESLint Results

    Lastly, we’ve brought our Read Up feature to the ESLint Engine. Now, next to issues reported in the ESLint Engine analysis, you will see this button:

    Clicking it will reveal a modal displaying more in-depth information about the issue:

    Read Ups are a great way to learn more about an issue, how it’s detected, why it’s a problem, and how to resolve it. For customers using our Platform analysis, Read Ups are now available on our Bundler Audit, RuboCop, and ESLint engines, with more on the way!

    Do you want to help bring better static analysis tools to more developers? Join us in our NYC office!

    Automatic Configuration Now Available for Your Engines-based Analysis

    As the Code Climate Platform continues to grow – we now analyze 11 languages and 4 frameworks – we're always looking for ways to make it easier for customers to get started analyzing their code.

    So we're pleased to announce that our Engines-based analysis now supports automatic configuration for repositories.


    Now, when you add a repository to Code Climate for analysis on our Platform, you do not need to immediately add a .codeclimate.yml file. Instead, we’ll scan your code and automatically run the analysis Engines which are the best fit.


    Of course, we know it's still important to be able to configure your analysis to suit your own needs, so if you do add a .codeclimate.yml to your repository, we’ll always use your specified settings for analysis. We’ve also made it easy to download the automatically generated config file (or generate it yourself using our CLI), so that you can customize it for your specific needs.

    Check out our docs for more information on getting started with our Engines-based analysis and customizing your analysis configuration.

    We're Hiring in New York City!

    Code Climate is growing! Our company is small and your impact will be big. We currently have the following openings in our NYC office:

    We'd love to work with you to help people build better software. Please get in touch by filling out the application form on the position you're interested in or drop us a line.

    Bitbucket Server Pull Request Integration Available on Code Climate Enterprise

    We are delighted to announce that Pull Request support for Atlassian's Bitbucket Server (formerly known as Stash) is now available on Code Climate Enterprise. Now, teams using Bitbucket Server can set up automated integration for feedback on Pushes and Pull Requests.


    Set up

    Bitbucket Server Pull Request integration can be configured by installing two plugins available for free in the Atlassian marketplace. One plugin triggers a refreshed scan of your repository every time you push code, and the other provides a webhook that can send Pull Request information back to Code Climate for analysis.

    Explore our docs for detailed instructions on setting up Bitbucket Server integration Post-Receive webhooks for Pushes and Pull Requests on Code Climate Enterprise.

    New Analysis Engine for Node.js Security


    Today we’re excited to announce another great Community Engine! This one’s from the good folks at ^Lift Security who have turned their requireSafe tool into an engine for Node.js.

    requireSafe audits your Node.js modules using a seasoned auditing team and alerts you to vulnerabilities when Node Security Project advisories are created or updated. Add it to your analysis today and reap the benefits of standards enforcement and dependency checking across your whole company or OSS contributions!


    As with all Code Climate Engines, requireSafe can be run via our hosted analysis, or on the Code Climate CLI.

    To add requireSafe, or any other Engine, to your analysis:

    1. Ensure you've enabled our Engines-based Platform.

    2. Add requiresafe to your .codeclimate.yml file:

            engines:
              requiresafe:
                enabled: true

    3. Your hosted analysis at codeclimate.com is now good to go! If you’re also using the Code Climate CLI, you'll need to update that too. Just run brew update && brew upgrade codeclimate.

    Analyze specific files and paths with the Code Climate CLI

    We’re pleased to announce that with the latest update to the Code Climate CLI you can now pass file paths as arguments to the codeclimate analyze command. You can also specify engine options with -e or --engine.

    For example:


    Exclude paths in .codeclimate.yml config will not be analyzed.

    We've gotten a lot of requests for this feature to aid in debugging hotspots. Instead of having to re-run a repo's entire analysis locally, developers using the CLI can now target tricky bits of code with particular engines!

    To run the latest version of the CLI and take advantage of this new feature, run brew update && brew upgrade codeclimate

    New Analysis Engines: SCSS-Lint and Foodcritic

    scss-lint Foodcritic

    While I'm always happy when new engines are added to the Code Climate Platform, today I'm super excited to announce my favorite kind of engines: Community Engines! We're releasing an engine for Foodcritic, which brings static analysis to your Chef cookbooks, and an engine for SCSS-Lint, to help keep your fancy SCSS in order.

    These engines were contributed by two members of the Code Climate Developer Program: Sean O'Meara and Ivan Tse. Thanks and welcome, Sean and Ivan! The Code Climate Platform is nothing without the community that supports it.

    As with all Code Climate Engines, these can be run via our hosted analysis, or on the Code Climate CLI.

    To add these, or any other Engines, to your analysis:

    1. Ensure you've enabled our Engines-based Platform.

    2. Add scss-lint or foodcritic to your .codeclimate.yml file.

          engines:
            scss-lint:
              enabled: true
            foodcritic:
              enabled: true

    3. That’s all you need to do to run an Engine to our hosted analysis at codeclimate.com! If you’re also using the Code Climate CLI, you'll need to update that too. Just run brew update && brew upgrade codeclimate.

    Run Code Climate Enterprise behind your firewall

    We just launched Code Climate Enterprise which allows you to run Code Climate on-premise or in your private cloud. It includes:

    • Our new, extensible analysis Platform, with support for a variety of programming languages and frameworks
    • Integration with GitHub Enterprise and Atlassian Stash
    • Support for authentication via LDAP or Active Directory
    • Integration with the new Code Climate CLI to run analysis locally before pushing commits

    With Code Climate Enterprise, we're excited to make it possible for even more developers to take advantage of static analysis, while complying with their organization's security policies. Check it out and let us know what you think.

    Read Ups For bundler-audit Issues

    Read Ups are a great way to learn more about a specific issue, including basic descriptions of what is being checked, or steps needed to fix it.

    Up until now, this feature was absent from repos using our Engines-based Platform. Starting today, repos analyzed by our bundler-audit Engine will receive Read Ups on their issues!

    Next to each issue you'll see a book icon:


    Clicking this will reveal a modal with more information on the vulnerability, including its criticality, a link to read more about the vulnerability, and a solution for the issue:


    We look forward to bringing this functionality to other Engines. If you're interested in helping to implement Read Ups in existing Engines or building your own Engine, please get in touch!

    Improved Ticket Integration

    We've made some improvements to the tickets created by our service integrations. As always, you can click "Create Ticket" from an issue to automatically add a GitHub Issue, Pivotal Tracker Story, JIRA Ticket, and more.

    We've updated the contents of these tickets to be more specific to the issue, providing information about the issue itself, as well as a direct link back to it on Code Climate!

    Pull Request analysis for Open Source repos

    We’re very excited to announce a major expansion to our service for open source projects – our GitHub Pull Request integration now supports analysis for open source repos!


    Our PR integration can now automatically analyze PRs for OSS repos running on our new Engines-based Platform, and post an analysis summary right into the PR's status in GitHub.

    Enabling this functionality takes just a couple of steps:

    1. In GitHub, go to Settings > Webhooks & Services for your repo and add a webhook to send an event to Code Climate each time you open a PR. The webhook URL will be https://codeclimate.com/webhooks:


    2. From your Code Climate repository’s Settings > Integrations page, set up the GitHub Pull Request Integration, using a GitHub token:


    This is great news for anyone working in open source, particularly project maintainers. We hope you like it!

    Easily Manage Engines and Checks

    We've made it easier to identify and disable which Engine or check is emitting an issue, right from your analysis page. Now, if you are running an Engines analysis on our new Platform, individual issues will display an icon, which when clicked displays a dropdown with options to disable either the Engine or the specific check that emitted the issue, for all files in the repo:

    Disable Dropdown

    Selecting the first option will reveal a modal that explains how to disable that Engine:

    Disable Engine

    If you don’t want to disable the entire Engine, you can just disable that specific check by choosing the “Disable this check” option, which will reveal an explanatory modal:

    Disable Check

    These new features give you more control over what Code Climate analyzes in your project. If you haven't yet tried our new Engines-based Platform and would like to check it out, follow these steps.

    Improved PR Integration: Cross Repository Analysis

    Does your team use a fork-based workflow? If so, great news – our GitHub pull request integration now analyzes cross-repository PRs! This means the same pull request integration you’re used to is now available for forked repositories.


    For right now, this expanded PR integration is available only for private repos running on our new Engines-based Platform, but we plan to roll it out to open source repos in the near future. We’ll keep you posted!

    Enabling Platform Analysis now Even Easier

    We’ve improved the process for enabling the Code Climate Platform on a repository-by-repository basis.

    On your repo's Settings > Analysis tab you’ll now see a section titled “Want to try out the new Code Climate Platform?”. If the button is in the Enable Code Climate Platform state, the repo is running our original analysis, and you’ll need to click it to enable Platform analysis.


    Clicking Enable Code Climate Platform opens our new Enable Engines page, which has everything you need to set up the repo for Platform analysis including:

    • information to help you decide which analysis is right for your repo,
    • a sample Engines-enabled codeclimate.yml file,
    • and the confirmation Enable Code Climate Platform for this repo button to explicitly switch the repo to our Platform analysis.

    You can return the repository to the original analysis at any time by clicking the “Disable Code Climate Platform” button on the repo's Settings > Analysis tab and reverting to a non-Engines enabled .codeclimate.yml file.

    We think this will really help simplify setting up and keeping track of which of your repositories are running Platform analysis. If you have any feedback, or if we can help with anything at all, let us know.

    Code Climate CLI no longer colorizes redirected output

    While colorized data is generally easier for humans to digest, it can cause some hiccups when consumed by other software, something we found when passing data from the Code Climate CLI to other services.

    Now, when you output your Code Climate CLI data to another program or service, the data is stripped of color codes, making it easier to consume and improving integration.

    JSON output simplified in Code Climate CLI

    The Code Climate CLI JSON formatter now provides output as a single JSON document.

    This really streamlines the process for anyone using a third-party program or service to consume their JSON data.

    To output JSON data via our CLI, just run: codeclimate analyze -f json

    RuboCop Engine now Analyzes RSpec

    Use RSpec? If so, great news! Thanks to a pull request from Code Climate user Aigeruth, our codeclimate-rubocop analysis Engine now supports RSpec cops. These can run alongside the Engine's standard cops.

    If you've already selected to use our new Engines-based analysis, you can run RSpec cops against your project in a few quick clicks:

    1. Ensure your .rubocop.yml file contains require: rubocop-rspec.
    2. Also ensure that you've enabled rubocop in your .codeclimate.yml file.
    3. If you're running this Engine via our hosted analysis at codeclimate.com, that's all you need to do! However, if you're using the Code Climate CLI, you'll also need to install and/or update this Engine by running codeclimate engines:install.

    If you're not up and running yet with our new Engines-based analysis, now's a great time! Check out our "getting started" help doc.

    We're hard at work adding more Engines and leveling up those we've already released! Is there an Engine that you'd like to see run on Code Climate? Awesome! Let us know, or if you're interested, jump right in and build it!

    Email Notifications for Analysis Problems

    You’ll now receive an email notification if there are any problems analyzing your repository. For example, if there's a syntax error in your project's .codeclimate.yml file, we'll notify everyone on your team with access to the project. This email will go out right when we attempt to run a new analysis and we identify a problem.

    Here's a sample email:


    Our email will include troubleshooting steps, but if you need more help, just hit "reply" and your message will go straight to our Support Team. We're here to help!

    Note: These emails are only available for repositories on our new Engines-based Platform. Also, to manage your email preferences, check out your user profile page.

    New Analysis Engine: codeclimate-fixme

    We just released a new official Code Climate analysis Engine! codeclimate-fixme finds and alerts you to comments in your code that match any of the following: TODO, FIXME, HACK, or BUG. Instances of these strings are problems waiting to happen -- now you can be alerted when they get checked in to your codebase!

    You can run this new Engine via our hosted analysis:


    Or you can run it via the Code Climate CLI:


    To get started with codeclimate-fixme:

    1. Ensure you've enabled our new Engines-based Platform. If you haven't, here's how to do so.
    2. Add fixme to your .codeclimate.yml file.
    3. If you're running this Engine via our hosted analysis at codeclimate.com, that's all you need to do! However, if you're using the Code Climate CLI, you'll also need to update your CLI to know about this new engine. To do so, run brew update && brew upgrade codeclimate.

    We've also written a guide on how to write Code Climate engines from scratch that features the FIXME engine. Check it out and let us know what you think!
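As an added illustration of what such an engine does (this is example code written for this post, not the source of the codeclimate-fixme engine), here is a minimal marker scanner in Python that emits issues in the Code Climate engine output format. The sample files, check names and descriptions are constructed for the example.

```python
import json
import re
import sys
from typing import Dict, List

# Markers the engine looks for; the regex demands whole-word matches so
# "DEBUG" or "BUGFIX" do not trigger the BUG check.
MARKERS = ("TODO", "FIXME", "HACK", "BUG")
MARKER_RE = re.compile(r"\b(" + "|".join(MARKERS) + r")\b")

# Common single-line comment introducers; only text after one of these is
# searched, so the marker words are reported from comments, not from code.
COMMENT_RE = re.compile(r"#|//|/\*|\*|<!--|--")


def find_fixmes(path: str, source: str) -> List[Dict]:
    """Return one Code Climate issue document per flagged line of `source`."""
    issues = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        comment = COMMENT_RE.search(line)
        if not comment:
            continue
        match = MARKER_RE.search(line, comment.start())
        if not match:
            continue
        marker = match.group(1)
        issues.append({
            "type": "issue",
            "check_name": marker,                 # constructed naming
            "description": f"{marker} found",     # constructed wording
            "categories": ["Bug Risk"],
            "location": {"path": path, "lines": {"begin": lineno, "end": lineno}},
        })
    return issues


def serialize(issues: List[Dict]) -> str:
    """Encode issues the way the engine spec expects on stdout: each JSON
    document is followed by a NUL byte, which is how the CLI splits them."""
    return "".join(json.dumps(issue) + "\0" for issue in issues)


# Constructed sample "repository": path -> file contents.
SAMPLE_FILES = {
    "app/models/user.rb": "class User\n  # TODO: validate email format\n  def email; @email; end\nend\n",
    "lib/parser.js": "function parse(s) {\n  // FIXME handle empty input\n  return s.split(',');\n}\n// HACK: global state\nvar cache = {};\n",
    "src/main.c": "#define DEBUG 1\nint main(void) { return 0; }\n",
}


def scan_files(files: Dict[str, str]) -> List[Dict]:
    """Scan every file in the sample and collect the issues in path order."""
    return [issue for path, text in files.items() for issue in find_fixmes(path, text)]


if __name__ == "__main__":
    # A real engine walks /code and reads include/exclude paths from
    # /config.json; this example scans the in-memory sample instead.
    sys.stdout.write(serialize(scan_files(SAMPLE_FILES)))
```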

    Pass/Fail PRs Based on Analysis

    One of the most effective ways to incorporate Code Climate into your team's workflow is via our GitHub pull request integration. We'll analyze each PR that you open, and update its status -- right in the GitHub UI -- based on what we find.

    Today we're excited to announce a significant improvement to how this integration works. After we analyze a PR, we will now fail it if we find one or more new quality, security, or style issues. If none are found, the PR gets a green-light from Code Climate!

    Failed PR

    We’ll analyze every PR you open, and give you direct feedback on the code's overall health. Just like you wouldn't merge a PR that was failed by your CI, you might not want to merge a PR that introduces a new quality, security, or style issue. We'll give you all the information you need to make those types of decisions!

    This change is only available to repositories on our new engines-based Platform. To use this new functionality, ensure that our PR integration is enabled on your project.

    The Code Climate Platform

    Today we’re excited to announce the Code Climate Platform: the first open, extensible platform for all types of static analysis.

    What does this mean? First, we’re open sourcing our analysis tools, including the engines and algorithms we use to evaluate code.

    We’re also enabling anyone to write static analysis engines that run on our servers by following a simple specification. No longer will you have to wait for us to provide support for your programming languages, frameworks and libraries of choice.

    Finally, using our new Code Climate CLI, you can now run any Code Climate-compatible static analysis on your laptop – for free.

    You can read all about it on our blog. We’d love to hear what you think!

    Line-by-Line Coverage Breakdowns

    When it comes to test coverage, context is king. Knowing a file's overall coverage percentage is certainly helpful, but it's not necessarily actionable. What you really want to know is which individual lines of code aren't covered by any tests.

    Code Climate can help here, as our recently released Coverage page now links to line-by-line coverage breakdowns for each file.

    Test Coverage View

    Within the breakdown, green lines are covered by at least one test, while red lines aren't covered at all. Unshaded lines are not testable.


    If you're not already sending us your test coverage data, now's a great time to start! Just follow the set up instructions in our help doc. If you run into any trouble, or have any feedback, let us know.

    New Test Coverage View

    Test coverage is important to our users, so we have recently been doing some work to improve the user experience around reporting and viewing coverage information. The first step is a brand new view for your test coverage results:

    Test Coverage View

    In addition to displaying the overall test coverage for your project, we now provide statistics for test coverage per file, including coverage percentage, the number of covered and missed lines, and average hits per line.

    More information means smarter development, so enjoy the new view!

    Introducing .codeclimate.yml

    You can now set both exclusions (code you don't want us to analyze) and language settings (which programming languages you want us to scan) in a configuration file. Introducing .codeclimate.yml.

    To get started with this file -- plus see a sample .codeclimate.yml file -- check out our help doc.

    Stay tuned for more options, values, and thresholds that you'll be able to set within this file. If you have any feedback, or if we can help with anything at all, let us know.

    Analysis for .inc and .module Files

    We now analyze more PHP code! In addition to .php files, we now analyze PHP found within .inc and .module files as well.

    Code Page

    There's no set up required on your end. These files will automatically be analyzed in all future commits that you push. As a result, note that your GPA may change.

    Let us know if you have any feedback or bump into issues that we can help with.

    Analysis Engine Upgrade

    Today we upgraded all repositories to a new version of our analysis engine. As a result of this upgrade, Code Climate will skip one analysis for all projects, for the commit following the upgrade. For this commit only, no new Feed items will appear and no email or chatroom notifications will be sent. Everything will return to normal for the following commit that is pushed.

    We're sorry for any inconvenience here. For most upgrades that we perform, skipping a commit won't be necessary. Today's upgrade however -- which was primarily aimed at hardening our security practices -- was outside of our normal upgrade procedure. Future upgrades should be seamless, without skipped analyses.

    If you have any questions or concerns, please let us know. Thanks!

    New Badge Format: reStructuredText

    You can now share your Code Climate GPA and test coverage percentage via reStructuredText badges! We've just added this badge format to the others that we support, which include HTML, Markdown, Textile, and RDOC.

    To grab the badge for your project, see our help doc.

    Improved PR Integration: Analysis Summaries

    Today we're excited to announce an important improvement to our GitHub pull request integration. After analyzing a PR branch, we'll now post an analysis summary right into the PR's status in GitHub.

    PR Analysis Summary

    This summary shows you an overview of what changed. Did existing issues get resolved? Did new issues get introduced? We'll let you know. And if the summary suggests that further investigation is warranted, just click the status' Details link to view our complete analysis of the PR branch.

    For right now, all of our PR status updates will be green/passed. That said, stay tuned for more improvements to our PR integration down the road!

    Tip: If your repository's PR integration is currently configured to get our comment (instead of our status update), we highly recommend switching. Our status update will sit nicely alongside any other services that post to the PR (like those from your CI), so everything will be in one place for you to easily review. In addition, since we consider the status update the preferred configuration, we don't plan to make any future changes to our PR comments. If you need help switching, see our help doc, or drop us a line and we'll switch it for you.

    Code Climate for Python in Public Beta

    We're excited to announce that we now support Python! The following features are now available to all users:

    • Python Letter Grades. Based on Code Climate's analysis of your Python codebase, we'll assign a letter grade of A through F to each file.

    • Blended GPA. Your GPA for the repo will take into account all languages that we analyze in the repository. If your Python repository contains JavaScript code, we'll analyze that too.

    • Series of different checks. We'll check your Python code for complexity, duplication, and code clarity issues. More checks are planned!

    Quick Tour!

    Your Python repository's Feed tracks your codebase as it changes:


    Catch Python smells, like complexity and duplication:


    Compare feature branches against your default branch:

    Ratings tab

    Python analysis is available now for all new repositories. Add your project today, check out our analysis, and let us know what you think!

    Stability Improvements for PR Integration

    Just a quick note that we've recently made some important stability improvements to our GitHub pull request integration. These changes were primarily aimed at a few edge-cases and known issues, which sometimes caused our PR status update to get perpetually stuck in a yellow "pending" state (even after our analysis successfully completed). We've addressed that issue, plus a few others.

    We've also put together a detailed help article on troubleshooting possible configuration issues with this integration. If you're not seeing any comment or status update from us on your PRs, stepping through this troubleshooting article should help identify and resolve the problem.

    If you bump into any issues here, or if there is anything else that we can help with, please let us know.

    Working with GitHub's 3rd-Party App Restrictions

    GitHub has recently released a new feature called third-party application restrictions. While you can read all about it via GitHub's blog, the basic idea is that organizations can now create a whitelist of approved applications, giving them tighter control around which third parties can access their data.

    Code Climate works great with this new GitHub feature. If you choose to enable third-party application restrictions, you'll want to whitelist us so that we can continue to access your data.

    Third-Party Application Restrictions

    It's important to note that enabling this feature in GitHub automatically disables all SSH keys that were created before February 2014. As a result, today we'll be automatically replacing our older SSH keys for any GitHub-hosted repositories added to Code Climate. For each repository, we'll remove our old key and add a new one. If this affects you, admins in your GitHub organization/account will receive emails from GitHub, letting them know that a new key was added.

    In some cases, it won't be possible for us to automatically replace the key. For example, if no members of your Code Climate organization are GitHub-linked, we won't have sufficient permissions to swap in a new key. In this situation, Code Climate will only lose access to your repository if you added it before February 2014 and you also enable third-party application restrictions in GitHub. Not to worry though, we'll email you if we can no longer analyze your project, with instructions on how to fix the problem.

    If you have any questions about this change, or if any issues pop up, we're always here to help.

    GPA Stats for Branch Comparisons

    Before merging, we'll tell you if a branch is going to help or hurt your overall code quality. To make this process even easier for you, we've recently added some helpful GPA stats to the top of our branch comparison page. You can now see if merging a branch will affect your project's GPA, and -- if so -- by how much.


    To be fair, it's actually more accurate to say that we've recently re-added these GPA stats to the page! They disappeared a while back after we redesigned our comparison page. While the overall feedback we got on our redesign was positive, one thing we heard loud and clear was that the GPA needed to be resurrected, and now it is.

    For large- or even medium-sized repositories, we don't expect a GPA to change much (or at all) for any branch, and that's primarily the reason that we removed the GPA stats to begin with. For smaller repositories though, or for branches that introduce a lot of change at once, GPAs do sometimes change for a single branch. To account for all situations, and to give you all of the info that you need to merge with confidence, the GPA stats are now back!

    Dedicated Pages and Badges for OSS Orgs

    We now have a dedicated page for each GitHub organization, which lets you track all of the organization's repositories that are being analyzed by Code Climate. You can see each project's GPA and test coverage percentage, and you can quickly jump into the project's analysis via its link. It works for GitHub users as well!

    Org Page

    We also now have badges that point back to an organization/user's page in Code Climate. You can grab the badge's embed code (see below) and then insert it into your top-level project in GitHub. This gives everyone a quick and easy way to see the Code Climate stats for all of your repositories.

    Org Badges

    We love OSS! If you haven't added your open source projects to Code Climate yet, now is a great time to do so!

    Redesigned Badges

    Your GPA and test coverage badges now look better than ever! We just released a redesign that flattens the badges out and spruces them up.

    This new badge style is available now for all repositories. To access your repository's badge embed snippet, follow the instructions in our help article.

    Redesigned Branch Comparison Page

    Every commit either improves or degrades the quality of your codebase. The key is to know which changes are positive versus negative, and that's exactly what our branch comparison page is designed to help you do.

    Today we're excited to announce a complete redesign of this page that gives you a deeper and more actionable comparison. Most importantly: You can now see an exhaustive list of issues in the branch (along with their code), plus easily identify which issues are better or worse, brand new or resolved.

    Issues versus Ratings

    The page is now broken up into two tabs. The Issues tab is the focal point, showing you every issue in the branch.

    Issues Tab

    For each issue, we'll show you detailed information, including:

    • Type: Exactly what the problem is (e.g. "very high overall complexity").
    • Code: The lines of code causing the issue (if relevant).
    • Comparison: An indication of whether the issue has gotten better or worse in the branch. Alternatively, we'll also flag which issues are brand new, plus show you issues that the branch actually resolves.
    • Documentation: Click the "book" icon for a description of the issue, plus feedback on how to address it.

    Also, switch over to the page's Ratings tab to see how the letter grades for each class, module, or file have changed. This gives you a different perspective of the branch, visualizing which overall areas of your codebase have changed, as well as which areas need the most work.

    Ratings tab

    Tip: Want to get hands on right away with our new branch comparison page? Check out this open source project.

    Pull Request Integration

    If you haven't yet set up our GitHub pull request integration, now would be a great time. We'll update each PR you open, linking it back to the matching branch comparison page. This shows you exactly how any given PR will affect your code quality.

    If we can help you set up this integration, or if you have any questions or feedback about our redesigned branch comparison page, we'd love to hear from you.

    Easily Manage Permissions with Teams

    Today we're releasing a better way for you to manage users and permissions on Code Climate. Introducing: Teams.

    Using teams, you can quickly and easily configure repository access to many users at once. If you've used GitHub's Teams feature before, Code Climate's Teams should be very familiar.

    You can also use Teams to create more streamlined dashboards for your developers, allowing them to focus on the repositories they care about most.

    How does it work?

    Teams are managed in the Teams tab of your account's settings. From here you can add and remove teams, add and remove developers from teams, and add and remove repositories from teams.

    Teams Page

    Need to make changes to a single developer’s access to multiple teams at once? You can do that too. A developer’s teams can be edited in the People tab under your account.

    User Settings

    We're rolling out Teams now to all accounts, on all plans.

    If you're an admin, you can start setting up your teams by clicking Manage Team Members on your Dashboard. By default, your existing users will be automatically migrated into teams that respect your current permission settings.

    As always, let us know what you think.

    ES6 Support, JSHint Upgrade, PHP Fixes, and More...

    Our JavaScript and PHP analysis just got better. Today we're excited to announce some significant updates, which enable us to handle more types of code and provide deeper analysis for these languages.

    ES6 Support

    We now support ECMAScript 6 syntax, such as named/default exports/imports, and more.

    While ES6 is not yet widely used in client-side applications, it is increasingly important for server-side applications. As such, we're excited to now support it.

    JSHint Upgrade

    Our JavaScript linting analysis is implemented via JSHint, which we've now upgraded from version 2.1.10 to 2.5.8. As a result, we now support significantly more JSHint options (like freeze and nonbsp to name a couple). By adding these options to a .jshintrc file (within any folder of your repository), you can customize the types of linting and style issues that we'll flag.

    As an added bonus: We also now support inline JSHint configuration, allowing you to customize our linting analysis without the need for a .jshintrc file. For example, you can now add the following directly to your source: /* jshint undef: true, unused: true */

    Other Changes

    • PHP Improvements: We've implemented a series of updates and changes to our PHP parser, which improve the analysis and resolve some known parsing issues. Specifically, we've leveled up our parser's ability to handle very complex PHP code and we've improved our ability to identify which issues have changed between commits. As a result, some PHP grades and GPAs may change to be more accurate and you should also see better and deeper PHP analysis.
    • JavaScript LOC Counts: We've modified our line counting algorithm to exclude JavaScript comments from the number of lines. While this won't affect the number or kinds of issues we identify, your ratings and GPA may adjust based on the new number of lines now reported for your files.
    • JavaScript Shebangs: Previously, Code Climate would ignore executable JavaScript files that began with #! (which are often found in Node.js apps). We've now added support for these files.

    All of these changes are in the process of rolling out, and we expect all repositories to be updated by week's end.

    As always, if you have any feedback, or run into any issues, let us know.

    Redesigned Issues Page

    Solid analysis is not only meaningful and accurate, it's also presented in a way that is easy to parse and highly actionable. As we add more types of quality and security checks (like the 19+ checks we recently added for PHP), finding the right way to lay out this data becomes both more challenging and more critical.

    This is a topic we've been thinking a lot about recently. In doing so, we identified that the existing design of our Issues page fell short of ideal. While it did provide an exhaustive list of the repository's flagged issues, it didn't lay out the analysis in a way that was easy to parse, prioritize, and action.

    Today we're excited to announce an Issues page redesign aimed at improving how the data is presented and organized. Every flagged issue now lives in a category, allowing you to quickly see which types of issues have been flagged and how many issues there are for a particular type.

    New Issue Page

    Clicking on a specific category shows you all issues of that type. From this page you can drill down into the details of each individual issue. For example, you can see the lines of code causing the issue (if applicable). In addition, you can click the "book" icon to get detailed documentation and refactoring help. Furthermore, if you want to quickly bounce to another issue type, you've got the sidebar on the right.

    Issues Category Page

    While your Feed page is aimed at visualizing how your codebase is changing over time (i.e., getting better or worse with each commit), your Issues page displays every last issue we've flagged. While we don't necessarily recommend combing through this exhaustive list and resolving every last one, it is helpful to identify what's been flagged and what needs to be addressed. Our new design will hopefully make this process easier.

    As always, we'd love to hear your feedback.

    19 New PHP Checks

    Last Tuesday we announced 8 new PHP checks, and promised more were on the way.

    Today, we're releasing 19 new checks, which identify security, logical and clarity issues in your PHP code. Each new check is outlined below, by category.

    Security

    • Changing PHP configuration dynamically

      Some PHP functions are able to dynamically change properties of the system while running. Doing so can make assumptions about the structure and configuration of the running environment, limiting portability and creating potential security and performance issues.

    • Using debug functions

      The information provided by debugging functions may inadvertently make private information public, which is a security risk.

    • Changing the error display levels at runtime

      The error reporting level should not be changed at runtime as a consistent method should be used throughout your application to prevent accidental data leakage.

    • Using echo with file_get_contents

      The file_get_contents function reads the contents of a file into a string. Because this requires accessing files on the server's file system, it is already necessary to use caution when using this function in application code. When combined with the echo function, code that has been read from the file system with file_get_contents is now being displayed, which creates a security risk.

    • Using *parse_str functions

      While these are convenient for evaluating query parameters into in-memory variables, these functions have potential security and clarity issues and should be avoided where possible.

    • Usage of the passthru command

      This method should be very selectively used because of potential security and performance issues.

    • Using /e in regular expression modifier

      The /e regular expression modifier has been deprecated for security reasons. Using it has the dangerous side effect that the resulting string from the regular expression is evaluated as code.

    • Using the superglobal $_REQUEST

      Since this variable combines various data from user input, it can lead to data loss as well as Delayed Cross Site Request Forgery and Session Fixation vulnerabilities.

    • Usage of script-delaying functions

      Delaying the completion of a script opens your system up to Denial of Service (DoS) attacks as it ties up server resources for the duration of the script, putting you at risk for exceeding your available PHP processes, database connections, and other server resources.

    • Usage of the system command

      This method should be very selectively used because of potential security and performance issues.

    Bug Risk

    • Not using the identical operator when comparing booleans

      Failure to use the identical operator (===) when comparing booleans can lead to unexpected results.

    • Usage of exit or die

      Usage of these calls tends to result in poor user experience, hard to re-use code, and in some cases, inadvertent exposure of sensitive information.

    • Use of deprecated $http_raw_post_data

      Code that relies on $http_raw_post_data will eventually fail in future versions of PHP. Additionally, because $http_raw_post_data depends on a special ini directive in order to be populated, using it decreases the portability of your program.

    Clarity

    • Using more than one class per file

      Keeping one class per file ensures a clean, understandable file structure.

    • High cyclomatic complexity

      Cyclomatic complexity correlates the number of potential pathways through a given unit of code with complexity: a unit of code with a lot of potential pathways will have a high cyclomatic complexity score.

    • Long classes

      The longer a class is, the harder it is to break down, test, and adequately express with a great name. Classes that are long will grow over time and become harder to manage, so it is usually a worthwhile investment to simplify classes by refactoring into smaller, more discrete units of functionality.

    • Long methods

      Methods that are too long are error prone, hard to understand, difficult to test, and tend to grow in size over time. All of these issues are design related and documenting, testing, and breaking down large methods into smaller ones is one of the best ways to simplify class structure and clarify design.

    • Long variable names

      Using excessively long variable names makes code difficult to scan easily and can be confusing. Long variable names are also a hassle to type and are prone to typos.

    • Short variable names

      Short variable names convey too little information at best and are confusing or error prone at worst. Using an abbreviated or meaningless name for a variable destroys its intent-conveying purpose, which can make code difficult to read and debug.

    More PHP Checks

    New PHP Checks

    Today we're excited to release our first new PHP analysis checks since launching our PHP public beta.

    Working with early customers and developers in the PHP community, we've focused on creating checks that flag a number of specific, impactful and actionable issues related to code clarity, security, compatibility and potential for bugs.

    In addition to complexity and duplication, Code Climate now checks your PHP code for:

    • Non-standard PHP opening tags

      Non-standard PHP opening tags such as <%, <? or even <script language="php"> are less portable than the standard, recommended <?php tag.

    • PHP closing tags

      Using PHP closing tags is prohibited by many style guides, including PSR-2, Zend Framework, Symfony, and CodeIgniter. By omitting the closing tag you can avoid a common class of bugs which cause malformed or just plain broken responses.

    • Eval use

      Just say "no" to eval. Using eval inevitably leads to insecure, slow, and hard to follow code.

    • Superglobal use

      Direct access to superglobals such as $GLOBALS, $_GET and $_ENV can create both maintainability and security problems. For these and other reasons many PHP frameworks wrap superglobals in a Request object.

    • Classes with too many public methods

      A class with an excessive number of public methods has too many responsibilities and is a coupling liability that can be difficult to refactor.

    • Short method names

      We'll flag any method names that are 1-2 characters long. Short method names convey too little information at best, and are confusing or error prone at worst.

    • Error suppression using @

      Placing an @ symbol before an expression in PHP suppresses any errors generated by that expression, including fatal errors. This makes debugging code difficult, and goes against the best practice of gracefully handling errors.

    • Non-uppercased constants

      The PHP manual, along with PHP-FIG's PSR-1, recommends that the names of constants should always be uppercase. This makes them easy to identify and easier to scan for when reading the code.

    • Too many arguments to a method

      Methods or functions which take too many parameters are inconvenient and error-prone for consumers of the code and are confusing in terms of design. This check previously existed, but we've tuned and calibrated it to be more strict.
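
    As an added illustration of the checks listed above (this is not Code Climate's PHP analyzer, which works on a parse tree rather than on regular expressions), here is a small Ruby checker that applies the opening-tag, closing-tag, eval, superglobal, error-suppression and constant-naming rules to a constructed PHP snippet. The check names, the `check_php` function and the two sample inputs are assumptions made for this example.

```ruby
# Added example, not Code Climate's own PHP analysis: a line-based checker
# that mirrors the intent of the PHP checks listed above. Regexes are used
# only to keep the example short; a real analyzer works on a parse tree.

SUPERGLOBALS = %w[$GLOBALS $_SERVER $_GET $_POST $_FILES $_COOKIE
                  $_SESSION $_REQUEST $_ENV].freeze

# [check name, pattern], evaluated per source line, in the order the checks
# are described in the text.
PHP_CHECKS = [
  # "<?" that is not "<?php" or the "<?=" echo tag, ASP-style "<%", and
  # <script language=php> openers
  ["non-standard opening tag",
   /<\?(?!php\b|=)|<%|<script\s+language\s*=\s*["']?php["']?\s*>/i],
  ["closing tag",            /\?>/],
  ["eval use",               /\beval\s*\(/],
  ["superglobal use",        Regexp.union(SUPERGLOBALS)],
  # "@" in front of a variable or call, but not the "@" inside an e-mail
  # address (preceded by a word character); docblock lines are skipped below
  ["error suppression",      /(?<![\w@])@\s*\$?\w+/],
  # define('name', ...) or "const name =" with a lowercase letter in the name
  ["non-uppercased constant",
   /\bdefine\s*\(\s*['"](?=[^'"]*[a-z])[^'"]+['"]|\bconst\s+(?=\w*[a-z])\w+\s*=/],
].freeze

# Returns an array of { line:, check: } hashes, one per rule a line violates.
def check_php(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    stripped = line.strip
    # Skip comment lines so docblock annotations such as "@param" are not
    # reported as error suppression.
    next if stripped.start_with?("//", "#", "/*", "*")

    PHP_CHECKS.each do |name, pattern|
      findings << { line: lineno, check: name } if line.match?(pattern)
    end
  end
  findings
end

# Constructed sample input that trips every check once (line 4 trips two).
SAMPLE_PHP = <<~'PHP'
  <?
  // constructed sample: each line below is chosen to trigger one check
  define('max_items', 10);
  $user = @$_GET['user'];
  $result = eval('return ' . $user . ';');
  echo $result;
  ?>
PHP

# Constructed sample written the way the checks recommend: nothing reported.
CLEAN_PHP = <<~'PHP'
  <?php
  const MAX_ITEMS = 10;
  $user = $request->get('user');
  echo htmlspecialchars($user);
PHP

if __FILE__ == $PROGRAM_NAME
  check_php(SAMPLE_PHP).each { |f| puts "line #{f[:line]}: #{f[:check]}" }
  puts "clean sample: #{check_php(CLEAN_PHP).size} findings"
end
```

    Running the script reports one finding per line of the first sample (two on the line that both suppresses errors and reads `$_GET` directly) and nothing for the second, which uses the `<?php` tag, an uppercase constant, a Request wrapper and no closing tag.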

    Stay tuned, we've got more checks on the way.

    Support for Ruby 2.0 Syntax

    We've recently implemented a series of infrastructure changes that streamline our ability to upgrade internal analysis tools. What does this mean for you? More new features on a regular basis!

    First up on this list: across-the-board support for Ruby 2.0-specific syntax. For example, we now support 2.0 features like optional keyword arguments and using %i and %I as symbol array literals.

    A few things to note:

    • For Ruby-based repositories, you may see new classes/modules show up in our analysis. This would occur if we were previously unable to analyze a file due to 2.0-specific syntax. As a result of new files being analyzed, your overall GPA may change.
    • We don't yet support Ruby 2.1-specific syntax (like required keyword arguments). We hope to add support for this soon.
    • If you took part in our beta Ruby 2.0 upgrade, you won't see any changes. We'll continue to parse your 2.0 (and lower) syntax as we have been.

    All repositories have been upgraded. If you have any questions or feedback, we'd love to hear it.

    Improved Performance

    One of our primary goals is exceptional performance. We expect all aspects of Code Climate -- from our analysis to integrations to notifications -- to run at breakneck speeds.

    A few weeks ago, we started to see slower than acceptable performance in two important areas:

    • Test coverage: Delays were occurring between when we received test coverage payloads and when we processed and displayed them.
    • GitHub pull requests: After a pull request was opened, too much time was passing before we analyzed the branch and applied our status update/comment.

    We are happy to announce today that we've resolved these two issues. By adding a new server and making significant optimizations, we've been able to return these aspects of Code Climate to our expected level of performance. For both test coverage and pull requests, all Code Climate work should complete in minutes. If you are seeing otherwise, please let us know.

    To those that experienced these delays: sorry for the trouble and thanks for sticking through them. We understand the importance that speed plays in a solid dev tool and we'll continue pressing towards extremely high performance standards.

    Easily Change Account Ownership

    Each Code Climate organization has a designated owner. In the past, changing the owner meant writing in to Code Climate Support. No more, as this can now be done in a few quick clicks.

    Change Owner

    For more information, check out our new help article on this topic.

    SVG Badges

    Want to show off your Code Climate badges on Retina displays? Now you can!

    We've upgraded all of our badges to the Scalable Vector Graphics (SVG) format. Our badges are now resolution-independent, fully scalable and crystal clear!

    Our new SVG badges are available for all repositories. To access your repository's badge embed snippet, follow the instructions in our help article.

    Expanded Documentation

    A couple of months ago, we identified the areas of Code Climate that needed documentation the most. Since then, we've added 48 new help articles across 95 new pages! Chances are, if you need help, the docs now have you covered!

    Docs Site

    Here are some highlights:

    But we're not done yet! Coming soon:

    • Better documentation on test coverage, integrations, and how our quality and security analysis works.
    • More troubleshooting and FAQ articles.
    • Videos!

    You can access our documentation by clicking Docs at the bottom of virtually any Code Climate page.

    Docs Link

    New Help & Support Form

    We've made it just a little easier to reach out to our Support Team!

    Instead of firing up a new email, visit our new Help & Support form. Use this form to contact us about any and everything. We're here to help!

    To access the form, click Help at the bottom of virtually any Code Climate page.

    Help Button

    Improved PHP Analysis

    In June, we were excited to release PHP to a public beta! Since then, one of our primary focuses has been improving and expanding our PHP analysis. As a milestone towards that goal, Code Climate will now flag PHP functions with a high number of parameters.

    Code View

    In addition, we've also tuned and calibrated our PHP method complexity analysis. As a result, don't be surprised if some of your PHP methods are more strictly graded.

    These changes are already available for all PHP repositories that were added in the past week, as well as those added from now on. For older PHP repositories, we have plans to roll out these changes soon, but drop us a line if you want them enabled now.

    Unsubscribe from Repository Emails in One-Click

    One of Code Climate’s primary focuses is to provide visibility into how your codebase is changing over time. One way we achieve this is via repository email notifications that alert you to quality and security analysis events.

    Users have long been able to opt in/out of email notifications on a repository-by-repository basis. To make the opt-out process easier, we've added a simple "unsubscribe" link to all repository emails.

    Repository Unsubscribe

    It's as easy as it looks! Click the link and voilà: no more emails for that repository! Use this link to ensure you're only receiving alerts for repositories you care about.

    Show Off Your Test Coverage Badge

    We've made some interface tweaks to ensure our test coverage badges are easy to find and simple to embed!

    On a repository's Feed page, both the GPA and test coverage badge now appear under the GPA wheel.


    Click one of the badges to visit the repository's Badges settings screen. From here you can quickly grab various flavors of embed snippets for both the test coverage badge (shown below) and the GPA badge.

    Test Coverage Badge Snippets

    Easily Audit 2FA Statuses for All Team Members

    The recently streamlined Team Members page makes it easier than ever to enforce two-factor authentication (2FA) in your organization. At a glance, see which of your team members have (and have not!) enabled 2FA for their Code Climate login.

    Team Members

    In addition, from this screen you can see who is an owner or administrator, as well as add, remove, and edit a user.

    To check out the new Team Members page, log in as an organization administrator, click the Settings link for your account, and select the Team Members tab.

    Integrations Now Open Source

    Is there a third-party integration that you'd love to see in Code Climate? Are you dying to tweak one of our existing integrations (e.g., Slack, Campfire, HipChat)?

    If so, great news! Our codeclimate-services repository is now open source and ready for your pull request!

    For more information, see the README, which includes implementation details plus specifics on how to contribute. If you have any questions, drop us a line at hello@codeclimate.com.

    Code Climate for PHP in Public Beta

    Code Climate is excited to announce that PHP is now in public beta!

    The following features are now available to all users:

    • PHP Letter Grades. Based on Code Climate's analysis of your PHP codebase, we'll assign a letter grade of A-F for each file.

    • Blended GPA. Your GPA for the repo will take into account all languages that we analyze in the repository. If your repository contains JavaScript code, we'll analyze that too.

    • PHP Test Coverage. Set up our php-test-reporter package within your PHP test suite to view test coverage data side-by-side with Code Climate's quality analysis.

    Quick Tour!

    Your PHP repository's Feed tracks your codebase as it changes:

    PHP Repository Feed

    Compare feature branches against your default branch:

    PHP Branch Comparison

    Catch PHP smells, like complexity and duplication:

    PHP Duplication

    Code Climate now automatically analyzes PHP files for all new repositories going forward. If you have an existing repository, you may need to go into your repository's Settings menu and select PHP in the Analysis tab.

    While we're always eager to hear your thoughts, we're especially interested in feedback on our new PHP analysis. Give us a shout at hello@codeclimate.com!

    Select who comments on your Pull Requests

    Code Climate currently has a couple of ways to integrate with Pull Requests on GitHub. You can elect to update the Pull Request "status" -- which will turn green when Code Climate has finished its analysis -- and/or you can elect to have a comment added to the Pull Request.

    Previously, if you chose the latter, Code Climate automatically selected an eligible user to do the commenting. Understandably, customers asked for more control and we're happy to provide that: you can now select the user who comments.

    Select the user who comments on a PR

    In order for Code Climate to post a comment as a user, that Code Climate user must have linked their GitHub account. Users who aren't GitHub-linked won't appear in the list. If the user you want isn't listed, have them link their GitHub account first; you'll then be able to select them.

    Enjoy the new feature. We're doing more work to improve our Pull Request integration, so stay tuned.

    Associate a message with a False Positive

    We've been hearing from a lot of teams that while being able to mark a false positive is valuable, it's difficult for developers or an application security team to look over previously marked false positives and understand the context. We've always told you which developer marked it as a false positive, but even the developers who marked them may not remember the logic that led them to believe that a particular vulnerability was a false positive.

    Associate message with false positive

    To address this we now allow you to (optionally) associate a message with a false positive. The reason appears next to the false positive when you browse your listing of false positives.

    Multiple Language Support

    By popular request, we now support analysis of multiple languages within the same repo. With multiple languages, you'll have a single GPA that reflects the quality of all analyzable code in your repo, and be able to apply repository settings in one place.

    To select the languages you want analyzed, click the Settings gear -- either on your dashboard or in the repo navigation -- click the checkboxes, and then "Save".

    Multiple Language Analysis

    We hope you enjoy this consolidation, but of course, if you prefer separate GPAs, you can still maintain separate repos for each language.

    One advantage of this new system is you can reduce the number of repos in your account. If you are running up close against your repository quota, this will give you a bit more headroom.

    Login with GitHub

    You can now log in with GitHub! If you signed up with an email address and password, just link your account to GitHub and you can log in with one click!

    github login

    We also rolled out a new design for all of Code Climate. Each page should be a little bit cleaner and easier to read. There are a few other design changes which will roll out in the next week or two.

    Asana Ticket Integration

    Code Climate recently added JIRA to our list of supported ticket/issue trackers. Today we're happy to announce another new third party integration for a very cool project management service: Asana.


    Once you've set up the integration, clicking on the ticket icons in Code Climate will create and redirect you to a task in Asana.

    JIRA Ticket Integration

    In addition to offering external integrations with chat services, Code Climate has been working hard on expanding the group of issue/ticket trackers that we integrate with as well.

    Today we're happy to announce that we're shipping support for Jira, a very popular tool that is often requested by our customers.


    Set up your Jira account, and then you'll be able to create tickets based on quality and security issues in your repos.

    Enjoy, and stay productive!

    Test Coverage Now Free for Open Source

    Code Climate has been working hard to expand our offering for open source projects to more closely match the features of private, paid accounts.

    In that vein, Code Climate now offers the same support for test coverage to open source Ruby or JavaScript projects hosted on GitHub. By sending test coverage data to Code Climate, open source maintainers and contributors will now be able to see, on a line-by-line basis, how coverage for a class or file relates to its quality.

    For example, you can view which complex methods in a class are covered and not covered by tests.

    Complex Uncovered

    Complex Covered by Tests

    To set up coverage for an open source project, sign up for Code Climate with GitHub, click Settings, and then click Test Coverage for further instructions.

    Test Coverage for JavaScript projects

    Code Climate now supports test coverage for JavaScript projects. While the setup for JavaScript projects is different, the end result is the same: Code Climate displays coverage statistics on a file and project basis and can overlay line by line coverage information over your existing quality information.

    As with Ruby projects, source code listings have two highlighting modes controlled by the toggle at the top of the listing: the first where quality data is shown as the primary color:

    Source Listing with Coverage

    ... and the second where coverage data is the primary color:

    Source Listing with Quality

    To report test coverage data to Code Climate, install Code Climate's NPM package and pipe your test coverage data to the provided script (ensuring you set your per-repository repo token):

    $ CODECLIMATE_REPO_TOKEN=427acacbc7af8c736b1870edf664822b5737f794a730eda5d646926576e26e15 your-script | codeclimate

    Full instructions, including your repository's token can be found by clicking on your repo's settings and then navigating to the Test Coverage section.

    New: Configure your Open Source repos

    Open source project maintainers can now manage their OSS repos on Code Climate, just like they can with private repos. After using our new Sign Up with GitHub feature, just click the "Settings" link for your project:

    Open source settings

    Then, you'll be able to configure things like Exclude Patterns, as well as chat integrations, ticket integrations and more -- all from your dashboard:

    Exclude patterns

    Code Climate has always been free for OSS and we’re really excited to unify the open source and private experiences. We hope you like it!

    New: Sign Up with GitHub to track Open Source projects

    Now it's easy to have your own Code Climate dashboard to keep track of Open Source projects you care about, even if you’re not a member of a private account. Just use our new "Sign Up with GitHub" button:

    Sign Up with Github

    After authenticating, you can immediately start adding and monitoring OSS repositories:

    Personal dashboards for OSS.

    As with all of our Open Source support, this is 100% free forever. We'll even automatically star any OSS repos for which you're an admin that are already on Code Climate.

    New: Track open source projects from your dashboard

    Code Climate customers can now keep track of the open source projects they care about right from their dashboard.

    Go to the Code Climate page for an open source project and click the Star button in the top right:

    Starring an open source repo.

    The repo will now be listed in the new Open Source section at the bottom of your dashboard:

    Track OSS projects on your dashboard.

    Many of you have asked for a way to keep close tabs on the open source projects you care about, so we’re especially excited to add this functionality.


    New: Sort by test coverage

    By popular demand, you can now sort the classes listed under the "Code" tab by their test coverage by clicking the header:

    Sorting by test coverage

    New: Test coverage on the dashboard

    Taking advantage of our new dashboard design, we have added an easy way to see your latest test coverage information:

    Test coverage on dashboard

    Note: Right now test coverage is available for Ruby repositories within an Account. It just takes a few minutes to set up. We are working on supporting test coverage for JavaScript as well as for OSS repos.

    New: One-Click Exclude File from Analysis

    Code Climate has always allowed you to exclude files from our analysis by editing the "exclude patterns" under your repository settings.

    This is great if you want to apply some large sweeping ignore patterns across your repo without specifying each file one by one, but less convenient for those "one-offs" you discover while browsing around Code Climate. Now it's easy. Simply:

    1. Go to the file you want ignored
    2. Click the "Hide" button in the upper right.

    The file will be excluded from the next analysis that is run on Code Climate:

    Exclude File

    (Note: You must be an admin on your account to specify files to ignore.)

    Security Monitor Improvements -- February 2014

    Last week we rolled out a number of improvements to Security Monitor, which will make scans more accurate, more comprehensive, and much quicker than previously. In addition to the speed improvements, here's a list of some of the specific improvements that were rolled out:

    New Checks

    • If you're in danger of showing stack traces to end users, you will get a warning in a new category "Information Disclosure". For example, consider_all_requests_local should be set to false in production.
    • XSS vulnerability in the i18n gem. When the gem is unable to provide a translation for a given string, it creates a fallback HTML string which can contain user input in some configurations.
    • Denial of service vulnerability in some versions of Rails in which specially crafted headers are cached indefinitely.
    • Certain calls to the number_to_currency helper make applications vulnerable to an XSS attack. Specifically, the method's "unit" parameter was not being escaped properly.
    • Calls to simple_format which supply HTML attributes can be vulnerable to an XSS attack in some versions of Rails:

      simple_format(some_text, class: params[:class])
    • Looks for unsafe uses of the strong parameters permit! method that could expose a mass assignment vulnerability when models aren't properly protected:

      attributes = params.permit!
      @user = User.new(attributes) # mass assignment vulnerability
    • SSL verification bypass, where verify_mode on HTTPS connections is set to OpenSSL::SSL::VERIFY_NONE. Bypassing SSL verification leaves these connections vulnerable to man-in-the-middle attacks.

    • Many more SQL injection checks, including when raw connection objects are used and when unsafe values are passed to delete_all and destroy_all calls.
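
    To show what the permit! check above is protecting against, here is an added example (not Security Monitor's own code) with a minimal stand-in for Rails strong parameters: `permit!` hands every client-supplied key to the model, while `permit(:name, :email)` keeps only the attributes the sign-up form is meant to set. The Params and User classes, the two build_user_* helpers and the request body are assumptions made for this example.

```ruby
# Added example, not Security Monitor's own code: a minimal stand-in for
# Rails strong parameters that shows why a bare `params.permit!` is flagged.
# Params, User and the two build_user_* helpers are names assumed here.

class Params
  def initialize(hash)
    @hash = hash
  end

  # Mirrors ActionController::Parameters#permit!: every key the client sent
  # is marked permitted, including ones the form never offered.
  def permit!
    @hash.dup
  end

  # Mirrors #permit(*keys): only the whitelisted keys survive.
  def permit(*keys)
    @hash.select { |key, _| keys.include?(key) }
  end
end

class User
  ATTRIBUTES = %i[name email admin].freeze
  attr_reader(*ATTRIBUTES)

  # Assigns every known attribute it is given; admin defaults to false.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |key, value|
      instance_variable_set("@#{key}", value) if ATTRIBUTES.include?(key)
    end
  end
end

# Flagged pattern: the model receives whatever the request contained.
def build_user_unsafe(params)
  User.new(params.permit!)
end

# Recommended pattern: the controller names the attributes a sign-up may set.
def build_user_safe(params)
  User.new(params.permit(:name, :email))
end

# Constructed request body: a client has added an "admin" field to a
# sign-up form that only asks for name and email.
SIGNUP_REQUEST = Params.new(name: "alice", email: "alice@example.com", admin: true)

if __FILE__ == $PROGRAM_NAME
  puts "permit!: admin=#{build_user_unsafe(SIGNUP_REQUEST).admin}"   # true
  puts "permit:  admin=#{build_user_safe(SIGNUP_REQUEST).admin}"     # false
end
```

    The same request produces an admin user through the flagged path and an ordinary user through the whitelisted one, which is why the check treats permit! as a mass assignment exposure whenever the model itself does not restrict attributes.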

    False Positives

    • Redirects using FriendlyId models as parameters will no longer create redirect warnings.
    • Fewer false positives for command injection when interpolating string literals in commands.
    • No warning on redirects to models created with create/create! methods.
    • Avoids flagging non-ActiveRecord models as having SQL injection vulnerabilities even if method names match ActiveRecord methods (e.g. find_by_sql).


    • Rails versions are detected more accurately than previously.
    • Blocks, especially blocks inside of controllers, are more accurately scanned now.
    • More Ruby code can be parsed than previously because the underlying ruby_parser was updated.

    New: Slack integration

    Slack is a new team chat system that's been growing in popularity these days, and we wanted to make sure it wasn't left out of the Code Climate party. You can now enable notifications from Code Climate to your Slack channel of choice.

    Just head to the repository Chat Integrations page and turn it on:

    Slack integration

    We'll send messages when code quality improves or declines, test coverage changes, or new potential security vulnerabilities are introduced. Enjoy!

    New: Flowdock integration

    Flowdock has been our #1 most requested integration for a long time. We're thrilled to announce that we finally offer native Flowdock support! Just head on over to the new Chat Integrations section for your repositories and set it up:

    Flowdock support

    Like all of our chat system integrations, we'll send messages about quality changes, test coverage, and new potential security vulnerabilities as soon as they hit your master branch.

    New: Per-repo chat integrations

    For the last two years, we've supported sending messages to HipChat and Campfire rooms on key events. The configuration of these services has been at the account level, meaning that each customer could not customize the chat integrations on a per-repository basis.

    We fixed that this week. All of the chat integrations are configured per-repository. This means you can now turn it on selectively on certain repositories, and you can send messages from different repos to different chat rooms.

    Check it out:

    Repo chat integrations

    New: Comments on GitHub Pull Requests

    When we launched our support for GitHub pull requests we leveraged GitHub's commit status API in order to report back to GitHub when our analysis finished.

    We believe this is the ideal user experience, but we quickly hit a problem: Although GitHub stores all commit statuses sent to it, it only displays the last status on the site. Therefore, our customers who used Code Climate in addition to a continuous integration (CI) system did not have a good way to quickly access both directly from GitHub's pull request page.

    Today we are launching a workaround: an option to have Code Climate post back to GitHub as a comment when it finishes analysis, rather than using the commit status API. It's an option in the Repo Settings area:

    Click on Settings

    Then check the box:

    Comment on pull requests option

    With that enabled, Code Climate will post a comment the first time it analyzes a pull request, and include a permalink back to the Branch Compare page:

    Pull request status as a comment

    New Feature: Read Up!

    Today we're launching a feature we are really excited about. We call it "Read Up."

    Since day one, we've always had a goal for Code Climate to help developers learn how to build more maintainable apps. To date, we've done that by providing clear, timely and actionable feedback about what is going on in your codebase, but we've been missing one piece: educational content to help developers make decisions about the information we surface.

    Starting now you'll start seeing the "Read Up" button popping up on the site:

    Opening Read Up

    Click it, and you'll get content about the particular type of issue you are looking at, with references for further reading (both online and in books):

    Read Up content

    We'd love to hear what you think. Also, if you have suggestions for how the content could be improved, please feel free to email us and let us know.

    New: Source Code Annotations

    We've rolled out a bunch of upgrades to our source code listings. Here's an example:

    Source code annotations

    There are a handful of changes you might notice:

    • We've added annotations, so you can see an inline description of the issues that are being identified.
    • You can now filter the types of issues you want to highlight just like you have been able to filter the issues list.
    • We've also restored the indicators for test coverage and smells so you can still see which lines are covered by tests even when highlighting smells. (This got lost when we switched our syntax highlighter.)


    Improved: New Ruby Parser

    We recently started working toward analyzing Ruby 2.x code and in the process have updated the parser used for all of our Ruby code. As a consequence you may see either a change in your GPA or the presence of files that didn't parse before. If you have any questions about the results of your report, please get in touch at hello@codeclimate.com.

    Improved: New Dashboard Design

    We've rolled out a new design for our dashboard. The new design works better for people with lots of repos they are tracking on Code Climate.

    Perhaps more important, the new design structure is a better foundation for future dashboard improvements that we are planning. Stay tuned!

    New dashboard

    New: Coverage badges

    Tonight we shipped out a small but highly requested feature: coverage badges.

    87% coverage

    You can access them in the "Badges" page within your private repo's settings area.

    New: Support For Pull Requests and Branch Comparisons

    Today we're announcing three new, key features to help you see how each of your changes affects your codebase before it’s merged into master:

    • GitHub Pull Request integration
    • Compare view
    • Branch analysis

    Check out our latest blog post for all the details. Here's a quick teaser:

    Code Climate analyzing a Pull Request

    Launched: New Compare View

    Today we’re happy to announce the compare view: one page that provides you with the detailed changes to the quality and security of your code between two commits.

    Links which used to take you to your repository’s feed, or to the view for a single class have been replaced with a much richer and more focused view of your work.

    Compare View

    In the screenshot above you can see the main features of our new compare view. We show you:

    • Your overall GPA as well as the change in your GPA
    • New and fixed vulnerabilities for the range
    • Grade changes for constants or files
    • Fluctuations in code smells -- better, worse, new or fixed

    Compare View Detail

    We hope that you enjoy using our new compare view as much as we have. If you think it’s cool, hang on a couple more days, there’s more to this story.

    New: Code Climate for JavaScript

    Today we launched support for JavaScript:

    Code Climate analyzing a JavaScript repo

    You can see more screenshots and get all the details on the blog.

    Improved: Security Monitor checks -- October 2013

    A couple of weeks ago, we rolled out improvements to Security Monitor, including some new checks. Here's a summary of the changes:

    Additional Checks

    Security Monitor now checks for:

    • Unilaterally whitelisting an attribute named admin, role, banned, account_id, or any foreign key (via attr_accessible)
    • Including hard coded passwords for certain forms of HTTP Basic Authentication support
    • Additional avenues to shell command injection. Methods in Open3, and POSIX::Spawn for example will now be checked to ensure they are being called in a safe way.
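
    The Open3 check above distinguishes two call shapes. As an added example (not Security Monitor's own code), the functions below run the same harmless command both ways so the difference is visible: a single interpolated string goes through the shell, which interprets any separator in the value, while passing the command and its arguments as separate elements bypasses the shell entirely. The function names and the sample input are assumptions made for this example.

```ruby
require "open3"

# Added example, not Security Monitor's own code: the two call shapes the
# Open3 command-injection check distinguishes. Function names are assumed.

# Flagged shape: the caller's value is interpolated into a single command
# string, so Ruby hands the whole string to /bin/sh, which parses any
# metacharacters in the value as shell syntax.
def run_shell_string(value)
  output, _status = Open3.capture2("echo #{value}")
  output
end

# Preferred shape: command and arguments are separate elements. Ruby execs
# the program directly, no shell is involved, and the value arrives as one
# literal argument no matter what characters it contains.
def run_argv(value)
  output, _status = Open3.capture2("echo", value)
  output
end

# Constructed input containing a shell command separator.
INPUT_WITH_SEPARATOR = "report; echo second"

if __FILE__ == $PROGRAM_NAME
  puts run_shell_string(INPUT_WITH_SEPARATOR).inspect   # "report\nsecond\n"
  puts run_argv(INPUT_WITH_SEPARATOR).inspect           # "report; echo second\n"
end
```

    The argument-array form is what the check looks for; it is also the form to reach for whenever any part of a command comes from outside the program, since it removes the shell from the path rather than relying on escaping.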

    Removed Duplicate Warnings

    • Some Cross-Site Scripting (XSS) vulnerabilities were generating both high and low confidence warnings -- they now only report as high confidence.

    More Supported Syntax

    • We can now parse, for the purposes of security scans, Ruby 2.0-specific syntax (such as keyword arguments).
    • Slim 2.0 syntax is now supported

    Improved: Code detail page

    We've just shipped an update to our venerable code detail page:

    Revised class detail page

    The new design moves the filtering of issues into the left column, and allows easily changing between viewing the issues as a list and viewing annotated source code.

    Even better, this design gives us a solid foundation to continue to improve and add high impact features. Stay tuned for more on that front.

    New: Test Coverage Alongside Your Quality Metrics

    Today we rolled out the ability to track test coverage metrics to your Code Climate repos. We have long relied on test coverage reporting during development, and now we are proud to say that we have integrated the two views of your code in a seamless, natural way.

    Test Coverage View

    Just like with code quality, we surface test coverage information at the repository, class, and source listing level (down to an individual line of code) and provide feedback as metrics change over time in the form of email alerts, activity feeds, chat notifications and RSS.

    Here are a couple of examples of Test Coverage in action ...

    ... in chat notifications:

    Chat Notifications

    ... and in your weekly summary email:

    Weekly Summary

    How it works

    Code Climate does not run your code, but we have provided an easy way to get your coverage metrics to us: our codeclimate-test-reporter Gem. Integrating this Gem into your existing test suite is straightforward and you will see the results right away. This means our test coverage feature works anywhere you run your tests.

    See our blog post for all of the details or head straight to the Test Coverage tab in your repo settings to set it up.

    Another Round of Security Monitor Updates

    A couple of weeks ago, we rolled out a new version of Security Monitor. The latest version has more checks, removes some duplicate warnings, produces fewer false positives, and handles more Ruby code than the previous version. Here's a more detailed breakdown:

    Additional Checks

    • In addition to unsafe YAML de-serialization, you will now also be warned about unsafe calls to CSV.load and Marshal.load.
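
    The rule behind these deserialization checks is the same for all three loaders: data from outside the process should not reach a loader that can instantiate arbitrary classes. As an added example (not Security Monitor's own code), the Ruby below shows the distinction with YAML, where a restricted loader exists: YAML.safe_load builds only scalars, arrays and hashes and raises Psych::DisallowedClass for a document carrying a type tag. The function names, the two documents and the class name in the tag are constructed for this example.

```ruby
require "yaml"

# Added example, not Security Monitor's own code: the distinction behind the
# unsafe-deserialization checks, shown with YAML. Function and constant
# names are assumed; the class name in the tagged document is constructed.

# Constructed input of the kind an application legitimately stores.
PLAIN_SETTINGS = "---\ntheme: dark\nper_page: 25\n"

# Constructed input carrying a type tag. A full YAML.load would try to
# instantiate the named class, which is the behaviour the check warns about.
TAGGED_DOCUMENT = "--- !ruby/object:ExampleClass\nname: anything\n"

# safe_load builds only basic types; any tag requesting a class raises
# Psych::DisallowedClass instead of instantiating it.
def load_settings(yaml_text)
  YAML.safe_load(yaml_text)
end

# Wraps load_settings so callers get nil for rejected input rather than an
# exception; the rejection itself is still the important event to log.
def load_settings_or_nil(yaml_text)
  load_settings(yaml_text)
rescue Psych::DisallowedClass
  nil
end

if __FILE__ == $PROGRAM_NAME
  p load_settings(PLAIN_SETTINGS)          # {"theme"=>"dark", "per_page"=>25}
  p load_settings_or_nil(TAGGED_DOCUMENT)  # nil
end
```

    Marshal.load has no restricted mode, so the only mitigation there is to keep untrusted bytes away from it altogether; the same applies to CSV.load.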

    Removed Duplicate Warnings

    • In certain cases, warnings were being generated for every reference to the same unsafe code, and not just the original vulnerability. These duplicate warnings -- for checks to dangerous sends, unsafe ruby reflection (aka unsafe constantize calls) and symbol Denial of Service attacks -- have been removed.

    Fewer False Positives

    • Security Monitor no longer warns on safe calls to Model#id or Model#to_json, such as when your Rails configuration specifies to escape JSON.

    More Code Coverage

    • Now handles some nested classes (previously ignored them all)
    • Handles stabby lambdas with no arguments such as:

      -> { #rubycode }
    • Handles block argument destructuring, such as:

      your_method_call do | arg_a, ( arg_b, arg_c ) |
         # do something
      end

    Overall, we're seeing stabler and more accurate Security Monitor scans, but please do let us know if you find any issues or have any questions.

    New: Badges for private repos

    By popular request, Code Climate now supplies GPA badges for private repositories. The snippet needed to add a badge to your README (or anywhere else) is available as HTML, Markdown, Textile and RDoc from the new Badges page:

    Private repo badges

    (Technical note: The badge URLs are protected with tokens, so don't share the URL with anyone you aren't comfortable seeing your GPA change over time. However, the tokens in the URLs do not provide any access other than viewing the GPA for each specific repo.)

    New: Security vulnerabilities on dashboard

    We've improved the dashboard experience a bit for people who are using our Security Monitor feature to find and fix vulnerabilities in their Rails apps.

    The number of unresolved security vulnerabilities is now rendered below the repository's code quality information:

    Vulnerabilities on dashboard

    (This count excludes security issues that have been marked as false positives, so we advocate getting it to zero and keeping it there.)

    Metadata About False Positives Now Shown

    As you may already know, Code Climate allows you to mark vulnerabilities as "false positives" in Security Monitor, as shown below.

    Mark as false positive

    Doing so is a great way to clear out any unwanted noise from the Security dashboard. However, because marking false positives is a pretty impactful action and often tricky to spot, it's important, especially on larger teams, to audit this list occasionally.

    To help enable this practice we've added some important metadata to the False Positives view. As shown below, you can now see when the vulnerability was marked and by whom. Instead of wondering why something was done, you can start a conversation about it with the person who did it.

    False Positive metadata

    Hope you find this useful, and thanks to everyone who asked for this.

    2 API Endpoints

    Well, let's be clear about this: Code Climate does not really have an API (yet).

    But, Code Climate does have a couple of API endpoints. They are unsupported and subject to change, but they do exist. The endpoints allow you to:

    1. Get metadata about the last two snapshots of a repo, including its GPA.
    2. Request that Code Climate run an analysis. This is usually not necessary, especially if you've linked your account to GitHub, but, if you're not on GitHub, or not linked, you may find it useful.

    Full "API" documentation can be found here.

    Security Monitor now running on every Git push

    When we first introduced Security Monitor we wanted to make sure it could run for everyone, so we were very conservative and only ran it every 2-3 hours.

    We're pleased to let you know that thanks to recent upgrades Security Monitor now runs each time you push to GitHub (or anytime your repository refreshes), ensuring even-more-continuous inspection for security issues in your code.

    New: Per-repository permissions

    Many top Ruby consultancies are using Code Climate for their client projects, and we've heard they'd love to give access to their client developers and stakeholders directly to login to Code Climate. There's just one problem: Up until today there was no way to add someone to an account without giving them access to all the repositories. People had to resort to hacks like creating multiple Code Climate accounts, but that made administration a pain and billing more complicated.

    Code Climate now supports the ability to configure access to repositories on a per-user basis within a single account. (This feature is available on the Company and Enterprise plans.) You can turn it on from the Users page in the Account Settings area:

    Enabling per-repo permissions

    Once enabled, you can configure access from a user's Permissions page or the Manage Users page for the repository:

    User permissions

    Repo permissions

    Note: Account Admins can access all repositories (in addition to making configuration and billing changes).

    With the per-repo permissions feature, it's even easier to raise the visibility of code quality across all of the collaborators on a project. We hope you'll like it!

    Test Your Campfire/HipChat Integration

    As I mentioned in our last changelog update, Code Climate has had support for Campfire and HipChat notifications for a while now. When enabled, Code Climate notifies your chatroom whenever your classes' ratings change or a new security vulnerability is introduced.

    One common complaint we've heard is that there was no way to verify that these integrations were actually working. You'd enter your credentials, and then wait. And wait ... and if nothing happens? *shrug* Did it work?

    Test Chat Notifications

    Well, that makes no sense. So we added a Send Test button. Click the button and, if you've configured everything correctly, you should receive a message in your chat room immediately. Got it? Good.

    Less Chatty Campfire Notifications

    Code Climate has had Campfire (and HipChat) notifications for a while now -- we can notify your chatrooms whenever your classes' ratings change or a new security vulnerability is introduced.

    Because Campfire does not support HTML, some of the notifications to Campfire rooms were more chatty, as 2 lines were taken up just with links to more details. We got a lot of feedback that this was too noisy.

    In response, we've reduced the Campfire notification to 1 line per event. The line contains the class that changed rating and a link back to Code Climate with more information.

    Campfire Notifications

    Hopefully this reduces the chatter a bit. Being HipChat users, it's something we would not have noticed ourselves without your feedback, so thanks for letting us know. Keep the feedback coming.

    Security Monitor Upgrade

    On Friday, we rolled out an upgrade to the engine that powers Security Monitor. The new engine is more accurate (fewer false positives) and more thorough (detects more potential vulnerabilities). The major changes are outlined below:

    New checks

    • Unsafe symbol creation DoS vulnerability - One Denial of Service (DoS) technique specific to Ruby takes advantage of the way symbols are stored. Specifically, because symbols are not garbage collected, if an attacker can find a way to create an unbounded set of new symbols, they can create unbounded memory growth, which generally leads to... bad things.

      Security Monitor now includes a check to make sure unsafe input (e.g. params) is not dynamically translated into symbols. References like params[:foo].to_sym or :"my_#{params[:foo]}" will generate a warning.

    • Symbol DoS vulnerability in Active Record (CVE-2013-1854) - Similarly, a warning was added for applications using vulnerable versions of ActiveRecord. Queries of the form User.where(:name => params[:name]) were vulnerable to symbol DoS attacks when params[:name] was a hash. More Information.

    • Cross Site Scripting (XSS) vulnerability in #sanitize_css (CVE-2013-1855) - Applications impacted by an ActionPack vulnerability will see a new warning. The method #sanitize_css(user_input) had an XSS vulnerability when called with specially crafted user input. More information.

    • XSS vulnerability in #sanitize (CVE-2013-1857) - Certain versions of Action Pack have a vulnerability in the #sanitize helper method which allows an attacker to inject URLs with JavaScript. Security Monitor will issue warnings for each use of #sanitize if the Rails version is vulnerable. More information.

    • Unsafe reflection - Security Monitor will now warn when #constantize is called on user input, as in, for example, params[:class].constantize. More information, including some example exploits for this vulnerability, is given in this blog post by Gabriel Quadros.


    • Do not warn on mass assignment restricted with #slice/#only - A false positive for mass assignment vulnerabilities was resolved. Using slice or only on parameters is now considered safe, such as in the following code:

      User.new(params.slice(:name, :email))
      User.new(params.only(:name, :email))
    • Detect another way to activate strong_parameters - Security Monitor was issuing warnings about mass assignment even though users had configured their Rails 3 application to use Strong Parameters. This occurred when Strong Parameters was activated with the following code:

      ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)

      (instead of, say, using class_eval). Security Monitor now detects this syntax, which removes false positive warnings about mass assignment on impacted applications.

    • Add support for Slim templates - Support for detecting vulnerabilities in Slim templates (like Haml) was added.

    Overall, security analysis should now be more accurate and thorough. However, if you're seeing some new unexpected results, do not hesitate to let us know.
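    As an added illustration of how the symbol DoS and unsafe reflection checks above can be expressed (this is example code written for this page, not Security Monitor's own implementation), the following Ripper-based scan flags params[...].to_sym, symbols interpolated from params, and params[...].constantize, while leaving an allowlist lookup alone. The controller source it scans is constructed for the example.

```ruby
require "ripper"

# Constructed sample source (hypothetical controller), not code from the page.
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController
    def index
      sort  = params[:sort].to_sym                 # line 3: request input becomes a new symbol
      scope = :"by_#{params[:scope]}"              # line 4: same problem via interpolation
      klass = params[:class].constantize           # line 5: unsafe reflection
      safe  = SORT_KEYS.fetch(params[:sort], :id)  # line 6: allowlist lookup, not flagged
      User.order(safe).public_send(scope)
    end
  end
RUBY

# Methods that turn request-controlled strings into symbols or constants.
UNSAFE_CONVERSIONS = %w[to_sym intern constantize].freeze

# Depth-first walk over a Ripper S-expression, yielding every typed node.
def walk(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| walk(child, &blk) }
end

# True when the subtree references an identifier named `params`.
def mentions_params?(node)
  found = false
  walk(node) { |n| found = true if n[0] == :@ident && n[1] == "params" }
  found
end

# Smallest line number of any token in the subtree.
def first_line(node)
  lines = []
  walk(node) { |n| lines << n[2][0] if n[0].to_s.start_with?("@") && n[2].is_a?(Array) }
  lines.min
end

# Returns [[line, message], ...] for each risky conversion of request params.
def find_unsafe_param_conversions(src)
  tree = Ripper.sexp(src) or raise ArgumentError, "source does not parse"
  findings = []
  walk(tree) do |node|
    case node[0]
    when :call
      # Shape: [:call, receiver, period, [:@ident, method_name, [line, col]]]
      meth = node.last
      next unless meth.is_a?(Array) && meth[0] == :@ident
      next unless UNSAFE_CONVERSIONS.include?(meth[1]) && mentions_params?(node[1])
      findings << [meth[2][0], "params passed to ##{meth[1]}"]
    when :dyna_symbol
      # :"...#{...}" that embeds params builds a symbol from request input
      findings << [first_line(node), "symbol interpolated from params"] if mentions_params?(node)
    end
  end
  findings.sort_by(&:first)
end

if __FILE__ == $PROGRAM_NAME
  find_unsafe_param_conversions(SAMPLE_SOURCE).each { |line, msg| puts "line #{line}: #{msg}" }
end
```

    The allowlist on line 6 of the sample is the shape of fix the warning points you toward: map untrusted input to a fixed set of symbols instead of creating one per request value.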

    New: Security vulnerabilities in your weekly summary

    For those of you on the new Team plan or higher, in addition to the usual code quality information presented, you'll see a breakdown of the remaining security vulnerabilities in your application -- the total count as well as top 3 kinds of vulnerabilities most prevalent in your application.

    Security Vulnerabilities in the weekly summary email

    We've been hearing some great stories about developers using Code Climate to reduce their applications' vulnerabilities. Teams are tackling these issues, and finding satisfaction in getting their app's known vulnerability counts down to zero. We hope that seeing this in your inbox helps you get even more visibility into your progress.

    As always, let us know if you have any questions or issues.

    New Security Vulnerability Alerts

    Because we realize how important it is to keep tabs on the security of your applications, you can now be notified of vulnerabilities in two new ways.

    New Repository Feed Items

    Security items in Feed

    When new vulnerabilities are detected, they will show up in your repository's feed. Along with the type of vulnerability you'll see:

    • The date it was found
    • A link to more information about the vulnerability (line number, description, etc)
    • A link to open a new issue in your project's issue tracker (configured under repository settings)

    To keep your feed clean and noise-free, we also roll up issues of the same kind. For example, if more than one SQL Injection was introduced, you might see "4 new SQL Injection issues found" in your feed, with a link to a page of SQL Injection issues in your application.

    New Chat Notifications

    HipChat Security Notifications

    If you've configured Code Climate to integrate with your company's chat system, such as Campfire or HipChat, you will now start receiving notifications about new security issues. You'll see:

    • The type of issue introduced
    • The number of vulnerabilities of that type introduced
    • The location, if relevant
    • A link back to Code Climate where the issue was reported

    New: GitHub Issues integration

    We've had this feature for a while, but in case you missed it: Code Climate now integrates directly with GitHub Issues. Clicking on a GitHub Issues link in Code Climate pre-populates a GitHub Issues ticket.

    The ticket contains all the information a developer needs to get started on the issue: a description of the problem, its location, and a link back to Code Climate where the issue was reported.

    Github Issue

    If you've configured your repository to use GitHub Issues, you'll find GitHub Issues links in several places on Code Climate.

    In Security (as well as Quality) Alert emails:

    Security Alert

    In your feed, by hovering over relevant feed items:


    And on class overview pages, and security vulnerability pages.

    GitHub Issues integration can be enabled from the repo settings page:

    GitHub Issues integration

    Let us know if you have any questions. Enjoy!

    New: Optional Two-Factor Authentication

    We care deeply about security at Code Climate, so today we're happy to be rolling out optional two-factor authentication to all of our users.

    Two-factor authentication improves the security of your account by making login depend on something you have (your phone) in addition to something you know (your password). We're using Authy to implement this. They take care of sending SMS messages with tokens, and also have nice smartphone apps that can be used instead of SMS.

    To enable two-factor authentication, you just need to provide your cell phone number and country code:

    Enable Two-Factor Authentication

    Once you've enabled it, after logging in with your email address and password as usual, you'll be prompted to enter a current token:

    Two-Factor Login

    To find the setting, visit your Profile page (by clicking your name in the upper-right corner) and then scroll down to the bottom:

    Two-Factor Authentication Settings

    New: Dynamic badges for open source projects

    Many Ruby open source projects use and love Code Climate, and for a long time they've been able to add a Code Climate badge to their READMEs:

    This was great for letting contributors know the Code Climate metrics were available, but didn't convey any project-specific information.

    At the time, we didn't have a single metric that represented the code quality for the entire project. Now that we give each project a GPA based on the quality in all of its classes and modules, we can do better with the badges. Here are the new badges:

    If you have an open source project on Code Climate, please consider upgrading to the new badges. We provide the code in HTML, Markdown, Textile and RDOC to make it as easy as possible to add them to the README (for example, Paperclip's).

    The Badges page is accessed by clicking the badge in the header of any OSS page.

    Fittingly, the new badges are themselves open source contributions. Thanks to Olivier Lacan and Nicholas Acker for producing the images (in both SVG and PNG). Olivier started a design project for more readable, consistent badges for open source projects and I hope other companies will migrate to the new badges as well.

    New: Compare view for classes

    Today I'm thrilled to unveil a big new feature: Compare views. Just like GitHub's Compare views show you diffs, we'll now show you exactly which code smells are new, worse and fixed when you compare two revisions:

    Compare view

    This is huge. Before, we'd tell you a class declined from a B to a D, but we didn't show you exactly which smells caused the change. Now you can see exactly how the quality changed and a diff of the source code without leaving Code Climate.

    We've updated the activity feed, emails, chat notifications and RSS feeds to link to this view. If you want to stop comparing and return to the current state of the class, just click the "x" in the upper right.

    New: Quality improvement emails

    At Code Climate we believe good code should be rewarded. So we now send emails about improvements to code quality:

    Quality improvement email

    These improvement emails are like the Quality Alert emails but are sent when a class improves from a D or an F.

    New: Pivotal Tracker integration

    We're very excited to announce single click integration with Pivotal Tracker. Now when a new code quality issue arises you can immediately open a Story right from your email alert:

    Pivotal Tracker integration in emails

    Tracker stories can be easily opened from the Hotspots list as well as your feed:

    Pivotal Tracker integration in feed

    You can also open stories from any Class detail page.

    Tracker integration can be enabled from the repo settings page:

    Configuring Tracker integration

    All stories opened via Code Climate automatically include a link back to your repo. We think this is an important feature to close the code quality feedback loop, and we hope you like it.

    New: Send multiple invites at once

    We've received some feedback that it was a bit cumbersome to add large teams to a Code Climate account. To make it as easy as possible to get everyone in your organization using Code Climate, we fixed that. You can now invite multiple users at the same time:

    Send multiple invites at once

    Improved and simplified weekly summaries

    This week we completed a set of big improvements and simplifications to the weekly summary emails:

    Code Climate weekly summary email

    The changes include:

    • Focusing on your GPA — After being introduced on the Trends tab, this is now front and center in the emails as well. Quickly see how it's changed since last week and last month.

    • Percentile rankings — See how your GPA stacks up against other projects on Code Climate.

    • Simplified summaries of class rating changes — We now only include classes that have crossed the threshold between a C and a D. This is the key inflection point we recommend people focus on in their development. Don't let new classes fall to D/F territory, and fix Ds and Fs over time. The emails now reinforce this approach.

    We hope you like it!

    Introducing your Quality GPA

    Every repo now has a "Quality GPA" that is calculated by aggregating the ratings for each class and module, weighted by lines of code, into an average from 0 to 4.0. The Trends tab now reflects this:

    Code quality GPA

    Code Climate makes it easy to see the quality of each class and module in your application by grading them on a scale from A to F, and summarizing this information into a single metric for the entire repo was the next step.

    We'll be weaving GPA information throughout the rest of the user experience in the coming weeks.

    Also, we recently turned on the Trends tab for the free/OSS repos.

    New: Link to your GitHub account

    You can now link your GitHub account to your Code Climate user. This makes it even easier to add repos to Code Climate, removing the need to install Deploy Keys by hand. Also, we'll automatically set up the GitHub Post-Receive Hook so your Code Climate metrics stay up-to-date on every push. (If you don't set up the post-receive hook, they update every few hours on cron.)

    Link Code Climate to GitHub

    New: Per-repo notification preferences

    Email notification preferences have been improved significantly. In addition to choosing which types of emails you'd like to receive, you can now opt-out of emails on a per-repo basis:

    Notification preferences

    This should help organizations with multiple teams working on separate codebases.

    New: Exclude files and directories

    You can now provide a list of file and directory patterns to exclude from Code Climate's analysis of your repo:

    Exclude patterns

    We still do our best to filter out irrelevant files by default, but now you can easily exclude anything you want. Patterns are processed as glob patterns, so to exclude your entire features directory you'd use: features/*.

    Note: A repo update will need to occur for your changes to be reflected.

    New: Quality Alerts

    Code Climate will now send you an immediate email alert when it detects that new classes are rated as Ds or Fs:

    Quality Alerts

    This is intended to mirror how I recommend teams use the tool. Don't let any new D's or F's creep in.

    Unveiling the new Code Climate logo

    Just in time for RubyConf, Code Climate has a new logo! Check it out:

    New Code Climate logo

    New: Comments (Hurricane Sandy edition)

    Code Climate now supports comments on classes and modules:

    Comments on Code Climate

    Now when you see a quality issue or improvement, you can easily start a discussion about it with your team. Comments will be emailed to all of your team members.

    Note: Comments are not currently available in our free-for-OSS product.

    New: Trends

    Every private repo now has a Trends tab with charts:

    Code quality trends on Code Climate

    For now we have two charts:

    • Quality Over Time — Tracks the distribution of the A through F ratings of classes and modules week-to-week.
    • Churn vs. Quality — Compares the rating of your classes to how many times they've changed in your Git history. Quality issues cause bigger maintenance problems in classes that change frequently, and this chart will help you pinpoint those cases in your code.

    We're planning on doing a lot more with Trends in the future, but wanted to get this rough cut out for people to start using. Stay tuned.

    New: "Onion skin" highlighting of source code

    Code Climate now highlights smells in red in the source code listings on the class details page. I call this the "onion skin" view:

    If there are no issues with a line of code, it shows as green. Complex methods, duplication and classes that are complex overall are highlighted in red. If the line of code has multiple issues (e.g. duplication within an overall complex class), the red will be darker to signify the number of problems.

    Improved: Users can be members of multiple accounts

    Previously, a single Code Climate user (as identified by a unique email address) could only be under one account. That was simple, but quickly broke down for users who worked with multiple organizations, especially consultancies who use Code Climate for all of their projects.

    As of today, a Code Climate user can be added to multiple accounts. There's not much to show for this feature, but account admins will no longer receive the dreaded "email is already in use by a user" error when adding their teams.

    New: Spinner for repos that are updating

    When an update is processing for one of your repositories, you'll now see a spinner next to the commit SHA in the navigation:

    Once the update completes, a flash message will appear prompting you to refresh the page to view the latest information.

    Updated: Redesigned class details page

    We launched a modest update to the design of the class details page:

    All smells are now organized under one of three tabs. If a tab contains no smells, the green check mark appears. We'll be doing more with this area soon, and expect those green check marks and red Xs to make their way into other parts of the site.

    New: Drag-and-drop sorting of repos

    Repos can now be sorted on the dashboard using drag-and-drop:

    The sort order will persist for all users of the account. (Only admins can sort.)

    New: Account invoices page

    This might not be the most exciting update, but hopefully it's useful from time to time. Code Climate now has an Invoices page in the account settings area that lists all of your payments:

    We've always sent invoices via email, and that will continue, but now you have a place to get them if you didn't save the emails. The Invoices page is accessible to all account admins.

    New: Site redesign and Smells page

    As you probably noticed by now, we've redesigned Code Climate! We hope you like our new looks. We're especially excited because the big design changes you see now help set us up for adding more awesome features in the future.

    Today we've also launched the Smells page. Previously you could access code smell information on each Class page, but there was no way to look at all the code smells across the project. The Smells page provides that view, and we're going to keep improving it over the coming weeks.

    New: Sortable Classes, Churn metrics and click-to-refresh

    We have made big improvements to our quality analysis engine, and are rolling out the first of many new features it enables. First, by popular request, the Classes page now has sortable columns:

    We are now tracking Churn metrics, or the number of times that each source file has changed in Git since it was created. Classes that are both complex and change frequently are particularly bug prone, so we wanted to surface this. This data is displayed on both the Classes list and Class detail pages:

    With the speed improvements in our new analysis engine, we're now able to provide a manual click-to-refresh button. This is currently limited to repos in private accounts (not OSS), but we plan to roll it out for all OSS repos (1,200+!) in the near future:

    Finally, we have upgraded our parser to have better support for Ruby 1.9. We handled most Ruby 1.9 code fine previously, but there were some new and less common syntaxes that would trip us up. Most of those should be handled without issue now. We'll keep an eye on this to make sure the new parser is running smoothly.