Why does codacy require commit authors to be codacy users?

Our company has recently adopted codacy and we’re trying to roll it out to our development teams. We’re experiencing issues analyzing github pull requests with an error saying the user is not part of the codacy organization.

Why is this necessary to analyze a pull request? Codacy has clearly successfull pulled the source code and git commit information but its refusing to analyze because a single commit isn’t a codacy user? This causes issues for us because we have service accounts make commits at times and we also have some users that haven’t onboarded themselves to codacy yet.

Hi Jeff, thanks for reaching out here. :wave:

In a nutshell, limiting our analysis to registered users is what allows us to maintain a user-based pricing model with unlimited LoCs, PRs, languages, etc. That does require, however, adding all active contributors to Codacy.

Luckily, there is an easy way for your admins to add all missing contributors (including service accounts) to Codacy, in order to unblock their respective commit/PR scans immediately. Here’s how: https://docs.codacy.com/organizations/managing-people/#adding-people

I’m really sorry about the inconvenience on your side, but I hope this helps sort out the issue. Let me know if that works or if there’s anything else I can help with. :slight_smile:


Do you have any specific advice on how to make this work with GitHub’s dependabot? Dependabot is a GitHub application like Codacy, so I don’t believe we can add it as a user. Yet we still want the Codacy check to be a required check in GitHub.

I’m aware of the “[skip ci]” magic commit message bypass, which sounds great at first. However, GitHub recently added support for the exact same thing meaning that commits with that tag not only bypass Codacy but every other GitHub workflow that we DO want to execute against dependabot PRs.

To summarize:

  • We’d like to make the Codacy check mandatory.
  • GitHub Dependabot PRs wont’ be scanned by Codacy because Dependabot isn’t a real user.
  • Codacy’s method of bypassing scanning also bypasses GitHub Actions, which isn’t acceptable either.

commits-noreply@bitbucket.org is a contributor that I’m supposed to somehow register and pay for?

The Dependabot email can be added to your organization on Codacy so that the commits made by that email address are analysed, even though the Dependabot isn’t a real user.

You can add the Dependabot by going to the organization’s Settings → People → Add people. Here you can select the email address and add it to your organization. Once that step is done, Dependabot’s PRs will be analysed.

Let me know if you have any other questions or concerns!

1 Like

Thanks, Madalena. We’ve exchanged a few messages through a support chat around this same topic, so I’m going to summarize here for the benefit of the rest of the community.

After talking with GitHub support about the email address associated with the dependabot “user”, they informed me that it’s possible it can change in the future (and has done so in the past), but it’s generally not very common. Also, they consider it an internal engineering detail so they have no intention of announcing when that email address changes. They did say that it’s likely to change in the near’ish future as the current address is not considered valid by many systems since it contains square brackets.

Having said all of that, it does work as a short-term workaround. Adding a Codacy user for the dependabot email address does result in PRs being scanned by Codacy. A better long-term solution is needed to avoid forcing users to keep this up-to-date when the email address changes unexpectedly. Looking forward to hearing back from the Codacy team as plans for this long-term solution come into focus.


Can I check that I’m reading this right: adding dependabot user as a “$18/month seat” to my billing is the solution?

Hi @choonkeat and welcome to the Codacy community :wave:

Yes, that is correct. I have reached out to you directly to provide a bit more insight and context on this.