ICUICU
critical

@codacy/codacy-mcp

v0.6.19

Codacy MCP server

npm | codacy-ci | First seen: Feb 22, 2026

Total: 43
Critical: 3
High: 30
Medium: 10

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    6:     _cliCommand = '';
    7:     _accountToken = process.env.CODACY_ACCOUNT_TOKEN;
>>> 8:     _cliVersion = process.env.CODACY_CLI_VERSION;
    9:     rootPath;
    10:    provider;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5: export class CodacyCli {
    6:     _cliCommand = '';
>>> 7:     _accountToken = process.env.CODACY_ACCOUNT_TOKEN;
    8:     _cliVersion = process.env.CODACY_CLI_VERSION;
    9:     rootPath;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7: import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
    8: // Check for API key
>>> 9: const CODACY_ACCOUNT_TOKEN = process.env.CODACY_ACCOUNT_TOKEN;
    10: OpenAPI.BASE = 'https://app.codacy.com/api/v3';
    11: OpenAPI.HEADERS = {
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    6: async function execWindowsCmdAsync(command) {
    7:     return new Promise((resolve, reject) => {
>>> 8:         exec(command, {
    9:             encoding: 'buffer',
    10:        }, (error, stdout, stderr) => {
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: �+-:��,ڶ*'E�h�+h�'�N�%

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��r^��"���I�.�+r"צ�v�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��E�W��˞�v�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��Qz�,��+�������-)^�*/z��xv�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��O�YQz���Ѣ�8�|v�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: �+->�eE�z�H�˞�v�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��Qz�,��+�h�� ڗ+"�v�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��E�W���ްv�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��Qz�,��+�������-N�%

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: �+-:��,ڶ*'�v�vW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: j�e�ƭ������龎�'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | SC-005 | Suspicious Commands | Medium Confidence | Line 0

Node.js child process spawning

Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.

    1: export const CODACY_FOLDER_NAME = '.codacy';
>>> 2: import { exec } from 'child_process';
    3: // Set a larger buffer size (10MB)
    4: const MAX_BUFFER_SIZE = 1024 * 1024 * 10;
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    23:         this._cliCommand = command;
    24:     }
>>> 25:     preparePathForExec(path) {
    26:         return path;
    27:     }
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    34:         const cmd = `${command} ${argsString}`.trim().replace(/[;&|`$]/g, '');
    35:         return new Promise((resolve, reject) => {
>>> 36:             exec(cmd, {
    37:                 cwd: this.rootPath,
    38:                 maxBuffer: MAX_BUFFER_SIZE, // To solve: stdout maxBuffer exceeded
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    36:             const codacyCliPath = path.join(CODACY_FOLDER_NAME, 'cli.sh');
    37:             if (!fs.existsSync(codacyCliPath)) {
>>> 38:                 const execPath = this.preparePathForExec(codacyCliPath);
    39:                 await this.execAsync(`curl -Ls -o "${execPath}" https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh`);
    40:                 await this.execAsync(`chmod +x "${execPath}"`);
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    113:         const { file, tool } = options;
    114:         try {
>>> 115:             const { stdout } = await this.execAsync(`${this.getCliCommand()} analyze ${file ? this.preparePathForExec(file) : ''} --format sarif`, tool ? { tool: tool } : {});
    116:             const jsonMatch = /(\{[\s\S]*\}|\[[\s\S]*\])/.exec(stdout);
    117:             return jsonMatch ? JSON.parse(jsonMatch[0]) : null;
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    114:         try {
    115:             const { stdout } = await this.execAsync(`${this.getCliCommand()} analyze ${file ? this.preparePathForExec(file) : ''} --format sarif`, tool ? { tool: tool } : {});
>>> 116:             const jsonMatch = /(\{[\s\S]*\}|\[[\s\S]*\])/.exec(stdout);
    117:             return jsonMatch ? JSON.parse(jsonMatch[0]) : null;
    118:         }
high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    19:         return windowsPath;
    20:     }
>>> 21:     preparePathForExec(path) {
    22:         // Convert the path to WSL format
    23:         return WinWSLCodacyCli.toWSLPath(path);
high | SC-005 | Suspicious Commands | Medium Confidence | Line 0

Node.js child process spawning

Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.

    3: import { WinWSLCodacyCli } from './WinWSLCodacyCli.js';
    4: import { WinCodacyCli } from './WinCodacyCli.js';
>>> 5: import { exec } from 'child_process';
    6: async function execWindowsCmdAsync(command) {
    7:     return new Promise((resolve, reject) => {
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: r����#y�m�`{�i׿���o]}u�^�m5�����t׶���=

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: r���ܡ֜��(u�2

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ��?{^�Ȩ��(u�2

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: r�^���)ݲ���g)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: u����b��-�g)�)쵩e

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: u����b��-�g)�)쵩e

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ������� i�'�*'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: �K�������jg�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (5.3 bits/char), possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.5 bits/char), possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.5 bits/char), possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char), possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    184:     }
    185:     onCancel(() => controller.abort());
>>> 186:     return await fetch(url, request);
    187: };
    188: export const getResponseHeader = (response, responseHeader) => {
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char), possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
medium | OB-001 | Obfuscation | Medium Confidence | Line 0

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    1: # Codacy MCP Server
>>> 2: [![Codacy Badge](https://app.codacy.com/project/badge/Grade/7be4b119dc1e420198f3495017b57c89)](https://app.codacy.com/gh/codacy/codacy-mcp-server/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade)
    3: 
    4: 
medium | OB-001 | Obfuscation | Medium Confidence | Line 0

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    135: You can use the one-click install for Cursor:
    136: 
>>> 137: [![Install MCP Server](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/install-mcp?name=codacy&config=eyJjb21tYW5kIjoibnB4IC15IEBjb2RhY3kvY29kYWN5LW1jcEBsYXRlc3QiLCJlbnYiOnsiQ09EQUNZX0FDQ09VTlRfVE9LRU4iOiI8WW91ciBwZXJzb25hbCB0b2tlbj4ifX0%3D)
    138: 
    139: Otherwise, depending on what you are connecting the MCP Server to, you can use the following methods:
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.8 bits/char), possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (5.5 bits/char), possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Scan History

Date | Risk | Findings
Feb 23, 2026 | critical | 43
Feb 22, 2026 | critical | 43