Analyze Python code

To analyze your Python codebase, depending on your Qodana license, you can employ the following linters:

Linter name	Suitable Qodana licenses
Qodana for Python	Ultimate and Ultimate Plus
Qodana Community for Python	Community

Here is the list of technologies and features supported by both linters.

Supported technologies and features	Qodana for Python	Qodana Community for Python
Python, CSS, HTML, JSON and JSON5, RELAX NG, XML, YAML, shell scripts, MongoDB, MySQL, Oracle, PostgreSQL, SQL, SQL Server, Django, Google App Engine, Jupyter, Pyramid	✔	✔
Baseline	✔	✔
Quality gate	✔	✔
License audit	✔	𐄂
Quick-Fix	✔	𐄂
Vulnerability checker	✔	𐄂

Install project dependencies

You can install project dependencies using the bootstrap key, for example:

bootstrap: |
  pip install -r requirements.txt

Analyze your code

Here are several configuration snippets showing how you can analyze Python code.

On the Settings tab of the GitHub UI, create the QODANA_TOKEN encrypted secret and save the project token as its value. If you are using a Qodana Cloud instance other than https://qodana.cloud/, override it by declaring the QODANA_ENDPOINT environment variable.
On the Actions tab of the GitHub UI, set up a new workflow and create the .github/workflows/code_quality.yml file.
To analyze the main and master branches, as well as release branches and the pull requests coming to your repository, save this workflow configuration to the .github/workflows/code_quality.yml file:
name: Qodana on: workflow_dispatch: pull_request: push: branches: # Specify your branches here - main # The 'main' branch - master # The 'master' branch - 'releases/*' # The release branches jobs: qodana: runs-on: ubuntu-latest permissions: contents: write pull-requests: write checks: write steps: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis - name: 'Qodana Scan' uses: JetBrains/qodana-action@v2025.2 env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}

Here is the Jenkins Pipeline configuration.

pipeline {
    environment {
        QODANA_TOKEN=credentials('qodana-token')
    }
    agent {
        docker {
            args '''
              -v "${WORKSPACE}":/data/project
              --entrypoint=""
              '''
            image 'jetbrains/qodana-<python|community>:2025.2'
        }
    }
    stages {
        stage('Qodana') {
            steps {
                sh '''qodana'''
            }
        }
    }
}

In this configuration, the environment block defines the QODANA_TOKEN variable to invoke the project token generated in Qodana Cloud and contained in the qodana-token global credentials. The project token is required by paid Qodana linters, and is optional for using the Community linters.

Qodana provides two options for local analysis of your code. Qodana CLI is the easiest option to start. Alternatively, you can use the Docker command from the Docker image tab.

Assuming that you have already installed Qodana CLI on your machine, you can run this command in the project root directory:

            qodana scan \
               -e QODANA_TOKEN="<cloud-project-token>" \
               -l jetbrains/qodana-<python|community>:2025.2
        

Here, the QODANA_TOKEN variable refers to the project token.

To start, pull the image from Docker Hub (only necessary to get the latest version):

docker pull jetbrains/qodana-<python|community>:2025.2

Start local analysis with source-directory pointing to the root of your project and QODANA_TOKEN referring to the project token:

            docker run \
               -v <source-directory>/:/data/project/ \
               -e QODANA_TOKEN="<cloud-project-token>" \
               jetbrains/qodana-<python|community>:2025.2
        

08 October 2025