The security stuff is pretty cool - it's really nice to have code-level audits that are continuous, ongoing, and automated. It won't replace the need for physical code review but it has already caught stuff our code reviews haven't.
I'm a huge fan of automation over manual labor and static code analysis is a great tool to help. For example, in our CI (CircleCI) we tie in different ruby gems (rails_best_practices, rcov, jshint, etc.) to help enforce code quality automagically. Violate one of our team-defined guidelines? The build will fail.
I often find it frustrating that teams introduce reams of documentation for code standards and then painstakingly hand-review code for adherence. Automate that and spend the rest of your time reviewing for things that can't be trivially automated (CodeClimate doesn't care about tabs v. spaces, of course).
PS. The site looks great, I am importing my first repository right now. Great job!
It looks for all the big issues (XSS, CSRF, SQLi). In many cases it means keeping track of where user input enters the system (e.g. params) and how it is eventually used. So if you interpolate a param into a string and then give that string to ActiveRecord, it will produce a warning with high confidence you're vulnerable to SQL injection.
We run it every 2-3 hours on your repo, then look for new things that come up and send out alerts.
More info about Security Monitor is here: https://codeclimate.com/security-monitor
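To make the taint-tracking idea described above concrete, here is an added example (not CodeClimate's or Brakeman's code) that walks Ruby source with the standard-library Ripper parser and flags ActiveRecord query methods whose first argument is a string literal containing interpolation, rating the finding high when the interpolated expression mentions params and medium otherwise. The sample controller source, the QUERY_METHODS list and the confidence labels are constructed for this illustration.

```ruby
require "ripper"
# ActiveRecord entry points whose first argument may be a raw SQL fragment (assumed list).
QUERY_METHODS = %w[where order group having find_by_sql].freeze

# Constructed sample (not from any real project); reported lines are relative to it.
SAMPLE = <<~'RUBY'
  def search
    @users  = User.where("name LIKE '%#{params[:q]}%'")     # params interpolated into SQL
    @safe   = User.where("name LIKE ?", "%#{params[:q]}%")  # bind variable: not flagged
    @sorted = User.order("#{sort_column} DESC")             # not obviously request input
  end
RUBY

# [method_name, args_node] for the call shapes Ripper.sexp produces, else nil.
def call_parts(node)
  case node[0]
  when :method_add_arg                            # recv.meth(args) or meth(args)
    ident = node[1].find { |c| c.is_a?(Array) && c[0] == :@ident }
    [ident && ident[1], node[2]]
  when :command_call then [node[3][1], node[4]]   # recv.meth args (no parens)
  end
end

# First positional argument, unwrapping the :arg_paren / :args_add_block wrappers.
def first_arg(args)
  args = args[1] while args.is_a?(Array) && [:arg_paren, :args_add_block].include?(args[0])
  args.is_a?(Array) ? args.first : nil
end
# Walk the AST; flag a query method whose SQL argument is a string literal with
# "#{...}" inside: :high if the literal mentions `params`, :medium otherwise.
def scan_sql_interpolation(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "syntax error in source"
  findings = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    name, args = call_parts(node)
    sql = QUERY_METHODS.include?(name) ? first_arg(args) : nil
    if sql.is_a?(Array) && sql[0] == :string_literal
      toks = sql.flatten   # node types and tokens in source order: ... :@ident, "params", 2, 33 ...
      tainted = toks.each_cons(2).any? { |a, b| a == :@ident && b == "params" }
      if toks.include?(:string_embexpr)
        findings << { method: name, line: toks.find { |t| t.is_a?(Integer) },
                      confidence: tainted ? :high : :medium }
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  findings
end
```

This stops at the lexical pattern: a production tool also follows params through local variables and method calls before the query, which this scanner does not attempt.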
I would _LOVE_ to be proven wrong on this one.