As we leave 2020 behind, we had the chance to virtually attend re:Invent and hear a great deal about new service features and announcements. In this blog post, we take a look at and try the newly announced Amazon CodeGuru Reviewer Security Detector. If you haven't heard about this tool or are new to these security detection capabilities, keep reading as we summarize how Amazon CodeGuru improves code quality and performance in the software development process. Then follow along as we onboard an open source repository with the Amazon CodeGuru Reviewer Security Detector and look at the results.
To put it simply, Amazon CodeGuru is a developer tool that helps developers maintain high quality standards in their source code and improve their application performance through machine learning and intelligent recommendations. The service has two main elements, called Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler. Before we jump to review the new Security Detector feature, let’s look at how Amazon CodeGuru overall improves the code quality and application performance.
Amazon CodeGuru Reviewer automatically reviews your code and identifies defects and issues within your source code. With Amazon CodeGuru Reviewer, you can easily scan thousands of lines of source code and get intelligent recommendations on how to take proper action, resolve these issues and follow best practices. These recommendations draw on years of code review experience at AWS.
You can automate these source code reviews for every pull request to make sure every incremental change in your code meets your quality standards. You can also perform full repository code analyses to ensure high quality over time and get recommendations for improvement where needed. You can integrate Amazon CodeGuru Reviewer with your existing code review workflows on your preferred source control system (GitHub, GitHub Enterprise, Bitbucket and AWS CodeCommit are supported).
Alongside the source code review, you can also use Amazon CodeGuru to improve your application performance and increase your operational efficiency with Amazon CodeGuru Profiler. It basically analyzes runtime behaviour of your application and provides visualized recommendations for increased performance.
You can start using Amazon CodeGuru at no cost with the 90-day free tier. Subsequent usage is priced on a pay-as-you-use basis for full repository and pull request analyses. Check the official service page for detailed pricing information.
What is new in Amazon CodeGuru is the Security Detector feature, which helps developers review their code and identify security vulnerabilities with ease. This way, you can detect and remediate potential security issues in extensive and often complicated code through intelligent recommendations, before they become actual incidents. Security Detector helps you improve your security posture and reduces the time and effort spent dealing with such security issues in the source code.
Security Detector uses machine learning to analyse your code and simplify security management within your development process. Through comprehensive analysis, you can identify security vulnerabilities that would otherwise be hard to find or often overlooked, and get recommendations on how to remediate them. The security categories covered by Amazon CodeGuru Reviewer Security Detector are:
Security Detector analyses your code and helps you ensure that best practices in AWS API usage for Amazon EC2, AWS KMS, common Java crypto libraries and TLS/SSL libraries are followed across your source code. For example, the service helps you discover any hard-coded credentials in your code.
You can also secure your source code against web application security vulnerabilities and protect your application against scripting and injection attacks, including SQL injection, LDAP injection and many more caused by unvalidated, malicious user input. Security Detector is capable of detecting the security risks described in the OWASP Top 10 Web Application Security Risks.
Last but not least, Amazon CodeGuru Reviewer helps you find out whether any sensitive information is leaked and take proper action to stay compliant with regulatory requirements.
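To make the first two categories concrete, here is an added example (not code from the original post or from spring-petclinic) showing two patterns Security Detector flags, each beside its remediated form: a hard-coded AWS credential versus the default credential provider chain, and a concatenated SQL query versus a parameterized one. The class name, table and columns are hypothetical, and the key values are constructed placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

// Hypothetical repository class (not from spring-petclinic) used to illustrate
// two findings Security Detector reports, each next to the remediated version.
public class OwnerLookup {

    // BEFORE: credentials embedded in source; reported as a hard-coded credential.
    // The key values below are constructed placeholders, not real keys.
    static AWSCredentialsProvider insecureCredentials() {
        return new AWSStaticCredentialsProvider(
            new BasicAWSCredentials("AKIA_PLACEHOLDER_KEY_ID", "PLACEHOLDER_SECRET_KEY"));
    }

    // AFTER: resolve credentials at runtime from the environment, the shared config
    // file or the instance/container role, so no secret lives in the repository.
    static AWSCredentialsProvider secureCredentials() {
        return DefaultAWSCredentialsProviderChain.getInstance();
    }

    // BEFORE: unvalidated user input concatenated into the query text (SQL injection).
    static ResultSet findByLastNameInsecure(Connection conn, String lastName)
            throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery(
            "SELECT id, first_name FROM owners WHERE last_name = '" + lastName + "'");
    }

    // AFTER: parameterized query; the driver binds lastName as data, never as SQL text.
    static ResultSet findByLastNameSecure(Connection conn, String lastName)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, first_name FROM owners WHERE last_name = ?");
        ps.setString(1, lastName);
        return ps.executeQuery();
    }
}
```

The class compiles against the AWS SDK for Java v1 and any JDBC driver; the hardened methods are drop-in replacements for the flagged ones.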
Now it is time to take a look at how the new feature works.
Our example is the spring-petclinic sample application, which uses the popular Java framework Spring Boot. You can check out spring-petclinic by spring-examples here. Let's clone the git repository and go to CodeGuru in the AWS console.
In the AWS CodeGuru console, click Code Reviews in the left menu and open the Repository analysis tab. After that, click Create repository analysis and select Code and security recommendations (Java).
For a security scan, your source code and build artifacts need to be in an S3 bucket. So, go ahead to the S3 console and create a new bucket to upload your local code to. Your source code needs to be zipped, so create a zip package from the local repository and upload it to that bucket. For the artifacts, we used CodeBuild to build and put the artifacts in the same S3 bucket. You can also build on your local machine, then zip and upload them to the bucket. After uploading, head back to the CodeGuru wizard, pick Browse S3 bucket for existing artifacts, pick your zip files in the selector and click Create Repository Analysis.
Your code review starts in pending status while CodeGuru Reviewer reviews the source code. After a bit of waiting, the result arrives and you can see the issues listed in the Recommendations section. Since Spring is an active open source project with a lot of contributors, we only received one recommendation.
It states that an auto-generated Id field should not be an integer field; it should be a long field. Even though there are no severe issues, recommendations like this help you gain a new perspective on how to make your application better.
An experienced software engineer, Durul is indeed a technology lover and always excited to see and learn what technology offers. With his experience in startups from Entertainment to SaaS, he is keen on sharing his experience with the technology community.