AWS DevOps & Developer Productivity Blog

Code security scanning with Amazon Q Developer

A primary objective of software developers is to develop products that uphold the highest standards of data privacy and security, fostering trust and confidence among their users and customers. Developers seek to secure their software by identifying and mitigating security vulnerabilities in their codebase, thereby enhancing its resilience against cyber threats. Amazon Q Developer, a generative AI–powered assistant, helps shift left and prioritize security earlier in the software development life cycle (SDLC) by providing guidance to developers as they write code within their integrated development environment (IDE).

As a developer, you can use Amazon Q Developer code security scanning to proactively identify and remove security vulnerabilities in your codebase, both in existing code and in new code as you write it in the IDE. Amazon Q Developer is powered by thousands of security detectors across several programming languages, helping you create software that meets your security requirements and gives your customers an experience they can trust. Addressing the findings generated by Amazon Q Developer reduces the number of security vulnerabilities in the software and reduces cost by eliminating vulnerabilities early in the development cycle, before they propagate to later stages such as testing or production.

This blog post explores the code security scanning feature of Amazon Q Developer and the security detectors that Amazon Q uses to scan your code. First, we demonstrate the auto-scan feature of Amazon Q Developer that assesses the code as you write it. Then, we walk through how to initiate a security scan of an active project and its dependencies in the IDE, review the findings about detected security vulnerabilities, and use the automated remediations provided by Amazon Q Developer to fix the detected vulnerabilities. Finally, this post provides an analysis of the performance of security scans by Amazon Q and a comparison with the performance of similar tools on respected public benchmarks.

Code Security Scanning

Amazon Q Developer helps you follow secure coding practices by providing two ways of scanning your code: Scan your project and Scan as you code. Amazon Q Developer can run on-demand scans of your entire project, and it can also scan your code in real time as you write it in the IDE.

The Amazon Q Developer code security scanning feature currently incorporates thousands of security detectors across more than a dozen programming languages, each targeting a specific class of weakness, which together provide a wide array of vulnerability detection capabilities. Each scan generates a detection message that includes a description of the issue and a recommended fix. Some detections also come with a suggested code fix that Amazon Q Developer offers within the IDE; if you choose to accept it, Amazon Q Developer updates your code.

Running Security Scans

The prerequisite for running a security scan is to install the Amazon Q Developer plugin in a supported IDE of your choice. In this walkthrough, we are using the JetBrains IntelliJ IDE. Once you are authenticated to the Amazon Q Developer service, you’ll see the section for Security Scans, including a selection for Run Project Scan, in the Amazon Q Developer menu. If you have subscribed to Amazon Q Developer Pro, auto-scans are enabled by default and you’ll see the additional selection to Pause Auto-Scans in the Amazon Q Developer menu.

When the auto-scan feature is enabled, security scans run periodically in the background and highlight the vulnerabilities detected in the file you are actively editing. Let’s explore this functionality with an example in which a hard-coded password is used in the credentials that establish a connection to a database. This is a critical security vulnerability because as soon as the code is checked into the repository, anyone with read access to it (including an attacker who later compromises a developer account or a CI runner) can recover the password and gain unauthorized access to the database. Note that removing the literal from the source is not enough on its own: the password remains in version-control history, so it must also be rotated.

As the developer writes the code, after several seconds Amazon Q highlights the method call. If you hover the cursor over the highlighted code, an informational window shows the detection message generated by the security scan. It includes a link to the specific Common Weakness Enumeration (CWE) entry associated with the vulnerability and the detector library used. It may also include a code fix, if one is available.

Scan as you code

In the IntelliJ IDE, the user selects Amazon Q from the navigation bar at the bottom of the IDE. This brings up the Amazon Q Developer menu. Under the Security Scans section there is a selection for Pause Auto-Scans, which indicates that the auto-scan feature is enabled. A Java file is open and the user is working in the method that creates a Connection object using the DriverManager.getConnection method. The user adds the literal password: “password” to the connection string. After a few seconds, Amazon Q highlights the code for the Connection object. The user hovers the cursor over the highlighted code, which brings into focus an informational window containing the message generated by the security scan.

While the auto-scan feature is exclusive to Amazon Q Developer Pro Tier, the feature to run scans manually is available in both the Pro Tier and the Free Tier. You can evaluate the entire codebase by selecting the Run Project Scan option in the Amazon Q Developer menu. This runs all the detectors on your project.

Scan your project

In the IntelliJ IDE, the user selects Amazon Q from the navigation bar at the bottom of the IDE. This brings up the Amazon Q Developer menu. Under the Security Scans section there is a selection for Run Project Scan. The user clicks this option, and Amazon Q performs a security scan of the entire codebase.

Once Amazon Q has completed the scan of the active project and its dependencies, a list of all the vulnerabilities found appears in a new tab named Amazon Q Security Issues. Selecting an item from the list opens the file where the vulnerability was found and places the cursor at the location of the issue. In this case, the hard-coded password in the file is highlighted. When you hover your cursor over the highlighted issue, a window appears with information on the detected vulnerability, including the CWE (here CWE-798, Use of Hard-coded Credentials), and options for resolving the problem.

Locate the code where security vulnerability is detected

In the IntelliJ IDE, Amazon Q has completed the scan and a list of all the vulnerabilities appears in a new tab named Amazon Q Security Issues. The user selects a vulnerability from the list. This opens the file where the vulnerability was found and places the cursor at the location of the hard-coded password. The user hovers the cursor over the highlighted issue, which brings up a window with information on the detected vulnerability, including the CWE, and options for resolving the problem.
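The hard-coded credential flagged in the walkthrough above, and the kind of change that resolves a CWE-798 finding, as an added example. This is illustrative code written for this post, not the project's source and not the fix that Amazon Q generates. The JDBC URL and hostname, the environment-variable names DB_URL, DB_USER and DB_PASSWORD, and the helpers requireEnv and rejectEmbeddedPassword are assumptions made for the example; the hardened form expects the deployment platform or a secrets manager to populate those variables at runtime.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class DbConnectionExample {

    // Vulnerable form (CWE-798): the password is a string literal in source, so
    // anyone who can read the repository, or its history, can recover it.
    // This is the pattern the scan in the walkthrough flags. The hostname and
    // credentials are placeholders constructed for this example.
    static Connection connectWithHardcodedPassword() throws SQLException {
        String url = "jdbc:postgresql://db.example.internal:5432/app";
        return DriverManager.getConnection(url, "app_user", "password");
    }

    // Hardened form: credentials are supplied at runtime from the environment
    // (populated by the deployment platform or a secrets manager), never in code.
    // DB_URL, DB_USER and DB_PASSWORD are variable names assumed for this example.
    static Connection connectWithRuntimeCredentials() throws SQLException {
        String url = requireEnv("DB_URL");
        rejectEmbeddedPassword(url);
        Properties props = new Properties();
        props.setProperty("user", requireEnv("DB_USER"));
        props.setProperty("password", requireEnv("DB_PASSWORD"));
        return DriverManager.getConnection(url, props);
    }

    // Fail fast with a message that names the variable but never echoes its value.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("required environment variable " + name + " is not set");
        }
        return value;
    }

    // A JDBC URL can carry the password as a query parameter, which reintroduces
    // the same weakness through a different channel; refuse such URLs outright.
    static void rejectEmbeddedPassword(String url) {
        if (url.toLowerCase().contains("password=")) {
            throw new IllegalArgumentException("database URL must not embed a password");
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = connectWithRuntimeCredentials()) {
            System.out.println("connected, autocommit=" + conn.getAutoCommit());
        }
    }
}
```

Running the hardened path requires the JDBC driver for your database on the classpath and the three variables set in the environment; with any of them unset it throws an IllegalStateException before making a connection attempt, which is the intended failure mode. Keeping the vulnerable method alongside is useful for confirming that a project scan flags it and that the hardened method is not flagged.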