Amazon CodeGuru Reviewer

Amazon CodeGuru Reviewer finds issues in your Java and Python code and provides recommendations to improve your code. For example, CodeGuru Reviewer detects security vulnerabilities, secrets, resource leaks, concurrency issues, incorrect input validation, and deviation from best practices for using AWS APIs and SDKs. To begin reviewing code, you can associate your existing code repositories on GitHub, GitHub Enterprise, Bitbucket, or AWS CodeCommit with CodeGuru.

Security detection

CodeGuru Reviewer helps you improve code security and provides recommendations based on common vulnerabilities (OWASP Top 10) and AWS internal security best practices. It uses automated reasoning to analyze data flow from source to sink and across multiple functions to detect hard-to-find security vulnerabilities. CodeGuru Reviewer Security Detector supports Java 8 through Java 11 and Python 3 and above. You can use it to detect code security issues such as the following:

  1. OWASP Top 10: checks for top web application security risks such as broken access control, injection, and data integrity failures
  2. AWS API security best practices: check API security for Amazon Elastic Compute Cloud and AWS Key Management Service
  3. AWS security best practices (AWS crypto is implemented to Amazon's standards): apply Amazon's internal security expertise to your code
  4.  Java crypto library best practices: check if Javax.Crypto.Cipher is initialized and called correctly
  5. Python crypto library best practices: check if correct versions of Python hashing and cryptography algorithms are used
  6. Secure web applications: check app-related security issues, such as LDAP injections
  7. Sensitive information leaks: check for any leakage of personal or sensitive information (example: logging AWS account credentials in plain text)
  8. Input validation: checks for malformed or malicious data from untrusted sources

You can go to the Amazon CodeGuru console and invoke a security analysis on your entire repository or integrate with CI/CD through GitHub Actions.

Image under Security detection

Secrets detection

CodeGuru Reviewer Secrets Detector uses machine learning-based analysis to help you detect secrets that are hardcoded in your repository or configuration files, including passwords, API keys, SSH keys, access tokens, database connection strings and JSON Web Tokens. Part of CodeGuru Reviewer, Secrets Detector is an automated mechanism that checks code for these secrets and provides point-and-click steps to secure them using AWS Secrets Manager. It can also identify specific keys generated by the most common API providers, including AWS, Atlassian, GitHub, Salesforce, HubSpot, and Stripe. For a list of secrets, visit documentation.

Secrets detection

Code quality

CodeGuru Reviewer identifies code quality issues and equips your development team to maintain a high bar of coding standards in the software development process:

  • AWS best practices: correct use of AWS APIs (example: polling, pagination) 
  • Java and Python best practices: correct use of popular Java and Python language and library features
  • Concurrency: detects missing synchronization resulting in incorrect functionality or excessive synchronization leading to performance issues 
  • Inconsistency: analyzes coding patterns within a repository and helps detect when there is an anomaly that deviates from standard pattern 
  • Code maintainability: identifies code complexities or any characteristic in the source code that makes the code harder to maintain
  • Resource leaks: correct handling of resources (example: releasing database connections)
  • Common coding best practices: checks for parameters and looks for lines of code that could create bugs (example: forgetting to check whether an object is null before using it, reassigning a synchronized object, or forgetting to initialize a variable along an exception path)
  • Code cloning: identifies duplicated code that could be consolidated for better code maintainability
Code quality

Automated recommendations

There are two different kinds of code reviews that CodeGuru Reviewer can do to provide recommendations – Incremental and full repository code reviews 

Incremental code reviews 
Incremental code reviews are created automatically when you create a pull request from an associated repository. These code reviews scan the changed code in a pull request. CodeGuru Reviewer also provides a pull request dashboard that lists information for all code reviews (example: status of the code review, number of lines of code analyzed, and the number of recommendations). The standard monthly pricing for CodeGuru Reviewer includes all incremental code review analysis for onboarded repositories.

Automated recommendations

Full repository analysis code reviews
With CodeGuru Reviewer, you can get ML-powered code review recommendations for all lines of code in the associated repositories) under a specified code branch. You can run full repository scans to get code review recommendations during code migration, code due diligence, and periodic code maintainability initiatives. In the CodeGuru console, you can navigate to the "Repository Analysis" tab in the "Code Reviews" page to initiate a new analysis on a full repository. Two full repository scans come included with the new repository size-based pricing model. For more details, visit the CodeGuru Pricing Page.

Full repository analysis code reviews
Code reviews

You can view all code reviews in the “Code reviews” console page (Reviewer section). The page lists all code review information, such as the status of the code review, the repository, the number of recommendations, and more. You can click on a successfully completed code review to view recommendation details, search for recommendations, and see the number of lines analyzed. You can also give feedback on CodeGuru recommendations by clicking on the thumbs up or thumbs down below a recommendation.

CI/CD integration with GitHub Actions

CI/CD experience for CodeGuru Reviewer allow you to invoke code quality and security analysis as a step within your CI workflow using GitHub Actions. You can configure it to run and provide recommendations on a pull, push, or scheduled run of your pipeline. After you invoke a CodeGuru Reviewer scan via CI/CD, you can view your code quality and security recommendations within the CodeGuru Reviewer Console or within the GitHub’s user interface. With CI/CD integration, you can continuously monitor the quality and security of your code to help ensure that you do not miss a recommendation. In CodeGuru Reviewer, you can use GitHub Action located on the GitHub Marketplace to run security reviews and receive recommendations directly within the GitHub user interface. Once you’re onboarded, recommendations will show directly within the GitHub Security tab.

Security Detection

Recommendations are also provided within the pull request and within the AWS Console. If you click into a recommendation within GitHub, you get more in-depth information on the finding, such as the issue it creates within your application, the path to resolution, any CWEs (Common Weakness Enumerations) linked to it, and its severity.

Pull requests

Amazon CodeGuru Profiler

Amazon CodeGuru Profiler is always searching for application performance optimizations, identifying your most “expensive” lines of code and recommending ways to fix them to reduce CPU utilization, cut compute costs, and improve application performance. For example, CodeGuru Profiler can identify when your application is consuming excessive CPU capacity on a logging routine instead of executing on core business logic.

Always-on profiling of applications in production

CodeGuru Profiler is designed to continuously run on production with minimal overhead which means you can leave it on all the time with minimal impact on application performance. It enables you to profile and troubleshoot your application using real customer traffic patterns and easily discover performance issues. With the profiler data and ML-powered recommendations, you can identify and fix performance issues for your applications in production. CodeGuru Profiler also provides a heap summary, so you can identify what objects are using up memory at any given time.

Understand the runtime behavior of applications

CodeGuru Profiler continuously analyzes application CPU utilization, heap usage, and latency characteristics to show you where you are spending the most cycles or time in your application. The CPU and latency analysis is presented in an interactive flame graph that helps you easily understand which code paths consume the most resources, verify that your application is performing as expected, and uncover areas that can be optimized further.

Image Processing Anomaly
 Click to enlarge

Flame graphs visualize the performance of your application by aggregating stack trace samples over a period of time to produce an accurate picture of the application's behavior during that time. You can use a flame graph to understand which paths consume the most resources, verify that your application is performing as expected, and uncover areas that can be optimized further. For example, method UploadGreyImage is spending $134,868 per year and this is consuming 10.22% wall clock time, so if you didn’t expect it to spend so much time you should investigate. 

Heap summary

The heap usage analysis is presented on a heap summary visualization which shows you what objects are allocated on your heap – whether your own domain classes or those owned by libraries or the JDK.

Discover anomalies and common issues in your application performance
 Click to enlarge

Heap summary visualizes all the objects allocated on the heap for a given period of time along with their size, count and time series. For example you can see on the time series graph that at 4:20pm there are two objects that start significantly growing (java.util.LinkedHashMap$Entry and java.land.UUID) which indicates a potential memory leak. If this upward trend continues it could lead to an out of memory situation if left unchecked.

Intelligent recommendations

CodeGuru Profiler automatically identifies performance issues in your application and provides ML-powered recommendations on how to remediate them. These recommendations help you identify and optimize the most expensive or resource intensive methods within your code without requiring you  to be a performance engineering expert. These optimizations help you reduce the cost of your infrastructure, reduce latency, and improve your overall end user experience.

Intelligent recommendations
 Click to enlarge

When it sees opportunities to optimize your application performance, Amazon CodeGuru Profiler explains why it is recommending a change, what’s causing the issue, how to resolve it, and where in the code this issue is impacting your application. This recommendation shows you that this expensive line of code costs you $182.16K per year and has a 2.97% impact on your CPU utilization. If you follow the suggested resolution steps you will be able to save up to $182.16K.

Anomaly detection

Amazon CodeGuru Profiler continuously analyzes your application profiles in real-time and detects anomalies in the behavior of your application and its methods. Each anomaly is tracked in the Recommendation report of the CodeGuru Profiler console and you can see time series of how the method’s latency behaves over time with anomalies clearly highlighted. If configured, an Amazon SNS notification will also be sent when a new anomaly is detected.

Anomaly detection
 Click to enlarge
Amazon CodeGuru pricing
Learn more about Amazon CodeGuru pricing

Visit the Amazon CodeGuru pricing page.

Learn more 
Sign up for a free account
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console
Start building in the console

Get started building with Amazon CodeGuru in the AWS Management Console.

Sign in