Amazon CodeGuru Profiler FAQs

Q: What is Amazon CodeGuru?

Amazon CodeGuru is a developer tool that provides intelligent recommendations to improve code quality and identifying an application’s most expensive lines of code.

Q: What can I do with Amazon CodeGuru?

Amazon CodeGuru has two components- Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler. Amazon CodeGuru Reviewer uses machine learning and automated reasoning to identify critical issues and hard-to-find bugs during application development to improve code quality. Amazon CodeGuru Profiler optimizes performance for applications running in production and identifies the most expensive lines of code, reducing operational costs significantly.

Q: How do I get started with Amazon CodeGuru?

Amazon CodeGuru is now generally available. You can start right now in the Amazon CodeGuru console.

To get started with Amazon CodeGuru Reviewer, log in to the Amazon CodeGuru Reviewer console where you can associate an existing code repository on GitHub, GitHub Enterprise, Bitbucket or AWS CodeCommit. After a one-time setup, Amazon CodeGuru Reviewer begins analyzing code and providing code improvement recommendations directly within the pull request or code repository.

You can also start profiling your applications in minutes. To get started with Amazon CodeGuru Profiler, log in to the Amazon CodeGuru Profiler console where you can configure a profiling group for your application. Start your application with the profiling agent on the command line or follow the steps to use one of the described custom methods. You can let Amazon CodeGuru Profiler run continuously so it can proactively catch performance issues in your live applications.

Q: In which AWS Regions is Amazon CodeGuru available?

To see supported AWS Regions, please visit the AWS Region Table for all AWS global infrastructure. For more information, see Regions and Endpoints in the AWS General Reference.

Q: What is Amazon CodeGuru Reviewer?

Amazon CodeGuru Reviewer is an automated code review service that identifies critical defects and deviation from coding best practices for Java and Python code. It scans the lines of code within a pull request and provides intelligent recommendations based on standards learned from major open source projects as well as Amazon codebase. Amazon CodeGuru Reviewer seamlessly integrates with existing code review workflows on widely-used source control systems including GitHub, GitHub Enterprise, Bitbucket, and AWS CodeCommit, and provides actionable recommendations for improving code quality.

Q: What programming languages and source code repositories are supported?

Amazon CodeGuru Reviewer currently supports Java and Python code stored in GitHub, GitHub Enterprise, Bitbucket and AWS CodeCommit repositories.

Q: What type of issues are detected by Amazon CodeGuru Reviewer?

Amazon CodeGuru Reviewer checks for concurrency issues, potential race conditions, un-sanitized or malicious inputs, inappropriate handling of sensitive data such as credentials, resource leaks, and also detects race conditions and deadlocks in concurrent code. It also suggests AWS, Java and Python best practices and detects cloned code that could be consolidated for better code maintainability.

Q: How do I get started with Amazon CodeGuru Reviewer?

Visit the Amazon CodeGuru console to integrate Amazon CodeGuru Reviewer recommendations directly within your code pull requests. You can get started by visiting the CodeGuru console and following the steps to associate your AWS CodeCommit, GitHub, GitHub enterprise and BitBucket repositories to start receiving Amazon CodeGuru Reviewer’s recommendations. Once enabled, Amazon CodeGuru Reviewer will automatically provide intelligent recommendations as comments on your pull requests generated for the connected repositories.

Q: Does Amazon CodeGuru Reviewer access my code?

Amazon CodeGuru Reviewer needs read-only access to your code for the purpose of generating recommendations. Your trust, privacy, and the security of your content are our highest priority and we implement appropriate controls, including encryption in transit, to prevent unauthorized access to, or disclosure of, your content and ensure that our use complies with our commitments to you. Please see the Data Privacy FAQ for more information.

Q: Does Amazon CodeGuru Reviewer persist a copy of my code?

No, Amazon CodeGuru Reviewer does not store your source code.

Q: How is Amazon CodeGuru Reviewer trained to provide intelligent recommendations?

Amazon CodeGuru Reviewer is trained using rule mining and supervised machine learning models that use a combination of logistic regression and neural networks.

For example, during training for deviation from AWS best practices, Amazon CodeGuru Reviewer mines Amazon code bases using search techniques and locality sensitive models for pull requests that include AWS API calls. It looks at code changes intended to improve the quality of the code, and cross-references them against documentation data. The result is the creation of a new set of rules that Reviewer recommends to you as best practices when it reviews your code.

During training for resource and sensitive data leaks, it does a full code analysis for all code paths that use the resource or sensitive data, creates a feature set representing those, and then uses those as inputs for logistic regression models and convolutional neural networks (CNNs).

For code inconsistencies, the models are trained during either the full or incremental code review. After a customer triggers a review, these models utilize a number of data mining and machine learning techniques to build the dataset, highlight the reason for the code patterns, and make recommendations customized to the customer’s code.

For both rule-based and machine learning-based models, Amazon CodeGuru Reviewer uses the feedback you provide as labels and iteratively improves the quality of code detectors.

Q: How are open-source code analysis tools integrated into CodeGuru Reviewer?

Amazon CodeGuru Reviewer incorporates rules from three sources (1) CodeGuru Reviewer rules are integral to the service and designed to use machine learning and automated reasoning to analyze code for code quality and security issues, (2) a managed version of Bandit, an open source code analysis tool designed to find security issues in Python code, is integrated into CodeGuru Reviewer, and (3) a managed version of Infer, an open source code analysis tool designed to find concurrency and other issues in Java code, is also integrated into CodeGuru Reviewer. CodeGuru Reviewer analyzes your code using rules from all sources (as applicable to the programming language) and has simple pricing that includes all analyses performed.

Q: What programming languages are supported by Amazon CodeGuru Reviewer Security Detector?

Amazon CodeGuru Reviewer Security Detector supports Java 8 through Java 11 and Python 3 and above. 

Q: Why should I use Amazon CodeGuru Reviewer Security Detector?

CodeGuru Reviewer Security Detector is like having a security expert on call 24/7 to review your code. It helps identify security best practices before deployment.

Q: How does Amazon CodeGuru Reviewer Security Detector work?

CodeGuru Reviewer Security Detector statically analyzes code to build a control-flow graph representing all the possible ways that the code can be executed. Then it detects how data flows through the control-flow graph to discover potential issues that involve sequences of operations that may span across your application, involving multiple methods and classes. For example, the security detector determines if Javax.Crypto.KeyGenerator or crypto.secrets in Python, both symmetric secret key generators, are initialized before use, even if initialization and use occur in different methods.

Q: What type of issues are detected by Amazon CodeGuru Reviewer Security Detector?

CodeGuru Reviewer can help you with five categories of the code security issues: (1) AWS API Security Best Practices help you follow the security best practices when using APIs of various AWS services, such as AWS EC2 and KMS (2) Java and Python Crypto Library Best Practices help you check common Java cryptography libraries, such as Javax.Crypto.Cipher and the built-in and third party hashing or crypto module (e.g. cryptography) in Python, to ensure that they are initialized and called correctly (3) Secure Web Applications help you check web app related security issues, such as cross-site scripting, LDAP injection, and path traversal injection (4) AWS Security Best Practices bring internal security expertise, such as AWS Crypto recommendations, to your use cases.

Q: Does Amazon CodeGuru Reviewer Security Detector analyze all the code in my repository?

Yes, CodeGuru Reviewer Security Detector analyzes build artifacts and all Java source code in a repository to provide security recommendations.

Q: What CI/CD providers does CodeGuru support?

CodeGuru supports GitHub Actions for CI/CD integration.

Q: How does integrating CodeGuru into my CI/CD pipeline help improve my code?

By integrating CodeGuru Reviewer into your CI/CD pipeline, you can easily automate the code review process for both code quality and security recommendations. You can configure it to run on pull/merge requests, push, or scheduled runs of your pipeline. The integration ensures you never miss a recommendation and are continuously monitoring the quality of your code and potential security vulnerabilities.

Q: How do I set up CI/CD integration with GitHub?

You can view the CodeGuru Reviewer GitHub Action on the GitHub Marketplace by clicking here. Follow the instructions on the marketplace page to integrate CodeGuru into you GitHub CI workflow. Visit our documentation for additional details.

Q: What is Amazon CodeGuru Profiler?

Amazon CodeGuru Profiler helps developers and IT Operators easily understand the runtime behavior of their applications, improve performance, and decrease infrastructure costs. Amazon CodeGuru Profiler analyzes the application runtime profile and provides intelligent recommendations and visualizations that guide developers on how to improve the performance of the most relevant parts of their code.

Q: What is a profiling group?

A profiling group is a logical grouping created by you. It represents the boundary of one application. For example, in a microservices architecture, a profiling group would aggregate the profiles of the microservices that you have assigned to it, and produce one profile for all of them.

Q: I already have extensive logging integrated into my code. Do I still need to profile?

Logging execution time only works for a limited set of scenarios because logging can only monitor latency (not CPU utilization), and is time consuming to implement because developers have to log every function in an application (without impacting application performance), leaving developers without the tools necessary to effectively monitor and troubleshoot applications in production. This is where profiling comes in: Amazon CodeGuru Profiler is designed to collect data on everything that happened in that application’s behavior, regardless of scenarios. CodeGuru Profiler uses a knowledge base of commonly encountered performance inefficiencies to automatically discover code patterns in your live application that impact its performance. Developers can then follow the provided recommendations to fix the issues.

Q: How does Amazon CodeGuru Profiler differ from traditional APMs and standalone profilers?

Traditional APMs provide useful data on monitoring, tracing and application performance. Amazon CodeGuru Profiler complements these APM capabilities by providing visualizations of the application’s runtime data as well as actionable recommendations for the performance issues it discovers. It also uses machine learning to detect and alert on anomalies in your application profile, pointing to the anomalous lines of code. Amazon CodeGuru Profiler enables you to easily see the parts of code that present the biggest opportunity for performance optimization, along with potential savings, and receive guidance on how to address them without the need to have a deep performance engineering background. Amazon CodeGuru Profiler profiles both EC2 instances, containers and serverless compute platforms including AWS Lambda as well as on-premises. Furthermore, some standalone profilers are designed to only run in test environments while Amazon CodeGuru Profiler was designed to continuously run in production, under production traffic loads, and without impact to the application. This is useful when troubleshooting operational issues in production, including when running on bare metal hosts.

Q: What types of applications can I profile?

Amazon CodeGuru Profiler works with applications hosted on Amazon EC2, containerized applications running on Amazon ECS and Amazon EKS, as well as serverless applications running on AWS Fargate and AWS Lambda. Furthermore, you can run Amazon CodeGuru Profiler on-premises.

Q: How does CodeGuru Profiler impact the performance of applications hosted on AWS Lambda?

Amazon CodeGuru Profiler's agent uses the resources (CPU, memory) allocated to AWS Lambda functions. It is tuned to have a minimal impact on your application's performance while it runs as an in-process thread. If your application consumes most of resources on AWS Lambda function, evaluate increasing the resources to enable the agent to properly function.

Q: What programming languages are supported?

Amazon CodeGuru Profiler currently supports Java, Python (in preview), and JVM languages such as Scala and Kotlin.

Q: How does Amazon CodeGuru Profiler work?

Amazon CodeGuru Profiler consists of three parts: an agent, the profiler service, and intelligent recommendations. The agent is started with your application on the command line and it runs as an in-process thread as part of your application. It takes data from each of your service instances running the agent and sends them to the profiler service every five minutes, which then aggregates them. Amazon CodeGuru Profiler then publishes the profile data in interactive flame graphs that enable you to visualize the performance of your application. Amazon CodeGuru Profiler also continuously scans the profiled data and compares it against Amazon and performance engineering best practices and proactively alerts you with intelligent recommendations when performance issues are discovered. It also uses machine learning to continuously analyze application runtime data and alerts when it detects anomalies in the application profile and points to the anomalous lines of code.

Q: Which resources does Amazon CodeGuru Profiler profile and what are the supported languages?

CodeGuru profiles CPU (active CPU and wall clock time) and memory (heap summary) for Java and other JVM languages and CPU (wall clock time) for Python applications.

Q: Can I get both CPU and memory information from the same application?

Yes, once you enable memory profiling and you start profiling, CodeGuru Profiler will collect both CPU and memory information for your application. You only need one profiling group to get both CPU and memory data for a given application.

Q: What memory profiling information does Amazon CodeGuru Profiler provide?

CodeGuru Profiler offers heap summary information. Heap summary offers a consolidated view of the memory utilization per object type (e.g. String, int, char[]), and custom types, during a given time frame (usually 5 minutes). CodeGuru tracks both the summed-up sizes of objects and their count. These metrics are presented in a timeline graph, so you can easily spot trends and peaks of memory utilization per object type.

Q: What can I do with heap summary information?

Heap summary is useful in two scenarios. First, you can spot potential memory leaks. A constantly growing memory utilization curve for one or more object types may indicate a leak, possibly leading to out-of-memory errors and application crashes. The second scenario is when you want to optimize the memory footprint of your application. In this case the breakdown of memory utilization per object type will help you know where to focus. For example, by knowing that an unexpectedly high amount of memory has been associated with a specific object type, you can focus your analysis and optimization efforts on the parts of your application that are responsible for allocating and referencing objects of that type.