General

Q: What is Amazon CodeGuru Reviewer?

Amazon CodeGuru Reviewer is an automated code review service that identifies critical defects and deviations from coding best practices in Java and Python code. It scans the lines of code within a pull request and provides recommendations based on standards learned from major open source projects as well as the Amazon codebase. Amazon CodeGuru Reviewer integrates with existing code review workflows on widely used source control systems, including GitHub, GitHub Enterprise, Bitbucket, and AWS CodeCommit, and provides actionable recommendations for improving code quality.

Q: What can I do with Amazon CodeGuru Reviewer?

Amazon CodeGuru Reviewer uses machine learning and automated reasoning to identify critical issues and hard-to-find bugs during application development to improve code quality.

Q: How do I get started with Amazon CodeGuru Reviewer?

Amazon CodeGuru is now generally available. You can start right now in the Amazon CodeGuru console. To get started with Amazon CodeGuru Reviewer, log in to the Amazon CodeGuru Reviewer console where you can associate an existing code repository on GitHub, GitHub Enterprise, Bitbucket or AWS CodeCommit. After a one-time setup, Amazon CodeGuru Reviewer begins analyzing code and providing code improvement recommendations directly within the pull request or code repository.

Q: In which AWS Regions is Amazon CodeGuru Reviewer available?

To see supported AWS Regions, please visit the AWS Region Table for all AWS global infrastructure. For more information, see Regions and Endpoints in the AWS General Reference. 

Amazon CodeGuru Reviewer

Q: What programming languages and source code repositories are supported?

Amazon CodeGuru Reviewer currently supports Java and Python code stored in GitHub, GitHub Enterprise, Bitbucket and AWS CodeCommit repositories.

Q: What type of issues are detected by Amazon CodeGuru Reviewer?

Amazon CodeGuru Reviewer checks for concurrency issues such as race conditions and deadlocks, un-sanitized or malicious inputs, inappropriate handling of sensitive data such as credentials, and resource leaks. It also suggests AWS, Java and Python best practices and detects cloned code that could be consolidated for better maintainability.

Q: How do I get started with Amazon CodeGuru Reviewer?

Visit the Amazon CodeGuru console to integrate Amazon CodeGuru Reviewer recommendations directly within your code pull requests: follow the steps there to associate your AWS CodeCommit, GitHub, GitHub Enterprise and Bitbucket repositories. Once enabled, Amazon CodeGuru Reviewer automatically posts its recommendations as comments on pull requests opened in the connected repositories.

Q: Does Amazon CodeGuru Reviewer access my code?

Amazon CodeGuru Reviewer needs read-only access to your code for the purpose of generating recommendations. Your trust, privacy, and the security of your content are our highest priority and we implement appropriate controls, including encryption in transit, to prevent unauthorized access to, or disclosure of, your content and ensure that our use complies with our commitments to you. Please see the Data Privacy FAQ for more information.

Q: Does Amazon CodeGuru Reviewer persist a copy of my code?

No, Amazon CodeGuru Reviewer does not store your source code.

Q: How is Amazon CodeGuru Reviewer trained to provide intelligent recommendations?

Amazon CodeGuru Reviewer is trained using rule mining and supervised machine learning models that use a combination of logistic regression and neural networks.

For example, during training for deviation from AWS best practices, Amazon CodeGuru Reviewer mines Amazon code bases using search techniques and locality sensitive models for pull requests that include AWS API calls. It looks at code changes intended to improve the quality of the code, and cross-references them against documentation data. The result is the creation of a new set of rules that Reviewer recommends to you as best practices when it reviews your code.

During training for resource and sensitive data leaks, it does a full code analysis for all code paths that use the resource or sensitive data, creates a feature set representing those, and then uses those as inputs for logistic regression models and convolutional neural networks (CNNs).

For code inconsistencies, the models are trained during either the full or incremental code review. After a customer triggers a review, these models utilize a number of data mining and machine learning techniques to build the dataset, highlight the reason for the code patterns, and make recommendations customized to the customer’s code.

For both rule-based and machine learning-based models, Amazon CodeGuru Reviewer uses the feedback you provide as labels and iteratively improves the quality of code detectors.

Q: How are open-source code analysis tools integrated into CodeGuru Reviewer?

Amazon CodeGuru Reviewer incorporates rules from three sources: (1) CodeGuru Reviewer rules, which are integral to the service and use machine learning and automated reasoning to analyze code for code quality and security issues; (2) a managed version of Bandit, an open source code analysis tool designed to find security issues in Python code; and (3) a managed version of Infer, an open source code analysis tool designed to find concurrency and other issues in Java code. CodeGuru Reviewer analyzes your code using rules from all sources (as applicable to the programming language) and has simple pricing that includes all analyses performed.

Amazon CodeGuru Reviewer Security Detector

Q: What programming languages are supported by Amazon CodeGuru Reviewer Security Detector?

Amazon CodeGuru Reviewer Security Detector supports Java 8 through Java 11 and Python 3 and above.

Q: Why should I use Amazon CodeGuru Reviewer Security Detector?

CodeGuru Reviewer Security Detector is like having a security expert on call 24/7 to review your code. It helps identify security best practices before deployment.

Q: How does Amazon CodeGuru Reviewer Security Detector work?

CodeGuru Reviewer Security Detector statically analyzes code to build a control-flow graph representing all the possible ways the code can be executed. It then tracks how data flows through that graph to discover potential issues involving sequences of operations that may span your application, across multiple methods and classes. For example, the security detector determines whether javax.crypto.KeyGenerator in Java or crypto.secrets in Python, both symmetric secret key generators, are initialized before use, even if initialization and use occur in different methods.
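The cross-method initialization check described above, as an added illustration that is not CodeGuru Reviewer's code: a toy Python `ast`-based analysis that tracks whether an object created by a hypothetical `KeyGenerator()` constructor sees `.init(...)` before `.generate_key()`, even when the two calls live in different functions. The constructor and method names, the function summaries and the sample source are all constructed for the demonstration; a production analyzer builds a full control-flow graph and iterates summaries to a fixed point over the call graph rather than walking statements in source order.

```python
"""Toy interprocedural 'initialized before use' check over Python source.

Added example, not CodeGuru Reviewer code. Names below are constructed:
objects created by KeyGenerator() must see .init(...) before .generate_key().
"""
import ast
from typing import Dict, List

CONSTRUCTOR = "KeyGenerator"   # hypothetical symmetric key generator
INIT_METHOD = "init"
USE_METHOD = "generate_key"


def _events(body, name, summaries):
    """Walk statements in order and collect 'init'/'use' events that hit `name`.

    Direct calls name.init()/name.generate_key() are recorded; a call to a
    local function that receives `name` as an argument contributes that
    function's summary for the matching parameter position.
    """
    events: List[str] = []
    for stmt in body:
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            func = node.func
            if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                    and func.value.id == name):
                if func.attr == INIT_METHOD:
                    events.append("init")
                elif func.attr == USE_METHOD:
                    events.append("use")
            elif isinstance(func, ast.Name) and func.id in summaries:
                for pos, arg in enumerate(node.args):
                    if isinstance(arg, ast.Name) and arg.id == name:
                        events.extend(summaries[func.id].get(pos, []))
    return events


def build_summaries(tree):
    """Per function: parameter position -> events the function performs on it."""
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    summaries: Dict[str, Dict[int, List[str]]] = {}
    # Two rounds: the first sees direct method calls, the second folds in one
    # level of callee summaries (enough for the sample below).
    for _ in range(2):
        for fname, fn in funcs.items():
            params = [a.arg for a in fn.args.args]
            summaries[fname] = {i: _events(fn.body, p, summaries)
                                for i, p in enumerate(params)}
    return funcs, summaries


def check(source: str):
    """Return (function, variable) pairs where a generator is used before init."""
    tree = ast.parse(source)
    funcs, summaries = build_summaries(tree)
    findings = []
    for fname, fn in funcs.items():
        for idx, stmt in enumerate(fn.body):
            value = getattr(stmt, "value", None)
            if not (isinstance(stmt, ast.Assign) and isinstance(value, ast.Call)
                    and isinstance(value.func, ast.Name)
                    and value.func.id == CONSTRUCTOR
                    and isinstance(stmt.targets[0], ast.Name)):
                continue
            var = stmt.targets[0].id
            initialized = False
            # Replay the events on `var` from the statements after its creation.
            for ev in _events(fn.body[idx + 1:], var, summaries):
                if ev == "init":
                    initialized = True
                elif ev == "use" and not initialized:
                    findings.append((fname, var))
                    break
    return findings


# Constructed sample input for the checker.
SAMPLE = '''
def make_key(gen):
    return gen.generate_key()

def setup(gen):
    gen.init(256)

def good():
    gen = KeyGenerator("AES")
    setup(gen)            # initialised in a different function
    return make_key(gen)

def bad():
    gen = KeyGenerator("AES")
    return make_key(gen)  # used before init, through a helper
'''

if __name__ == "__main__":
    for fname, var in check(SAMPLE):
        print(f"{fname}: '{var}' used before init()")
```

`check(SAMPLE)` flags only `bad`: in `good` the summary of `setup` supplies the `init` event before `make_key` supplies the `use`, which is the kind of cross-method reasoning the paragraph describes.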

Q: What type of issues are detected by Amazon CodeGuru Reviewer Security Detector?

CodeGuru Reviewer can help you with five categories of code security issues: (1) AWS API Security Best Practices help you follow security best practices when using the APIs of various AWS services, such as AWS EC2 and KMS; (2) Java and Python Crypto Library Best Practices check common Java cryptography libraries, such as javax.crypto.Cipher, and the built-in and third-party hashing or crypto modules (e.g. cryptography) in Python, to ensure that they are initialized and called correctly; (3) Secure Web Applications checks for web application security issues, such as cross-site scripting, LDAP injection, and path traversal injection; (4) AWS Security Best Practices bring internal security expertise, such as AWS Crypto recommendations, to your use cases.
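To make the path traversal category concrete, here is an added example (not CodeGuru's code or one of its detector rules) showing the vulnerable join pattern a reviewer would flag in a Python upload handler next to a hardened resolver. `UPLOAD_ROOT` and the sample request values are constructed; the check is purely lexical, so a deployment that allows symlinks under the root would additionally resolve the real path before comparing.

```python
"""Path traversal: vulnerable join beside a hardened resolver (added example).

UPLOAD_ROOT and the sample paths are constructed; this is not CodeGuru code.
"""
import posixpath

UPLOAD_ROOT = "/srv/app/uploads"  # constructed example root


def unsafe_open_path(user_path: str) -> str:
    """Vulnerable pattern: the request value is joined straight onto the root,
    so '..' segments (or an absolute path) walk out of UPLOAD_ROOT."""
    return posixpath.join(UPLOAD_ROOT, user_path)


def safe_open_path(user_path: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened: normalise lexically, then require the result to stay under root.

    commonpath compares whole components, so '/srv/app/uploads-evil' is not
    mistaken for a child of '/srv/app/uploads' the way str.startswith would.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, user_path))
    if posixpath.commonpath([root, full]) != root:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return full


def classify(user_paths):
    """Run the hardened resolver over a batch; returns {path: 'ok' | 'rejected'}."""
    verdict = {}
    for p in user_paths:
        try:
            safe_open_path(p)
            verdict[p] = "ok"
        except ValueError:
            verdict[p] = "rejected"
    return verdict


# Constructed request values a reviewer would exercise the handler with.
SAMPLE_PATHS = [
    "reports/q1.txt",
    "reports/../q1.txt",
    "../../etc/passwd",
    "/etc/passwd",
    "../uploads-evil/x",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:22} naive -> {posixpath.normpath(unsafe_open_path(p))}")
    print(classify(SAMPLE_PATHS))
```

The naive resolver returns `/srv/etc/passwd` for the third sample once normalised, while `safe_open_path` rejects it, the absolute path, and the sibling-directory case that a prefix string comparison would let through.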

Q: Does Amazon CodeGuru Reviewer Security Detector analyze all the code in my repository?

Yes, CodeGuru Reviewer Security Detector analyzes build artifacts and all Java source code in a repository to provide security recommendations.

Amazon CodeGuru Reviewer CI/CD Integrations

Q: What CI/CD providers does CodeGuru support?

CodeGuru supports GitHub Actions for CI/CD integration.

Q: How does integrating CodeGuru into my CI/CD pipeline help improve my code?

By integrating CodeGuru Reviewer into your CI/CD pipeline, you can easily automate the code review process for both code quality and security recommendations. You can configure it to run on pull/merge requests, push, or scheduled runs of your pipeline. The integration ensures you never miss a recommendation and are continuously monitoring the quality of your code and potential security vulnerabilities.

Q: How do I set up CI/CD integration with GitHub?

The CodeGuru Reviewer GitHub Action is listed on the GitHub Marketplace. Follow the instructions on the marketplace page to integrate CodeGuru into your GitHub CI workflow; see the documentation for additional details.

Learn more about our customers

Visit the Amazon CodeGuru Reviewer customers page.
