Amazon CodeGuru Security helps improve code security

2023/10/02, reading time about 8 minutes


Amazon CodeGuru Security is a static application security testing (SAST) tool that combines machine learning (ML) and automated reasoning to identify vulnerabilities in code, provide recommendations on how to fix identified vulnerabilities, and track the status of vulnerabilities until they are resolved.

Amazon CodeGuru Profiler helps developers find the most expensive lines of code in their applications, helping them understand application behavior, identify and eliminate code inefficiencies, improve performance, and significantly reduce computing costs.


Inline code fixes

For specific weaknesses, CodeGuru Security employs machine learning to generate ready-to-use code segments that can seamlessly substitute the problematic lines of code. You can eliminate the vulnerable code and then insert the recommended code revisions into your file, or retrieve a code fix from the console to implement in your file.


Vulnerability tracking

CodeGuru Security employs a vulnerability monitoring functionality powered by machine learning. This feature keeps tabs on vulnerabilities even if they relocate within a file or migrate to another file. Once a vulnerability is initially identified, the tracking feature continuously checks for its presence in subsequent scans and whether it has been resolved. When vulnerability tracking confirms that a vulnerability has been remedied, it automatically updates the finding status to "Closed." This status change is communicated to any integrated notification system, requiring no action from the user.


Metrics dashboard

CodeGuru Security identifies security vulnerabilities throughout all your code scans and produces metric insights that are showcased on a comprehensive dashboard. This dashboard provides information regarding your security findings, such as the average time required to resolve findings, the types of vulnerabilities detected in your scans, and the distribution of their severity levels. Thanks to the vulnerability tracking feature, the Metrics dashboard continuously keeps an accurate portrayal of the security status of your resources.
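The two features described above, tracking a finding across scans even when it moves between lines or files, and deriving dashboard metrics such as time to resolve and severity distribution, can be illustrated with a small finding tracker. The code below is an added example written for this article, not CodeGuru Security's own implementation: it assumes a finding can be keyed by its rule id plus the whitespace-normalised source line (a constructed fingerprint scheme), and the scans, rule ids and secret value it feeds in are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    """One raw result from a single scan (constructed shape, not CodeGuru's)."""
    rule_id: str      # e.g. "hardcoded-credentials" (assumed rule name)
    severity: str     # "Critical", "High", "Medium" or "Low"
    path: str
    line: int
    snippet: str      # the flagged source line


@dataclass
class TrackedFinding:
    """A finding followed across scans; status flips to Closed when it disappears."""
    fingerprint: str
    rule_id: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    location: str
    status: str = "Open"
    closed_at: Optional[datetime] = None


def fingerprint(f: Finding) -> str:
    # Key on the rule and the normalised flagged line, not on path or line
    # number, so the same weakness keeps its identity when code is moved.
    normalised = re.sub(r"\s+", "", f.snippet)
    digest = hashlib.sha256(f"{f.rule_id}|{normalised}".encode()).hexdigest()
    return digest[:16]


class Tracker:
    def __init__(self) -> None:
        self.findings: dict[str, TrackedFinding] = {}

    def ingest(self, scan_time: datetime, results: list[Finding]) -> None:
        """Merge one scan's results; anything open but absent is now Closed."""
        seen = set()
        for r in results:
            fp = fingerprint(r)
            seen.add(fp)
            tracked = self.findings.get(fp)
            if tracked is None:
                self.findings[fp] = TrackedFinding(
                    fp, r.rule_id, r.severity, scan_time, scan_time,
                    location=f"{r.path}:{r.line}")
            else:
                tracked.last_seen = scan_time
                tracked.location = f"{r.path}:{r.line}"
                tracked.status = "Open"      # reopen if it came back
                tracked.closed_at = None
        for fp, tracked in self.findings.items():
            if fp not in seen and tracked.status == "Open":
                tracked.status = "Closed"
                tracked.closed_at = scan_time

    def metrics(self) -> dict:
        """Dashboard-style figures: open/closed counts, severity mix, MTTR."""
        open_ = [t for t in self.findings.values() if t.status == "Open"]
        closed = [t for t in self.findings.values() if t.status == "Closed"]
        by_severity: dict[str, int] = {}
        for t in open_:
            by_severity[t.severity] = by_severity.get(t.severity, 0) + 1
        mttr = (mean((t.closed_at - t.first_seen).total_seconds() / 3600
                     for t in closed) if closed else None)
        return {"open": len(open_), "closed": len(closed),
                "open_by_severity": by_severity,
                "mean_time_to_resolve_hours": mttr}


# Constructed scan history: on day two the hardcoded credential has moved to
# another file (and picked up extra spaces) while the injection was fixed.
SCANS = [
    (datetime(2023, 10, 1, 9, 0), [
        Finding("hardcoded-credentials", "Critical", "app/db.py", 5,
                'DB_PASS = "EXAMPLE-SECRET-DO-NOT-USE"'),
        Finding("sql-injection", "High", "app/query.py", 12,
                'cur.execute("SELECT * FROM users WHERE name = \'" + name + "\'")'),
    ]),
    (datetime(2023, 10, 2, 9, 0), [
        Finding("hardcoded-credentials", "Critical", "app/config.py", 3,
                'DB_PASS   =   "EXAMPLE-SECRET-DO-NOT-USE"'),
    ]),
]


def run_demo() -> dict:
    tracker = Tracker()
    for scan_time, results in SCANS:
        tracker.ingest(scan_time, results)
    report = tracker.metrics()
    report["statuses"] = {t.rule_id: t.status for t in tracker.findings.values()}
    report["tracked"] = len(tracker.findings)
    return report


if __name__ == "__main__":
    print(run_demo())
```

Because the fingerprint ignores file path, line number and whitespace, the moved credential is still one tracked finding rather than a closed one plus a new one, and the injection, absent from the second scan, is closed automatically with a resolution time of 24 hours. A real scanner needs a more robust fingerprint than a single normalised line, but the status lifecycle and the metrics derived from it are the same idea.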


How to create and view scans

To start scanning your code for security vulnerabilities, you can integrate your CI/CD pipeline with CodeGuru Security, or you can manually upload code to initiate the scanning. To manually upload the code, you’ll need to have a zip file that is under 5 GB.



code

import psycopg2

# Sample submitted to the scan. The database password is a hardcoded
# credential, which is the weakness the scan reports in the results below.
DB_NAME = "test"
DB_USER = "test"
DB_PASS = "iYYtLAXVbid-i6MV3NO1EnU-_9SW2uEi"
DB_HOST = "test.db.test.com"
DB_PORT = "5432"

try:
    conn = psycopg2.connect(database=DB_NAME,
                            user=DB_USER,
                            password=DB_PASS,
                            host=DB_HOST,
                            port=DB_PORT)
    print("Database connected successfully")
except psycopg2.Error:
    # Catch the driver's errors only; a bare except would also hide bugs.
    print("Database not connected successfully")
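A hardened counterpart to the sample above, added here as an illustration and not the fix CodeGuru Security generated: the credentials come from the process environment instead of the source file, missing or malformed settings fail loudly before any connection attempt, the secret is kept out of `repr()` output and tracebacks, and only the driver's own connection error is caught. The variable names `DB_NAME`, `DB_USER`, `DB_PASS`, `DB_HOST` and `DB_PORT` are reused from the page; the `ConfigError` class and `DbConfig` type are assumptions of this example.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

REQUIRED = ("DB_NAME", "DB_USER", "DB_PASS", "DB_HOST")


class ConfigError(RuntimeError):
    """Raised when a required setting is missing or invalid."""


@dataclass(frozen=True)
class DbConfig:
    name: str
    user: str
    password: str
    host: str
    port: int

    def __repr__(self) -> str:
        # Never echo the secret, even when the object ends up in a log line.
        return (f"DbConfig(name={self.name!r}, user={self.user!r}, "
                f"host={self.host!r}, port={self.port}, password='***')")


def missing_settings(env: Mapping[str, str]) -> list:
    """Names of required settings that are absent or empty."""
    return [k for k in REQUIRED if not env.get(k)]


def is_valid_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def load_db_config(env: Optional[Mapping[str, str]] = None) -> DbConfig:
    """Build the configuration from the environment (or a mapping, for tests)."""
    env = os.environ if env is None else env
    missing = missing_settings(env)
    if missing:
        raise ConfigError("missing required settings: " + ", ".join(missing))
    port = env.get("DB_PORT", "5432")
    if not is_valid_port(port):
        raise ConfigError(f"DB_PORT must be a TCP port number, got {port!r}")
    return DbConfig(env["DB_NAME"], env["DB_USER"], env["DB_PASS"],
                    env["DB_HOST"], int(port))


def connect(cfg: DbConfig):
    # Imported here so the configuration logic can run without the driver.
    import psycopg2
    try:
        return psycopg2.connect(database=cfg.name, user=cfg.user,
                                password=cfg.password, host=cfg.host,
                                port=cfg.port)
    except psycopg2.OperationalError as exc:
        # Narrow handler: report the endpoint, not the credentials, and keep
        # the original exception chained for debugging.
        raise ConfigError(
            f"could not connect to {cfg.host}:{cfg.port}") from exc


if __name__ == "__main__":
    # Constructed sample environment; a real deployment would set these
    # from a secrets store rather than hardcoding them anywhere.
    sample_env = {"DB_NAME": "test", "DB_USER": "test",
                  "DB_PASS": "EXAMPLE-SECRET-DO-NOT-USE",
                  "DB_HOST": "test.db.test.com", "DB_PORT": "5432"}
    print(load_db_config(sample_env))
```

The secret never appears in the repository, so a scan of this file has nothing to flag, and rotating the password no longer requires a code change.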


Create code scans in the console


Upload zip


Scan in progress


Results


Suggested remediation



For pipeline integrations, you can incorporate AWS CodePipeline, GitHub, GitLab, the AWS CLI and Bitbucket pipelines. You can also integrate with IDEs and notebooks, as well as with Amazon Inspector.




Within the AWS console's integration section for CodeGuru, you have the option to connect with various CI/CD Pipeline tools. Please note that this screenshot does not display the integrations with IDEs and notebooks, nor does it show the integration with Amazon Inspector.


Reference

https://aws.amazon.com/codeguru/

