Scanning your code with Amazon Q - Amazon Q Developer

Scanning your code with Amazon Q

Amazon Q can scan your codebase for security vulnerabilities and code quality issues to improve the posture of your applications throughout the development cycle. You can initiate a scan of an entire codebase, analyzing all files in your local project or workspace, or enable auto scans that assess your code as you write it.

When Amazon Q discovers a potential security vulnerability or quality issue in your code, it generates a finding with a description of the issue and a recommended fix. Some findings include an automatic fix, which updates your code files in-place.

Scans are powered by security detectors that are informed by years of AWS and Amazon.com security best practices. As security policies are updated and detectors are added, scans automatically incorporate new detectors to ensure your code is compliant with the most up-to-date policies.

Types of scans

Amazon Q performs code security and code quality analysis in every scan. The following sections explain the types of security and quality issues Amazon Q detects.

Code security scanning

Amazon Q detects security policy violations and vulnerabilities in your code with static application security testing (SAST), secrets detection, and infrastructure as code (IaC) scanning. For a complete list of the detectors Amazon Q uses to scan your code, see the Detector Library.

  • SAST scanning — Detect security vulnerabilities in your source code. Amazon Q identifies various security issues, such as resource leaks, SQL injection, and cross-site scripting.

  • Secrets scanning — Prevent the exposure of sensitive or confidential information in your codebase. Amazon Q scans your code and text files for secrets such as hardcoded passwords, database connection strings, and usernames. Secrets findings include information about the unprotected secret and how to protect it.

  • IaC scanning — Evaluate the security posture of your infrastructure files. Amazon Q can scan your infrastructure as code (IaC) files to detect misconfiguration, compliance, and security issues.

Code quality scanning

Amazon Q detects quality and maintainability issues in your code to ensure your codebase is meeting quality and efficiency best practices. Amazon Q generates findings related to various quality issues, including but not limited to performance, machine learning rules, and AWS best practices.

Quotas

Amazon Q security scans maintain the following quotas:

  • Input artifact size – The size of all the files within an IDE project workspace, including third-party libraries, build JAR files, and temporary files.

  • Source code size – The size of the source code that Amazon Q scans after filtering all third-party libraries and unsupported files.

The following table describes the quotas maintained for auto scans and full project scans.

Resource                      Auto scans    Project scans
Maximum input artifact size   200 KB        500 MB
Maximum source code size      200 KB        50 MB
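The two quotas differ in what they count: the input artifact size includes everything in the workspace, while the source code size is what remains after third-party libraries and unsupported files are filtered out. The following added example (not Amazon Q's own code) pre-checks a workspace against both quotas before a scan; the directory and extension filters it uses and the 1024-based unit conversion are assumptions, since this page does not document how Amazon Q itself filters files.

```python
"""Pre-check a workspace against the Amazon Q scan quotas from the table above.

Added example, not Amazon Q's own code. The filter rules below and the
1024-based units are assumptions; the page does not document the real filtering.
"""
import os
import tempfile

KB, MB = 1024, 1024 ** 2
# Quota values from the table on this page.
QUOTAS = {
    "auto": {"input_artifact": 200 * KB, "source_code": 200 * KB},
    "project": {"input_artifact": 500 * MB, "source_code": 50 * MB},
}
# Assumed stand-ins for "third-party libraries, build JAR files, and temporary files".
THIRD_PARTY_DIRS = {"node_modules", "vendor", ".git", "build", "target", "__pycache__"}
EXCLUDED_EXTENSIONS = {".jar", ".class", ".tmp", ".log", ".pyc", ".zip"}


def measure_workspace(root):
    """Return (input_artifact_bytes, source_code_bytes) for a directory tree."""
    input_artifact = source_code = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dirs = set(os.path.relpath(dirpath, root).split(os.sep))
        third_party = bool(rel_dirs & THIRD_PARTY_DIRS)  # any ancestor dir is third-party
        for name in filenames:
            size = os.path.getsize(os.path.join(dirpath, name))
            input_artifact += size  # every file counts toward the input artifact quota
            if not third_party and os.path.splitext(name)[1] not in EXCLUDED_EXTENSIONS:
                source_code += size  # only filtered source counts toward the source quota
    return input_artifact, source_code


def check_quotas(root):
    """Map scan type -> True when the workspace fits both quotas for that scan."""
    artifact, source = measure_workspace(root)
    return {scan: artifact <= q["input_artifact"] and source <= q["source_code"]
            for scan, q in QUOTAS.items()}


def build_sample_workspace():
    """Create a constructed workspace: 10 KB of source, 300 KB vendored JS, a 5 KB JAR."""
    root = tempfile.mkdtemp(prefix="q_quota_demo_")
    for rel, size in [("src/app.py", 10 * KB), ("node_modules/lib/index.js", 300 * KB),
                      ("build/app.jar", 5 * KB)]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * size)
    return root
```

For the constructed workspace, `check_quotas` reports that the 315 KB input artifact exceeds the auto scan quota even though only 10 KB of it is source, while a full project scan fits comfortably.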