Amazon CodeGuru
Detector Library
Trained on decades of knowledge and experience across millions of code reviews
About Amazon CodeGuru
Amazon CodeGuru is a developer tool that scans code and provides intelligent recommendations to improve code security and quality.
Detectors power the code scanning capabilities of Amazon CodeGuru. Code scanning capabilities are available through Amazon CodeGuru Security, Amazon CodeWhisperer security scanning, and Amazon Inspector code scanning.
Frequently asked questions
What is the Amazon CodeGuru Detector Library?
The Amazon CodeGuru Detector Library is a resource that contains detailed information about CodeGuru's security and code quality detectors to help developers build secure and efficient applications on AWS. Each detection page within the Detector Library contains descriptions, noncompliant and compliant example code snippets, severities, and additional information that helps developers mitigate their risks (such as CWE numbers). The materials presented in the Amazon CodeGuru Detector Library are intended to be a high-level summary of the service's capabilities but may not be inclusive of all detectors or their functionality.
How should I use the Amazon CodeGuru Detector Library?
You should review the Detector Library to get a deeper understanding of the capabilities of CodeGuru. Additionally, after scanning your code resources in CodeGuru, you can use the detailed detection pages to help mitigate the findings you receive. You are also welcome to use this as an educational resource to help improve the overall security posture of your application and help ensure you are following AWS best practices.
How can I see Amazon CodeGuru in action?
You can see Amazon CodeGuru in action by using CodeGuru example detection repositories to scan code. You can scan code using CodeGuru's code scanning capabilities available through Amazon CodeGuru Security, Amazon CodeWhisperer security scanning, or Amazon Inspector code scanning. The repositories contain many of the noncompliant code examples that appear in this Detector Library. The repositories are divided by programming language: Java, Python, JavaScript, TypeScript, C#, and IaC.
How often are the detectors updated?
The CodeGuru team is continually adding new detectors to help you keep your applications free from new, potentially harmful security vulnerabilities.
Do the detectors only find the specific example within each detection page?
No. Each detector can detect a wide range of different code defects. We included one noncompliant and compliant code example on each detection page (such as insecure cryptography) to help clarify the detection. However, each detector can find a range of defects in addition to the explicit code example shown on the detection page.
Which detectors are available in CodeGuru Security, CodeWhisperer, and Amazon Inspector Code Scanning?
CodeGuru Security features hundreds of CodeGuru's code security detectors, as well as hundreds of code quality detectors that can be enabled through additional configuration. CodeGuru Security is available for code written in Python, Java, JavaScript, TypeScript, C#, and IaC.
CodeWhisperer and Amazon Inspector code scanning feature CodeGuru's security detectors which are available for code written in Java, Python, and JavaScript. CodeWhisperer uses these detectors to scan code in the IDE, while Amazon Inspector code scanning uses these detectors to scan Lambda functions.
How does CodeGuru determine what to include or exclude in a scan?
Before commencing a scan, CodeGuru applies filtering to ensure that only relevant customer code is scanned. This ensures that CodeGuru's findings are valuable to customers. As part of the filtering process, CodeGuru excludes unsupported languages, test code, and open source code.
What actions will I see in CloudTrail and IAM policies if I use CodeGuru detectors through Amazon Inspector or Amazon CodeWhisperer?
Access to CodeGuru features is securely controlled using AWS IAM. Amazon Inspector and Amazon CodeWhisperer use IAM permission policies to get access to CodeGuru APIs. Any access is also logged into CloudTrail. Thus, you will see the actions defined in the Amazon CodeGuru Security API Reference in IAM policies and CloudTrail under the codeguru-security namespace.