Amazon CodeGuru
Detector Library

Trained on decades of knowledge and experience across millions of code reviews

About Amazon CodeGuru

Amazon CodeGuru is a developer tool that scans code and provides intelligent recommendations to improve code quality and security.

Detectors power the code scanning capabilities of Amazon CodeGuru. Code scanning capabilities are available through Amazon CodeGuru Reviewer, Amazon CodeWhisperer security scanning, and Amazon Inspector code scanning.

Frequently asked questions

What is the Amazon CodeGuru Detector Library?
The Amazon CodeGuru Detector Library is a resource that contains detailed information about CodeGuru's security and code quality detectors to help developers build secure and efficient applications on AWS. Each detection page within the Detector Library contains descriptions, noncompliant and compliant example code snippets, severities, and additional information that helps developers mitigate their risks (such as CWE numbers). The materials presented in the Amazon CodeGuru Detector Library are intended to be a high-level summary of the service's capabilities but may not be inclusive of all detectors or their functionality.
How should I use the Amazon CodeGuru Detector Library?
You should review the Detector Library to get a deeper understanding of the capabilities of CodeGuru. Additionally, after running a repository scan of your application in CodeGuru, you can use the detailed detection pages to help mitigate the findings you receive. You are also welcome to use this as an educational resource to help improve the overall security posture of your application and help ensure you are following AWS best practices.
How can I see Amazon CodeGuru in action?
You can see Amazon CodeGuru in action by using CodeGuru example detection repositories to scan code. You can scan code using CodeGuru's code scanning capabilities available through Amazon CodeGuru Reviewer, Amazon CodeWhisperer security scanning, or Amazon Inspector code scanning. The repositories contain many of the noncompliant code examples that appear in this Detector Library. The repositories are divided by programming language: Java, Python, and JavaScript.
How often are the detectors updated?
The CodeGuru team is continually adding new detectors to help you keep your applications free from new, potentially harmful security vulnerabilities.
Do the detectors only find the specific example within each detection page?
No. Each detector can detect a wide range of different code defects. We included one noncompliant and one compliant code example on each detection page (such as insecure cryptography) to help clarify the detection. However, each detector can find a range of defects in addition to the explicit code example shown on the detection page.
Which detectors are available in CodeGuru Reviewer, CodeWhisperer, and Amazon Inspector Code Scanning?
CodeGuru Reviewer features hundreds of CodeGuru's code quality detectors and a few code security detectors. CodeGuru Reviewer is currently only available for code written in Java and Python.
CodeWhisperer and Amazon Inspector code scanning feature CodeGuru's security detectors, which are available for code written in Java, Python, and JavaScript. CodeWhisperer uses these detectors to scan code in the IDE, while Amazon Inspector code scanning uses these detectors to scan Lambda functions.
How does CodeGuru determine what to include or exclude in a scan?
Before commencing a scan, CodeGuru applies filtering to ensure that only relevant customer code is scanned. This ensures that CodeGuru's findings are valuable to customers. As part of the filtering process, CodeGuru excludes unsupported languages, test code, and open source code.
What actions will I see in CloudTrail and IAM policies if I use CodeGuru detectors through Amazon Inspector or Amazon CodeWhisperer?
Access to CodeGuru features is securely controlled using AWS IAM. Amazon Inspector and Amazon CodeWhisperer use IAM permission policies to get access to CodeGuru APIs. Any access is also logged in CloudTrail. Thus, you will see the following actions in IAM policies and CloudTrail under the codeguru-security namespace: UpdateAccountConfiguration, CreateUploadUrl, CreateScan, GetScan, ListFindings, BatchGetFindings, and DeleteScansByCategory.
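As an added example (not part of the Detector Library or any AWS code), the following script audits CloudTrail records for the codeguru-security actions listed above, grouping them by calling principal and flagging state-changing actions and any action outside the documented list. It assumes CloudTrail records these calls with eventSource "codeguru-security.amazonaws.com", and the sample records and principal ARNs are constructed.

```python
"""Audit CloudTrail records for codeguru-security API activity.

Added example; assumes CloudTrail reports CodeGuru Security calls with
eventSource "codeguru-security.amazonaws.com" (assumption, not stated on the page).
"""
import json
from collections import defaultdict

# Actions the Detector Library FAQ says Amazon Inspector / CodeWhisperer use.
EXPECTED_ACTIONS = {
    "UpdateAccountConfiguration", "CreateUploadUrl", "CreateScan", "GetScan",
    "ListFindings", "BatchGetFindings", "DeleteScansByCategory",
}
# Actions that change or remove scan state; worth a closer look when a human principal calls them.
SENSITIVE_ACTIONS = {"DeleteScansByCategory", "UpdateAccountConfiguration"}
CODEGURU_SOURCE = "codeguru-security.amazonaws.com"  # assumed eventSource value

# Constructed sample CloudTrail records (not real log data); "UnlistedAction" is a placeholder.
SAMPLE_RECORDS = [
    {"eventSource": CODEGURU_SOURCE, "eventName": "CreateScan",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/inspector-role/session"}},
    {"eventSource": CODEGURU_SOURCE, "eventName": "GetScan",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/inspector-role/session"}},
    {"eventSource": CODEGURU_SOURCE, "eventName": "DeleteScansByCategory",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventSource": CODEGURU_SOURCE, "eventName": "UnlistedAction",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
]


def audit_codeguru_calls(records):
    """Summarise codeguru-security calls per principal.

    Returns {principal_arn: {"actions": set, "sensitive": set, "unexpected": set}};
    records from other event sources are ignored.
    """
    summary = defaultdict(lambda: {"actions": set(), "sensitive": set(), "unexpected": set()})
    for rec in records:
        if rec.get("eventSource") != CODEGURU_SOURCE:
            continue
        action = rec.get("eventName", "")
        who = rec.get("userIdentity", {}).get("arn", "<unknown>")
        entry = summary[who]
        entry["actions"].add(action)
        if action in SENSITIVE_ACTIONS:
            entry["sensitive"].add(action)
        if action not in EXPECTED_ACTIONS:
            entry["unexpected"].add(action)
    return dict(summary)


if __name__ == "__main__":
    for arn, info in audit_codeguru_calls(SAMPLE_RECORDS).items():
        print(arn, json.dumps({k: sorted(v) for k, v in info.items()}))
```

In practice the records would come from a CloudTrail lookup or an S3-delivered trail rather than the inline sample.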