Recommendation types in CodeGuru Reviewer - Amazon CodeGuru Reviewer

Recommendation types in CodeGuru Reviewer

Amazon CodeGuru Reviewer recommends various kinds of fixes in your Java and Python code. These recommendations are based on common code scenarios and might not apply to all cases.

If you don't agree with a recommendation, you can provide feedback in the CodeGuru Reviewer console or by commenting on the code in the pull requests. Any positive or negative feedback can be used to help improve the performance of CodeGuru Reviewer so that recommendations get better over time.

If you want to suppress recommendations from CodeGuru Reviewer, you can create and add to the root directory of your repository an aws-codeguru-reviewer.yml file that lists files and directories to exclude from analysis. For more information, see Suppress recommendations.

The following content describes the secrets detection functionality of CodeGuru Reviewer. For information about the other recommendation types and the detectors that CodeGuru Reviewer uses, see the Amazon CodeGuru Reviewer Detector Library.

Secrets detection

CodeGuru Reviewer integrates with AWS Secrets Manager to use a secrets detector that finds unprotected secrets in your code. Secrets detection is automatic, so you don't need to turn it on.

The secrets detector searches for hardcoded passwords, database connection strings, user names, and more. When an unprotected secret is found during a code review, CodeGuru Reviewer generates a recommendation and displays it with your code reviews. The recommendation tells you about the unprotected secret. To immediately protect that secret, choose Protect your credential in the code review. This opens the Secrets Manager console to protect and manage the secret. For more information, see Move hardcoded secrets to AWS Secrets Manager in the AWS Secrets Manager User Guide and View recommendations and provide feedback.

Secrets detection supported file types

The secrets detector finds unprotected secrets the following file types with a maximum file size of 100kb.

  • Config files (*.config, *.cfg, *.conf, *.cnf, *.cf)

  • Environment files (*.env)

  • Initialization files (*.ini)

  • Java files (*.java)

  • JSON files (*.json)

  • Jupyter Notebook files (*.ipynb)

  • Key files (*.key)

  • Markdown files (*.md)

  • Privacy Enhanced Mail files (*.pem)

  • Property List files (*.plist)

  • Python files (*.py)

  • reStructuredText files (*.rst)

  • Text files (*.txt, *.text)

  • TOML files (*.toml)

  • XML files (*.xml)

  • YAML files (*.yml, *.yaml)

Types of secrets detected by CodeGuru Reviewer

Amazon CodeGuru Reviewer detects unprotected usernames, passwords, RSA keys, and the following secrets.

Secrets detected by CodeGuru Reviewer
Provider Secrets detected
Amazon Web Services (AWS)
  • Amazon AWS Access Key ID

  • Amazon AWS Secret Access Key

Atlassian
  • Atlassian API Token

  • Atlassian JSON Web Token

  • Bitbucket Server Personal Access Token

Databricks
  • Databricks Access Token

Datadog
  • Datadog API Key

  • Datadog App Key

GitHub
  • GitHub Personal Access Token

  • GitHub OAuth Access Token

  • GitHub Refresh Token

  • GitHub App Installation Access Token

  • GitHub SSH Private Key

Hubspot
  • Hubspot API Key

Intercom
  • Intercom Access Token

Mailchimp
  • Mailchimp API Key

Mailgun
  • Mailgun API Key

Salesforce
  • Private Key

SendGrid
  • SendGrid API Key

Shopify
  • Shopify App Shared Secret

  • Shopify Access Token

  • Shopify Custom App Access Token

  • Shopify Private App Password

Slack
  • Client ID

  • Client Secret

Stripe
  • Stripe API Key

  • Stripe Live API Secret Key

  • Stripe Test API Secret Key

  • Stripe Live API Restricted Key

  • Stripe Test API Restricted Key

  • Stripe Webhook Signing Secret

Tableau
  • Tableau Personal access token

Telegram
  • Telegram Bot Token

Twilio
  • Twilio Account string identifier

  • Twilio API Key