Create code reviews with GitHub Actions - Amazon CodeGuru Reviewer

Create code reviews with GitHub Actions

Amazon CodeGuru Reviewer finds issues in your Java and Python code and recommends how to remediate them. CodeGuru Reviewer detects deviation from best practices for using AWS APIs and SDKs, and also identifies concurrency issues, resource leaks, security vulnerabilities and validates input parameters validation. First, you enable CodeGuru Reviewer on your build workflow. Next, for every push, pull, or scheduled repository scan, the CodeGuru Reviewer GitHub Action copies your code and build artifacts into an S3 bucket in your AWS account. CodeGuru Reviewer APIs are used to analyze the artifacts and provide recommendations.

You can enable security and code quality recommendations with GitHub Actions by making the following changes to your workflow. If your repository has files in both Java and Python, then CodeGuru Reviewer will provide recommendations for the language that has more files. An example workflow file could be .github/workflows/build.yml.

Get recommendations using GitHub Actions

This sections shows you how to create recommendations using GitHub Actions and disassociate a workflow, and also provides examples to get your started.

Create code reviews with GitHub Actions

This section shows you how to create code reviews and get recommendations using GitHub Actions.

To start recommendations using GitHub Actions

  1. Create an Amazon S3 bucket with the prefix codeguru-reviewer-* to upload your code and artifacts. For information on creating a new Amazon S3 bucket, see Creating a bucket in the Amazon S3 User Guide.

  2. Sign into your GitHub account to complete the CI/CD integration process. Your repository must be public or private if it's part of a GitHub organization in order for GitHub actions to work.

  3. In order to run the CodeGuru Reviewer Action, you need to provide AWS credentials. We recommend using aws-actions/configure-aws-credentials to configure your credentials for a job. For self-hosted runners, the configure-aws-credentials action assumes the runner’s IAM credentials or role to the CodeGuru Reviewer Action. Docker must be installed for self-hosted runners. For information on installing Docker, see Get started with Docker.

    For GitHub hosted runners, you can configure the credentials in GitHub Secrets.

    The IAM user or IAM role should have the AmazonCodeGuruReviewerFullAccess policy enabled and Amazon S3 Permissions (s3:PutObject, s3:ListBucket, s3:GetObject). For more details on AWS credentials, see Configuration and credential file settings in the AWS Command Line Interface User Guide.

  4. Add the CodeGuru Reviewer Action. The following code snippet provides an example showing how you can enable your workflow, as supported by CodeGuru Reviewer.

    - name: Amazon CodeGuru Reviewer Scanner if: ${{ always() }} uses: aws-actions/codeguru-reviewer@v1.1 with: build_path: target # build artifact(s) directory. This is only required for Java repositories s3_bucket: codeguru-reviewermyactions-bucket # S3 Bucket with "codeguru-reviewer-*" prefix

    The following is a list of parameters.

    Argument Required Description

    s3_bucket

    Yes

    User-owned bucket which starts with the prefix codeguru-reviewer-. Must be in the same Region as your application.

    build_path

    No

    Path to build artifact(s) directory. JAR files in this directory are uploaded for review. The build artifacts are required to get the complete set of security recommendations.

    kms_key_id

    No

    The key ID uniquely identifies an AWS KMS key within an account and Region.

  5. Run your workflow in GitHub to start the code analysis. When the build is complete, review your recommendations in the GitHub Security tab.

Disassociate your CI/CD workflow

If your CI workflow association fails, you can disassociate your repository by choosing Disassociate repository. If you want to associate your CI workflow later, you can associate your repository again by following set up steps.

If you want to stop CodeGuru Reviewer recommendations for your CI workflow, remove the codeguru action script from your repository’s YML file. Then, choose Disassociate repository to remove the repository association. On your next job run, CodeGuru Reviewer associates the repository again unless you remove the codeguru action script from the YML file.

GitHub Actions code review examples

Run CodeGuru Reviewer Action on a GitHub hosted runner.

steps: - name: Checkout repository uses: actions/checkout@v2 with: fetch-depth: 0 # Required - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 if: ${{ always() }} # This ensures that your workflow runs successfully with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 - name: Amazon CodeGuru Reviewer Scanner uses: aws-actions/codeguru-reviewer@v1.1 if: ${{ always() }} with: build_path: target # build artifact(s) directory s3_bucket: codeguru-reviewer-my-bucket # S3 Bucket with "codeguru-reviewer-*" prefix - name: Upload review result if: ${{ github.event_name != 'push' }} uses: github/codeql-action/upload-sarif@v1 with: sarif_file: codeguru-results.sarif.json

Run a CodeGuru Reviewer Action on a self-hosted runner.

steps: - name: Checkout repository uses: actions/checkout@v2 with: fetch-depth: 0 - name: Configure AWS Credentials if: ${{ always() }} # This ensures that your workflow runs successfully uses: aws-actions/configure-aws-credentials@v1 with: aws-region: us-west-2 role-to-assume: my-github-actions-role # Refer to Step 2 for more details - name: Amazon CodeGuru Reviewer uses: aws-actions/codeguru-reviewer@v1.1 if: ${{ always() }} with: build_path: target # build artifact(s) directory s3_bucket: codeguru-reviewermy-bucket - name: Upload review result if: ${{ github.event_name != 'push' }} uses: github/codeql-action/upload-sarif@v1 with: sarif_file: codeguru-results.sarif.json