Security scans

You can use CodeWhisperer to detect security policy violations and vulnerabilities in your code with static application security testing (SAST), secrets detection, and infrastructure as code (IaC) scanning. Security scans in CodeWhisperer identify security vulnerabilities and suggest how to improve your code. In some cases, CodeWhisperer provides code you can use to address those vulnerabilities.

Run Security Scan performs a security scan on the currently active file in the IDE editor, and its dependent files from the project. After the scan is finished, security issues in the scanned files are highlighted in the Problems panel in VSC. Note that for JetBrains, security issues are highlighted in a separate CodeWhisperer Security Issues tab in the Problems panel.

Security scans operate at the project level, analyzing files within a user's local project or workspace and then truncating them to create a payload for transmission to the server side. This payload has a size limit that differs per programming language.

CodeWhisperer's security scan is powered by detectors from the Amazon CodeGuru Detector Library. CodeGuru Security does multiple layers of filtering before scanning code to ensure that you can focus on the most critical issues. As part of that, CodeGuru Security filters unsupported languages, test code, and open source code, before scanning for security issues.

Languages that security scans work with

The CodeWhisperer security scan feature supports the following language versions:

• Java ‐ Java 17 and earlier

• JavaScript ‐ ECMAScript 2021 and earlier

• Python ‐ Python 3.11 and earlier, within the Python 3 series

• C# ‐ All versions (.Net 6.0 and later recommended)

• TypeScript ‐ All versions

• Ruby ‐ Ruby 2.7 and 3.2

• Go ‐ Go 1.18

• Infrastructure as Code (IaC) languages

  • AWS CloudFormation

  • Terraform ‐ 1.6.2 and earlier

  • AWS CDK - TypeScript and Python

CodeWhisperer will only provide code remediation suggestions for code written in Java, Python, or JavaScript,

Running security scans

AWS Toolkit for Visual Studio Code

To begin a security scan in VS Code, use the following procedure.

1. In VS Code, choose the AWS logo on the left side of the window. The AWS Toolkit panel will open.

2. In the AWS Toolkit panel, under Developer Tools, under CodeWhisperer, choose Run Security Scan.

3. After creating a scan, you can view findings in the Problems tab.

   To view information about the finding and suggested fix, hold your cursor over the underlined code.

4. If your code is written in Java, Python, or JavaScript, CodeWhisperer might provide a suggested code fix.

   • If it does provide a fix, and you want to implement that fix, choose Apply fix. The information about the finding will disappear.

   • If it does not provide a fix, update your code according to the information provided.

     Run another security scan to verify that the vulnerability was remediated.

A scan can take up to 60 seconds. You may choose to stop an ongoing security scan by selecting Stop Security Scan. Note that, once started, a scan is counted towards your monthly (per user) security scans usage limits. For more information, see Security scan data limits.

Note

If you are running a security scan on a Java file or project, the build artifacts (.class files) are required. If you are running into issues with scanning your Java file or project, check the following:

1. Make sure your project structure is valid for the build system that you are using.

2. Build your project in VS Code before a running security scan, to ensure that CodeWhisperer has access to your build artifacts.

Note

If your project has built successfully in VS Code, but the Security Scan fails with an error message: Cannot find build artifacts for the project, troubleshoot the error by specifying the location of your build artifacts in the compiler output path.

AWS Toolkit for JetBrains

To begin a security scan in JetBrains, use the following procedure.

1. In JetBrains, choose the AWS logo on the left side of the window. The AWS Toolkit panel will open.

2. In the AWS Toolkit panel, under Developer Tools, under CodeWhisperer, choose Start Security Scan.

3. After creating a scan, you can view findings in the CodeWhisperer Security Issues tab of the Problems panel.

   To view information about the finding and suggested fix, hold your cursor over the underlined code.

4. CodeWhisperer may or may not provide a suggested code fix.

   • If it does provide a fix, and you want to implement that fix, choose Apply fix. The information about the finding will disappear.

   • If it does not provide a fix, update your code according to the information provided.

     Run another security scan to verify that the vulnerability was remediated.

A scan can take up to 60 seconds. You may choose to stop an ongoing security scan by selecting Stop Security Scan. Note that, once started, a scan is counted towards your monthly (per user) security scans usage limits. For more information, see Security scan data limits.

Note

To run a security scan on a Java file or project, the build artifacts (.class files) are required.

1. Make sure your project structure is valid for the build system that you are using.

2. Build your project in IntelliJ before running a security scan, to ensure that CodeWhisperer has access to your build artifacts.

If your project has built successfully in IntelliJ, but the Security Scan fails with an error message: Can not find build artifacts for the project, troubleshoot the error by specifying the location of your build artifacts in the compiler output path, as described below:

1. From the IntelliJ main menu, expand File (Windows) or open Preferences (Mac).

2. Choose Project Structure to open the Project Structure navigation pane.

3. Choose Project to open the Project pane.

4. Enter or select the location of your project's artifact files from the Compiler output field.

Security scan data limits

Each security scan may include more than one file. However, the amount of data that can be scanned, per scan, is limited. The limits are subject to regular change by AWS, and they also vary by programming language. If your project exceeds this data limit, then not all of your files will be scanned. After a scan, you can check the log to see the files that were scanned by selecting Show Scanned Files. If the file you are interested in is not scanned because of the data limits, open the file in IDE and start another scan to ensure that this file in included in the scan.

AWS Toolkit for Visual Studio Code

This screenshot shows what the list of scanned files looks like in VS Code.

AWS Toolkit for JetBrains

This screenshot shows what the list of scanned files looks like in JetBrains.