Recommendation types in CodeGuru Reviewer

Amazon CodeGuru Reviewer recommends various kinds of fixes in your Java and Python code. These recommendations are based on common code scenarios and might not apply to all cases.

If you don't agree with a recommendation, you can provide feedback in the CodeGuru Reviewer console or by commenting on the code in the pull requests. Any positive or negative feedback can be used to help improve the performance of CodeGuru Reviewer so that recommendations get better over time.

If you want to suppress recommendations from CodeGuru Reviewer, you can create and add to the root directory of your repository an aws-codeguru-reviewer.yml file that lists files and directories to exclude from analysis. For more information, see Suppress recommendations.

The following content describes the secrets detection functionality of CodeGuru Reviewer. For information about the other recommendation types and the detectors that CodeGuru Reviewer uses, see the Amazon CodeGuru Reviewer Detector Library.

Secrets detection

CodeGuru Reviewer integrates with AWS Secrets Manager to use a secrets detector that finds unprotected secrets in your code. Secrets detection is automatic, so you don't need to turn it on.

The secrets detector searches for hardcoded passwords, database connection strings, user names, and more. When an unprotected secret is found during a code review, CodeGuru Reviewer generates a recommendation and displays it with your code reviews. The recommendation tells you about the unprotected secret. To immediately protect that secret, choose Protect your credential in the code review. This opens the Secrets Manager console to protect and manage the secret. For more information, see the AWS Secrets Manager User Guide and View recommendations and provide feedback.

Topics

Secrets detection supported file types
Types of secrets detected by CodeGuru Reviewer

Secrets detection supported file types

The secrets detector finds unprotected secrets the following file types with a maximum file size of 100kb.

Config files (*.config, *.cfg, *.conf, *.cnf, *.cf)
Environment files (*.env)
HTML files (*.html)
Initialization files (*.ini)
Java files (*.java)
JSON files (*.json)
Jupyter Notebook files (*.ipynb)
Key files (*.key)
Markdown files (*.md)
Privacy Enhanced Mail files (*.pem)
Property List files (*.plist)
Python files (*.py)
reStructuredText files (*.rst)
Text files (*.txt, *.text)
TOML files (*.toml)
XML files (*.xml)
YAML files (*.yml, *.yaml)

Types of secrets detected by CodeGuru Reviewer

Amazon CodeGuru Reviewer detects unprotected usernames, passwords, RSA keys, and the following secrets.

Secrets detected by CodeGuru Reviewer
Provider	Secrets detected
Amazon Web Services (AWS)	Amazon AWS Secret Access Key
Atlassian	Atlassian API Token Atlassian JSON Web Token Bitbucket Server Personal Access Token
Databricks	Databricks Access Token
Datadog	Datadog API Key Datadog App Key
GitHub	GitHub Personal Access Token GitHub OAuth Access Token GitHub Refresh Token GitHub App Installation Access Token GitHub SSH Private Key
Intercom	Intercom Access Token
Mailchimp	Mailchimp API Key
Mailgun	Mailgun API Key
Salesforce	Private Key
SendGrid	SendGrid API Key
Shopify	Shopify App Shared Secret Shopify Access Token Shopify Custom App Access Token Shopify Private App Password
Slack	Client ID Client Secret
Stripe	Stripe API Key Stripe Live API Secret Key Stripe Test API Secret Key Stripe Live API Restricted Key Stripe Test API Restricted Key Stripe Webhook Signing Secret
Tableau	Tableau Personal access token
Telegram	Telegram Bot Token
Twilio	Twilio Account string identifier Twilio API Key

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Product and service integrations

Security