Amazon CodeGuru Security Cheat Sheet

Amazon CodeGuru Security is a static application tool that leverages machine learning to identify security vulnerabilities and policy violations. It offers actionable recommendations to mitigate security risks and generates metrics to help track the security posture of your applications. Informed by years of Amazon.com and AWS security best practices, CodeGuru Security’s policies assist in building and deploying secure, high-quality applications.

Features

• Static Code Analysis: Uses ML and automated reasoning to detect security issues in source code (e.g., injection flaws, hardcoded credentials, etc.)

• Repository Scanning: Scans entire repositories or specific pull requests.

• ML-Based Detectors: Includes OWASP Top 10 vulnerability detection.

• CI/CD Integration: Integrates with GitHub, Bitbucket, and AWS CodeCommit.

• Secrets Detector: Detects hardcoded secrets such as API keys, tokens, and passwords.

• Remediation Guidance: Provides actionable recommendations with code examples and documentation links.

Use Cases

• Preventing security flaws before deployment

• Improving developer security awareness via inline suggestions

• Scanning legacy codebases for hidden vulnerabilities

• Meeting secure coding best practices in CI/CD pipelines

Security

• IAM Controls: Follows least privilege with IAM roles and permissions.

• Data Privacy: Code is encrypted at rest and in transit.

• Audit Logging: Integration with AWS CloudTrail for auditing.

• No external sharing: Code is not sent outside AWS; analysis is performed within AWS infrastructure.

Pricing

• Repository Analysis:

  • $0.75 per 100 lines of code analyzed

  • The first 100,000 lines of code per month are free (per AWS account)

• Pull Request Analysis:

  • $0.75 per 100 lines of code

  • Pricing applies per code review request or scan

References:

What is Amazon CodeGuru Security? – Amazon CodeGuru Security

https://aws.amazon.com/codeguru/

https://aws.amazon.com/codeguru/pricing/