Getting started with AWS CodeGuru


AWS CodeGuru is a set of developer tools provided by Amazon Web Services (AWS) that leverages machine learning (ML) to improve code quality and application performance. It aims to help developers write better code by providing automated code reviews, identifying potential issues, and offering recommendations for improvement.

There are two main components of AWS CodeGuru:

  1. CodeGuru Reviewer: CodeGuru Reviewer uses ML algorithms to analyze your code and provide intelligent recommendations for improving code quality. It performs static code analysis to identify issues such as resource leaks, concurrency bugs, and security vulnerabilities. CodeGuru Reviewer integrates with popular code repositories like GitHub and AWS CodeCommit, allowing it to provide continuous feedback on pull requests and commit history. By following its recommendations, developers can enhance the performance, reliability, and security of their applications.

  2. CodeGuru Profiler: CodeGuru Profiler helps optimize application performance and identify bottlenecks. It collects runtime data and uses ML algorithms to analyze it, highlighting areas where optimizations can be made. CodeGuru Profiler can identify performance issues like CPU utilization, memory leaks, and excessive I/O operations. It provides visualizations and actionable recommendations to optimize code and improve overall application performance.

Both CodeGuru Reviewer and CodeGuru Profiler are designed to be integrated into the development workflow, providing real-time feedback and actionable insights to developers. They aim to reduce the time and effort required to identify and address common code quality and performance issues, ultimately helping developers deliver higher-quality and more performant applications.

Example of vulnerable code

Here's an example of Python code that contains a security vulnerability and can be detected by AWS CodeGuru's static code analysis:

import subprocess

def execute_command(user_input):
    # Vulnerable on purpose: the raw string is handed to a shell,
    # so any shell metacharacters in it are interpreted as syntax.
    subprocess.call(user_input, shell=True)

if __name__ == "__main__":
    user_input = input("Enter a command to execute: ")
    execute_command(user_input)

In this example, the code takes user input and passes it directly to the subprocess.call() function without any input validation or sanitization. This creates a security vulnerability known as command injection.

An attacker can exploit this vulnerability by providing malicious input that includes additional commands or shell metacharacters. For instance, if the user enters ; rm -rf /, the shell started by subprocess.call() will execute both the intended command and the attacker's injected command, resulting in the deletion of files on the system.

AWS CodeGuru's static code analysis can detect this vulnerability by analyzing the code and identifying the insecure usage of user input in the subprocess.call() function. It can provide recommendations to sanitize or validate the user input before using it in a command execution context.
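To make the recommendation concrete, here is one hardened counterpart to the vulnerable function above. This is an added example written for this post, not code produced by CodeGuru or taken from AWS documentation; the allowlist of permitted commands is a constructed assumption and would be tailored to the real application. The fix has two parts: the input is tokenised with shlex and checked against an allowlist, and the result is run with shell=False so that characters such as ; or | are passed to the program as plain argument text rather than interpreted by a shell.

```python
import shlex
import subprocess

# Constructed allowlist of programs the application is willing to run.
# A real service keeps this as small as possible (assumption for this example).
ALLOWED_COMMANDS = {"ls", "date", "whoami", "echo"}


def validate_command(user_input):
    """Split user_input into an argv list and check it against the allowlist.

    Raises ValueError when the input is empty, cannot be parsed, or names a
    program that is not allowed. Note that shlex.split() does not treat ';'
    as a separator, so "ls; rm -rf /" becomes ["ls;", "rm", "-rf", "/"] and
    is rejected because "ls;" is not an allowed program.
    """
    try:
        argv = shlex.split(user_input)
    except ValueError as exc:
        raise ValueError(f"unparseable input: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {argv[0]}")
    return argv


def is_rejected(user_input):
    """True when validate_command() refuses the input (helper for checks)."""
    try:
        validate_command(user_input)
    except ValueError:
        return True
    return False


def execute_command_safely(user_input):
    """Validate, then run the argv list without a shell."""
    argv = validate_command(user_input)
    # shell=False: argv goes straight to the program, so metacharacters in
    # an argument are ordinary characters, never shell syntax.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for sample in ["ls -l", "ls; rm -rf /", "echo 'a; whoami'"]:
        if is_rejected(sample):
            print(f"rejected: {sample!r}")
        else:
            result = execute_command_safely(sample)
            print(f"ran {sample!r}, exit status {result.returncode}")
```

Passing a list with shell=False is the important half of the change: even if the allowlist is later loosened, an injected ; rm -rf / can only ever arrive as literal argument text, which is exactly the property a reviewer tool like CodeGuru is looking for when it flags shell=True on untrusted input.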

Scan code via AWS Console

Before uploading the code for a scan, you first need to bundle it into a zip archive:

  1. In the AWS Console, select the AWS CodeGuru service and press the Create Scan button:

  2. Upload the zip archive and press the Create Scan button:
