Amazon recently announced the CI/CD integration of Amazon CodeGuru Reviewer with GitHub Actions. The cloud provider also released 20 new security detectors for Java to identify issues and follow best security practices.
Thanks to the new feature, opening a pull request or pushing a change to the master branch in GitHub triggers a scan of the changed lines of code only, while a scheduled pipeline run triggers a full scan of the entire repository. Generally available for about a year, Amazon CodeGuru Reviewer is a developer tool that leverages machine learning to detect potential defects in Java and Python code and offers suggestions for improvements.
The new detectors for CodeGuru Reviewer are designed to help identify security vulnerabilities and check for best security practices in Java code, relying on the OWASP Top Ten categories, best security practices for AWS APIs, and common crypto libraries. Security detectors are not supported for Python code.
Alex Casalboni, senior developer advocate at AWS, explains how the integration with GitHub Actions is going to help developers:
As a developer or development team, you push new code every day and want to identify security vulnerabilities early in the development cycle, ideally at every push. During a pull-request (PR) review, all the CodeGuru recommendations will appear as a comment, as if you had another pair of eyes on the PR. These comments include useful links to help you resolve the problem. When you push new code or schedule a code review, recommendations will appear in the Security > Code scanning alerts tab on GitHub.
Source: https://aws.amazon.com/blogs/aws/amazon_codeguru_reviewer_updates_new_java_detectors_and_cicd_integration_with_github_actions/
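A workflow that wires up the three triggers described above (push and pull request for a changed-lines scan, schedule for a full scan), added here as an example and not taken from the AWS post. The action names, input keys and SARIF file name follow the public aws-actions/codeguru-reviewer action as documented at the time of writing and should be checked against its README; the S3 bucket name, AWS region and secret names are placeholders.

```yaml
name: CodeGuru Reviewer security scan

on:
  push:
    branches: [ master ]        # scans only the changed lines
  pull_request:
    branches: [ master ]        # findings are posted as PR comments
  schedule:
    - cron: '0 3 * * 1'         # weekly run: full scan of the whole repository

permissions:
  contents: read
  security-events: write        # least privilege: only what Code scanning alerts needs

jobs:
  codeguru:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0        # full history so the scan can diff changed lines

      - uses: actions/setup-java@v2
        with:
          distribution: temurin
          java-version: '11'

      - name: Build artifacts for analysis
        run: mvn -B -DskipTests package

      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}        # placeholder secret names
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1                                      # placeholder region

      - name: Amazon CodeGuru Reviewer
        uses: aws-actions/codeguru-reviewer@v1.1
        with:
          build_artifacts: target
          s3_bucket: codeguru-reviewer-example-bucket   # placeholder; the action expects a codeguru-reviewer- prefix

      - name: Publish findings to Security > Code scanning alerts
        uses: github/codeql-action/upload-sarif@v1
        if: ${{ always() }}     # upload even when the scan step reports findings
        with:
          sarif_file: codeguru-results.sarif.json
```

On a pull request the same findings also arrive as review comments, so the SARIF upload is what makes them visible in the Security tab for pushes and scheduled runs.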
Corey Quinn comments on the latest feature and the integration with GitHub in his newsletter:
"You've gotta work with your sworn enemy because that's where all the code lives" is a bitter but necessary pill for AWS to swallow. Their sworn enemy is of course "other companies who make money without giving it to Amazon."
The integration with GitHub, the support for Python, and the recent announcement of AWS BugBust, a global competition for Java and Python developers to fix one million bugs, suggest a growing market for ML-powered developer tools that improve code quality. Jeremy Daly, author of the weekly serverless newsletter Off-by-none, highlights how the new approach might benefit both developers and AWS:
I think it is just a massive crowd-sourced supervised learning exercise to train CodeGuru. But either way, it seems like a fun and creative way to wipe out bugs and save money.
AWS provides a repository of sample code to demonstrate the functionality of Amazon CodeGuru Reviewer. The cloud provider has recently introduced a lower pricing model for CodeGuru that includes 100K lines of code for up to 90 days.