Amazon CodeGuru lets you automate code reviews and improve code quality, and thanks to the new pricing model announced in April you can get started with a lower, fixed monthly rate based on the size of your repository (up to 90% less expensive). CodeGuru Reviewer helps you detect potential defects and bugs that are hard to find in your Java and Python applications, using the AWS Management Console, AWS SDKs, and AWS CLI.
Today, I'm happy to announce that CodeGuru Reviewer natively integrates with the tools that you use every day to package and deploy your code. This new CI/CD experience lets you trigger code quality and security analysis as a step in your build process using GitHub Actions.
Although the CodeGuru Reviewer console still serves as an analysis hub for all your onboarded repositories, the new CI/CD experience lets you integrate CodeGuru Reviewer more deeply with your favorite source code management and CI/CD tools.
And that's not all! Today we're also releasing 20 new security detectors for Java to help you identify even more issues related to security and AWS best practices.
A New CI/CD Experience for CodeGuru Reviewer
As a developer or development team, you push new code every day and want to identify security vulnerabilities early in the development cycle, ideally at every push. During a pull-request (PR) review, all the CodeGuru recommendations will appear as a comment, as if you had another pair of eyes on the PR. These comments include useful links to help you resolve the issue.
When you push new code or schedule a code review, recommendations will appear in the Security > Code scanning alerts tab on GitHub.
Let's see how to integrate CodeGuru Reviewer with GitHub Actions.
First of all, create a .yml file in your repository under .github/workflows/ (or update an existing action). This file will contain all of your action's steps. Let's go through the individual steps.
The first step is configuring your AWS credentials. You want to do this securely, without storing any credentials in your repository's code, using the Configure AWS Credentials action. This action lets you configure an IAM role that GitHub will use to interact with AWS services. This role will require a few permissions related to CodeGuru Reviewer and Amazon S3. You can attach the AmazonCodeGuruReviewerFullAccess managed policy to the action role, in addition to
This first step will look as follows:
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: eu-west-1
This access key and secret key correspond to your IAM role and will be used to interact with CodeGuru Reviewer and Amazon S3. Store them as GitHub encrypted secrets (as the workflow does) rather than committing them to the repository.
Next, you add the CodeGuru Reviewer action and a final step to upload the results:
- name: Amazon CodeGuru Reviewer Scanner
  uses: aws-actions/codeguru-reviewer
  if: ${{ always() }}
  with:
    build_path: target # build artifact(s) directory
    s3_bucket: 'codeguru-reviewer-myactions-bucket' # S3 bucket name starting with "codeguru-reviewer-*"
- name: Upload review result
  if: ${{ always() }}
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: codeguru-results.sarif.json
The CodeGuru Reviewer action requires two input parameters:
- build_path: Where your build artifacts are in the repository.
- s3_bucket: The name of an S3 bucket that you've created beforehand, used to upload the build artifacts and analysis results. It's a customer-owned bucket, so you have full control over access and permissions in case you need to share its content with other systems.
Now, let's put all the pieces together.
Your .yml file should look like this:
name: CodeGuru Reviewer GitHub Actions Integration
on: [pull_request, push, schedule]
jobs:
  CodeGuru-Reviewer-Actions:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2
      - name: Amazon CodeGuru Reviewer Scanner
        uses: aws-actions/codeguru-reviewer
        if: ${{ always() }}
        with:
          build_path: target # build artifact(s) directory
          s3_bucket: 'codeguru-reviewer-myactions-bucket' # S3 bucket name starting with "codeguru-reviewer-*"
      - name: Upload review result
        if: ${{ always() }}
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: codeguru-results.sarif.json
It's important to remember that the S3 bucket name needs to start with codeguru-reviewer- and that these actions can be configured to run with the pull_request, push, or schedule triggers (check out the GitHub Actions documentation for the full list of events that trigger workflows). Also keep in mind that there are minor differences in how you configure GitHub-hosted runners and self-hosted runners, mainly in the credentials configuration step. For example, if you run your GitHub Actions on a self-hosted runner that already has access to AWS credentials, such as an EC2 instance, then you don't need to provide any credentials to this action (check out the full documentation for self-hosted runners).
Now, when you push a change or open a PR, CodeGuru Reviewer will comment on your code changes with a few recommendations.
Or you can schedule a daily or weekly repository scan and look at the recommendations in the Security > Code scanning alerts tab.
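If you want the job to block a merge on findings rather than only surface them as code scanning alerts, one option is a small gate step run over the SARIF file the action writes before (or alongside) the upload step. The script below is an added example, not code from the AWS post or the aws-actions project; it assumes codeguru-results.sarif.json follows the standard SARIF 2.1.0 layout, and the embedded sample document is constructed for illustration rather than real CodeGuru output.

```python
# Added example, not code from the AWS post or the aws-actions project: fail
# the job when codeguru-results.sarif.json contains findings at or above a
# SARIF level. Assumes standard SARIF 2.1.0 layout; the sample is constructed.
import json
import sys

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF levels

# Constructed sample in SARIF 2.1.0 shape; rule ids and messages are made up.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeGuru Reviewer Scanner"}},
    "results": [
        {"ruleId": "example-sql-injection", "level": "error",
         "message": {"text": "Query built from untrusted input."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main/java/App.java"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "example-verbose-logging", "level": "warning",
         "message": {"text": "Exception details written to the log."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main/java/Util.java"},
             "region": {"startLine": 7}}}]},
    ]}]}

def findings(sarif, min_level="warning"):
    """List (ruleId, level, file, line, message) for results at/above min_level."""
    threshold = LEVEL_RANK[min_level]
    hits = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when omitted
            if LEVEL_RANK.get(level, 0) < threshold:
                continue
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "?")
            line = phys.get("region", {}).get("startLine", 0)
            hits.append((res.get("ruleId", "?"), level, uri, line,
                         res.get("message", {}).get("text", "")))
    return hits

def gate(sarif, min_level="error"):
    """Print each finding and return an exit code: 1 blocks the job, 0 passes."""
    hits = findings(sarif, min_level)
    for rule, level, uri, line, msg in hits:
        print(f"{level.upper()} {uri}:{line} [{rule}] {msg}")
    return 1 if hits else 0

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(gate(doc, sys.argv[2] if len(sys.argv) > 2 else "error"))
```

Run it as a workflow step with `python gate.py codeguru-results.sarif.json error`; a non-zero exit code fails the job while the SARIF upload step, guarded by `if: ${{ always() }}`, still publishes the findings.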
New Security Detectors for Java
In December last year, we launched the Java Security Detectors for CodeGuru Reviewer to help you find and remediate potential security issues in your Java applications. These detectors are built with machine learning and automated reasoning techniques, trained on over 100,000 Amazon and open-source code repositories, and based on the decades of expertise of the AWS Application Security (AppSec) team.
For example, some of these detectors look at potential leaks of sensitive information or credentials through excessively verbose logging, exception handling, and storing passwords in plaintext in memory. The security detectors also help you identify several web application vulnerabilities such as command injection, weak cryptography, weak hashing, LDAP injection, path traversal, missing secure cookie flag, SQL injection, XPath injection, and XSS (cross-site scripting).
The new security detectors for Java can identify security issues with the Java Servlet APIs and web frameworks such as Spring. Some of the new detectors will also help you with security best practices for AWS APIs when using services such as Amazon S3, IAM, and AWS Lambda, as well as libraries and utilities such as Apache ActiveMQ, LDAP servers, SAML parsers, and password encoders.
Available Today at No Additional Cost
The new CI/CD integration and security detectors for Java are available today at no additional cost, excluding the storage on S3, which can be estimated based on the size of your build artifacts and the frequency of code reviews. Check out the CodeGuru Reviewer Action in the GitHub Marketplace and the Amazon CodeGuru pricing page to find pricing examples based on the new pricing model we launched last month.
We're looking forward to hearing your feedback, launching more detectors to help you identify potential issues, and integrating with even more CI/CD tools in the future.
You can learn more about the CI/CD experience and configuration in the technical documentation.