

# Reviewing code with Amazon Q Developer
<a name="code-reviews"></a>

Amazon Q Developer can review your codebase for security vulnerabilities and code quality issues to improve the posture of your applications throughout the development cycle. You can review an entire codebase, analyzing all files in your local project or workspace, or review a single file. You can also enable auto reviews that assess your code as you write it.

Reviews are powered by both generative AI and rule-based automatic reasoning. [Amazon Q detectors](https://docs.aws.amazon.com/codeguru/detector-library), informed by years of AWS and Amazon.com security best practices, power the rule-based security and quality reviews. As security policies are updated and detectors are added, reviews automatically incorporate new detectors to ensure your code is compliant with the most up-to-date policies.

For information on supported IDEs for this feature, see [Supported IDEs](q-in-IDE.md#supported-ides-features). For information on supported languages, see [Language support for code reviews](q-language-ide-support.md#code-reviews-language-support).

**Topics**
+ [How it works](#how-code-reviews-work)
+ [Types of code issues](#issue-types)
+ [Quotas](#quotas)
+ [Starting a code review with Amazon Q Developer](start-review.md)
+ [Addressing code issues with Amazon Q Developer](address-code-issues.md)
+ [Filtering code issues](filter-code-issues.md)
+ [Code issue severity in Amazon Q Developer code reviews](code-issue-severity.md)

## How it works
<a name="how-code-reviews-work"></a>

During a code review, Amazon Q assesses both your custom code and third-party libraries in your code. Before starting a code review, Amazon Q applies filtering to ensure that only relevant code is reviewed. As part of the filtering process, Amazon Q excludes unsupported languages, test code, and open source code.

Amazon Q can either review your recent code changes, or an entire file or project. To initiate a review, you open your code folder in your IDE, and then ask Amazon Q to review your code from the chat panel. 

By default, if you simply ask Amazon Q to review your code, it will review only the code changes in the active file in your IDE. Code changes are determined by the output of the `git diff` command on your file. If no diff is present, Amazon Q will review the entire code file. If no file is open, it will search for any code changes in the project to review. 

Similarly, if you ask Amazon Q to review your entire project or workspace, it will first attempt to review your code changes. If there is no diff file present, it will review your entire codebase. 

## Types of code issues
<a name="issue-types"></a>

Amazon Q reviews your code for the following types of code issues:
+ **SAST scanning — Detect security vulnerabilities in your source code.** Amazon Q identifies various security issues, such as resource leaks, SQL injection, and cross-site scripting. 
+ **Secrets detection — Prevent the exposure of sensitive or confidential information in your code.** Amazon Q reviews your code and text files for secrets such as hardcoded passwords, database connection strings, and usernames. Secrets findings include information about the unprotected secret and how to protect it. 
+ **IaC issues — Evaluate the security posture of your infrastructure files.** Amazon Q can review your infrastructure as code (IaC) files to detect misconfiguration, compliance, and security issues. 
+ **Code quality issues — Ensure your code is meeting quality, maintainability, and efficiency standards.** Amazon Q reports code issues related to various quality concerns, including but not limited to performance, machine learning rules, and AWS best practices.
+ **Code deployment risks — Assess risks related to deploying code.** Amazon Q determines if there are any risks to deploying or releasing your code, including application performance and disruption to operations. 
+ **Software composition analysis (SCA) — Evaluate third-party code.** Amazon Q examines third-party components, libraries, frameworks, and dependencies integrated into your code, ensuring third-party code is secure and up to date. 

For a complete list of the detectors Amazon Q uses to review your code, see the [Amazon Q Detector Library](https://docs.aws.amazon.com/codeguru/detector-library/).
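To make the first two categories concrete, the following Python snippet is an added example (not code, findings, or fixes from Amazon Q or the AWS documentation) showing a function with the kind of defects a SAST and secrets review flags, and a hardened form beside it. The `users` table, the sample rows, and the `APP_DB_PASSWORD` environment variable name are constructed for this example.

```python
"""Illustrative 'before' and 'after' for three issue kinds named above:
SQL injection (SAST), a leaked cursor (resource leak, SAST) and a hardcoded
credential (secrets detection). Added example; it is not Amazon Q output."""
import os
import sqlite3
from contextlib import closing


def build_sample_db() -> sqlite3.Connection:
    # Constructed sample data so the example runs offline against SQLite.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


# --- Before: the kind of code a review reports ------------------------------
DB_PASSWORD = "hunter2"  # secrets detection: credential committed to source


def find_user_unsafe(conn: sqlite3.Connection, name: str):
    # SQL injection: the caller-supplied string becomes part of the SQL text.
    cur = conn.cursor()
    cur.execute("SELECT email FROM users WHERE name = '" + name + "'")
    return cur.fetchall()
    # resource leak: the cursor is never closed


# --- After: hardened form ----------------------------------------------------
def db_password(env=None) -> str:
    # Read the credential at runtime from the environment (or a secrets
    # manager) instead of the source tree. APP_DB_PASSWORD is an assumed name.
    env = os.environ if env is None else env
    value = env.get("APP_DB_PASSWORD")
    if value is None:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return value


def find_user(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds `name` as data, never as SQL,
    # and `closing` guarantees the cursor is released on every path.
    with closing(conn.cursor()) as cur:
        cur.execute("SELECT email FROM users WHERE name = ?", (name,))
        return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_sample_db()
    print(find_user(db, "alice"))      # ['alice@example.com']
    print(find_user(db, "x' OR 'a'='a"))  # [] : quotes are matched literally
```

In the hardened version a name containing quote characters is compared as a literal and simply matches no rows, the cursor is closed through `contextlib.closing`, and the credential is read when the program starts rather than stored in the repository, which is the remediation a secrets finding describes.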

## Quotas
<a name="quotas"></a>

Amazon Q security scans maintain the following quotas:
+ **Input artifact size** – The maximum size of all the files within an IDE project workspace, including third-party libraries, build JAR files, and temporary files.
+ **Source code size** – The maximum size of the source code that Amazon Q scans after filtering all third-party libraries and unsupported files.

The following table describes the quotas maintained for auto reviews and for file or project reviews.

| Resource | Auto reviews | File or project reviews | 
| --- | --- | --- | 
| Input artifact size | 200 KB | 500 MB | 
| Source code size | 200 KB | 50 MB | 

# Starting a code review with Amazon Q Developer
<a name="start-review"></a>

Amazon Q can review your entire file or codebase, or auto-review your code as you write it. 

Before you get started, make sure you've installed Amazon Q in an IDE that supports code reviews. For more information, see [Installing the Amazon Q Developer extension or plugin in your IDE](q-in-IDE-setup.md).

**Topics**
+ [Review a file, project, or workspace](#project-review)
+ [Example tasks and prompts](#code-review-prompts)
+ [Review as you code](#auto-scan)

## Review a file, project, or workspace
<a name="project-review"></a>

You can initiate a review from the chat panel to have Amazon Q review a particular file or project. File and project reviews include both rule-based and generative AI-powered reviews. 

After Amazon Q completes a review, you can investigate the issue and get a code fix to remediate the issue. For more information, see [Addressing code issues](address-code-issues.md).

To start a file or project review, complete the following steps for your IDE:

------
#### [ JetBrains ]

1. Open a file or project you want to review in your IDE.

1. Choose the Amazon Q icon to open the chat panel. 

1. Using natural language, describe the type of code review you want to run. You can review only your recent code changes, or an entire file. Code changes are determined based on the output of the `git diff` command on your file. If applicable, Amazon Q will only review your code changes by default unless otherwise specified.

1. With your code project or file open in the IDE, you can enter things like:

   1. **Review my code changes** – Amazon Q will review any code changes in your codebase

   1. **Run a code review on this entire file** – Amazon Q will review all code in your file, not only changes

   1. **Review this repository** – Amazon Q will review your entire codebase, not only changes

   For more detailed code review scenarios and associated prompts, see [Example prompts](#code-review-prompts). 

1. Amazon Q will begin reviewing your file or project. Once complete, it will summarize the highest priority issues and observations.

1. If any issues were detected, the **Code Issues** tab opens with a list of the issues Amazon Q found. 

1. To learn more about a code issue, navigate to the **Code Issues** panel. From there, you can do the following:

   1. Select an issue to be redirected to the specific area of the file where the vulnerable or low-quality code was detected.

   1. To get an explanation of the code issue, choose the magnifying glass icon next to the name of the code issue. Amazon Q will provide details about the issue and suggest a remediation that you can insert into your code. 

   1. To fix the code issue, choose the wrench icon next to the name of the code issue. Amazon Q will provide a brief explanation of the fix and then make an in-place fix in your code file. You will see the code change in your file, and have the option to undo the change from the chat panel. 

   1. You can also use natural language to ask more about an issue, get an explanation of proposed fixes, or ask for alternative solutions. 

1. For more information about addressing code issues, see [Addressing code issues with Amazon Q Developer](address-code-issues.md). 

------
#### [ Visual Studio Code ]

1. Open a file or project you want to review in your IDE.

1. Choose the Amazon Q icon to open the chat panel. 

1. Using natural language, describe the type of code review you want to run. You can review only your recent code changes, or an entire file. Code changes are determined based on the output of the `git diff` command on your file. If applicable, Amazon Q will only review your code changes by default unless otherwise specified.

1. With your code project or file open in the IDE, you can enter things like:

   1. **Review my code changes** – Amazon Q will review any code changes in your codebase

   1. **Run a code review on this entire file** – Amazon Q will review all code in your file, not only changes

   1. **Review this repository** – Amazon Q will review your entire codebase, not only changes

   For more detailed code review scenarios and associated prompts, see [Example prompts](#code-review-prompts). 

1. Amazon Q will begin reviewing your file or project. Once complete, it will summarize the highest priority issues and observations.

1. If any issues were detected, the **Code Issues** tab opens with a list of the issues Amazon Q found. 

1. To learn more about a code issue, navigate to the **Code Issues** panel. From there, you can do the following:

   1. Select an issue to be redirected to the specific area of the file where the vulnerable or low-quality code was detected.

   1. To get an explanation of the code issue, choose the magnifying glass icon next to the name of the code issue. Amazon Q will provide details about the issue and suggest a remediation that you can insert into your code. 

   1. To fix the code issue, choose the wrench icon next to the name of the code issue. Amazon Q will provide a brief explanation of the fix and then make an in-place fix in your code file. You will see the code change in your file, and have the option to undo the change from the chat panel. 

   1. You can also use natural language to ask more about an issue, get an explanation of proposed fixes, or ask for alternative solutions. 

1. For more information about addressing code issues, see [Addressing code issues with Amazon Q Developer](address-code-issues.md). 

------
#### [ Visual Studio ]

1. Open up a file from the project you want to scan in Visual Studio.

1. Choose the Amazon Q icon at the bottom of your file to open the Amazon Q task bar.

1. From the task bar, choose **Run Security Scan**. Amazon Q begins scanning your project. 

   In the following image, in Visual Studio, the user chooses the **Amazon Q** icon, prompting a task bar from which the user may choose **Run Security Scan**.  
![\[Visual Studio with the Amazon Q task bar showing "Run Security Scan" as a choice\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/VS-scans.png)

1. The status of your scan is updated in the Visual Studio output pane. You're notified when the scan is complete.

   For information about viewing and addressing findings, see [Addressing code issues with Amazon Q Developer](address-code-issues.md).

------

## Example tasks and prompts
<a name="code-review-prompts"></a>

There are several scenarios that you might be in when initiating a code review. Following is an overview of some of the ways to initiate a code review and how to prompt Amazon Q to run the review you want. 
+ To review just the code changes for a single file: 
  + Open the file in your IDE and enter **Review my code**
  + Enter **Review the code in <filename>**
+ To review an entire code file:
  + Open a file without changes and enter **Review my code**
  + Open a file with changes and enter **Review my entire code file**
  + Enter **Review all the code in <filename>**
+ To review all code changes in your repository:
  + Open the repository in your IDE and enter **Review my code**
+ To review your entire repository, not just the changes:
  + Open the repository in your IDE and enter **Review my repository**

## Review as you code
<a name="auto-scan"></a>

**Note**  
Amazon Q auto-reviews are only available with an [Amazon Q Developer Pro subscription](getting-started-q-dev.md).

Auto-reviews are rule-based reviews powered by [Amazon Q detectors](https://docs.aws.amazon.com/codeguru/detector-library/). Amazon Q automatically reviews the file you are actively coding in, generating code issues as soon as they are detected in your code. When Amazon Q performs auto-reviews, it doesn’t generate in-place code fixes.

Auto-reviews are enabled by default when you use Amazon Q. Use the following procedure to pause or resume auto-reviews.

**Pause and resume auto-reviews**

To pause auto-reviews, complete the following steps.

1. Choose **Amazon Q** from the bottom of the IDE window.

   The Amazon Q task bar opens.

1. Choose **Pause Auto-Reviews**. To resume auto-reviews, choose **Resume Auto-Reviews**.

# Addressing code issues with Amazon Q Developer
<a name="address-code-issues"></a>

The topics in this section explain how to address and resolve code issues, and, where applicable, how to ignore issues.

**Topics**
+ [Address code issues in JetBrains and Visual Studio Code](address-issues-jetbrains-visualstudiocode.md)
+ [Address code issues in Visual Studio](address-issues-visualstudio.md)

# Address code issues in JetBrains and Visual Studio Code
<a name="address-issues-jetbrains-visualstudiocode"></a>

To address a code issue in JetBrains and Visual Studio Code, you will either have the option to generate an in-place fix or generate an explanation that you can use to manually update your code. 

You can take the following actions: 
+ Generate an in-place code fix 
+ Explain the issue and get new code
+ Ignore the issue, or ignore all similar issues

## Generate in-place fixes for your file
<a name="generate-fixes"></a>

Amazon Q can update your files in-place to automatically remediate a code issue it detected.

To automatically fix a code issue in your file:

------
#### [ JetBrains ]

1. In the **Problems** tool window, in the **Amazon Q Code Issues** tab, choose the code issue you want to address.

1. A panel opens with more information about the code issue. If applicable, you'll see details about the Amazon Q detector that was used to identify the code issue.

1. Along the bottom of the panel, choose **Fix**. 

1. In the chat panel, Amazon Q provides a brief explanation of the fix and then applies an in-place fix in your code file.

1. You will see the code change in your file, and have the option to undo the change from the chat panel.

------
#### [ Visual Studio Code ]

1. In the **Code Issues** tab, choose the code issue you want to address.

1. Choose the wrench icon.

   The following image shows the wrench icon for a code issue in Visual Studio Code.  
![\[The wrench icon for a code issue in Visual Studio Code, used to generate a code fix.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/code-review-fix-vsc.png)

1. In the chat panel, Amazon Q provides a brief explanation of the fix and then applies an in-place fix in your code file.

1. You will see the code change in your file, and have the option to undo the change from the chat panel.

------

## Explain the code issue and get new code
<a name="explain-issue"></a>

Amazon Q can provide an in-depth explanation of a code issue and provide remediation options with accompanying code for you to add to your files.

To get an explanation of a code issue:

------
#### [ JetBrains IDEs ]

1. In the **Problems** tool window, in the **Amazon Q Code Issues** tab, choose the code issue you want to address.

1. A panel opens with more information about the code issue. If applicable, you'll see details about the Amazon Q detector that was used to identify the code issue.

1. Along the bottom of the panel, choose **Explain**. 

1. In the chat panel, Amazon Q provides details about the issue and suggests how to fix it, with code that you can insert into your file.

1. To update your file, follow Amazon Q’s instructions for where to add or replace code, and copy the provided code in the correct location in your file. Make sure to remove the vulnerable code when adding the updated code.

------
#### [ Visual Studio Code ]

1. In the **Code Issues** tab, choose the code issue you want to address.

1. Choose the magnifying glass icon.

   The following image shows the magnifying glass icon for a code issue in Visual Studio Code.  
![\[The magnifying glass icon for a code issue in Visual Studio Code, used to explain a code issue.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/code-review-view-details-vsc.png)

1. In the chat panel, Amazon Q provides details about the issue and suggests how to fix it, with code that you can insert into your file.

1. To update your file, follow Amazon Q’s instructions for where to add or replace code, and copy the provided code in the correct location in your file. Make sure to remove the vulnerable code when adding the updated code.

------

## Ignore a code issue
<a name="ignore-issues"></a>

If a detected code issue isn’t applicable, you can choose to ignore it, or ignore it and all similar issues (issues with the same CWE). The issues will be removed from the Code Issues tab. 

To ignore a code issue:

------
#### [ JetBrains ]

1. In the **Problems** tool window, in the **Amazon Q Code Issues** tab, choose the code issue you want to ignore.

1. A panel opens with more information about the code issue. Along the bottom of the panel, choose **Ignore**. The code issue is removed from the **Amazon Q Code Issues** panel.

1. You can also choose **Ignore All** to ignore this and other code issues with the same CWE.

------
#### [ Visual Studio Code ]

1. In the **Code Issues** tab, choose the code issue you want to ignore.

1. Choose the ignore icon.

   The following image shows the ignore icon for a code issue in Visual Studio Code.  
![\[The ignore icon for a code issue in Visual Studio Code, used to ignore and close a code issue.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/code-review-ignore-issue-vsc.png)

1. The code issue is removed from the **Code Issues** panel.

1. To ignore similar issues, choose the ellipsis icon, and then choose the **Ignore Similar Issues** button that appears.

------

# Address code issues in Visual Studio
<a name="address-issues-visualstudio"></a>

To view code issues detected by Amazon Q in Visual Studio, open the Visual Studio **Error List** by expanding the **View** heading in the Visual Studio main menu and choosing **Error List**.

You can use the information in the code issue to update your code. After updating your code, review your code again to see if the issues were addressed.

By default, the Visual Studio **Error List** displays all of the warnings and errors for your code base. To filter your Amazon Q code issues from the Visual Studio **Error List**, create a filter by completing the following procedure.

**Note**  
Code issues are only visible after you've run a code review in which Amazon Q detected issues.  
Code issues appear as warnings in Visual Studio. In order to view issues detected by Amazon Q in the **Error List**, the **Warnings** option in the **Error List** heading must be selected.

**Filter code issues in the Error List**

1. From the Visual Studio main menu, choose **View** and then **Error List** to open the **Error List** pane.

1. From the **Error List** pane, right-click the header row to open the context menu.

1. From the context menu, expand **Show Columns**, and then select **Tool** in the expanded menu.

1. The **Tool** column is added to your **Error List**.

1. From the **Tool** column header, select the **Filter** icon and choose **Amazon Q** to filter for Amazon Q code issues.

# Filtering code issues
<a name="filter-code-issues"></a>

**Note**  
You can only filter code issues in JetBrains IDEs and Visual Studio Code.

When you filter code issues, only issues that meet the selected criteria are shown in the Code Issues panel. You can filter the issues based on their severity so you only see issues with the selected severity in the panel.

You can also control how code issues are organized in the Code Issues panel. You can group issues based on severity or based on their file location. 

To filter code issues:

------
#### [ JetBrains IDEs ]

1. From the **Amazon Q Code Issues** tab, choose the filter icon. 

1. A pop-up menu with Severity levels opens.

   The following image shows the Severity menu in the Code Issues tab in IntelliJ IDEA.  
![\[The severity filter menu in IntelliJ IDEA.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/jb-filter-issues.png)

1. Select or deselect the severity levels you want to filter for, and then choose **OK**. Only the issues with the severity you selected will appear in the **Amazon Q Code Issues** panel. 

------
#### [ Visual Studio Code ]

1. From the **Code Issues** panel, choose the filter icon. 

   The following image shows the filter icon in the Code Issues tab in Visual Studio Code.  
![\[The filter icon in the Code Issues tab in Visual Studio Code.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/filter-issues-vsc.png)

1. The **Filter Issues** menu opens. 

   Select or deselect the boxes next to the severity levels you want to filter for, and then choose **OK**. Only the issues with the severity you selected will appear in the **Code Issues** panel. 

------

To group code issues:

------
#### [ JetBrains IDEs ]

1. From the **Amazon Q Code Issues** panel, choose the grouping icon. 

1. A **Group By** pop-up menu opens.

1. Select **Severity** to group issues in the Code Issues panel based on their severity. Select **Location** to group issues based on which code file they are located in.

------
#### [ Visual Studio Code ]

1. From the **Code Issues** panel, choose the grouping icon. 

   The following image shows the grouping icon in the Code Issues tab in Visual Studio Code.  
![\[The grouping icon in the Code Issues tab in Visual Studio Code.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/group-issues-vsc.png)

1. The **Group Issues** menu opens. 

1. Select **Severity** to group issues in the Code Issues panel based on their severity. Select **Location** to group issues based on which code file they are located in.

------

# Code issue severity in Amazon Q Developer code reviews
<a name="code-issue-severity"></a>

Amazon Q defines the severity of the code issues detected in your code so you can prioritize what issues to address and track the security posture of your application. The following sections explain what methods are used to determine the severity of code issues and what each level of severity means. 

## How severity is calculated
<a name="severity-calculation"></a>

The severity of a code issue is determined by the detector that generated the issue. Detectors in the [Amazon Q Detector Library](https://docs.aws.amazon.com/codeguru/detector-library) are each assigned a severity using the Common Vulnerability Scoring System ([CVSS](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)). The CVSS considers how the finding can be exploited in its context (for example, whether it can be done over the internet or requires physical access) and what level of access can be obtained.

The following table outlines how severity is determined based on the level of access and level of effort required for a bad actor to successfully attack a system.


**Severity determination matrix**  

| Level of access | Level of effort | Severity | 
| --- | --- | --- | 
| Full control of system or its output | Requires access to system | High | 
| Full control of system or its output | Internet with high level of effort | Critical | 
| Full control of system or its output | Over internet | Critical | 
| Access to sensitive information | Requires access to system | Medium | 
| Access to sensitive information | Internet with high level of effort | High | 
| Access to sensitive information | Over internet | High | 
| Can crash or slow down the system | Requires access to system | Low | 
| Can crash or slow down the system | Internet with high level of effort | Medium | 
| Can crash or slow down the system | Over internet | Medium | 
| Provides additional security | Not exploitable | Info | 
| Provides additional security | Requires access to system | Info | 
| Provides additional security | Internet with high level of effort | Low | 
| Provides additional security | Over internet | Low | 
| Best practice | Not exploitable | Info | 

## Severity definitions
<a name="severity-definitions"></a>

The severity levels are defined as follows.

**Critical – The code issue should be addressed immediately to avoid it escalating.**

Critical code issues suggest that an attacker can gain control of the system or modify its behavior with moderate effort. It is recommended that you treat critical findings with the utmost urgency. You also should consider the criticality of the resource.

**High – The code issue must be addressed as a near-term priority.**

High severity code issues suggest that an attacker can gain control of the system or modify its behavior with high effort. It is recommended that you treat a high severity finding as a near-term priority and that you take immediate remediation steps. You also should consider the criticality of the resource.

**Medium – The code issue should be addressed as a midterm priority.**

Medium severity findings can lead to crash, unresponsiveness, or unavailability of the system. It is recommended that you investigate the implicated code at your earliest convenience. You also should consider the criticality of the resource.

**Low – The code issue does not require action on its own.**

Low severity findings suggest programming errors or anti-patterns. You do not need to take immediate action on low severity findings, but they can provide context when you correlate them with other issues.

**Informational – No recommended action.**

Informational findings include suggestions for quality or readability improvements, or alternative API operations. No immediate action is necessary.