Address findings

Amazon CodeGuru Security is in preview release and is subject to change.

After analyzing your finding, update your code based on the suggested remediation, and then re-run the same scan on the updated code resource to make sure the vulnerability was remediated and to close the finding.

If there is a suggested code change, see the following instructions for updating your code with inline code fixes. You can retrieve the suggested code changes from the console, the AWS CLI, and AWS SDKs.

Important

Be sure to keep track of scan names, so you know which scan to re-run on your updated resource. If you scan a different resource, you will compromise metrics that help to monitor the security posture of your applications.

Add suggested code changes with the console

For some findings, CodeGuru Security highlights the vulnerable sections of your code and provides inline code fixes to remediate the vulnerability. Several code changes may be offered for you to select from depending on what solution applies to your use case.

To update your code with a suggested code change using the console, you can download a diff file with the new code or copy and paste the new code into your file.

  1. Open the Findings page in the CodeGuru Security console at https://console.aws.amazon.com/codeguru/security/findings/ and choose the finding you want to address.

  2. In the Suggested remediation panel, you can view the vulnerable lines of code to be removed, the suggested code change, and where to add it. If there are alternate code change solutions, choose the arrows above the code boxes to switch between options.

  3. Determine which code fix you want to use to update your code. Then, choose Download patch to download the diff file, which shows the vulnerable lines of code to remove and the new code to replace them with.

    Alternatively, you can manually update your resource. Be sure to remove the vulnerable lines of code and add the updated code to the correct section of your code.

    The following image is an example of a vulnerability that you can download a patch for.

    [Image: A security vulnerability in the console with a suggested code change and the Download patch button.]

  4. Once your code is updated, re-run the scan to check that the vulnerability was remediated and to close the finding. For information on how to re-run a scan, see Scan a revised file in the console.

Address findings with the AWS CLI and AWS SDKs

Use the GetFindings or BatchGetFindings operations to retrieve findings, including the suggested remediation for a given vulnerability. Then, make the change that applies to your use case and re-run your scan using the same scan name. If you need to make inline code changes, remove the vulnerable lines of code and add the new code to the correct section of your code.
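
The following is an added example, not taken from the AWS documentation: it pages through GetFindings results with `nextToken` and builds a worklist of open findings with their file location, recommendation text, and any suggested fixes. It assumes the boto3 `codeguru-security` client and the finding fields shown; the sample pages are constructed, and the scan name is your own.

```python
# Constructed pages shaped like GetFindings responses (not real scan output).
SAMPLE_PAGES = {
    None: {"nextToken": "p2", "findings": [
        {"id": "f-1", "severity": "High", "status": "Open",
         "vulnerability": {"filePath": {"path": "app/db.py", "startLine": 41, "endLine": 43}},
         "remediation": {"recommendation": {"text": "Use parameterized queries."},
                         "suggestedFixes": [{"code": "cur.execute(sql, (uid,))"}]}}]},
    "p2": {"findings": [
        {"id": "f-2", "severity": "Medium", "status": "Open",
         "vulnerability": {"filePath": {"path": "app/auth.py", "startLine": 10, "endLine": 10}},
         "remediation": {"recommendation": {"text": "Use SHA-256 or stronger."}}},
        {"id": "f-3", "severity": "Low", "status": "Closed"}]},
}

def iter_findings(fetch_page):
    """Follow nextToken until the service stops returning one."""
    token = None
    while True:
        page = fetch_page(token)
        yield from page.get("findings", [])
        token = page.get("nextToken")
        if not token:
            return

def worklist(fetch_page):
    """Open findings with file location, advice, and any inline fixes."""
    items = []
    for f in iter_findings(fetch_page):
        if f.get("status") != "Open":
            continue
        loc = f.get("vulnerability", {}).get("filePath", {})
        rem = f.get("remediation", {})
        items.append({
            "id": f["id"], "severity": f.get("severity"), "path": loc.get("path"),
            "lines": (loc.get("startLine"), loc.get("endLine")),
            "advice": rem.get("recommendation", {}).get("text"),
            # Not every finding has an inline fix; an empty list means a manual change.
            "fixes": [s["code"] for s in rem.get("suggestedFixes", [])],
        })
    return items

def aws_fetcher(scan_name):
    """Page fetcher backed by boto3; needs credentials and your own scan name."""
    import boto3  # imported here so the sample data runs without the SDK
    client = boto3.client("codeguru-security")
    return lambda token: client.get_findings(
        scanName=scan_name, **({"nextToken": token} if token else {}))
```

Call `worklist(SAMPLE_PAGES.__getitem__)` to run it on the constructed data, or `worklist(aws_fetcher(scan_name))` against your account, passing the same scan name you will re-run after the fix.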
