

# Amazon Inspector Lambda code scanning
<a name="scanning_resources_lambda_code"></a>

**Important**  
 This feature captures snippets of Lambda functions to highlight detected vulnerabilities. These snippets can show hardcoded credentials and other sensitive materials. 

 With this feature, Amazon Inspector scans application code in a Lambda function for code vulnerabilities based on AWS security best practices to detect data leaks, injection flaws, missing encryption, and weak cryptography. Amazon Inspector uses automated reasoning and machine learning to evaluate your Lambda function application code. It also uses internal detectors that are developed in collaboration with Amazon Q to identify policy violations and vulnerabilities. 

 Amazon Inspector generates a [code vulnerability](https://docs.aws.amazon.com/inspector/latest/user/findings-types.html#findings-types-code) when it detects a vulnerability in your Lambda function application code. This finding type includes a code snippet showing the issue and where you can find the issue in your code. It also suggests how to remediate the issue. The suggestion includes plug-and-play code blocks that you can use to replace vulnerable lines of code. These code fixes are provided in addition to general code remediation guidance for this finding type. 

 Code remediation suggestions are powered by automated reasoning. Some code remediation suggestions might not work as intended. You are responsible for the code remediation suggestions you adopt. Always review code remediation suggestions before adopting them. You might need to edit them to make sure your code performs as intended. For more information, see the [Responsible AI Policy](https://aws.amazon.com/machine-learning/responsible-ai/policy/). 

 If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. For more information, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). For information about which AWS Regions support this feature, see [Region-specific feature availability](inspector_regions.md#ins-regional-feature-availability). 

## Encrypting your code in code vulnerability findings
<a name="lambda-code-encryption"></a>

 Amazon Q stores the code snippets that Lambda code scanning detects in connection with a code vulnerability finding. By default, Amazon Q controls [the AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) used to encrypt your code. However, you can use your own customer managed key for encryption through the Amazon Inspector API. For more information, see [Encryption at rest for code in your findings](encryption-rest.md#encryption-code-snippets). 

# Excluding functions from Lambda code scanning
<a name="scanning_resources_lambda_code_exclude_functions"></a>

 You can tag Lambda functions to exclude them from Amazon Inspector Lambda code scans. Excluding functions from scans can prevent unactionable alerts. When you tag a function for exclusion, the tag must have the following key-value pair. 
+  Key – `InspectorCodeExclusion` 
+  Value – `LambdaCodeScanning` 

 This topic describes how to tag a function for exclusion from code scans. For more information about adding tags in Lambda, see [Using tags on Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html). 

**To exclude a function from code scans**

1.  Sign in using your credentials, and then open the Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/). 

1.  From the navigation pane, choose **Functions**. 

1.  Choose the name of the function you want to exclude from Amazon Inspector Lambda code scans. 

1.  Choose **Configuration**, and then choose **Tags**. 

1.  Choose **Manage tags**, and then **Add new tag**. 

   1. For **Key**, enter `InspectorCodeExclusion`.

   1. For **Value**, enter `LambdaCodeScanning`.

1.  Choose **Save**. 
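
The same tag can be applied and audited through the Lambda API. The following Python is an added example, not AWS-provided code: it sets the exclusion tag with the boto3 Lambda client, confirms it by reading the tags back, and reports which functions in a Region are excluded from code scanning. The function names and the `mistagged` status are this example's own, and treating a case variant or wrong value as not excluding the function is an assumption based on the exact key-value pair required above.

```python
"""Apply and audit the Amazon Inspector Lambda code scanning exclusion tag."""

EXCLUSION_KEY = "InspectorCodeExclusion"
EXCLUSION_VALUE = "LambdaCodeScanning"


def exclusion_status(tags):
    """Classify a function's tags as 'excluded', 'mistagged' or 'scanned'."""
    if tags.get(EXCLUSION_KEY) == EXCLUSION_VALUE:
        return "excluded"
    # Assumption: the pair is matched exactly, so a case variant of the key
    # or any other value leaves the function in scope for code scanning.
    for key in tags:
        if key.lower() == EXCLUSION_KEY.lower():
            return "mistagged"
    return "scanned"


def exclude_function(lambda_client, function_arn):
    """Add the exclusion tag, then read the tags back to confirm it."""
    lambda_client.tag_resource(
        Resource=function_arn, Tags={EXCLUSION_KEY: EXCLUSION_VALUE}
    )
    tags = lambda_client.list_tags(Resource=function_arn).get("Tags", {})
    return exclusion_status(tags) == "excluded"


def audit_exclusions(lambda_client):
    """Map every function ARN in the client's Region to its status."""
    report = {}
    for page in lambda_client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            arn = fn["FunctionArn"]
            tags = lambda_client.list_tags(Resource=arn).get("Tags", {})
            report[arn] = exclusion_status(tags)
    return report


if __name__ == "__main__":
    import boto3  # needs AWS credentials and a default Region

    # Print only the functions that are excluded or carry a near-miss tag,
    # so unscanned code and ineffective exclusions are both visible.
    for arn, status in sorted(audit_exclusions(boto3.client("lambda")).items()):
        if status != "scanned":
            print(f"{status:10} {arn}")
```

Running the audit on a schedule shows when a function drops out of code scanning coverage, and surfaces tags that were meant to exclude a function but do not match the required pair.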