
Enable code review - AWS Security Agent


Configure your Agent Space to enable code review by connecting source code from GitHub repositories or S3 buckets. Code review analyzes your source code for security vulnerabilities and compliance with your organization’s custom security requirements.

Setting up code review configurations is an Agent Space-wide operation. The integrations and S3 buckets you connect are shared across capabilities, including code review and penetration testing.

After completing setup, users can create and run code reviews in the AWS Security Agent web application to scan repositories and S3 sources for security issues.

Note

If you already have GitHub repositories connected to your Agent Space (for example, through penetration testing setup), code review is already enabled. You can skip this setup and go directly to the web application to create code reviews. See Create a code review.

Prerequisites

Before you begin, ensure you have:

  • An Agent Space created in the AWS Management Console (see Create an Agent Space)

  • At least one of the following source code inputs:

    • A GitHub repository in an organization or user account you have authorized through a GitHub integration (see Connect AWS Security Agent to GitHub repositories)

    • An S3 bucket, or a prefix within a bucket, that contains source code

  • Permissions to configure integrations for your Agent Space

  • (Optional) Custom security requirements enabled if you plan to use security requirement validation (see Manage security requirements)

Access the code review setup wizard

Navigate to the code review setup for your Agent Space.

  1. In the AWS Security Agent console, select your Agent Space.

  2. Choose Enable code review from one of the following locations:

    • The Code review card at the top of the Agent Space page

    • The Code review tab, then choose Enable code review

You’ll be directed to the Setup code review configurations wizard.

Step 1: Connect integrations, repos, and buckets

In the first step of the wizard, connect your source code inputs and configure code review settings. You must add at least one GitHub repository or S3 bucket to proceed.

Important

Integrations and S3 buckets configured here are shared across your Agent Space. Changes apply to both code review and penetration testing capabilities.

Connect GitHub repositories

Add GitHub repositories from your authorized GitHub organizations or user accounts. Choosing Add opens the two-step Connect GitHub wizard, where you first select repositories and then configure what actions AWS Security Agent can take on each one.

  1. In the Connected integrations section, choose Add.

  2. Select the GitHub registration that contains the repositories you want to review.

  3. On the Connect GitHub repositories step, select the checkbox for each repository you want to connect.

  4. Choose Next to go to Manage capabilities.

Note

Connected repositories are accessed read-only for code analysis during code review and penetration testing. Write actions, such as posting review comments and opening remediation pull requests, are configured separately in the next step and are off until you enable them.

Note

If you haven’t registered a GitHub integration yet, choose Settings to navigate to the Integrations page where you can authorize the AWS Security Agent GitHub App. For more information, see Connect AWS Security Agent to GitHub repositories.

Configure GitHub repository capabilities

On the Manage capabilities step of the Connect GitHub wizard, choose what AWS Security Agent can do in each repository. Code review comments and Automatic remediation are set independently per repository.

  1. For each repository, toggle Code review comments on to have AWS Security Agent post security findings as comments on pull requests.

  2. For each repository, toggle Automatic remediation on to let users of the AWS Security Agent web application request pull requests that fix findings.

  3. Choose Save to apply your selections and return to the code review setup wizard.

When Code review comments is enabled for a repository:

  • AWS Security Agent automatically analyzes pull requests when they are marked as "Ready for review". Draft pull requests are not analyzed.

  • Security findings are posted as review comments directly on the pull request with specific remediation guidance.

  • The analysis uses your configured code review settings (security vulnerabilities, custom requirements, or both).

Note

Pull request comments are only available for private GitHub repositories.

When Automatic remediation is enabled for a repository, web app users can start remediation for both code review and penetration test findings on that repository, and AWS Security Agent delivers each fix as a pull request. For more information, see Enable users to start remediation of penetration test and code review findings.

For more information about how pull request findings appear in GitHub and how to respond to them, see Review code security findings in GitHub pull requests.

Add S3 buckets

Add S3 buckets containing source code or contextual resources for code review.

  1. In the S3 buckets section, choose Add S3 resource.

  2. Enter the S3 URI for the bucket or prefix containing your source code, in the form s3://bucket-name or s3://bucket-name/prefix/.

  3. Choose Add.

Note

You can add up to 10 S3 resources. S3 buckets are shared across capabilities including code review and penetration testing.

Tip

You can add S3 buckets that contain source code, configuration files, infrastructure-as-code templates, or other artifacts you want AWS Security Agent to analyze for security issues.

Configure code review settings

Configure the types of security issues AWS Security Agent analyzes during code reviews. This setting applies to all repositories and sources with code review enabled in this Agent Space.

  1. In the Code review settings section, select one of the following options:

    • Security requirement validation – Validate whether code complies with the custom security requirements you’ve enabled.

    • Security vulnerability findings – Identify common security vulnerabilities in code.

    • Security requirements and vulnerability findings – Analyze code for both compliance with your organization’s custom security requirements and common security vulnerabilities. This is the default setting.

Note

When security requirement validation is enabled, AWS Security Agent checks code against your enabled custom security requirements. If you select security requirement validation but do not have at least one custom security requirement enabled, AWS Security Agent will not identify requirement-based findings. For more information about security requirements, see Manage security requirements.

  2. Choose Next to proceed to optional configurations.

Step 2: Optional configurations

In the second step of the wizard, configure optional CloudWatch logging and service access settings for your code review environment.

(Optional) Configure CloudWatch logs

Select the CloudWatch log groups that AWS Security Agent writes code review execution logs to, so you can retain and analyze them alongside your other logs.

  1. Expand the CloudWatch logs section.

  2. In the Log Groups dropdown, select one or more existing CloudWatch log groups from your AWS account.

Note

If you don’t select a log group, AWS Security Agent automatically creates a default log group to store code review execution logs.

(Optional) Configure service access

Configure the IAM service role that AWS Security Agent uses to access your AWS resources such as S3 buckets and CloudWatch logs for code review.

  1. Expand the Service access section.

  2. Select one of the following options:

    • Create default role – AWS Security Agent automatically creates a new IAM role with the necessary permissions for code review.

    • Use an existing service role – Select an existing IAM role from the dropdown menu.

  3. If using the default role, enter a Service role name. The name must be unique among the IAM roles in your account, may contain only alphanumeric characters and the characters +=,.@-_, and cannot contain spaces.

Note

The service role name has a maximum length of 64 characters. A service role is automatically created if you don’t select an existing role.

  4. Choose Save to complete the setup.
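If you choose Use an existing service role, you control what the role can reach. The following is an added example, not code from the AWS documentation or from AWS Security Agent: it assembles a permissions policy scoped to exactly the S3 URIs entered in the Add S3 buckets section and the CloudWatch log groups selected above, applies the role-name constraints quoted in this step, and rejects policies that fall back to a Resource of "*". The action lists, the sample bucket and log group names, and the account ID are assumptions; the page does not list the permissions the console-created default role grants, and the role's trust policy (which service principal may assume it) is not documented here and is deliberately left out.

```python
"""Scope a service-role permissions policy to the S3 URIs and log groups from the wizard.

Added example, not AWS code. The action sets below are an assumption: they are the
minimum read-only source access and log delivery need, not a statement of what the
console's default role actually grants.
"""
import json
import re
from urllib.parse import urlparse

# IAM role-name rule quoted on the page: alphanumerics plus + = , . @ - _, no spaces, 1-64 chars.
# Uniqueness within the account cannot be checked offline.
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9+=,.@_-]{1,64}")

# The wizard accepts at most this many S3 resources (from the page).
MAX_S3_RESOURCES = 10

# Assumed action sets (not documented on the page).
S3_LIST_ACTIONS = ["s3:ListBucket"]
S3_READ_ACTIONS = ["s3:GetObject"]
LOG_WRITE_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]


def validate_role_name(name: str) -> bool:
    """Return True if the name satisfies the character-set and length rules."""
    return ROLE_NAME_RE.fullmatch(name) is not None


def parse_s3_uri(uri: str) -> tuple[str, str]:
    """Split s3://bucket[/prefix/] into (bucket, prefix); prefix has no surrounding slashes."""
    parts = urlparse(uri)
    if parts.scheme != "s3" or not parts.netloc:
        raise ValueError(f"not an S3 URI: {uri!r}")
    return parts.netloc, parts.path.strip("/")


def s3_statements(uris: list[str]) -> list[dict]:
    """One ListBucket and one GetObject statement per URI, confined to the prefix if given."""
    if len(uris) > MAX_S3_RESOURCES:
        raise ValueError(f"the wizard accepts at most {MAX_S3_RESOURCES} S3 resources")
    statements = []
    for uri in uris:
        bucket, prefix = parse_s3_uri(uri)
        bucket_arn = f"arn:aws:s3:::{bucket}"
        # Object reads cover only the prefix, or the whole bucket when no prefix was entered.
        object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
        list_stmt = {"Effect": "Allow", "Action": S3_LIST_ACTIONS, "Resource": bucket_arn}
        if prefix:
            # ListBucket is bucket-level, so a condition key restricts listing to the prefix.
            list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}
        statements.append(list_stmt)
        statements.append({"Effect": "Allow", "Action": S3_READ_ACTIONS, "Resource": object_arn})
    return statements


def log_statements(log_groups: list[str], region: str, account_id: str) -> list[dict]:
    """Log-stream actions are granted on the log-group ARN with the ':*' stream suffix."""
    arns = [f"arn:aws:logs:{region}:{account_id}:log-group:{g}:*" for g in log_groups]
    return [{"Effect": "Allow", "Action": LOG_WRITE_ACTIONS, "Resource": arns}] if arns else []


def build_policy(s3_uris: list[str], log_groups: list[str], region: str, account_id: str) -> dict:
    return {"Version": "2012-10-17",
            "Statement": s3_statements(s3_uris) + log_statements(log_groups, region, account_id)}


def resources(policy: dict) -> list[str]:
    """Flatten every Resource entry in the policy into one list."""
    out: list[str] = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        out.extend(res if isinstance(res, list) else [res])
    return out


def has_wildcard_resource(policy: dict) -> bool:
    """True if any statement grants on Resource '*'; a scoped policy should never do this."""
    return any(r == "*" for r in resources(policy))


if __name__ == "__main__":
    # Constructed sample inputs; the bucket names, log group and account ID are made up.
    policy = build_policy(
        ["s3://example-src-code/services/payments/", "s3://example-iac-templates"],
        ["/aws/security-agent/code-review"], "us-east-1", "123456789012")
    assert not has_wildcard_resource(policy)
    print(json.dumps(policy, indent=2))
```

Attach the generated document to the role you select under Use an existing service role, and re-run the generator whenever you add or remove an S3 resource or log group, since the policy is only as tight as the list it was built from.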

After setup

After completing the code review setup wizard:

  • The Code review card on your Agent Space page shows a Ready status.

  • Users can launch the web application and create code reviews to scan connected repositories and S3 sources.

  • You can modify your configuration at any time by choosing Edit configuration on the Code review tab.

Edit code review configuration

To modify your code review configuration after initial setup:

  1. Navigate to your Agent Space in the AWS Security Agent console.

  2. Select the Code review tab.

  3. Choose Edit configuration.

  4. Update your integrations, S3 buckets, code review settings, CloudWatch logs, or service access as needed.

  5. Choose Save.

Next steps

After setting up code review configurations: