Types of code scans - Amazon CodeGuru Security

Amazon CodeGuru Security is in preview release and is subject to change.

Types of code scans

Amazon CodeGuru Security can perform code security analysis and code quality analysis in code scans. All code scans perform code security analysis, where CodeGuru Security scans your code and returns findings about detected security vulnerabilities and hardcoded secrets. You can also configure your scans to include code quality analysis, which returns findings related to the quality of your code in addition to security vulnerabilities.

Security findings are used to generate the finding and vulnerability resolution metrics for your account, but code quality findings do not affect the metrics in your dashboard data. Instead, they are labeled as Informational findings that you can choose to address, and they do not affect how the security posture of your application is assessed.

This section covers types of code analysis and how to enable them in your scans.

Code security analysis

Code security analysis detects potential security policy violations and vulnerabilities in your code. Code security analysis is powered by Amazon CodeGuru detectors that are informed by years of Amazon.com and AWS security best practices. Examples of security vulnerabilities include resource leaks, hardcoded credentials, and cross-site scripting. To learn more about the security vulnerabilities CodeGuru Security detects, see the Amazon CodeGuru Detector Library.

In addition to security vulnerabilities identified by CodeGuru detectors, security analysis also includes scanning code and text files for hardcoded secrets. For more information, see Secrets detection.

All code scans include code security analysis. You do not need to take any action to enable security analysis in your scans.

Code quality analysis

Code quality analysis detects issues related to quality and maintainability in your code. You can include code quality analysis alongside security analysis in your scans to check that your code meets quality best practices. Code quality analysis returns findings with an Informational severity level that do not affect the security assessment of your code base.

Code quality analysis is available for most, but not all, integrations. You can scan your code for both security and quality findings in the following services and integrations:

  • AWS CLI
  • AWS SDKs
  • GitHub
  • Bitbucket
  • GitLab
  • AWS CodePipeline
  • IDE plugins
  • Amazon SageMaker Studio and JupyterLab notebooks

Scans created with the console and with Amazon Inspector Lambda code scanning only generate findings related to security.

Enable quality analysis

Scans created in IDE plugins and notebook integrations automatically perform both security and quality analysis.

You can enable quality analysis in scans created with the AWS CLI, AWS SDKs, and the supported integrations by specifying the analysis type when you create a scan. By default, these scans only perform security analysis.

Specify All for the analysis type to perform both security and quality analysis in your scans. Specify Security to only scan for security vulnerabilities. For more information, see CreateScan in the CodeGuru Security API Reference.
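As an added example that is not part of this documentation, the Python helper below sets the CreateScan analysis type described above and then separates Informational (quality) findings, which do not count toward security posture metrics, from security findings in a GetFindings result. It assumes a `boto3.client("codeguru-security")` for the real call (any object with a `create_scan` method works), that the API reports Informational findings with the severity value `Info`, and uses a constructed findings list.

```python
from collections import Counter
from typing import Any

# CreateScan analysis types named on this page.
ANALYSIS_SECURITY = "Security"   # default: vulnerabilities and hardcoded secrets only
ANALYSIS_ALL = "All"             # security plus code quality analysis

# Assumption: Informational (quality) findings carry this severity value in GetFindings.
INFORMATIONAL_SEVERITIES = {"info", "informational"}

# Constructed sample of GetFindings output, trimmed to the fields used here.
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": "High", "title": "Hardcoded credentials"},
    {"id": "f-2", "severity": "Medium", "title": "Resource leak"},
    {"id": "f-3", "severity": "Info", "title": "Unused variable"},  # quality finding
]


def build_create_scan_request(scan_name: str, code_artifact_id: str,
                              include_quality: bool) -> dict[str, Any]:
    """Build CreateScan parameters; only analysisType differs between the two modes."""
    return {
        "scanName": scan_name,
        "resourceId": {"codeArtifactId": code_artifact_id},
        "analysisType": ANALYSIS_ALL if include_quality else ANALYSIS_SECURITY,
    }


def create_scan(client: Any, scan_name: str, code_artifact_id: str,
                include_quality: bool = True) -> str:
    """Start a scan through a CodeGuru Security client and return its runId."""
    params = build_create_scan_request(scan_name, code_artifact_id, include_quality)
    response = client.create_scan(**params)
    return response["runId"]


def split_findings(findings: list[dict[str, Any]]) -> dict[str, Any]:
    """Count security findings by severity and quality findings separately, so the
    Informational results from analysisType=All are not mistaken for posture risk."""
    security: list[dict[str, Any]] = []
    quality: list[dict[str, Any]] = []
    for finding in findings:
        severity = str(finding.get("severity", "")).lower()
        (quality if severity in INFORMATIONAL_SEVERITIES else security).append(finding)
    return {
        "security_count": len(security),
        "quality_count": len(quality),
        "by_severity": dict(Counter(f["severity"] for f in security)),
    }
```

To run a real scan, create the client with `boto3.client("codeguru-security")`, upload the code artifact first (CreateUploadUrl), and pass the returned codeArtifactId to `create_scan`.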

Choose from the list in the Getting started with CodeGuru Security section to learn how to configure code scans to perform quality analysis wherever you are using CodeGuru Security.