Reviewing code with Amazon Q Developer

Amazon Q Developer can review your codebase for security vulnerabilities and code quality issues to improve the posture of your applications throughout the development cycle. You can initiate a review of an entire codebase, analyzing all files in your local project or workspace, or enable auto reviews that assess your code as you write it.

During a code review, Amazon Q assesses both your custom code and third-party libraries in your code. Before starting a code review, Amazon Q applies filtering to ensure that only relevant code is reviewed. As part of the filtering process, Amazon Q excludes unsupported languages, test code, and open source code.

When Amazon Q discovers a potential security vulnerability or quality issue in your code, it generates a code issue with a description of the issue and a recommended fix. For some issues, you can generate and apply a code fix, which updates your code files in-place.

Reviews are powered by both generative AI and rule-based automatic reasoning. Amazon Q detectors, informed by years of AWS and Amazon.com security best practices, power the rule-based security and quality reviews. As security policies are updated and detectors are added, reviews automatically incorporate new detectors to ensure your code is compliant with the most up-to-date policies.

For information on supported IDEs for this feature, see Supported IDEs. For information on supported languages, see Language support for code reviews.

Types of code issues

Amazon Q reviews your code for the following types of code issues:

  • SAST scanning — Detect security vulnerabilities in your source code. Amazon Q identifies various security issues, such as resource leaks, SQL injection, and cross-site scripting.

  • Secrets detection — Prevent the exposure of sensitive or confidential information in your code. Amazon Q reviews your code and text files for secrets such as hardcoded passwords, database connection strings, and usernames. Secrets findings include information about the unprotected secret and how to protect it.

  • IaC issues — Evaluate the security posture of your infrastructure files. Amazon Q can review your infrastructure as code (IaC) code files to detect misconfiguration, compliance, and security issues.

  • Code quality issues — Ensure your code is meeting quality, maintainability, and efficiency standards. Amazon Q generates code issues related to various quality issues, including but not limited to performance, machine learning rules, and AWS best practices.

  • Code deployment risks — Assess risks related to deploying code. Amazon Q determines whether there are any risks to deploying or releasing your code, including application performance and disruption to operations.

  • Software composition analysis (SCA) — Evaluate third-party code. Amazon Q examines third-party components, libraries, frameworks, and dependencies integrated into your code, ensuring third-party code is secure and up to date.

For a complete list of the detectors Amazon Q uses to review your code, see the Amazon Q Detector Library.

Quotas

Amazon Q security scans maintain the following quotas:

  • Input artifact size – The size of all the files within an IDE project workspace, including third-party libraries, build JAR files, and temporary files.

  • Source code size – The size of the source code that Amazon Q scans after filtering all third-party libraries and unsupported files.

The following table describes the quotas maintained for auto scans and full project scans.

Resource                      Auto reviews    File or project reviews
Maximum input artifact size   200 KB          500 MB
Maximum source code size      200 KB          50 MB
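As an added example (not Amazon Q Developer code), the script below estimates whether a local workspace fits the two quotas in the table. The byte limits are the page's; the filtering rules (which directories count as third-party or test code, which extensions are supported) are assumptions standing in for Amazon Q's own filtering, which the page does not specify.

```python
# Estimate a workspace against the Amazon Q review quotas stated on this page.
# Added example, not Amazon Q Developer code. The byte limits are the page's
# quotas; the filtering heuristics (third-party and test directories, supported
# extensions) are assumptions standing in for Amazon Q's own unspecified filter.
import tempfile
from pathlib import Path

KB, MB = 1024, 1024 * 1024
QUOTAS = {  # mode: (max input artifact size, max source code size), from the page
    "auto_review": (200 * KB, 200 * KB),
    "project_review": (500 * MB, 50 * MB),
}
# Assumed approximation of the page's filtering (third-party, test, unsupported).
THIRD_PARTY_DIRS = {"node_modules", "vendor", "venv", ".venv", "build", "dist", "target"}
TEST_DIRS = {"test", "tests", "__tests__", "spec"}
SUPPORTED_EXT = {".py", ".java", ".js", ".ts", ".go", ".rb", ".cs", ".tf", ".yaml", ".yml", ".json"}

def is_filtered(rel) -> bool:
    """True if a workspace-relative path is excluded from the source code size."""
    rel = Path(rel)
    dirs = set(rel.parts[:-1])
    if dirs & THIRD_PARTY_DIRS or dirs & TEST_DIRS or rel.name.startswith("test_"):
        return True
    return rel.suffix not in SUPPORTED_EXT  # JARs, docs, logs drop out here

def measure_workspace(root) -> dict:
    """Input artifact size counts every file; source size only unfiltered ones."""
    root = Path(root)
    sizes = {"input_size": 0, "source_size": 0}
    for path in (p for p in root.rglob("*") if p.is_file()):
        n = path.stat().st_size
        sizes["input_size"] += n
        if not is_filtered(path.relative_to(root)):
            sizes["source_size"] += n
    return sizes

def check_quotas(sizes) -> dict:
    """Which review modes the workspace fits, per the page's two limits."""
    return {mode: sizes["input_size"] <= inp and sizes["source_size"] <= src
            for mode, (inp, src) in QUOTAS.items()}

def demo() -> dict:
    """Constructed sample workspace: only app.py should count as source."""
    files = {"app.py": 300, "README.md": 100, "tests/test_app.py": 200,
             "node_modules/lib.js": 1000, "build/app.jar": 500}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, n in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(b"x" * n)
        sizes = measure_workspace(tmp)
    return {**sizes, **check_quotas(sizes)}
```

Point `measure_workspace` at a real project root to see how much of the input artifact survives filtering and which review mode it fits; a workspace that exceeds the auto review limit may still be eligible for a full project review.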