Amazon CodeGuru Security is in preview release and is subject to change.
Tutorial: Run scans with SageMaker AI Studio and JupyterLab
The Amazon CodeGuru Security extension scans your Python and notebook files and provides security recommendations and quality improvements to your code.
After running a scan, detected vulnerabilities or quality issues in your code are underlined. Each underlined section corresponds to a finding that details the issue and suggested remediation. You can view all findings in the diagnostic panel. Once you update your code, you can re-run a scan to see if the finding has been remediated.
The following instructions show you how to install and use the CodeGuru Security extension in JupyterLab and Amazon SageMaker AI Studio. Before you begin installation, make sure you've followed the steps in Setting up Amazon CodeGuru Security.
Step 1: Install the CodeGuru Security extension
You can install the CodeGuru Security extension in one of two ways: from the command line or in the Extension Manager.
You can find more information on installing JupyterLab extensions in the JupyterLab Extensions documentation.
Note
If you're using SageMaker AI Studio, make sure to run conda activate studio and conda deactivate before and after running the following commands.
If you're using JupyterLab, make sure to run the commands in the same environment where JupyterLab is installed. If you installed JupyterLab in a conda environment, activate the environment where JupyterLab is installed before running the following commands.
Install with the command line (recommended)
JupyterLab
- Open a command prompt window and run the following command to install the extension:
pip install amazon-codeguru-jupyterlab-extension
- Restart your JupyterLab server.
- In your browser, refresh the page to view the extension in JupyterLab.
You can verify that the extension is installed if the LSP server displays Fully initialized on the bottom left corner. The following image shows the LSP server with the Fully initialized status.
SageMaker Studio
- Open a command prompt window.
- Run the following commands to install the extension in the conda environment:
conda activate studio
pip install amazon-codeguru-jupyterlab-extension
conda deactivate
- Restart your SageMaker Studio server by running the following command:
restart-jupyter-server
- In your browser, refresh the page to view the extension in SageMaker Studio.
You can verify that the extension is installed if the LSP server displays Fully initialized on the bottom left corner. The following image shows the LSP server with the Fully initialized status.
If you still don't see the extension, try creating a new notebook instance with your application code, and then install the extension.
Install with the extension manager
- Open SageMaker AI Studio or JupyterLab.
- In the left navigation bar, choose the Extension Manager icon.
- Search for @aws/amazon-codeguru-extension.
- Locate the extension called @aws/amazon-codeguru-extension and choose Install.
- A pop-up appears with the title Server Companion. Choose OK.
- After a few moments, the following message appears in the Extension Manager:
"A build is needed to include the latest changes."
Choose Rebuild.
- After the rebuild is complete, a pop-up appears. Choose Save and Reload.
- Open a command prompt window and run the following command:
pip install amazon-codeguru-jupyterlab-extension
- Restart your JupyterLab or SageMaker Studio server.
- Refresh your browser to view the extension.
You can verify that the extension is installed if the LSP server displays Fully initialized on the bottom left corner.
Step 2: Update IAM permissions
To use the extension, a role or user must have the necessary permissions. Follow these steps to update permissions policies with IAM. If you’re using the extension in JupyterLab, you must also refresh your AWS account credentials.
- Update the permissions policy for each role or user who is using the extension. We recommend that you use the AWS managed policy AmazonCodeGuruSecurityScanAccess. For more information on creating policies, see Managed policies and inline policies.
Go to the AWS IAM Console and attach the managed policy to your roles or users. If you're using SageMaker AI Studio, attach the policy to the AmazonSageMaker-ExecutionRole. Alternatively, create a new policy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonCodeGuruSecurityScanAccess",
      "Effect": "Allow",
      "Action": [
        "codeguru-security:CreateScan",
        "codeguru-security:CreateUploadUrl",
        "codeguru-security:GetScan",
        "codeguru-security:GetFindings"
      ],
      "Resource": "arn:aws:codeguru-security:*:*:scans/*"
    }
  ]
}
- If you're using SageMaker AI Studio, you can skip this step. If you're using JupyterLab, refresh your AWS account credentials from the command line by running the following command:
aws configure
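As an added example (not part of this tutorial or of the extension's own code), the following Python script checks offline that a policy document grants exactly the four actions the extension needs on a scan ARN, using a minimal IAM-style evaluation (explicit Deny wins, wildcards in Action and Resource). The scan ARN, Region and account number are constructed placeholders, not values from the page.

```python
import fnmatch
import json

# Policy document from Step 2, embedded here as the input under test.
SCAN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AmazonCodeGuruSecurityScanAccess",
    "Effect": "Allow",
    "Action": ["codeguru-security:CreateScan", "codeguru-security:CreateUploadUrl",
               "codeguru-security:GetScan", "codeguru-security:GetFindings"],
    "Resource": "arn:aws:codeguru-security:*:*:scans/*"
  }]
}""")

# Actions the extension calls, and a constructed scan ARN (Region and account are placeholders).
REQUIRED_ACTIONS = ("codeguru-security:CreateScan", "codeguru-security:CreateUploadUrl",
                    "codeguru-security:GetScan", "codeguru-security:GetFindings")
SAMPLE_SCAN_ARN = "arn:aws:codeguru-security:us-east-1:123456789012:scans/example-scan"


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, fold=False):
    """IAM string matching: '*' and '?' wildcards; action names are case-insensitive."""
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(p, action, fold=True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_scan_permissions(policy, scan_arn=SAMPLE_SCAN_ARN):
    """Return the required actions that the policy does NOT allow on the given scan ARN."""
    return [a for a in REQUIRED_ACTIONS if not is_allowed(policy, a, scan_arn)]


if __name__ == "__main__":
    missing = missing_scan_permissions(SCAN_POLICY)
    print("policy OK" if not missing else "missing: " + ", ".join(missing))
```

Running the same check against a policy that carries an extra Deny statement, or against a resource outside scans/*, reports the actions that would fail, which is the usual cause of a scan that never leaves "Scan in progress".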
Step 3: Run a scan
Once you’ve installed the extension and updated the permissions policy, you are ready to run a scan in JupyterLab or SageMaker AI Studio.
- Open the file you want to run a CodeGuru Security scan on in your JupyterLab or SageMaker AI Studio notebook instance.
- If the LSP server displays Fully initialized in the bottom left corner, the extension is installed, and you are ready to run a scan.
Note
If you see Server extension missing, restart your SageMaker Studio or JupyterLab server.
- You can initiate a scan in one of the following ways:
  - Choose any code cell in your file, and then choose the light bulb icon in the top task bar.
  - Open the context (right-click) menu on any code cell in your file, and then choose Run code scan.
- Once a scan is running, CodeGuru: Scan in progress appears in the bottom panel of the page. The scan might take several seconds to complete. Once complete, the bottom panel displays CodeGuru: Scan completed and the findings are underlined in your code.
The following image shows an in-progress scan.
Step 4: View and address findings
Once a scan is complete, you see findings underlined in your code.
- To view more information on the findings, open the context (right-click) menu for any cell and choose Show diagnostics panel. A panel with information about the findings and recommendations appears at the bottom of the notebook file.
The following image shows a completed scan with the diagnostics panel open to view findings.
To view a popover with a summary of the finding, hold your cursor over the underlined code.
- In the diagnostics panel, choose a finding to move your cursor to the corresponding lines of code.
- After you update your code based on the recommendations, you can re-run the scan to see if the issue has been addressed.
Once you change your code, the scan findings disappear. You must re-run the scan to see them again.
Step 5: Update scan settings
You can specify the frequency of scan runs and the Region where you run scans.
- Choose Settings in the top navigation bar.
- Choose Advanced Settings Editor.
- In the left navigation bar, choose CodeGuru Security.
- Automatic code scans are disabled by default. If you want scans to run automatically, choose Enabled in the dropdown menu next to Auto scans.
If enabled, automatic scans run every 240 seconds by default. If you want to change the frequency of automatic scans, specify a value for CodeGuru scan frequency.
The following image shows the CodeGuru Security scan settings tab with Auto scans disabled.
- To specify which AWS Region your scans run in, choose a Region in the dropdown menu next to Region.
You can change the AWS Region where you run scans to keep data in a specific Region while scanning, or to be billed in a specific Region.
Step 6: Disable or uninstall the extension
Disabling the extension prevents you from running scans until it is re-enabled. If you uninstall the extension, you must repeat the installation process to reinstall it.
Note
If you're using SageMaker AI Studio, be sure to run conda activate studio and conda deactivate before and after running the following commands.
If you're using JupyterLab, make sure to run the commands in the same environment where JupyterLab is installed. If you installed JupyterLab in a conda environment, activate the environment where JupyterLab is installed before running the following commands.
Disable the extension
Open a command prompt window and run the following command.
jupyter labextension disable @aws/amazon-codeguru-extension
Uninstall the extension
Uninstall with the command line
- Open a command prompt window and run the following command:
pip uninstall amazon-codeguru-jupyterlab-extension
- You might also want to remove dependent packages by running the following commands:
pip uninstall jupyterlab-lsp
pip uninstall python-lsp-server
Uninstall with the extension manager
- Open a command prompt window and run the following command:
pip uninstall amazon-codeguru-jupyterlab-extension
- In the Extension Manager, locate the @aws/amazon-codeguru-extension extension and choose Uninstall.
- The following message appears in the Extension Manager:
"A build is needed to include the latest changes."
Choose Rebuild.
- After the rebuild is complete, a pop-up appears. Choose Save and Reload.
- You might also want to remove dependent packages by running the following commands:
pip uninstall jupyterlab-lsp
pip uninstall python-lsp-server