Setting the Scene: Amazon CodeGuru
Amazon’s offering in the developer tool space comes in the form of the “Amazon CodeGuru” family. Until recently, Amazon CodeGuru provided two (very different) services:
- Amazon CodeGuru Reviewer - A service that uses program analysis and machine learning to detect potential defects in your code and offer suggestions for improving it in the form of PR comments.
- Amazon CodeGuru Profiler - A service that collects runtime performance data from your live applications and provides recommendations to help you fine-tune application performance.
These services were first revealed at AWS re:Invent 2019 and completed general availability in summer 2020.
Not much has changed since then, until AWS announced Amazon CodeGuru Security at the AWS re:Inforce 2023 event (June, 2023).
What is Amazon CodeGuru Security? - A static application security testing (SAST) tool that combines machine learning (ML) and automated reasoning to:
- Identify vulnerabilities in your code.
- Provide recommendations on how to fix the identified vulnerabilities.
- Track the status of the vulnerabilities until closure.
Sound familiar? A CodeGuru service that uses machine learning to scan your code for security vulnerabilities? Isn’t that what CodeGuru Reviewer already does? Then what’s the difference?
I’m glad you asked.
Where Code Is Scanned
CodeGuru Security is API-based, and therefore is available via:
- IDE plugins (CodeWhisperer and Jupyter Notebooks)
- Direct integrations with major CI/CD pipeline technologies (GitHub, BitBucket, GitLab & AWS CodePipeline)
- A CLI-based client (for other pipeline technologies)
- Direct integration with your deployed Lambda functions (in production!) via Amazon Inspector
An example of how your code is scanned directly from your IDE with CodeGuru Security using an integration.
CodeGuru Reviewer is instead a piece of automation that is triggered by a pull request in your associated repository. The supported source providers are similar to CodeGuru Security's (GitHub, Bitbucket, AWS CodeCommit & S3). The automation is triggered either by an EventBridge event indicating a CodeCommit PR was raised or (I assume) via webhook when using a third-party source provider.
Bug Tracking
A second key difference is that CodeGuru Security comes bundled with bug-tracking software. It uses AI/ML to detect when a bug has actually been resolved and this can all be viewed from the built-in dashboard. The team has emphasised their technology will ensure refactored code will not lead to bugs being prematurely closed or duplicated as the defect is moved around files/methods.
The CodeGuru Security dashboard tracks all the bugs/defects found and automatically closes them once the issue is resolved.
CodeGuru Reviewer will simply add a comment on the PR and nothing more.
CodeGuru Reviewer simply adds automated comments to PRs. That is all.
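The API-based workflow behind the CLI client and CI/CD integrations above, and the Open/Closed finding status that the bug-tracking dashboard relies on, can both be driven from a pipeline script. The following is an added example, not AWS's code or the CodeGuru CLI: it calls the `codeguru-security` boto3 operations `create_upload_url`, `create_scan`, `get_scan` and `get_findings` (the sequence I understand the CLI client automates), fails the build when an Open finding at a blocking severity exists, and ships with a constructed stand-in client and constructed sample findings so it runs offline. The scan name, file paths and finding ids are made up.

```python
"""Added example (not AWS's code): drive the CodeGuru Security scan API and gate a pipeline."""
import io
import time
import zipfile
from collections import Counter
from pathlib import Path

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Info")


def zip_source(root: Path) -> bytes:
    """Build the zip artifact the upload URL expects, entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(root.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(root).as_posix())
    return buf.getvalue()


def run_scan(client, scan_name, artifact, uploader, poll_seconds=5.0, max_polls=60):
    """CreateUploadUrl -> PUT artifact -> CreateScan -> poll GetScan -> page through GetFindings.

    `client` is a boto3 'codeguru-security' client (or a stand-in with the same methods);
    `uploader(url, headers, body)` performs the HTTP PUT, so no network code lives here.
    """
    upload = client.create_upload_url(scanName=scan_name)
    uploader(upload["s3Url"], upload["requestHeaders"], artifact)
    scan = client.create_scan(
        resourceId={"codeArtifactId": upload["codeArtifactId"]},
        scanName=scan_name,
        scanType="Standard",      # 'Express' trades depth for speed
        analysisType="Security",  # 'All' also returns code-quality findings
    )
    run_id = scan["runId"]
    for _ in range(max_polls):
        status = client.get_scan(scanName=scan_name, runId=run_id)
        if status["scanState"] == "Successful":
            break
        if status["scanState"] == "Failed":
            raise RuntimeError(status.get("errorMessage", "scan failed"))
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"scan {scan_name} did not finish")

    # Only findings the service still tracks as Open matter to a gate; findings it
    # auto-closes once the code is fixed come back with status 'Closed' and are skipped.
    findings, token = [], None
    while True:
        kwargs = {"scanName": scan_name, "status": "Open"}
        if token:
            kwargs["nextToken"] = token
        page = client.get_findings(**kwargs)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return findings


def summarize(findings):
    """Count open findings per severity, in the service's severity order."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def gate(findings, block_on=("Critical", "High")):
    """True when the pipeline may proceed: no open finding at a blocking severity."""
    return not any(f["severity"] in block_on for f in findings)


# --- Constructed stand-in so the workflow runs offline; shapes mirror the API responses. ---
SAMPLE_FINDINGS = [
    {"id": "finding-1", "severity": "High", "status": "Open",
     "title": "Hardcoded credentials",
     "vulnerability": {"filePath": {"path": "app/config.py", "startLine": 12, "endLine": 12}}},
    {"id": "finding-2", "severity": "Low", "status": "Open",
     "title": "Insecure temporary file",
     "vulnerability": {"filePath": {"path": "app/util.py", "startLine": 40, "endLine": 41}}},
]


class FakeCodeGuruSecurity:
    """Minimal stand-in for the boto3 client; returns canned, constructed data."""
    def create_upload_url(self, scanName):
        return {"s3Url": "https://example.invalid/upload", "requestHeaders": {}, "codeArtifactId": "artifact-1"}

    def create_scan(self, **kwargs):
        return {"scanName": kwargs["scanName"], "runId": "run-1", "scanState": "InProgress"}

    def get_scan(self, scanName, runId):
        return {"scanName": scanName, "runId": runId, "scanState": "Successful"}

    def get_findings(self, scanName, status, nextToken=None):
        return {"findings": [f for f in SAMPLE_FINDINGS if f["status"] == status]}


def demo_offline():
    """Run the whole flow against the stand-in; returns (severity summary, gate passed?)."""
    findings = run_scan(FakeCodeGuruSecurity(), "demo-scan", b"constructed-zip-bytes",
                        uploader=lambda url, headers, body: None, poll_seconds=0)
    return summarize(findings), gate(findings)


if __name__ == "__main__":
    print(demo_offline())
```

For a real run, pass `boto3.client("codeguru-security")` as `client`, `zip_source(Path("."))` as the artifact, and an uploader that PUTs the bytes to `s3Url` with the returned `requestHeaders`; the boolean from `gate` becomes the pipeline's exit status. Filtering on `status="Open"` is what keeps a finding that the service has already marked Closed (after the fix was re-scanned) from blocking the build.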
What’s The Catch?
CodeGuru Security clearly offers more than its Reviewer counterpart — so it should be assumed there will be an additional cost, right?
As of writing this article, CodeGuru Security is in public preview and is currently free. CodeGuru Reviewer is still using its pricing model based on lines of code scanned (e.g. $10 for every 100k lines of code).
Summary
Here is a comparison table to summarize all the differences between the services:
Conclusion
Is this the end of CodeGuru Reviewer? Potentially. Or Reviewer will undercut Security's pricing for those who don't need all the bells and whistles.
CodeGuru Reviewer is ideal for small teams where some improved security direction would be welcome, for example a small open-source project. It would be nice if CodeGuru Reviewer had a more generous free tier for open-source projects, in the same way CircleCI provides more CI/CD credits for open-source projects.
But for enterprise companies with compliance needs and large teams to manage, CodeGuru Security is a welcome addition to the AWS ecosystem.
References
Documentation on CodeGuru Security is quite thin. After all, it is a relatively new service: