Amazon CodeGuru Security vs Reviewer: What’s the Difference?

August 16, 2023

Setting the Scene: Amazon CodeGuru

Amazon’s offering in the developer tool space comes in the form of the “Amazon CodeGuru” family. Until recently, Amazon CodeGuru provided two (very different) services:

  • Amazon CodeGuru Reviewer  -  A service that uses program analysis and machine learning to detect potential defects in your code and offer suggestions for improving it in the form of PR comments.
  • Amazon CodeGuru Profiler  - A service collects runtime performance data from your live applications, and provides recommendations that can help you fine-tune your application performance.

These services were first revealed at AWS re:Invent 2019 and completed general availability in summer 2020.

Not much has changed since then, until AWS announced Amazon CodeGuru Security at the AWS re:Inforce 2023 event (June, 2023).

What is Amazon CodeGuru Security?  -  A static application security testing (SAST) tool that combines machine learning (ML) and automated reasoning to:

  • Identify vulnerabilities in your code.
  • Provide recommendations on how to fix the identified vulnerabilities.
  • Track the status of the vulnerabilities until closure.

Sound familiar? A CodeGuru service that uses machine learning to scan your code for security vulnerabilities? Isn’t that what CodeGuru Reviewer already does? Then what’s the difference?

I’m glad you asked.

Where Code Is Scanned

CodeGuru Security is API-based, and therefore is available via:

  • IDE plugins (CodeWhisperer and Jupyter Notebooks)
  • Direct integrations with major CI/CD pipeline technologies (GitHub, BitBucket, GitLab & AWS CodePipeline)
  • A CLI-based client (for other pipeline technologies)
  • Direct integration with your deployed Lambda functions (in production!) via Amazon Inspector

An example of how your code is scanned directly from your IDE with CodeGuru Security using an integration.

CodeGuru Reviewer is instead a piece of automation that is triggered upon a pull request in your associated repository. The supported source providers are similar to CodeGuru Security (GitHub, Bitbucket, AWS CodeCommit & S3). The automation is either triggered by an EventBridge event indicating a CodeCommit PR was raised or (I assume) via webhook if using a 3rd party source provider.

Bug Tracking

A second key difference is that CodeGuru Security comes bundled with bug-tracking software. It uses AI/ML to detect when a bug has actually been resolved and this can all be viewed from the built-in dashboard. The team has emphasised their technology will ensure refactored code will not lead to bugs being prematurely closed or duplicated as the defect is moved around files/methods.

The CodeGuru Security dashboard tracks all the bugs/defects found and automatically closes them once the issue is resolved.

CodeGuru Reviewer will simply add a comment on the PR and nothing more.

CodeGuru Reviewer simply adds automated comments to PRs. That is all.

What’s The Catch?

CodeGuru Security clearly offers more than its Reviewer counterpart — so it should be assumed there will be an additional cost, right?

As of writing this article, CodeGuru Security is in public preview and is currently free. CodeGuru Reviewer is still using its pricing model based on lines of code scanned (e.g. $10 for every 100k lines of code).

Summary

Here is a comparison table to summarize all the differences between the services:

Conclusion

Is this the end of CodeGuru Reviewer?— Potentially. Or the Reviewer will undercut the Security’s pricing for those that don’t need all the bells and whistles.

CodeGuru Reviewer is ideal for those in small-scale teams where some improved security direction would be welcomed. For example a small open-source project. It would be nice if CodeGuru Reviewer had a more generous free tier for open-source projects, in the same way CircleCI provides more CI/CD credits for open-source projects.

But for Enterprise Companies with compliance needs and managing large teams, CodeGuru Security is a welcome addition to the AWS ecosystem.

References

Documentation on CodeGuru Security is quite thin. After all, it is a relatively new service:

Serverless Handbook
Access free book

The dream team

At Serverless Guru, we're a collective of proactive solution finders. We prioritize genuineness, forward-thinking vision, and above all, we commit to diligently serving our members each and every day.

See open positions

Looking for skilled architects & developers?

Join businesses around the globe that trust our services. Let's start your serverless journey. Get in touch today!
Ryan Jones
Founder
Book a meeting
arrow
Founder
Eduardo Marcos
Chief Technology Officer
Chief Technology Officer
Book a meeting
arrow

Join the Community

Gather, share, and learn about AWS and serverless with enthusiasts worldwide in our open and free community.