Amazon CodeGuru Reviewer is an AWS service that uses program analysis and machine learning to detect potential defects that are difficult for developers to find and offers suggestions for improvement.
CodeGuru Reviewer finds defects in Java, Python, and JavaScript code. For more information about how to set up and use CodeGuru Reviewer, see the Amazon CodeGuru Reviewer User Guide.
This repo demonstrates some of CodeGuru Reviewer's JavaScript detectors. For more descriptions of each detector, see our Detector Library. You can also see the code example repos for Java and Python.
PLEASE NOTE: This repo is for demonstration purposes only. It is meant to educate people about 'security flaws'. The code examples contain vulnerable code and should not be used for real-world purposes.
You can use this code repository to try out CodeGuru Reviewer using your AWS credentials.
To use the CodeGuru Reviewer GitHub Action to scan a fork of this repo, you will first need to create a suitable Role, S3 Bucket, and Policy in your AWS account. You can do this automatically by following these instructions.
A CodeGuru Reviewer GitHub Action workflow template has already been added to this repo. To see CodeGuru Reviewer in action:
- Fork this repo.
- In `.github/workflows/analyze.yml`, replace the following three fields with the values obtained from the prerequisites step above: your Role ARN (`role-to-assume`), your Region (`aws-region`), and your S3 bucket name (`s3_bucket`).
- Click on the Actions tab (next to pull requests).
- Click on the CodeGuru Reviewer Workflow.
- Click "Run workflow".
- Navigate to the Security tab to see results (it should take 5-10 min). GitHub only enables the security tab for free on public repositories.
You can copy the CodeGuru Reviewer GitHub Action `analyze.yml` that you made in the Setup step to your own personal repo.
If you do not have GitHub Advanced Security, you will still be able to view your findings within the AWS Console. You can also use tools like `jq` within your workflow to postprocess the findings. If you print some of the findings to stdout, you will see them in your workflow's output log.
Use the community resources below for getting help with AWS CodeGuru Reviewer.
- Use GitHub issues to report bugs and request features.
- Open a support ticket with AWS Support.
- For contributing guidelines, refer to CONTRIBUTING.
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License. See the LICENSE file.