Amazon CodeGuru FAQs

General

CodeGuru has two components: Amazon CodeGuru Security and Amazon CodeGuru Profiler. CodeGuru Security is a machine learning (ML) and program analysis-based tool that finds security vulnerabilities in your application code. CodeGuru Security also scans for hardcoded credentials. CodeGuru Profiler optimizes performance for applications running in production and identifies the most expensive lines of code, reducing operational costs significantly.

CodeGuru is now generally available. You can start right now in the Amazon CodeGuru console.

To see supported AWS Regions, please visit the AWS Region Table for all AWS global infrastructure. For more information, see Regions and Endpoints in the AWS General Reference.

Amazon CodeGuru Security

CodeGuru Security is an ML and program analysis-based code scanning tool that finds security vulnerabilities in application code.

CodeGuru Security currently supports scanning Java, Python, JavaScript, TypeScript, C#, CloudFormation, Terraform, Go, and Ruby.

CodeGuru Security detects Open Worldwide Application Security Project (OWASP) Top Ten issues, Common Weakness Enumeration (CWE) Top 25 issues, log injection, secrets, and secure use of AWS APIs and SDKs. See the Amazon CodeGuru Detector Library for more details on vulnerabilities found by CodeGuru Security.
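
Two of the finding classes listed above, log injection and hardcoded credentials, are easy to see in miniature. The following Python is an added example for this FAQ, not code from CodeGuru Security or its detector library: it shows a log-formatting function in its vulnerable and neutralized forms, and a small regex check for AWS access key ID literals of the shape a secrets scanner looks for. The sample source snippet and the `AKIAIOSFODNN7EXAMPLE` value (AWS's documented example key) are constructed inputs.

```python
import logging
import re

# Constructed example: a login handler that writes user-controlled input to a log.
# The "unsafe" variant reproduces the log injection pattern a scanner flags; the
# "safe" variant neutralizes line breaks so one log call always yields one line.

def format_login_unsafe(username: str, success: bool) -> str:
    # Vulnerable: the username is embedded verbatim, so a value containing "\n"
    # terminates the entry and appends a second, forged-looking log line.
    return f"login user={username} success={success}"

def sanitize_for_log(value: str) -> str:
    # Replace CR, LF and other control characters before logging.
    return re.sub(r"[\r\n\x00-\x1f\x7f]", "_", value)

def format_login_safe(username: str, success: bool) -> str:
    return f"login user={sanitize_for_log(username)} success={success}"

# Hardcoded credential check: AWS access key IDs have the well-known shape
# "AKIA" followed by 16 upper-case alphanumeric characters.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def find_hardcoded_aws_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, literal) for every access key ID found in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits

# Constructed source snippet; the key is AWS's documented example value, not a credential.
SAMPLE_SOURCE = '''import boto3
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"   # hardcoded: should come from the environment or a secrets store
client = boto3.client("s3", aws_access_key_id=AWS_KEY)
'''

if __name__ == "__main__":
    logging.basicConfig(format="%(message)s", level=logging.INFO)
    tainted = "alice success=True\nlogin user=admin"   # constructed tainted input
    logging.info(format_login_unsafe(tainted, False))   # prints two lines
    logging.info(format_login_safe(tainted, False))     # prints one line
    print(find_hardcoded_aws_keys(SAMPLE_SOURCE))       # [(2, 'AKIAIOSFODNN7EXAMPLE')]
```

The sanitizer keeps the log line's structure intact rather than rejecting the input, which is the usual fix for this class; the key check is a pattern match only and says nothing about whether a matched literal is live, which is why real scanners pair it with further analysis.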

Visit the CodeGuru console to integrate CodeGuru Security in your developer lifecycle. You can integrate into continuous integration and delivery (CI/CD) tools, repository scanning, and integrated development environments (IDEs).

CodeGuru Security needs read-only access to your code for the purpose of generating recommendations. Your trust, privacy, and the security of your content are our highest priority. We implement appropriate controls, including encryption in transit, to prevent unauthorized access to, or disclosure of, your content and to ensure that our use complies with our commitments to you. We also support customer managed KMS keys (CMKs) for encryption. Please see the Data Privacy FAQ for more information.

No, CodeGuru Security does not store your source code.

CodeGuru Security is trained using rule mining and supervised ML models that use a combination of logistic regression and neural networks. For example, during training for sensitive data leaks, it does a full code analysis for all code paths that use the resource or sensitive data, creates a feature set representing those, and then uses those as inputs for logistic regression models and convolutional neural networks (CNNs).

CodeGuru Security is integrated with Amazon Inspector code scanning for Lambda. Additional integrations with repositories and CI/CD tools are coming soon.

Amazon CodeGuru Profiler

Amazon CodeGuru Profiler helps developers and IT operators easily understand the runtime behavior of their applications, improve performance, and decrease infrastructure costs. Amazon CodeGuru Profiler analyzes the application's runtime profile and provides intelligent recommendations and visualizations that guide developers on how to improve the performance of the most relevant parts of their code.

A profiling group is a logical grouping created by you. It represents the boundary of one application. For example, in a microservices architecture, a profiling group would aggregate the profiles of the microservices that you have assigned to it, and produce one profile for all of them.

Logging execution time only works for a limited set of scenarios: logging can only measure latency (not CPU utilization), and it is time consuming to implement because developers have to instrument every function in an application (without impacting application performance). This leaves developers without the tools necessary to effectively monitor and troubleshoot applications in production. This is where profiling comes in: Amazon CodeGuru Profiler is designed to collect data on everything that happened in that application's behavior, regardless of scenario. CodeGuru Profiler uses a knowledge base of commonly encountered performance inefficiencies to automatically discover code patterns in your live application that impact its performance. Developers can then follow the provided recommendations to fix the issues.

Traditional application performance monitoring (APM) tools provide useful data on monitoring, tracing, and application performance. Amazon CodeGuru Profiler complements these APM capabilities by providing visualizations of the application's runtime data as well as actionable recommendations for the performance issues it discovers. It also uses machine learning to detect and alert on anomalies in your application profile, pointing to the anomalous lines of code. Amazon CodeGuru Profiler enables you to easily see the parts of code that present the biggest opportunity for performance optimization, along with potential savings, and receive guidance on how to address them without needing a deep performance engineering background. Amazon CodeGuru Profiler profiles EC2 instances, containers, and serverless compute platforms including AWS Lambda, as well as on-premises hosts. Furthermore, some standalone profilers are designed to run only in test environments, while Amazon CodeGuru Profiler was designed to run continuously in production, under production traffic loads, and without impact to the application. This is useful when troubleshooting operational issues in production, including when running on bare metal hosts.

Amazon CodeGuru Profiler works with applications hosted on Amazon EC2, containerized applications running on Amazon ECS and Amazon EKS, as well as serverless applications running on AWS Fargate and AWS Lambda. Furthermore, you can run Amazon CodeGuru Profiler on-premises.

Amazon CodeGuru Profiler's agent uses the resources (CPU, memory) allocated to the AWS Lambda function. It is tuned to have minimal impact on your application's performance while it runs as an in-process thread. If your application consumes most of the resources allocated to the Lambda function, consider increasing them so the agent can function properly.

CodeGuru Profiler currently supports Java, Python (in preview), and JVM languages such as Scala and Kotlin.

Amazon CodeGuru Profiler consists of three parts: an agent, the profiler service, and intelligent recommendations. The agent is started with your application on the command line and it runs as an in-process thread as part of your application. It takes data from each of your service instances running the agent and sends them to the profiler service every five minutes, which then aggregates them. Amazon CodeGuru Profiler then publishes the profile data in interactive flame graphs that enable you to visualize the performance of your application. Amazon CodeGuru Profiler also continuously scans the profiled data and compares it against Amazon and performance engineering best practices and proactively alerts you with intelligent recommendations when performance issues are discovered. It also uses machine learning to continuously analyze application runtime data and alerts when it detects anomalies in the application profile and points to the anomalous lines of code.
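
The agent mechanism described above, an in-process thread that periodically captures the application's call stacks and aggregates them into the stack-count data a flame graph is drawn from, is easy to illustrate in miniature. The following Python is an added teaching example written for this FAQ; it is not the CodeGuru Profiler agent and does not send anything to a service. It samples the calling thread's stack on a fixed interval using `sys._current_frames()`, folds identical stacks into counts, and reports which functions were most often the innermost frame. The workload (`expensive_loop`, `handle_request`) is constructed.

```python
import sys
import threading
import time
from collections import Counter

# Constructed illustration of in-process sampling: a background thread snapshots the
# target thread's stack every few milliseconds and aggregates identical stacks.

class StackSampler:
    def __init__(self, target_thread_id: int, interval_s: float = 0.005):
        self.target_thread_id = target_thread_id
        self.interval_s = interval_s
        self.samples: Counter = Counter()      # (outermost, ..., innermost) -> count
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> Counter:
        self._stop.set()
        self._thread.join()
        return self.samples

    def _run(self) -> None:
        while not self._stop.is_set():
            # Snapshot of every thread's current frame; pick the one we profile.
            frame = sys._current_frames().get(self.target_thread_id)
            if frame is not None:
                stack = []
                while frame is not None:
                    stack.append(frame.f_code.co_name)
                    frame = frame.f_back
                self.samples[tuple(reversed(stack))] += 1
            time.sleep(self.interval_s)

def hot_leaves(samples: Counter) -> Counter:
    """Self-time view: how often each function was the innermost frame."""
    leaves = Counter()
    for stack, n in samples.items():
        leaves[stack[-1]] += n
    return leaves

# Constructed workload with one obviously expensive function.
def expensive_loop(iterations: int) -> int:
    total = 0
    for i in range(iterations):
        total += (i * i) % 7
    return total

def handle_request() -> int:
    return expensive_loop(200_000)

def profile_workload(seconds: float = 0.3) -> Counter:
    """Run the workload under the sampler and return the folded stack counts."""
    sampler = StackSampler(threading.get_ident())
    sampler.start()
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        handle_request()
    return sampler.stop()

if __name__ == "__main__":
    samples = profile_workload()
    for stack, n in samples.most_common(3):
        print(n, ";".join(stack))   # folded-stack lines, the usual flame graph input
    print(hot_leaves(samples).most_common(3))
```

Sampling rather than instrumenting is what keeps the overhead low enough to run continuously in production: the workload code is untouched, and the cost is one stack walk per interval regardless of how many functions the application has.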

CodeGuru Profiler profiles CPU (active CPU and wall clock time) and memory (heap summary) for Java and other JVM languages and CPU (wall clock time) for Python applications.

Yes, once you enable memory profiling and you start profiling, CodeGuru Profiler will collect both CPU and memory information for your application. You only need one profiling group to get both CPU and memory data for a given application.

CodeGuru Profiler offers heap summary information. Heap summary offers a consolidated view of the memory utilization per object type (e.g., String, int, char[]), and custom types, during a given time frame (usually 5 minutes). CodeGuru Profiler tracks both the summed-up sizes of objects and their count. These metrics are presented in a timeline graph, so you can easily spot trends and peaks of memory utilization per object type.

Heap summary is useful in two scenarios. First, you can spot potential memory leaks. A constantly growing memory utilization curve for one or more object types may indicate a leak, possibly leading to out-of-memory errors and application crashes. The second scenario is when you want to optimize the memory footprint of your application. In this case the breakdown of memory utilization per object type will help you know where to focus. For example, by knowing that an unexpectedly high amount of memory has been associated with a specific object type, you can focus your analysis and optimization efforts on the parts of your application that are responsible for allocating and referencing objects of that type.
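
The leak-spotting use of a per-type heap summary described above can be reproduced on a small scale. The following Python is an added example for this FAQ, built on the standard `gc` module rather than on CodeGuru Profiler's agent: it takes per-type live-object counts before and after a batch of simulated requests, reports the types whose count grew, and contrasts a handler that retains every record in an unbounded list with one that uses a bounded buffer. `RequestRecord`, the two handlers and the request counts are constructed.

```python
import gc
from collections import Counter, deque

# Constructed illustration of the heap-summary idea: count live objects per type,
# diff two snapshots, and flag types whose population keeps growing.

def heap_summary() -> Counter:
    """Count live, GC-tracked objects by type name (a per-type 'heap summary')."""
    counts = Counter()
    for obj in gc.get_objects():
        counts[type(obj).__name__] += 1
    return counts

def growing_types(before: Counter, after: Counter, min_growth: int = 100) -> dict:
    """Types whose live count grew by at least min_growth between two snapshots."""
    return {name: after[name] - before[name]
            for name in after if after[name] - before[name] >= min_growth}

class RequestRecord:
    def __init__(self, request_id: int):
        self.request_id = request_id
        self.payload = "x" * 64

# Leaky: an unbounded module-level list keeps every record reachable forever,
# so the RequestRecord count climbs with every request handled.
_leaky_log: list = []

def handle_request_leaky(request_id: int) -> None:
    _leaky_log.append(RequestRecord(request_id))

# Fixed: a bounded buffer evicts the oldest records, so the count plateaus.
_bounded_log: deque = deque(maxlen=50)

def handle_request_bounded(request_id: int) -> None:
    _bounded_log.append(RequestRecord(request_id))

def simulate(handler, n_requests: int = 1000) -> dict:
    """Run handler n_requests times and return the types that grew in between."""
    gc.collect()                 # drop garbage so only retained objects are counted
    before = heap_summary()
    for i in range(n_requests):
        handler(i)
    gc.collect()
    after = heap_summary()
    return growing_types(before, after)

if __name__ == "__main__":
    print("leaky:  ", simulate(handle_request_leaky))    # RequestRecord grows by 1000
    print("bounded:", simulate(handle_request_bounded))  # no type grows by 100 or more
```

Two snapshots are enough to show the difference here; in a running service the same comparison is applied to successive time windows, and it is the monotonically rising series for one type, not a single high count, that points at a leak.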