AWS Brings Secrets Detection Capability to CodeGuru Reviewer

Amazon Web Services (AWS) is giving developers the ability to scan their code for embedded "secrets," or highly sensitive data, such as passwords, user names and access tokens.

Amazon CodeGuru Reviewer Secrets Detector is now generally available, AWS announced Monday as part of its 2021 re:Invent conference, taking place this week. It's an expansion of the existing CodeGuru Reviewer product, which scans code for potential issues like security bugs.

The CodeGuru Reviewer Secrets Detector works with AWS Secrets Manager to help prevent developers from deploying code written in Python or Java with secrets inadvertently hard-coded in it. AWS developer advocate Alex Casalboni described how that mistake could happen in a blog post Monday:

Like many other developers facing a strict deadline, I've often taken shortcuts when managing and consuming secrets in my code, using plaintext environment variables or hard-coding static secrets during local development, and then inadvertently committed them. Of course, I've always regretted it and wished there was an automated way to detect and secure these secrets across all my repositories.

CodeGuru Reviewer Secrets Detector uses machine learning to sniff out secrets embedded in code before it goes live, he said. The Secrets Manager product then recommends ways to fix the problem.

Besides checking code, CodeGuru Reviewer Secrets Detector also checks "configuration and documentation files" for hard-coded secrets. It supports popular API providers, including GitHub, Salesforce, Slack and others (a full list of vendors is available here).
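To make the detection problem described above concrete, here is a small heuristic secrets scanner added for this article. It is not AWS code and does not use machine learning as CodeGuru Reviewer Secrets Detector does; it applies a credential-name pattern plus a literal-value check to Python, Java and configuration text, skipping values that are environment lookups or obvious placeholders, and reports each finding with the secret masked and its Shannon entropy. The sample files and the credential values in them are constructed for the example.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Constructed sample inputs: a Python module, a Java class and an INI file.
# Every credential value below is a fake value made up for this example.
SAMPLE_FILES: dict[str, str] = {
    "app.py": (
        'import os\n'
        'DB_PASSWORD = "hunter2-not-really-secret"\n'
        'api_key = os.environ.get("API_KEY")\n'
    ),
    "Client.java": (
        'public class Client {\n'
        '    private static final String SLACK_TOKEN = "xoxb-0000000000-EXAMPLEFAKEVALUE";\n'
        '    private static final String ENDPOINT = "https://example.test/api";\n'
        '}\n'
    ),
    "settings.ini": (
        '[database]\n'
        'host = db.internal.example\n'
        'password = P@ssw0rd!2021\n'
    ),
}

# File types in which a hard-coded secret must appear as a quoted string literal;
# an unquoted right-hand side there is an expression (e.g. an environment lookup).
CODE_EXTS = {".py", ".java"}

# Identifier fragments that commonly name credentials.
KEY_NAMES = r"(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)"

# name = value  /  name: value, where value is a quoted string or a bare token.
ASSIGNMENT = re.compile(
    r"\b(?P<name>[\w.-]*" + KEY_NAMES + r"[\w.-]*)\s*[=:]\s*"
    r"(?P<value>\"[^\"]+\"|'[^']+'|[^\s;,#]+)",
    re.IGNORECASE,
)

# Values that are templates or placeholders rather than real credentials.
PLACEHOLDERS = re.compile(r"^(?:changeme|x{3,}|<[^>]+>|\$\{[^}]+\}|\*+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    name: str
    masked: str      # secret with all but the first two characters hidden
    entropy: float   # Shannon entropy in bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, plain words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Never echo the full secret back into logs or review comments."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return the hard-coded secrets found."""
    findings: list[Finding] = []
    require_literal = Path(path).suffix in CODE_EXTS
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        raw = m.group("value")
        quoted = raw[0] in "\"'"
        if require_literal and not quoted:
            continue  # expression such as os.environ.get(...): not a hard-coded literal
        value = raw[1:-1] if quoted else raw
        if not value or PLACEHOLDERS.match(value):
            continue
        findings.append(
            Finding(path, line_no, m.group("name"), mask(value), round(shannon_entropy(value), 2))
        )
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook or CI step would."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.name} = {f.masked} (entropy {f.entropy})")
```

Running the block reports the three hard-coded values (`DB_PASSWORD` in app.py, `SLACK_TOKEN` in Client.java and `password` in settings.ini) and stays silent on the `api_key` line, because that value is read from the environment rather than embedded. A name-based heuristic like this is what the "machine learning" in the announcement improves on: it misses secrets assigned to unrelated names and flags test fixtures, which is why such a scanner belongs in CI as a gate with a reviewable allow-list rather than as a sole control.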

CodeGuru Reviewer Secrets Detector is available at no extra cost to CodeGuru Reviewer users.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.
