Enhancing Code Security with Amazon Q Developer’s AI-powered Productivity Tool
Joeri Malmberg
Founder at Blackbird Cloud | Experienced Cloud Architect | Building secure cloud environments for companies | 24/7 availability | Sharing cloud development insights for cloud architects, DevOps & team leads
We all know that hand-coding takes time, time we would rather spend elsewhere.
What if I told you that you can? AI tooling can take care of a lot of the grunt work for you, and make the result more secure. If you’re not already using CodeWhisperer (now Amazon Q Developer) to accelerate your coding, here’s how it works.
Amazon Q Developer, what is it?
Amazon Q Developer is a powerful tool that anticipates how you will complete the code you’re creating.
It’s machine-learning powered, generating secure, personalized code based on your existing code and comments, and offering these as options with the ‘most likely’ completion first.
This can take a lot of time out of coding, as well as time spent on debugging and security scans.
All these tasks are unavoidable when adapting or building any applications, especially for repetitive tasks like generating tests, so it’s much more efficient to have these done with the help of (semi) automated tooling.
To use Amazon Q Developer you just need to sign in with your AWS Builder ID, open the console, and start typing a line of code.
How does it work?
Amazon Q Developer uses your input, existing code, and previous inputs to make suggestions of how to complete the line.
Then it makes numerous suggestions, and you can scroll through them easily with the arrow keys until you find the one you want. In fact, you don’t even need to start typing code. You can type a comment instead, and Amazon Q Developer will search for a relevant function, code block, or snippet that matches it.
The beauty of it is that it’s not limited to small bits of code – it can generate entire functions, based on your comments.
Amazon Q Developer can offer suggestions for a wide range of languages including C# and JavaScript, so there are many possibilities.
Amazon Q Developer for integrated security scans.
Amazon Q Developer scans your code in three ways:
These scans can quickly uncover hard-to-find vulnerabilities as well as security policy violations.
Amazon Q Developer security scans use detectors from the CodeGuru Detector Library - prioritizing the most critical issues first.
In addition to finding these issues, Amazon Q Developer can offer suggested fixes for them, including code improvements.
As you might expect from something that’s designed to make life easier, running a security scan in Amazon Q Developer is very simple: you just select ‘Run Security Scan’ and you’ll get results in about a minute.
But, there are some limitations to this:
- Security scanning can only cover the active project you’re working on in the IDE and files in the workspace
- The scan is performed server-side and there are limits to the file size it can handle at one time (it can only transmit a payload up to a certain size for security and performance reasons)
- The integrated security scanning in CodeWhisperer can handle most common programming languages, but can only offer suggestions for Java, JS, and Python
- When it comes to scanning your IaC, CodeWhisperer can handle CloudFormation, Terraform, and AWS CDK (TypeScript and Python)
Provided you are using a supported programming language, Amazon Q Developer will offer suggested fixes. These are implemented easily by selecting ‘Apply Fix’ in the IDE.
If you’re working with a language other than JS, Java, or Python however, you’ll need to address the issue yourself.
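To make the scan-and-fix loop concrete, here is an added example (not code from the article, and not Amazon Q Developer’s or the CodeGuru Detector Library’s own output): a Python function that builds a SQL query by string formatting, the kind of pattern a static security scan flags, beside its parameterised fix, plus a deliberately small AST-based detector that shows the shape of a check for that pattern. The table, rows, and scanned snippet are constructed for the example; the detector only recognises f-strings and concatenation passed directly to an execute() call, and is an illustration of the idea, not a substitute for the real scanner.

```python
import ast
import sqlite3


def _setup_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_user_unsafe(conn, name):
    """Splices user input straight into the SQL text (the 'before' form)."""
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'"
    ).fetchall()


def lookup_user_safe(conn, name):
    """Hardened form: the driver binds the value, so it is data, never SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare_lookups():
    """Return (rows from unsafe, rows from safe) for one crafted name value."""
    conn = _setup_db()
    crafted = "x' OR '1'='1"           # constructed input; no such user exists
    unsafe_rows = lookup_user_unsafe(conn, crafted)  # predicate collapses to true
    safe_rows = lookup_user_safe(conn, crafted)      # literal match, no rows
    return len(unsafe_rows), len(safe_rows)


def find_string_built_queries(source):
    """Line numbers of execute() calls whose SQL is an f-string or concatenation.

    A toy stand-in for one detector rule; it does not follow assignments or
    helper functions, which a production scanner would.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "execute"
            and node.args
            and isinstance(node.args[0], (ast.JoinedStr, ast.BinOp))
        ):
            findings.append(node.lineno)
    return findings


# Constructed source snippet to scan (hypothetical file contents).
SAMPLE_SOURCE = '''\
def bad(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()

def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()
'''


def scan_sample():
    """Run the toy detector over the constructed snippet."""
    return find_string_built_queries(SAMPLE_SOURCE)


if __name__ == "__main__":
    print("rows returned (unsafe, safe):", compare_lookups())
    print("flagged lines in sample:", scan_sample())
```

The point of the pair of lookups is the one a scanner’s suggested fix makes: the query text stays constant and the driver carries the value, so applying the fix changes behaviour only for inputs that were never legitimate user names. The toy detector shows why the scanned-files check described later matters; a rule this narrow misses a query assembled in a variable two lines earlier, which is exactly the sort of gap you want to notice before treating a clean scan as proof.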
Always anticipate your next move
AI tools can speed up many complex processes and help you uncover important insights.
In the case of Q Developer, machine learning is leveraged to offer a powerful tool that predicts how you will complete the code you’re creating, based on similar code in the same repository or available publicly on the internet.
Also, it will make suggestions to improve your code, but it’s always best to perform another scan to make sure it’s 100% problem-free and secure.
You can check that a file has been scanned by looking at the log and selecting ‘Show Scanned Files’. This gives you a clear overview of all the files that have been checked and can highlight when something has been missed (which can easily happen for any number of reasons - from file size to simple oversight).
Because the suggested code snippets and functions are based (in part) on open-source resources, you may also want to trace and verify where code has come from - and that it’s from a trusted source.
Thankfully, you can easily view the sources of suggestions in Q Developer, and you can also give feedback when suggestions are inappropriate for your requirements.
This is yet another layer of security and accountability, which helps you deliver secure projects in shortened timescales. Altogether, Q Developer offers substantial benefits for extending and building applications in AWS, by accelerating development and by supporting security throughout the development process.
Excited about enhancing your code security with Amazon Q Developer?
In case you missed the LinkedIn Live tutorial, consult our website: https://www.blackbird.cloud/webinars
Or consult me, I’m happy to help!