AWS Developer Tools & CI/CD
CodeGuru
ML-powered code reviews and runtime performance profiling recommendations
Amazon CodeGuru is an ML-powered developer tool with two components: CodeGuru Reviewer, which analyzes pull requests to find bugs, security vulnerabilities, and inefficiencies; and CodeGuru Profiler, which continuously monitors application performance in production and identifies the most expensive lines of code. It is trained on millions of open source repositories and Amazon's internal code, bringing expertise that catches issues human reviewers commonly miss.
CodeGuru Reviewer: How Code Analysis Works
CodeGuru Reviewer analyzes Java, Python, JavaScript, TypeScript, CloudFormation, and Terraform code. It integrates with pull requests to post inline recommendations as PR comments.
| Finding Type | Examples | Severity |
|---|---|---|
| AWS best practices | Incorrect SDK usage, missing pagination, wrong service configuration | Medium-High |
| Security | Hardcoded credentials, SQL injection, path traversal, insecure random | Critical-High |
| Code quality | Resource leaks, null pointer risks, dead code, duplicated logic | Low-Medium |
| Concurrency | Race conditions, improper synchronization, deadlock risks | High |
| Input validation | Missing validation, injection risks | High |
| Secrets detection | API keys, passwords, tokens in code | Critical |
Reviewer supports two scan types:
| Scan Type | Trigger | Coverage | Use Case |
|---|---|---|---|
| Pull request analysis | New/updated PR | Changed files only | Continuous review on every PR |
| Repository analysis | Manual or scheduled | Entire repository | Baseline scan, legacy code audit |
CodeGuru Reviewer has a suppression mechanism: you can suppress a finding with a comment, and it will not reappear on future scans. This matters for false positives. Suppressed findings are tracked so you can audit them later.
CodeGuru Profiler: Runtime Performance Analysis
CodeGuru Profiler attaches an agent to running applications to identify CPU hotspots, latency contributors, and heap allocation patterns. It produces flame graphs and actionable recommendations.
To use Profiler, add the agent to your application:
```shell
# Python agent
pip install amazon-codeguruprofiler-python-agent
```

```python
# Add to application code
from codeguru_profiler_agent import Profiler

profiler = Profiler(
    profiling_group_name='my-app-profiling-group',
    region_name='us-east-1'
)
profiler.start()
```

```shell
# Java - add as Maven dependency and JVM agent
# -javaagent:codeguru-profiler-java-agent.jar \
# -Dcom.amazonaws.codeguruprofiler.profilingGroupName=my-app
```
| Profiling Insight Type | What It Identifies | Example Recommendation |
|---|---|---|
| CPU time | Functions consuming most CPU | Replace JSON library X with library Y |
| Latency | Slow code paths during I/O wait | Use connection pooling for database calls |
| Heap summary | Memory allocation hotspots (JVM) | Reduce string concatenation in loop |
| Lambda overhead | Cold start contributors | Reduce dependency initialization |
Profiler uses statistical sampling (not instrumentation) so it adds less than 5% overhead to application performance. It aggregates samples into 5-minute reporting periods. The agent requires an IAM role with codeguru-profiler:PostAgentProfile permission.
Integration with Source Providers and CI/CD
CodeGuru Reviewer integrates with pull request workflows via associations:
| Source Provider | Integration Method | PR Comment Mechanism |
|---|---|---|
| CodeCommit | Native AWS integration | Posts as CodeCommit PR comment |
| GitHub | CodeStar Connection | Posts as GitHub PR review comment |
| GitHub Enterprise | CodeStar Connection | Posts as GHE PR review comment |
| Bitbucket | CodeStar Connection | Posts as Bitbucket PR comment |
| GitLab | Not supported directly | Use Security Detector API |
You can also trigger scans programmatically via the AWS CLI or SDK, which enables integration into custom CI pipelines:
```shell
# Start a repository analysis scan
aws codeguru-reviewer create-code-review \
  --name my-full-scan \
  --repository-association-arn arn:aws:codeguru-reviewer:us-east-1:123456789:association:xxxxxxxx \
  --type 'RepositoryAnalysis={RepositoryHead={BranchName=main}}'

# List recommendations from a completed review
aws codeguru-reviewer list-recommendations \
  --code-review-arn arn:aws:codeguru-reviewer:us-east-1:123456789:code-review:xxxxxxxx
```
Pricing Model
| Component | Pricing Metric | Price |
|---|---|---|
| Reviewer - pull request | Per 100 lines of code analyzed | $0.75 per 100 lines (first 100k free/month) |
| Reviewer - repository analysis | Per 100 lines of code analyzed | $0.75 per 100 lines |
| Profiler | Per hour of CPU time profiled per instance | $0.005 per hour (first 250 hours free/month) |
Reviewer pricing is based on the number of lines in the changed files, not just the lines changed. A PR that touches a large file will be priced based on the full file size.
Large monorepos with PRs that touch many files can generate significant Reviewer costs. Consider configuring exclusion patterns (via aws-codeguru-reviewer.yml) to skip generated code, test fixtures, and vendor directories.
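The CLI commands in the integration section return findings that a custom pipeline still has to act on. As an added example, not code from this page or from AWS, the Python below pages through a ListRecommendations-style response and fails the build when security findings reach a chosen severity; the response field names (RecommendationSummaries, Severity, RecommendationCategory, NextToken), the sample_fetch stand-in and the findings themselves are assumptions constructed so it runs offline.

```python
"""CI gate on CodeGuru Reviewer findings (added example, not AWS code).
sample_fetch stands in for `aws codeguru-reviewer list-recommendations` so
this runs offline; field names and findings are assumed/constructed."""
from typing import Callable, Dict, Iterator, List, Optional, Tuple

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed two-page response, keyed by the NextToken that fetches each page.
SAMPLE_PAGES = {
    None: {"RecommendationSummaries": [
        {"FilePath": "src/db.py", "StartLine": 42, "Severity": "Critical",
         "RecommendationCategory": "SecurityIssues",
         "Description": "SQL query built by string concatenation"},
        {"FilePath": "src/util.py", "StartLine": 10, "Severity": "Low",
         "RecommendationCategory": "CodeInconsistencies",
         "Description": "Unused variable"}],
        "NextToken": "page-2"},
    "page-2": {"RecommendationSummaries": [
        {"FilePath": "src/auth.py", "StartLine": 7, "Severity": "Medium",
         "RecommendationCategory": "SecurityIssues",
         "Description": "Insecure random used for session token"}]},
}


def sample_fetch(next_token: Optional[str]) -> Dict:
    """Stand-in page fetcher; a real one passes next_token to the API call."""
    return SAMPLE_PAGES[next_token]


def iter_recommendations(fetch_page: Callable[[Optional[str]], Dict]) -> Iterator[Dict]:
    """Follow NextToken until none is returned; stopping after the first page
    would silently drop findings (missing pagination is itself an SDK-usage
    issue Reviewer flags)."""
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        yield from page.get("RecommendationSummaries", [])
        token = page.get("NextToken")
        if not token:
            return


def security_gate(recs: List[Dict], min_severity: str = "High",
                  category: str = "SecurityIssues") -> Tuple[bool, List[Dict]]:
    """Return (passed, blocking). Findings in `category` at or above
    `min_severity` block the merge; everything else stays informational."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = [r for r in recs
                if r.get("RecommendationCategory") == category
                and SEVERITY_RANK.get(r.get("Severity", "Info"), 0) >= threshold]
    return not blocking, blocking
```

In a pipeline step, call security_gate on list(iter_recommendations(real_fetch)) and exit non-zero when the first element is False; the blocking list gives file paths and lines for the PR comment.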
Interview Focus Points
1. What is the difference between CodeGuru Reviewer and CodeGuru Profiler?
2. What types of issues does CodeGuru Reviewer detect and what languages does it support?
3. How does CodeGuru Profiler instrument applications and what is its performance overhead?
4. How does CodeGuru Reviewer integrate with pull requests in GitHub?
5. How does the pricing model for CodeGuru Reviewer work - what drives costs?
6. What is a profiling group and how do you configure the Profiler agent?
7. How would you use CodeGuru in a security review workflow?
8. What are the limitations of CodeGuru compared to dedicated SAST tools like Checkmarx or SonarQube?