
Use CodeWhisperer to identify issues and use suggestions to improve code security in your IDE

I’ve always loved building things, but when I first began as a software developer, my least favorite part of the job was thinking about security. The security of those first lines of code just didn’t seem too important. Only after struggling through security reviews at the end of a project did I realize that a security focus at the start can save time and money, and prevent a lot of frustration.

   <p>This focus on security at the earliest phases of development is known in the DevOps community as <a href="https://aws.amazon.com/what-is/devsecops/" target="_blank" rel="noopener">DevSecOps</a>. By adopting this approach, you can identify and improve security issues early, avoiding costly rework and reducing vulnerabilities in live systems. By using the security scanning capabilities of <a href="https://aws.amazon.com/codewhisperer/" target="_blank" rel="noopener">Amazon CodeWhisperer</a>, you can identify potential security issues in your integrated development environment (IDE) as you code. After you identify these potential issues, CodeWhisperer can offer suggestions on how you can refactor to improve the security of your code early enough to help avoid the frustration of a last-minute change to your code.</p> 
   <p>In this post, I will show you how to get started with the code scanning feature of CodeWhisperer by using the <a href="https://aws.amazon.com/pycharm/" target="_blank" rel="noopener">AWS Toolkit for JetBrains extension in PyCharm</a> to identify a potentially weak hashing algorithm in your IDE, and then use CodeWhisperer suggestions to quickly cycle through possible ways to improve the security of your code.</p> 
   <h2>Overview of CodeWhisperer</h2> 
   <p>CodeWhisperer understands comments written in natural language (in English) and can generate multiple code suggestions in real time to help improve developer productivity. The code suggestions are based on a large language model (LLM) trained on Amazon and publicly available code with identified security vulnerabilities removed during the training process. For more details, see <a href="https://aws.amazon.com/codewhisperer/faqs/" target="_blank" rel="noopener">Amazon CodeWhisperer FAQs</a>.</p> 
   <p>Security scans are available in VS Code and JetBrains for Java, Python, JavaScript, C#, TypeScript, CloudFormation, Terraform, and AWS Cloud Development Kit (AWS CDK) with both Python and TypeScript. <a href="https://aws.amazon.com/codeguru/" rel="noopener" target="_blank">AWS CodeGuru Security</a> uses a detection engine and a machine learning model that uses a combination of logistic regression and neural networks, finding relationships and understanding paths through code. CodeGuru Security can detect common security issues, log injection, secrets, and insecure use of AWS APIs and SDKs. The detection engine uses a <a href="https://docs.aws.amazon.com/codeguru/detector-library/" target="_blank" rel="noopener">Detector Library</a> that has descriptions, examples, and additional information to help you understand why CodeWhisperer highlighted your code and whether you need to take action. You can start a scan manually through either the <a href="https://aws.amazon.com/visualstudiocode/" target="_blank" rel="noopener">AWS Toolkit for Visual Studio Code</a> or <a href="https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html" target="_blank" rel="noopener">AWS Toolkit for JetBrains</a>. To learn more, see <a href="https://aws.amazon.com/blogs/security/how_amazon_codeguru_security_helps_effectively_balance_security_and_velocity/" target="_blank" rel="noopener">How Amazon CodeGuru Security helps you effectively balance security and velocity</a>.</p> 
   <h2>CodeWhisperer code scan sequence</h2> 
   <p>To illustrate how PyCharm, Amazon CodeWhisperer, and Amazon CodeGuru interact, Figure 1 shows a high-level view of the interactions between PyCharm and services within AWS. For more information about this interaction, see the <a href="https://docs.aws.amazon.com/codewhisperer/" target="_blank" rel="noopener">Amazon CodeWhisperer documentation</a>.</p> 
   <div id="attachment_32564" class="wp-caption aligncenter"> 
    <img aria-describedby="caption-attachment-32564" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img1-17.png" alt="Figure 1: Sequence diagram of the security scan workflow" width="780" class="size-full wp-image-32564"> 
    <p id="caption-attachment-32564" class="wp-caption-text">Figure 1: Sequence diagram of the security scan workflow</p> 
   </div> 
   <p>Communication from PyCharm to CodeWhisperer is HTTPS authenticated by using a bearer token in the authorization header of each request. As shown in Figure 1, when you manually start a security scan from PyCharm, the sequence is as follows:</p> 
   <ol> 
    <li>PyCharm sends a request to CodeWhisperer for a presigned <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener">Amazon Simple Storage Service (Amazon S3)</a> upload URL, which initiates a request for an upload URL from CodeGuru. CodeWhisperer returns the URL to PyCharm.</li> 
    <li>PyCharm archives the code in open PyCharm tabs along with linked third-party libraries into a <a href="https://www.gzip.org/" target="_blank" rel="noopener">gzip</a> file and uploads this file directly to the S3 upload URL. The S3 bucket where the code is stored is encrypted at rest with strict access controls.</li> 
    <li>PyCharm initiates the scan with CodeWhisperer, which creates a scan job with CodeGuru. CodeWhisperer returns the scan job ID that CodeGuru created to PyCharm. </li> 
    <li>CodeGuru downloads the code from Amazon S3 and starts the code scan. </li> 
    <li>PyCharm requests the status of the scan job from CodeWhisperer, which gets the scan status from CodeGuru. If the status is pending, PyCharm keeps polling CodeWhisperer for the status until the scan job is complete.</li> 
    <li>When CodeWhisperer responds that the status of the scan job is complete, PyCharm requests the details of the security findings. The findings include the file path, line numbers, and details about the finding.</li> 
    <li>The finding details are displayed in the PyCharm code editor window and in the CodeWhisperer Security Issues window.</li> 
   </ol> 
   <h2>Walkthrough</h2> 
   <p>For this walkthrough, you will start by configuring <a href="https://www.jetbrains.com/pycharm/" target="_blank" rel="noopener">PyCharm</a> to use <a href="https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html" target="_blank" rel="noopener">AWS Toolkit for JetBrains</a>. Then you will create an <a href="https://docs.aws.amazon.com/signin/latest/userguide/sign-in-aws_builder_id.html" target="_blank" rel="noopener">AWS Builder ID</a> to authenticate the extension with AWS. Next, you will scan Python code that CodeWhisperer will identify as a potentially weak hashing algorithm, and learn how to find more details. Finally, you will learn how to use CodeWhisperer to improve the security of your code by using suggestions. </p> 
   <h3>Prerequisites</h3> 
   <p>To follow along with this walkthrough, make sure that you have the following prerequisites in place:</p> 

   <h3>Install and authenticate the AWS Toolkit for JetBrains</h3> 
   <p>This section provides step-by-step instructions on how to install and authenticate your JetBrains IDE. If you’ve already configured JetBrains or you’re using a different IDE, skip to the section <a href="https://aws.amazon.com/blogs/security/use-codewhisperer-to-identify-issues-and-use-suggestions-to-improve-code-security-in-your-ide/#identify_a_potentially_weak_hashing_algorithm">Identify a potentially weak hashing algorithm by using CodeWhisperer security scans</a>.</p> 
   <p>In this step, you will install the latest version of AWS Toolkit for JetBrains, create a new PyCharm project, sign up for an AWS Builder ID, and then use this ID to authenticate the toolkit with AWS. To authenticate with AWS, you need either an <a href="https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/builder-id.html" target="_blank" rel="noopener">AWS Builder ID</a>, <a href="https://aws.amazon.com/iam/identity-center/" target="_blank" rel="noopener">AWS IAM Identity Center</a> user details, or <a href="https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/keys-profiles-credentials.html" target="_blank" rel="noopener">AWS IAM credentials</a>. Creating an AWS Builder ID is the fastest way to get started and doesn’t require an AWS account, so that’s the approach I’ll walk you through here.</p> 
   <h4>To install the AWS Toolkit for JetBrains</h4> 
   <ol> 
    <li>Open the PyCharm IDE, and in the left navigation pane, choose <strong>Plugins</strong>.</li> 
    <li>In the search box, enter <strong>AWS Toolkit</strong>.</li> 
    <li>For the result — <strong>AWS Toolkit</strong> — choose <strong>Install</strong>.</li> 
   </ol> 
   <p>Figure 2 shows the plugins search dialog and search results for the AWS Toolkit extension.</p> 
   <div id="attachment_32565" class="wp-caption aligncenter"> 
    <img aria-describedby="caption-attachment-32565" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img2-12.png" alt="Figure 2: PyCharm plugins browser" width="780" class="size-full wp-image-32565"> 
    <p id="caption-attachment-32565" class="wp-caption-text">Figure 2: PyCharm plugins browser</p> 
   </div> 
   <h4>To create a new project</h4> 
   <ol> 
    <li>Open the PyCharm IDE.</li> 
    <li>From the menu bar, choose <strong>File &gt; New Project</strong>, and then choose <strong>Create</strong>.</li> 
   </ol> 
   <h4>To authenticate CodeWhisperer with AWS</h4> 
   <ol> 
    <li>In the navigation pane, choose the AWS icon (<img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2023/11/29/icon_aws.png" alt="AWS icon" width="28" height="23" class="size-full wp-image-32569">).</li> 
    <li>In the <strong>AWS Toolkit</strong> section, choose the <strong>Developer Tools</strong> tab.</li> 
    <li>Under <strong>CodeWhisperer</strong>, double-click the <strong>Start</strong> icon(<img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2023/11/29/icon_play.png" alt="play icon" width="18" height="19" class="size-full wp-image-32571">). 
     <div id="attachment_32572" class="wp-caption alignnone"> 
      <img aria-describedby="caption-attachment-32572" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img3-9.png" alt="Figure 3: Start CodeWhisperer" width="460" height="340" class="size-full wp-image-32572"> 
      <p id="caption-attachment-32572" class="wp-caption-text">Figure 3: Start CodeWhisperer</p> 
     </div> </li> 
    <li>In the <strong>AWS Toolkit: Add Connection</strong> section, select <strong>Use a personal email to sign up and sign in with AWS Builder ID</strong>, and then choose <strong>Connect</strong>. 
     <div id="attachment_32573" class="wp-caption alignnone"> 
      <img aria-describedby="caption-attachment-32573" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img4-7.png" alt="Figure 4: AWS Toolkit Add Connection" width="638" height="399" class="size-full wp-image-32573"> 
      <p id="caption-attachment-32573" class="wp-caption-text">Figure 4: AWS Toolkit Add Connection</p> 
     </div> </li> 
    <li>For the <strong>Sign in with AWS Builder ID</strong> dialog box, choose <strong>Open and Copy Code</strong>.</li> 
    <li>In the opened browser window, in the <strong>Authorize request</strong> section, in the <strong>Code</strong> field, paste the code that you copied in the previous step, and then choose <strong>Submit and continue</strong>. 
     <div id="attachment_32574" class="wp-caption alignnone"> 
      <img aria-describedby="caption-attachment-32574" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img5-6.png" alt="Figure 5: Authorize request page" width="435" height="476" class="size-full wp-image-32574"> 
      <p id="caption-attachment-32574" class="wp-caption-text">Figure 5: Authorize request page</p> 
     </div> </li> 
    <li>On the <strong>Create your AWS Builder ID</strong> page, do the following: 
     <ol> 
      <li>For <strong>Email address</strong>, enter a valid current email address. </li> 
      <li>Choose <strong>Next</strong>.</li> 
      <li>For <strong>Your name</strong>, enter your full name.</li> 
      <li>Choose <strong>Next</strong>. 
       <div id="attachment_32575" class="wp-caption alignnone"> 
        <img aria-describedby="caption-attachment-32575" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img6-5.png" alt="Figure 6: Create your AWS Builder ID" width="391" height="736" class="size-full wp-image-32575"> 
        <p id="caption-attachment-32575" class="wp-caption-text">Figure 6: Create your AWS Builder ID</p> 
       </div> </li> 
     </ol> </li> 
    <li>Check your inbox for an email sent from no-reply@signin.aws titled <strong>Verify your AWS Builder ID email address</strong>, and copy the verification code that’s in the email.</li> 
    <li>In your browser, on the <strong>Email verification</strong> page, for <strong>Verification code</strong>, paste the verification code, and then choose <strong>Verify</strong>. 
     <div id="attachment_32576" class="wp-caption alignnone"> 
      <img aria-describedby="caption-attachment-32576" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img7-4.png" alt="Figure 7: Email verification" width="393" height="580" class="size-full wp-image-32576"> 
      <p id="caption-attachment-32576" class="wp-caption-text">Figure 7: Email verification</p> 
     </div> </li> 
    <li>On the <strong>Choose your password page</strong>, enter a <strong>Password</strong> and <strong>Confirm password</strong>, and then choose <strong>Create AWS Builder ID</strong>.</li> 
    <li>In the <strong>Allow AWS Toolkit for JetBrains to access your data?</strong> section, choose <strong>Allow</strong>. 
     <div id="attachment_32577" class="wp-caption alignnone"> 
      <img aria-describedby="caption-attachment-32577" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img8-3.png" alt="Figure 8: Allow AWS Toolkit for JetBrains to access your data" width="550" class="size-full wp-image-32577"> 
      <p id="caption-attachment-32577" class="wp-caption-text">Figure 8: Allow AWS Toolkit for JetBrains to access your data</p> 
     </div> </li> 
    <li>To confirm that the authentication was successful, in the PyCharm IDE navigation pane, select the AWS icon (<img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2023/11/29/icon_aws.png" alt="AWS icon" width="28" height="23" class="size-full wp-image-32569">). On the <strong>AWS Toolkit</strong> window, make sure that <strong>Connected with AWS Builder ID</strong> is displayed.</li> 
   </ol> 
   <h3 id="identify_a_potentially_weak_hashing_algorithm">Identify a potentially weak hashing algorithm by using CodeWhisperer security scans</h3> 
   <p>The next step is to create a file that uses the hashing algorithm SHA-224. CodeWhisperer considers this algorithm to be potentially weak and references <a href="https://cwe.mitre.org/data/definitions/328.html" target="_blank" rel="noopener">Common Weakness Enumeration (CWE)-328</a>. In this step, you use this weak hashing algorithm instead of the recommended algorithm SHA-256 so that you can see how CodeWhisperer flags this potential issue.</p> 
   <h4>To create the file with the weak hashing algorithm (SHA-224)</h4> 
   <ol> 
    <li>Create a new file in your PyCharm project named <span>app.py</span></li> 
    <li>Copy the following code snippet and paste it in the <span>app.py</span> file. In this code snippet, <span>PBKDF2</span> is used with SHA-224, instead of the recommended SHA-256 algorithm. 
     <div class="hide-language"> 
      <pre class="unlimited-height-code"><code class="lang-text">import hashlib
import os

salt = os.urandom(8)
password = 'secret'.encode()

# Noncompliant: potentially weak algorithm used.
derivedkey = hashlib.pbkdf2_hmac('sha224', password, salt, 100000)
derivedkey.hex()</code></pre> 
      </div> </li> 
   </ol> 
   <h4>To initiate a security scan </h4> 
   <ul> 
    <li>In the <strong>AWS Toolkit</strong> section of PyCharm, on the <strong>Developer Tools</strong> tab, double-click the play icon (<img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2023/11/29/icon_play.png" alt="play icon" width="18" height="19" class="size-full wp-image-32571" />) next to <strong>Run Security Scan</strong>. This opens a new tab called <strong>CodeWhisperer Security Issues</strong> that shows the scan was initiated successfully, as shown in Figure 9. 
     <div id="attachment_32578" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-32578" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img9-3.png" alt="Figure 9: AWS Toolkit window with security scan in progress" width="740" class="size-full wp-image-32578" /> 
      <p id="caption-attachment-32578" class="wp-caption-text">Figure 9: AWS Toolkit window with security scan in progress</p> 
     </div> </li> 
   </ul> 
   <h3>Interpret the CodeWhisperer security scan results</h3> 
   <p>You can now interpret the results of the security scan.</p> 
   <h4>To interpret the CodeWhisperer results</h4> 
   <ol> 
    <li>When the security scan completes, CodeWhisperer highlights one of the rows in the main code editor window. To see a description of the identified issue, hover over the highlighted code. In our example, the issue that is displayed is CWE-327/328, as shown in Figure 10. 
     <div id="attachment_32579" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-32579" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img10-1.png" alt="Figure 10: Code highlighted with issue CWE-327,328 – Insecure hashing" width="740" class="size-full wp-image-32579" /> 
      <p id="caption-attachment-32579" class="wp-caption-text">Figure 10: Code highlighted with issue CWE-327,328 – Insecure hashing</p> 
     </div> </li> 
    <li>The issue description indicates that the algorithm used in the highlighted line might be weak. The first argument of the <span>pbkdf2_hmac</span> function shown in Figure 10 is the algorithm SHA-224, so we can assume this is the highlighted issue.</li> 
   </ol> 
   <p>CodeWhisperer has highlighted SHA-224 as a potential issue. However, to understand whether or not you need to make changes to improve the security of your code, you must do further investigation. A good starting point for your investigation is the CodeGuru <a href="https://docs.aws.amazon.com/codeguru/detector-library/" target="_blank" rel="noopener">Detector Library</a>, which powers the scanning capabilities of CodeWhisperer. The entry in the Detector Library for <a href="https://docs.aws.amazon.com/codeguru/detector-library/python/insecure-hashing/" target="_blank" rel="noopener">insecure hashing</a> provides example code and links to additional information.</p> 
   <p>This additional information reveals that the SHA-224 output is truncated and is 32 bits shorter than SHA-256. Because the output is truncated, SHA-224 is more susceptible to <a href="https://en.wikipedia.org/wiki/Collision_attack" target="_blank" rel="noopener">collision attacks</a> than SHA-256. SHA-224 has 112-bit security compared to the 128-bit security of SHA-256. A collision attack is a way to find another input that yields an identical hash created by the original input. The CodeWhisperer issue description for insecure hashing in Figure 10 describes this as a potential issue and is the reason that CodeWhisperer flagged the code. However, if the size of the hash result is important for your use case, SHA-224 might be the correct solution, and if so, you can ignore this warning. But if you don’t have a specific reason to use SHA-224 over other algorithms, you should consider the alternative suggestions that CodeWhisperer offers, which I describe in the next section.</p> 
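   <p>To make the finding above concrete, the following added example (not code from the original post, and not the CodeGuru detection engine) walks a Python syntax tree and reports <span>pbkdf2_hmac</span> calls whose digest name is in a weak list, or cannot be resolved statically. The <span>WEAK_DIGESTS</span> set, the function names, and the sample source are assumptions constructed for illustration.</p>

```python
import ast

# Assumption: digest names this local check treats as weak for PBKDF2.
WEAK_DIGESTS = {"md5", "sha1", "sha224"}

# Constructed sample: the page's app.py plus a compliant call, a keyword
# call, and a call whose digest name is held in a variable.
SAMPLE = """import hashlib
import os

salt = os.urandom(8)
password = 'secret'.encode()
derivedkey = hashlib.pbkdf2_hmac('sha224', password, salt, 100000)
fixed = hashlib.pbkdf2_hmac('sha256', password, salt, 100000)
legacy = hashlib.pbkdf2_hmac(hash_name='SHA1', password=password,
                             salt=salt, iterations=100000)
name = 'sha224'
indirect = hashlib.pbkdf2_hmac(name, password, salt, 100000)
"""


def _digest_argument(call):
    """Return the AST node holding the digest name, or None if absent."""
    for kw in call.keywords:
        if kw.arg == "hash_name":
            return kw.value
    return call.args[0] if call.args else None


def find_weak_pbkdf2(source, filename="<source>"):
    """Return sorted (line, digest) findings for pbkdf2_hmac calls.

    digest is the lower-cased string literal, or "<dynamic>" when the digest
    name is not a literal and therefore needs manual review.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            called = func.attr          # hashlib.pbkdf2_hmac(...)
        elif isinstance(func, ast.Name):
            called = func.id            # from hashlib import pbkdf2_hmac
        else:
            continue
        if called != "pbkdf2_hmac":
            continue
        arg = _digest_argument(node)
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            if arg.value.lower() in WEAK_DIGESTS:
                findings.append((node.lineno, arg.value.lower()))
        elif arg is not None:
            findings.append((node.lineno, "<dynamic>"))
    return sorted(findings)


if __name__ == "__main__":
    for line, digest in find_weak_pbkdf2(SAMPLE, "app.py"):
        print(f"app.py:{line}: pbkdf2_hmac uses {digest}")
```

   <p>A check like this reports only what is visible in the syntax tree, so the variable-held digest is surfaced for review rather than resolved.</p>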
   <h3>Use CodeWhisperer suggestions to help remediate security issues</h3> 
   <p>CodeWhisperer automatically generates suggestions in real time as you type based on your existing code and comments. Suggestions range from completing a single line of code to generating complete functions. However, because CodeWhisperer uses an LLM that is trained on vast amounts of data, you might receive multiple different suggestions. These suggestions might change over time, even when you give CodeWhisperer the same context. Therefore, you must use your judgement to decide if a suggestion is the correct solution.</p> 
   <h4>To replace the algorithm</h4> 
   <ol> 
    <li>In the previous step, you found that the first argument of the <span>pbkdf2_hmac</span> function contains the potentially vulnerable algorithm SHA-224. To initiate a suggestion for a different algorithm, delete the arguments from the function. The suggestion from CodeWhisperer was to change the algorithm from SHA-224 to SHA-256. However, because of the nature of LLMs, you could get a different suggested algorithm.</li> 
    <li>To apply this suggestion and update your code, press <strong>Tab</strong>. Figure 11 shows what the suggestion looks like in the PyCharm IDE. 
     <div id="attachment_32580" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-32580" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img11-2.png" alt="Figure 11: CodeWhisperer auto-suggestions" width="740" class="size-full wp-image-32580" /> 
      <p id="caption-attachment-32580" class="wp-caption-text">Figure 11: CodeWhisperer auto-suggestions</p> 
     </div> </li> 
   </ol> 
   <h3>Validate CodeWhisperer suggestions by rescanning the code</h3> 
   <p>Although identified security vulnerabilities were removed from the training data used for the CodeWhisperer machine learning model, it’s still possible that some suggestions will contain security vulnerabilities. Therefore, make sure that you fully understand the CodeWhisperer suggestions before you accept them and use them in your code. You are responsible for the code that you produce. In our example, other algorithms to consider are those from the SHA-3 family, such as SHA3-256. This family of algorithms is built using the <a href="https://en.wikipedia.org/wiki/Sponge_function" target="_blank" rel="noopener">sponge function</a> rather than the <a href="https://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction" target="_blank" rel="noopener">Merkle-Damgård structure</a> that the SHA-1 and SHA-2 families are built with. This means that the SHA-3 family offers greater resistance to certain security events but <a href="https://keccak.team/2017/is_sha3_slow.html" target="_blank" rel="noopener">can be slower to compute</a> in certain configurations and hardware. In this case, you have multiple options to improve the security of SHA-224. Before you decide which algorithm to use, test the performance on your target hardware. Whether you use the solution that CodeWhisperer proposes or an alternative, you should validate changes in the code by running the security scans again.</p> 
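   <p>The comparison recommended above, as an added example that is not part of the original post: it derives a key with each digest the post mentions and reports the output length and median time on the machine where it runs. The names <span>derive</span> and <span>compare</span>, the fixed password, and the run count are assumptions for illustration.</p>

```python
import hashlib
import os
import statistics
import time

# Digests named on the page: the flagged one and the two alternatives.
CANDIDATES = ("sha224", "sha256", "sha3_256")
ITERATIONS = 100_000  # same iteration count as the page's app.py


def derive(hash_name, password, salt, iterations=ITERATIONS):
    """Derive a key with PBKDF2-HMAC; output length equals the digest size."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)


def compare(password, salt, iterations=ITERATIONS, runs=3):
    """Return {hash_name: (key_length_bytes, median_seconds)}.

    A digest that this Python/OpenSSL build cannot use with PBKDF2 maps to
    None instead of aborting the comparison.
    """
    results = {}
    for name in CANDIDATES:
        timings = []
        try:
            for _ in range(runs):
                start = time.perf_counter()
                key = derive(name, password, salt, iterations)
                timings.append(time.perf_counter() - start)
        except ValueError:
            results[name] = None
            continue
        results[name] = (len(key), statistics.median(timings))
    return results


if __name__ == "__main__":
    salt = os.urandom(16)
    password = b"secret"  # constructed sample value, as in app.py
    for name, outcome in compare(password, salt).items():
        if outcome is None:
            print(f"{name:9s} not supported by this build")
        else:
            size, seconds = outcome
            print(f"{name:9s} {size * 8:4d}-bit key  {seconds * 1000:8.1f} ms")
```

   <p>Run it on the hardware that will perform the derivation in production, because relative timings differ between CPUs and library builds.</p>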
   <h4>To validate the CodeWhisperer suggestions</h4> 
   <ul> 
    <li>Choose <strong>Run Security Scan</strong> to rerun the scan. When the scan is complete, the CodeWhisperer Security Issues panel of PyCharm shows a notification that the rescan was completed successfully and no issues were found. 
     <div id="attachment_32581" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-32581" src="https://www.infracom.com.sg/wp-content/uploads/2023/12/img12-1-1.png" alt="Figure 12: Final security scan results" width="740" class="size-full wp-image-32581" /> 
      <p id="caption-attachment-32581" class="wp-caption-text">Figure 12: Final security scan results</p> 
     </div> </li> 
   </ul> 
   <h2>Conclusion</h2> 
   <p>In this blog post, you learned how to set up PyCharm with CodeWhisperer, how to scan code for potential vulnerabilities with security scans, and how to view the details of these potential issues and understand the implications. To improve the security of your code, you reviewed and accepted CodeWhisperer suggestions, and ran the security scan again, validating the suggestion that CodeWhisperer made. Although many potential security vulnerabilities are removed during training of the CodeWhisperer machine learning model, you should validate these suggestions. CodeWhisperer is a great tool to help you speed up software development, but you are responsible for accepting or rejecting suggestions.</p> 
   <p>The example in this post showed how to identify a potentially insecure hash and improve the security of the algorithm. But CodeWhisperer security scans can detect much more, such as the <a href="https://owasp.org/www-project-top-ten/" target="_blank" rel="noopener">Open Web Application Security Project (OWASP) top ten web application security risks</a>, <a href="https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html" target="_blank" rel="noopener">CWE top 25 most dangerous software weaknesses</a>, log injection, secrets, and insecure use of AWS APIs and SDKs. The detector engine behind these scans uses the searchable <a href="https://docs.aws.amazon.com/codeguru/detector-library/" target="_blank" rel="noopener">Detector Library</a> with descriptions, examples, and references for additional information.</p> 
   <p>In addition to using CodeWhisperer suggestions, you can also <a href="https://aws.amazon.com/blogs/devops/enabling-devsecops-with-amazon-codecatalyst/" target="_blank" rel="noopener">integrate security scanning into your CI/CD pipeline</a>. By combining CodeWhisperer and automated release pipeline checks, you can detect potential vulnerabilities early with validation throughout the delivery process. Catching potential issues earlier can help you resolve them quickly and reduce the chance of frustrating delays late in the delivery process.</p> 
   <p>Prioritizing security throughout the development lifecycle can help you build robust and secure applications. By using tools such as CodeWhisperer and adopting DevSecOps practices, you can foster a security-conscious culture on your development team and help deliver safer software to your users.</p> 
   <p>If you want to explore code scanning on your own, CodeWhisperer is now generally available, and the <a href="https://aws.amazon.com/blogs/aws/amazon-codewhisperer-free-for-individual-use-is-now-generally-available/" target="_blank" rel="noopener">individual tier is free for individual use</a>. With CodeWhisperer, you can enhance the security of your code and minimize potential vulnerabilities before they become significant problems.</p> 