DAILY NEWS

Stay Ahead, Stay Informed – Every Day

Advertisement
It’s not too late! Make your AWS Security Agent debut with a code review!


This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that.

https://qiita.com/amarelo_n24/items/e196b74f718c750a0e18

The penetration testing feature for AWS Security Agent (hereinafter referred to only as “Security Agent”), which was announced at AWS re:Invent 2025, has been generally available (GA). Code review and design review are still in preview as of May 25th, so those who haven’t been able to try Security Agent yet can still try these features. I wasn’t able to try penetration testing during the preview period , so I decided to at least experience code review and made my Security Agent debut!

This article reflects the author’s personal views. It is based on personal testing and should be used for reference only. Furthermore, the author has no experience in app development, so the terminology used may not be entirely accurate. Any corrections or errors in the content would be greatly appreciated.This article was written based on information as of May 25, 2026.

As mentioned above, this service was announced during AWS re:Invent 2025. It is a frontier agent that proactively protects applications throughout the entire development lifecycle in all environments (quoted from the official AWS page).

https://aws.amazon.com/security-agent/

It includes three features that became generally available (GA) in April: penetration testing, design review, and code review (the subject of this article).

Function name
Feature Overview
Status(As of 2026/5/25)

Penetration testing
Attempting to infiltrate the system from an external source to evaluate security measures.
GA

Design Review
Analyze product specifications, architecture documents, and technical designs from a security risk perspective.
Preview

Code Review
Inspect source code and repositories to detect code-level vulnerabilities.
Preview

Code security review (hereinafter referred to as “code review”) is a web application diagnostic method that falls under “SAST” (Static Application Security Testing). It is considered a vulnerability assessment that checks for flaws in the source code during the development phase before it is deployed in a test environment, and detects vulnerabilities visible at the code level.

From here, I will describe the steps to enable the Security Agent and run a code review.

Enable Security Agent

To start using Security Agent, you first need to enable it. Incidentally, simply enabling Security Agent will not incur any charges.

① Click (Set up AWS Security Agent)

② Enter (Agent Space name).③ Specify (User access configuration).

If you have enabled AWS Organizations and also enabled IAM Identity Center, you might want to select “Single sign-on (SSO) with IAM Identity Center.” I chose this option because I also run a one-person organization. Even if you haven’t enabled Organizations yet, this might be a good opportunity to try out a one-person organization.

④ Enter a service role name. If there is no suitable role available in your account, a new service role will be created.⑤ If you want to use KMS encryption, check the encryption option checkbox. If the default encryption is sufficient, uncheck the checkbox.⑥ Set tags as needed.⑦ Click (Set up AWS Security Agent).

⑧ Once you see a message indicating that the application has been successfully enabled, the Security Agent has been successfully activated.

① Click “Enable code review”.

② Add a “Connected Integration”. Click “Add”.

③ Select “Create a new account” and “GitHub,” then click “Next.”

④ Click “Open AWS Security Agent on GitHub”.

⑤ You will be redirected to the GitHub page. Click “Install”.

⑥ Click on the GitHub account that contains the repository where you want to install the AWS Security Agent GitHub App.

⑦ Click “Only select repositories” and select the repository where you want to install the GitHub App from the “Select repositories” dropdown menu.

⑧ Click “Install,” and the setup is complete when a screen like the one below appears.

⑨ Return to the following screen and click “Add” again.

⑩ Select the added integration and click “Next”.

⑪ Select the GitHub repository name and click “Next”.

⑫ Select the features to enable. If you want to perform code reviews, enable “Code review comments”. If you want to automatically remediate detected vulnerabilities, enable “Automatic remediation”. Click Connect and confirm that “Integration resource added” is displayed.

⑬ Select the code review settings and click “Next”. I selected “Security requirements and vulnerability detection results,” which is selected by default.

⑭ If you want to obtain application operation logs in CloudWatch Logs, select the log group where you want to store the logs (you need to create the log group beforehand).⑮ Create a role for service access. If you have already created one, click “Use existing service role”. If the default role is acceptable, click “Create default role”.⑯ Click “Save”.

This time, we created a default role, but I think it’s necessary to create a role with carefully considered policy settings. I’ll investigate what policies are necessary in the future.

⑰When it displays as shown below and “Ready” appears in the code review section, code review is enabled.

Add an IAM Identity Center user to allow code reviews from the application.

For testing purposes, you can access it with “Administrator Access” without creating a user, but since administrators don’t usually perform vulnerability assessments in normal operation, we’ll configure a user even for testing purposes.

① Return to the “Agent Spaces” top page and click “Add Users” from the “Web App” tab.

② Select the IAM Identity Center username you want to allow access to the Security Agent web app and click “Add users”.

③ Once the message indicating that the user has been added is displayed, click the Agent Web App URL.

④ When the following screen appears, click “Sign in” or wait a moment, and you will be redirected to the Agent Web App screen.

⑤ The screen will display as shown below, and you should confirm that the created Agent Space name is displayed.

Now, we will run the code review.

① From the Agent Web App home screen, click “Create a code review.”

② Enter a title for the code review.③ Select the previously connected GitHub repository, the created service role, and the CloudWatch log group, and click “Create a code review.”

④ Once the message indicating that the code review has been created is displayed, click “Start review.” A confirmation screen will appear, so click “Start review” again.

⑤ The message “Code review started” will be displayed. Reloading the screen will display “In progress.”

⑥ Clicking on the created code review will show the progress. Wait until completion.

This time it was completed in about an hour.

① Once completed, you can view the code review results.

② The scan results are displayed as follows. Well-known vulnerabilities such as SQL injection, cross-site scripting, and path traversal were detected.

Although it says “Completed,” it remained showing “Finalizing” for some reason.

You can download the code review results as a PDF file. This is likely for requesting corrections or sharing information with developers who do not have an AWS account, or for storing it as evidence.

① Click “Generate Report” in the upper right corner of the code review results screen.

② Edit the extraction criteria and click “Generate and Download.” The code review results will be output as a PDF file to your PC’s download folder.

Detected vulnerabilities need to be fixed. It is possible to fix them automatically instead of manually.

① Select the vulnerability you want to automatically fix and click “Fix Code.”

② Code remediation will begin.

If “Automatic remediation” is not enabled, the following error will appear. In the GitHub repository’s features management, turn on the “Automatic remediation” toggle button and save.

③ Scroll to the bottom of the screen to see the detection results for the selected vulnerability. The code remediation status will be displayed. Once the fix is ​​complete and the status changes to “COMPLETED,” a pull request is sent to GitHub.

④ Opening the pull request reveals that it was automatically created by Security Agent and details of the changes. If there are no issues with the content, merge it.

Recognizing the Importance of SAST

This code review detected many types of vulnerabilities. It’s probably difficult to uncover all vulnerabilities through human code reviews alone. I believe it’s an important service that complements human code reviews by inspecting for remaining vulnerabilities. Furthermore, I realized that web application security testing should not only utilize external attack-based testing methods like DAST (Dynamic Application Security Testing), but also SAST, which identifies vulnerabilities at the code level and provides a starting point for fixes.

Completely Eliminating Human Reviews is Not Yet Possible

I realized that Security Agent doesn’t completely replace human code reviews.

After running the automatic fix and then performing another code review, the fixed vulnerabilities were not re-detected, but several new vulnerabilities were detected. It’s possible that a detection method was added during the initial code review, or that it was a false positive, but it’s also possible that a fix in one place affected the entire code or even the entire repository.

As such, the results of the review and the recommended fixes for vulnerabilities are not always optimal for the whole system. Furthermore, there’s a risk that applying automated fixes too readily could break the entire application. I think that unless people carefully review the fixes and decide whether to automate or manual fixes, it could lead to unnecessary work being done.

Wouldn’t it be great if it could be integrated with CodeCommit?

As of May 21, 2026, it’s not possible to target CodeCommit repositories for code reviews. It was truly surprising that S3 could be targeted for code reviews, but CodeCommit couldn’t. Currently, if a user of CodeCommit wants to perform code reviews with the Security Agent, they would have to either:

Store source code files in S3 and perform code reviews there
Migrate the repository to GitHub.

Storing files in S3 is troublesome, and migrating to GitHub doesn’t seem practical. I think it would be great if it could integrate with CodeCommit to easily perform code reviews.

CodeCommit was such a valuable service that it was shut down once before returning to GA (General Availability), so I thought it was a bit of a shame that it couldn’t be integrated. I guess we can only hope for future AWS updates.

It’s been almost six months since re:Invent 2025, but I finally got to try out Security Agent. Penetration testing, once GA is available, has become difficult to implement at an individual level. The preview period doesn’t last forever. I strongly felt that you should try it as soon as possible after the announcement.

You can still relatively easily experience Security Agent through code reviews, which are still in preview, so it’s not too late! Why not make your Security Agent debut with a code review and use it as an opportunity to learn about web application security?

Also, since design reviews are still in preview, I plan to try those out soon as well.

I hope this article is helpful to someone. Thank you for reading to the end!



Source link

Re-Engineering My Portfolio: Moving from No-Code to React & Firebase



GitHub “Finish-Up-A-Thon” Challenge Submission

This is a submission for the GitHub Finish-Up-A-Thon Challenge

What I Built

I built a professional, production-ready React 18 + Vite Engineering Portfolio and Interactive Media Dashboard. As an undergraduate studying Electronic and Telecommunication Engineering, my work constantly jumps between hardware schematic designs, firmware code, web dashboards, and technical writing.

This platform isn’t just a basic resume resume layout; it’s a fully integrated software architecture. It bridges a modern dark UI framework with a robust Firebase 11 ecosystem. The system handles live data mirroring via Firestore, real-time social engagement pipelines (likes, threaded blog comments), dynamic newsletter enrollment tracking, and automated static Open Graph template injections so social platforms scrape perfect image previews whenever my work is shared.

Demo

🌐 Live Production ApplicationExplore the live deployment here: (https://kaushalyamullegama.netlify.app)

1. The Home Page & Background Canvas View

2. The Interactive Skills Bento Grid View

uploads.s3.amazonaws.com/uploads/articles/cqdtrn4w2imknigu2n96.png)

3. The Live CMS Admin Edit View

The Comeback Story

The Problem:The portfolio originally lived as a closed-source, layout-restricted mock-up draft on Wix Studio (Previous Wix Draft- (https://krbmullegama.wixstudio.com/kaushalya)). While it visually captured my style, it lacked real engineering depth. It was completely static, did not allow for any user interaction, could not dynamically display project logs or updates without opening a visual website builder, and lacked proper modern developer ergonomics.

Rebuilding from ScratchI decided to revive this static layout draft and transition it into a maintainable engineering asset. I used an advanced AI workflow to turn this project around. First, I utilized Gemini to scrape the visual assets, text structures, and image links from the original page layout, translating them into a clean Single-Page Application baseline. From there, I expanded the architecture into a full-scale React + Vite software app using GitHub Copilot.

What I changed, fixed, and added to finish it up:

The Cloud Data Layer: Centralized static data configurations in src/data/defaultContent.js with structured, automated fallbacks to local files if Firestore network connections are unavailable.

Real-time Interaction Hub: Added dynamic user spaces utilizing real-time Firestore synchronization tunnels for a live blog commenting system and client post likes.

Pre-rendered Social Previews: Integrated custom shell preprocessing commands inside package.json (npm run build runs a secondary custom script scripts/generate-shares.js) that outputs pre-rendered meta configurations inside an export wrapper. This provides beautiful social card embeds on messaging apps like WhatsApp, Discord, or X.

Responsive Layout Overhaul: Rebuilt the layout sheets with mobile-first CSS grids. The mobile navigation menu collapses smoothly, and the login dialog contextually positions itself under primary viewport coordinates on smaller devices.

My Experience with GitHub Copilot

This project went from an abandoned, locked-down draft layout to a live, production-grade cloud application in record time because GitHub Copilot acted as an experienced engineering peer right inside VS Code. Here is exactly how Copilot accelerated the development process:

Handling complex Firebase Lifecycles: Copilot was incredibly efficient when writing asynchronous state wrappers inside ContentContext.jsx and AuthContext.jsx. It generated clean error boundaries, cleanly initialized the core configurations inside src/lib/firebase.js, and anticipated subscription cleanups (unsubscribe()) to avoid database leaks.

Mathematical Vector Math: Writing custom HTML5 Canvas rendering logic manually can feel tedious. Copilot instantly scaffolded the mathematical bounding box physics for the network nodes, allowing the circuit lines to trace toward the user’s mouse movements smoothly.

Eliminating Asset Font Dependencies: To ensure total layout reliability without massive external font files slowing things down, Copilot swiftly wrote lightweight inline SVGs for all my technical branding icons and social footers.

Vite Optimization Insights: When the compiler threw chunk size optimization alerts, Copilot helped me track down the dependencies, suggesting clean lazy loading paths and code splitting strategies to keep the application lightning fast.



Source link

TipTap + Yjs + Hocuspocus saves content, but other users only see updates after a page refresh



Hi everyone, I’m working on a Next.js app with a TipTap editor and I’m trying to enable real-time collaboration with Yjs and Hocuspocus.

Current setup:

Next.js app

TipTap editor using useEditor() and EditorContent

u/tiptap/extension-collaboration

u/tiptap/extension-collaboration-cursor

u/hocuspocus/provider on the frontend

u/hocuspocus/server running separately

Postgres stores normal TipTap JSON content

Postgres also stores a base64 Yjs state

Current behavior:

User A edits a document section.

The edit saves to the database correctly.

User B can see the update only after refreshing the page.

Without refreshing, User B’s editor does not update live.

What we tried:

Started the Hocuspocus server locally.

Added the Hocuspocus WebSocket URL to the frontend.

The editor can switch between normal TipTap mode and Yjs collaboration mode.

When collaboration mode is forced, the editor reads from Yjs state instead of the normal TipTap JSON content.

If the Yjs state is empty or stale, the document appears blank.

Main question:

What is the correct way to initialize a TipTap editor with existing saved TipTap JSON and then move it into Yjs/Hocuspocus collaboration mode without blanking the document?

Specific questions:

Should the existing TipTap JSON be converted into a Y.Doc before the editor is created?

In collaboration mode, should the TipTap editor content option be undefined?

What is the best practice for saving both Yjs state and normal TipTap JSON to a database?

How can I verify that two users are connected to the same Hocuspocus document and receiving updates live?

What are common reasons Hocuspocus/Yjs appears to save correctly but does not broadcast updates to other users?

Any guidance on the correct TipTap + Yjs + Hocuspocus flow would be appreciated.



Source link