{"id":4723,"date":"2026-05-30T07:59:41","date_gmt":"2026-05-30T00:59:41","guid":{"rendered":"https:\/\/daiilynews.cu.ma\/?p=4723"},"modified":"2026-05-30T07:59:41","modified_gmt":"2026-05-30T00:59:41","slug":"its-not-too-late-make-your-aws-security-agent-debut-with-a-code-review","status":"publish","type":"post","link":"https:\/\/daiilynews.cu.ma\/?p=4723","title":{"rendered":"It&#8217;s not too late! Make your AWS Security Agent debut with a code review!"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<p>This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that.<\/p>\n<p>https:\/\/qiita.com\/amarelo_n24\/items\/e196b74f718c750a0e18<\/p>\n<p>The penetration testing feature for AWS Security Agent (hereinafter referred to only as &#8220;Security Agent&#8221;), which was announced at AWS re:Invent 2025, has been generally available (GA). Code review and design review are still in preview as of May 25th, so those who haven&#8217;t been able to try Security Agent yet can still try these features. I wasn&#8217;t able to try penetration testing during the preview period , so I decided to at least experience code review and made my Security Agent debut!<\/p>\n<p>This article reflects the author&#8217;s personal views. It is based on personal testing and should be used for reference only. Furthermore, the author has no experience in app development, so the terminology used may not be entirely accurate. Any corrections or errors in the content would be greatly appreciated.This article was written based on information as of May 25, 2026.<\/p>\n<p>As mentioned above, this service was announced during AWS re:Invent 2025. 
It is a frontier agent that proactively protects applications throughout the entire development lifecycle in all environments (quoted from the official AWS page).<\/p>\n<p>https:\/\/aws.amazon.com\/security-agent\/<\/p>\n<p>It consists of three features: penetration testing, which became generally available (GA) in April, and design review and code review, which are still in preview. Code review is the subject of this article.<\/p>\n<table>\n<thead>\n<tr><th>Function name<\/th><th>Feature overview<\/th><th>Status (as of 2026\/5\/25)<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr><td>Penetration testing<\/td><td>Attempts to break into the system from outside in order to evaluate its security measures.<\/td><td>GA<\/td><\/tr>\n<tr><td>Design review<\/td><td>Analyzes product specifications, architecture documents, and technical designs from a security risk perspective.<\/td><td>Preview<\/td><\/tr>\n<tr><td>Code review<\/td><td>Inspects source code and repositories to detect code-level vulnerabilities.<\/td><td>Preview<\/td><\/tr>\n<\/tbody>\n<\/table>\n<p>Code security review (hereinafter &#8220;code review&#8221;) is an application security testing method in the SAST (Static Application Security Testing) category. It is a vulnerability assessment that examines the source code itself during development, before anything is deployed to a test environment, and reports the vulnerabilities that are visible at the code level.<\/p>\n<p>From here, I will describe the steps to enable Security Agent and run a code review.<\/p>\n<p>  Enable Security Agent<\/p>\n<p>To start using Security Agent, you first need to enable it. Incidentally, simply enabling Security Agent does not incur any charges.<\/p>\n<p>\u2460 Click &#8220;Set up AWS Security Agent&#8221;.<\/p>\n<p>\u2461 Enter an &#8220;Agent Space name&#8221;.<\/p>\n<p>\u2462 Specify the &#8220;User access configuration&#8221;.<\/p>\n<p>If you have enabled AWS Organizations and also enabled IAM Identity Center, you might want to select &#8220;Single sign-on (SSO) with IAM Identity Center.&#8221; I chose this option because I also run a one-person organization. 
Even if you haven&#8217;t enabled Organizations yet, this might be a good opportunity to try out a one-person organization.<\/p>\n<p>\u2463 Enter a service role name. If there is no suitable role in your account, a new service role will be created.<\/p>\n<p>\u2464 If you want to use KMS encryption, check the encryption option checkbox. If the default encryption is sufficient, uncheck it. Using your own KMS key gives you control of the key policy and CloudTrail visibility of every use of the key, at the cost of managing (and paying for) the key yourself.<\/p>\n<p>\u2465 Set tags as needed.<\/p>\n<p>\u2466 Click &#8220;Set up AWS Security Agent&#8221;.<\/p>\n<p>\u2467 Once you see a message saying that the application has been enabled successfully, Security Agent is activated.<\/p>\n<p>  Enable code review<\/p>\n<p>\u2460 Click &#8220;Enable code review&#8221;.<\/p>\n<p>\u2461 Add a &#8220;Connected Integration&#8221;. Click &#8220;Add&#8221;.<\/p>\n<p>\u2462 Select &#8220;Create a new account&#8221; and &#8220;GitHub,&#8221; then click &#8220;Next.&#8221;<\/p>\n<p>\u2463 Click &#8220;Open AWS Security Agent on GitHub&#8221;.<\/p>\n<p>\u2464 You will be redirected to GitHub. Click &#8220;Install&#8221;.<\/p>\n<p>\u2465 Click the GitHub account that contains the repository where you want to install the AWS Security Agent GitHub App.<\/p>\n<p>\u2466 Click &#8220;Only select repositories&#8221; and choose the repository where you want to install the GitHub App from the &#8220;Select repositories&#8221; dropdown. Prefer this over &#8220;All repositories&#8221; so that the app&#8217;s access is limited to the repositories you actually want reviewed.<\/p>\n<p>\u2467 Click &#8220;Install&#8221;; the setup is complete when a screen like the one below appears.<\/p>\n<p>\u2468 Return to the following screen and click &#8220;Add&#8221; again.<\/p>\n<p>\u2469 Select the added integration and click &#8220;Next&#8221;.<\/p>\n<p>\u246a Select the GitHub repository name and click &#8220;Next&#8221;.<\/p>\n<p>\u246b Select the features to enable. To perform code reviews, enable &#8220;Code review comments&#8221;. To have detected vulnerabilities fixed automatically, enable &#8220;Automatic remediation&#8221;. 
Click &#8220;Connect&#8221; and confirm that &#8220;Integration resource added&#8221; is displayed.<\/p>\n<p>\u246c Select the code review settings and click &#8220;Next&#8221;. I selected &#8220;Security requirements and vulnerability detection results,&#8221; which is selected by default.<\/p>\n<p>\u246d If you want application operation logs in CloudWatch Logs, select the log group where you want to store them (the log group must be created beforehand).<\/p>\n<p>\u246e Create a role for service access. If you have already created one, click &#8220;Use existing service role&#8221;. If the default role is acceptable, click &#8220;Create default role&#8221;.<\/p>\n<p>\u246f Click &#8220;Save&#8221;.<\/p>\n<p>This time we created the default role, but I think a role with carefully considered policy settings is necessary. I will investigate what policies are required in the future.<\/p>\n<p>\u2470 When it displays as shown below and &#8220;Ready&#8221; appears in the code review section, code review is enabled.<\/p>\n<p>Add an IAM Identity Center user who is allowed to run code reviews from the web app.<\/p>\n<p>For testing purposes, you can access it with &#8220;Administrator Access&#8221; without creating a user, but since administrators do not usually perform vulnerability assessments in normal operation, we will configure a dedicated user even for testing.<\/p>\n<p>\u2460 Return to the &#8220;Agent Spaces&#8221; top page and click &#8220;Add Users&#8221; on the &#8220;Web App&#8221; tab.<\/p>\n<p>\u2461 Select the IAM Identity Center user you want to allow access to the Security Agent web app and click &#8220;Add users&#8221;.<\/p>\n<p>\u2462 Once the message indicating that the user has been added is displayed, click the Agent Web App URL.<\/p>\n<p>\u2463 When the following screen appears, click &#8220;Sign in&#8221; or wait a moment, and you will be redirected to the Agent Web App screen.<\/p>\n<p>\u2464 The screen will display as shown below, and you 
should confirm that the created Agent Space name is displayed.<\/p>\n<p>Now, we will run the code review.<\/p>\n<p>\u2460 From the Agent Web App home screen, click &#8220;Create a code review.&#8221;<\/p>\n<p>\u2461 Enter a title for the code review.<\/p>\n<p>\u2462 Select the previously connected GitHub repository, the created service role, and the CloudWatch log group, and click &#8220;Create a code review.&#8221;<\/p>\n<p>\u2463 Once the message indicating that the code review has been created is displayed, click &#8220;Start review.&#8221; A confirmation screen will appear, so click &#8220;Start review&#8221; again.<\/p>\n<p>\u2464 The message &#8220;Code review started&#8221; will be displayed. Reloading the screen will show &#8220;In progress.&#8221;<\/p>\n<p>\u2465 Clicking the created code review shows its progress. Wait until it completes.<\/p>\n<p>This time it completed in about an hour.<\/p>\n<p>\u2460 Once completed, you can view the code review results.<\/p>\n<p>\u2461 The scan results are displayed as follows. Well-known vulnerability classes such as SQL injection, cross-site scripting, and path traversal were detected.<\/p>\n<p>Although it says &#8220;Completed,&#8221; it kept showing &#8220;Finalizing&#8221; for some reason.<\/p>\n<p>You can download the code review results as a PDF file. This is likely intended for requesting fixes from, or sharing information with, developers who do not have an AWS account, or for keeping the results as evidence.<\/p>\n<p>\u2460 Click &#8220;Generate Report&#8221; in the upper right corner of the code review results screen.<\/p>\n<p>\u2461 Edit the extraction criteria and click &#8220;Generate and Download.&#8221; The code review results are written as a PDF file to your PC&#8217;s download folder.<\/p>\n<p>Detected vulnerabilities need to be fixed. 
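<\/p>\n<p>The following is an added example and is not code from the original article, from the reviewed repository, or from AWS. It shows the three finding classes reported above (SQL injection, cross-site scripting, path traversal) as a vulnerable function next to its hardened counterpart, which is the shape a remediation should take. The function names, the in-memory users table, the attack payloads and the download directory \/srv\/downloads are all constructed for the example.<\/p>\n

```python
import html
import sqlite3
from pathlib import Path


def make_db():
    """Constructed sample data: an in-memory SQLite table of users."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (name TEXT, role TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?)',
                     [('alice', 'admin'), ('bob', 'user')])
    return conn


# --- SQL injection ---------------------------------------------------------
def find_user_vulnerable(conn, name):
    """User input is spliced into the SQL text, so it can rewrite the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """Parameter binding: the driver sends the value separately from the SQL."""
    sql = 'SELECT name, role FROM users WHERE name = ?'
    return conn.execute(sql, (name,)).fetchall()


# --- Cross-site scripting --------------------------------------------------
def greeting_vulnerable(name):
    """Untrusted text is concatenated straight into HTML."""
    return '<p>Hello, ' + name + '</p>'


def greeting_fixed(name):
    """Escape for the HTML text context before concatenating.

    Attribute and JavaScript contexts need their own encoders; this one is
    only correct for text between tags.
    """
    return '<p>Hello, ' + html.escape(name, quote=True) + '</p>'


# --- Path traversal --------------------------------------------------------
def resolve_download_vulnerable(base_dir, requested):
    """Joins user input onto the base directory with no containment check.

    '..' segments survive the join, and an absolute 'requested' replaces
    base_dir entirely.
    """
    return str(Path(base_dir, requested))


def resolve_download_fixed(base_dir, requested):
    """Resolve '..' and symlinks first, then refuse anything outside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if not target.is_relative_to(base):
        raise ValueError('path escapes the download directory')
    return str(target)


def demo():
    """Run each pair on the classic attack payload and return what happened."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"
    xss_payload = '<script>alert(1)</script>'
    traversal_payload = '../../etc/passwd'
    results = {
        'sqli_vulnerable_rows': len(find_user_vulnerable(conn, sqli_payload)),
        'sqli_fixed_rows': len(find_user_fixed(conn, sqli_payload)),
        'sqli_fixed_benign_rows': len(find_user_fixed(conn, 'alice')),
        'xss_vulnerable_has_script': '<script>' in greeting_vulnerable(xss_payload),
        'xss_fixed_has_script': '<script>' in greeting_fixed(xss_payload),
        'traversal_vulnerable_path': resolve_download_vulnerable('/srv/downloads', traversal_payload),
    }
    try:
        resolve_download_fixed('/srv/downloads', traversal_payload)
        results['traversal_fixed_blocked'] = False
    except ValueError:
        results['traversal_fixed_blocked'] = True
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

<p>Each hardened form removes the sink that a SAST rule matches on (string-built SQL, raw concatenation into HTML, an unchecked path join) rather than filtering the input, which is why a re-scan should stop reporting the finding instead of merely reporting it with lower confidence.<\/p>\n<p>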
It is possible to fix them automatically instead of manually.<\/p>\n<p>\u2460 Select the vulnerability you want to fix automatically and click &#8220;Fix Code.&#8221;<\/p>\n<p>\u2461 Code remediation will begin.<\/p>\n<p>If &#8220;Automatic remediation&#8221; is not enabled, the following error will appear. In the GitHub repository&#8217;s feature management, turn on the &#8220;Automatic remediation&#8221; toggle and save.<\/p>\n<p>\u2462 Scroll to the bottom of the screen to see the detection results for the selected vulnerability. The code remediation status is displayed there. Once the fix is complete and the status changes to &#8220;COMPLETED,&#8221; a pull request is sent to GitHub.<\/p>\n<p>\u2463 Opening the pull request shows that it was created automatically by Security Agent, together with the details of the changes. If there are no issues with the content, merge it. Treat it like any other pull request: read the diff and let your CI run against it before merging.<\/p>\n<p>  Recognizing the Importance of SAST<\/p>\n<p>This code review detected many types of vulnerabilities. It is probably difficult to uncover all of them through human code reviews alone, so I believe this is an important service that complements human code review by inspecting for the vulnerabilities that remain. Furthermore, I realized that web application security testing should not rely only on external attack-based methods like DAST (Dynamic Application Security Testing), but also on SAST, which identifies vulnerabilities at the code level and gives a starting point for fixes.<\/p>\n<p>  Completely Eliminating Human Reviews is Not Yet Possible<\/p>\n<p>I realized that Security Agent does not completely replace human code reviews.<\/p>\n<p>After running the automatic fix and then performing another code review, the fixed vulnerabilities were not detected again, but several new vulnerabilities were detected. 
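<\/p>\n<p>The following is an added example, not part of the original article and not the format of any Security Agent report or API. When a re-scan after an automated fix shows new findings, the first question is whether they could have been caused by the fix at all. The script below assumes the findings of both scans have been transcribed (for instance from the PDF reports) as rule \/ file \/ function triples, and that the list of files changed by the remediation pull request was taken from the PR itself; the sample findings and file names are constructed.<\/p>\n

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # vulnerability class reported, e.g. 'sql-injection'
    path: str       # file the finding points at
    function: str   # enclosing function: survives the line shifts a fix causes

    def key(self):
        # Line numbers move when code is inserted above a finding, so matching
        # on (rule, file, function) is what keeps before/after comparison stable.
        return (self.rule, self.path, self.function)


def triage(baseline, rerun, files_changed_by_fix):
    """Classify rerun findings against the baseline scan and the fix PR.

    Returns a dict of sorted key tuples:
      fixed       - in the baseline, gone from the rerun
      persisting  - in both scans
      suspect     - new, in a file the remediation PR touched (possible side effect)
      unrelated   - new, in a file the PR did not touch (new rule or false positive)
    """
    base_keys = {f.key() for f in baseline}
    rerun_keys = {f.key() for f in rerun}
    changed = set(files_changed_by_fix)
    new = [f for f in rerun if f.key() not in base_keys]
    return {
        'fixed': sorted(base_keys - rerun_keys),
        'persisting': sorted(base_keys & rerun_keys),
        'suspect': sorted(f.key() for f in new if f.path in changed),
        'unrelated': sorted(f.key() for f in new if f.path not in changed),
    }


# Constructed sample data standing in for the two scans and the fix PR.
BASELINE = [
    Finding('sql-injection', 'app/db.py', 'find_user'),
    Finding('cross-site-scripting', 'app/views.py', 'greeting'),
    Finding('path-traversal', 'app/files.py', 'download'),
]
FIX_PR_CHANGED_FILES = ['app/db.py', 'app/views.py']
RERUN = [
    Finding('cross-site-scripting', 'app/views.py', 'greeting'),
    Finding('path-traversal', 'app/files.py', 'download'),
    Finding('insecure-deserialization', 'app/views.py', 'load_session'),
    Finding('hardcoded-credential', 'app/config.py', 'settings'),
]


def sample_triage():
    """Triage the constructed scans; see the <test> expectations for the outcome."""
    return triage(BASELINE, RERUN, FIX_PR_CHANGED_FILES)


if __name__ == '__main__':
    for bucket, keys in sample_triage().items():
        print(bucket)
        for rule, path, function in keys:
            print(f'  {rule} in {path}:{function}')
```

<p>Only the findings in the suspect bucket can be side effects of the fix and need to be read together with the PR diff; the unrelated bucket cannot have been caused by the fix, so those findings are either a detector that did not fire the first time or false positives, and they are triaged on their own merits.<\/p>\n<p>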
It is possible that a new detection rule was added between the first and second code reviews, or that the new findings are false positives, but it is also possible that a fix in one place affected other parts of the code or even the whole repository.<\/p>\n<p>As such, the review results and the recommended fixes are not always optimal for the system as a whole. Furthermore, there is a risk that applying automated fixes too readily could break the entire application. Unless people carefully review each fix and decide whether to apply the automated fix or fix it manually, I think it can lead to unnecessary work.<\/p>\n<p>  Wouldn&#8217;t it be great if it could be integrated with CodeCommit?<\/p>\n<p>As of May 21, 2026, CodeCommit repositories cannot be targeted for code reviews. It was truly surprising that S3 could be a code review target but CodeCommit could not. Currently, a CodeCommit user who wants to perform code reviews with Security Agent would have to either:<\/p>\n<ul>\n<li>Store the source code files in S3 and run the code review there<\/li>\n<li>Migrate the repository to GitHub<\/li>\n<\/ul>\n<p>Storing files in S3 is troublesome, and migrating to GitHub does not seem practical. I think it would be great if it could integrate with CodeCommit so that code reviews could be run easily.<\/p>\n<p>CodeCommit was valued enough that it was discontinued once and then returned to GA (General Availability), so I thought it was a bit of a shame that it cannot be integrated. I guess we can only hope for future AWS updates.<\/p>\n<p>It has been almost six months since re:Invent 2025, but I finally got to try Security Agent. Now that penetration testing is GA, it has become difficult to try at an individual level. The preview period does not last forever. 
I strongly felt that you should try it as soon as possible after the announcement.<\/p>\n<p>You can still experience Security Agent relatively easily through code review, which is still in preview, so it is not too late! Why not make your Security Agent debut with a code review and use it as an opportunity to learn about web application security?<\/p>\n<p>Also, since design review is still in preview, I plan to try that out soon as well.<\/p>\n<p>I hope this article is helpful to someone. Thank you for reading to the end!<\/p>\n<p><a href=\"https:\/\/dev.to\/naoyukifujita\/its-not-too-late-make-your-aws-security-agent-debut-with-a-code-review-5egk\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that. https:\/\/qiita.com\/amarelo_n24\/items\/e196b74f718c750a0e18 The penetration testing feature for AWS Security Agent (hereinafter referred to only as &#8220;Security Agent&#8221;), which was announced at AWS re:Invent 2025, has been generally available 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4724,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[676],"tags":[1533,761,765,762,763,764,1086,1689,760],"class_list":["post-4723","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech-ai","tag-aws","tag-coding","tag-community","tag-development","tag-engineering","tag-inclusive","tag-security","tag-securityagent","tag-software"],"_links":{"self":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/posts\/4723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4723"}],"version-history":[{"count":0,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/posts\/4723\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/media\/4724"}],"wp:attachment":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}