4.2.6. Pipeline Security and Code Scanning
First Principle: Security vulnerabilities are cheapest to fix when found earliest. Integrating security scanning into CI/CD pipelines catches vulnerabilities in code, dependencies, and configurations before they reach production.
Amazon CodeGuru Security (new in C03):
- Static Application Security Testing (SAST) that analyzes source code
- Detects security vulnerabilities, hardcoded credentials, and insecure patterns
- Supports Java, Python, JavaScript, and other languages
- Integrates with CodePipeline and third-party CI/CD tools
Amazon Q Developer (new in C03):
- AI-powered code recommendations including security remediation
- Suggests fixes for identified vulnerabilities
- Reviews code for security anti-patterns during development
- Available in IDEs (VS Code, JetBrains) for real-time guidance
Pipeline Security Integration Points:
| Stage | Security Check | Tool |
|---|---|---|
| Code commit | SAST code scanning | CodeGuru Security |
| Build | Dependency vulnerability check | Inspector |
| Container build | Image vulnerability scan | Inspector + ECR scanning |
| Pre-deploy | IaC template validation | CloudFormation Guard, cfn-lint |
| Post-deploy | Runtime monitoring | GuardDuty Runtime Monitoring |
⚠️ Exam Trap: CodeGuru Security scans source code (SAST). Inspector scans deployed artifacts (images, functions, instances). They operate at different pipeline stages and find different types of issues.
Scenario: A development team pushes code that contains a hardcoded database password. CodeGuru Security catches it during the code review stage, blocking the merge. The developer moves the credential to Secrets Manager and the code passes review.
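The scenario above, worked through as an added example that is not part of this guide or of CodeGuru Security: a simplified pre-merge gate that flags string literals assigned to credential-like names (a stand-in for a SAST hardcoded-credential rule), next to the remediated pattern that resolves the password from Secrets Manager at runtime. The regex rule, the two sample source files and the secret id `prod/db` are constructed assumptions.

```python
import json
import re

# Constructed sample sources, as a pre-merge SAST gate would see them. The
# first hardcodes the database password (the finding in the scenario); the
# second resolves it from Secrets Manager at runtime.
VULNERABLE_SRC = '''
DB_HOST = "db.internal"
DB_PASSWORD = "P@ssw0rd123"   # hardcoded credential
'''

REMEDIATED_SRC = '''
import boto3, json
DB_HOST = "db.internal"
secret = boto3.client("secretsmanager").get_secret_value(SecretId="prod/db")
DB_PASSWORD = json.loads(secret["SecretString"])["password"]
'''

# String literal assigned to a credential-like name. A simplified stand-in for
# a SAST hardcoded-credential rule, not CodeGuru Security's own detector.
HARDCODED_SECRET = re.compile(
    r'^\s*(?P<name>\w*(?:password|passwd|secret|api_key|token)\w*)'
    r'\s*=\s*["\'][^"\']{4,}["\']',
    re.IGNORECASE | re.MULTILINE,
)

def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for each hardcoded credential."""
    findings = []
    for m in HARDCODED_SECRET.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group("name")))
    return findings

def merge_gate(source: str) -> bool:
    """Pipeline gate: True allows the merge, False blocks it on findings."""
    return not find_hardcoded_secrets(source)

def load_db_password(secrets_client, secret_id: str = "prod/db") -> str:
    """Remediated pattern: resolve the credential at runtime from Secrets
    Manager. secrets_client is anything with boto3's get_secret_value
    signature (e.g. boto3.client("secretsmanager")); it is injected so the
    example runs offline against a fake."""
    resp = secrets_client.get_secret_value(SecretId=secret_id)
    return json.loads(resp["SecretString"])["password"]

if __name__ == "__main__":
    print("vulnerable merge allowed:", merge_gate(VULNERABLE_SRC))   # False
    print("remediated merge allowed:", merge_gate(REMEDIATED_SRC))  # True
```

In a real pipeline the gate would run in the commit stage and fail the build on any finding, which is what blocks the merge in the scenario.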
Reflection Question: Why does "shift-left" security testing in CI/CD pipelines reduce overall security costs, and what happens when scanning only occurs post-deployment?