TL;DR
CodeWhisperer is AWS's AI coding assistant with built-in security scanning. It can flag vulnerabilities like SQL injection and hardcoded secrets as you code. While it excels at AWS service integration, the generated code still needs review. Professional tier adds enterprise controls and doesn't use your code for training.
How CodeWhisperer Works
Amazon CodeWhisperer integrates into your IDE and provides real-time code suggestions:
- Code generation: Suggests complete functions based on comments and context
- Security scanning: Built-in scanning for common vulnerabilities
- Reference tracking: Identifies when suggestions match open source code
- AWS optimization: Especially strong at AWS service integration
Built-in Security Features
CodeWhisperer includes security scanning that other AI tools lack:
Security Scanning
The built-in scanner checks for:
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Hardcoded credentials
- Path traversal issues
- Insecure cryptographic practices
- Resource leaks
Pro tip: Run security scans frequently during development, not just at the end. CodeWhisperer can scan your entire project or just the current file.
Reference Tracking
When CodeWhisperer suggests code similar to open source projects, it:
- Flags the suggestion with a reference
- Shows the license of the original code
- Helps you make informed decisions about using the suggestion
AWS Integration Security
CodeWhisperer excels at AWS-specific code, but be careful with:
IAM Policies
Generated IAM policies may be overly permissive. Always review and apply least privilege:
- Check for `*` in Resource fields
- Verify Action permissions are minimal
- Use IAM Access Analyzer to validate policies
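As an added example (not part of the original article and not CodeWhisperer's own tooling), a small Python check that applies the two review points above to a policy document, with a constructed over-permissive policy beside its scoped-down form. It is a first-pass review aid; IAM Access Analyzer remains the authoritative validator.

```python
import json

# Constructed sample policies (illustration only, not real CodeWhisperer output).
# The first is the shape an assistant often suggests; the second is scoped down.
PERMISSIVE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
""")

LEAST_PRIVILEGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"}]}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return (statement_index, field, value) for each unbounded grant.

    Flags, in Allow statements only: Action "*" or service-wide "svc:*",
    Resource "*", and NotAction/NotResource (everything except the list).
    A scoped ARN such as arn:aws:s3:::bucket/prefix/* is not flagged.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "Resource", resource))
        for field in ("NotAction", "NotResource"):
            if field in stmt:
                findings.append((i, field, stmt[field]))
    return findings


if __name__ == "__main__":
    print("permissive:", find_wildcards(PERMISSIVE_POLICY))
    print("least-privilege:", find_wildcards(LEAST_PRIVILEGE_POLICY))
```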
AWS Credentials
CodeWhisperer knows AWS patterns, but may suggest placeholder credentials:
- Never commit AWS access keys
- Use IAM roles instead of access keys when possible
- Use AWS Secrets Manager for sensitive configuration
Important: Even with built-in scanning, don't rely on it exclusively. Review generated code manually and use additional security tools for production applications.
Privacy and Data Handling
Individual Tier
The free Individual tier:
- May use your code snippets to improve the service
- Lets you opt out of sharing code content
- Offers basic privacy controls
Professional Tier
The paid Professional tier:
- Code is not used for training
- Admin controls for organization
- SSO integration
- Audit logging
- Custom security policies
Configuration Best Practices
Enable Security Scanning
Make sure security scanning is enabled and run scans regularly:
- Scan on save or at regular intervals
- Review all flagged issues before committing
- Don't dismiss warnings without understanding them
Configure Reference Settings
Decide how to handle open source references:
- Filter suggestions matching certain licenses
- Block or allow specific license types
- Review references before accepting suggestions
Limitations
Even with built-in security features, be aware of limitations:
- Scanning doesn't catch all vulnerabilities
- Business logic flaws aren't detected
- Authentication design issues may not be flagged
- Generated code may have subtle security issues
Does CodeWhisperer have built-in security scanning?
Yes. CodeWhisperer includes security scanning that can detect vulnerabilities in generated code. It checks for issues like SQL injection, XSS, and hardcoded credentials. This is a differentiating feature compared to some other AI coding tools.
Is CodeWhisperer free?
CodeWhisperer offers a free Individual tier with unlimited code suggestions. The Professional tier adds admin controls, organizational policies, and additional security features for enterprise use.
Does CodeWhisperer work with non-AWS services?
Yes. While CodeWhisperer excels at AWS service integration, it supports general programming languages and frameworks. You can use it for any project, not just AWS-specific development.
How does CodeWhisperer compare to Copilot?
CodeWhisperer's key advantages are built-in security scanning and strong AWS integration. Copilot has deeper GitHub integration and may have broader training data. Both require security review of generated code.