TL;DR
Amazon CodeWhisperer is one of the safer AI coding tools available. It includes built-in security scanning, has strong privacy controls in the Professional tier, and benefits from AWS's enterprise security infrastructure. The security scanning feature automatically checks generated code for vulnerabilities. Still review all AI-generated code, but CodeWhisperer's built-in protections give it an edge.
What is Amazon CodeWhisperer?
Amazon CodeWhisperer is AWS's AI coding assistant that provides real-time code suggestions in your IDE. Now part of Amazon Q Developer, it integrates with VS Code, JetBrains IDEs, and AWS Cloud9. It's particularly strong for AWS-related code and includes built-in security scanning.
Our Verdict
What's Good
- Built-in security scanning
- Strong AWS integration
- Enterprise privacy controls
- Reference tracking
- Free tier available
What to Watch
- AWS-focused suggestions
- Fewer features than competitors
- Generated code still needs review
- Limited chat capabilities
- Smaller user community
Built-in Security Scanning
CodeWhisperer's standout feature is automatic security scanning of generated code:
Security scanning: CodeWhisperer automatically scans suggestions for security issues like credential exposure, SQL injection, and insecure cryptography before showing them to you.
What It Scans For
- Hardcoded credentials and secrets
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Insecure cryptographic practices
- OWASP Top 10 vulnerabilities
- CWE (Common Weakness Enumeration) patterns
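To make two of the categories above concrete, here is an added example (not code from the page, from AWS, or from CodeWhisperer's scanner) that places a hardcoded-credential pattern and a string-formatted SQL query beside their hardened forms, and runs a deliberately simplified, regex-based check of the kind a security scanner applies to catch them. The in-memory SQLite database, the dummy password value and the `scan_source` rules are all constructed for illustration; the real scanner's rules are not public and are not reproduced here.

```python
import os
import re
import sqlite3


# Constructed in-memory database so the example runs offline (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Pattern a scanner flags: a secret embedded in source.
DB_PASSWORD = "hunter2"          # hardcoded credential (constructed dummy value)


# Hardened form: the secret is read from the environment at run time.
def get_db_password():
    pw = os.environ.get("DB_PASSWORD")
    if not pw:
        raise RuntimeError("DB_PASSWORD is not set")
    return pw


# Pattern a scanner flags: SQL assembled by string formatting from user input,
# so the input is interpreted as part of the query text.
def find_user_vulnerable(conn, name):
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# Hardened form: a parameterized query; the driver never treats input as SQL.
def find_user_safe(conn, name):
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Simplified, pattern-based rules of the kind a security scanner applies.
# Hypothetical illustration only: this is not CodeWhisperer's rule set.
FINDINGS = [
    ("hardcoded-credential",
     re.compile(r"""^\s*\w*(password|secret|api_key|token)\w*\s*=\s*['"][^'"]+['"]""", re.I)),
    ("sql-string-formatting",
     re.compile(r"""f?['"]\s*(select|insert|update|delete)\b.*\{""", re.I)),
]


def scan_source(source: str):
    """Return (line_number, rule_id) for each source line matching a weak pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in FINDINGS:
            if pattern.search(line):
                hits.append((lineno, rule_id))
    return hits


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # input that is data to the safe query, SQL to the vulnerable one
    print("vulnerable:", find_user_vulnerable(conn, probe))   # returns both rows
    print("safe:      ", find_user_safe(conn, probe))         # returns []
    sample = 'api_key = "abc123"\nq = f"SELECT * FROM t WHERE id = {uid}"\n'
    print("findings:  ", scan_source(sample))
```

The point of the pairing is the one the review makes: a scanner can flag the formatted query and the literal secret because both are visible in the text of the code, whereas a business-logic flaw (say, a missing authorization check around `find_user_safe`) leaves no such textual signature, which is why the Limitations section below still applies.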
Limitations
While helpful, the scanning isn't comprehensive:
- Can't catch all context-specific vulnerabilities
- Business logic flaws not detected
- Some scans require Professional tier
- Not a replacement for security review
Privacy and Data Handling
| Aspect | Individual (Free) | Professional |
|---|---|---|
| Code used for training | Opt-out available | Never |
| Security scans | 50/month | 500/month + full scans |
| Admin controls | No | Yes |
| SSO integration | No | Yes |
| Usage metrics | Basic | Detailed |
Reference Tracking
CodeWhisperer includes reference tracking for code that may match training data:
- Flags suggestions similar to open source code
- Shows license information for matches
- Helps avoid potential licensing issues
- Optional filtering to exclude matches
Unlike Copilot: CodeWhisperer's reference tracking is enabled by default and more prominent, making it easier to identify potentially copied code.
CodeWhisperer vs Competitors
| Feature | CodeWhisperer | Copilot | Cursor |
|---|---|---|---|
| Security scanning | Built-in | No | No |
| Reference tracking | Yes (prominent) | Yes (optional) | No |
| Free tier | Yes (generous) | No | Limited |
| Enterprise controls | Strong (AWS IAM) | Good | Basic |
| Chat/agent features | Amazon Q | Copilot Chat | Built-in |
Best Practices
Using CodeWhisperer Safely
- Enable security scanning: Run scans on all generated code
- Check references: Review flagged code for licensing compliance
- Use Professional for sensitive projects: Better privacy guarantees
- Still review code: Security scanning isn't comprehensive
- Configure AWS IAM: Control who can use CodeWhisperer in your org
Is CodeWhisperer better than Copilot for security?
CodeWhisperer has a notable advantage with its built-in security scanning, which Copilot lacks. However, both tools can generate insecure code, and neither replaces proper security review. CodeWhisperer's scanning helps catch common issues before they reach your codebase.
Does Amazon use my code for training?
For Individual tier, code may be used to improve the service unless you opt out. Professional tier explicitly does not use customer code for training. Check your settings to confirm your preferences.
Is CodeWhisperer free?
Yes, the Individual tier is free and includes code suggestions plus 50 security scans per month. Professional tier costs $19/user/month and includes additional features and privacy guarantees.
Should I use CodeWhisperer for AWS projects?
CodeWhisperer excels at AWS-related code. It's particularly good at suggesting AWS SDK patterns, IAM policies, and CloudFormation templates. If you're building on AWS, it's a natural choice.