This article is a machine translation of the contents of the following URL, which I wrote in Japanese:
https://qiita.com/Nana_777/items/31ef1d637150409a1990
Introduction
On June 17, 2026, the Release Management feature (preview) was added to the AWS DevOps Agent at AWS Summit New York. This feature automatically performs code reviews on pull requests and determines whether they are ready for release.
This article describes our testing of the Release Management feature's review function.
Official Announcement
AWS DevOps Agent adds release management capabilities (AWS News Blog)
AWS DevOps Agent adds release management capability (What's New)
What is the Release Management feature?
The AWS DevOps Agent's Release Management feature consists of the following three main functions:
- Release Readiness Code Review — Comprehensive review using static code analysis
- Automated Verification Testing — Dynamic verification by building, running, and testing code
- Release Testing — Integration testing (manual execution) on deployed applications
Differences from traditional code review tools
| Item | Traditional Tools (SonarQube, etc.) | AWS DevOps Agent |
|---|---|---|
| Analysis Method | Static Analysis Only | Static Analysis + Dynamic Execution |
| Review Scope | Code Quality | Code Quality + Dependencies + Security + Runtime Behavior |
| Remediation Proposal | Problem Identification | Problem Identification + Specific Correction Code Example |
| Customization | Rule Settings | Define Perspectives in Natural Language (Agent Instructions) |
| Release Decision | None | 3-Stage Decision: BLOCK / Caution / Safe |
Release Decision Details
- BLOCK: Critical issues that should prevent release
- Security violations, build errors, compilation errors, dependency breaks, critical policy violations, critical access control issues
- Proceed with Caution: Issues that pose a risk but are not fatal
- Operational risks (hardcoded names, etc.), technical debt, potential performance impacts, minor best practice violations
- Safe to Release: No critical issues were detected ## Environment Settings
Pipeline Settings
*As of June 27, 2026, this feature is not available in Japan's domestic regions. Please use the Virginia region.
You can configure this from the "Pipelines" section on the AWS DevOps agent's agent space screen.
Select the GitHub repository configured in the pipeline and select "Edit".
Enable the checkboxes for automatic change review triggers and automatic validation tests.
Verification 1: Confidential Information Log Output (Review by DevOps Agent)
Introduced Problem
The code below outputs confidential information such as "password, api_key, token" to the log.
// lambda/scenarioC-auth-handler.ts
export const handler = async (event: APIGatewayProxyEvent) => {
const { username, password, api_key } = JSON.parse(event.body || '{}');
/ Log password and API key
console.log(`[LOGIN_ATTEMPT] username=${username}, password=${password}, api_key=${api_key}`);
console.log({ password, api_key, token });
console.log(`Issued token: ${jwtToken}`);
console.log(JSON.stringify(event)); // Includes Authorization header
/ // ...
};
Expected: Detect logging of sensitive information
Result
A comment regarding the issue introduced by the DevOps agent was added to the GitHub PR.
DevOps Agent Review Comments
The new handler export writes plaintext password, api_key, session token, JWT...
Automated verification testing confirmed the leak: invoking the bundled handler with placeholder credentials produced log lines containing literal password=secret123, api_key=DUMMYKEYVALUE12345, token=CALLER_TOK_PLACEHOLDER_abc...
Proposed Fixes
In addition to pointing out problems, the DevOps Agent also includes suggestions on how to fix those problems in the PR comments.
Verification 2: Custom Naming Conventions (Arbitrary Review Perspectives)
Defining Arbitrary Review Perspectives
DevOpsAgent allows you to define arbitrary review perspectives and conduct reviews based on those perspectives.
The setup procedure begins by selecting "Knowledge" from the DevOps Agent web app menu.
By selecting "Release readiness review" in the "Knowledge" menu, you can define arbitrary review criteria.
These review criteria can be written in natural language, including Japanese.
In this example, we defined a naming convention prohibiting names containing "temp" or "test" as a review criterion.
The release decision level is defined as "BLOCK".
Introduced Problem
In this test, we included functions containing "temp" or "test" in the commit.
// lambda/testNamingConvention.ts
// Function name contains "temp" or "test" ★Custom Review Criteria
export function tempCalculateTotal(items: Item[]): number { ... }
export function testFormatUserData(user: User): string { ... }
Test Results
The pull request message contained comments based on the custom review criteria.
Review Comments on the DevOps Agent
This file exports two functions whose names contain prohibited tokens for production code: tempCalculateTotal (line 10) and testFormatUserData (line 20).
Per the RELEASE_READINESS_REVIEW policy, identifiers containing
temportestare not allowed in production code paths.
Automated Verification Testing Features Confirmed from Verification
From the detailed messages and execution logs of this verification, we were able to confirm that the DevOps agent performs the following actions:
1. Build Execution
- Automated execution of multiple commands:
npm run build,npm run build:lambda,npx cdk synth --quiet - Exit code verification: Check the exit status of all commands
- Automatic detection of package.json scripts: Read the project's build script
2. Build Artifact Verification
- Understand the operation of the build script (
scripts/build-lambdas.ts) - Verify the generation of artifacts (
dist/lambda/xxx/xxx.js) - Verify the preservation of function names
3. Security Checks (3 Types)
- Confidential Information Logs: password, api_key, token, secret, Authorization Header, JWT
- IAM Wildcards:
Action: "*",Resource: "*" - Hardcoded Credentials: AWS credentials, API keys
4. Call Graph Analysis
- Analyze function callers
- Detect dead code (unused functions)
- Check CDK usage
Use Cases for DevOps Agent Reviews
Combined Use with SecurityAgent
Previously, automated vulnerability detection using SecurityAgent was possible for PRs to GitHub.
By adding reviews using DevOps agents, it becomes possible to perform comprehensive reviews in addition to the security-focused reviews provided by SecurityAgent.
While human review will still be necessary for final release execution, this approach is expected to reduce the review workload and enable higher quality, more consistent reviews.
Code Creation
↓
PR Creation
↓
Security Agent Scan (Vulnerability Detection)
↓
DevOps Agent Review (Release Decision)
├─ Release Readiness Code Review
└─ Automated Verification Testing
↓
Human Review
↓
Merge & Deploy
Building a Review Feedback Loop
We confirmed that DevOps agents can define their own review perspectives.
Based on the results of reviews from the DevOps agent's unique perspective, undetected issues can be added to Agent Instructions for continuous improvement.
This allows organizations to build their own review mechanisms tailored to their needs and drive further improvement.
Review Execution → Problem Detection → Correction
↓
Missed Issues Found
↓
Add to Agent Instructions
↓
Automatic Detection Next Time
Conclusion
AWS DevOps Agent's Release Management feature presents a new form of code review to accommodate the increasing volume of AI-generated code.
Automated reviews, customizable review criteria, provision of specific code examples beyond just review findings, and more comprehensive reviews in combination with SecurityAgent are all expected to improve the quality and efficiency of existing reviews.
Top comments (0)