
It's not too late! Make your AWS Security Agent debut with a code review!

Introduction

This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that.

https://qiita.com/amarelo_n24/items/e196b74f718c750a0e18

The penetration testing feature of AWS Security Agent (hereinafter simply "Security Agent"), announced at AWS re:Invent 2025, is now generally available (GA). Code review and design review are still in preview as of May 25th, so those who haven't been able to try Security Agent yet can still try these features. I wasn't able to try penetration testing during the preview period, so I decided to at least experience code review and made my Security Agent debut!

This article reflects the author's personal views. It is based on personal testing and should be used for reference only. Furthermore, the author has no experience in app development, so the terminology used may not be entirely accurate. Any corrections or errors in the content would be greatly appreciated.
This article was written based on information as of May 25, 2026.

What is a Security Agent?

As mentioned above, this service was announced during AWS re:Invent 2025. It is a frontier agent that proactively protects applications throughout the entire development lifecycle in all environments (quoted from the official AWS page).

https://aws.amazon.com/security-agent/

It includes three features: penetration testing, which became generally available (GA) in April, plus design review and code review (the subject of this article), which remain in preview.

Function name | Feature overview | Status (as of 2026/5/25)
Penetration testing | Attempting to infiltrate the system from an external source to evaluate security measures. | GA
Design review | Analyze product specifications, architecture documents, and technical designs from a security risk perspective. | Preview
Code review | Inspect source code and repositories to detect code-level vulnerabilities. | Preview

Code security review (hereinafter referred to as "code review") is a web application assessment method that falls under SAST (Static Application Security Testing). It is a vulnerability assessment that checks the source code for flaws during the development phase, before the code is deployed to a test environment, and detects vulnerabilities that are visible at the code level.

Security Agent Code Review

From here, I will describe the steps to enable the Security Agent and run a code review.

Enable Security Agent

To start using Security Agent, you first need to enable it. Incidentally, simply enabling Security Agent will not incur any charges.

① Click [Set up AWS Security Agent]

② Enter [Agent Space name].
③ Specify [User access configuration].

If you have enabled AWS Organizations and also enabled IAM Identity Center, you might want to select "Single sign-on (SSO) with IAM Identity Center." I chose this option because I also run a one-person organization. Even if you haven't enabled Organizations yet, this might be a good opportunity to try out a one-person organization.

④ Enter a service role name. If there is no suitable role available in your account, a new service role will be created.
⑤ If you want to use KMS encryption, check the encryption option checkbox. If the default encryption is sufficient, uncheck the checkbox.
⑥ Set tags as needed.
⑦ Click [Set up AWS Security Agent].

⑧ Once you see a message indicating that the application has been successfully enabled, the Security Agent has been successfully activated.

Enable Code Review

① Click "Enable code review".

② Add a "Connected Integration". Click "Add".

③ Select "Create a new account" and "GitHub," then click "Next."

④ Click "Open AWS Security Agent on GitHub".

⑤ You will be redirected to the GitHub page. Click "Install".

⑥ Click on the GitHub account that contains the repository where you want to install the AWS Security Agent GitHub App.

⑦ Click "Only select repositories" and select the repository where you want to install the GitHub App from the "Select repositories" dropdown menu.

⑧ Click "Install," and the setup is complete when a screen like the one below appears.

⑨ Return to the following screen and click "Add" again.

⑩ Select the added integration and click "Next".

⑪ Select the GitHub repository name and click "Next".

⑫ Select the features to enable. If you want to perform code reviews, enable "Code review comments". If you want to automatically remediate detected vulnerabilities, enable "Automatic remediation". Click Connect and confirm that "Integration resource added" is displayed.

⑬ Select the code review settings and click "Next". I selected "Security requirements and vulnerability detection results," which is selected by default.

⑭ If you want to obtain application operation logs in CloudWatch Logs, select the log group where you want to store the logs (you need to create the log group beforehand).
⑮ Create a role for service access. If you have already created one, click "Use existing service role". If the default role is acceptable, click "Create default role".
⑯ Click "Save".

This time, we created a default role, but I think it's necessary to create a role with carefully considered policy settings. I'll investigate what policies are necessary in the future.

⑰ When the screen displays as shown below and "Ready" appears in the code review section, code review is enabled.

Application User Settings

Add an IAM Identity Center user to allow code reviews from the application.

For testing purposes, you can access it with "Administrator Access" without creating a user, but since administrators don't usually perform vulnerability assessments in normal operation, we'll configure a user even for testing purposes.

① Return to the "Agent Spaces" top page and click "Add Users" from the "Web App" tab.

② Select the IAM Identity Center username you want to allow access to the Security Agent web app and click "Add users".

③ Once the message indicating that the user has been added is displayed, click the Agent Web App URL.

④ When the following screen appears, click "Sign in" or wait a moment, and you will be redirected to the Agent Web App screen.

⑤ The screen will display as shown below, and you should confirm that the created Agent Space name is displayed.

Running the Code Review

Now, we will run the code review.

① From the Agent Web App home screen, click "Create a code review."

② Enter a title for the code review.
③ Select the previously connected GitHub repository, the created service role, and the CloudWatch log group, and click "Create a code review."

④ Once the message indicating that the code review has been created is displayed, click "Start review." A confirmation screen will appear, so click "Start review" again.

⑤ The message "Code review started" will be displayed. Reloading the screen will display "In progress."

⑥ Clicking on the created code review will show the progress. Wait until completion.

Code Review Results

This time it was completed in about an hour.

① Once completed, you can view the code review results.

② The scan results are displayed as follows. Well-known vulnerabilities such as SQL injection, cross-site scripting, and path traversal were detected.

Although it says "Completed," it remained showing "Finalizing" for some reason.
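To make concrete what a SAST code review of the kind described above reports, here are the three vulnerability classes the scan flagged (SQL injection, cross-site scripting, path traversal), each written as the string-built, unescaped or unchecked pattern a static rule matches, beside its hardened form. This is an added example constructed for this article: it is not output from Security Agent and not code from the reviewed repository; the in-memory users table, the greeting page and the upload directory path are all made up.

```python
"""Three code-level flaws of the kind a SAST review reports, each beside a
hardened form. Constructed example; not Security Agent's output."""
import html
import sqlite3
from pathlib import Path

# Constructed in-memory table so the example runs offline.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "alice@example.com"), ("bob", "bob@example.com")])
_conn.commit()


def vulnerable_lookup(name: str) -> list:
    """SQL injection: the caller's input is pasted into the statement text,
    so the input can change the query's structure. A static rule for
    string-concatenated SQL reports exactly this line."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return _conn.execute(sql).fetchall()


def safe_lookup(name: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return _conn.execute(sql, (name,)).fetchall()


def vulnerable_greeting(name: str) -> str:
    """Cross-site scripting: untrusted text is interpolated into HTML unescaped."""
    return f"<p>Hello, {name}</p>"


def safe_greeting(name: str) -> str:
    """Hardened form: escape the value before placing it in HTML text content."""
    return f"<p>Hello, {html.escape(name)}</p>"


def vulnerable_path(base, requested: str) -> Path:
    """Path traversal: the caller-supplied name is joined onto the base
    directory with no check that the result stays inside it."""
    return Path(base) / requested


def safe_path(base, requested: str) -> Path:
    """Hardened form: resolve the joined path and require that it remain
    under the base directory; anything that escapes is rejected."""
    root = Path(base).resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"refusing path outside {root}: {requested!r}") from None
    return candidate


if __name__ == "__main__":
    probe = "x' OR '1'='1"                                  # constructed input
    print("vulnerable_lookup:", vulnerable_lookup(probe))   # both rows returned
    print("safe_lookup:      ", safe_lookup(probe))         # []
    print(safe_greeting("<b>bold</b>"))
    print(safe_path("/srv/app/uploads", "report.pdf"))      # hypothetical directory
```

When reviewing an automatically generated pull request for one of these findings, the question to ask is whether the change is the hardened form (bound parameter, escaping at the HTML boundary, containment check on the resolved path) and not merely a rewording that still builds the statement, markup or path from raw input.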

Downloading Code Review Results

You can download the code review results as a PDF file. This is likely for requesting corrections or sharing information with developers who do not have an AWS account, or for storing it as evidence.

① Click "Generate Report" in the upper right corner of the code review results screen.

② Edit the extraction criteria and click "Generate and Download." The code review results will be output as a PDF file to your PC's download folder.

Automatic Remediation of Detected Vulnerabilities

Detected vulnerabilities need to be fixed. It is possible to fix them automatically instead of manually.

① Select the vulnerability you want to automatically fix and click "Fix Code."

② Code remediation will begin.

If "Automatic remediation" is not enabled, the following error will appear. In the GitHub repository's features management, turn on the "Automatic remediation" toggle button and save.

③ Scroll to the bottom of the screen to see the detection results for the selected vulnerability. The code remediation status will be displayed. Once the fix is complete and the status changes to "COMPLETED," a pull request is sent to GitHub.

④ Opening the pull request reveals that it was automatically created by Security Agent and details of the changes. If there are no issues with the content, merge it.

Impressions of Conducting a Code Review with Security Agent

Recognizing the Importance of SAST

This code review detected many types of vulnerabilities. It's probably difficult to uncover all vulnerabilities through human code reviews alone. I believe it's an important service that complements human code reviews by inspecting for remaining vulnerabilities. Furthermore, I realized that web application security testing should not only utilize external attack-based testing methods like DAST (Dynamic Application Security Testing), but also SAST, which identifies vulnerabilities at the code level and provides a starting point for fixes.

Completely Eliminating Human Reviews is Not Yet Possible

I realized that Security Agent doesn't completely replace human code reviews.

After running the automatic fix and then performing another code review, the fixed vulnerabilities were not re-detected, but several new vulnerabilities were detected. It's possible that a detection method was added after the initial code review ran, or that these were false positives, but it's also possible that a fix in one place affected the whole codebase or even the entire repository.

As such, the review results and the recommended fixes for vulnerabilities are not always optimal for the system as a whole. Furthermore, there's a risk that applying automated fixes too readily could break the entire application. Unless people carefully review each fix and decide whether to apply it automatically or fix it manually, I think it could lead to unnecessary work.

Wouldn't it be great if it could be integrated with CodeCommit?

As of May 21, 2026, it's not possible to target CodeCommit repositories for code reviews. It was truly surprising that S3 could be targeted for code reviews, but CodeCommit couldn't. Currently, if a user of CodeCommit wants to perform code reviews with the Security Agent, they would have to either:

  • Store source code files in S3 and perform code reviews there
  • Migrate the repository to GitHub.

Storing files in S3 is troublesome, and migrating to GitHub doesn't seem practical. I think it would be great if it could integrate with CodeCommit to easily perform code reviews.

CodeCommit was such a valuable service that it was shut down once before returning to GA (General Availability), so I thought it was a bit of a shame that it couldn't be integrated. I guess we can only hope for future AWS updates.

Finally

It's been almost six months since re:Invent 2025, but I finally got to try out Security Agent. Now that penetration testing is GA, it has become difficult to try at an individual level. The preview period doesn't last forever. I strongly felt that you should try it as soon as possible after the announcement.

You can still relatively easily experience Security Agent through code reviews, which are still in preview, so it's not too late! Why not make your Security Agent debut with a code review and use it as an opportunity to learn about web application security?

Also, since design reviews are still in preview, I plan to try those out soon as well.

I hope this article is helpful to someone. Thank you for reading to the end!
