AWS DevOps & Developer Productivity Blog
Automate code reviews with Amazon CodeGuru Reviewer
A common problem in software development is accidentally or unintentionally merging code with bugs, defects, or security vulnerabilities into your main branch. Faulty code that reaches the production environment can cause severe outages in running applications, and finding and mitigating it there costs unnecessary time and effort.
Amazon CodeGuru Reviewer tackles this issue using automated code reviews, which allows developers to fix the issue based on automated CodeGuru recommendations before the code moves to production.
This post demonstrates how to use CodeGuru for automated code reviews and uses an AWS CodeCommit approval process to set up a code approval governance model.
Solution overview
In this post, you create an end-to-end code approval workflow and add required approvers to your repository pull requests. This can help you identify and mitigate issues before they’re merged into your main branches.
Let’s discuss the core services highlighted in our solution. CodeGuru Reviewer is a machine learning-based service for automated code reviews and application performance recommendations. CodeCommit is a fully managed and secure source control repository service. It eliminates the need to scale infrastructure to support highly available and critical code repository systems. CodeCommit allows you to configure approval rules on pull requests. Approval rules act as a gatekeeper on your source code changes. Pull requests that fail to satisfy the required approvals can’t be merged into your main branch for production deployment.
The following diagram illustrates the architecture of this solution.
The solution has three personas:
- Repository admin – Sets up the code repository in CodeCommit
- Developer – Develops the code and uses pull requests in the main branch to move the code to production
- Code approver – Completes the code review based on the recommendations from CodeGuru and either approves the code or asks for fixes for the issue
The solution workflow contains the following steps:
- The repository admin sets up the workflow, including a code repository in CodeCommit for the development group, required access to check in their code to the dev branch, integration of the CodeCommit repository with CodeGuru, and approval details.
- Developers write the code and check it in to the dev branch, then open a pull request to merge the code into the main branch.
- CodeGuru analyzes the code and reports any issues, along with recommendations based on the code quality.
- The code approver analyzes the CodeGuru recommendations and provides comments for how to fix the issue in the code.
- The developers fix the issue based on the feedback they received from the code approver.
- The code approver analyzes the CodeGuru recommendations of the updated code. They approve the code to merge if everything is okay.
- The code gets merged in the main branch upon approval from all approvers.
- An AWS CodePipeline pipeline is triggered to move the code to the preproduction or production environment based on its configuration.
In the following sections, we walk you through configuring the CodeCommit repository and creating a pull request and approval rule. We then run the workflow to test the code, review recommendations and make appropriate changes, and run the workflow again to confirm that the code is ready to be merged.
Prerequisites
Before we get started, we create an AWS Cloud9 development environment, which we use to check in the Python code for this solution. The sample Python code for the exercise is available at the link. Download the .py files to a local folder.
Complete the following steps to set up the prerequisite resources:
- Set up your AWS Cloud9 environment and access the bash terminal, preferably in the us-east-1 Region.
- Create three AWS Identity and Access Management (IAM) users and their roles for the repository admin, developer, and approver by running the AWS CloudFormation template.
Configuring IAM roles and users
- Sign in to the AWS Management Console.
- Download ‘Persona_Users.yaml’ from GitHub.
- Navigate to AWS CloudFormation and open the Create Stack drop-down to choose With new resources (standard).
- Choose Upload a template file to upload the file from your local machine.
- Enter a Stack Name such as ‘Automate-code-reviews-codeguru-blog’.
- Enter a temporary password for the IAM users.
- Choose Next, accepting the other default options.
- Select I acknowledge that AWS CloudFormation might create IAM resources with custom names, then choose Create Stack.
This template creates three IAM users (repository admin, code approver, and developer) that are required at different steps while following this post.
Configure the CodeCommit repository
Let’s start with the CodeCommit repository. The repository works as the source control for the Java and Python code.
- Sign in to the AWS Management Console as the repository admin.
- On the CodeCommit console, choose Getting started in the navigation pane.
- Choose Create repository.
- For Repository name, enter transaction_alert_repo.
- Select Enable Amazon CodeGuru Reviewer for Java and Python – optional.
- Choose Create.
The repository is created.
- On the repository details page, choose Clone HTTPS on the Clone URL menu.
- Copy the URL to use in the next step to clone the repository in the development environment.
- On the CodeGuru console, choose Repositories in the navigation pane under Reviewer.
You can see our CodeCommit repository is associated with CodeGuru.
- Sign in to the console as the developer.
- On the AWS Cloud9 console, clone the repository, using the URL that you copied in the previous step.
This action clones the repository and creates the transaction_alert_repo folder in the environment.
- Check the file in CodeCommit to confirm that the README.md file is copied and available in the CodeCommit repository.
- In the AWS Cloud9 environment, choose the transaction_alert_repo folder.
- On the File menu, choose Upload Local Files to upload the Python files from your local folder (which you downloaded earlier).
- Choose Select files and upload read_file.py and read_rule.py.
- You can see that both files are copied in the AWS Cloud9 environment under the transaction_alert_repo folder.
- Check the CodeCommit console to confirm that the read_file.py and read_rule.py files are copied in the repository.
Create a pull request
Now we create our pull request.
- On the CodeCommit console, navigate to your repository and choose Pull requests in the navigation pane.
- Choose Create pull request.
- For Destination, choose master.
- For Source, choose dev.
- Choose Compare to see any conflict details in merging the request.
- If the environments are mergeable, enter a title and description.
- Choose Create pull request.
Create an approval rule
We now create an approval rule as the repository admin.
- Sign in to the console as the repository admin.
- On the CodeCommit console, navigate to the pull request you created.
- On the Approvals tab, choose Create approval rule.
- For Rule name, enter Require an approval before merge.
- For Number of approvals needed, enter 1.
- Under Approval pool members, provide an IAM ARN value for the code approver.
- Choose Create.
Review recommendations
We can now view any recommendations regarding our pull request code review.
- As the repository admin, on the CodeGuru console, choose Code reviews in the navigation pane.
- On the Pull request tab, confirm that the code review is completed, as it might take some time to process.
- To review recommendations, choose the completed code review.
You can now review the recommendation details, as shown in the following screenshot.
- Sign in to the console as the code approver.
- Navigate to the pull request to view its details.
- On the Changes tab, confirm that the CodeGuru recommendation files are available.
- Check the details of each recommendation and provide any comments in the New comment section.
The developer can see this comment as feedback from the approver to fix the issue.
- Choose Save.
- Enter any overall comments regarding the changes and choose Save.
- Sign in to the console as the developer.
- On the CodeCommit console, navigate to the pull request, select it, and choose Changes to review the approver feedback.
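As an added example that is not part of the original post: a small Python merge gate that combines the approval rule created in the previous section with the CodeGuru recommendations reviewed here. Its inputs follow the shapes of the CodeCommit EvaluatePullRequestApprovalRules and CodeGuru Reviewer ListRecommendations responses; the sample responses, severities, file names and line numbers in it are constructed.

```python
"""Merge gate combining a CodeCommit approval-rule evaluation with CodeGuru
Reviewer findings. Input shapes follow the two AWS API responses named in the
function docstring; all sample data here is constructed for illustration."""

# Severity values CodeGuru Reviewer attaches to a recommendation, low to high.
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]


def merge_gate(evaluation, recommendations, max_severity="Medium",
               block_overrides=True):
    """Return (allowed, reasons) for one pull request revision.

    evaluation:      "evaluation" object from codecommit:EvaluatePullRequestApprovalRules
    recommendations: "RecommendationSummaries" from codeguru-reviewer:ListRecommendations
    max_severity:    highest non-security severity tolerated without a fix
    block_overrides: refuse merges whose approval rules were overridden
    """
    reasons = []
    if not evaluation.get("approved", False):
        missing = ", ".join(evaluation.get("approvalRulesNotSatisfied", []))
        reasons.append(f"approval rules not satisfied: {missing}")
    if block_overrides and evaluation.get("overridden", False):
        reasons.append("approval rules were overridden rather than satisfied")
    limit = SEVERITY_ORDER.index(max_severity)
    for rec in recommendations:
        sev = rec.get("Severity", "Info")
        category = rec.get("RecommendationCategory", "")
        # Security findings always block; other categories block above the limit.
        if category == "SecurityIssues" or SEVERITY_ORDER.index(sev) > limit:
            reasons.append(f"{sev} {category} finding at "
                           f"{rec['FilePath']}:{rec['StartLine']}")
    return (not reasons, reasons)


# Constructed samples mirroring the two review rounds in this post.
RULE_NAME = "Require an approval before merge"
EVAL_PENDING = {"approved": False, "overridden": False,
                "approvalRulesSatisfied": [], "approvalRulesNotSatisfied": [RULE_NAME]}
EVAL_APPROVED = {"approved": True, "overridden": False,
                 "approvalRulesSatisfied": [RULE_NAME], "approvalRulesNotSatisfied": []}
FIRST_REVIEW = [  # round one: CodeGuru flagged both uploaded files (constructed)
    {"FilePath": "read_file.py", "StartLine": 12, "Severity": "High",
     "RecommendationCategory": "ResourceLeaks"},
    {"FilePath": "read_rule.py", "StartLine": 3, "Severity": "Low",
     "RecommendationCategory": "CodeMaintenanceIssues"},
]
SECOND_REVIEW = []  # round two: no recommendations after the developer's fix
```

Run as a pipeline step before the merge: `merge_gate(EVAL_PENDING, FIRST_REVIEW)` blocks on both the unsatisfied rule and the High finding, while `merge_gate(EVAL_APPROVED, SECOND_REVIEW)` allows the merge.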
Make changes, rerun the code review, and merge the branches
Let’s say the developer makes the required changes in the code to address the issue and uploads the new code in the AWS Cloud9 environment. If CodeGuru doesn’t find additional issues, we can merge the branches.
- Run the following command to push the updated code to CodeCommit:
- Sign in to the console as the approver.
- Navigate to the code review.
CodeGuru hasn’t found any issue in the updated code, so there are no recommendations.
- On the CodeCommit console, you can verify the code and provide your approval comment.
- Choose Save.
- On the pull request details page, choose Approve.
Now the developer can see on the CodeCommit console that the pull request is approved.
- Sign in to the console as the developer. On the pull request details page, choose Merge.
- Select your merge strategy. For this post, we select Fast forward merge.
- Choose Merge pull request.
You can see a success message.
- On the CodeCommit console, choose Code in the navigation pane for your repository.
- Choose master from the branch list.
The read_file.py and read_rule.py files are available under the main branch.
Clean up the resources
To avoid incurring future charges, remove the resources created by this solution:
- Delete the stack from AWS CloudFormation
- Delete the AWS Cloud9 environment
- Delete the CodeCommit repository
Conclusion
This post highlighted the benefits of CodeGuru automated code reviews. You created an end-to-end code approval workflow and added required approvers to your repository pull requests. This solution can help you identify and mitigate issues before they’re merged into your main branches.
You can get started from the CodeGuru console by integrating CodeGuru Reviewer with your supported CI/CD pipeline.
For more information about automating code reviews, check out the documentation.