Black Cat Security

Amazon CodeGuru Reviewer Updates: New Predictable Pricing Model Up To 90% Lower and Python Support Moves to GA

Amazon CodeGuru helps you automate code reviews and improve code quality with recommendations powered by machine learning and automated reasoning. You can use CodeGuru Reviewer to detect potential defects and bugs that are hard to find, and CodeGuru Profiler to fine-tune the performance of your applications based on live data. The service has been generally available since June 2020; you can read more about how to get started with CodeGuru here.

While working with many customers in the last few months, we introduced security detectors, Python support in preview, and memory profiling to help customers improve code quality and save hours of developer time. We also heard resounding feedback on various areas such as the structure of pricing and language coverage. We’ve decided to address that feedback and make it even easier to adopt Amazon CodeGuru at scale within your organization.

Today I’m happy to announce two major updates for CodeGuru Reviewer:

  • There’s a brand new, easy-to-estimate pricing model with lower, fixed monthly rates based on the size of your repositories, with price reductions of up to 90%
  • Python support is now generally available (GA) with wider recommendation coverage and four updates related to Python detectors

New Predictable Pricing for CodeGuru Reviewer
CodeGuru Reviewer allows you to run full scans of your repository stored in GitHub, GitHub Enterprise, AWS CodeCommit, or Bitbucket. Also, every time you submit a pull request, CodeGuru Reviewer starts a new code review and suggests recommendations and improvements in the form of comments.

The previous pricing structure was based on the number of lines of code (LoC) analyzed per month, $0.75 per 100 LoC. We’ve heard your feedback: As a developer, you’d like to analyze your code as often as possible, create as many pull requests and branches as needed without thinking about cost, and maximize the chances of catching errors and defects before they hit production.

That’s why with the new pricing you’ll only pay a fixed monthly rate, based on the total size of your repositories: $10 per month for the first 100k lines of code across all connected repositories, and $30 per month for each additional 100k lines of code. Please note that only the largest branch in each repository counts, and that empty lines and comments aren’t counted at all.

This price structure not only makes the cost more predictable and transparent, but it will also help simplify the way you scale CodeGuru Reviewer across different teams in the organization. You still have the possibility to perform full repository scans on demand and incremental reviews on each pull request. The monthly rate includes all incremental reviews, and you get up to two full scans per repository per month included in the monthly rate. Additional full scans are charged $10 per 100k lines of code.

Basically you get all the benefits of Amazon CodeGuru and all the new detectors and integrations, but it’s up to 90% cheaper. Also, you can get started at no cost with the Free Tier for the first 90 days, up to 100k LoC. When the Free Tier expires or if you exceed the 100k LoC, you simply pay the standard rates. Check out the updated pricing page here.

Let me share a few practical examples (excluding the Free Tier):

  1. Medium-size repository of 150k LoC: In this case, your monthly rate gets rounded up to 200k lines of code, for a total of $40 per month ($10 + $30). The number of LoC is always rounded up. By the way, you could also connect one or more additional repositories totaling up to 50k lines of code (bringing the total to that 200k lines of code) for the same price. Up to 2 full scans are included for each repository.
  2. Three repositories of 300k LoC each (the equivalent of a large repository of 900k LoC): In this case, your monthly rate is $250 ($10 for the first 100k lines of code, plus $240 for the remaining 800k lines of code). Up to 2 full scans are included for each repository.
  3. Small repository of 70k LoC, with 10 full scans every month: In this case, your monthly rate is only $10 for the number of LoC, plus $60 for the eight additional full scans beyond the two included (560k LoC, rounded up), for a total of $70 per month.
  4. Small repository with 50 active branches, the largest branch containing 10k LoC, and 300 pull requests every month: Simple, just $10 per month. Up to 2 full scans are included for each repository.
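The four scenarios above follow from a handful of rules (largest branch only, rounding up to 100k blocks across all connected repositories, two included full scans per repository, additional full scans billed per 100k lines analyzed). The calculator below is an added example, not an official AWS tool; the rates are the ones stated in this post, the Free Tier is ignored as in the examples, and billing a connected repository at least the base rate is an assumption.

```python
"""Estimate a monthly CodeGuru Reviewer bill under the pricing described in this post.
Added example: rates and rounding rules come from the post; the Free Tier is ignored."""
import math

BASE_RATE = 10            # USD for the first 100k lines across all repositories
ADDITIONAL_RATE = 30      # USD per additional 100k lines
FULL_SCAN_RATE = 10       # USD per 100k lines analyzed by additional full scans
BLOCK = 100_000           # lines of code per billing block
INCLUDED_FULL_SCANS = 2   # full scans included per repository per month


def size_blocks(total_loc):
    """Round the combined line count up to whole 100k blocks (the post: 'always rounded up').
    Assumption: a connected repository is billed at least the base rate, hence the minimum of 1."""
    return max(1, math.ceil(total_loc / BLOCK))


def monthly_cost(repositories):
    """repositories: list of (largest_branch_loc, full_scans_this_month) per repository.
    Only the largest branch counts, and the caller passes counts that already exclude
    empty lines and comments, as the post says those are not counted."""
    total_loc = sum(loc for loc, _ in repositories)
    size_cost = BASE_RATE + ADDITIONAL_RATE * (size_blocks(total_loc) - 1)

    # Full scans beyond the two included are billed on the lines they analyze,
    # aggregated and rounded up to 100k blocks (example 3: 8 x 70k = 560k -> $60).
    extra_scan_loc = sum(max(0, scans - INCLUDED_FULL_SCANS) * loc
                         for loc, scans in repositories)
    scan_cost = FULL_SCAN_RATE * math.ceil(extra_scan_loc / BLOCK)
    return size_cost + scan_cost


if __name__ == "__main__":
    # The four scenarios from the post; pull request and branch counts do not matter.
    for label, repos in [
        ("150k LoC", [(150_000, 2)]),
        ("3 x 300k LoC", [(300_000, 2)] * 3),
        ("70k LoC, 10 full scans", [(70_000, 10)]),
        ("10k LoC, 300 PRs", [(10_000, 2)]),
    ]:
        print(f"{label}: ${monthly_cost(repos)} per month")
```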

The new pricing will apply starting in April, both for new repositories connected from April 6th, 2021 onward and for repositories already connected up to April 5th, 2021. We expect the large majority of use cases to see a considerable cost reduction. Unless you need to perform full repository scans multiple times a day (this is quite an edge case), most small repositories up to 100k LoC will be charged only a predictable and affordable fee of $10 per month after the 90-day trial, regardless of the number of branches, contributors, or pull requests. Now you can develop and iterate on your code repositories — knowing that CodeGuru will review your code and find potential issues — without worrying about unpredictable costs.

Give CodeGuru Reviewer a try and connect your first repository in the CodeGuru console.

Python Support for CodeGuru Reviewer Now Generally Available
Python Support for CodeGuru Reviewer has been available in preview since December 2020. It allows you to improve your Python applications by suggesting optimal usage of data structures and concurrency. It helps you follow Python best practices for control flow, error handling, and the standard library. Last but not least, it offers recommendations about scientific/math operations and AWS best practices. These suggestions are useful for both beginners and expert developers, and for small and large teams who are passionate about code quality.

With today’s announcement of general availability, you’ll find four main updates related to Python detectors:

  • Increased coverage and precision for existing detectors: Many Python best practices have been integrated into the existing detectors related to standard library, data structures, control flow, and error handling. For example, CodeGuru Reviewer will warn you in case your code is creating a temporary file insecurely, using float numbers instead of decimal for scientific computation that requires maximum precision, or confusing equality with identity. These warnings will help you avoid security vulnerabilities, performance issues, and bugs in general.
  • Improved detector for resource leaks: During the preview, this detector only focused on open file descriptors; now it generates recommendations about a broader set of potential resource leaks such as connections, sessions, sockets, and multiprocessing thread pools. For example, you may implement a Python function that opens a new socket and then forget to close it. This is quite common and it doesn’t immediately turn into a problem, but resource leaks can cause your system to slow down or even crash in the long run. CodeGuru Reviewer will suggest closing the socket or wrapping it in a with statement. As a reminder, this detector is available for Java as well.
  • New code maintainability detector: This new detector helps you identify code issues related to aspects that usually make code bases harder to read, understand, and maintain, such as code complexity and tight coupling. For example, imagine that you’ve spent a couple of hours implementing a simple prototype and then you decide to integrate it with your production code as is. Because you were rushing a bit, this prototype may include a huge Python function with 50+ lines of code ranging from input validation, data preparation, some API calls, and a final write to disk. CodeGuru Reviewer will suggest you refactor this code into smaller, reusable, and loosely coupled functions that are easier to test and maintain.
  • New input validation detector: This new detector helps you identify situations where some functions or classes may benefit from additional validation of input parameters, especially when these parameters are likely to be user-generated or dynamic. For example, you may have implemented a Python function that takes an environment name as CLI input (e.g. dev, stage, prod), performs an API call, and then returns a resource ARN as output. You haven’t validated the environment name, so CodeGuru Reviewer might suggest you implement some additional validation; in this example, you may add a few lines of code to check that the environment name is not empty and that it’s a valid environment for this project.
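The resource-leak and input-validation bullets above each describe a flagged pattern and the fix the reviewer would suggest. The following added example (not CodeGuru's own code, and not reproducing its exact recommendation text) shows both side by side: the ARN table and environment allowlist are constructed placeholders standing in for the API call in the post, and socketpair() is used so the socket example runs offline.

```python
"""Flagged form next to fixed form for two of the Python detectors described above.
Added example with constructed data; not CodeGuru code."""
import socket

# Constructed allowlist and ARN table standing in for the real API call in the post.
VALID_ENVIRONMENTS = ("dev", "stage", "prod")
_ARNS = {
    "dev": "arn:aws:sns:us-east-1:111111111111:alerts-dev",      # placeholder values
    "stage": "arn:aws:sns:us-east-1:111111111111:alerts-stage",
    "prod": "arn:aws:sns:us-east-1:111111111111:alerts-prod",
}


def resource_arn_unvalidated(environment):
    # Flagged by the input-validation detector: a CLI argument reaches the lookup
    # (an API call in the post) unchecked, so a typo or empty string surfaces as a
    # KeyError deep inside the call rather than as a clear error at the boundary.
    return _ARNS[environment]


def resource_arn(environment):
    # Fix: reject empty input and anything outside the project's allowlist
    # before the value is used anywhere else.
    if not environment or not environment.strip():
        raise ValueError("environment name must not be empty")
    if environment not in VALID_ENVIRONMENTS:
        raise ValueError(f"unknown environment {environment!r}; "
                         f"expected one of {VALID_ENVIRONMENTS}")
    return _ARNS[environment]


def echo_once_leaky(payload):
    # Flagged by the resource-leak detector: both sockets are still open on return,
    # and also if sendall() or recv() raises.
    left, right = socket.socketpair()
    left.sendall(payload)
    return right.recv(len(payload))


def echo_once(payload):
    # Fix: a with statement closes both ends on every exit path, exceptions included.
    left, right = socket.socketpair()
    with left, right:
        left.sendall(payload)
        data = right.recv(len(payload))
    # fileno() is -1 once a socket is closed, confirming nothing leaked.
    assert left.fileno() == -1 and right.fileno() == -1
    return data
```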

Please note that Python Support for CodeGuru Profiler is still in preview: CodeGuru Profiler allows you to collect runtime performance data, identify how code is running on the CPU and where time is consumed, so you can tune your Python application starting from the most expensive parts — with the goal of reducing cost and improving performance.

You can get started with CodeGuru Reviewer and CodeGuru Profiler for Python in the CodeGuru console.

Conclusions
Amazon CodeGuru is available in 10 AWS Regions and it supports Python and Java applications. We’re looking forward to publishing even more detectors and support for more programming languages to help more developers and customers improve their application code quality and performance.

If you’d like to learn more about Amazon CodeGuru, check out the CodeGuru Reviewer documentation and CodeGuru Profiler documentation.

Alex