
AI-powered code suggestion and security scanning on Amazon SageMaker notebooks using Amazon CodeWhisperer and Amazon CodeGuru


Amazon SageMaker comes with two options to enable fully managed notebooks to explore data and create machine learning (ML) models. The first option is a quick start, collaborative notebook accessible within Amazon SageMaker Studio—a fully integrated development environment (IDE) for machine learning. You can quickly launch notebooks in Studio, easily connect to the underlying computing resources without interrupting your work, and even share your notebooks as links in a few clicks. In addition to creating a notebook, you can perform all the ML development steps to build, train, debug, track, deploy, and monitor your models in a single pane of glass in Studio. The second option is an Amazon SageMaker notebook instance—a fully managed ML compute instance that runs your notebook in the cloud, offering more control over your notebook configuration.

Today, we are excited to announce the availability of the Amazon CodeWhisperer and Amazon CodeGuru Security extensions on SageMaker notebooks. These AI-powered extensions help accelerate ML development by offering code suggestions as you type, and ensuring that your code is secure and follows AWS best practices.

In this post, we show how you can get started with Amazon CodeGuru Security and CodeWhisperer on Studio and SageMaker notebook instances.

Solution overview

The CodeWhisperer extension is an AI coding companion that provides developers with real-time code suggestions in notebooks. Individual developers can use CodeWhisperer for free on Studio and SageMaker notebook instances. The coding companion generates single-line or complete-function code suggestions in real time. It understands the semantics and context of your code and can recommend suggestions built on AWS and development best practices, improving developer efficiency, quality, and speed.

The CodeGuru Security extension offers security and code quality scanning for Studio and SageMaker notebook instances. It helps notebook users detect security vulnerabilities such as injection flaws, data leaks, weak cryptography, or missing encryption within notebook cells. It can also detect many common issues that affect the readability, reproducibility, and correctness of computational notebooks, such as misuse of ML library APIs, invalid run orders, and nondeterminism. When a vulnerability or quality issue is identified in a notebook, CodeGuru generates recommendations that let you remediate the issue based on AWS security best practices.

In the following sections, we show how to install each extension and discuss the capabilities of each, showing how these tools can increase overall developer productivity.


If this is your first time working with Studio, you must first create a SageMaker domain. Additionally, ensure that you have appropriate access to CodeWhisperer and CodeGuru using AWS Identity and Access Management (IAM).

You can use these extensions in any AWS Region, but requests to CodeWhisperer will be served through the us-east-1 Region. Requests to CodeGuru will be served in the Studio domain's Region if CodeGuru is supported in that Region. For all unsupported Regions, requests will be served through us-east-1.

Set up CodeWhisperer with a SageMaker notebook

In this section, we demonstrate how to set up CodeWhisperer with SageMaker Studio.

Update IAM permissions to use the extension

You can use the CodeWhisperer extension in any Region, but all requests to CodeWhisperer will be served through the us-east-1 Region.

To use the CodeWhisperer extension, make sure you have the necessary permissions. In the IAM console, add the following policy to the SageMaker user execution role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CodeWhispererPermissions",
                "Effect": "Allow",
                "Action": ["codewhisperer:GenerateRecommendations"],
                "Resource": "*"
            }
        ]
    }

Install the CodeWhisperer extension

You can install the CodeWhisperer extension via command line. In this section, we look at the steps involved. To get started, complete the following steps:

  1. On the File menu, choose New and Terminal.
  2. Run the following commands to install the extension:
    conda activate studio
    pip install amazon-codewhisperer-jupyterlab-ext
    jupyter server extension enable amazon_codewhisperer_jupyterlab_ext
    conda deactivate

Refresh your browser, and you will have successfully installed the CodeWhisperer extension.

Use CodeWhisperer in Studio

After we complete the installation steps, we can use CodeWhisperer by opening a new Python notebook or file. For our example, we open a sample notebook.

You will see a toolbar named CodeWhisperer at the bottom of your notebook. It shows common shortcuts for CodeWhisperer along with the ability to pause code suggestions, open the code reference log, and get links to the CodeWhisperer documentation.

The code reference log flags or filters code suggestions that resemble open source training data. You can get the URL and license of the associated open source project repository so that you can more easily review them and add attribution.

To get started, place your cursor on a block of code in your notebook, and CodeWhisperer will start making suggestions. If you don’t see a suggestion, press Alt+C on Windows or Option+C on Mac to request suggestions manually.

The following video shows how to use CodeWhisperer to read and run descriptive statistics on data files in Studio.

Use CodeWhisperer on SageMaker Notebook Instances

Complete the following steps to use CodeWhisperer on notebook instances:

  1. Navigate to your SageMaker notebook instance.
  2. Make sure you’ve attached the CodeWhisperer policy from before to the notebook instance’s IAM role.
  3. When the permissions are added, choose Open JupyterLab.
  4. Install the extension by using the terminal: on the File menu, choose New and Terminal, and enter the following commands:
    pip install amazon-codewhisperer-jupyterlab-ext
    jupyter server extension enable amazon_codewhisperer_jupyterlab_ext

  5. After the commands complete, on the File menu, choose Shut Down to restart the Jupyter server.
  6. Refresh the browser window.

You will now see the CodeWhisperer extension installed and ready to use.

Let’s test in a Python file.

  1. On the File menu, choose New and Python File.

The following video shows how to create a function to convert a JSON file to CSV.

Set up CodeGuru Security with a SageMaker notebook

In this section, we demonstrate how to set up CodeGuru Security with SageMaker Studio.

Update IAM permissions to use the extension

To use the CodeGuru Security extension, make sure you have the necessary permissions. Complete the following steps to update permission policies with IAM:

  1. Option: In the IAM console, you can attach the AmazonCodeGuruSecurityScanAccess managed policy to your IAM identity. This policy provides permissions that allow users to work with scans, including creating scans, viewing scan information, and viewing scan findings.
  2. For custom policies, enter the following permissions:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AmazonCodeGuruSecurityScanAccess",
                    "Effect": "Allow",
                    "Action": [ ... ],
                    "Resource": "arn:aws:codeguru-security:*:*:scans/*"
                }
            ]
        }

  3. Attach policies to any users or roles that will use the CodeGuru Security extension.

For more information, see Policies and permissions in IAM.

Install the CodeGuru Security extension

You can install the CodeGuru Security extension via command line. To get started, complete the following steps:

  1. On the File menu, choose New and Terminal.
  2. Run the following commands to install the extension in the conda environment:
    conda activate studio
    pip install amazon-codeguru-jupyterlab-extension
    conda deactivate

Refresh your browser, and you will have successfully installed the CodeGuru extension.

Run a code scan

The following steps demonstrate running your first CodeGuru Security scan using an example file:

  1. Create a new notebook named example.ipynb with the following code for testing purposes:
    import torch
    from torch import nn
    import tensorflow as tf

    def tensorflow_avoid_using_nondeterministic_api_noncompliant():
        data = tf.ones((1, 1))
        # Noncompliant: Determinism of tf.compat.v1.Session
        # can not be guaranteed in TF2.
        tf.compat.v1.Session(
            target="", graph=None, config=None
        )
        layer = tf.keras.layers.Input(shape=(1,))
        model = tf.keras.models.Model(inputs=layer, outputs=layer)
        model.compile(loss="categorical_crossentropy", metrics="AUC")
        model.fit(x=data, y=data)

    def pytorch_sigmoid_before_bceloss_compliant():
        # Compliant: `BCEWithLogitsLoss` function integrates a `Sigmoid`
        # layer and the `BCELoss` into one class
        # and is numerically robust.
        loss = nn.BCEWithLogitsLoss()
        input = torch.randn(3, requires_grad=True)
        target = torch.empty(3).random_(2)
        output = loss(input, target)

The preceding code intentionally incorporates common bad practices to demonstrate the capabilities of Amazon CodeGuru Security.

  2. Important: Confirm that the CodeGuru-Security extension is installed and that the LSP server shows Fully initialized when you open the notebook.

If you don’t see the extension fully initialized, go back to the previous section to install the extension and complete the installation steps.

  3. Start the scan. You can start the scan in one of the following ways:
    • Select any code cell in your file, then choose the light bulb icon.
    • Right-click any code cell in your file, then choose Run a CodeGuru scan.

When the scan starts, the scan status will be displayed as CodeGuru: Scan is in progress.

After a few seconds, when the scan is complete, the status will change to CodeGuru: Scan completed.

View and deal with findings

After the scan is complete, your code may have some underlined findings. Hover over the underlined code, and a pop-up window appears with a brief summary of the finding. To access additional details about the findings, right-click any cell and choose Show diagnostic panel.

This opens a panel with additional information and suggestions regarding the findings, located at the bottom of the notebook file.

After making changes to the code based on the recommendations, you can run the scan again to check if the issue is resolved. It’s important to note that the scan findings will disappear after you change the code, and you’ll need to run the scan again to see them again.
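To make the two notebook findings discussed in this post concrete (the nondeterministic tf.compat.v1.Session call and invalid run order), the following added example applies a simplified static check to a notebook's JSON. It is an illustration written for this page, not CodeGuru Security's detector code; the sample notebook, the function names, and the run-order heuristic are assumptions.

```python
import ast
import json

# Fully qualified calls to flag. Only this entry comes from the post's sample.
NONDETERMINISTIC = {"tensorflow.compat.v1.Session"}

# Constructed sample notebook (nbformat 4 layout, trimmed to the fields used).
SAMPLE_NB = json.dumps({"cells": [
    {"cell_type": "code", "execution_count": 1, "source": "import tensorflow as tf\n"},
    {"cell_type": "code", "execution_count": 3,
     "source": ["data = tf.ones((1, 1))\n",
                "tf.compat.v1.Session(target='', graph=None, config=None)\n"]},
    {"cell_type": "code", "execution_count": 2, "source": ["print(data)\n"]},
]})

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join([node.id] + parts[::-1])

def scan_notebook(nb_json):
    """Return (cell_index, line, message) findings for one .ipynb document."""
    findings, aliases, last_run = [], {}, 0
    for idx, cell in enumerate(json.loads(nb_json)["cells"]):
        if cell["cell_type"] != "code":
            continue
        run = cell.get("execution_count") or 0
        if run and run < last_run:  # executed before an earlier cell's last run
            findings.append((idx, 0, "invalid run order"))
        last_run = max(last_run, run)
        try:
            tree = ast.parse("".join(cell["source"]))
        except SyntaxError:  # e.g. IPython magics; a real scanner strips them
            continue
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):  # remember "import x as y"
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
            elif isinstance(node, ast.Call) and (name := dotted(node.func)):
                head, _, rest = name.partition(".")
                full = aliases.get(head, head) + ("." + rest if rest else "")
                if full in NONDETERMINISTIC:
                    findings.append((idx, node.lineno, "nondeterministic API: " + full))
    return findings
```

Resolving import aliases across cells is what lets the check match tf.compat.v1.Session even though the import sits in a different cell from the call.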

Enable automatic code scanning

Automatic scanning is disabled by default. Optionally, you can enable automatic code scanning and set the frequency and AWS Region to run your scans. To enable automatic code scanning, complete the following steps.

  1. In Studio, on the Settings menu, choose Advanced Settings Editor.
  2. For Auto scan, choose Enabled.
  3. Specify the scan frequency in seconds and the Region for your CodeGuru Security scan.

For our example, we configured CodeGuru to perform an automatic security scan every 240 seconds in the us-east-1 Region. You can change this value to any Region that CodeGuru Security supports.


SageMaker Studio and SageMaker Notebook Instances now support AI-powered CodeWhisperer and CodeGuru extensions that help you write secure code faster. We encourage you to try both extensions. To learn more about CodeGuru Security for SageMaker, see Get Started with Amazon CodeGuru Extensions for JupyterLab and SageMaker Studio, and to learn more about CodeWhisperer for SageMaker, see Set Up CodeWhisperer with Amazon SageMaker Studio. Please share any feedback in the comments!

About the Author

Pathak king is a Senior Solutions Architect and Technologist specializing in Financial Services (Insurance, Banking, Capital Markets) and Machine Learning. He specializes in Natural Language Processing (NLP), large language models (LLMs), and machine learning infrastructure and operations projects (MLOps).

Gaurav Parekh is a Solutions Architect who helps AWS customers build modern, scalable architectures. His core areas of expertise include Data Analytics, Networks and Technology strategy. Outside of work, Gaurav enjoys playing cricket, football and volleyball.

Arkaprava De is a Senior Software Engineer at AWS. He has been at Amazon for over 7 years and is currently working to enhance the Amazon SageMaker Studio IDE experience. You can find him on LinkedIn.

Little Prashant Pawan is the Lead Product Manager at Amazon Web Services (AWS). He has built products across AWS and Alexa, and is currently focused on helping Machine Learning practitioners become more productive through AWS services.

