Amazon Bedrock is a fully managed service that makes foundation models (FMs) from leading AI startups and Amazon available through an API, so you can choose from a wide range of FMs to find the model that best suits your use case. With Amazon Bedrock's serverless experience, you can get started quickly, privately customize FMs with your own data, and integrate and deploy them into your application using Amazon Web Services (AWS) tools without having to manage any infrastructure.
For companies in the cloud computing and software development space, providing secure code repositories is essential. As sophisticated cybersecurity threats become more prevalent, organizations must take proactive measures to protect their assets. Amazon Bedrock offers a powerful solution by automating the process of scanning repositories for vulnerabilities and remediating them. This post explores how you can use Amazon Bedrock to improve the security of your repositories and maintain compliance with organizational and regulatory standards.
This solution demonstrates how Amazon Bedrock Agents can be configured to scan a specific code repository, fix vulnerabilities, and push the changes to a new branch. This approach can speed up development, reduce errors, and help meet security guidelines.
Solution Overview
There are three high-level steps to implement the solution:
- Set up the Amazon Bedrock agent
- Configure an AWS Lambda function for the action group
- Add the action group to the Amazon Bedrock agent
There are two key steps in the architecture, as illustrated in the following diagram:
- The user provides the necessary information through the Amazon Bedrock agent chat console. They provide the URL of the code repository, such as https://github.com/abc/test, and specify the name of the branch to scan, for example main. They then list the folders to exclude from the scan, such as test, and the file extensions to exclude, such as .md and .txt. Finally, they provide the name of the new branch to which the corrected code will be pushed.
- The Amazon Bedrock agent sends these details to an action group that invokes a Lambda function. This function retrieves the code, scans it for vulnerabilities using a preselected large language model (LLM), applies the fixes, and pushes the fixed code to the new branch for user validation. Excluded folders and file extensions are not scanned. Upon completion, the action group (Lambda function) returns the result to the Amazon Bedrock agent, which displays the status to the user.
Figure 1. Architecture diagram
Prerequisites
To implement the solution, you need the following:
Set up the Amazon Bedrock agent
To configure the Amazon Bedrock agent, complete the following steps:
- In the Amazon Bedrock console, choose Agents in the navigation pane, then choose Create agent.
- (Optional) Provide agent details, including the agent name and description.
- Grant the agent permissions to AWS services through the IAM service role. This gives your agent access to the required services, such as Lambda.
- Select an FM on Amazon Bedrock (such as Anthropic's Claude 3 Sonnet).
- To scan a code repository and fix vulnerabilities through Amazon Bedrock Agents, attach the following instructions to the agent:
You are an AI assistant that scans and remediates code. Greet the user and ask for the repository URL and the branch name that need to be scanned. Prompt the user for a list of folders that should be excluded from scanning, and also prompt for a list of specific file extensions that should be excluded from scanning. Prompt the user for the new branch name to which the corrected code should be pushed. Pass those entries to the code scan fix action group.
Configure Lambda for the action group
After the initial configuration of the agent and adding the instructions above, create a Lambda function to be used by the action group.
Create a Lambda function designed to scan a code repository for vulnerabilities, fix the vulnerabilities, and push the changes to a new branch specified by the user. This function is used by the action group, which the Amazon Bedrock agent invokes after the user enters the code repository URL, the branch name, and the lists of folders and file extensions to exclude from scanning. Refer to the Lambda code at https://github.com/aws-samples/code-scanning-remediation-using-amazon-bedrock/blob/main/Code-Scanning-Remediation/lamda_function.py. Confirm that the Lambda function has the necessary IAM permissions, and configure a resource-based policy on the Lambda function that allows the Amazon Bedrock agent to invoke it using the lambda:InvokeFunction action. See the policy at https://github.com/aws-samples/code-scanning-remediation-using-amazon-bedrock/blob/main/Code-Scanning-Remediation/resource-based-policy.json.
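The following is an added example, not the Lambda code from the aws-samples repository. It shows the contract between an action group defined with function details and its Lambda function: the handler flattens the parameters the agent collected, applies the folder and extension exclusions described in the architecture section to a constructed file listing, and returns the response shape Bedrock Agents expect. The parameter names (repo_url, branch_name, excluded_folders, excluded_extensions, new_branch_name), the sample file list, and the placeholder remediate() step are assumptions; the real clone, LLM call and push are not implemented here so the filtering and the event/response handling can be exercised offline.

```python
"""Added example: a Bedrock Agents action-group Lambda handler (function-details style).

Not the sample repository's code. Parameter names and the file listing are constructed;
remediate() is a placeholder for the clone / LLM fix / push steps.
"""
import os

# Constructed listing standing in for a cloned checkout of the user's branch.
SAMPLE_REPO_FILES = [
    "src/app.py",
    "src/db.py",
    "test/test_app.py",
    "README.md",
    "docs/notes.txt",
    "scripts/deploy.sh",
]


def _parse_list(value):
    """Split a comma-separated user entry; blank or 'none' means no exclusions."""
    items = [item.strip() for item in (value or "").split(",")]
    return [i for i in items if i and i.lower() != "none"]


def _normalize_ext(ext):
    """Accept '.md' or 'md'; compare case-insensitively."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


def select_files(paths, excluded_folders, excluded_extensions):
    """Return the paths that should be scanned.

    A folder exclusion matches a whole path component, so 'test' excludes
    'test/test_app.py' but not 'contest/x.py'. Extension matching ignores case.
    """
    folders = {f.strip().strip("/") for f in excluded_folders}
    exts = {_normalize_ext(e) for e in excluded_extensions}
    kept = []
    for path in paths:
        components = path.split("/")[:-1]  # directories only, not the file name
        if any(part in folders for part in components):
            continue
        if os.path.splitext(path)[1].lower() in exts:
            continue
        kept.append(path)
    return kept


def get_parameters(event):
    """Flatten the agent's parameters list ([{name, type, value}, ...]) into a dict."""
    return {p["name"]: p.get("value", "") for p in event.get("parameters", [])}


def remediate(files):
    """Placeholder for: send each file to the LLM, apply the fix, push the new branch."""
    return {f: "reviewed" for f in files}


def lambda_handler(event, context):
    params = get_parameters(event)
    required = ["repo_url", "branch_name", "new_branch_name"]
    missing = [name for name in required if not params.get(name)]
    if missing:
        # Returning a clear message lets the agent ask the user for what is missing.
        body = "Missing required parameters: " + ", ".join(missing)
    else:
        files = select_files(
            SAMPLE_REPO_FILES,
            _parse_list(params.get("excluded_folders")),
            _parse_list(params.get("excluded_extensions")),
        )
        results = remediate(files)
        body = (
            f"Scanned {len(results)} file(s) from {params['repo_url']}@{params['branch_name']}; "
            f"fixes pushed to branch {params['new_branch_name']}."
        )
    # Response format for action groups defined with function details.
    return {
        "messageVersion": "1.0",
        "response": {
            "actionGroup": event.get("actionGroup"),
            "function": event.get("function"),
            "functionResponse": {"responseBody": {"TEXT": {"body": body}}},
        },
    }
```

Because the LLM only sees file contents that pass select_files, the exclusion logic is also where you keep secrets, build artifacts and vendored code out of the model's context; matching on whole path components avoids accidentally excluding (or including) directories that merely share a prefix with the user's entry.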
Add the action group to the Amazon Bedrock agent
Complete the following steps to add the action group to the Amazon Bedrock agent:
- Add an action group to the Amazon Bedrock agent.
- Give the action group a descriptive name and describe its function in the description field. This helps clarify the purpose of the action group within the workflow.
- For Action group type, select Define with function details.
- For Action group invocation, select the Lambda function you created earlier.
This function executes the necessary business logic when an action is invoked. Make sure you choose the correct version of the Lambda function and that the GitHub token is set as an environment variable. For more information about how to configure Lambda functions for action groups, see Configure Lambda functions to send information that an Amazon Bedrock agent obtains from the user.
- For Action group function 1, select JSON editor and add the required parameters. Refer to the JSON file at https://github.com/aws-samples/code-scanning-remediation-using-amazon-bedrock/blob/main/Code-Scanning-Remediation/function-details.json.
The following screenshot shows an example of user interaction with Amazon Bedrock Agents.
Figure 2. User interaction with the Amazon Bedrock agent
The following screenshot shows an example of corrected code.
Figure 3. Diff between the original code and the corrected code
Best practices
Follow these best practices:
- Add automation tests to validate code before pushing it to the repository, and review fixed code before merging it into the default branch.
- Use descriptive branch names when creating new branches during patching to maintain clear version control.
- Configure IAM roles and permissions following the principle of least privilege to protect the Amazon Bedrock agent and Lambda functions.
- Update the prompts to address and remediate use case-specific vulnerabilities.
Clean up
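As an added example (not the resource-based-policy.json from the sample repository), the following Python builds the Lambda resource-based policy that the Lambda configuration step calls for and applies the least-privilege best practice to it: invocation is allowed only for lambda:InvokeFunction, only from the Bedrock service principal, and only on behalf of one named agent via an aws:SourceArn condition. A small checker flags the grants that a loose policy typically carries (wildcard principal, lambda:* or *, wildcard resource, or a service principal with no source ARN pin, which would let any agent in any account invoke the function). The function and agent ARNs are constructed placeholders.

```python
"""Added example: least-privilege resource-based policy for the scanning Lambda.

Not the sample repository's policy file. ARNs are placeholders.
"""
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:code-scan-fix"  # placeholder
AGENT_ARN = "arn:aws:bedrock:us-east-1:123456789012:agent/AGENTID12345"  # placeholder


def build_invoke_policy(function_arn, agent_arn):
    """One statement: Bedrock may invoke this function, but only for the given agent."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowBedrockAgentInvoke",
                "Effect": "Allow",
                "Principal": {"Service": "bedrock.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": function_arn,
                # Pins the grant to a single agent; without it any Bedrock agent
                # (including ones in other accounts) could invoke the function.
                "Condition": {"ArnLike": {"AWS:SourceArn": agent_arn}},
            }
        ],
    }


def policy_findings(policy):
    """Return a list of least-privilege problems found in Allow statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)

        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: principal is a wildcard")
        if any(a in ("*", "lambda:*") for a in actions):
            findings.append(f"{sid}: action grants more than lambda:InvokeFunction")
        if stmt.get("Resource", "") == "*":
            findings.append(f"{sid}: resource is a wildcard")
        if isinstance(principal, dict) and "Service" in principal:
            # Condition keys are case-insensitive, so compare in lower case.
            condition_text = json.dumps(stmt.get("Condition", {})).lower()
            if "sourcearn" not in condition_text:
                findings.append(f"{sid}: service principal not restricted with aws:SourceArn")
    return findings


if __name__ == "__main__":
    policy = build_invoke_policy(FUNCTION_ARN, AGENT_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

Run the checker against the policy actually attached to the function (for example the output of the Lambda get-policy API) before trusting it; a statement that passes here still needs the agent's own IAM service role to be scoped to this one function rather than to lambda:* on the account.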
The services used in this demonstration may incur costs. Complete the following steps to clean up your resources:
- Delete the Lambda function if it is no longer needed
- Delete the action group and agents you created
- Delete the generated branch from the GitHub repository
Conclusion
Amazon Bedrock Agents uses generative AI to transform code repositories by finding vulnerabilities and automatically applying fixes. This capability is valuable for engineers because it speeds up the process of securing code and maintaining compliance with established best practices from the beginning.
The interactive features of Amazon Bedrock Agents automate the vulnerability scanning and remediation process, not only streamlining initial setup but also significantly improving ongoing code maintenance. Although this post focuses on code scanning and remediation, the interactive capabilities of Amazon Bedrock Agents can be applied across multiple AWS services, offering a dynamic, end-to-end solution for managing and optimizing cloud infrastructure.
Ready to optimize your cloud deployment process with Amazon Bedrock's generative AI? Start by exploring the Amazon Bedrock User Guide to learn how you can ease your organization's transition to the cloud. For specialized support, consider engaging AWS Professional Services to maximize the efficiency and benefits of using Amazon Bedrock.
Unlock the potential for fast, secure, and efficient cloud transformation with Amazon Bedrock. Take the first step today and discover how generative AI can revolutionize your approach to cloud infrastructure.
About the authors
Rama Krishna Yalla is an Associate DevOps Consultant at AWS and an expert in designing scalable, reliable, and secure cloud environments. He leverages automation and CI/CD best practices to optimize software delivery, reduce downtime, and improve operational efficiency. Rama has experience in managing infrastructure as code (IaC), ensuring consistent and repeatable deployments. He also focuses on implementing robust monitoring and logging solutions, enabling proactive issue resolution and optimized performance. Outside of work, Rama enjoys playing badminton and often participates in local tournaments.
Akhil Raj Yallamelli is a Cloud Infrastructure Architect at AWS specializing in designing cloud infrastructure solutions that improve data security and profitability. He has experience integrating technical solutions with business strategies to create scalable, reliable, and secure cloud environments. Akhil enjoys developing solutions focused on clients' business outcomes, incorporating generative AI (Gen AI) technologies to drive innovation and cloud enablement. He has a master's degree in Computer Science. Outside of his professional work, Akhil enjoys watching and playing sports.