

# Amazon Inspector Code Security
<a name="code-security-assessments"></a>

 Amazon Inspector is a vulnerability management service that automatically discovers workloads and continually scans them for software vulnerabilities and unintended network exposure. With Code Security, Amazon Inspector scans first-party application source code, third-party application dependencies, and Infrastructure as Code for vulnerabilities. You can activate Code Security in the Amazon Inspector console or with the Amazon Inspector API. Once you activate Code Security, you can create and apply a scan configuration to your code repository to determine how often and when it will be scanned. You can view, edit, and delete your scan configuration at any time. For information about the Amazon Web Services Regions where Code Security is available, see [Regions and endpoints](https://docs.amazonaws.cn/inspector/latest/user/inspector_regions.html#ins-regional-feature-availability). For information about pricing, see [Amazon Inspector pricing](https://aws.amazon.com/inspector/pricing/?nc=sn&loc=3&refid=0d873978-11ec-4d4f-9e53-b563bf029726). 

# Prerequisites for Code Security
<a name="code-security-assessments-prerequisites"></a>

 Before you can begin using Code Security, you must activate Code Security and decide how to encrypt your data. Your data can include integration credentials, code, or any other information related to your integrations, code repositories, and projects. By default, your data is encrypted with an [Amazon owned key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#aws-owned-cmk). This means the key is created, owned, and managed by the service. If you want to own and manage the key used to encrypt your data, you can create a [customer managed KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#aws-owned-cmk). 

# Activating Code Security
<a name="code-security-assessments-activate"></a>

 You activate Code Security in the same way that you activate all automated scan types. For more information, see [Activating a scan type](https://docs.amazonaws.cn/inspector/latest/user/activate-scans.html). 

# Creating a customer managed key to access Amazon KMS
<a name="code-security-assessments-creating-a-key"></a>

 By default, your data is encrypted with an [Amazon owned key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#aws-owned-cmk). This means the key is created, owned, and managed by the service. If you want to own and manage the key used to encrypt your data, you can create a [customer managed KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#aws-owned-cmk). Amazon Inspector doesn't interact with your data. Amazon Inspector only ingests metadata from repositories in your source code provider. For information about how to create a customer managed KMS key, see [Create a KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html) in the *Amazon Key Management Service User Guide*. 

**Sample policy**  
 When you [create your customer managed key](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html), use the following sample policy. 

**Note**  
 The [FAS permissions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_forward_access_sessions.html) in the following policy are specific to Amazon Inspector, as they allow Amazon Inspector to perform only those API calls. 


```json
{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
    {
      "Sid": "Allow Q to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext",
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws-cn:inspector2:us-east-1:111122223333:codesecurity-integration/*"
        }
      }
    },
    {
      "Sid": "Allow Q to use DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow Inspector to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext using FAS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::111122223333:role/inspectorCodeSecurity"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
        }
      }
    },
    {
      "Sid": "Allow Inspector to use DescribeKey using FAS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::111122223333:role/inspectorCodeSecurity"
      },
      "Action": [
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```
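
 The following is an added example, not part of the AWS documentation: a Python check that a key policy derived from the sample above still carries its scoping conditions once the placeholder account ID and Region are replaced. The function names, the shortened `Sid` values, and the inline policy copy are constructed for illustration.

```python
"""Audit a KMS key policy for the scoping conditions the sample policy relies on."""

DATA_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"}
CONTEXT_KEY = "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope"


def _as_list(value):
    """IAM JSON allows a bare string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _cond(stmt, operator, key):
    """Values of one condition key under one operator (key names are case-insensitive)."""
    for name, value in stmt.get("Condition", {}).get(operator, {}).items():
        if name.lower() == key.lower():
            return _as_list(value)
    return []


def _integration_arn_ok(arn, account_id, region):
    """True if the ARN pattern is an inspector2 integration in this account and Region."""
    parts = arn.split(":", 5)
    return (len(parts) == 6 and parts[2] == "inspector2" and parts[3] == region
            and parts[4] == account_id
            and parts[5].startswith("codesecurity-integration/"))


def audit_key_policy(policy, account_id, region):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    via_service = f"inspector2.{region}.amazonaws.com"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or missing
            findings.append(f"{sid}: principal is not restricted")
            continue
        services = _as_list(principal.get("Service"))
        roles = _as_list(principal.get("AWS"))
        actions = set(_as_list(stmt.get("Action")))
        touches_data = bool(actions & DATA_ACTIONS) or bool(actions & {"kms:*", "*"})

        # Data-plane access must be bound to this account's Code Security scope.
        if touches_data:
            context = (_cond(stmt, "StringLike", CONTEXT_KEY)
                       or _cond(stmt, "StringEquals", CONTEXT_KEY))
            if context != [account_id]:
                findings.append(f"{sid}: encryption context not pinned to {account_id}")

        # Service principal: confused-deputy guards on account and integration ARN.
        if services and touches_data:
            if _cond(stmt, "StringEquals", "aws:SourceAccount") != [account_id]:
                findings.append(f"{sid}: aws:SourceAccount is not {account_id}")
            arns = _cond(stmt, "ArnLike", "aws:SourceArn")
            if not arns or not all(_integration_arn_ok(a, account_id, region) for a in arns):
                findings.append(f"{sid}: aws:SourceArn not scoped to {region}/{account_id}")

        # Role principal (FAS statements): same account, and only via Inspector.
        for role in roles:
            if role.split(":")[4:5] != [account_id]:
                findings.append(f"{sid}: principal {role} is outside {account_id}")
        if roles and _cond(stmt, "StringEquals", "kms:ViaService") != [via_service]:
            findings.append(f"{sid}: kms:ViaService is not {via_service}")
    return findings


def sample_policy(account_id="111122223333", region="us-east-1", partition="aws-cn"):
    """Constructed copy of the sample policy's four statements, with shortened Sids."""
    ctx = {"StringLike": {CONTEXT_KEY: account_id}}
    via = {"StringEquals": {"kms:ViaService": f"inspector2.{region}.amazonaws.com"}}
    role = {"AWS": f"arn:{partition}:iam::{account_id}:role/inspectorCodeSecurity"}
    q = {"Service": "q.amazonaws.com"}
    source_arn = f"arn:{partition}:inspector2:{region}:{account_id}:codesecurity-integration/*"
    data = sorted(DATA_ACTIONS)
    return {"Version": "2012-10-17", "Id": "key-policy", "Statement": [
        {"Sid": "QData", "Effect": "Allow", "Principal": q, "Action": data, "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": account_id}, **ctx,
                       "ArnLike": {"aws:SourceArn": source_arn}}},
        {"Sid": "QDescribe", "Effect": "Allow", "Principal": q,
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "FasData", "Effect": "Allow", "Principal": role, "Action": data,
         "Resource": "*", "Condition": {**via, **ctx}},
        {"Sid": "FasDescribe", "Effect": "Allow", "Principal": role,
         "Action": ["kms:DescribeKey"], "Resource": "*", "Condition": via},
    ]}


if __name__ == "__main__":
    # Placeholders left in a policy that is deployed to another account and Region.
    for finding in audit_key_policy(sample_policy(), "444455556666", "eu-west-1"):
        print(finding)
```

 Run the check against the policy document you intend to attach, passing the account ID and Region where the integration lives; an empty result means the conditions line up.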


 After you create your KMS key, you can use the following Amazon Inspector APIs. 
+  `UpdateEncryptionKey` – Use with `CODE_REPOSITORY` for `resourceType` and `CODE` as the scan type to configure the use of your customer managed KMS key. 
+  `GetEncryptionKey` – Use with `CODE_REPOSITORY` for `resourceType` and `CODE` as the scan type to retrieve your KMS key configuration. 
+  `ResetEncryptionKey` – Use with `CODE_REPOSITORY` for `resourceType` and `CODE` as the scan type to reset your KMS key configuration and to use an Amazon owned KMS key. 

# Creating an integration between Amazon Inspector and your code repository
<a name="code-security-assessments-create-integration"></a>

 This section includes topics that describe how to create an integration between Amazon Inspector and your code repository. When you create an integration, all code repositories are listed as projects in the Amazon Inspector console on the **Code Security** page. Other topics in this section describe how to access your integrations and projects. 

 Code Security only imports up to 100,000 projects, and only the default branch for each repository is monitored. A project can be associated with a maximum of three default scan configurations. 

 Code Security only supports a maximum of 100 integrations per account. Code Security integrations have no concept of the delegated administrator account/member account relationship. 

 To avoid encountering restrictions, we recommend not using the same host for an integration more than once. 

 Integrations with GitHub SaaS, GitHub Enterprise Cloud, and GitHub Enterprise Server require public internet access. 

**Important**  
 Third-party integrations might be temporarily or permanently disabled without prior notice for any reason, such as to address security concerns. 

# Creating an integration between Amazon Inspector and GitHub
<a name="code-security-assessments-connect-github"></a>

 This topic describes how to create an integration between Amazon Inspector and GitHub. 

**Note**  
 If this is your first time creating an integration, you're prompted to create a default scan configuration on Step 2. When you [create a scan configuration](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-create-configuration.html), you choose the scan frequency, scan analysis, and repositories to be scanned. Creating a default scan configuration is the same as creating a general scan configuration. However, the default scan configuration is automatically associated with any new and existing projects imported into Amazon Inspector. If you want to create a default scan configuration, choose **Continue with this configuration**. You can only create a default scan configuration once. If you create a default scan configuration, you won't be prompted to create a default scan configuration again. You can only create a default scan configuration once per account and once per organization. If you don't want to configure a default scan configuration, choose **Skip configuration**. However, you will be prompted to create a default scan configuration the next time you create an integration. After you create a default scan configuration or skip creating a default scan configuration, you're directed to Step 3 of the integration workflow where you enter your integration details. 

 Integrations with GitHub SaaS, GitHub Enterprise Cloud, and GitHub Enterprise Server require public internet access. 

**Note**  
 Amazon Inspector only scans and monitors your default branch. If you create a new default branch, Amazon Inspector scans and updates the new default branch. 

**Important**  
 Before you finish creating the integration, you're directed to authorize the connection between Amazon Inspector and GitHub. You must complete this step to finish the procedure. If you close the pop-up, you will not be able to proceed. 

**To create an integration between Amazon Inspector and GitHub**

1.  Sign in using your credentials. Open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. Choose **Connect to**, and choose GitHub. 

1.  Under **Integration details**, enter the name of your integration, and choose **Connect to GitHub**. 

1.  Choose **Authorize** in the pop-up to create a connection between Amazon Inspector and GitHub. 

1.  In the success banner, choose **Go to GitHub connection creation page**. 

1.  Enter the installation ID for the GitHub application. If you installed the GitHub application, you can find the installation ID in GitHub from the **GitHub Apps** page or at the end of the GitHub application URL. If you haven't installed the GitHub application, choose **Install a new app**. This directs you to GitHub where you select the GitHub organization and specify the repository scope. 

1.  Choose **Connect to GitHub**. 

 After you create the integration, you can encounter a scenario where Amazon Inspector is unable to refresh the access token. This can occur if the integration host is unavailable or Amazon Inspector experiences other communication issues. To remediate the issue, you can re-authenticate the connection from the **Integrations** tab on the **Code Security** page. Under the **Status** column, the integration shows as **Inactive**, and Amazon Inspector provides the option to re-authenticate. Choose **Re-authenticate**. You're redirected to the integration workflow where you can complete the connection setup. 

 If you delete system settings for your integration, you can lose connection indefinitely. If this occurs, you must [delete the integration](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-connect-delete-integrations.html) and create a new integration. When you delete an integration, you lose all projects and scan configurations associated with the integration. 

# Creating an integration between Amazon Inspector and GitLab Self Managed
<a name="code-security-assessments-connect-gitlab"></a>

 This topic describes how to create an integration between Amazon Inspector and your code repository in GitLab Self Managed. 

**Required information**  
 The following is required when you create a connection: 
+  Integration name – This is the name added to the body of your integration. 
+  Endpoint URL – This is the URL used to access your GitLab Self Managed instance. 
+  Personal access token – The personal access token is [created in GitLab Self Managed](https://docs.gitlab.com/user/profile/personal_access_tokens/) from an administrator account and must include the following scopes: `api`, `read_api`, `read_repository`, and `write_repository`. 

**Note**  
 Amazon Inspector only scans and monitors your default branch. If you create a new default branch, Amazon Inspector scans and updates the new default branch. 

## Creating an integration between Amazon Inspector and GitLab Self Managed
<a name="w2aac17c10c17c11"></a>

 The following procedure describes how to create a connection between Amazon Inspector and your code repository in GitLab Self Managed. 

**Note**  
 If this is your first time creating an integration, you're prompted to create a default scan configuration on Step 2. When you [create a scan configuration](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-create-configuration.html), you choose the scan frequency, scan analysis, and repositories to be scanned. Creating a default scan configuration is the same as creating a general scan configuration. However, the default scan configuration is automatically associated with any new and existing projects imported into Amazon Inspector. If you want to create a default scan configuration, choose **Continue with this configuration**. You can only create a default scan configuration once. If you create a default scan configuration, you won't be prompted to create a default scan configuration again. You can only create a default scan configuration once per account and once per organization. If you don't want to configure a default scan configuration, choose **Skip configuration**. However, you will be prompted to create a default scan configuration the next time you create an integration. After you create a default scan configuration or skip creating a default scan configuration, you're directed to Step 3 of the integration workflow where you enter your integration details. 

**Important**  
 Before you finish creating the integration, you're prompted to authorize the connection between Amazon Inspector and GitLab Self Managed. You must complete this step to finish the procedure. If you close the pop-up, you will not be able to proceed. 

**To create a connection with GitLab Self Managed**

1.  Sign in using your credentials. Open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. Choose **Connect to** and choose **GitLab Self Managed**. 

1.  Under **Integration details**, enter the following: 

   1.  For **Integration name**, enter the name added to the body of your integration. 

   1.  For **Endpoint URL**, enter the URL used to access your GitLab self-managed instance. 

   1.  For **Personal access token**, enter your personal access token with the required scopes. 

1.  Choose **Connect to GitLab**. 

1.  Choose **Authorize** in the pop-up window to finish creating a connection between Amazon Inspector and GitLab. 

 After you create the integration, you can encounter a scenario where Amazon Inspector is unable to refresh the access token. This can occur if the integration host is unavailable or Amazon Inspector experiences other communication issues. To remediate the issue, you can re-authenticate the connection from the **Integrations** tab on the **Code Security** page. Under the **Status** column, the integration shows as **Inactive**, and Amazon Inspector provides the option to re-authenticate. Choose **Re-authenticate**. You're redirected to the integration workflow where you can complete the connection setup. 

 If you delete system settings for your integration, you can lose connection indefinitely. If this occurs, you must [delete the integration](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-connect-delete-integrations.html) and create a new integration. When you delete an integration, you lose all projects and scan configurations associated with the integration. 

# Viewing integrations with code repositories
<a name="code-security-assessments-connect-view-integrations"></a>

 This topic describes how to view integrations in the Amazon Inspector console. 

**To view integrations in the Amazon Inspector console**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Integrations**. From this tab, you can review all of your configured integrations and review basic information about all of your integrations. This information includes the name of the integration, status of the integration, and source code provider name. 

**Re-authenticate to provider**  
 After you create the integration, you can encounter a scenario where Amazon Inspector is unable to refresh the access token. This can occur if the integration host is unavailable or Amazon Inspector experiences other communication issues. To remediate the issue, you can re-authenticate the connection from the **Integrations** tab on the **Code Security** page. Under the **Status** column, the integration shows as **Inactive**, and Amazon Inspector provides the option to re-authenticate. Choose **Re-authenticate**. You're redirected to the integration workflow where you can complete the connection setup. 

 If you delete system settings for your integration, you can lose connection indefinitely. If this occurs, you must [delete the integration](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-connect-delete-integrations.html) and create a new integration. When you delete an integration, you lose all projects and scan configurations associated with the integration. 

# Viewing code repositories
<a name="code-security-assessments-connect-view-repositories"></a>

 This topic describes how to view code repositories in the Amazon Inspector console. 

**To view code repositories in the Amazon Inspector console**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Code repositories**. From this tab, you can review all of your code repositories, which are listed as projects, and review basic information about them. This information includes the name and scan status for each project. You can also review the configurations associated with your projects and when your projects were last scanned. You can even filter your projects in the search bar. 

# Viewing details for a project
<a name="code-security-assessments-connect-view-details-for-repositories"></a>

 This topic describes how to view details for a project in the Amazon Inspector console. If your account is the delegated administrator for an organization, you can view details for projects that belong to member accounts. 

**To view code projects in the Amazon Inspector console**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Code repositories**. From this tab, you can review all of your code repositories, which are listed as projects, and review basic information about them. This information includes the name and scan status for each project. You can also review the configurations associated with your projects and when your projects were last scanned. You can even filter your projects in the search bar. 

1.  Choose a project. Or select a project, and choose **View details**. From the **Project details** screen, you can review basic information about the project. This information includes the name and ID for the project, as well as the integration ARN. It includes information about when the project was scanned and the provider type. You can even review findings associated with the project, as well as [export findings](https://docs.amazonaws.cn/inspector/latest/user/findings-managing-exporting-reports.html) and [create suppression rules for findings](https://docs.amazonaws.cn/inspector/latest/user/findings-managing-supression-rules.html). 

# Deleting an integration
<a name="code-security-assessments-connect-delete-integrations"></a>

 The following procedure describes how to delete an integration in the Amazon Inspector console. When you delete an integration, you lose all projects and scan configurations associated with the integration. 

**To delete an integration in the Amazon Inspector console**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Integrations**. From this tab, you can review all of your configured integrations and review basic information about all of your integrations. This information includes the name of the integration, status of the integration, and integration provider type. 

1.  Select an integration, and choose **Delete**. 

# Creating a scan configuration
<a name="code-security-assessments-create-configuration"></a>

 Before you create a scan configuration, you must [create an integration with Amazon Inspector](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-create-integration.html). The first time you create an integration, you're prompted to create a default scan configuration. This topic describes how to create a general scan configuration. The difference between a default scan configuration and a general scan configuration is that a default scan configuration is automatically attached to new projects. You can skip creating a default scan configuration. 

 Code Security only supports a maximum of 500 general scan configurations. Code Security only supports 1 default scan configuration per account and per organization. A scan configuration can only be associated with a maximum of 100,000 projects. 

 A project can be associated with a maximum of 4 scan configurations total. This includes a default scan configuration if a default scan configuration was created. Scan configurations for an organization cannot be tagged. 

 If the delegated administrator for an organization creates a scan configuration, the scan configuration is created at the organization level and applied to all member accounts in the organization. The same occurs if the delegated administrator creates a default scan configuration. 

 When you create a scan configuration, you choose the scan frequency, scan analysis, and repositories to be scanned. The scan frequency can be either change-based and periodic, or customized. Change-based and periodic scanning gives you the option to enable periodic scanning. If you enable periodic scanning, you set the scan frequency to the day of the week or month when a scan occurs. Customized scanning gives you the option to enable scanning when code is changed and periodic scanning. If you enable scanning when code is changed, you specify the scan trigger to include in merge and pull requests. 

 Scans can be skipped if a commit ID hasn't changed in a set amount of time. For periodic scanning, scans are skipped if a commit ID hasn't changed between scans in 1 week. For on-demand scans, scans are skipped if a commit ID hasn't changed between scans in 24 hours. 

**Note**  
 If a scan configuration only has triggers for merge requests and pull requests, only the top 25 critical or high findings are presented and only in the source code management platform. None will be visible in Amazon Inspector. 

**To create a general scan configuration**

1.  Sign in using your credentials. Open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Configurations**, and then choose **Create scan configuration**. 

1.  Under **Scan details**, do the following: 

   1.  For **Configuration name**, enter a name for the scan configuration. 

1.  Under **Scan frequency**, specify how often code is scanned by choosing **Change-based and periodic scanning** or **Customized scanning types and triggers**. 

   1.  (Option 1) If you choose **Change-based and periodic scanning**, choose **Enable periodic scanning** or **Disable periodic scanning**. 

      1.  If you choose **Enable periodic scanning**, set the scan frequency by choosing the week and day you want code to be scanned. 

   1.  (Option 2) If you choose **Customized scanning**, decide whether to enable scanning when code is changed and periodic scanning. 

      1.  Choose **Enable scanning when code is changed** or **Disable scanning when code is changed**. If you choose **Enable scanning when code is changed**, specify when scans are triggered from the dropdown. 

      1.  Choose **Enable periodic scanning** or **Disable periodic scanning**. If you choose **Enable periodic scanning**, set the scan frequency by choosing the week and day you want code to be scanned. You can also scan on event-based triggers. These events include when a new pull request is initially opened against the default branch and when a commit is merged or pushed to the default branch. Scans are not triggered on subsequent updates or revisions to an existing pull request. To trigger a new scan, close and reopen the pull request. 

1.  Under **Scan analysis**, decide whether to configure a complete scanning analysis or customized scanning analysis: 

   1.  (Option 1) If you choose **Complete scanning analysis**, you apply all of the following scan analyses: 
      +  *Static Application Security Testing* – Analyzes source code for vulnerabilities. 
      +  *IaC scanning* – Analyzes scripts and code that configure and provision infrastructure. 
      +  *Static software composition analysis* – Examines open source packages in applications. 

   1.  (Option 2) If you choose **Customized scanning analysis**, you must choose at least one of the previously mentioned scan analysis types from the dropdown menu. 

1.  (Optional) For **Tags**, create a key-value pair to apply to your project. You can create up to 50 tags. 

1.  Choose **Next**. 

1.  Under **Repository selection**, choose **All repositories** or **Specific repositories**. 

   1.  (Option 1) If you choose **All repositories**, scanning is enabled for any of your existing repositories. 

   1.  (Option 2) If you choose **Specific repositories**, scanning is enabled only for the repositories that you specify. 

1.  Choose **Next**. 

1.  Review your choices, and then choose **Create scan configuration**. 

**Note**  
 General scan configurations are applied to all existing code repositories only. They will not be applied to new code repositories. 

# Viewing scan configurations
<a name="code-security-assessments-view-configurations"></a>

 The following procedure describes how to view scan configurations in the Amazon Inspector console. 

**Note**  
 When you view your scan configuration at the organization level, some of the details in the **Code Security** screen will differ to reflect your Amazon Web Services account. 

**To view details for a scan configuration**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Configurations** to view a list of your scan configurations. If you're the delegated administrator, the list includes your organization’s scan configurations. You can see the name of each scan configuration and who created each scan configuration (Amazon Web Services account ID or organization ID). You can also view which scanning types and scan analysis types are applied to the configuration. You can even filter your scan configurations by different fields in the search bar. 

# Viewing details for a scan configuration
<a name="code-security-assessments-view-details-for-configurations"></a>

 The following procedure describes how to view details for a scan configuration in the Amazon Inspector console. 

**To view details for a scan configuration**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Configurations**. 

1.  Choose the configuration you want to view details for. The scan configuration details screen provides an overview of the scan configuration. From this screen, you can view the scan configuration ARN, which scan frequency types are enabled, and which scan analysis types are enabled. You can also [delete](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-delete-configuration.html) the scan configuration from this screen. If you're viewing a scan configuration that belongs to your organization, you can [edit](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments-edit-configuration.html) from this screen, too. 

# Editing a scan configuration
<a name="code-security-assessments-edit-configuration"></a>

 You can edit a scan configuration at any time. When editing a scan configuration, you can change the scan frequency, scan analysis, tags, and repositories to be scanned. For example, you edit a scan configuration to pause scanning for a particular repository. The following procedure describes how to edit a scan configuration. 

**To edit a scan configuration**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Configurations**. 

1.  Select the configuration you want to edit, and then choose **Edit**. You can also choose the configuration you want to edit, and then choose **Edit**. 

# Deleting a scan configuration
<a name="code-security-assessments-delete-configuration"></a>

 You can delete a scan configuration at any time. This topic describes how to delete a scan configuration. 

**To delete a scan configuration**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Configurations**. 

1.  Select the configuration you want to delete, and then choose **Delete**. Or choose the configuration you want to delete, and then choose **Delete**. 

# Performing an on-demand scan
<a name="code-security-assessments-on-demand-scan"></a>

 You can perform an on-demand scan for your projects. When you perform an on-demand scan, a union of all your configured scan configurations is applied to your selected project. If your account is the delegated administrator account for an organization, you can perform an on-demand scan for projects that belong to member accounts. The following procedure describes how to perform an on-demand scan in the Amazon Inspector console. 

**To perform an on-demand scan**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.amazonaws.cn/inspector/v2/home). 

1.  From the navigation pane, choose **Code Security**. 

1.  Choose **Code repositories**. 

1.  Select the project you want to scan, and then choose **On-demand scan**. 

# Supported languages for Amazon Inspector Code Security
<a name="code-security-assessments-supported-languages"></a>

 This topic includes the supported languages for Amazon Inspector Code Security. 

**Supported languages for SAST**
+  C# (all versions, but .NET 6.0 and later is recommended) 
+  C (C11 or earlier) 
+  C++ (C++ 17 or earlier) 
+  Go (Go 1.18 only) 
+  Java (Java 25 or earlier) 
+  JavaScript (ECMAScript 2021 or earlier) 
+  JSX (React 17 or earlier) 
+  Kotlin (Kotlin 2.0 or earlier) 
+  PHP (PHP 8.2 or earlier) 
+  Python (Python 3.13 or earlier within the Python 3 series) 
+  Ruby (Ruby 2.7 and 3.2 only) 
+  Rust 
+  Scala (Scala 3.2.2 or earlier) 
+  Shell 
+  TSX 
+  TypeScript (all versions) 

**Supported languages for software composition analysis**
+  Go (Go 1.18 only) 
+  Java (Java 25 or earlier) 
+  JavaScript (ECMAScript 2021 or earlier) 
+  PHP (PHP 8.2 or earlier) 
+  Python (Python 3.13 or earlier within the Python 3 series) 
+  .Net 
+  Ruby (Ruby 2.7 and 3.2 only) 
+  Rust 

**Languages for Infrastructure as Code**
+  Amazon CDK (Python and TypeScript) 
+  Amazon CloudFormation (2010-09-09) 
+  Terraform (1.6.2 or earlier) 

# Deactivating Code Security
<a name="code-security-assessments-deactivate"></a>

 For more information about deactivating Code Security, see [Deactivating a scan type](https://docs.amazonaws.cn/inspector/latest/user/deactivate-scans.html). 