Amazon Web Services (AWS) this week made generally available Amazon Inspector, a code scanning tool for surfacing vulnerabilities that is designed to be natively integrated with the GitHub and GitLab platforms.
Announced at the AWS re:Inforce 2025 conference, Amazon Inspector combines a static application security testing (SAST) tool for analyzing application source code with a software composition analysis (SCA) tool for evaluating third-party dependencies and an ability to scan infrastructure as code (IaC) for valid definitions.
Findings from these scans are then surfaced both in the Amazon Inspector console and within the source code management platform as fast feedback for the developers.
Mitch Ashley, vice president and practice lead for software lifecycle engineering at The Futurum Group, said the expansion of the DevSecOps capabilities provided by AWS into code, dependencies, and IaC enables a critical ‘shift left’ for cloud security, fundamentally embedding vulnerability management earlier into the development lifecycle. That unified approach addresses a long-standing challenge for DevOps teams by accelerating feedback and fostering truly secure-by-design applications, he added.
AWS also revealed it has made available under an open source license a software package, dubbed @verifiedpermissions/authorization-clients-js, that enables developers to implement authorization in Express.js web application APIs in minutes. That approach reduces the custom authorization code that developers would have previously needed to create on their own.
Finally, AWS demonstrated how it is internally using Amazon Q Developer, an artificial intelligence (AI) agent framework, to identify vulnerabilities in code as it is being developed.
George Argyros, applied science manager at AWS, told conference attendees Amazon Q Developer makes it possible to “squash bugs” early in the application development process in a way that ultimately serves to improve the quality of the code being created. The overall goal is to review code at the time a pull request is made and then surface recommendations to mitigate any issue, with Amazon Q Developer also being used to create and test any patch required.
It’s not clear how widely the DevSecOps tool and platform being provided by AWS have been adopted, but it’s clear the cloud services provider is now moving well beyond securing infrastructure. It’s still the responsibility of organizations to secure the applications deployed on the cloud, but AWS is making the tools and services needed to achieve that goal more accessible.
Hopefully, there will even come a day soon when application development teams are routinely using AI tools to prevent vulnerabilities and misconfigurations from being created in the first place.
In the meantime, however, DevOps teams need to be sure to review the code being generated by AI tools that have been trained using examples of code that is of varying quality. In one instance, that code might be better than what some developers might write on their own. In other cases, segments of code with known vulnerabilities might have been copied multiple times over. In fact, about the only thing that is for certain is that there will soon be more code than ever to scan and review as developers continue to lean on AI tools to create code that they are becoming less inclined to write themselves.