AWS deployment feature added to Claude Code, AI detection added to Code Security on GitHub
Contents
On March 24, 2026, AWS released “Agent Plugins for AWS” that incorporates AWS deployment capabilities into Claude Code and Cursor, and GitHub announced an AI function that detects vulnerabilities in Shell, Dockerfile, Terraform, and PHP that are not covered by CodeQL. Both announcements were made on the same day, and the scope of AI coding tools is expanding from code generation to infrastructure management and security verification.
AWS Agent Plugins for Claude Code
Just by commanding “Deploy this XXXX app to AWS,” everything from architecture selection to cost estimation, CDK code generation, and actual deployment will be automatically executed. “Agent Plugins for AWS” released by AWS is a mechanism that incorporates AWS deployment capability into Claude Code and Cursor as a plugin.
The plugin consists of four components.
| Component | Role |
|---|---|
| Agent Skills | Define AWS best practices, deployment, and code review as agent capabilities |
| MCP Server | See AWS documentation, real-time pricing, and CDK/CloudFormation best practices |
| Hooks | Workflow trigger/guardrail (automatic validation when saving SAM template, etc.) |
| References | AWS configuration information/documents that agents should refer to |
The MCP server connects to AWS’s latest price API at runtime, so the quote does not depend on static information.
Deployment flow
When you command “Deploy this app to AWS,” a five-step workflow runs.
graph TD
A[指示: Deploy this app to AWS] --> B[Analyze<br/>コードスキャン・依存関係特定]
B --> C[Recommend<br/>AWSサービス選定・構成提案]
C --> D[Estimate<br/>リアルタイム月額コスト算出]
D --> E{ユーザー確認}
E -->|承認| F[Generate<br/>CDK/Dockerfile/GitHub Actions生成]
F --> G[Deploy<br/>プロビジョニング・デプロイ・DB移行]
G --> H[完了<br/>URL・ダッシュボードを提示]
E -->|中止| I[キャンセル]Analyze scans your entire codebase for frameworks, databases, and external dependencies. If updating an existing system, understand the current load.
Recommend suggests combinations of AWS services based on the scan results. Typical examples of web apps include configurations such as AWS App Runner (container hosting), Amazon RDS PostgreSQL (DB), Amazon CloudFront (CDN), and AWS Secrets Manager (credential management).
Estimate connects to AWS’s real-time pricing API to calculate monthly costs. You can check the cost before deployment.
Generate generates the actual code. Infrastructure code by AWS CDK, Dockerfile, database migration script, environment configuration script, and GitHub Actions workflow are output.
Deploy provisions AWS services after the user confirms and approves, builds and deploys containers, performs DB migration, and even stores credentials.
It is also possible to call only individual abilities without going through a series of processes. “AWS architecture for this app” only executes architecture design, “Estimate AWS cost” only executes cost estimation, and “Generate infrastructure” executes only IaC code generation.
Available plugins
As of the first release (v1.0.0, February 18, 2026), five plugins are provided.
deploy-on-aws Main deployment plugin. It recognizes phrases such as “deploy to AWS,” “host on AWS,” “run this on AWS,” “AWS architecture,” and “estimate AWS cost” and launches a workflow. Three types of MCP servers are used internally.
| MCP server | Information provided |
|---|---|
awsknowledge | AWS documentation, architecture guidance, and best practices |
awspricing | Real-time AWS service pricing |
aws-iac-mcp | IaC Best Practices for CDK/CloudFormation |
migration-to-aws Plugin to migrate GCP infrastructure to AWS. Scans Terraform files to extract all resources and generates a cost comparison report with mapping to AWS equivalent services.
aws-amplify Plugin to build full stack apps with Amplify Gen 2. It covers everything from configuring authentication, data, storage, and serverless functions to sandbox deployment and deployment to a production environment.
aws-serverless A plugin that specializes in building serverless architectures using Lambda, API Gateway, EventBridge, and Step Functions. It has a built-in hook that automatically runs sam validate every time you edit a SAM template (template.yaml) and reports errors inline.
amazon-location-service A plugin that adds geospatial functionality such as maps, geocoding, and routing.
install
Requires Claude Code 2.1.29 or later. You will also need to set up AWS CLI credentials in advance.
/plugin marketplace add awslabs/agent-plugins
/plugin install deploy-on-aws@agent-plugins-for-aws
/plugin install migration-to-aws@agent-plugins-for-aws
/plugin install aws-amplify@agent-plugins-for-aws
/plugin install aws-serverless@agent-plugins-for-awsYou can install Cursor by searching for “AWS” on the Cursor Marketplace.
design philosophy
“Instead of pasting long AWS guidance into a prompt, we encode that guidance as a reusable, versioned capability,” the GitHub repo’s README says.
The benefits of plugging in include increased determinism (the same best practices are applied every time), reduced context overhead (doesn’t overwhelm the agent’s context window), and standardization of agent behavior across teams.
The Hooks mechanism is particularly practical, allowing you to incorporate guardrails into your workflow that automatically run certain commands after changing certain files, such as SAM template validation. The cycle for detecting mistakes in infrastructure code before deployment is shortened.
The source code is published under the Apache-2.0 license at awslabs/agent-plugins.
GitHub Code Security’s AI-driven vulnerability detection
On the same day, GitHub announced that it will add “AI-powered security detections” to GitHub Code Security. By combining static analysis with CodeQL and AI detection, it becomes possible to detect vulnerabilities in Shell/Bash, Dockerfile, Terraform, and PHP on a pull request basis, which were previously not covered. Public preview is scheduled for early Q2 2026.
Why combine AI?
Modern repositories consist not only of application code, but also a diverse ecosystem of shell scripts, Dockerfiles, Terraform configurations (HCL), PHP scripts, and more. CodeQL is good at deep semantic analysis, but the supported languages and configuration file types are limited. AI detection plays a role in supplementing areas outside of CodeQL’s coverage.
The mechanism is a hybrid selection type. When a pull request is opened, GitHub Code Security automatically analyzes the changes and chooses the most appropriate detection method. If the language is supported by CodeQL, use CodeQL, otherwise use AI-powered detections. Detection results are displayed in a unified format within PR.
Vulnerabilities that can be detected
AI detection primarily targets three types of problems.
Dangerous query command constructed with string concatenation
Detect patterns such as combining user input directly into commands in shell scripts, and building SQL queries with string concatenation in PHP. This is a classic problem that leads to command injection and SQL injection.
Use of insecure cryptographic algorithms
Detects the use of cryptographic algorithms that are now deprecated, such as MD5 and SHA-1. This also includes settings with insufficient key lengths and the use of insecure modes.
Infrastructure configuration mistake
Detect cases where API keys and authentication information are written directly to ENV instructions in Dockerfile, settings where resources are unintentionally exposed to the public in Terraform, etc. IaC code, like application code, contains security risks, but until now it has been difficult to benefit from static analysis.
Integration with Copilot Autofix
When AI detection finds a problem, Copilot Autofix automatically generates a fix. Developers can see, test, and apply fixes during PR code reviews. Everything from detection to remediation is completed within the PR workflow, eliminating the need for escalation to the security team or switching to another tool.
The effectiveness of Copilot Autofix has also been confirmed by existing data. Autofix fixed over 460,000 security alerts in 2025. The average resolution time with Autofix was 0.66 hours, and without it was 1.29 hours, a difference of nearly twice that.
The feature was tested for 30 days prior to the announcement and produced over 170,000 detections. Positive reviews from developers were over 80%.
When to force enforcement
From a security team’s perspective, the important question is “where can we enforce the rules?” If risks are discovered in the production environment after deployment, the cost of remediation increases. GitHub Code Security allows you to enforce enforcement at PR merge points, allowing you to block problematic code before it enters your default branch.
GitHub describes this feature as part of its “agentic detection platform.” Positioned as a foundation for integrating security detection, code quality checking, and code review experiences across developer workflows, RSAC 2026 (GitHub booth #2327) will demonstrate the integration of hybrid detection, automatic remediation, and platform governance.