Control: 1 CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
Description
This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.
Authentication credentials should never be stored or transmitted in clear text, and should never appear in the repository URL. Instead of personal access tokens or a user name and password, use OAuth to grant authorization for accessing GitHub or Bitbucket repositories. A personal access token or a user name and password embedded in the URL is visible to anyone who can read the project configuration or its build logs, which can lead to unintended data exposure and unauthorized access.
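The check this control performs can be reproduced locally. The following is an added example, not code from the Powerpipe mod or from AWS; it assumes a constructed list of project source blocks shaped like the CodeBuild ProjectSource API (type, location, auth) and flags GitHub or Bitbucket HTTPS locations whose userinfo part carries a user name and password or a bare token, redacting the credential in the finding.

```python
from urllib.parse import urlsplit

# Constructed sample data (not real projects or credentials); field names
# follow the CodeBuild ProjectSource shape: type, location, auth.
SAMPLE_PROJECTS = [
    {"name": "app-ci", "source": {"type": "GITHUB",
        "location": "https://github.com/example-org/app.git",
        "auth": {"type": "OAUTH"}}},
    {"name": "legacy-build", "source": {"type": "BITBUCKET",
        "location": "https://builduser:hunter2@bitbucket.org/example/legacy.git"}},
    {"name": "token-build", "source": {"type": "GITHUB",
        "location": "https://ghp_EXAMPLETOKEN@github.com/example-org/tool.git"}},
    {"name": "s3-build", "source": {"type": "S3",
        "location": "example-bucket/source.zip"}},
]

GIT_HOSTED_TYPES = ("GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET")


def url_embeds_credentials(location: str) -> bool:
    """True when an http(s) URL carries userinfo: user:password or a bare token."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False
    return bool(parts.username or parts.password)


def redact(location: str) -> str:
    """Mask the userinfo so a finding does not leak the credential it flags."""
    parts = urlsplit(location)
    if not (parts.username or parts.password):
        return location
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return parts._replace(netloc="***@" + netloc).geturl()


def evaluate(project: dict) -> tuple[str, str]:
    """Return (status, reason) using the control's skip/ok/alarm vocabulary."""
    source = project.get("source", {})
    location = source.get("location", "")
    if source.get("type") not in GIT_HOSTED_TYPES:
        return "skip", f"{project['name']} source type is not GitHub/Bitbucket"
    if url_embeds_credentials(location):
        return "alarm", f"{project['name']} embeds credentials: {redact(location)}"
    return "ok", f"{project['name']} source URL contains no credentials"


def run_control(projects: list[dict]) -> list[tuple[str, str]]:
    return [evaluate(p) for p in projects]


if __name__ == "__main__":
    for status, reason in run_control(SAMPLE_PROJECTS):
        print(f"{status:5} {reason}")
```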
Remediation
You can update your CodeBuild project to use OAuth.
To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source
- Open the CodeBuild console.
- Choose the build project that contains personal access tokens or a user name and password.
- From Edit, choose Source.
- Choose Disconnect from GitHub / Bitbucket.
- Choose Connect using OAuth, then choose Connect to GitHub / Bitbucket.
- When prompted, choose authorize as appropriate.
- Reconfigure your repository URL and additional configuration settings, as needed.
- Choose Update source.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_codebuild_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_codebuild_1 --share
SQL
This control uses a named query:
codebuild_project_source_repo_oauth_configured