Control: CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
Description
Ensure that AWS CodeBuild projects whose source is a GitHub or Bitbucket repository connect through OAuth, rather than embedding a personal access token or a user name and password in the source repository URL.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.codebuild_project_source_repo_oauth_configured
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.codebuild_project_source_repo_oauth_configured --share
SQL
This control uses a named query:
with codebuild_projects as (
  select * from terraform_resource where type = 'aws_codebuild_project'
), codebuild_source_credential as (
  select * from terraform_resource where type = 'aws_codebuild_source_credential'
)
select
  a.address as resource,
  case
    when (a.attributes_std -> 'source' ->> 'type') not in ('GITHUB', 'BITBUCKET') then 'skip'
    when (b.attributes_std ->> 'auth_type') = 'OAUTH' then 'ok'
    else 'alarm'
  end as status,
  split_part(a.address, '.', 2) ||
  case
    when (a.attributes_std -> 'source' ->> 'type') = 'NO_SOURCE' then ' doesn''t have input source code.'
    when (a.attributes_std -> 'source' ->> 'type') not in ('GITHUB', 'BITBUCKET') then ' source code isn''t in GitHub/Bitbucket repository'
    when (b.attributes_std ->> 'auth_type') = 'OAUTH' then ' using OAuth to connect source repository'
    else ' not using OAuth to connect source repository'
  end || '.' reason
  , a.path || ':' || a.start_line
from
  codebuild_projects as a
  left join codebuild_source_credential as b
    on (b.attributes_std -> 'server_type') = (a.attributes_std -> 'source' -> 'type');
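The control above decides purely from the presence of an aws_codebuild_source_credential resource with auth_type OAUTH for the matching server_type; it never inspects the project's source location, so a repository URL that carries userinfo (https://user:token@github.com/org/repo.git) still passes as long as an OAuth credential resource exists somewhere in the scanned Terraform. The query below is an added example, not part of the mod, that extends the same check to also alarm on credentials embedded in the URL. It assumes the terraform_resource columns the control already uses (address, type, attributes_std, path, start_line) and that source.location holds the repository URL; the userinfo regex is an assumption about how such URLs are written.

```sql
-- Added example (not from the terraform_aws_compliance mod): alarm when a GitHub/Bitbucket
-- CodeBuild source either embeds credentials in its URL or has no OAUTH source credential.
with codebuild_projects as (
  select * from terraform_resource where type = 'aws_codebuild_project'
),
oauth_credentials as (
  -- Only OAUTH credentials count; BASIC_AUTH / PERSONAL_ACCESS_TOKEN are what the control should reject.
  select distinct attributes_std ->> 'server_type' as server_type
  from terraform_resource
  where type = 'aws_codebuild_source_credential'
    and attributes_std ->> 'auth_type' = 'OAUTH'
)
select
  p.address as resource,
  case
    when (p.attributes_std -> 'source' ->> 'type') not in ('GITHUB', 'BITBUCKET') then 'skip'
    -- Assumed URL shape: scheme://<userinfo>@host/...  e.g. https://user:token@github.com/org/repo.git
    -- or https://ghp_xxx@github.com/org/repo.git; any '@' before the first '/' of the authority is userinfo.
    when (p.attributes_std -> 'source' ->> 'location') ~ '^[A-Za-z][A-Za-z0-9+.-]*://[^/@]+@' then 'alarm'
    when c.server_type is not null then 'ok'
    else 'alarm'
  end as status,
  split_part(p.address, '.', 2) ||
  case
    when (p.attributes_std -> 'source' ->> 'type') = 'NO_SOURCE' then ' doesn''t have input source code'
    when (p.attributes_std -> 'source' ->> 'type') not in ('GITHUB', 'BITBUCKET') then ' source code isn''t in GitHub/Bitbucket repository'
    when (p.attributes_std -> 'source' ->> 'location') ~ '^[A-Za-z][A-Za-z0-9+.-]*://[^/@]+@' then ' embeds credentials in the source repository URL'
    when c.server_type is not null then ' using OAuth to connect source repository'
    else ' has no OAUTH source credential for its repository type'
  end || '.' as reason
  , p.path || ':' || p.start_line
from
  codebuild_projects as p
  -- aws_codebuild_source_credential is per server type, not per project, so join on server_type
  -- exactly as the control does; 'distinct' above keeps one row per type.
  left join oauth_credentials as c
    on c.server_type = (p.attributes_std -> 'source' ->> 'type');
```

A null location (or a location without userinfo) makes the regex branch false and the decision falls through to the credential check, so projects that already pass the original control keep passing unless their URL carries an embedded secret.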