Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
26Dashboards
1161Controls
568Queries
2Variables
GitHub
Loading controls...

Control: 1 CodeBuild Bitbucket source repository URLs should not contain sensitive credentials

Description

This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password.

Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories. Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.

Remediation

You can update your CodeBuild project to use OAuth.

To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source

  1. Open the CodeBuild console.
  2. Choose the build project that contains personal access tokens or a user name and password.
  3. From Edit, choose Source.
  4. Choose Disconnect from GitHub / Bitbucket.
  5. Choose Connect using OAuth, then choose Connect to GitHub / Bitbucket.
  6. When prompted, choose authorize as appropriate.
  7. Reconfigure your repository URL and additional configuration settings, as needed.
  8. Choose Update source.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_codebuild_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_codebuild_1 --share

SQL

This control uses a named query:

codebuild_project_source_repo_oauth_configured

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_development
foundational_security_item_id = codebuild_1
plugin = aws
service = AWS/CodeBuild