Ensure CodeBuild Project Source Repository URLs Do Not Contain Sensitive Credentials
Overview
This check verifies that AWS CodeBuild project source repository URLs do not contain embedded credentials such as personal access tokens (PATs) or username/password combinations. Credentials should never be hardcoded in repository URLs.
Risk
Embedding credentials directly in repository URLs is a critical security vulnerability:
- Credential exposure: Tokens and passwords appear in plain text in CloudFormation templates, Terraform state files, AWS Console, and CloudTrail logs
- Unauthorized access: Attackers who discover these credentials can access your source code repositories
- Supply chain attacks: Compromised tokens may allow malicious code commits or CI/CD pipeline manipulation
- Lateral movement: Exposed credentials often grant access to other systems where the same tokens are reused
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to modify CodeBuild projects
- Access to your source code provider (GitHub, Bitbucket, GitLab) to authorize a connection
Required IAM permissions
To remediate this issue, you need the following IAM permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:UpdateProject",
        "codebuild:BatchGetProjects",
        "codestar-connections:CreateConnection",
        "codestar-connections:GetConnection",
        "codestar-connections:ListConnections"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
Step 1: Create a secure connection to your source provider
- Open the AWS Developer Tools Console
- Click Create connection
- Select your provider (GitHub, Bitbucket, or GitLab)
- Enter a connection name (e.g., my-github-connection)
- Click Connect to GitHub (or your provider)
- In the popup window, authorize AWS to access your repositories
- Click Install a new app if prompted, then select which repositories to allow
- Click Connect to finish
Step 2: Update the CodeBuild project
- Open the CodeBuild Console
- Select the project with the failing check
- Click Edit then Source
- Under Source provider, confirm your provider is selected
- For Connection, choose the connection you created in Step 1
- Update the Repository URL to remove any credentials. Use the clean format:
  - GitHub: https://github.com/<owner>/<repo>
  - Bitbucket: https://bitbucket.org/<workspace>/<repo>
  - GitLab: https://gitlab.com/<group>/<repo>
- Click Update source
Step 3: Check secondary sources (if applicable)
If your project uses secondary sources:
- On the project page, click Edit then Secondary sources
- Review each secondary source URL for embedded credentials
- Update any URLs that contain tokens or passwords
AWS CLI
Step 1: Create a CodeStar Connection
aws codestar-connections create-connection \
--provider-type GitHub \
--connection-name my-github-connection \
--region us-east-1
Note the ConnectionArn from the output. The connection will be in PENDING status until you complete the handshake in the AWS Console.
Step 2: Complete the connection handshake
You must complete this step in the AWS Console:
- Go to Developer Tools Settings > Connections
- Find your pending connection and click Update pending connection
- Authorize the connection with your source provider
Step 3: Get current project configuration
aws codebuild batch-get-projects \
--names <your-project-name> \
--region us-east-1 \
--query 'projects[0].source' \
--output json
Step 4: Update the project source
aws codebuild update-project \
  --name <your-project-name> \
  --source '{
    "type": "GITHUB",
    "location": "https://github.com/<owner>/<repo>",
    "auth": {
      "type": "CODECONNECTIONS",
      "resource": "<connection-arn>"
    }
  }' \
  --region us-east-1
Replace <your-project-name>, <owner>/<repo>, and <connection-arn> with your actual values.
CloudFormation
This template creates a CodeBuild project with a secure OAuth-based source connection:
AWSTemplateFormatVersion: '2010-09-09'
Description: CodeBuild project with secure source connection (no embedded credentials)
Parameters:
  ProjectName:
    Type: String
    Description: Name of the CodeBuild project
  ConnectionArn:
    Type: String
    Description: ARN of the CodeStar Connection for repository access
  RepositoryUrl:
    Type: String
    Description: Repository URL without credentials (e.g., https://github.com/org/repo)
  ServiceRoleArn:
    Type: String
    Description: ARN of the IAM service role for CodeBuild
Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref ProjectName
      Description: CodeBuild project with secure OAuth-based source access
      ServiceRole: !Ref ServiceRoleArn
      Source:
        Type: GITHUB
        Location: !Ref RepositoryUrl
        Auth:
          Type: CODECONNECTIONS
          Resource: !Ref ConnectionArn
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
      Artifacts:
        Type: NO_ARTIFACTS
Outputs:
  ProjectArn:
    Description: ARN of the CodeBuild project
    Value: !GetAtt CodeBuildProject.Arn
Important: You must create the CodeStar Connection separately and complete the OAuth handshake in the AWS Console before using the connection ARN in this template.
Terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "project_name" {
  description = "Name of the CodeBuild project"
  type        = string
}

variable "repository_url" {
  description = "Repository URL without credentials"
  type        = string
}

variable "connection_arn" {
  description = "ARN of the CodeStar Connection"
  type        = string
}

variable "service_role_arn" {
  description = "ARN of the IAM service role for CodeBuild"
  type        = string
}

resource "aws_codebuild_project" "secure_project" {
  name         = var.project_name
  description  = "CodeBuild project with secure OAuth-based source access"
  service_role = var.service_role_arn

  source {
    type            = "GITHUB"
    location        = var.repository_url
    git_clone_depth = 1

    auth {
      type     = "CODECONNECTIONS"
      resource = var.connection_arn
    }
  }

  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"
  }

  artifacts {
    type = "NO_ARTIFACTS"
  }
}

output "project_arn" {
  description = "ARN of the CodeBuild project"
  value       = aws_codebuild_project.secure_project.arn
}
Important: Create the CodeStar Connection separately, either with the aws_codestar_connections_connection resource or manually in the console, then complete the OAuth handshake before referencing the connection ARN.
Verification
After remediation, verify the fix:
- Open the CodeBuild Console
- Select your project and click Edit then Source
- Confirm the repository URL does not contain any tokens, usernames, or passwords
- Check that Connection shows your CodeStar Connection name
- Run a test build to confirm the project can still access the repository
CLI verification
# Check the source configuration
aws codebuild batch-get-projects \
--names <your-project-name> \
--region us-east-1 \
--query 'projects[0].source.location' \
--output text
The output should show a clean URL without any embedded credentials (no @ symbol with credentials before the domain).
# Verify auth type is CODECONNECTIONS
aws codebuild batch-get-projects \
--names <your-project-name> \
--region us-east-1 \
--query 'projects[0].source.auth.type' \
--output text
The output should be CODECONNECTIONS.
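The same check can be automated across every project and its secondary sources. The script below is an added example, not part of this guide or of AWS tooling: it parses the JSON that aws codebuild batch-get-projects returns and flags any source location whose authority carries userinfo (a token, or user:password) before the @. The embedded response is a constructed sample with placeholder names, tokens and ARNs so the script runs offline.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like `aws codebuild batch-get-projects` output;
# every name, token and ARN below is a fake placeholder.
SAMPLE_RESPONSE = json.dumps({"projects": [
    {"name": "app-build",
     "source": {"type": "GITHUB", "auth": {"type": "OAUTH"},
                "location": "https://ghp_EXAMPLETOKEN@github.com/acme/app"},
     "secondarySources": [
         {"type": "BITBUCKET", "sourceIdentifier": "libs",
          "location": "https://svc-user:S3cretPass@bitbucket.org/acme/libs"},
         {"type": "GITHUB", "sourceIdentifier": "tools",
          "location": "https://github.com/acme/tools"}]},
    {"name": "clean-build",
     "source": {"type": "GITHUB", "location": "https://github.com/acme/clean",
                "auth": {"type": "CODECONNECTIONS",
                         "resource": "arn:aws:codestar-connections:us-east-1:111111111111:connection/EXAMPLE"}}},
]})

def has_embedded_credentials(location: str) -> bool:
    """True when the URL authority carries userinfo (token, user or user:pass) before '@'.
    scp-style SSH locations such as git@host:owner/repo have no authority and are not flagged."""
    parts = urlsplit(location)
    return bool(parts.username or parts.password)

def redact(location: str) -> str:
    """Drop the userinfo part so a finding can be logged without re-exposing the secret."""
    parts = urlsplit(location)
    return parts._replace(netloc=parts.netloc.rpartition("@")[2]).geturl()

def find_credential_leaks(response_json: str) -> list:
    """Return (project name, source label, redacted location) for every failing source."""
    findings = []
    for project in json.loads(response_json).get("projects", []):
        # The check covers the primary source and every secondary source.
        sources = [("primary", project.get("source", {}))]
        sources += [(s.get("sourceIdentifier", "secondary"), s)
                    for s in project.get("secondarySources", [])]
        for label, src in sources:
            loc = src.get("location", "")
            if loc and has_embedded_credentials(loc):
                findings.append((project["name"], label, redact(loc)))
    return findings

if __name__ == "__main__":
    for name, label, loc in find_credential_leaks(SAMPLE_RESPONSE):
        print(f"FAIL {name} [{label}]: {loc}")
```

To run it against a real account, pipe the output of aws codebuild batch-get-projects --names ... --output json into find_credential_leaks instead of SAMPLE_RESPONSE.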
Additional Resources
- AWS CodeBuild Source Provider Documentation
- AWS CodeStar Connections User Guide
- Working with Connections in AWS CodeBuild
- AWS Security Hub CodeBuild Controls
Notes
- Connection handshake required: CodeStar Connections must be authorized via the AWS Console. The CLI can create the connection, but OAuth authorization requires a browser.
- Existing tokens: After switching to OAuth, revoke any personal access tokens that were previously embedded in URLs.
- Repository permissions: Ensure the OAuth connection has appropriate permissions for the repositories your CodeBuild project needs to access.
- Secondary sources: Remember to check and update all secondary sources, not just the primary source.
- Compliance frameworks: This check is part of AWS Foundational Security Best Practices, PCI-DSS, and several other compliance frameworks.