lacework-global-380

CodeBuild Bitbucket source repository URLs should not contain sensitive credentials (Automated)

Description

This policy checks whether the CodeBuild project Bitbucket source repository URL contains personal access tokens or a user name and password.

Sign-in credentials should never be stored or transmitted in clear text, and they should not appear in the source repository URL. Instead of embedding personal access tokens or a user name and password in the URL, connect CodeBuild to Bitbucket through the source provider (OAuth, or imported source credentials) and change the source repository URL so that it contains only the path to the Bitbucket repository. A URL that carries a personal access token or sign-in credentials could result in unintended data exposure or unauthorized access.
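The following script is an added example of this check, not Lacework's policy implementation or AWS's own code. It assumes project records in the shape returned by boto3's `codebuild.batch_get_projects` (constructed samples are embedded so it runs offline) and flags any Bitbucket source URL whose authority carries userinfo, which is how a user name/password pair or an `x-token-auth:<token>` pair ends up in the URL; it also scans `secondarySources`, going slightly beyond the primary-source check described above.

```python
"""Flag CodeBuild projects whose Bitbucket source URL embeds credentials.
Added example, not Lacework's policy code; project dicts follow the shape
returned by boto3 codebuild.batch_get_projects."""
from urllib.parse import urlsplit


def url_embeds_credentials(location: str) -> bool:
    """True when the URL authority carries userinfo: 'user:pw@host' or 'token@host'."""
    parts = urlsplit(location)
    return bool(parts.username or parts.password)


def failing_projects(projects):
    """Return (project name, offending URL) for each Bitbucket source, primary or
    secondary, whose location embeds credentials."""
    findings = []
    for project in projects:
        sources = [project.get("source", {})] + project.get("secondarySources", [])
        for src in sources:
            if src.get("type") == "BITBUCKET" and url_embeds_credentials(src.get("location", "")):
                findings.append((project["name"], src["location"]))
    return findings


def fetch_projects(client=None):
    """Pull every project in the account; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the offline sample below runs without it
    client = client or boto3.client("codebuild")
    names = [n for page in client.get_paginator("list_projects").paginate() for n in page["projects"]]
    projects = []
    for i in range(0, len(names), 100):  # batch_get_projects takes at most 100 names per call
        projects.extend(client.batch_get_projects(names=names[i:i + 100])["projects"])
    return projects


# Constructed sample records; the embedded secret values are placeholders.
SAMPLE_PROJECTS = [
    {"name": "clean-build",
     "source": {"type": "BITBUCKET", "location": "https://bitbucket.org/acme/app.git"}},
    {"name": "token-in-url",
     "source": {"type": "BITBUCKET",
                "location": "https://x-token-auth:PLACEHOLDER_TOKEN@bitbucket.org/acme/app.git"}},
    {"name": "password-in-secondary",
     "source": {"type": "CODECOMMIT", "location": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/app"},
     "secondarySources": [{"type": "BITBUCKET",
                           "location": "https://alice:PLACEHOLDER_PW@bitbucket.org/acme/lib.git"}]},
]

if __name__ == "__main__":
    for name, url in failing_projects(SAMPLE_PROJECTS):  # prints the two violating projects
        print(f"FAIL {name}: {url}")
```

Replace `SAMPLE_PROJECTS` with `fetch_projects()` to run the same check against a live account.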

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Developer Tools > CodeBuild.
  4. Select the applicable project.
  5. Click Edit.
  6. Under Source, click Disconnect from Bitbucket.
  7. Select Connect using OAuth, and click Connect to Bitbucket.
  8. In the pop-up window, click Grant access, then click Confirm and reconfigure the repository URL and additional settings, if needed.
  9. Click Update project.

References

https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-1
https://docs.aws.amazon.com/cli/latest/reference/codebuild/import-source-credentials.html