lacework-global-380
CodeBuild Bitbucket source repository URLs should not contain sensitive credentials (Automated)
Description
This policy checks whether the source repository URL of a CodeBuild project that uses Bitbucket contains a personal access token or a user name and password.
Credentials should never be stored or transmitted in clear text, and a repository URL is clear text: a location such as https://user:password@bitbucket.org/... is saved in the project definition, returned by every describe call that reads the project, and copied into any template or state file that captures it. Instead of embedding a personal access token or a user name and password, connect CodeBuild to Bitbucket through the source provider integration (OAuth from the console, or a credential registered with import-source-credentials) and set the source location to only the HTTPS path of the Bitbucket repository. Credentials left in the URL can result in unintended data exposure or unauthorized access to the repository.
Remediation
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Developer Tools > CodeBuild.
- Select the applicable project.
- Click Edit.
- Under Source, click Disconnect from Bitbucket.
- Select Connect using OAuth, and click Connect to Bitbucket.
- In the pop-up window, click Grant access, then click Confirm and reconfigure the repository URL and additional settings, if needed.
- Click Update project.
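The check described above and the credential-free source block that remediation needs, as an added example; this is not Lacework's or AWS's own policy code. It assumes project descriptions shaped like the `projects` list returned by `aws codebuild batch-get-projects` (a `source` block plus optional `secondarySources`, each with `type` and `location`); the project entries, names and credential values below are constructed for illustration, and the function names are this example's own.

```python
"""Offline check for credentials embedded in CodeBuild Bitbucket source URLs.

Added example, not Lacework's or AWS's own policy code. Input is a list of
project dicts shaped like batch-get-projects output; SAMPLE_PROJECTS below
is constructed data.
"""
from urllib.parse import urlsplit, urlunsplit

BITBUCKET_SOURCE_TYPE = "BITBUCKET"


def embedded_credentials(location: str):
    """Return (username, password) from the URL's userinfo, or None.

    Only the authority part is inspected, so an '@' that appears later in
    the path (for example a tag baked into the repo path) is not a hit.
    """
    parts = urlsplit(location)
    if not parts.username and not parts.password:
        return None
    return (parts.username or "", parts.password or "")


def strip_credentials(location: str) -> str:
    """Rebuild the URL with the userinfo removed; host and port are kept."""
    parts = urlsplit(location)
    netloc = parts.hostname or ""
    if parts.port:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def evaluate_project(project: dict) -> list:
    """One finding per Bitbucket source whose location embeds credentials.

    Primary and secondary sources are both checked. Findings carry the
    redacted URL, never the secret, so they are safe to forward to a SIEM.
    """
    findings = []
    sources = [("primary", project.get("source", {}))]
    for sec in project.get("secondarySources", []):
        sources.append((sec.get("sourceIdentifier", "secondary"), sec))
    for ident, src in sources:
        if src.get("type") != BITBUCKET_SOURCE_TYPE:
            continue
        location = src.get("location", "")
        creds = embedded_credentials(location)
        if creds is None:
            continue
        username, password = creds
        # "x-token-auth" is the user name Bitbucket uses for HTTPS access
        # tokens; anything else with a password is a user name/password pair.
        if username == "x-token-auth":
            kind = "token"
        elif password:
            kind = "password"
        else:
            kind = "username-only"  # flagged conservatively: still userinfo in the URL
        findings.append({
            "project": project.get("name"),
            "source": ident,
            "kind": kind,
            "redacted_location": strip_credentials(location),
        })
    return findings


def remediated_source(src: dict) -> dict:
    """Copy of a source block with a credential-free location.

    This is what to pass as `source` to update-project once the credential
    has been registered with import-source-credentials (or OAuth is used).
    """
    fixed = dict(src)
    fixed["location"] = strip_credentials(src.get("location", ""))
    return fixed


def scan(projects) -> list:
    return [f for p in projects for f in evaluate_project(p)]


SAMPLE_PROJECTS = [  # constructed sample data, not real projects
    {
        "name": "web-build",
        "source": {
            "type": "BITBUCKET",
            "location": "https://alice:s3cretPassw0rd@bitbucket.org/acme/web.git",
        },
    },
    {
        "name": "api-build",
        "source": {"type": "BITBUCKET", "location": "https://bitbucket.org/acme/api.git"},
        "secondarySources": [
            {
                "sourceIdentifier": "shared-libs",
                "type": "BITBUCKET",
                "location": "https://x-token-auth:EXAMPLE-TOKEN-VALUE@bitbucket.org/acme/libs.git",
            }
        ],
    },
    {   # '@' in the path, not in the authority: must not be flagged
        "name": "tagged-build",
        "source": {"type": "BITBUCKET", "location": "https://bitbucket.org/acme/tools@v2.git"},
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROJECTS):
        print(f"{f['project']} ({f['source']}): {f['kind']} in URL; "
              f"set location to {f['redacted_location']}")
```

Run it against live data by replacing SAMPLE_PROJECTS with the `projects` list from `aws codebuild batch-get-projects --names ...` (or boto3 `batch_get_projects`); the findings never include the password or token, only the sanitized location you should write back with update-project after registering the credential out of band.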
References
https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-1
https://docs.aws.amazon.com/cli/latest/reference/codebuild/import-source-credentials.html