
CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth Rule

This rule ensures that CodeBuild project source repository URLs are configured to use OAuth for GitHub or Bitbucket.

Rule: CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
Framework: FedRAMP Moderate Revision 4
Severity: Critical

Rule Description: To comply with FedRAMP Moderate Revision 4, any CodeBuild source repository URL for GitHub or Bitbucket must use OAuth for authentication rather than credentials carried in the URL itself. This keeps access to the source code repositories secure and helps protect sensitive data.

Troubleshooting Steps: If you encounter issues or errors while setting up OAuth for GitHub or Bitbucket source repository URLs in CodeBuild, work through the following:

  1. Verify OAuth Configuration: Ensure that the OAuth configuration for the chosen source repository is correctly set up. Double-check the client ID, client secret, and callback URL.

  2. Check Repository Access Permissions: Confirm that the CodeBuild service has the necessary permissions to access the repository. Make sure the OAuth token provided has the required scopes (e.g., read-only or read/write access) to avoid authentication failures.

  3. Review Error Messages: Carefully review any error messages displayed during the OAuth setup process. The messages often give useful guidance on what is causing the issue.

  4. Verify OAuth Permissions: If authentication fails or returns an error, confirm that the OAuth token associated with CodeBuild has the necessary permissions to interact with the GitHub or Bitbucket repository.

Necessary Code: The Terraform definitions below show a CodeBuild project whose GitHub or Bitbucket source is reached through the account's OAuth connection. The provider's source block has no oauth_token argument, and the CodeBuild ImportSourceCredentials API does not accept the OAUTH type, so the OAuth connection is authorized in the CodeBuild console and the project then uses it by source type. What the project definition must guarantee is that the location is a plain repository URL with no token or user:password embedded in it.

For GitHub:

resource "aws_codebuild_project" "example_project" {
  # Other project configurations

  source {
    type                = "GITHUB"
    # Plain HTTPS URL of the repository. Never embed a token or user:password here;
    # the OAuth authorization is held by CodeBuild at the account level.
    location            = "<<GITHUB_REPOSITORY_URL>>"
    report_build_status = true
  }

  # Other project configurations
}

For Bitbucket:

resource "aws_codebuild_project" "example_project" {
  # Other project configurations

  source {
    type                = "BITBUCKET"
    # Plain HTTPS URL of the repository, with no app password or user:password in it;
    # the OAuth authorization is held by CodeBuild at the account level.
    location            = "<<BITBUCKET_REPOSITORY_URL>>"
    report_build_status = true
  }

  # Other project configurations
}

Note: Replace <<GITHUB_REPOSITORY_URL>> and <<BITBUCKET_REPOSITORY_URL>> with the plain HTTPS URLs of your repositories. The OAuth connection itself is authorized once per account and region in the CodeBuild console (Connect to GitHub or Connect to Bitbucket); a project of the matching source type picks up that connection, so no credential belongs in the project definition or in the URL.

Step-by-Step Guide for Remediation:

Follow the step-by-step guide below to ensure CodeBuild GitHub or Bitbucket source repository URLs use OAuth for FedRAMP Moderate Revision 4 compliance:

  1. Determine the repository type: Identify whether the CodeBuild project uses GitHub or Bitbucket as the source repository.

  2. Generate an OAuth token: For the respective repository, generate an OAuth token or locate an existing one with appropriate permissions. Ensure the token has access to the necessary repositories and scopes (read-only or read/write).

  3. Update CodeBuild configuration: Locate the CodeBuild project configuration, whether in CloudFormation, the AWS CLI, or Terraform. Modify the project definition so that it references the repository URL and the OAuth connection as shown in the code examples provided earlier.

  4. Apply the changes: Apply the updated configuration to your CodeBuild project using the appropriate deployment method. This may mean running a CloudFormation update-stack command, an AWS CLI command, or a Terraform apply.

  5. Test the build: Trigger a build in CodeBuild and verify that it can access the GitHub or Bitbucket repository using OAuth authentication. Monitor the build logs and check for any authentication-related errors.

By following these steps, your CodeBuild projects that use GitHub or Bitbucket as the source repository will meet the FedRAMP Moderate Revision 4 requirement by authenticating through OAuth.
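As an added example (not part of this page or of the AWS provider), the following Python script applies the check this rule expresses, both as the first troubleshooting step and as the verification for the last remediation step: a GitHub or Bitbucket source passes only when its location URL carries no user:password or token and its auth type is OAUTH; other source types are skipped. The project records are constructed to mirror the fields of a `batch_get_projects` response so the audit runs offline; in practice, feed it `boto3.client("codebuild").batch_get_projects(names=[...])["projects"]`. The project names and repository URLs are made up.

```python
"""Audit CodeBuild project definitions for the rule
"GitHub or Bitbucket source repository URLs should use OAuth"."""
from urllib.parse import urlsplit

# Source types the rule applies to; everything else is out of scope.
SOURCE_TYPES_IN_SCOPE = {"GITHUB", "BITBUCKET"}


def url_embeds_credentials(location: str) -> bool:
    """True when the repository URL carries a token or user:password in its userinfo part."""
    parts = urlsplit(location)
    return bool(parts.username or parts.password)


def evaluate_source(source: dict) -> str:
    """Return 'skip', 'ok' or 'alarm' for one ProjectSource-shaped dict."""
    if source.get("type") not in SOURCE_TYPES_IN_SCOPE:
        return "skip"
    if url_embeds_credentials(source.get("location", "")):
        return "alarm"  # credentials in the URL are exactly what the rule forbids
    auth_type = (source.get("auth") or {}).get("type")
    return "ok" if auth_type == "OAUTH" else "alarm"


def audit_projects(projects: list[dict]) -> dict[str, str]:
    """Map project name -> verdict, covering the primary source and any secondary sources.
    One failing source is enough to put the whole project in alarm."""
    results: dict[str, str] = {}
    for project in projects:
        verdicts = [evaluate_source(project.get("source", {}))]
        verdicts += [evaluate_source(s) for s in project.get("secondarySources", [])]
        if "alarm" in verdicts:
            results[project["name"]] = "alarm"
        elif "ok" in verdicts:
            results[project["name"]] = "ok"
        else:
            results[project["name"]] = "skip"
    return results


# Constructed sample projects (fictional names and repositories), shaped like
# the "projects" list returned by batch_get_projects.
SAMPLE_PROJECTS = [
    {  # OAuth connection, clean URL -> ok
        "name": "web-app",
        "source": {
            "type": "GITHUB",
            "location": "https://github.com/example-org/web-app.git",
            "auth": {"type": "OAUTH", "resource": "placeholder-oauth-resource"},
        },
    },
    {  # app password embedded in the URL -> alarm
        "name": "legacy-build",
        "source": {
            "type": "BITBUCKET",
            "location": "https://buildbot:app-password@bitbucket.org/example-org/legacy.git",
        },
    },
    {  # CodeCommit is outside the rule's scope -> skip
        "name": "internal-lib",
        "source": {
            "type": "CODECOMMIT",
            "location": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/internal-lib",
        },
    },
    {  # clean URL but no OAuth auth block -> alarm
        "name": "api",
        "source": {"type": "GITHUB", "location": "https://github.com/example-org/api.git"},
    },
]

if __name__ == "__main__":
    for name, verdict in audit_projects(SAMPLE_PROJECTS).items():
        print(f"{name}: {verdict}")
```

A project that registers a personal access token through CodeBuild source credentials instead of an OAuth connection returns no `auth` block and is reported as `alarm`, which is what this rule as stated requires; the `legacy-build` case shows the URL-embedded credential the rule title is about, flagged before the auth type is even consulted.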
