
Rule: CodeBuild GitHub or Bitbucket Source Repository URLs Should Use OAuth

This rule ensures that CodeBuild projects are configured to use OAuth for GitHub or Bitbucket source repository URLs.

Rule: CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Critical

Ensuring CodeBuild GitHub or Bitbucket Repository URLs Use OAuth for NIST CSF Compliance

Overview of the Rule

Amazon Web Services (AWS) CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy. For enhanced security and compliance with the NIST Cybersecurity Framework, it is recommended that AWS CodeBuild projects use OAuth tokens when integrating with GitHub or Bitbucket repositories. OAuth tokens enable CodeBuild to connect to these repositories securely without the need to store personal credentials.

Remediation Steps

Step 1: Verify Current Repository Authentication Method

Check if existing CodeBuild projects are using OAuth tokens or basic authentication (username and password) for the source repository URL.

CLI command to list the current source for all CodeBuild projects:

aws codebuild list-projects --query 'projects[]' --output text | xargs -n1 aws codebuild batch-get-projects --names

Examine the source attribute of each project in the output and look for any source repository URL that is not using an OAuth token (an auth type other than OAUTH, or no auth at all).
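As an added example (not part of the original rule page or any CloudDefense tooling), the following script audits the JSON that aws codebuild batch-get-projects returns: for every GITHUB, GITHUB_ENTERPRISE or BITBUCKET source and secondary source it reports projects whose auth type is not OAUTH or whose repository URL carries embedded basic-auth credentials. The sample output embedded below is constructed, and treating GITHUB_ENTERPRISE like GITHUB is an assumption you may adjust.

```python
import json
import sys
from urllib.parse import urlsplit

# Source types this rule covers (assumption: GITHUB_ENTERPRISE is handled like GITHUB).
GIT_HOSTING_TYPES = {"GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET"}


def _source_findings(project_name, src, label):
    """Return a list of findings for one source or secondary-source entry."""
    findings = []
    if src.get("type") not in GIT_HOSTING_TYPES:
        return findings  # S3, CODECOMMIT, etc. are out of scope for this rule
    auth_type = (src.get("auth") or {}).get("type")
    if auth_type != "OAUTH":
        findings.append(f"{project_name}/{label}: auth type is {auth_type or 'NONE'}, expected OAUTH")
    # user:password@host in the clone URL means basic auth, not OAuth
    parts = urlsplit(src.get("location", ""))
    if parts.username or parts.password:
        findings.append(f"{project_name}/{label}: credentials embedded in repository URL")
    return findings


def audit_projects(batch_get_projects_output):
    """Audit parsed `aws codebuild batch-get-projects` JSON.
    Returns {project_name: [finding, ...]} containing only non-compliant projects."""
    results = {}
    for project in batch_get_projects_output.get("projects", []):
        name = project["name"]
        findings = _source_findings(name, project.get("source", {}), "source")
        for i, sec in enumerate(project.get("secondarySources", [])):
            findings += _source_findings(name, sec, f"secondarySources[{i}]")
        if findings:
            results[name] = findings
    return results


# Constructed sample in the shape of batch-get-projects output (not real projects or tokens).
SAMPLE_OUTPUT = {"projects": [
    {"name": "api-build",
     "source": {"type": "GITHUB", "location": "https://github.com/example-org/api.git",
                "auth": {"type": "OAUTH", "resource": "EXAMPLE_TOKEN"}}},
    {"name": "legacy-build",
     "source": {"type": "BITBUCKET",
                "location": "https://ci-user:EXAMPLE_SECRET@bitbucket.org/example-org/legacy.git"}},
    {"name": "artifact-build",
     "source": {"type": "S3", "location": "example-bucket/src.zip"},
     "secondarySources": [{"type": "GITHUB", "location": "https://github.com/example-org/lib.git",
                           "auth": {"type": "OAUTH", "resource": "EXAMPLE_TOKEN"}}]},
]}

if __name__ == "__main__":
    # Usage: aws codebuild batch-get-projects --names p1 p2 | python audit_codebuild_oauth.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for findings in audit_projects(data).values():
        print("\n".join(findings))
```

Run with no stdin to see the constructed sample audited; piping real batch-get-projects output audits your own projects.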

Step 2: Update Repository URLs to Use OAuth

If any CodeBuild source repository URLs are not using OAuth, they will need to be updated to comply with NIST CSF standards.

For GitHub:

Steps to generate and use an OAuth token:

  1. Go to GitHub and navigate to Settings > Developer settings > Personal access tokens.
  2. Select Generate new token.
  3. Choose the scopes or permissions you would like to grant this token. For AWS CodeBuild, select repo and admin:repo_hook for full control of private repositories.
  4. Generate the token and copy it to a secure location.

Updating the CodeBuild Project with the OAuth token:

aws codebuild update-project --name my-codebuild-project \
    --source type=GITHUB,location='https://github.com/my-repo/my-project.git',auth={type=OAUTH,resource=MY_OAUTH_TOKEN}

Replace my-codebuild-project with your project's name, https://github.com/my-repo/my-project.git with your GitHub repository URL, and MY_OAUTH_TOKEN with the token you generated.

For Bitbucket:

Steps to generate and use an OAuth token:

  1. Log in to your Bitbucket account.
  2. Navigate to your Bitbucket settings and select Access Management > OAuth.
  3. Click on Add consumer.
  4. Enter the required details and set the permissions for repositories.
  5. Save the consumer, and then use the generated key and secret to create an OAuth token.

Updating the CodeBuild project with the OAuth token:

aws codebuild update-project --name my-codebuild-project \
    --source type=BITBUCKET,location='https://bitbucket.org/my-repo/my-project.git',auth={type=OAUTH,resource=MY_OAUTH_TOKEN}

Replace my-codebuild-project with your CodeBuild project's name, https://bitbucket.org/my-repo/my-project.git with your Bitbucket repository URL, and MY_OAUTH_TOKEN with the token you generated.

Troubleshooting Steps

  • If builds fail after changing to OAuth, verify the OAuth token has the correct permissions.
  • Ensure the OAuth token has not expired or been revoked.
  • Make sure there are no typos in your CLI command when updating the CodeBuild source configuration.

By following the above remediation steps carefully, your AWS CodeBuild project configuration should be updated to use OAuth tokens, enhancing security in line with the NIST Cybersecurity Framework.
