CodeBuild Blacklisted Source Providers

This plugin ensures that CodeBuild projects are using only valid source providers.

Risk Level: Low

Description

This plugin ensures that CodeBuild projects are using only valid source providers. CodeBuild should use only desired source providers in order to follow your organization’s security and compliance requirements.

Configuration Parameters


Disallowed Source Providers: This parameter denotes the invalid/disallowed source providers. AWS CodeBuild supports code from various sources such as bitbucket, codecommit, codepipeline, github, github_enterprise and s3. 

By default, the value is empty, therefore it will not return a vulnerability alert in any case. 

About the Service

AWS CodeBuild: AWS CodeBuild is a continuous integration service that offers the complete pipeline of deploying source code in a specified runtime environment. It manages and integrates the complete process of compiling source code, running tests, and in the end, producing software packages that are ready to deploy.

Impact

AWS CodeBuild supports various sources from where code can be imported for the project. It is important to follow standard practice for any organisation regarding the code source.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the CodeBuild Management Console. You can use this link (https://console.aws.amazon.com/codebuild) to navigate directly if already logged in. 
  3. Move to the Build projects in the Build section from the left navigation pane.
  4. A list of projects will be displayed. In the Source Provider column, check if it is a valid source or not. If it is in the blacklisted list, the vulnerability exists.
  5. Repeat steps for all the Projects you want to investigate.

Steps for Remediation

Edit CodeBuild project source provider information and remove disallowed source providers.

  1. Log In to your AWS Console.
  2. Open the CodeBuild Management Console. You can use this link (https://console.aws.amazon.com/codebuild) to navigate directly if already logged in. 
  3. Move to the Build projects in the Build section from the left navigation pane.
  4. A list of projects will be displayed. Select the vulnerable project by clicking on its Name. 
  5. From the Edit menu, select the Source option.
  6. From the drop-down menu, select the desired source for your project and click on Update Source after doing the changes.
  7. Repeat steps for all the vulnerable Projects.