Open mskrip opened 7 months ago
Thanks for reporting! It looks like the CodeBuild Project CloudFormation resource has also had a number of updates, including SourceAuth being a console-only feature.
All to say that this rule needs some serious rework
What is the problem?
The current implementation of the check for CodeBuildProjectSourceRepoUrl checks if the source of the CodeBuild project has OAUTH as its authentication type. The description of the rule says this should be applied only for GitHub or BitBucket sources, but as far as I understand the implementation it ignores that part. Moreover, the current description of the rule is different now (https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html).
Old:
The Codebuild project which utilizes either a GitHub or BitBucket repository does not utilize OAuth.
New:
Checks if the Bitbucket source repository URL contains sign-in credentials or not. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.
Reproduction Steps
I noticed this when creating a CDK pipeline with Github repo as source for it through a CodeStar connection:
This pipeline AFAIK creates 2 CodeBuild projects, none of which have GitHub as their source; instead the source for them is CODE_PIPELINE.
What did you expect to happen?
I expected the check for CodeBuildProjectSourceRepoUrl to just pass.
What actually happened?
It didn't.
cdk-nag version
2.28.27
Language
Python
Other information
No response
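To make the scoping point of this report concrete, here is an added, stand-alone example (not cdk-nag's own rule code) that evaluates a CloudFormation AWS::CodeBuild::Project Source block the way the current Config rule description reads: only repository-URL sources (GitHub/BitBucket) are in scope, and a URL that embeds sign-in credentials is NON_COMPLIANT. A CODE_PIPELINE source therefore falls out of scope instead of failing. The Source property names (Type, Location) follow CloudFormation; the sample sources are constructed for this example.

```python
from urllib.parse import urlparse

# Source types the rule description scopes to (GitHub or BitBucket in the old text,
# BitBucket in the new one). Anything else, e.g. a pipeline-fed source, is out of scope.
REPO_SOURCE_TYPES = {"GITHUB", "BITBUCKET"}


def url_has_sign_in_credentials(url: str) -> bool:
    """True if the repository URL carries userinfo (a user name and/or a password)."""
    parsed = urlparse(url)
    return bool(parsed.username or parsed.password)


def evaluate_source_repo_url(source: dict) -> str:
    """Evaluate one CodeBuild Project Source block.

    Returns NOT_APPLICABLE for sources that are not repository URLs (the
    CODE_PIPELINE case from the report), NON_COMPLIANT when the Location URL
    embeds sign-in credentials, and COMPLIANT otherwise.
    """
    source_type = source.get("Type", "")
    if source_type not in REPO_SOURCE_TYPES:
        return "NOT_APPLICABLE"
    if url_has_sign_in_credentials(source.get("Location", "")):
        return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample Source blocks (not from any real template).
SAMPLE_SOURCES = {
    # Source handed over by CodePipeline, as in the report: no repository URL at all.
    "pipeline_fed": {"Type": "CODE_PIPELINE"},
    # BitBucket URL with userinfo embedded: the case the rule is meant to flag.
    "bitbucket_with_creds": {
        "Type": "BITBUCKET",
        "Location": "https://deploy-user:app-password@bitbucket.org/team/repo.git",
    },
    # GitHub URL without credentials, authenticated via OAuth instead.
    "github_oauth": {
        "Type": "GITHUB",
        "Location": "https://github.com/org/repo.git",
        "Auth": {"Type": "OAUTH"},
    },
}


def evaluate_all() -> dict:
    """Evaluate every sample source; returns {name: verdict}."""
    return {name: evaluate_source_repo_url(src) for name, src in SAMPLE_SOURCES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name}: {verdict}")
```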