Skip to content

feat(aws): add check to ensure Codebuild Github projects are only use allowed Github orgs #7595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

feat(aws): add check to ensure Codebuild Github projects are only use allowed Github orgs #7595

wants to merge 9 commits into from

Conversation

andoniaf
Copy link
Contributor

Description

As described in this article, attacker can use Codebuild and Github Actions to gain persistence when compromising an AWS account.

Checking if Codebuild projects are configured against a list of allowed Github organizations can help detect this kind of attacks.

Checklist

API

  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

andoniaf added 2 commits April 23, 2025 17:09
@andoniaf
feat(aws): add check to ensure Codebuild Github projects are only usi…
18d3bf9 
…ng allowed Github orgs

Can be used to attempt to detect long term persistence using Github Actions and Codebuild
as explained in this article:
https://medium.com/@adan.alvarez/gaining-long-term-aws-access-with-codebuild-and-github-873324638784
@andoniaf
refactor(codebuild): rename check
8b4457b
@andoniaf andoniaf requested review from a team as code owners April 23, 2025 16:27
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Apr 23, 2025
@andoniaf andoniaf changed the title Prwlr 6690 add check to prevent using codebuild and GitHub for persistence feat(aws): add check to ensure Codebuild Github projects are only using allowed Github orgs Apr 23, 2025
@andoniaf andoniaf changed the title feat(aws): add check to ensure Codebuild Github projects are only using allowed Github orgs feat(aws): add check to ensure Codebuild Github projects are only use allowed Github orgs Apr 23, 2025
@codecov Codecov
Copy link

codecov bot commented Apr 23, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 87.50000% with 7 lines in your changes missing coverage. Please review.

Project coverage is 88.26%. Comparing base (02ca820) to head (7a177f1).
Report is 2 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #7595      +/-   ##
==========================================
+ Coverage   82.95%   88.26%   +5.31%     
==========================================
  Files         350      895     +545     
  Lines       12581    27330   +14749     
==========================================
+ Hits        10436    24124   +13688     
- Misses       2145     3206    +1061
Flag Coverage Δ
prowler 88.26% <87.50%> (+5.31%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 88.26% <87.50%> (+5.31%) ⬆️
api ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions GitHub Actions
Copy link
Contributor

You can check the documentation for this PR here -> Prowler Documentation

MrCloudSec
MrCloudSec requested changes May 12, 2025
View reviewed changes
Copy link
Member

@MrCloudSec MrCloudSec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great idea!! Thanks for adding this, however, please pay attention to all the use cases of the policies, you can check them in https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/services/iam/lib/policy.py. Also, check the actions of the statement, thanks!

@github-actions GitHub Actions
Copy link
Contributor

You can check the documentation for this PR here -> Prowler Documentation

@andoniaf andoniaf requested a review from MrCloudSec May 20, 2025 08:20
@github-actions GitHub Actions
Copy link
Contributor

You can check the documentation for this PR here -> Prowler Documentation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MrCloudSec MrCloudSec Awaiting requested review from MrCloudSec

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
documentation provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andoniaf @MrCloudSec