terraform.aws.security.aws-codebuild-artifacts-unencrypted.aws-codebuild-artifacts-unencrypted
The CodeBuild project artifacts are unencrypted. All artifacts produced by your CodeBuild project pipeline should be encrypted to prevent them from being read if compromised.
Definition
rules:
  - id: aws-codebuild-artifacts-unencrypted
    patterns:
      # Scope: only the body of an aws_codebuild_project resource, whatever its label.
      - pattern-inside: |
          resource "aws_codebuild_project" "$ANYTHING" {
            ...
          }
      # Target: a nested block that names an output type and sets
      # encryption_disabled to the literal true. A value taken from a variable
      # or expression is not matched by this pattern.
      - pattern: |
          $ARTIFACTS {
            ...
            type = "$TYPE"
            encryption_disabled = true
            ...
          }
      # Only the primary and secondary artifact blocks are considered.
      - metavariable-regex:
          metavariable: $ARTIFACTS
          regex: ^(artifacts|secondary_artifacts)$
      # Only the artifact types that write output; NO_ARTIFACTS is not matched
      # (see pass_1 in the example file).
      - metavariable-regex:
          metavariable: $TYPE
          regex: ^(CODEPIPELINE|S3)$
    # NOTE(review): fail_1 in the example file lists encryption_disabled before
    # type, the reverse of the pattern order above, and is still expected to
    # fire, so the fixture appears to rely on order-insensitive attribute
    # matching inside HCL blocks -- confirm.
    message: The CodeBuild project artifacts are unencrypted. All artifacts produced
      by your CodeBuild project pipeline should be encrypted to prevent them
      from being read if compromised.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_disabled
        - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-artifacts.html
        - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
      subcategory:
        - audit
      # Risk ratings as published with the rule.
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-codebuild-artifacts-unencrypted.tf
# Negative case: the primary artifacts block opts out of encryption for a
# CODEPIPELINE output, so the rule must report it. encryption_disabled is
# written before type here, the reverse of the rule's pattern order.
resource "aws_codebuild_project" "fail_1" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ruleid: aws-codebuild-artifacts-unencrypted
  artifacts {
    encryption_disabled = true
    type                = "CODEPIPELINE"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Negative case: same as fail_1 but the output type is S3; the rule must
# report the explicit encryption opt-out.
resource "aws_codebuild_project" "fail_2" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ruleid: aws-codebuild-artifacts-unencrypted
  artifacts {
    encryption_disabled = true
    type                = "S3"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Negative case: identical in shape to fail_1 (CODEPIPELINE output with
# encryption explicitly disabled); expected to be reported.
resource "aws_codebuild_project" "fail_3" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ruleid: aws-codebuild-artifacts-unencrypted
  artifacts {
    encryption_disabled = true
    type                = "CODEPIPELINE"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Negative case: identical in shape to fail_2 (S3 output with encryption
# explicitly disabled); expected to be reported.
resource "aws_codebuild_project" "fail_4" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ruleid: aws-codebuild-artifacts-unencrypted
  artifacts {
    encryption_disabled = true
    type                = "S3"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Negative case: the primary artifacts block and both secondary_artifacts
# blocks disable encryption, so three separate findings are expected -- one
# per block, for both the S3 and CODEPIPELINE output types.
resource "aws_codebuild_project" "fail_5" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ruleid: aws-codebuild-artifacts-unencrypted
  artifacts {
    encryption_disabled = true
    type                = "S3"
  }
  # ruleid: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-1"
    type                = "CODEPIPELINE"
    encryption_disabled = true
  }
  # ruleid: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-2"
    type                = "S3"
    encryption_disabled = true
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Mixed case: each artifact block is judged on its own. The blocks with
# encryption_disabled = false must stay silent, while the two secondary
# blocks that set it to true must each be reported, independent of their
# neighbours in the same resource.
resource "aws_codebuild_project" "pass_fail" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ok: aws-codebuild-artifacts-unencrypted
  artifacts {
    type                = "S3"
    encryption_disabled = false
  }
  # ok: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-1"
    type                = "CODEPIPELINE"
    encryption_disabled = false
  }
  # ruleid: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-1"
    type                = "CODEPIPELINE"
    encryption_disabled = true
  }
  # ok: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-3"
    type                = "S3"
    encryption_disabled = false
  }
  # ruleid: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-4"
    type                = "S3"
    encryption_disabled = true
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Positive case: NO_ARTIFACTS is outside the rule's type regex
# (^(CODEPIPELINE|S3)$), so nothing is reported even though the block says
# nothing about encryption.
resource "aws_codebuild_project" "pass_1" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ok: aws-codebuild-artifacts-unencrypted
  artifacts {
    type = "NO_ARTIFACTS"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Positive case: CODEPIPELINE output with encryption_disabled omitted. The
# rule only matches an explicit `encryption_disabled = true`, so the provider
# default applies here and nothing is reported.
resource "aws_codebuild_project" "pass_2" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ok: aws-codebuild-artifacts-unencrypted
  artifacts {
    type = "CODEPIPELINE"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Positive case: S3 output with encryption_disabled omitted; as in pass_2 the
# rule needs an explicit `= true` to fire, so this is not reported.
resource "aws_codebuild_project" "pass_3" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ok: aws-codebuild-artifacts-unencrypted
  artifacts {
    type = "S3"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Positive case: CODEPIPELINE output with encryption explicitly left on
# (encryption_disabled = false); must not be reported.
resource "aws_codebuild_project" "pass_4" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ok: aws-codebuild-artifacts-unencrypted
  artifacts {
    type                = "CODEPIPELINE"
    encryption_disabled = false
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Positive case: S3 output with encryption_disabled = false, written before
# type (mirrors the attribute order of fail_2); must not be reported.
resource "aws_codebuild_project" "pass_5" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ok: aws-codebuild-artifacts-unencrypted
  artifacts {
    encryption_disabled = false
    type                = "S3"
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}
# Positive case: primary and secondary artifact blocks that either omit
# encryption_disabled or set it to false, across both S3 and CODEPIPELINE
# types. None of the five blocks contains the literal `= true`, so no
# finding is expected anywhere in this resource.
resource "aws_codebuild_project" "pass_6" {
  name         = "test-project"
  service_role = aws_iam_role.example.arn
  # ok: aws-codebuild-artifacts-unencrypted
  artifacts {
    type = "S3"
  }
  # ok: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-1"
    type                = "CODEPIPELINE"
  }
  # ok: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-2"
    type                = "CODEPIPELINE"
    encryption_disabled = false
  }
  # ok: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-3"
    type                = "S3"
  }
  # ok: aws-codebuild-artifacts-unencrypted
  secondary_artifacts {
    artifact_identifier = "example-artifact-4"
    type                = "S3"
    encryption_disabled = false
  }
  # Build environment and source are the same boilerplate in every example.
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:1.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
    git_submodules_config {
      fetch_submodules = true
    }
  }
}