Table: aws_codebuild_projects

This table shows data for AWS CodeBuild Projects.

https://docs.aws.amazon.com/codebuild/latest/APIReference/API_Project.html

The primary key for this table is arn.

Relations

The following tables depend on aws_codebuild_projects:

Columns

| Name | Type |
| --- | --- |
| _cq_id | uuid |
| _cq_parent_id | uuid |
| account_id | utf8 |
| region | utf8 |
| arn (PK) | utf8 |
| tags | json |
| artifacts | json |
| badge | json |
| build_batch_config | json |
| cache | json |
| concurrent_build_limit | int64 |
| created | timestamp[us, tz=UTC] |
| description | utf8 |
| encryption_key | utf8 |
| environment | json |
| file_system_locations | json |
| last_modified | timestamp[us, tz=UTC] |
| logs_config | json |
| name | utf8 |
| project_visibility | utf8 |
| public_project_alias | utf8 |
| queued_timeout_in_minutes | int64 |
| resource_access_role | utf8 |
| secondary_artifacts | json |
| secondary_source_versions | json |
| secondary_sources | json |
| service_role | utf8 |
| source | json |
| source_version | utf8 |
| timeout_in_minutes | int64 |
| vpc_config | json |
| webhook | json |

Example Queries

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

CodeBuild project environment variables should not contain clear text credentials

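-- The join expands each project into one row per environment variable and
-- DISTINCT then collapses identical rows, so a project that has both a flagged
-- PLAINTEXT variable and other variables is reported as 'fail' and as 'pass'.
-- A project whose EnvironmentVariables list is empty contributes no rows.
SELECT
  DISTINCT
  'CodeBuild project environment variables should not contain clear text credentials'
    AS title,
  account_id,
  arn AS resource_id,
  CASE
    -- Only the variable name is inspected, never its value.
    WHEN e->>'Type' = 'PLAINTEXT'
      AND (
        upper(e->>'Name') LIKE '%ACCESS_KEY%'
        OR upper(e->>'Name') LIKE '%SECRET%'
        OR upper(e->>'Name') LIKE '%PASSWORD%'
      )
    THEN 'fail'
    ELSE 'pass'
  END
    AS status
FROM
  aws_codebuild_projects,
  jsonb_array_elements(environment->'EnvironmentVariables') AS e;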

CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

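-- If source->'Auth' is absent, the != comparison evaluates to NULL rather than
-- true, so the project falls through to the ELSE branch and is reported as 'pass'.
SELECT
  'CodeBuild GitHub or Bitbucket source repository URLs should use OAuth'
    AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN source->>'Type' IN ('GITHUB', 'BITBUCKET')
      AND source->'Auth'->>'Type' != 'OAUTH'
    THEN 'fail'
    ELSE 'pass'
  END
    AS status
FROM
  aws_codebuild_projects;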