CodeBuild project has no sensitive credentials in plaintext environment variables

codebuild_project_no_secrets_in_variables

Severity: critical
Service: codebuild
by Prowler

AWS CodeBuild projects are inspected for environment variables of type PLAINTEXT whose name or value resembles a secret (API keys, access keys, tokens, passwords).

Such values indicate that sensitive data is stored directly in the project definition instead of being resolved at build time from a secrets store.

Risk

Plaintext secrets in environment variables reduce confidentiality: values can be viewed in consoles/CLI and may leak into build logs or public outputs. Compromised credentials enable unauthorized AWS actions, artifact tampering, and lateral movement, causing data exfiltration and CI/CD supply-chain compromise.

Run this check with Prowler CLI

prowler aws --checks codebuild_project_no_secrets_in_variables

Recommendation

Store secrets outside the build and reference them via AWS Secrets Manager or AWS Systems Manager Parameter Store instead of PLAINTEXT variables.

  • Enforce least privilege on the build role
  • Rotate secrets; prefer short-lived credentials
  • Avoid logging or exporting secret values and never embed them in artifacts

Remediation

Other (AWS Console)
  1. In AWS Console, go to CodeBuild > Build projects and open your project
  2. Click Edit in the Environment section
  3. Under Environment variables, for each sensitive variable with Type = Plaintext, change Type to Secrets Manager (or Parameter Store)
  4. Select the secret (or parameter) that holds the value, then Save
  5. If the secret or parameter does not exist yet, create it in Secrets Manager or Systems Manager Parameter Store first, then repeat steps 3-4
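The following is an added example, not Prowler's check implementation, showing both halves of this page in code: the detection logic the check description above implies (flag PLAINTEXT variables whose name or value looks like a credential) and the remediation the console steps describe (re-point each flagged variable at Secrets Manager). The input dictionary mirrors the shape boto3's `codebuild.batch_get_projects` returns for one project; the sample project, the name and value heuristics, and the `prod/ci` secret-name prefix are all constructed for this example.

```python
"""Find plaintext secret-like CodeBuild environment variables and build
the remediated environment block.  Added example; not Prowler code.

`project` follows the boto3 batch_get_projects shape: the variables live in
project["environment"]["environmentVariables"] as {"name", "value", "type"}
dicts, where type is PLAINTEXT (the default), PARAMETER_STORE or
SECRETS_MANAGER.
"""
import re

# Heuristics (assumption for this example): variable names that usually hold
# credentials, and value formats of well-known credential types.
SECRET_NAME_RE = re.compile(
    r"(secret|token|password|passwd|api[_-]?key|access[_-]?key|private[_-]?key)",
    re.IGNORECASE,
)
SECRET_VALUE_PATTERNS = [
    re.compile(r"^AKIA[0-9A-Z]{16}$"),              # AWS access key id
    re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$"),     # GitHub token
    re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
]

# Constructed sample project: two plaintext secrets, one benign plaintext
# value, and one variable already sourced from Secrets Manager.
SAMPLE_PROJECT = {
    "name": "example-build",
    "environment": {
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:7.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {"name": "APP_ENV", "value": "staging", "type": "PLAINTEXT"},
            {"name": "DB_PASSWORD", "value": "correct-horse-battery", "type": "PLAINTEXT"},
            {"name": "UPLOADER", "value": "AKIAEXAMPLEEXAMPLE01", "type": "PLAINTEXT"},
            {"name": "GITHUB_TOKEN", "value": "prod/ci/github-token", "type": "SECRETS_MANAGER"},
        ],
    },
}


def find_plaintext_secrets(project: dict) -> list:
    """Return the PLAINTEXT variables of `project` that resemble secrets."""
    variables = project.get("environment", {}).get("environmentVariables", [])
    findings = []
    for var in variables:
        # Variables already resolved from Secrets Manager / Parameter Store
        # are what the recommendation asks for, so they are never flagged.
        if var.get("type", "PLAINTEXT") != "PLAINTEXT":
            continue
        name, value = var.get("name", ""), var.get("value", "")
        if SECRET_NAME_RE.search(name) or any(p.search(value) for p in SECRET_VALUE_PATTERNS):
            findings.append(var)
    return findings


def remediate_environment(project: dict, secret_prefix: str) -> list:
    """Return a new environmentVariables list with every flagged variable
    switched to type SECRETS_MANAGER.  The value becomes the secret name
    CodeBuild will read (<secret_prefix>/<VAR_NAME>); the secret itself must
    already exist in Secrets Manager, as in step 5 of the console steps.
    The result is suitable for codebuild.update_project(environment=...)."""
    flagged = {v["name"] for v in find_plaintext_secrets(project)}
    remediated = []
    for var in project["environment"]["environmentVariables"]:
        if var["name"] in flagged:
            remediated.append({
                "name": var["name"],
                "type": "SECRETS_MANAGER",
                "value": f"{secret_prefix}/{var['name']}",
            })
        else:
            remediated.append(dict(var))
    return remediated


def scan_account(region_name: str) -> dict:
    """Run the detection against every CodeBuild project in one region.
    Needs boto3 and AWS credentials, so it is imported lazily and is not
    exercised by the offline sample below.  Returns {project_name: [vars]}."""
    import boto3  # imported here so the rest of the module runs without it

    client = boto3.client("codebuild", region_name=region_name)
    names = []
    for page in client.get_paginator("list_projects").paginate():
        names.extend(page.get("projects", []))
    report = {}
    for i in range(0, len(names), 100):  # batch_get_projects accepts up to 100 names
        for project in client.batch_get_projects(names=names[i:i + 100])["projects"]:
            hits = find_plaintext_secrets(project)
            if hits:
                report[project["name"]] = [v["name"] for v in hits]
    return report


if __name__ == "__main__":
    for var in find_plaintext_secrets(SAMPLE_PROJECT):
        print(f"FAIL {SAMPLE_PROJECT['name']}: plaintext secret in {var['name']}")
    for var in remediate_environment(SAMPLE_PROJECT, "prod/ci"):
        print(f"{var['name']:14} {var['type']:16} {var['value']}")
```

Note that only the variable's type and reference change; the CodeBuild service role must also be allowed to read the new secret (`secretsmanager:GetSecretValue`, plus `kms:Decrypt` when the secret is encrypted with a customer managed key), which is where the least-privilege point from the recommendation applies.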

Resource Type

AwsCodeBuildProject