AWS CodeBuild projects are evaluated for use of a user-controlled buildspec, identified when the project's buildspec references a file in the source repository (for example *.yml or *.yaml). Projects whose build instructions are not file-based (inline build commands stored on the project) are treated as centrally managed.
Risk
Repository-controlled buildspecs let unreviewed changes run in CI, endangering integrity (tampered artifacts), confidentiality (secret leakage), and availability (resource abuse). Attackers can weaponize PRs to execute code and pivot via the build role.
Run this check with Prowler CLI
prowler aws --checks codebuild_project_user_controlled_buildspec
Recommendation
Adopt a centrally managed buildspec that contributors cannot modify.
- Enforce protected branches and required reviews for build instructions
- Apply least privilege to the build role and minimize secrets
- Separate duties for pipeline admins vs code authors
Use vetted, versioned templates for defense in depth.
Remediation
Other
- In the AWS Console, go to CodeBuild > Projects and open the target project
- Click Edit
- In Source, under Buildspec, select Insert build commands (not Use a buildspec file)
- Paste minimal inline YAML:
  version: 0.2
- Save
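The following is an added example (not Prowler's own check code) that applies the rule described above to constructed DescribeProjects-shaped records. It goes one step beyond the stated rule: an empty buildspec is also treated as repository-controlled, because CodeBuild then reads buildspec.yml from the root of the source.

```python
"""Flag CodeBuild projects whose buildspec is taken from a source file.

Added example, not Prowler's code. Input mirrors the shape of the
`projects[].source.buildspec` field returned by CodeBuild DescribeProjects;
the sample projects at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

YAML_SUFFIXES = (".yml", ".yaml")


@dataclass(frozen=True)
class Finding:
    project: str
    status: str  # "PASS" or "FAIL"
    reason: str


def buildspec_is_repo_file(buildspec: Optional[str]) -> bool:
    """True when the build instructions come from a file, not from the project.

    Empty value: CodeBuild reads buildspec.yml from the source root (assumption
    beyond the check text, but documented CodeBuild behaviour). A value that
    contains a newline is inline YAML stored on the project. Otherwise a path
    ending in .yml/.yaml is a file reference (an S3 ARN ending in .yml counts
    too; bucket policy, not the project, then decides who can change it).
    """
    if buildspec is None or not buildspec.strip():
        return True
    spec = buildspec.strip()
    if "\n" in spec:
        return False
    return spec.lower().endswith(YAML_SUFFIXES)


def evaluate(projects: List[dict]) -> List[Finding]:
    """Produce one PASS/FAIL finding per project, in input order."""
    findings = []
    for project in projects:
        spec = project.get("source", {}).get("buildspec")
        if buildspec_is_repo_file(spec):
            reason = f"buildspec taken from source file {spec or 'buildspec.yml'}"
            findings.append(Finding(project["name"], "FAIL", reason))
        else:
            findings.append(Finding(project["name"], "PASS", "inline buildspec defined on the project"))
    return findings


# Constructed sample records (not real projects), shaped like DescribeProjects output.
SAMPLE_PROJECTS = [
    {"name": "web-app", "source": {"type": "GITHUB", "buildspec": "ci/buildspec.yml"}},
    {"name": "api", "source": {"type": "CODECOMMIT", "buildspec": ""}},
    {"name": "infra", "source": {"type": "S3", "buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n      - make release\n"}},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_PROJECTS):
        print(f"{finding.status} {finding.project}: {finding.reason}")
```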
Resource Type
AwsCodeBuildProject