aws-codebuild-run-build

Prevent build spec override

Open jaidisido opened this issue 2 years ago • 1 comments

We are interested in leveraging this GitHub Action to trigger CB projects when a PR is created in our repo; however, we are not comfortable with the idea that the buildspec can be overridden. A malicious user could modify the spec to perform actions beyond those allowed. Is there a way to prevent this behaviour via an IAM condition or any other way?

jaidisido, Jul 14 '23 16:07

The apparent inability to securely trigger a build through StartBuild is a blocker for adoption for us as well. Combined with the lack of flexibility of the AWS Connector (GitHub App) to support multiple AWS accounts, this makes for a pretty poor look for CodeBuild's support for GitHub.

jcw-, Jan 29 '25 05:01
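Added example, not part of the issue thread and not code from the action's maintainers: a detective check that scans CloudTrail records for `StartBuild` calls that supplied an override. It goes slightly beyond the buildspec to cover the image, service-role and privileged-mode overrides as well. It assumes CloudTrail records the request under the StartBuild API's own parameter names; the sample records, account ID, role and project names are constructed.

```python
# StartBuild parameters that replace what the CodeBuild project defines.
# Assumption: CloudTrail's requestParameters uses the API's parameter names.
OVERRIDE_PARAMS = (
    "buildspecOverride",
    "imageOverride",
    "serviceRoleOverride",
    "privilegedModeOverride",
)

def find_override_builds(records):
    """Return one finding per StartBuild call that set an override parameter."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "codebuild.amazonaws.com":
            continue
        if rec.get("eventName") != "StartBuild":
            continue
        params = rec.get("requestParameters") or {}  # may be null in a record
        used = [p for p in OVERRIDE_PARAMS if params.get(p) not in (None, "")]
        if used:
            findings.append({
                "eventTime": rec.get("eventTime"),
                "principal": (rec.get("userIdentity") or {}).get("arn"),
                "project": params.get("projectName"),
                "overrides": used,
            })
    return findings

# Constructed sample records (not real CloudTrail output).
PR_ROLE = "arn:aws:sts::111122223333:assumed-role/example-pr-role/GitHubActions"
SAMPLE = [
    {"eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
     "eventTime": "2025-01-29T05:01:00Z", "userIdentity": {"arn": PR_ROLE},
     "requestParameters": {"projectName": "example-project",
                           "sourceVersion": "pr/42"}},
    {"eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
     "eventTime": "2025-01-29T05:07:00Z", "userIdentity": {"arn": PR_ROLE},
     "requestParameters": {"projectName": "example-project",
                           "buildspecOverride": "version: 0.2\nphases: {}"}},
    {"eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
     "eventTime": "2025-01-29T05:09:00Z", "userIdentity": {"arn": PR_ROLE},
     "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"buildspecOverride": "ignored: other service"}},
]

if __name__ == "__main__":
    for finding in find_override_builds(SAMPLE):
        print(finding)
```

A check like this only reports overrides after the fact; it does not answer the prevention question raised in the issue.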