GitHub Repository Set To Public

  • Query id: 5906092d-5f74-490d-9a03-78febe0f65e1
  • Query name: GitHub Repository Set To Public
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

Repositories must be set to private, which means the attribute 'IsPrivate' of the AWS::CodeStar::GitHubRepository resource must be set to true. The rule flags a resource whose 'IsPrivate' is false or omitted: the property is optional, and leaving it out creates a public repository (see the positive samples below, two of which simply lack the attribute). A public repository exposes the source uploaded from the S3 object in 'Code' to anyone on GitHub, so the safe default in a template is an explicit 'IsPrivate: true'.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepo3:
    Type: AWS::CodeStar::GitHubRepository
    Properties:
      Code:
        S3:
          Bucket: "my-bucket"
          Key: "sourcecode.zip"
          ObjectVersion: "1"
      EnableIssues: true
      IsPrivate: false
      RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
      RepositoryDescription: a description
      RepositoryName: my-github-repo
      RepositoryOwner: my-github-account
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepo4:
    Type: AWS::CodeStar::GitHubRepository
    Properties:
      Code:
        S3:
          Bucket: "my-bucket"
          Key: "sourcecode.zip"
          ObjectVersion: "1"
      EnableIssues: true
      RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
      RepositoryDescription: a description
      RepositoryName: my-github-repo
      RepositoryOwner: my-github-account
Positive test num. 3 - json file
{
  "Resources": {
    "MyRepo5": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {
        "Code": {
          "S3": {
            "Bucket": "my-bucket",
            "Key": "sourcecode.zip",
            "ObjectVersion": "1"
          }
        },
        "EnableIssues": true,
        "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
        "RepositoryDescription": "a description",
        "RepositoryName": "my-github-repo",
        "RepositoryOwner": "my-github-account"
      }
    }
  }
}

Positive test num. 4 - json file
{
  "Resources": {
    "MyRepo6": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {
        "Code": {
          "S3": {
            "Bucket": "my-bucket",
            "Key": "sourcecode.zip",
            "ObjectVersion": "1"
          }
        },
        "EnableIssues": true,
        "IsPrivate": false,
        "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
        "RepositoryDescription": "a description",
        "RepositoryName": "my-github-repo",
        "RepositoryOwner": "my-github-account"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepo1:
    Type: AWS::CodeStar::GitHubRepository
    Properties:
      Code:
        S3:
          Bucket: "my-bucket"
          Key: "sourcecode.zip"
          ObjectVersion: "1"
      EnableIssues: true
      IsPrivate: true
      RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
      RepositoryDescription: a description
      RepositoryName: my-github-repo
      RepositoryOwner: my-github-account
Negative test num. 2 - json file
{
  "Resources": {
    "MyRepo2": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {
        "Code": {
          "S3": {
            "Bucket": "my-bucket",
            "Key": "sourcecode.zip",
            "ObjectVersion": "1"
          }
        },
        "EnableIssues": true,
        "IsPrivate": true,
        "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
        "RepositoryDescription": "a description",
        "RepositoryName": "my-github-repo",
        "RepositoryOwner": "my-github-account"
      }
    }
  }
}
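The check the samples above illustrate, as an added Python example that is not part of the KICS query (KICS rules are written in Rego) and not AWS or Checkmarx code: it walks a CloudFormation template, finds every AWS::CodeStar::GitHubRepository resource and reports those whose IsPrivate is false or omitted. The sample template embedded in the block is constructed for this example and trims required properties that do not affect the check (Code, RepositoryAccessToken); the PyYAML fallback for YAML input is an assumption, the JSON path needs only the standard library.

```python
"""Added example: flag AWS::CodeStar::GitHubRepository resources that would be
created as public GitHub repositories (IsPrivate false or omitted). This is a
stand-alone re-implementation of the check, not the KICS query itself."""
import json

REPO_TYPE = "AWS::CodeStar::GitHubRepository"

# Constructed sample template (not from the page): one explicit public repo,
# one with IsPrivate omitted, one private, one private via the string "true",
# plus an unrelated resource that must be ignored.
SAMPLE_TEMPLATE_JSON = """{
  "Resources": {
    "PublicRepo": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {"IsPrivate": false, "RepositoryName": "my-github-repo",
                     "RepositoryOwner": "my-github-account"}
    },
    "DefaultRepo": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {"RepositoryName": "my-github-repo",
                     "RepositoryOwner": "my-github-account"}
    },
    "PrivateRepo": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {"IsPrivate": true, "RepositoryName": "my-github-repo",
                     "RepositoryOwner": "my-github-account"}
    },
    "StringPrivateRepo": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {"IsPrivate": "true", "RepositoryName": "my-github-repo",
                     "RepositoryOwner": "my-github-account"}
    },
    "Artifacts": {"Type": "AWS::S3::Bucket"}
  }
}"""


def is_private(value):
    """Interpret the IsPrivate property. CloudFormation accepts JSON booleans
    and the strings "true"/"false"; anything else (for example an unresolved
    {"Ref": ...}) cannot be proven private here and is reported for review."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def find_public_repos(template):
    """Return (logical_id, reason) for every GitHub repository resource that is
    public, has IsPrivate omitted, or whose value cannot be established."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != REPO_TYPE:
            continue
        props = resource.get("Properties") or {}
        if "IsPrivate" not in props:
            findings.append((logical_id, "IsPrivate omitted: repository is created public"))
        elif not is_private(props["IsPrivate"]):
            findings.append((logical_id, f"IsPrivate is {props['IsPrivate']!r}"))
    return findings


def load_template(text):
    """Parse a JSON template with the standard library; fall back to PyYAML
    (assumed installed) for YAML templates like the yaml samples on this page."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        import yaml  # assumption: PyYAML is available for YAML input
        return yaml.safe_load(text)


def scan(text):
    """Convenience wrapper: template text in, list of findings out."""
    return find_public_repos(load_template(text))


if __name__ == "__main__":
    for logical_id, reason in scan(SAMPLE_TEMPLATE_JSON):
        print(f"{logical_id}: {reason}")
```

Run against the constructed template it reports PublicRepo and DefaultRepo and stays silent on the two private variants and the S3 bucket. The YAML fallback uses yaml.safe_load, which rejects CloudFormation short-form tags such as !Ref; the samples on this page use none, but a template that does needs a loader with those tags registered.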