Remediation

Using Console

  1. Go to the AWS CodeBuild console.
  2. Navigate to “Build projects”.
  3. Select the CodeBuild project where credentials are stored in plaintext.
  4. Click on “Edit”.
  5. Navigate to the “Environment” section.
  6. Find the environment variable containing the plaintext credential.
  7. Change the variable type from “Plaintext” to “Parameter Store” or “Secrets Manager”, depending on your preference.
  8. Click “Save”.

Using CLI

aws codebuild update-project --name <project-name> --environment-variables-override name=<variable-name>,type=PARAMETER_STORE
Replace <project-name> with the name of your CodeBuild project and <variable-name> with the name of the environment variable containing the plaintext credential.

Using Python

You can use Boto3 to achieve this programmatically: 
import boto3

def update_codebuild_project(project_name, variable_name):
    client = boto3.client('codebuild')
    response = client.update_project(
        name=project_name,
        environment={
            'environmentVariablesOverride': [
                {
                    'name': variable_name,
                    'type': 'PARAMETER_STORE'
                }
            ]
        }
    )
    print(f"Updated CodeBuild project {project_name} to use Parameter Store for credential {variable_name}")

def main():
    project_name = 'your-project-name'
    variable_name = 'your-variable-name'

    update_codebuild_project(project_name, variable_name)

if __name__ == "__main__":
    main()
Replace 'your-project-name' with the name of your CodeBuild project and 'your-variable-name' with the name of the environment variable containing the plaintext credential. This script will update the specified CodeBuild project to use Parameter Store for the specified environment variable containing the plaintext credential.