AWS/Wiz — CodeBreach: unanchored ACTOR_ID filters in CodeBuild webhooks
• Category: Security
- AWS published an advisory about a configuration issue in several AWS-managed OSS repos using CodeBuild webhooks with insufficient regex filters for actor IDs.
- The core bug pattern: using regex allowlists without start/end anchors (
^/$) can turn “exact match” into “substring match.” - Wiz describes how sequential GitHub numeric IDs create windows where newly created IDs can contain older, shorter “trusted” IDs as substrings (“eclipses”).
- Once an attacker can trigger privileged CI from an untrusted PR, the biggest risk is credential exposure inside the build environment (tokens in memory / cache).
- AWS says this was project-specific misconfiguration (not a CodeBuild service vulnerability) and that no inappropriate code was introduced.
- Defense-in-depth is shifting toward explicit build gates for untrusted PRs (e.g., “comment approval” / human approval) rather than regex cleverness.
- Broader trend: CI/CD misconfigurations are becoming “single-line” supply chain primitives with outsized blast radius.
Why it matters
CI is a security boundary. If an untrusted contributor can run code in a build that has write-capable GitHub credentials, you’re one logging bug or one memory scrape away from repo takeover. This isn’t hypothetical: the most damaging supply chain incidents often begin as “small” pipeline assumptions that quietly stopped being true.
What to do
- Audit webhook filters: if you use regex for identity allowlists, anchor it (
^…$) and keep it minimal. - Prefer explicit PR build policies (human approval gates) for any build that can access secrets or publish artifacts.
- Split pipelines: run untrusted PRs in a low-privilege build that has no secrets; only promote after review.
- Rotate and scope tokens: one PAT per project, least privilege, and assume build memory is readable if the build can be influenced.