For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-github-repository-set-to-public.md. A documentation index is available at /llms.txt.

GitHub repository set to public

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-github-repository-set-to-public

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Insecure Configurations

Learn More

Description

Public code repositories can expose source code, credentials, and intellectual property, increasing risk of data leakage and supply-chain compromise.

In CloudFormation, AWS::CodeStar::GitHubRepository resources must include the IsPrivate property and set it to true. Resources that omit IsPrivate or have IsPrivate set to a non-true value will be flagged.

Secure configuration example:

MyRepo:
  Type: AWS::CodeStar::GitHubRepository
  Properties:
    RepositoryName: my-repo
    IsPrivate: true

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepo1:
    Type: AWS::CodeStar::GitHubRepository
    Properties:
      Code:
        S3:
          Bucket: "my-bucket"
          Key: "sourcecode.zip"
          ObjectVersion: "1"
      EnableIssues: true
      IsPrivate: true
      RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
      RepositoryDescription: a description
      RepositoryName: my-github-repo
      RepositoryOwner: my-github-account

{
  "Resources": {
    "MyRepo2": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {
        "Code": {
          "S3": {
            "Bucket": "my-bucket",
            "Key": "sourcecode.zip",
            "ObjectVersion": "1"
          }
        },
        "EnableIssues": true,
        "IsPrivate": true,
        "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
        "RepositoryDescription": "a description",
        "RepositoryName": "my-github-repo",
        "RepositoryOwner": "my-github-account"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepo3:
    Type: AWS::CodeStar::GitHubRepository
    Properties:
      Code:
        S3:
          Bucket: "my-bucket"
          Key: "sourcecode.zip"
          ObjectVersion: "1"
      EnableIssues: true
      IsPrivate: false
      RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
      RepositoryDescription: a description
      RepositoryName: my-github-repo
      RepositoryOwner: my-github-account

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepo4:
    Type: AWS::CodeStar::GitHubRepository
    Properties:
      Code:
        S3:
          Bucket: "my-bucket"
          Key: "sourcecode.zip"
          ObjectVersion: "1"
      EnableIssues: true
      RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
      RepositoryDescription: a description
      RepositoryName: my-github-repo
      RepositoryOwner: my-github-account

{
  "Resources": {
    "MyRepo5": {
      "Type": "AWS::CodeStar::GitHubRepository",
      "Properties": {
        "Code": {
          "S3": {
            "Bucket": "my-bucket",
            "Key": "sourcecode.zip",
            "ObjectVersion": "1"
          }
        },
        "EnableIssues": true,
        "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
        "RepositoryDescription": "a description",
        "RepositoryName": "my-github-repo",
        "RepositoryOwner": "my-github-account"
      }
    }
  }
}