AWS CodeBuild

Security scanning in AWS CodeBuild projects.

Warning Current as of writing (Vulnetix CLI v3.55.2). If a snippet no longer works, open an issue with the CLI version you are on.

Before You Start

Credentials come from AWS Secrets Manager or SSM Parameter Store, referenced from the env.secrets-manager / env.parameter-store block.

VariableValue
VULNETIX_ORG_IDOrganization UUID
VULNETIX_API_KEYApiKey hex digest

Environment variables authenticate on their own. Do not run vulnetix auth login on an ephemeral runner — see Authentication in CI/CD.

Quick Start

buildspec.yml:

version: 0.2
env:
  secrets-manager:
    VULNETIX_ORG_ID: vulnetix:org-id
phases:
  install:
    runtime-versions:
      golang: 1.21
    commands:
      - go install github.com/vulnetix/cli/v3@latest
  build:
    commands:
      - vulnetix auth verify
      - vulnetix scan --severity high

vulnetix auth verify on the first line fails the build immediately when the credential is missing or revoked, rather than halfway through a scan.

Note CodeBuild echoes each command by default. Never place a credential in the command line; use the environment.

Running Individual Scans

Each subcommand runs standalone and uploads its own findings. Swap vulnetix scan for any of them:

vulnetix sca --severity high -o dist/sbom.cdx.json     # dependencies
vulnetix sast --severity high -o dist/sast.sarif       # source code
vulnetix secrets -o dist/secrets.sarif                 # hardcoded credentials
vulnetix license --allow MIT,Apache-2.0                # SPDX policy
vulnetix cbom --output-file dist/cbom.cdx.json         # cryptography, PQC posture
vulnetix aibom --output-file dist/aibom.cdx.json       # AI agents, SDKs, models

Note the flag split: the scan family takes -o <path>, while cbom, aibom, and malscan take --output-file. license takes neither. The full table is in the Subcommand Reference.

Keeping the Report

The artifacts: block, uploaded to S3.

The SARIF-producing scans write their file only when there are findings, so a clean run leaves nothing behind. Tolerate the missing path rather than failing on it.

Quality Gates

Gates are opt-in; without a gate flag the command reports and exits 0.

vulnetix scan --severity high --block-malware --block-eol --exploits active

To surface a breach without blocking the merge: Add - vulnetix scan ... || true, or set on-failure: CONTINUE on the phase.

Full gate list in the Subcommand Reference.

Uploading Third-Party Artifacts

The scans upload themselves. upload is for reports produced by other tools:

vulnetix upload --file reports/semgrep.sarif --format sarif

Accepted formats: cyclonedx, spdx, sarif, openvex, csaf_vex.

See Also