AWS CodeCommit

Integrate AWS CodeCommit, Amazon Web Services' fully managed Git-based source control service, into OX Security. This connector enables scanning and monitoring of CodeCommit repositories to uncover vulnerabilities, secrets, misconfigurations, and open-source compliance issues across your codebase.

Why Connect CodeCommit to OX Security

Connecting OX to AWS CodeCommit gives you:

  • Continuous visibility into code changes across repositories hosted in AWS.

  • Seamless integration with the AWS identity and access ecosystem (IAM, federated roles, IAM Identity Center).

  • Ability to map findings back to commits and pull requests for actionable remediation.

  • Secure, private Git hosting fully managed by AWS under the shared-responsibility model.

Connection Methods and Security Considerations

IAM Role / User (Recommended)

Security Considerations:

  • Uses AWS IAM roles or users with least-privilege policies.

  • Supports federated access (via IAM Identity Center or external IdP) with temporary credentials.

  • Avoids long-lived credentials and raw AWS keys whenever possible.

Setup Steps:

  1. Open the AWS CodeCommit connector in the OX UI.

  2. Select role-based authentication and provide either:

    • an IAM Role ARN that OX can assume, or

    • an IAM user access key ID and secret access key.

  3. Ensure the credentials carry the CodeCommit permissions OX needs, such as listing and getting repositories and Git pull (clone) access.

  4. Allow network access from OX (or OX Broker) to AWS endpoints.
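The permissions in step 3 above, worked through as an added example that is not OX Security's own code or policy text: a Python script that emits a least-privilege identity policy for the role OX assumes, a trust policy pinned with an sts:ExternalId condition, and a small check that flags any action beyond read-only CodeCommit access. The account IDs, region and external ID are placeholders; the action list is this example's choice, modelled on the AWSCodeCommitReadOnly managed policy; and the external-ID condition is a hardening the example adds, since the page does not state that OX requires one.

```python
"""Least-privilege IAM policies for a CodeCommit scanner connection.

Added example for this page; it is not OX Security's own code or policy text.
Assumptions (all marked in comments): the scanner's AWS account ID and the
external ID are placeholders, and the set of read-only actions below is the
one this example considers sufficient for discovering and cloning repositories.
"""
import json

# Read-only verbs: actions starting with these never change repository state.
# (Assumption of this example, modelled on what the AWSCodeCommitReadOnly
# managed policy grants; GitPull is the clone/fetch permission.)
READ_PREFIXES = (
    "codecommit:Get",
    "codecommit:BatchGet",
    "codecommit:List",
    "codecommit:Describe",
    "codecommit:GitPull",
)

# The concrete read-only actions the permissions policy grants.
SCANNER_ACTIONS = [
    "codecommit:GetRepository",
    "codecommit:ListBranches",
    "codecommit:GetBranch",
    "codecommit:GetCommit",
    "codecommit:ListPullRequests",
    "codecommit:GetPullRequest",
    "codecommit:GitPull",
]


def scanner_permissions_policy(region: str, account_id: str) -> dict:
    """Identity policy for the role the scanner assumes, scoped to one account/region.

    ListRepositories does not support resource-level permissions, so it gets
    its own statement on "*"; everything else is pinned to repository ARNs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DiscoverRepositories",
                "Effect": "Allow",
                "Action": "codecommit:ListRepositories",
                "Resource": "*",
            },
            {
                "Sid": "ReadAndCloneRepositories",
                "Effect": "Allow",
                "Action": SCANNER_ACTIONS,
                "Resource": f"arn:aws:codecommit:{region}:{account_id}:*",
            },
        ],
    }


def scanner_trust_policy(scanner_account_id: str, external_id: str) -> dict:
    """Trust policy so the scanner's AWS principal can assume the role.

    The sts:ExternalId condition stops a third party who knows the role ARN
    from having the scanner assume it on their behalf (confused deputy).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def overprivileged_actions(policy: dict) -> list:
    """Return Allow actions that exceed read-only CodeCommit access.

    Anything that is not a known read verb is reported: wildcards ("*",
    "codecommit:*"), state-changing verbs such as GitPush, and actions on
    other services. Use it to review an existing policy before attaching it.
    """
    flagged = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not action.startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    # Placeholders: the repository account/region, the scanner's account ID,
    # and an external ID agreed with the scanner.
    permissions = scanner_permissions_policy("us-east-1", "111122223333")
    trust = scanner_trust_policy("999999999999", "REPLACE-WITH-EXTERNAL-ID")
    print(json.dumps(permissions, indent=2))
    print(json.dumps(trust, indent=2))
    print("over-privileged:", overprivileged_actions(permissions))
```

Run the check against any policy you already attach to the connector's role or user: an empty result means nothing beyond read and clone access is granted, which is the posture the setup steps and the best-practice bullets describe.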

Personal Credentials / Git HTTPS (Optional)

Security Considerations:

  • Uses IAM-generated HTTPS Git credentials or the AWS CLI credential helper.

  • Risk arises if credentials are not rotated or are broadly scoped.

  • Requires secure storage and scope restriction.

Setup Steps:

  1. Use IAM to generate HTTPS Git credentials, or configure the AWS CLI credential helper.

  2. Provide these credentials in the connector configuration.

  3. OX uses them for Git clone and pull operations to read repository contents.

Repository Discovery and Scanning Scope

After authentication:

  • OX auto-discovers all CodeCommit repositories across linked AWS account(s).

  • You may select which repositories to monitor and scan.

  • You can enable automatic inclusion of newly created repositories.

  • Use the connector gear icon to manage repository scope in the UI.

Best Practices:

  • Prefer IAM roles or federated access over static credentials for better credential hygiene.

  • Grant least-privilege permissions using managed policies such as AWSCodeCommitReadOnly or AWSCodeCommitPowerUser (PowerUser also grants write access to repositories, so prefer ReadOnly unless write access is actually needed).

  • Support cross-account access via IAM roles and trust policies where applicable.

  • For credential-based access, use the AWS CLI credential helper or git-remote-codecommit, which derive Git credentials from your AWS credentials at use time instead of storing a static password, to manage rotating credentials securely.

  • Regularly audit policies and rotation of IAM credentials.

  • Ensure OX’s IPs are allowed through AWS security configurations (e.g., VPC, firewall).
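The rotation points above (credentials that are not rotated, under Personal Credentials, and the audit bullet in this list), as an added example that is not OX Security's tooling: a Python audit over the two IAM API responses where a CodeCommit connection's static credentials live, ListAccessKeys for access keys and ListServiceSpecificCredentials for codecommit.amazonaws.com for HTTPS Git credentials. The 90-day threshold, the sample credential records and the user name are constructed for the example; fetch_from_aws() assumes boto3 and AWS credentials are available.

```python
"""Flag stale IAM credentials behind a CodeCommit connection.

Added example for this page, not OX Security's tooling. It works on the
response shapes of two IAM calls: ListAccessKeys (static access keys) and
ListServiceSpecificCredentials with ServiceName codecommit.amazonaws.com
(HTTPS Git credentials). The audit logic is pure so it runs offline on the
constructed sample below; fetch_from_aws() shows the real boto3 calls and
assumes boto3 plus AWS credentials are available.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # rotation threshold chosen for this example


def stale_credentials(access_keys, git_credentials, now, max_age_days=MAX_AGE_DAYS):
    """Return (kind, credential id, age in days) for active credentials past the threshold.

    access_keys: the AccessKeyMetadata list returned by iam.list_access_keys
    git_credentials: the ServiceSpecificCredentials list returned by
        iam.list_service_specific_credentials(ServiceName="codecommit.amazonaws.com")
    Inactive credentials cannot authenticate, so they are left to cleanup
    tooling rather than reported here.
    """
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in access_keys:
        if key["Status"] == "Active" and key["CreateDate"] < cutoff:
            findings.append(("access-key", key["AccessKeyId"], (now - key["CreateDate"]).days))
    for cred in git_credentials:
        if cred["Status"] == "Active" and cred["CreateDate"] < cutoff:
            findings.append(("git-https", cred["ServiceSpecificCredentialId"], (now - cred["CreateDate"]).days))
    return findings


def fetch_from_aws(user_name):
    """Pull both credential lists for one IAM user (requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the rest of the module runs offline

    iam = boto3.client("iam")
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    git = iam.list_service_specific_credentials(
        UserName=user_name, ServiceName="codecommit.amazonaws.com"
    )["ServiceSpecificCredentials"]
    return keys, git


# Constructed sample responses (not real credentials) mimicking the IAM shapes.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCESS_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
    {"AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]
SAMPLE_GIT_CREDENTIALS = [
    {"ServiceSpecificCredentialId": "ACCAEXAMPLE00000001", "ServiceUserName": "scanner-at-111122223333",
     "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
    {"ServiceSpecificCredentialId": "ACCAEXAMPLE00000002", "ServiceUserName": "scanner-at-111122223333",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
]


def audit_sample():
    """Run the audit over the constructed sample at the fixed sample time."""
    return stale_credentials(SAMPLE_ACCESS_KEYS, SAMPLE_GIT_CREDENTIALS, NOW)


if __name__ == "__main__":
    for kind, cred_id, age in audit_sample():
        print(f"{kind} {cred_id} is {age} days old; rotate (threshold {MAX_AGE_DAYS} days)")
```

On the sample, the 200-day-old active access key and the 120-day-old Git credential are reported, while the inactive key and the 10-day-old credential are not. Against a real account, replace the sample with the lists returned by fetch_from_aws() for the IAM user the connector uses, and schedule the run so that a credential that drifts past the threshold is caught before it becomes a long-lived secret.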

Summary Table

Method                       | Credential Risk | Least Privileged | Setup Complexity
-----------------------------|-----------------|------------------|------------------------
IAM Role/User (via IAM)      | Low             | Yes              | Recommended
HTTPS Git credentials (IAM)  | Medium to High  | Depends          | Manual credential setup

Security Posture Impact

By securely integrating AWS CodeCommit with OX:

  • You extend OX’s scanning capabilities into AWS-managed code repositories using AWS access controls.

  • OX ingests code, metadata, and commit history to perform SCA, SAST, secrets scanning, IaC analysis, and policy enforcement.

  • Configured properly, this setup maintains enterprise-level identity controls and minimizes credential exposure while enabling deep security visibility across your software supply chain.
