AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-08-10 · Security-related medium

File: cli/latest/reference/codebuild/update-webhook.md

Summary

Added pull-request-build-policy parameter with comment approval requirements

Security assessment

Mirrors the create-webhook security controls by adding approval requirements for pull request builds. This provides consistent security controls across webhook operations, mitigating risks of unauthorized build execution through updated configurations.

Diff

diff --git a/cli/latest/reference/codebuild/update-webhook.md b/cli/latest/reference/codebuild/update-webhook.md
index f05d07ee7..d16ccba2f 100644
--- a//cli/latest/reference/codebuild/update-webhook.md
+++ b//cli/latest/reference/codebuild/update-webhook.md
@@ -15 +15 @@
-  * [AWS CLI 2.28.4 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.6 Command Reference](../../index.html) »
@@ -76,0 +77 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/codebu
+    [--pull-request-build-policy <value>]
@@ -268,0 +270,35 @@ JSON Syntax:
+`--pull-request-build-policy` (structure)
+
+> A PullRequestBuildPolicy object that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.
+> 
+> requiresCommentApproval -> (string)
+>
+>> Specifies when comment-based approval is required before triggering a build on pull requests. This setting determines whether builds run automatically or require explicit approval through comments.
+>> 
+>>   * _DISABLED_ : Builds trigger automatically without requiring comment approval
+>>   * _ALL_PULL_REQUESTS_ : All pull requests require comment approval before builds execute (unless contributor is one of the approver roles)
+>>   * _FORK_PULL_REQUESTS_ : Only pull requests from forked repositories require comment approval (unless contributor is one of the approver roles)
+>> 
+
+> 
+> approverRoles -> (list)
+>
+>> List of repository roles that have approval privileges for pull request builds when comment approval is required. Only users with these roles can provide valid comment approvals. If a pull request contributor is one of these roles, their pull request builds will trigger automatically. This field is only applicable when `requiresCommentApproval` is not _DISABLED_ .
+>> 
+>> (string)
+
+Shorthand Syntax:
+    
+    
+    requiresCommentApproval=string,approverRoles=string,string
+    
+
+JSON Syntax:
+    
+    
+    {
+      "requiresCommentApproval": "DISABLED"|"ALL_PULL_REQUESTS"|"FORK_PULL_REQUESTS",
+      "approverRoles": ["GITHUB_READ"|"GITHUB_TRIAGE"|"GITHUB_WRITE"|"GITHUB_MAINTAIN"|"GITHUB_ADMIN"|"GITLAB_GUEST"|"GITLAB_PLANNER"|"GITLAB_REPORTER"|"GITLAB_DEVELOPER"|"GITLAB_MAINTAINER"|"GITLAB_OWNER"|"BITBUCKET_READ"|"BITBUCKET_WRITE"|"BITBUCKET_ADMIN", ...]
+    }
+    
+
@@ -637 +673 @@ webhook -> (structure)
-  * [AWS CLI 2.28.4 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.6 Command Reference](../../index.html) »