Part 2: AWS CodeBuild (Escalating Privileges via AWS CodeConnections)

In this post we show how to use a malicious Docker image to monitor network traffic within CodeBuild and find undocumented AWS API calls. From this traffic, we’ll find a CodeBuild API that returns the source code provider credentials in plaintext, including the raw CodeConnection credentials.