Codacy Project Token

ID

codacy_project_token

Severity

high

Vendor

Codacy

Family

API Token

Description

Codacy automates code reviews and monitors code quality on every commit and pull request on more than 40 programming languages reporting back the impact of every commit or pull request, issues concerning code style, best practices, security, and many others.

Security

Any hardcoded Codacy Project Token is a potential secret reported by this detector.

Accidentally checking-in the key to source control repositories could compromise your Codacy account.

Examples

CODACY_TOKEN=F8lQ8O9pALvS206XGpId

CODACY_PROJECT_TOKEN=F8lQ8O9pALvS206XGpIdab5e6fbaa462

Mitigation / Fix

  1. Remove the credentials from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). Go to API Documentation to know more about revoking your token.

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://docs.codacy.com/codacy-api/using-the-codacy-api/