Codecov Token in codecov Command

ID

codecov_key

Severity

high

Vendor

Codecov

Family

API Token

Description

Codecov provides metrics and insights into the results of tests through code coverage reports. Coverage reports are used to determine which lines of code were tested and which lines were not tested, which may contain bugs and syntax errors. These reports are uploaded to Codecov to be analyzed and stored historically.

Security

Any hardcoded Codecov Token is a potential secret reported by this detector.

Accidentally checking in the token to source control repositories could compromise your Codecov account.

Examples

codecov ... --token=c4pfygkmbquv48j228n62hrwnms7ve4u ...

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires you to regenerate the token: go to the Settings page, click Access in the left menu, and in the API Tokens section click the Revoke button at the right of the leaked token. Click on Generate Token to generate a new one, and take note of the value.

  2. Remove the leaked Codecov token from the source code or committed configuration file. Do not hard-code it again! Replace it with the new token using a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.

  3. (Optional) If the file is in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any hardcoded token leaked as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
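As an added illustration, not part of this detector's documentation or of Codecov's own tooling, the following Python scans a CI script for the pattern shown under Examples, reports each inline token in masked form so the report does not re-leak it, and rewrites such a line to read the token from an environment variable as step 2 recommends. The `CODECOV_TOKEN` variable name and the UUID token shape are assumptions not taken from this page.

```python
import re
from typing import NamedTuple

# Token shapes accepted. The 32-character lowercase alphanumeric form is the
# shape shown in this page's example; the UUID form is an assumption added
# here to cover Codecov repository upload tokens.
TOKEN = (r"(?:[a-z0-9]{32}"
         r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")

# A codecov invocation passing the token inline as --token=VALUE or --token VALUE.
# A reference such as --token="$CODECOV_TOKEN" does not match because "$" is
# outside the token character set, so the hardened form is never reported.
CODECOV_TOKEN_RE = re.compile(r"\bcodecov\b.*?--token[= ](?P<token>" + TOKEN + r")\b")

class Finding(NamedTuple):
    line_no: int
    masked_token: str

def mask(token: str) -> str:
    """Keep a 4-character prefix so the report itself does not re-leak the secret."""
    return token[:4] + "*" * (len(token) - 4)

def scan(text: str) -> list[Finding]:
    """Return one Finding per line that carries a hardcoded Codecov token."""
    return [
        Finding(n, mask(m.group("token")))
        for n, line in enumerate(text.splitlines(), start=1)
        if (m := CODECOV_TOKEN_RE.search(line))
    ]

def remediate(line: str) -> str:
    """Rewrite an inline token as a reference to CODECOV_TOKEN (assumed to be the
    variable the uploader reads); the CI secret store then supplies the value."""
    def swap(m: re.Match) -> str:
        head = m.group(0)[: m.start("token") - m.start()]  # everything before the token
        return head + '"$CODECOV_TOKEN"'
    return CODECOV_TOKEN_RE.sub(swap, line)

# Constructed sample CI script; both token values are made up.
SAMPLE = """\
pip install codecov
codecov --token=c4pfygkmbquv48j228n62hrwnms7ve4u --flags unit
codecov --token="$CODECOV_TOKEN" --flags integration
codecov --token 12345678-1234-1234-1234-123456789abc
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: hardcoded Codecov token {f.masked_token}")
    print(remediate("codecov --token=c4pfygkmbquv48j228n62hrwnms7ve4u --flags unit"))
```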