Codecov Security Breach 2021

What is Codecov?

Is a tool that generates a report about your source code test coverage metrics.

Codecov Security Breach:

Last week they had a security breach, a docker container security issue. The attacker gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify their Bash Uploader script. Their investigation shows that it started on January 31, 2021, and was disclosed on April 15, 2021. Codecov supports thousands of customers, many private companies, and U.S. government agencies.

What it means:

Developers security best practices rule number one is: don’t add API tokens into GitHub. Inject the API tokens during CI (Continuous Integration) process to secure the tokens. What if your CI gets breach? That’s what happened with the Codecov security breach, the CI processes of many companies were breached.

If you use Codecov for test code coverage metrics, there is a possibility that the attacker made a copy of your codebase “scary”. Developers trusted a third party company “Codecov” to get their test metrics and now thanks to Codecov an attacker could possibly compromised companies code bases.

Future of CodeCov company?:

  • Are they getting sued?
  • Are they going to disappear soon?

Future of CodeCov users?:

  • Are they creating an in-house solution?
  • Are they removing Codecov?
  • Or don’t collect test metrics?


In many companies security, it’s only important when the company gets hacked. I believe mostly because having a security team it’s expensive. What happens when your App source code gets compromised?


Maybe it’s time for a new test code coverage metrics solution from Google.


Because of the breach, many companies had to rotate tokens used on their CI processes. Fun fact: don’t trust free third-party tools. Last week my task was to update tokens for Android Bitrise continuous integration configuration. Hopefully, Google releases a solution for test code coverage metrics. I wonder how Google measures its testing metrics?

Thanks for reading. Let me know if you have any questions.

Thanks, Andres

software engineer, read, swim, travel. apps:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store