Codecov Security Breach 2021

Andres Sandoval
2 min readApr 23, 2021

What is Codecov?

Is a tool that generates a report about your source code test coverage metrics.

Codecov Security Breach:

Last week they had a security breach, a docker container security issue. The attacker gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify their Bash Uploader script. Their investigation shows that it started on January 31, 2021, and was disclosed on April 15, 2021. Codecov supports thousands of customers, many private companies, and U.S. government agencies.

What it means:

Developers security best practices rule number one is: don’t add API tokens into GitHub. Inject the API tokens during CI (Continuous Integration) process to secure the tokens. What if your CI gets breach? That’s what happened with the Codecov security breach, the CI processes of many companies were breached.

If you use Codecov for test code coverage metrics, there is a possibility that the attacker made a copy of your codebase “scary”. Developers trusted a third party company “Codecov” to get their test metrics and now thanks to Codecov an attacker could possibly compromised companies code bases.

Future of CodeCov company?:

  • Are they getting sued?
  • Are they going to disappear soon?

Future of CodeCov users?:

  • Are they creating an in-house solution?
  • Are they removing Codecov?
  • Or don’t collect test metrics?


In many companies security, it’s only important when the company gets hacked. I believe mostly because having a security team it’s expensive. What happens when your App source code gets compromised?


Maybe it’s time for a new test code coverage metrics solution from Google.