Code Climate API Key
Service Name: Code Climate
Service Description: Code Climate is a platform that provides automated code review and quality metrics for software development teams. It helps identify technical debt, security issues, and maintainability problems in codebases.
Service Address: https://codeclimate.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level through access policies.
Secret Access Scope: Grants programmatic access to Code Climate's API, allowing users to retrieve quality metrics, test coverage data, and integrate with CI/CD pipelines.
Secret Revokement URL: https://codeclimate.com/profile/tokens
Secret Example: cc_test_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
Suspicious Activity Investigation Instructions:
- Review the Code Climate audit logs for unusual API calls or access patterns.
- Check for unauthorized repositories being added to your Code Climate account.
- Monitor for changes in user permissions or organization settings.
- Look for unexpected integrations with third-party services.
- Verify if there are any unusual analysis reports being generated.
Mitigation Instructions:
- Log in to your Code Climate account and navigate to your profile settings.
- Go to the API Access Tokens section.
-
Identify the compromised token and click the "Revoke" button next to it.
-
Generate a new API token if needed for legitimate services.
- Review and update access permissions for all users in your organization.
- Enable two-factor authentication for all users with access to Code Climate.
- Consider implementing IP restrictions for API access if available for your plan.
- Update any CI/CD pipelines or integrations to use the new token.