Skip to content

Codecov API Key

Service Name: Codecov

Service Description: Codecov is a code coverage reporting tool that integrates with CI/CD workflows to help developers track and improve code coverage metrics. It provides insights into which parts of the codebase are covered by tests and which need additional testing.

Service Address: https://codecov.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through the Codecov dashboard.

Secret Access Scope: Grants programmatic access to upload, retrieve, and manage code coverage reports for repositories connected to Codecov. Can access repository coverage data, statistics, and configuration settings.

Secret Revokement URL: https://codecov.io/account/settings

Secret Example: codecov_token_12345678-abcd-efgh-ijkl-1234567890ab

Suspicious Activity Investigation Instructions:

  • Review the Codecov dashboard for unusual coverage report uploads or unauthorized repository access.
  • Check repository settings for any unauthorized changes to coverage configurations.
  • Review CI/CD logs for unexpected or unauthorized coverage report uploads.
  • Examine the Codecov audit logs for suspicious API calls or access patterns.
  • Verify if the token has been used from unusual geographic locations or IP addresses.

Mitigation Instructions:

  • Log in to your Codecov account at https://codecov.io/.
  • Navigate to Account Settings or Organization Settings.
  • Locate the API Tokens or Repository Tokens section.
  • Identify the compromised token and click "Delete" or "Revoke".
  • Generate a new token if needed for legitimate services.
  • Update the token in all CI/CD configurations and repository settings.
  • Consider implementing repository upload restrictions to limit which repositories can upload coverage reports.

  • Review and update access permissions for team members who have access to the token.