Codecov API Key
Service Name: Codecov
Service Description: Codecov is a code coverage reporting tool that integrates with CI/CD workflows to help developers track and improve code coverage metrics. It provides insights into which parts of the codebase are covered by tests and which need additional testing.
Service Address: https://codecov.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level through the Codecov dashboard.
Secret Access Scope: Grants programmatic access to upload, retrieve, and manage code coverage reports for repositories connected to Codecov. Can access repository coverage data, statistics, and configuration settings.
Secret Revokement URL: https://codecov.io/account/settings
Secret Example: codecov_token_12345678-abcd-efgh-ijkl-1234567890ab
Suspicious Activity Investigation Instructions:
- Review the Codecov dashboard for unusual coverage report uploads or unauthorized repository access.
- Check repository settings for any unauthorized changes to coverage configurations.
- Review CI/CD logs for unexpected or unauthorized coverage report uploads.
- Examine the Codecov audit logs for suspicious API calls or access patterns.
- Verify if the token has been used from unusual geographic locations or IP addresses.
Mitigation Instructions:
- Log in to your Codecov account at https://codecov.io/.
- Navigate to Account Settings or Organization Settings.
- Locate the API Tokens or Repository Tokens section.
- Identify the compromised token and click "Delete" or "Revoke".
- Generate a new token if needed for legitimate services.
- Update the token in all CI/CD configurations and repository settings.
-
Consider implementing repository upload restrictions to limit which repositories can upload coverage reports.
-
Review and update access permissions for team members who have access to the token.