Skip to content

Coveralls Repository Token

Service Name: Coveralls

Service Description: Coveralls is a web service that helps developers track their code coverage over time and ensure that all new code is fully covered by tests. It integrates with various CI services and version control systems to provide detailed reports on test coverage.

Service Address: https://coveralls.io/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants access to upload and manage code coverage reports for a specific repository in Coveralls. The token is repository-specific and allows CI services to send coverage data to Coveralls.

Secret Revokement URL: https://coveralls.io/repos

Secret Example: abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGH

Suspicious Activity Investigation Instructions:

  • Review recent coverage reports in the Coveralls dashboard for unauthorized uploads
  • Check the repository settings in Coveralls for any unauthorized changes
  • Verify that the CI configuration files haven't been modified to send coverage data to unauthorized locations
  • Review the repository's commit history for any changes to CI configuration files that might expose the token

Mitigation Instructions:

  • Log in to your Coveralls account

  • Navigate to the repository settings page

  • Click on "Reset Repository Token" to invalidate the current token
  • Update the token in all CI configuration files and environment variables
  • Consider using environment variables in CI systems rather than hardcoding the

token in configuration files

  • Ensure the token is only accessible to authorized CI jobs and not exposed in

public build logs