Codecov bash uploader security issue

How minimizing our attack surface with CircleCI Contexts helped us pass the Codecov bash uploader security issue unharmed

What is Codecov

For those who don’t know Codecov, it is an online platform for hosted code coverage reports and statistics founded in 2014. According to their website, over 29,000 organizations and more than 1 million developers use their tools. The list includes Google, Atlassian, The Washington Post, RBC, and Procter & Gamble Co.

What about the breach?

On April 15th, 2021, Codecov reported in a press release that someone had gained unauthorized access to its Bash Uploader script and modified it without its permission.

  • Any service, datastore, and application code that could be accessed with these credentials, tokens, or keys;
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploader to upload coverage to Codecov in their continuous integration.

Why are we safe from that at CloudSkiff?

We use CircleCI to continuously build, test and deploy our open-source drift detection CLI, driftctl. Like most projects, we need to handle sensitive environment variables in CI, so this incident could have affected us.

version: 2.1
# Jobs declaration for build, test and deploy not displayed
workflows:
  build-test-deploy:          # workflow name not preserved on the page; any name works
    jobs:
      - build
      - test
      # Only the deploy job is given the restricted context's secrets;
      # build and test run without them.
      - deploy:
          context: restricted-context
          requires:
            - build
            - test

We could have avoided that threat

One way we could have avoided that is the same way Codecov started investigating the attack. The company reported that on the morning of April 1, 2021, one customer was using the shasum published for its Bash Uploader to confirm the integrity of the uploader fetched from

# The two download URLs did not survive on this page: set CODECOV_BASH_URL to the
# published uploader and CODECOV_SHASUM_BASE to the base URL of its SHA512SUM files.
$ curl -s "$CODECOV_BASH_URL" -o codecov \
  && VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2) \
  && shasum -a 512 -c --ignore-missing <(curl -s "${CODECOV_SHASUM_BASE}/${VERSION}/SHA512SUM")
jobs:
  test:                         # job name not preserved on the page
    docker:
      - image: golang:1.16
    steps:
      - checkout
      - run: make install-tools
      - run: make test
      - run:
          name: Check Codecov
          command: |
            # CODECOV_BASH_URL / CODECOV_SHASUM_BASE: the download URLs were lost on
            # this page; point them at Codecov's published uploader and SHA512SUM files.
            # A checksum mismatch fails this step, so the upload step below never runs.
            curl -s "$CODECOV_BASH_URL" -o codecov \
            && VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2) \
            && shasum -a 512 -c --ignore-missing <(curl -s "${CODECOV_SHASUM_BASE}/${VERSION}/SHA512SUM")
      - run:
          name: Codecov upload
          command: |
            chmod +x codecov
            # the upload invocation that followed was cut off on the page
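A stand-alone version of that integrity check, added here as an example (it is not code from this post or from Codecov): it verifies a downloaded script against a SHA512SUM file, rejects a script modified after the sums were published and, unlike a bare `--ignore-missing` check, also rejects a script the sums file never lists. It assumes only that `sha512sum` or `shasum` is installed; every file and its contents are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: verify a downloaded uploader
# script against its published SHA512SUM and refuse to run it on a mismatch.
# All files and contents below are constructed for the demo.
set -u

sha512_check() {          # usage: sha512_check <sums-file>, run inside the script's dir
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum -c --ignore-missing --status "$1"
  else
    shasum -a 512 -c --ignore-missing --status "$1"
  fi
}

# verify_uploader <script> <sums-file>
# 0 = digest matches, 1 = digest mismatch, 2 = script not listed in the sums file
verify_uploader() {
  local script="$1" sums="$2" dir name
  dir=$(dirname "$script"); name=$(basename "$script")
  sums="$(cd "$(dirname "$sums")" && pwd)/$(basename "$sums")"   # make it absolute
  # --ignore-missing also passes silently when OUR file has no entry at all,
  # so a sums file that simply omits it would "verify"; demand the entry.
  awk -v n="$name" '{f=$2; sub(/^\*/,"",f); if (f==n) found=1} END{exit !found}' "$sums" \
    || { echo "no checksum entry for $name" >&2; return 2; }
  (cd "$dir" && sha512_check "$sums") \
    || { echo "checksum mismatch for $name, refusing to run it" >&2; return 1; }
}

# --- constructed demo: a fake uploader plus the sums file its publisher would ship
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nVERSION="1.0.0"\necho upload\n' > "$demo_dir/codecov"
( cd "$demo_dir" && { sha512sum codecov 2>/dev/null || shasum -a 512 codecov; } ) > "$demo_dir/SHA512SUM"

demo_genuine()  { verify_uploader "$demo_dir/codecov" "$demo_dir/SHA512SUM"; }
demo_tampered() {          # the script was modified after the sums were published
  local t; t=$(mktemp -d); cp "$demo_dir/SHA512SUM" "$t/"
  { cat "$demo_dir/codecov"; echo 'echo tampered'; } > "$t/codecov"
  verify_uploader "$t/codecov" "$t/SHA512SUM"
}
demo_unlisted() {          # a file the sums file never mentioned
  cp "$demo_dir/codecov" "$demo_dir/other"
  verify_uploader "$demo_dir/other" "$demo_dir/SHA512SUM"
}

demo_genuine && echo "genuine uploader verified, safe to chmod +x and run"
```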