Security

Security @ Codecov

Here at Codecov, we strive to implement security best practices, industry leading security tooling, and then certify our company and products using independent security audits that result in SOC2 Type II. By doing so, we’re able to secure and protect our customer’s data and privacy.

Codecov Security
Codecov security
Codecov SOC II

Security Compliance

Codecov is SOC 2 Type II certified, which means a third-party audits and attests to our practices to secure our systems and your data.

Audit Period: Through August 31, 2023

Codecov’s Security & DevOps Teams

Codecov has dedicated Security and DevOps teams whose primary mission is responsibility for architecting, building and owning security. From infrastructure (GCP Kubernetes deployments, OpenVPN, and cloud-based SIEM), security tooling (endpoint EDR agents, vulnerability scanning, static code and dependency scanning), to security code reviews, our staff is focused on Codecov’s security posture. Our team holds the following industry certifications:

CISSP
AWS Advanced Networking Specialty
GIAC
GCUX
GPYC

Codecov Infrastructure Security

  • Codecov utilizes GCP (Google Cloud Platform) for our cloud-based products, Terraform for IaC (Infrastructure as Code), and Docker/Kubernetes for microservices. See Google’s SOC3 report here.
  • Docker images are squashed and/or multistaged to prevent docker layer attacks.
  • All publicly available assets hosted in GCP, virtual servers in GCP, and employee endpoints are vulnerability scanned on a daily basis. Tickets for vulnerabilities are automatically created and assigned a due date based on our IR (Incident Response) policy SLA ( < 30 days for Critical and High, < 60 days for Medium, < 120 days for Low).
  • All GCP Kubernetes nodes and employee endpoints run EDR (Endpoint Detection and Response) agents configured to quarantine any malware detected and log to our cloud-based SIEM.
  • Use of SSO and endpoint compliance monitoring tools to ensure 2FA is used whenever possible and endpoints are full disk encrypted, screen-lock enabled, etc.

Codecov Code Security

  • Codecov utilizes numerous tools to detect vulnerabilities and protect our code, including:
    • Static application security testing (SAST)
    • Dynamic application security testing (DAST)
    • Repository dependency scanning
    • Scanning repos for secrets (API keys, passwords, etc) to ensure they are not stored or hard coded in our code base.
    • Usage of GCP’s Secret Manager and environment variables for proper secret protection and inclusion at runtime.
    • All commits to Codecov repos are GPG signed and require a code review before merging.
    • All commits to repos that have security relevant changes undergo a code review by our Security Team.
    • 2FA is enabled for access to our code base, with 2FA and VPN required for access to our GCP resources.
    • All Codecov uploader binaries are SHA256 signed, and changes to uploader binaries are monitored and immediately reported to staff. For instructions on how to verify uploader binaries, see here.

Codecov Vulnerability Testing/Pentesting

  • Codecov undergoes third party vulnerability/pentesting to support our SOC2 compliance efforts.
  • Codecov also performs internal network and application security scanning as follows:
    • Daily network and host-based vulnerability scanning for endpoints, virtual servers in GCP, and publicly accessible assets in GCP

Codecov Security Awareness

  • Codecov requires yearly security awareness training for all staff.
  • Secure coding training for development, security, and devops teams is given yearly.

Codecov Responsible Disclosure Policy

Data security is a top priority for Codecov, and Codecov believes that working with skilled security researchers can identify weaknesses in any technology.

Codecov participates in the Sentry.io HackerOne bug bounty program. You may request an invite by sending an email to security@sentry.io and we will ensure that your findings get passed along to the security team for remediation if you’ve found a security vulnerability in Codecov’s service.

Follow this repo to get the latest security advisories about our codebase.

Disclosure Policy

  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@codecov.io . We will acknowledge your email within five business days.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within five business days of disclosure.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Codecov service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Codecov employees or contractors
  • Any attacks against Codecov’s physical property or data centers

Thank you for helping to keep Codecov and our users safe!

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://codecov.io/security

Contact

Codecov is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@codecov.io, and our PGP key is at https://codecov.io/.well-known/security.txt.

Responsibility

It is the Security Team’s responsibility to see this policy is enforced. Last updated: October 11, 2022
For questions and feedback, contact security@codecov.io

Current PGP Public Keys

Codecov’s current PGP public key can be fetched from Keybase or from most keyservers with the key ID ED779869 and fingerprint 2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869 it can also be found below:

Current Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGCsMn0BEACiCKZOhkbhUjb+obvhH49p3ShjJzU5b/GqAXSDhRhdXUq7ZoGq
KEKCd7sQHrCf16Pi5UVacGIyE9hS93HwY15kMlLwM+lNeAeCglEscOjpCly1qUIr
sN1wjkd2cwDXS6zHBJTqJ7wSOiXbZfTAeKhd6DuLEpmA+Rz4Yc+4qZP+fVxVG3Pv
2v06m+E5CP/JQVQPO8HYi+S36hJImTh+zaDspu+VujSai5KzJ6YKmgwslVNIp5X5
GnEr2uAh5w6UTnt9UQUjFFliAvQ3lPLWzm7DWs6AP9hslYxSWzwbzVF5qbOIjUJL
KfoUpvCYDs2ObgRn8WUQO0ndkRCBIxhlF3HGGYWKQaCEsiom7lyi8VbAszmUCDjw
HdbQHFmm5yHLpTXJbg+iaxQzKnhWVXzye5/x92IJmJswW81Ky346VxYdC1XFL/+Y
zBaj9oMmV7WfRpdch09Gf4TgosMzWf3NjJbtKE5xkaghJckIgxwzcrRmF/RmCJue
IMqZ8A5qUUlK7NBzj51xmAQ4BtkUa2bcCBRV/vP+rk9wcBWz2LiaW+7Mwlfr/C/Q
Swvv/JW2LsQ4iWc1BY7m7ksn9dcdypEq/1JbIzVLCRDG7pbMj9yLgYmhe5TtjOM3
ygk25584EhXSgUA3MZw+DIqhbHQBYgrKndTr2N/wuBQY62zZg1YGQByD4QARAQAB
tEpDb2RlY292IFVwbG9hZGVyIChDb2RlY292IFVwbG9hZGVyIFZlcmlmaWNhdGlv
biBLZXkpIDxzZWN1cml0eUBjb2RlY292LmlvPokCTgQTAQoAOBYhBCcDTn/bhQ4L
vCxi/4Brsortd5hpBQJgrDJ9AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
EIBrsortd5hpxLMP/3Fbgx5EG7zUUOqPZ+Ya9z8JlZFIkh3FxYMfMFE8jH9Es26F
V2ZTJLO259MxM+5N0XzObi3h4XqIzBn42pDRfwtojY5wl2STJ9Bzu+ykPog7OB1u
yfWXDRKcqPTUIxI1/WdU+c0/WNE6wjyzK+lRc1YUlp4pdNU7l+j2vKN+jGi2b6nV
PTPRsMcwy3B90fKf5h2wNMNqO+KX/rjgpG9Uhej+xyFWkGM1tZDQQYFj+ugQUj61
BMsQrUmxOnaVVnix21cHnACDCaxqgQZH3iZyEOKPNMsRFRP+0fLEnUMP+DVnQE6J
Brk1Z+XhtjGI9PISQVx5KKDKscreS/D5ae2Cw/FUlQMf57kir6mkbZVhz2khtccz
atD0r59WomNywIDyk1QfAKV0+O0WeJg8A69/Jk6yegsrUb5qEfkih/I38vvI0OVL
BYve/mQIHuQo5ziBptNytCrN5TXHXzguX9GOW1V1+3DR+w/vXcnz67sjlYDysf1f
JUZv9edZ2RGKW7agbrgOw2hB+zuWZ10tjoEcsaSGOLtKRGFDfmu/dBxzl8yopUpa
Tn79QKOieleRm5+uCcKCPTeKV0GbhDntCZJ+Yiw6ZPmrpcjDowAoMQ9kiMVa10+Q
WwwoaRWuqhf+dL6Q2OLFOxlyCDKVSyW0YF4Vrf3fKGyxKJmszAL+NS1mVcdxuQIN
BGCsMn0BEADLrIesbpfdAfWRvUFDN+PoRfa0ROwa/JOMhEgVsowQuk9No8yRva/X
VyiA6oCq6na7IvZXMxT7di4FWDjDtw5xHjbtFg336IJTGBcnzm7WIsjvyyw8kKfB
8cvG7D2OkzAUF8SVXLarJ1zdBP/Dr1Nz6F/gJsx5+BM8wGHEz4DsdMRV7ZMTVh6b
PaGuPZysPjSEw62R8MFJ1fSyDGCKJYwMQ/sKFzseNaY/kZVR5lq0dmhiYjNVQeG9
HJ6ZCGSGT5PKNOwx/UEkT6jhvzWgfr2eFVGJTcdwSLEgIrJIDzP7myHGxuOiuCmJ
ENgL1f7mzGkJ/hYXq1RWqsn1Fh2I9KZMHggqu4a+s3RiscmNcbIlIhJLXoE1bxZ/
TfYZ9Aod6Bd5TsSMTZNwV2am9zelhDiFF60FWww/5nEbhm/X4suC9W86qWBxs3Kh
vk1dxhElRjtgwUEHA5OFOO48ERHfR7COH719D/YmqLU3EybBgJbGoC/yjlGJxv0R
kOMAiG2FneNKEZZihReh8A5Jt6jYrSoHFRwL6oJIZfLezB7Rdajx1uH7uYcUyIaE
SiDWlkDw/IFM315NYFA8c1TCSIfnabUYaAxSLNFRmXnt+GQpm44qAK1x8EGhY633
e5B4FWorIXx0tTmsVM4rkQ6IgAodeywKG+c2Ikd+5dQLFmb7dW/6CwARAQABiQI2
BBgBCgAgFiEEJwNOf9uFDgu8LGL/gGuyiu13mGkFAmCsMn0CGwwACgkQgGuyiu13
mGkYWxAAkzF64SVpYvY9nY/QSYikL8UHlyyqirs6eFZ3Mj9lMRpHM2Spn9a3c701
0Ge4wDbRP2oftCyPP+p9pdUA77ifMTlRcoMYX8oXAuyE5RT2emBDiWvSR6hQQ8bZ
WFNXal+bUPpaRiruCCUPD2b8Od1ftzLqbYOosxr/m5Du0uahgOuGw6zlGBJCVOo7
UB2Y++oZ8P7oDGF722opepWQ+bl2a6TRMLNWWlj4UANknyjlhyZZ7PKhWLjoC6MU
dAKcwQUdp+XYLc/3b00bvgju0e99QgHZMX2fN3d3ktdN5Q2fqiAi5R6BmCCO4ISF
o5j10gGU/sdqGHvNhv5C21ibun7HEzMtxBhnhGmytfBJzrsj7GOReePsfTLoCoUq
dFMOAVUDciVfRtL2m8cv42ZJOXtPfDjsFOf8AKJk40/tc8mMMqZP7RVBr9RWOoq5
y9D37NfI6UB8rPZ6qs0a1Vfm8lIh2/k1AFECduXgftMDTsmmXOgXXS37HukGW7AL
QKWiWJQF/XopkXwkyAYpyuyRMZ77oF7nuqLFnl5VVEiRo0Fwu45erebc6ccSwYZU
8pmeSx7s0aJtxCZPSZEKZ3mn0BXOR32Cgs48CjzFWf6PKucTwOy/YO0/4Gt/upNJ
3DyeINcYcKyD08DEIF9f5tLyoiD4xz+N23ltTBoMPyv4f3X/wCQ=
=ch7z
-----END PGP PUBLIC KEY BLOCK-----

Terms

  • Codecov: Codecov and its technology/product/services
  • Service: One of the following companies: GitHub, Bitbucket or GitLab
  • Team: A team or organization in Service
  • Repo: A Service (public or private) repository
  • User: A single person who has logged into Codecov via Service therefore has an active user session
  • Guest: A http request performed without an active user sessions
  • Worker: Codecov’s sync back-end which handles uploading, report processing, and other tasks
  • Bot: The User who was chosen to consume Service endpoints during Worker tasks
  • Web: Codecov front-end service that handles page builds and all HTTP requests (GET, POST, etc.)
  • Extension: The Codecov Browser Extension
  • Token: A Users Oauth2 auth token/secret granted by Service upon logging-in to Codecov
  • Scope: What level of permission a User has on a Repository in Service, provided by Services
  • CI: continuous integration provider. Including (not limited to) Travis-CI, Circle CI, Jenkins, etc.
  • API: HTTP requests to Service
  • 3rd Party: A SaaS tool used by Codecov. Examples – Rippling and Tenable IO

Frequently Asked Questions

Authorization / Authentication

How does Codecov authorize access to a repository?
  • Public Repos are visible to all Users and Guests
  • Private Repos are visible to Users who have at least read access according to Service
  • Codecov checks the User’s Scope by making an API request with the User’s Token
  • If the User does not have at least read access to the Repo: Codecov will return a 404 HTTP Error
  • Codecov always uses the acting User’s Token to make API requests to Service when navigating Codecov
  • Codecov always uses the Bot’s Token when performing Worker tasks
How does Codecov store passwords?
  • Codecov does not use passwords in the product.
  • Codecov does not, ever, ask for any “passwords”.
  • Codecov stores Tokens for Users upon logging-in.
How does Codecov store Tokens?
  • Codecov receives Tokens when a User logs into Codecov.
  • Tokens are encrypted using AES-256. The key used to encrypt Tokens is broken into two chunks stored in different locations in the Stack to reduce a single point of failure. In order to compromise Tokens, an attacker must breach multiple levels of the Codecov Stack.
  • Only Codecov staff have access to User Tokens, which are stored encrypted at rest in the database
  • Tokens are aggressively removed from any logs and tracebacks and are never sent to 3rd Party solutions
How do I add collaborators/members to my private repository?
  • A User’s access is always verified with Service.
  • If using GitHub: once a User logs in they must grant Codecov Private Repository Access in order to interact with Private repositories hosted on GitHub that User has appropriate access to.

This allows us to have 100% transparency on who can access source code and view reports on Codecov.

Repository / Code Access

Does Codecov store source code?

We do not store source code. Some archived raw uploads may contain source code, which you can elect to disable.

There is only one opportunity for source code to be stored: while uploading reports. Coverage reporting tools for some languages, gcov for C++ for example, produce reports that include source code in the report data in order to apply report fixes. Codecov scrubs some source code out (and we plan to support this effort more) but may not find it all. These uploads, by default, are archived for 1 month. You may elect to prevent all uploads from archiving by disabling this feature.

How to disable archiving

In your codecov.yml set the following value to false:


codecov:
  archive:
    uploads: false
If Codecov doesn't store my source code, why is it visible in the UI?

At display time, Codecov uses an OAuth access token token from your repository provider (e.g., GitHub, GitLab, BitBucket) to retrieve the code from the repository provider to display on the page with the coverage overlaid. The code is not stored anywhere and should the oauth2 token be revoked or access to the repo change, this page will not load and will instead show an error.

Does Codecov ever clone the repository?

No, never. Codecov uses API requests to retrieve information necessary to perform its job and never stores source code in the result of an API request.

When does Codecov read source code from my repository?
  • When a User requests to view source code by a Web request.
  • Or, during several Worker tasks in order to perform analysis of the uploaded reports.

Specifically, there is only one opportunity for source code to be stored: while uploading reports. Some languages, C++ for example, produce reports that include source code in the report data in order to apply report fixes. Codecov scrubs some source code out (and we plan to support this effort more) but may not find it all. These uploads, by default, are archived for 1 month. You may elect to prevent all uploads from archiving by disabling this feature.

When does Codecov write to my repository?

The only times Codecov will “write” to your repository is in the following processes:
1. Create/Update a Webhook
2. Create/Update/Delete a Pull Request Comment
3. Create/Update the Commit Status

Codecov never adjusts source code, deletes branches, closes pull requests, or performs any other ‘write’ action.

Reports

How does Codecov archive reports?

Codecov archives both the pre-processed reports (preventing vendor lock-in and verifying report accuracy) and the post-processed reports (which never contain source code) in GCP. Archives are accessible publicly to Users who have access to the encrypted location of the content.

Is my Team's data isolated from other Teams?

No, Teams/Repos/Users data is stored in one or more databases, all property of Codecov, but not isolated from other Teams/Repos/Users utilizing Codecov services.

How long are uploaded reports archived?
  • Documentation for Codecov self-hosted report archiving is located here.
  • For Codecov cloud:
    • Uploaded coverage reports are stored in GCP indefinitely, unless archiving is disabled.

How to disable archiving:
In your codecov.yml, set the following line to false as follows:


codecov:
   archive:
      uploads: false

Impact Analysis

What kind of information is collected by Impact Analysis?

Once deployed, the Impact Analysis dependency sends to Codecov: lines of source executed by users, including file path, file name, line number, and execution count (but not actual source code, similar to a coverage report). In the case of HTTP requests, the request route and HTTP verb.

Where does Codecov store Impact Analysis data?

For Codecov SaaS customers, in the same GCP environment alongside code coverage data uploaded by customers.

Can a customer’s Impact Analysis / OpenTelemetry data be deleted upon request?

Yes, in the same fashion that customer’s code coverage data may be requested for deletion.

Who can access Impact Analysis data uploaded to Codecov?

Currently customers in open beta for Impact Analysis do not have the ability to download span data that has been uploaded. Allowing for downloading will be a potential feature in the future.

What software is required to run the consumer Impact Analysis libraries?

In order to use Impact Analysis, a Impact Analysis consumer library must be installed as a production-level dependency along with any required third-party dependencies required by the library. Specific dependencies vary based on the language of the Impact Analysis library in use; however, key requirements are specified in a dependency manifest file based on the language of the Open Telemetry instrumentation. An exception to this is the PHP consumer library’s requirement of PCOV which must be installed independently.

Misc

Are logs kept on who accesses what data on Codecov?

Yes. Each and every Web request is logged for a period of one year. Logs are accessible by Codecov staff and are used to analyze User behavior and help debug the product.

Who can adjust the Team configuration?

The following can adjust team configuration:
a. the User, if the account is their own profile, OR b. a Codecov Team Admin, OR c. the first User to create a billing account for the Team, OR d. a User with admin status according to Service

  • By default, the first User to set up billing for a Team will be added as the first Codecov Team Admin
  • Note if you want to transfer administration to another User please (1) add the new User, (b) remove the old user in your Team account page.
Who can adjust billing/plans information?

The following can adjust team configuration:
a. the User, if the account is their own profile, OR b. a Codecov Team Admin, OR c. the first User to create a billing account for the Team, OR d. a User with admin status according to Service

  • Please contact Codecov staff if there are any discrepancies or issues with billing.
  • Note if you want to transfer administration to another User please (1) add the new User, (b) remove the old user in your Team account page.
How do I change the configuration on the repository?

Most Repo configuration is recorded in a file called codecov.yml within the Repo. The location of this configuration file may be anywhere within the Repo and must be named codecov.yml or .codecov.yml in order to be detected. Having configuration stored in the codecov.yml allows for complete transparency and version controlled configuration. For more details please see our configuration docs.

Do you have a different question? Contact us
Before we redirect you to GitHub...
In order to use Codecov an admin must approve your org.