Security

Security @ Codecov

Here at Codecov, we strive to implement security best practices and industry-leading security tooling, and then certify our company and products through independent security audits that result in SOC 2 Type II and SOC 3 compliance. By doing so, we are able to secure and protect our customers' data and privacy.


Security Compliance:

Codecov is SOC 2 Type II and SOC 3 certified, which means a third party audits and attests to the practices we use to secure our systems and your data.

Audit Period: Through April 30, 2022

Codecov’s Security & DevOps Teams

Codecov has dedicated Security and DevOps teams whose primary mission is architecting, building and owning security. From infrastructure (GCP Kubernetes deployments, OpenVPN, and a cloud-based SIEM) and security tooling (endpoint EDR agents, vulnerability scanning, static code and dependency scanning) to security code reviews, our staff is focused on Codecov's security posture. Our team holds the following industry certifications:

CISSP
AWS Advanced Networking Specialty
GIAC
GCUX
GPYC

Codecov Infrastructure Security

  • Codecov utilizes GCP (Google Cloud Platform) for our cloud-based products, Terraform for IaC (Infrastructure as Code), and Docker/Kubernetes for microservices. See Google’s SOC3 report here.
  • Docker images are squashed and/or built with multi-stage builds to prevent Docker layer attacks.
  • All publicly available assets hosted in GCP, virtual servers in GCP, and employee endpoints are vulnerability scanned on a daily basis. Tickets for vulnerabilities are automatically created and assigned a due date based on our IR (Incident Response) policy SLA (< 30 days for Critical and High, < 60 days for Medium, < 120 days for Low).
  • All GCP Kubernetes nodes and employee endpoints run EDR (Endpoint Detection and Response) agents configured to quarantine any malware detected and log to our cloud-based SIEM.
  • Use of SSO and endpoint compliance monitoring tools to ensure that 2FA is used wherever possible and that endpoints are full-disk encrypted, have screen lock enabled, etc.

Codecov Code Security

  • Codecov utilizes numerous tools to detect vulnerabilities and protect our code, including:
    • Static application security testing (SAST)
    • Dynamic application security testing (DAST)
    • Repository dependency scanning
    • Scanning repos for secrets (API keys, passwords, etc.) to ensure they are not stored or hard-coded in our code base.
    • Usage of GCP’s Secret Manager and environment variables for proper secret protection and inclusion at runtime.
    • All commits to Codecov repos are GPG signed and require a code review before merging.
    • All Codecov code repositories are only accessible via employee specific accounts registered to the @codecov.io domain.
    • All commits to repos that have security relevant changes undergo a code review by our Security Team.
    • 2FA is enabled for access to our code base, with 2FA and VPN required for access to our GCP resources.
    • All Codecov uploader binaries are SHA256 signed, and changes to uploader binaries are monitored and immediately reported to staff. For instructions on how to verify uploader binaries, see here.

Codecov Vulnerability Testing/Pentesting

  • Codecov undergoes third party vulnerability/pentesting to support our SOC2 compliance efforts.
  • Codecov also performs internal network and application security scanning as follows:
    • Daily network and host-based vulnerability scanning for endpoints, virtual servers in GCP, and publicly accessible assets in GCP
    • At least quarterly, and more often as deemed necessary, web application security testing of our products and API endpoints.

Codecov Security Awareness

  • Codecov requires yearly security awareness training for all staff.
  • Secure coding training for development, security, and devops teams is given yearly.

Codecov Responsible Disclosure Policy

Data security is a top priority for Codecov, and Codecov believes that working with skilled security researchers can identify weaknesses in any technology.

If you believe you’ve found a security vulnerability in Codecov’s service, please notify us; we will work with you to resolve the issue promptly.

Disclosure Policy

  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@codecov.io. We will acknowledge your email within five business days.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within five business days of disclosure.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Codecov service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Codecov employees or contractors
  • Any attacks against Codecov’s physical property or data centers

Thank you for helping to keep Codecov and our users safe!

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://codecov.io/security.

Contact

Codecov is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@codecov.io, and our PGP key is at https://codecov.io/.well-known/security.txt.

Responsibility

It is the Security Team’s responsibility to see that this policy is enforced.

Last updated: January 31st, 2022
For questions and feedback, contact security@codecov.io

Terms

  • Codecov: Codecov and its technology/product/services
  • Service: One of the following companies: GitHub, Bitbucket or GitLab
  • Team: A team or organization in Service
  • Repo: A Service (public or private) repository
  • User: A single person who has logged into Codecov via Service and therefore has an active user session
  • Guest: An HTTP request performed without an active user session
  • Worker: Codecov’s sync back-end which handles uploading, report processing, and other tasks
  • Bot: The User who was chosen to consume Service endpoints during Worker tasks
  • Web: Codecov front-end service that handles page builds and all HTTP requests (GET, POST, etc.)
  • Extension: The Codecov Browser Extension
  • Token: A User’s OAuth2 auth token/secret granted by Service upon logging in to Codecov
  • Scope: What level of permission a User has on a Repository in Service, provided by Services
  • CI: Continuous integration provider, including but not limited to Travis CI, CircleCI, Jenkins, etc.
  • API: HTTP requests to Service
  • 3rd Party: A SaaS tool used by Codecov. Examples: Rippling and Tenable.io

Frequently Asked Questions

Authorization / Authentication

How does Codecov authorize access to a repository?
  • Public Repos are visible to all Users and Guests
  • Private Repos are visible to Users who have at least read access according to Service
  • Codecov checks the User’s Scope by making an API request with the User’s Token
  • If the User does not have at least read access to the Repo, Codecov returns an HTTP 404 error
  • Codecov always uses the acting User’s Token to make API requests to Service when navigating Codecov
  • Codecov always uses the Bot’s Token when performing Worker tasks
How does Codecov store passwords?
  • Codecov does not use passwords in the product.
  • Codecov does not, ever, ask for any “passwords”.
  • Codecov stores Tokens for Users upon logging-in.
How does Codecov store Tokens?
  • Codecov receives Tokens when a User logs into Codecov.
  • Tokens are encrypted using AES-256. The key used to encrypt Tokens is split into two chunks stored in different locations in the Stack so that no single location holds the whole key. In order to compromise Tokens, an attacker must breach multiple levels of the Codecov Stack.
  • Only Codecov staff have access to User Tokens, which are stored encrypted at rest in the database.
  • Tokens are aggressively removed from any logs and tracebacks and are never sent to 3rd Party solutions
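As an added illustration of the split-key design described above (example code written for this page, not Codecov's implementation), the following rebuilds the AES-256 key from two 32-byte shares and encrypts tokens with AES-GCM; the XOR combination and the GCM mode are assumptions, since the page states only that the key is split across two locations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// tokenCipher rebuilds the AES-256 key from two 32-byte shares kept in different
// parts of the stack and returns an AES-GCM AEAD for it. Because the shares are
// XORed (an assumption for this example), either share alone is uniformly random.
func tokenCipher(shareA, shareB []byte) (cipher.AEAD, error) {
	if len(shareA) != 32 || len(shareB) != 32 {
		return nil, errors.New("each key share must be 32 bytes")
	}
	key := make([]byte, 32)
	for i := range key {
		key[i] = shareA[i] ^ shareB[i]
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a token for storage at rest. The output is
// nonce||ciphertext||tag, so every stored record carries its own random nonce.
func sealToken(aead cipher.AEAD, token []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, token, nil), nil
}

// openToken decrypts a stored record. A key rebuilt from a wrong or missing
// share fails the GCM authentication tag check instead of yielding garbage.
func openToken(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

An attacker holding only one share (or a database dump alone) cannot pass the tag check, which is what makes the two storage locations independent compromise targets.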
How do I add collaborators/members to my private repository?
  • A User’s access is always verified with Service.
  • If using GitHub: once a User logs in they must grant Codecov Private Repository Access in order to interact with Private repositories hosted on GitHub that User has appropriate access to.

This allows us to have 100% transparency on who can access source code and view reports on Codecov.

Repository / Code Access

Does Codecov store source code?

We do not store source code. Some archived raw uploads may contain source code, which you can elect to disable.

There is only one opportunity for source code to be stored: while uploading reports. Coverage reporting tools for some languages, gcov for C++ for example, produce reports that include source code in the report data in order to apply report fixes. Codecov scrubs some source code out (and we plan to support this effort more) but may not find it all. These uploads, by default, are archived for 1 month. You may elect to prevent all uploads from archiving by disabling this feature.

How to disable archiving

In your codecov.yml set the following value to false:
codecov:
  archive:
    uploads: false

If Codecov doesn't store my source code, why is it visible in the UI?

At display time, Codecov uses an OAuth access token from your repository provider (e.g., GitHub, GitLab, Bitbucket) to retrieve the code from the repository provider and display it on the page with the coverage overlaid. The code is not stored anywhere; should the OAuth2 token be revoked or access to the repo change, this page will not load and will instead show an error.

Does Codecov ever clone the repository?

No, never. Codecov uses API requests to retrieve information necessary to perform its job and never stores source code in the result of an API request.

When does Codecov read source code from my repository?
  • When a User requests to view source code by a Web request.
  • Or, during several Worker tasks in order to perform analysis of the uploaded reports.

Specifically, there is only one opportunity for source code to be stored: while uploading reports. Coverage tools for some languages, gcov for C++ for example, produce reports that include source code in the report data in order to apply report fixes. Codecov scrubs some source code out (and we plan to support this effort more) but may not find it all. These uploads, by default, are archived for 1 month. You may elect to prevent all uploads from archiving by disabling this feature.

When does Codecov write to my repository?

The only times Codecov will “write” to your repository are in the following processes:
1. Create/Update a Webhook
2. Create/Update/Delete a Pull Request Comment
3. Create/Update the Commit Status

Codecov never adjusts source code, deletes branches, closes pull requests, or performs any other ‘write’ action.

Reports

How does Codecov archive reports?

Codecov archives both the pre-processed reports (preventing vendor lock-in and verifying report accuracy) and the post-processed reports (which never contain source code) in GCP. Archives are accessible publicly to Users who have access to the encrypted location of the content.

Is my Team's data isolated from other Teams?

No, Teams/Repos/Users data is stored in one or more databases, all property of Codecov, but not isolated from other Teams/Repos/Users utilizing Codecov services.

How long are uploaded reports archived?
  • Documentation for Codecov self-hosted report archiving is located here.
  • For Codecov cloud:
    • Uploaded coverage reports are stored in GCP indefinitely, unless archiving is disabled.

How to disable archiving:
In your codecov.yml, set the following line to false as follows:
codecov:
  archive:
    uploads: false

Impact Analysis

What kind of information is collected by Impact Analysis?

Once deployed, the Impact Analysis dependency sends to Codecov the lines of source executed by users, including file path, file name, line number, and execution count (but not the actual source code, similar to a coverage report). In the case of HTTP requests, it also sends the request route and HTTP verb.

Where does Codecov store Impact Analysis data?

For Codecov SaaS customers, in the same GCP environment alongside code coverage data uploaded by customers.

Can a customer’s Impact Analysis / OpenTelemetry data be deleted upon request?

Yes, in the same fashion that customer’s code coverage data may be requested for deletion.

Who can access Impact Analysis data uploaded to Codecov?

Currently customers in open beta for Impact Analysis do not have the ability to download span data that has been uploaded. Allowing for downloading will be a potential feature in the future.

What software is required to run the consumer Impact Analysis libraries?

In order to use Impact Analysis, an Impact Analysis consumer library must be installed as a production-level dependency along with any third-party dependencies required by the library. Specific dependencies vary based on the language of the Impact Analysis library in use; however, key requirements are specified in a dependency manifest file based on the language of the OpenTelemetry instrumentation. An exception to this is the PHP consumer library’s requirement of PCOV, which must be installed independently.

Misc

Are logs kept on who accesses what data on Codecov?

Yes. Each and every Web request is logged for a period of one year. Logs are accessible by Codecov staff and are used to analyze User behavior and help debug the product.

Who can adjust the Team configuration?

The following can adjust team configuration:
a. the User, if the account is their own profile, OR
b. a Codecov Team Admin, OR
c. the first User to create a billing account for the Team, OR
d. a User with admin status according to Service

  • By default, the first User to set up billing for a Team will be added as the first Codecov Team Admin
  • Note: if you want to transfer administration to another User, please (1) add the new User, then (2) remove the old User in your Team account page.
Who can adjust billing/plans information?

The following can adjust billing/plans information:
a. the User, if the account is their own profile, OR
b. a Codecov Team Admin, OR
c. the first User to create a billing account for the Team, OR
d. a User with admin status according to Service

  • Please contact Codecov staff if there are any discrepancies or issues with billing.
  • Note: if you want to transfer administration to another User, please (1) add the new User, then (2) remove the old User in your Team account page.
How do I change the configuration on the repository?

Most Repo configuration is recorded in a file called codecov.yml within the Repo. The location of this configuration file may be anywhere within the Repo and must be named codecov.yml or .codecov.yml in order to be detected. Having configuration stored in the codecov.yml allows for complete transparency and version controlled configuration. For more details please see our configuration docs.

Do you have a different question? Contact us