Security


SOC 2

Codecov is SOC 2 Type II certified, which means a third-party audits and attests to our practices to secure our systems and your data.


Terms

  • Codecov: Codecov and its technology, product and services
  • Service: one of the following companies: GitHub, Bitbucket or GitLab
  • Team: a team or organization in Service
  • Repo: a Service repository (public or private)
  • User: a single person who has logged into Codecov via Service and therefore has an active user session
  • Guest: an HTTP request performed without an active user session
  • Worker: Codecov's sync back-end, which handles uploading, report processing, and other tasks
  • Bot: the User who was chosen to consume Service endpoints during Worker tasks
  • Web: the Codecov front-end service that handles page builds and all HTTP requests (GET, POST, etc.)
  • Extension: the Codecov Browser Extension
  • Token: a User's auth token/secret granted by Service upon logging in to Codecov
  • Scope: what level of permission a User has on a Repository in Service, as provided by Service
  • CI: continuous integration provider, including (but not limited to) Travis-CI, Circle CI, Jenkins, etc.
  • API: HTTP requests to Service
  • 3rd Party: a SaaS tool used by Codecov, for example Sentry and Logentries

How does Codecov authenticate access to a repository?

  • Public Repos are visible to all Users and Guests
  • Private Repos are visible to Users who have at least read access according to Service
  • Codecov checks the User's Scope by making an API request with the User's Token
  • If the User does not have at least read access to the Repo: Codecov will return a 404 HTTP Error
  • Codecov always uses the acting User's Token to make API requests to Service when navigating Codecov
  • Codecov always uses the Bot's Token when performing Worker tasks
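The access decision described above, written out as an added Go example (not Codecov's own code). The Service interface, fakeService and the Grants table are assumptions standing in for the real API request made with the User's Token; the decision rules are the ones listed on this page.

```go
package main

// Scope is the permission level a Service (GitHub, GitLab, Bitbucket)
// reports for a User's Token on a Repo.
type Scope int

const (
	NoAccess Scope = iota
	Read
	Write
	Admin
)

// Service stands in for the API call that checks a User's Scope with the
// User's Token; the real one is an HTTP request to the Service.
type Service interface {
	RepoScope(token, repo string) Scope
}

type Repo struct {
	Name    string
	Private bool
}

// Session is nil for a Guest (an HTTP request with no active user session).
type Session struct{ Token string }

// Authorize returns the HTTP status Codecov would answer with: 200 when the
// caller may view the Repo, 404 otherwise. A private Repo the caller cannot
// read is indistinguishable from one that does not exist, so Guests and
// unauthorized Users learn nothing about it.
func Authorize(svc Service, repo Repo, sess *Session) int {
	if !repo.Private {
		return 200 // public Repos are visible to all Users and Guests
	}
	if sess == nil {
		return 404 // Guest: no Token to check Scope with
	}
	if svc.RepoScope(sess.Token, repo.Name) < Read {
		return 404 // Service grants this Token less than read access
	}
	return 200
}

// fakeService is a constructed stand-in for the Service API, keyed by
// "token|repo"; unknown pairs yield NoAccess, as a revoked Token would.
type fakeService map[string]Scope

func (f fakeService) RepoScope(token, repo string) Scope { return f[token+"|"+repo] }

// Grants is constructed sample data: only tok-alice may read org/private.
var Grants = fakeService{"tok-alice|org/private": Read}
```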

How does Codecov store passwords?

  • Codecov does not use passwords in the product.
  • Codecov does not, ever, ask for any "passwords".
  • Codecov stores Tokens for Users upon logging-in.

How does Codecov store Tokens?

  • Codecov receives Tokens when a User logs into Codecov.
  • Tokens are encrypted with AES. The key used to encrypt Tokens is broken into three chunks stored in different locations in the Stack to reduce a single point of failure. In order to compromise Tokens, an attacker must breach multiple levels of the Codecov Stack (database, source code, server environment, and more).
  • Only Codecov staff have access to User Tokens
  • Tokens are aggressively removed from any logs and tracebacks and are never sent to 3rd Party solutions
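An added Go illustration (not Codecov's code) of the three-chunk key scheme described above. XOR secret shares, AES-256-GCM and the 32-byte key size are assumptions: the page says only that Tokens are AES-encrypted and that the key is split into three chunks kept in different places.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyChunks are the three pieces of the Token-encryption key, assumed to live
// in different parts of the stack (the page names database, source code and
// server environment). XOR shares are an assumption: the page does not say how
// Codecov combines its chunks, but with XOR any two chunks alone reveal nothing.
type KeyChunks struct{ DB, Source, Env []byte }

// SplitKey turns a 32-byte AES-256 key into three XOR shares, two of them
// uniformly random and the third the key masked by both.
func SplitKey(key []byte) (KeyChunks, error) {
	if len(key) != 32 {
		return KeyChunks{}, errors.New("key must be 32 bytes")
	}
	buf := make([]byte, 64) // crypto/rand, never math/rand, for the shares
	if _, err := rand.Read(buf); err != nil {
		return KeyChunks{}, err
	}
	c := KeyChunks{DB: buf[:32], Source: buf[32:], Env: make([]byte, 32)}
	for i := range key {
		c.Env[i] = key[i] ^ c.DB[i] ^ c.Source[i]
	}
	return c, nil
}

// NewVault recombines the chunks at start-up and keeps the key only as a live
// AES-256-GCM cipher in process memory (GCM is assumed; the page says "AES").
func NewVault(c KeyChunks) (cipher.AEAD, error) {
	if len(c.DB) != 32 || len(c.Source) != 32 || len(c.Env) != 32 {
		return nil, errors.New("every chunk must be 32 bytes")
	}
	key := make([]byte, 32)
	for i := range key {
		key[i] = c.DB[i] ^ c.Source[i] ^ c.Env[i]
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

A Token is stored as v.Seal(nonce, nonce, token, nil) with a fresh random nonce per Token and recovered with v.Open(nil, sealed[:v.NonceSize()], sealed[v.NonceSize():], nil), which also rejects any tampered ciphertext.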

Does Codecov store source code?

> TLDR; We do not store source code.
> Some archived raw uploads may contain source code, which you can elect to disable.

There is only one opportunity for source code to be stored: while uploading reports. Some languages, C++ for example, produce reports that include source code in the report data. Codecov scrubs some source code out (and we plan to support this effort more) but may not find it all. These uploads, by default, are archived for 1 month. You may elect to prevent all uploads from archiving by disabling this feature.

How to disable archiving

In your codecov.yml set the following value to false:

    codecov:
      archive:
        uploads: false

If Codecov doesn't store my source code, why is it visible in the UI?

At display time, Codecov uses an OAuth token from your repository provider (e.g., GitHub, GitLab, Bitbucket) to retrieve the code from the repository provider and display it on the page with the coverage overlaid. The code is not stored anywhere, and should the OAuth token be revoked or access to the repo change, this page will not load and will instead show an error.

How does Codecov archive reports?

Codecov archives both the pre-processed reports (preventing vendor lock-in and allowing report accuracy to be verified) and the post-processed reports (which never contain source code) in AWS S3. Archives are accessible publicly to Users who know the encrypted location of the content. The location is kept secret in a way that is nearly impossible for an unauthorized user to find. Below is an example path of such an archive; note that several unique values must all be known in order to discover the location of the archive.

in) /v4/raw/<yyyy-mm-dd>/<unique-repo-hash>/<commitid>/<uuid>.txt
out) /v4/raw/2016-01-01/4434BC2A2EC4FCA57F77B473D83F928C/9ac8f27fb300b8ab415b31ec19d2d29eb153bfce/869a4b41-882f-474b-8763-e673444cab25.txt

Is my Team's data isolated from other Teams?

No, Teams/Repos/Users data is stored in one or more databases, all property of Codecov, but not isolated from other Teams/Repos/Users utilizing Codecov services.

How do I add collaborators/members to my private repository?

  • A User's access is always verified with Service.
  • If using GitHub: once a User logs in they must grant Codecov Private Repository Access in order to interact with the Private repositories hosted on GitHub that the User has appropriate access to.

This allows us to have 100% transparency on who can access source code and view reports on Codecov.

What Scope is used when signing-up using GitHub?

Codecov first asks for the user:email, read:org, repo:status and write:repo_hook Scopes; note that this is for Public Repos only. Once a User is logged in they may elect to grant Codecov extended privileges, which enable the User to interact with Private Repos.

> Read more on GitHub Scopes here

Can I restrict which Teams Codecov has access to?

No. This is currently a limitation of GitHub (and all other Services). This feature would have to be implemented by the Service, not by Codecov.

Does Codecov ever clone the repository?

No, never. Codecov uses API requests to retrieve information necessary to perform its job and never stores source code in the result of an API request.

When does Codecov read source code from my repository?

  • When a User requests to view source code by a Web request.
  • Or, during several Worker tasks in order to perform analysis of the uploaded reports.

> Source code is never stored in the processes mentioned above.

When does Codecov write to my repository?

The only times Codecov will "write" to your repository are in the following processes:

  1. Create/Update a Webhook
  2. Create/Update/Delete a Pull Request Comment
  3. Create/Update the Commit Status

> Codecov never adjusts source code, deletes branches, closes pull requests, or performs any other 'write' action.

How long are uploaded reports archived?

  • By default, pre-processed reports are archived in AWS-S3 for 1 month. This feature may be disabled.

  • Codecov archives post-processed reports in AWS-S3 indefinitely.

Are logs kept on who accesses what data on Codecov?

Yes. Each and every Web request is logged for a period of one year or longer. Logs are accessible by Codecov staff and are used to analyze User behavior and help debug the product.

Who can adjust the Team configuration?

The following can adjust team configuration:

  a. the User, if the account is their own profile, OR
  b. a Codecov Team Admin, OR
  c. the first User to create a billing account for the Team, OR
  d. a User with admin status according to Service

  • By default, the first User to set up billing for a Team will be added as the first Codecov Team Admin
  • Note: if you want to transfer administration to another User, please (1) add the new User, then (2) remove the old User in your Team account page.

Who can adjust billing/plans information?

The following can adjust billing/plans information:

  a. the User, if the account is their own profile, OR
  b. a Codecov Team Admin, OR
  c. the first User to create a billing account for the Team, OR
  d. a User with admin status according to Service

  • Please contact Codecov staff if there are any discrepancies or issues with billing.
  • Note: if you want to transfer administration to another User, please (1) add the new User, then (2) remove the old User in your Team account page.

How do I change the configuration on the repository?

Most Repo configuration is recorded in a file called codecov.yml within the Repo. This configuration file may be located anywhere within the Repo and must be named codecov.yml or .codecov.yml in order to be detected. Keeping the configuration in codecov.yml allows for complete transparency and version-controlled configuration. For more details please see our configuration docs.

Codecov Responsible Disclosure Policy

Data security is a top priority for Codecov, and Codecov believes that working with skilled security researchers can identify weaknesses in any technology.

If you believe you’ve found a security vulnerability in Codecov’s service, please notify us; we will work with you to resolve the issue promptly.

Disclosure Policy

  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@codecov.io. We will acknowledge your email within five business days.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within five business days of disclosure.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Codecov service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Codecov employees or contractors
  • Any attacks against Codecov’s physical property or data centers

Thank you for helping to keep Codecov and our users safe!

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://codecov.io/security.

Contact

Codecov is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@codecov.io

Responsibility

It is the VP of Engineering’s responsibility to see this policy is enforced.
Last updated: 06/10/2020

For questions and feedback, contact security@codecov.io
