hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

Given recent Codecov bash uploader vulnerability, are alternatives being considered? #10925

Open x448 opened 3 years ago

x448 commented 3 years ago

On April 15, Security Week reported,

Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said in a note acknowledging the severity of the breach. ... Codecov is strongly encouraging software development teams to “immediately re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process.”

Examples: https://github.com/search?q=org%3Ahashicorp+codecov.io%2Fbash&type=code

Projects using Go, like fxamacker/cbor, avoided this type of problem for over a year by embedding a simple script to handle code coverage instead of downloading it from a third party.
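
As an added example (not code from this issue, from Packer, or from fxamacker/cbor): a POSIX shell helper for the approach discussed above, which executes a CI helper script only when its SHA-256 matches a digest pinned in the repository, so a copy that was changed since it was pinned is never run. The script file and its digest in the demo are constructed locally instead of being downloaded.

```shell
#!/usr/bin/env sh
# Added example: pin a CI helper script by SHA-256 and refuse to execute a
# copy whose digest differs from the pinned value. The demo file below is a
# constructed stand-in for a coverage uploader, not the real uploader.
set -eu

# Print the SHA-256 of a file, using whichever tool the CI image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
# Nothing is executed here; the caller decides what happens on success.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "refusing to run $1: sha256 $actual does not match pinned $2" >&2
    return 1
  fi
  return 0
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Runs the script with sh only after the integrity check passes.
run_verified() {
  file=$1; expected=$2; shift 2
  verify_script "$file" "$expected" || return 1
  sh "$file" "$@"
}

# Demo: a constructed local script stands in for a downloaded uploader.
demo() {
  tmp=$(mktemp)
  printf 'echo "coverage upload stub"\n' > "$tmp"
  pinned=$(sha256_of "$tmp")     # the value a repo would commit next to its CI config
  run_verified "$tmp" "$pinned"  # digest matches: the script runs
  printf 'echo "extra line"\n' >> "$tmp"  # simulate the file changing after pinning
  if run_verified "$tmp" "$pinned" 2>/dev/null; then
    echo "unexpected: modified script ran"
  else
    echo "modified script blocked by pinned digest"
  fi
  rm -f "$tmp"
}

demo
```

In a real pipeline the pinned digest would be committed to the repository and updated deliberately when the helper script is reviewed and upgraded.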

SwampDragons commented 3 years ago

Hi, thanks for reaching out.

HashiCorp is a customer of Codecov and was affected by the security event disclosed at https://about.codecov.io/security-update/. Incident response activities are ongoing, and relevant updates and outcomes will be shared promptly when available via https://discuss.hashicorp.com/c/security.

Thanks for sharing the go library. We'll be taking a look at it and other options.