scoverage / sbt-coveralls

sbt-plugin to upload sbt-scoverage reports to coveralls
https://github.com/scoverage

[SECURITY] Don't place repo_token inside the `coveralls.json` file #305

Open mdedetrich opened 4 months ago

mdedetrich commented 4 months ago

We are using sbt-coveralls for an open source company project, and I just got notified by our security team that the repo_token field inside the coveralls.json file constitutes a security risk, especially when combined with sbt-github-actions, since it will place the coveralls.json file inside an archive that gets cached.

Is it possible to remove this field entirely?
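Added example, not code from sbt-coveralls or from the issue author: a pre-archive check that walks a build tree, flags any coveralls.json carrying a non-empty repo_token, and blanks the field before the directory is cached. It assumes the report is a JSON object with a top-level repo_token key, as the issue describes; the sample file and token value are constructed.

```python
import json
import os
import tempfile
from pathlib import Path

# Keys that must never travel inside a cached artifact (assumption: the
# report is a flat JSON object with repo_token at the top level).
SECRET_KEYS = {"repo_token"}


def find_leaked_tokens(root):
    """Return [(path, key)] for every coveralls.json under `root`
    whose top-level object carries a non-empty secret key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != "coveralls.json":
                continue
            path = Path(dirpath) / name
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or not JSON: nothing to assess
            if not isinstance(data, dict):
                continue
            for key in sorted(SECRET_KEYS):
                if data.get(key):
                    findings.append((str(path), key))
    return findings


def redact_tokens(root):
    """Blank secret keys in place so the file is safe to archive.
    Returns the number of files rewritten."""
    paths = {p for p, _ in find_leaked_tokens(root)}
    for path in paths:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
        for key in SECRET_KEYS:
            if key in data:
                data[key] = ""
        Path(path).write_text(json.dumps(data, indent=2), encoding="utf-8")
    return len(paths)


def demo():
    """Constructed sample: one report with a placeholder token."""
    root = tempfile.mkdtemp()
    report = Path(root) / "target" / "coveralls.json"
    report.parent.mkdir(parents=True)
    report.write_text(json.dumps({"repo_token": "PLACEHOLDER_TOKEN",
                                  "service_name": "github"}))
    before = len(find_leaked_tokens(root))
    rewritten = redact_tokens(root)
    after = len(find_leaked_tokens(root))
    return before, rewritten, after  # (1, 1, 0)
```

Running `find_leaked_tokens` as a failing step before the cache action, rather than redacting, gives the same protection while making the leak visible in CI output.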

rolandtritsch commented 3 months ago

Hi @mdedetrich. I am trying to reproduce this ...

I am using sbt-coveralls-example.

The github-actions ci pipeline is using secrets. I am not sure what coveralls.json file you are referring to.