Do not print private token to stdout #22
Comments
Hey @pvorb I do agree hiding the token would be the best practice. We will be working to remove this shortly. The token is only used to upload reports and cannot expose any sensitive information. There are no security issues/vulnerabilities with exposed tokens in this manner. But we will hide them in upcoming versions. Thank you!
Yes, I'm aware that the information is not super sensitive, but even project pages on codecov.io state:
So tokens shouldn't be published accidentally through codecov's own tools. Thanks for your effort.
@pvorb @stevepeak it looks like this was solved.
Correct, this has been resolved in the bash uploader. Thank you for pointing the ticket out.
I am using codecov-bash (commit 5ca7b8c) on GitLab CI. I use the `-t` parameter to provide the private token of my project on codecov.io. Unfortunately, this private token gets printed to stdout and thus is visible in the build log. Build logs are public on GitLab (I'm not sure what the case is for other build servers). I think this behavior should be avoided. When I first configured CI and code coverage I didn't notice that my private token got published.
My current workaround pipes all output of codecov-bash into sed, which filters the token from the output and then prints what's left.
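The sed-based workaround described above, as an added example that is not part of the original issue or of the codecov-bash project: a small POSIX shell filter that redacts a token from a pipeline's output. The function names and the sample log line are constructed; the token is escaped first so that characters like `.`, `*` or `/` in a token are matched literally rather than as regex syntax.

```shell
#!/usr/bin/env sh
# Added example (not codecov-bash code): redact a secret token from a
# command's output before it reaches a public build log.

# Escape every character that is special in a sed basic regular expression
# (and the / delimiter) so an arbitrary token value is matched literally.
escape_for_sed() {
  printf '%s' "$1" | sed 's/[][\.*^$\/]/\\&/g'
}

# Read stdin and replace every occurrence of the token with a fixed marker.
# Usage: some_uploader -t "$TOKEN" 2>&1 | redact_token "$TOKEN"
redact_token() {
  token="$1"
  pattern=$(escape_for_sed "$token")
  sed "s/$pattern/[REDACTED]/g"
}

# Demonstration on a constructed sample line (not real uploader output);
# the token value is a placeholder, not a real codecov.io token.
demo() {
  token='abc.123/xyz'
  printf 'uploading with -t %s to https://codecov.io\n' "$token" | redact_token "$token"
}

demo
```

Note that this only scrubs the uploader's own output: a shell running with `set -x` would still trace the token as an argument of the `redact_token` call itself, so keep tracing off around it.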