So, in light of today’s massive CodeCov disclosure, I was wondering what CircleCI can do to reduce the impact of this kind of vulnerability.
Apart from environment variables, what other mechanism can we use in CircleCI projects to store credentials?
- Jenkins has withCredentials, which ensures the credentials are scoped to only that block
- Solutions using, for example, Hashicorp Vault still require the authentication for Vault to be stored in an environment variable.
I see that the CodeCov orb has been updated today to at least check the shasum of the uploader script, so this particular attack will no longer be possible. But more generally, how can credentials/secrets be scoped so they are only accessible for certain jobs (eg a deploy job in a larger pipeline), or even a single step in a job.
There’s no need for the
test job in a pipeline to have access to any credentials relating to deployment, and yet environment variables can only be set at the project level.