Codecov Supply Chain Breach: Free Questionnaire to Assess Third-Party Risk

1) Does the organization utilize any of the following uploaders?

(Please select all that apply.)

Help text: Specified uploaders relate only to Codecov.

a) Codecov-actions uploader for GitHub
b) Codecov CircleCI Orb
c) Codecov Bitrise Step

2) If so, has the organization been impacted by the recent Codecov supply chain attack?

(Please select one.)

Help text:

Significant impact: The cyber attack has caused systems or infrastructure to stop working or become unavailable. There has been a loss of confidentiality or integrity of data.

High impact: Service availability has been periodically lost, and there is the potential for some systems to periodically stop. Some loss of confidentiality or integrity of data.

Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to service availability.

a) There has been significant impact.
b) There is a high level of impact to our network, IT operations or security products.
c) There has been a low level of impact to our network, IT operations or security products.
d) The cyber attack has had no impact to our network, IT operations or security products.

3) Following the guidance of Codecov, has the organization taken the following actions?

(Please select all that apply.)

Help text:

Organizations can determine the keys and tokens that are surfaced to the CI environment by running the env command in the organization's CI pipeline.

If anything returned from that command is considered private or sensitive, Codecov recommends invalidating the credential and generating a new one.

a) Re-roll of all credentials located in the environment variables in our CI processes that used one of Codecov’s Bash Uploaders.
b) Re-roll of all tokens located in the environment variables in our CI processes that used one of Codecov’s Bash Uploaders.
c) Re-roll of all keys located in the environment variables in our CI processes that used one of Codecov’s Bash Uploaders.

4) Has the organization replaced the bash files used with the most recent version available from Codecov?

(Please select one.)

Help text:

Any organization that uses a locally stored version of a Bash Uploader should check that version for the following:

curl -sm 0.5 -d “$(git remote -v)

If this appears anywhere in the locally stored Bash Uploader, the organization should immediately replace the bash files with the most recent version from https://codecov.io/bash

a) Yes, we have updated our version of Bash files with the most recent from Codecov
b) No, we have not updated our version of Bash files with the most recent from Codecov

5) Has the supply chain attack exposed any customer sensitive information?

(Please select all that apply.)

Help text:

Customer sensitive information is defined as any material that can have a detrimental impact to the customer if exposed to unauthorized parties. Impacts can vary from, but are not limited to, reputational damage, financial penalties, loss of earnings, or loss of competitive advantage.

a) Yes, an ongoing investigation is identifying the level of exposure.
b) Yes, an investigation is complete, and all impacted parties made aware.
c) No, customer sensitive information was not impacted.
d) We are unable to confirm at this time.