Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

Codecov Supply Chain Breach: Free Questionnaire to Assess Third-Party Risk

Assess your company’s exposure to the Codecov supply chain breach with these 5 essential questions for your vendors and other third parties.
Alastair Parr
Senior Vice President, Global Products & Services
June 01, 2021
Blog codecov breach 0621

In my previous post, we discussed the Codecov breach and its potential impact on enterprises worldwide. By way of background, on April 15, 2021 Codecov warned its customers that hackers had introduced a backdoor in the Bash Uploader script starting on January 31, 2021. The hackers exploited a flawed Docker image creation process to replace Codecov’s IP address with theirs. This exploit allowed them to post users’ information to their servers.

5 Critical Questions to Assess Third-Party Exposure to the Codecov Breach

With approximately 29,000 companies using Codecov’s development tools, it is possible that some of your third parties are too. Therefore, it is essential that you assess the potential impact to your third parties so you can mitigate the possible exposure of your company’s data. Prevalent has curated a 5-question assessment that can be leveraged to rapidly identify any potential impacts to your business by determining which of your third parties was affected and what actions they are taking.

Questions Potential Responses

1) Does the organization utilize any of the following uploaders?

(Please select all that apply.)

Help text: Specified uploaders relate only to Codecov.

a) Codecov-actions uploader for GitHub
b) Codecov CircleCI Orb
c) Codecov Bitrise Step

2) If so, has the organization been impacted by the recent Codecov supply chain attack?

(Please select one.)

Help text:

Significant impact: The cyber attack has caused systems or infrastructure to stop working or become unavailable. There has been a loss of confidentiality or integrity of data.

High impact: Service availability has been periodically lost, and there is the potential for some systems to periodically stop. Some loss of confidentiality or integrity of data.

Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to service availability.

a) There has been significant impact.
b) There is a high level of impact to our network, IT operations or security products.
c) There has been a low level of impact to our network, IT operations or security products.
d) The cyber attack has had no impact to our network, IT operations or security products.

3) Following the guidance of Codecov, has the organization taken the following actions?

(Please select all that apply.)

Help text:

Organizations can determine the keys and tokens that are surfaced to the CI environment by running the env command in the organization's CI pipeline.

If anything returned from that command is considered private or sensitive, Codecov recommends invalidating the credential and generating a new one.

a) Re-roll of all credentials located in the environment variables in our CI processes that used one of Codecov’s Bash Uploaders.
b) Re-roll of all tokens located in the environment variables in our CI processes that used one of Codecov’s Bash Uploaders.
c) Re-roll of all keys located in the environment variables in our CI processes that used one of Codecov’s Bash Uploaders.

4) Has the organization replaced the bash files used with the most recent version available from Codecov?

(Please select one.)

Help text:

Any organization that uses a locally stored version of a Bash Uploader should check that version for the following:

curl -sm 0.5 -d “$(git remote -v)

If this appears anywhere in the locally stored Bash Uploader, the organization should immediately replace the bash files with the most recent version from

a) Yes, we have updated our version of Bash files with the most recent from Codecov
b) No, we have not updated our version of Bash files with the most recent from Codecov

5) Has the supply chain attack exposed any customer sensitive information?

(Please select all that apply.)

Help text:

Customer sensitive information is defined as any material that can have a detrimental impact to the customer if exposed to unauthorized parties. Impacts can vary from, but are not limited to, reputational damage, financial penalties, loss of earnings, or loss of competitive advantage.

a) Yes, an ongoing investigation is identifying the level of exposure.
b) Yes, an investigation is complete, and all impacted parties made aware.
c) No, customer sensitive information was not impacted.
d) We are unable to confirm at this time.

Free Guide: 8 Steps to a Third-Party Incident Response Plan

When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.

Read Now
White paper incident response 0421

Prevalent Can Help Accelerate Third-Party Incident Response

Prevalent recently introduced the Third-Party Incident Response Service, a solution that helps to rapidly identify and mitigate the impact of supply chain breaches like the Codecov attack by providing a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. Prevalent offers this solution as a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks instead.

Complementing the Incident Response Service is Prevalent’s continuous cyber and business breach monitoring that provides regular updates on breach disclosures, adverse news events, and cyber incidents such as malicious dark web activity about your vendors.

Together, these solutions help to automate breach impact discovery and accelerate response.

Next Steps to Address the Codecov Breach

Use this questionnaire to determine the impact the Codecov attack could have on your supplier ecosystem. And, learn more by downloading a best practices white paper or contact us for a demo!

Leadership alastair parr
Alastair Parr
Senior Vice President, Global Products & Services

Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders, and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background; developing and driving solutions to the ever-complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.

Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo