There was a critical security compromise of the bash script
that was being downloaded as part of the coverage build:
https://about.codecov.io/security-update/
beginning January 31, 2021, there were periodic, unauthorized
alterations of our Bash Uploader script by a third party, which enabled
them to potentially export information stored in our users' continuous
integration (CI) environments. This information was then sent to a
third-party server outside of Codecov’s infrastructure.
The Bash Uploader is also used in these related uploaders:
Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the
Codecov Bitrise Step (together, the “Bash Uploaders”). Therefore, these
related uploaders were also impacted by this event.
The altered version of the Bash Uploader script could potentially
affect:
- Any credentials, tokens, or keys that our customers were passing through
  their CI runner that would be accessible when the Bash Uploader script
  was executed.
- Any services, datastores, and application code that could be accessed
  with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of
  repositories using the Bash Uploaders to upload coverage to Codecov
  in CI.
This commit fixes a number of typos throughout the document as well as
providing a verbose explanation of the use of multiple NGINX ingress
controllers which was already mentioned in the document.