Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] Don't place repo_token inside the coveralls.json file #305

Open
mdedetrich opened this issue Apr 17, 2024 · 1 comment
Open

[SECURITY] Don't place repo_token inside the coveralls.json file #305

mdedetrich opened this issue Apr 17, 2024 · 1 comment

Comments

@mdedetrich
Copy link
Contributor

We are using sbt-coveralls for an open source company project and I just got notified from our security team that the repo_token field inside of the coveralls.json file constitutes a security risk, especially when combined with sbt-github-actions since it will place the coveralls.json file inside of an archive that gets cached.

Is it possible to remove this field entirely?
@rolandtritsch
Copy link
Member

Hi @mdedetrich. I am trying to reproduce this ...

I am using sbt-coveralls-example.

The github-actions ci pipeline is using secrets. I am not sure what coveralls.json file you are referring to.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rolandtritsch @mdedetrich