diff --git a/tools/coverage/report.sh b/tools/coverage/report.sh
index ce42944d91ef4a556adc7218c122e13b642cdf6d..fe4c5aecd17db3a4743ce22b7cec491275f7e76e 100755
--- a/tools/coverage/report.sh
+++ b/tools/coverage/report.sh
@@ -41,4 +41,13 @@ for exec_data in "${JACOCO_HOME}"/*.exec; do
     "${JACOCO_HOME}"/"$exec_data".exec
 done
 
-bash <(curl -s https://codecov.io/bash) -X fix -f /tmp/report-*.xml || true
+# Download codecov bash uploader and verify the sha sums before using it.
+curl -s https://codecov.io/bash > codecov
+VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2)
+for i in 1 256 512
+do
+  shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
+  shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
+done
+
+bash codecov -X fix -f /tmp/report-*.xml || true