Gitea
GiteaCI/CD4 credentials
Local User Password
gitea / local-user-password
Gitea local users authenticate to the web UI, Git over HTTP, SSH workflows, and APIs. The first admin is created during installation or user provisioning.
Location
Gitea web UI, Git HTTP, SSH, and APIGitea user table and password hash state
app.inisecurity, auth, mailer, and database configuration
password managers and deployment vaults
Docker Compose files, Helm values, and integration tests
Personal Access Token / OAuth Token
gitea / personal-access-token
Gitea users can create access tokens for API and Git operations. OAuth2 application secrets and tokens are also stored for integrations.
Location
Authorizationtoken or Bearer token used by Gitea API clients
access token and OAuth application/token tables
CLI configs, integration scripts, .netrc, and .env files
GITEA_TOKEN, GITEA_ACCESS_TOKENCI/CD variables and vault entries
automation scripts, GitHub Actions, and tests
API debug logs and CI output
Internal Token, Secret Key, JWT and LFS Secrets
gitea / internal-security-secrets
Gitea app.ini contains generated security values such as SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET, and LFS_JWT_SECRET used for internal signing, sessions, and service communication.
Looks like
pattern^(SECRET_KEY|INTERNAL_TOKEN|JWT_SECRET|LFS_JWT_SECRET)\s*=\s*\S+Location
custom/conf/app.iniGitea security and server secrets
GITEA__security__SECRET_KEY, GITEA__security__INTERNAL_TOKENKubernetes Secrets, Docker secrets, and configuration vaults
application backups and support bundles
Database, Mailer, Webhook, and Integration Secrets
gitea / database-mailer-webhook-secrets
Gitea deployments store database passwords, SMTP credentials, webhook secrets, OAuth app client secrets, and external auth bind credentials.
Location
app.inidatabase, mailer, webhook, OAuth2, and auth source sections
OAuth applications, webhook secrets, and external login source configuration
deployment secrets and cloud secret managers
IaC manifests and committed sample configs
mailer, webhook, and auth source debug logs
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.