Gogs
GogsCI/CD3 credentials
Local User Password
gogs / local-user-password
Gogs users authenticate to the web UI, Git over HTTP, SSH workflows, and API. Administrators are created during installation or user provisioning.
Location
Gogs web UI, Git HTTP, SSH, and APIGogs user table and password hash state
custom/conf/app.iniauthentication, database, mailer, and security configuration
password managers and deployment vaults
Docker Compose files, provisioning scripts, and tests
Personal Access Token / API Token
gogs / access-token
Gogs supports access tokens for API clients and integrations.
Location
Authorizationtoken used by Gogs API clients
access token records in the Gogs database
CLI configs, .env files, integration scripts, and .netrc
GOGS_TOKEN, GOGS_ACCESS_TOKENCI/CD variables and vault entries
automation repositories and tests
API client debug logs and CI output
Secret Key, Database, Mailer, and Webhook Secrets
gogs / security-and-integration-secrets
Gogs app.ini and database records can contain SECRET_KEY, database passwords, mailer credentials, webhook secrets, OAuth app secrets, and external auth bind credentials.
Looks like
pattern^(SECRET_KEY|INTERNAL_TOKEN)\s*=\s*\S+Location
custom/conf/app.inisecurity, database, mailer, webhook, and auth settings
webhook, OAuth, token, and login source records
Docker/Kubernetes secrets and vaults
deployment manifests and committed example configs
Gogs backups containing config and database dumps
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.