Redmine
Redminedevops3 credentials
Database Credentials
redmine / database-credentials
Redmine installation requires database users for MySQL, PostgreSQL, SQL Server, or SQLite. Redmine docs show creating a database role/user and setting a password before configuring the application.
Looks like
patternpassword:\s*[^\r\n]+Location
config/database.ymlRedmine Rails database connection configuration
REDMINE_DB_PASSWORD, DATABASE_URLDocker/Kubernetes secrets, cloud secret managers, and database password vaults
committed database.yml files, Docker Compose files, and tests
application backups and container images containing database.yml
installer logs and database connection traces
Notes
Database access can expose Redmine users, password hashes, API keys, issues, projects, and plugin settings.
Rails Session Secret Token
redmine / secret-token
Redmine installation generates a random secret token used by Rails to encode cookies storing session data. Redmine documents generating it with bundle exec rake generate_secret_token and optionally storing it in config/secrets.yml.
Location
config/initializers/secret_token.rb, config/secrets.ymlRedmine Rails session secret
SECRET_KEY_BASE, REDMINE_SECRET_KEY_BASEdeployment vaults, Kubernetes Secrets, and cloud secret managers
committed Rails config, examples, and backups
application backups and container images
Notes
Rotating the secret invalidates sessions and protects against tampering with stolen session cookie material.
REST API Key
redmine / api-key
Redmine REST API supports authentication with either regular login/password via HTTP Basic authentication or a per-user API key. Redmine documents passing the API key as key parameter, Basic username, or X-Redmine-API-Key header.
Location
X-Redmine-API-Key, AuthorizationRedmine API key header or Basic authentication context
Redmine user account records containing API key state
REDMINE_API_KEYintegration config, .env files, and automation scripts
CI/CD variables, bot secrets, and cloud secret managers
API scripts, tests, and committed clients
API request logs and automation traces
Notes
API key permissions follow the owning Redmine user.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.