lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Concourse CI

ConcourseCI/CD4 credentials

Credentials4 documented
01

Local Team User Password

concourse / local-user-password

Concourse web authentication can define local users and team membership for web UI, fly CLI, and API access.

user definedsecretusername/password

Location

public interface
Concourse web UI, fly CLI, and ATC API
config file

web node flags, Helm values, docker-compose files, and team auth config

environment
CONCOURSE_ADD_LOCAL_USER, CONCOURSE_MAIN_TEAM_LOCAL_USER
secret store

BOSH vars, Kubernetes Secrets, CredHub, Vault, and SOPS files

source code

deployment manifests and platform automation repos

logs

web startup logs and auth traces

02

OAuth / OIDC Client Secret

concourse / oauth-client-secret

Concourse can authenticate teams through GitHub, OIDC, LDAP, and other providers using client secrets and bind credentials.

user definedsecretsecret value

Location

config file

Concourse web auth flags, Helm values, and BOSH manifests

environment
CONCOURSE_GITHUB_CLIENT_SECRET, CONCOURSE_OIDC_CLIENT_SECRET, CONCOURSE_LDAP_BIND_PW
secret store

CredHub, Vault, Kubernetes Secrets, and BOSH variable stores

source code

platform deployment repositories

logs

auth provider debug logs

03

TSA / Worker SSH Keys

concourse / tsa-worker-keys

Concourse workers authenticate to the web TSA using SSH key material. Leaked worker keys can affect worker registration and pipeline execution trust.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

Concourse TSA or worker private key material

-----BEGIN (RSA |OPENSSH |EC |)PRIVATE KEY-----

Location

config file

TSA host key, authorized worker keys, worker private key files, and Helm/BOSH manifests

secret store

Kubernetes Secrets, BOSH variables, and Vault/CredHub entries

artifact

deployment backups and support bundles

04

Pipeline Credential Manager Secret

concourse / pipeline-credential

Concourse pipelines resolve secrets from Vault, CredHub, Kubernetes, SSM, or other credential managers; these values include deploy keys, cloud credentials, passwords, and tokens used by jobs.

user definedsecretsecret value

Location

secret store

Vault, CredHub, Kubernetes Secrets, AWS SSM/Secrets Manager, and other configured credential managers

config file

pipeline var files, vars, credential manager config, and task params

source code

pipeline YAML, task files, and test fixtures

logs

build logs when tasks print secrets or masking fails

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.