lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Gogs

GogsCI/CD3 credentials

Credentials3 documented
01

Local User Password

gogs / local-user-password

Gogs users authenticate to the web UI, Git over HTTP, SSH workflows, and API. Administrators are created during installation or user provisioning.

user definedgenerated on installsecretusername/password

Location

public interface
Gogs web UI, Git HTTP, SSH, and API
database

Gogs user table and password hash state

config file
custom/conf/app.ini

authentication, database, mailer, and security configuration

secret store

password managers and deployment vaults

source code

Docker Compose files, provisioning scripts, and tests

02

Personal Access Token / API Token

gogs / access-token

Gogs supports access tokens for API clients and integrations.

generated on installuser definedsecrettoken

Location

http header
Authorization

token used by Gogs API clients

database

access token records in the Gogs database

config file

CLI configs, .env files, integration scripts, and .netrc

environment
GOGS_TOKEN, GOGS_ACCESS_TOKEN
secret store

CI/CD variables and vault entries

source code

automation repositories and tests

logs

API client debug logs and CI output

03

Secret Key, Database, Mailer, and Webhook Secrets

gogs / security-and-integration-secrets

Gogs app.ini and database records can contain SECRET_KEY, database passwords, mailer credentials, webhook secrets, OAuth app secrets, and external auth bind credentials.

generated on installuser definedsecretsecret value

Looks like

pattern
pattern

Gogs app.ini security secret assignment

^(SECRET_KEY|INTERNAL_TOKEN)\s*=\s*\S+

Location

config file
custom/conf/app.ini

security, database, mailer, webhook, and auth settings

database

webhook, OAuth, token, and login source records

secret store

Docker/Kubernetes secrets and vaults

source code

deployment manifests and committed example configs

artifact

Gogs backups containing config and database dumps

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.