
Gitea API Token Detector #4718

@random-robbie

Description


Request a new detector for Gitea API tokens. Gitea is a widely-used self-hosted Git service (similar to GitHub/GitLab) with a public hosted instance at gitea.com. API tokens are 40-character lowercase hexadecimal strings that provide authenticated access to repositories, organizations, issues, and administrative functions.

Preferred Solution

Add a detector that identifies Gitea API tokens. Tokens commonly appear with these variable names:

  • GITEA_TOKEN
  • GITEA_API_TOKEN
  • GITEA_ACCESS_TOKEN

Suggested regex pattern:

(?i)(?:gitea[_-]?(?:api[_-]?)?(?:access[_-]?)?token)\s*[:=]\s*["']?([a-f0-9]{40})["']?

(The separators after `gitea` and `api` accept either `_` or `-`, so that the underscore-style variable names listed above match as well as hyphenated forms.)

Additionally, tokens appear in git remote URLs and Authorization headers:

https://<user>:<token>@gitea.com/owner/repo.git
Authorization: token <token>

Verification

Tokens can be verified against any Gitea instance API. For gitea.com:

curl -s -H "Authorization: token <token>" "https://gitea.com/api/v1/user"

┌──────────────────┬───────────────────────┐
│ Response         │ Meaning               │
├──────────────────┼───────────────────────┤
│ 200 + user JSON  │ Valid token           │
├──────────────────┼───────────────────────┤
│ 401 Unauthorized │ Invalid/revoked token │
└──────────────────┴───────────────────────┘

Alternative verification endpoints:

  • /api/v1/user - Returns authenticated user info
  • /api/v1/user/repos - Lists accessible repositories
  • /api/v1/settings/api - Returns API settings (if permitted)
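As an added illustration (not the issue author's code and not the project's own detector), a minimal Go sketch of the detect-then-verify flow described above: the suggested regex (with `[_-]` after `gitea` and `api` so underscore-style variable names match) extracts 40-hex candidates, and a GET to `/api/v1/user` classifies each by status code. The base URL and HTTP client are parameters, so the same function works against self-hosted instances or a local test server; the sample input and token values are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
)

// giteaTokenPat is the issue's suggested pattern, widened to accept "_" or "-"
// after "gitea"/"api" so GITEA_TOKEN and GITEA_API_TOKEN are matched.
var giteaTokenPat = regexp.MustCompile(
	`(?i)gitea[_-]?(?:api[_-]?)?(?:access[_-]?)?token\s*[:=]\s*["']?([a-f0-9]{40})["']?`)

// FindGiteaTokens returns the distinct candidate tokens found in data, in order of first appearance.
func FindGiteaTokens(data string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range giteaTokenPat.FindAllStringSubmatch(data, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

// VerifyGiteaToken calls GET {baseURL}/api/v1/user with the candidate.
// 200 means the token is live, 401 means invalid/revoked; anything else is reported as an error
// so a rate limit or outage is not mistaken for a dead token.
func VerifyGiteaToken(ctx context.Context, client *http.Client, baseURL, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/api/v1/user", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, baseURL)
	}
}

func main() {
	// Constructed sample config text; both token values are fake.
	sample := "GITEA_TOKEN=0123456789abcdef0123456789abcdef01234567\n" +
		"gitea-api-token: 'ffffffffffffffffffffffffffffffffffffffff'\n"
	fmt.Println(FindGiteaTokens(sample))
}
```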

Additional Context

Gitea tokens grant significant access depending on scopes:

  • repo: Full repository read/write, clone private repos
  • admin:org: Manage organization settings and members
  • admin:repo_hook: Create/modify webhooks
  • write:issue: Create and modify issues/PRs
  • sudo: Impersonate other users (admin only)

Common locations where tokens leak:

  • CI/CD configs (.drone.yml, .github/workflows/*.yml, .gitlab-ci.yml)
  • Docker Compose files and environment files
  • Shell scripts and automation tools
  • Git config files (.gitconfig, .git/config)
  • Terraform/Ansible configurations

Self-hosted instances are common, so the detector should not be limited to gitea.com domains.
