Codeberg detector #4719
Description
Description
Request a new detector for Codeberg API tokens. Codeberg is a non-profit, privacy-focused Git forge hosting significant open-source projects including FSFE, KDE community
projects, and Libreoffice extensions. Tokens are 40-character lowercase hexadecimal strings that provide authenticated API access.
Preferred Solution
Add a detector that identifies Codeberg API tokens. Tokens commonly appear with these variable names:
- CODEBERG_TOKEN
- CODEBERG_API_TOKEN
- CODEBERG_ACCESS_TOKEN
Suggested regex pattern:
(?i)(?:codeberg[-]?(?:api[-]?)?(?:access[_-]?)?token)\s*[:=]\s*["']?([a-f0-9]{40})["']?
Tokens also appear in git remote URLs and Authorization headers:
https://:@codeberg.org/owner/repo.git
Authorization: token
Verification
curl -s -H "Authorization: token " "https://codeberg.org/api/v1/user"
┌──────────────────┬───────────────────────┐
│ Response │ Meaning │
├──────────────────┼───────────────────────┤
│ 200 + user JSON │ Valid token │
├──────────────────┼───────────────────────┤
│ 401 Unauthorized │ Invalid/revoked token │
└──────────────────┴───────────────────────┘
Alternative verification endpoints:
- /api/v1/user - Returns authenticated user info
- /api/v1/user/repos - Lists accessible repositories
Additional Context
Codeberg tokens grant significant access depending on scopes:
- repo: Full repository read/write, clone private repos
- admin:org: Manage organization settings and members
- admin:repo_hook: Create/modify webhooks
- write:issue: Create and modify issues/PRs
- package: Read/write package registry
- sudo: Impersonate other users (admin only)
Common locations where tokens leak:
- CI/CD configs (.woodpecker.yml, .github/workflows/*.yml, .gitlab-ci.yml)
- Docker Compose files and .env files
- Shell scripts and automation tools
- Git config files (.gitconfig, .git/config)
- Terraform/Ansible/Kubernetes configurations
Codeberg receives ~2.5M monthly visits and is growing as a privacy-focused GitHub alternative.
References