
pipeleek gitea scan

Scan Gitea Actions

Synopsis

Scan Gitea Actions workflow runs and artifacts for secrets

Token Authentication

You can create a personal access token in Gitea by navigating to your user settings, selecting "Applications", and then "Generate New Token".

Because the Gitea Actions API and the web UI validate access rights differently, a session cookie may be required in some cases. The Actions API and the UI are not yet fully in sync, so some repositories return 403 errors via the API even though they are accessible through the UI.

To obtain the cookie:

1. Open your Gitea instance in a web browser
2. Open Developer Tools (F12)
3. Navigate to Application/Storage > Cookies
4. Find and copy the value of the 'i_like_gitea' cookie
5. Use it with the --cookie flag

pipeleek gitea scan [flags]

Examples

# Scan all accessible repositories (including public) and their artifacts
pipeleek gitea scan --token gitea_token_xxxxx --gitea https://gitea.example.com --artifacts --cookie your_cookie_value

# Scan without downloading artifacts
pipeleek gitea scan --token gitea_token_xxxxx --gitea https://gitea.example.com --cookie your_cookie_value

# Scan only repositories owned by the user
pipeleek gitea scan --token gitea_token_xxxxx --gitea https://gitea.example.com --owned --cookie your_cookie_value

# Scan all repositories of a specific organization
pipeleek gitea scan --token gitea_token_xxxxx --gitea https://gitea.example.com --organization my-org --cookie your_cookie_value

# Scan a specific repository
pipeleek gitea scan --token gitea_token_xxxxx --gitea https://gitea.example.com --repository owner/repo-name --cookie your_cookie_value

# Scan a specific repository but limit the number of workflow runs to scan
pipeleek gitea scan --token gitea_token_xxxxx --gitea https://gitea.example.com --repository owner/repo-name --runs-limit 20 --cookie your_cookie_value
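The token and cookie section above and the invocations listed here all pass the secrets on the command line, where they end up in shell history and `ps` output. The following wrapper is an added example, not part of Pipeleek or its documentation: it reads the token and the i_like_gitea cookie from environment variables, appends `--cookie` only when one is set, and otherwise uses the flags documented on this page. The variable names GITEA_URL, GITEA_TOKEN, GITEA_COOKIE and DRY_RUN are the wrapper's own choice, and the values in the comment are constructed.

```shell
#!/bin/sh
# Added wrapper example (not Pipeleek's own code): run `pipeleek gitea scan`
# with the API token and the i_like_gitea session cookie taken from the
# environment instead of the command line. Assumes pipeleek is on PATH and
# that GITEA_URL, GITEA_TOKEN and optionally GITEA_COOKIE are exported by the
# caller (assumed variable names).

# gitea_scan OWNER/REPO [RUNS_LIMIT] [LOGFILE]
# Builds the argument list from the flags documented on this page. --cookie is
# appended only when GITEA_COOKIE is set (the cookie is needed where the token
# alone gets a 403 from the Actions API). With DRY_RUN=1 the arguments are
# printed one per line instead of executing pipeleek.
gitea_scan() {
  repo="$1"
  runs_limit="${2:-0}"
  logfile="${3:-pipeleek-scan.log}"

  # --repository expects owner/repo; reject anything else early.
  case "$repo" in
    */*) ;;
    *) echo "repository must be owner/repo, got '$repo'" >&2; return 2 ;;
  esac
  [ -n "$GITEA_URL" ]   || { echo "GITEA_URL is not set" >&2; return 2; }
  [ -n "$GITEA_TOKEN" ] || { echo "GITEA_TOKEN is not set" >&2; return 2; }

  # Positional parameters double as the argument array in POSIX sh.
  set -- gitea scan \
    --gitea "$GITEA_URL" \
    --token "$GITEA_TOKEN" \
    --repository "$repo" \
    --runs-limit "$runs_limit" \
    --artifacts \
    --max-artifact-size 100Mb \
    --json \
    --logfile "$logfile"

  if [ -n "$GITEA_COOKIE" ]; then
    set -- "$@" --cookie "$GITEA_COOKIE"
  fi

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    pipeleek "$@"
  fi
}

# Example invocation (constructed values):
#   GITEA_URL=https://gitea.example.com GITEA_TOKEN=gitea_token_xxxxx \
#   GITEA_COOKIE=your_cookie_value ./gitea_scan.sh owner/repo-name 20
```

Set `DRY_RUN=1` first to confirm the assembled flags before the scan actually runs; the `--json` and `--logfile` flags come from the parent-command options below and keep findings in a file rather than on the terminal.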

Options

  -a, --artifacts                  Scan artifacts
      --confidence strings         Filter for confidence level, separate by comma if multiple. See readme for more info.
  -c, --cookie string              Gitea session cookie (i_like_gitea). Needed when scanning where you are NOT the owner of the repository
  -h, --help                       help for scan
      --hit-timeout duration       Maximum time to wait for hit detection per scan item (e.g., 30s, 2m, 1h) (default 1m0s)
      --max-artifact-size string   Maximum artifact size to scan. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize (default "500Mb")
      --organization string        Scan all repositories of a specific organization
  -o, --owned                      Scan only user owned repositories
  -r, --repository string          Scan a specific repository (format: owner/repo)
      --runs-limit int             Limit the number of workflow runs to scan per repository (0 = unlimited)
      --start-run-id int           Start scanning from a specific run ID (only valid with --repository flag, 0 = start from latest)
      --threads int                Number of concurrent threads for scanning (default 4)
      --truffle-hog-verification   Enable TruffleHog credential verification to actively test found credentials and only report verified ones (enabled by default, disable with --truffle-hog-verification=false) (default true)

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
  -g, --gitea string       Gitea instance URL (default "https://gitea.com")
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -t, --token string       Gitea API Token
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO