Skip to content

Woodpecker CI API Key

Service Name: Woodpecker CI

Service Description: Woodpecker CI is an open-source continuous integration and deployment system designed to be simple, scalable, and Docker-native. It allows developers to automate building, testing, and deployment workflows using configuration files in their repositories.

Service Address: https://woodpecker-ci.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the server level but not directly for API keys.

Secret Access Scope: Grants programmatic access to Woodpecker CI resources, allowing users to trigger builds, access build information, manage repositories, and perform other CI/CD operations.

Secret Revokement URL: https://woodpecker-ci.org/docs/usage/api-authentication

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoic2VjcmV0IiwiaWF0IjoxNjE2M jM5MDIyfQ.WOzXMSCUgLMgLR-OG5iFvC9yw5ZVr1QI0QDYyYJKLKc

Suspicious Activity Investigation Instructions:

  • Review the Woodpecker CI server logs for unusual API calls or access patterns
  • Check for unauthorized repository access or unexpected build triggers
  • Monitor for changes to build configurations or pipeline definitions
  • Examine build history for unauthorized or suspicious builds
  • Review access to sensitive repositories or deployment environments

Mitigation Instructions:

  • Log in to your Woodpecker CI server's web interface
  • Navigate to your user profile or account settings
  • Locate the API keys or tokens section
  • Delete the compromised API key
  • Generate a new API key if needed
  • Update any CI/CD pipelines or integrations that were using the old key
  • Review and adjust permissions for the new API key to follow the principle of

least privilege

  • Consider implementing additional security measures such as IP restrictions at

the server level