Sourcegraph Token
A Sourcegraph token is a credential used to authenticate API requests to the Sourcegraph platform, which provides code search and intelligence across multiple repositories. This token allows users to interact programmatically with Sourcegraph's features, such as searching codebases, managing repositories, and accessing user data. Exposure of a Sourcegraph token is a significant security concern because it can grant unauthorized access to sensitive code and data, potentially leading to data breaches or unauthorized modifications.
How Does It Look
Sourcegraph tokens can appear in various contexts, such as:
- Environment variables:
  export SOURCEGRAPH_TOKEN="sgp_1234567890abcdef"
- Configuration files (JSON, YAML, .env):
  {
    "sourcegraph": {
      "token": "sgp_1234567890abcdef"
    }
  }
- Code snippets:
  headers = {"Authorization": "token sgp_1234567890abcdef"}
- Connection strings (if applicable):
  sourcegraph://sgp_1234567890abcdef@sourcegraph.example.com
Severity
🟠 High
This severity level is due to the token's ability to provide access to potentially sensitive code repositories and user data. The blast radius includes unauthorized access to codebases, which could lead to intellectual property theft or unauthorized code changes. If the token has elevated permissions, the impact could be even more severe.
What Can an Attacker Do?
With immediate access to a Sourcegraph token, an attacker can perform several actions:
- Access code repositories (if the token has read permissions), allowing them to view sensitive code and intellectual property.
- Modify or delete code (if the token has write permissions), potentially introducing vulnerabilities or disrupting development processes.
- Access user data (if the token has user scope enabled), which could lead to privacy violations.
- Integrate malicious code into repositories (if not restricted by branch protection rules).
An attacker could also use the token to escalate privileges or move laterally within the network, especially if the token grants access to other integrated services or systems.
Real-World Impact
Exposure of a Sourcegraph token poses significant business risks. The primary impact is unauthorized access to codebases, which could lead to:
- Data Exposure: Proprietary code and intellectual property (if the token has read access to sensitive repositories).
- Financial Loss: Costs associated with incident response and potential intellectual property theft (if sensitive code is exposed).
- Operational Disruption: Development processes could be halted or corrupted (if the attacker modifies or deletes code).
- Reputational Damage: Loss of trust from clients and partners due to data breaches.
In worst-case scenarios, the exposure could lead to cascading effects, such as further breaches in integrated systems or services.
Prerequisites for Exploitation
To exploit a Sourcegraph token, an attacker needs:
- Network access to the Sourcegraph instance or API endpoint.
- Additional context such as repository names or user accounts to target specific data.
- No rate limits or IP restrictions that could hinder unauthorized access attempts.
How to Verify If It's Active
To verify if a Sourcegraph token is active, use the following command:
curl -H "Authorization: token [TOKEN]" https://sourcegraph.example.com/.api/user
Valid credential response: A successful response will return user information associated with the token.
Invalid/expired credential response: An error message indicating unauthorized access or token expiration.
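The check above, as an added Python helper that is not part of the original page: it sends the same request as the curl command and classifies the outcome as active, inactive or unknown, so that a rate-limit or outage response is not mistaken for a revoked token. The base URL is the page's example host and is a placeholder; the HTTP opener is injectable, and the fake opener at the bottom is a constructed stand-in so the block runs offline.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Tuple

# Placeholder base URL (the page's example host); the endpoint path is the
# one the curl command above uses.
DEFAULT_BASE_URL = "https://sourcegraph.example.com"


def redact(token: str) -> str:
    """Prefix plus last four characters: enough to correlate, never to reuse."""
    return token[:4] + "..." + token[-4:]


def check_token(token: str, base_url: str = DEFAULT_BASE_URL,
                opener: Callable = urllib.request.urlopen) -> Tuple[str, dict]:
    """Return ("active" | "inactive" | "unknown", details).

    `opener` is injectable so the classification can be exercised offline;
    in real use it is urllib.request.urlopen.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/.api/user",
        headers={"Authorization": "token " + token, "Accept": "application/json"},
    )
    try:
        with opener(req, timeout=10) as resp:
            body = resp.read().decode("utf-8")
            try:
                details = json.loads(body)
            except json.JSONDecodeError:
                details = {"raw": body[:200]}
            return "active", details
    except urllib.error.HTTPError as e:
        # 401/403 is the "invalid/expired" case from the page; any other
        # status (rate limiting, maintenance) says nothing about the token.
        state = "inactive" if e.code in (401, 403) else "unknown"
        return state, {"status": e.code}
    except urllib.error.URLError as e:
        return "unknown", {"error": str(e.reason)}


# --- constructed offline stand-ins so the block runs without network ---
class _FakeResponse:
    def __init__(self, payload: bytes):
        self._payload = payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self) -> bytes:
        return self._payload


def fake_opener_for(valid_token: str) -> Callable:
    """Simulate a server that accepts exactly one token and rejects the rest."""
    def opener(req: urllib.request.Request, timeout: float = 10):
        if req.get_header("Authorization") == "token " + valid_token:
            return _FakeResponse(b'{"username": "alice", "siteAdmin": false}')
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    return opener


if __name__ == "__main__":
    opener = fake_opener_for("sgp_1234567890abcdef")  # constructed sample value
    for t in ("sgp_1234567890abcdef", "sgp_0000000000000000"):
        state, details = check_token(t, opener=opener)
        print(redact(t), state, details)
```

Run the check from a host you control and record only the redacted token and the resulting state in the incident notes; an "active" result means the token must be revoked before anything else in the remediation list.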
Detection Patterns
Common Variable Names:
- SOURCEGRAPH_TOKEN
- SG_TOKEN
- SG_API_KEY
- SOURCEGRAPH_API_TOKEN
- SG_AUTH_TOKEN
- SOURCEGRAPH_ACCESS_TOKEN
File Locations:
- .env
- config.json
- settings.yaml
- credentials.txt
- sourcegraph_config.json
Regex Pattern:
sgp_[a-zA-Z0-9]{16,}
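A scanner built from the patterns in this section, as an added Python example that is not part of the original page: it applies the regex above to every line of a set of files and treats a hit on one of the listed variable names without an sgp_ value as a lower-confidence triage hint rather than a confirmed leak. The sample files are constructed and contain no real credentials; the function names are mine.

```python
import re
from typing import Dict, List, NamedTuple

# Regex from the page: "sgp_" prefix followed by at least 16 alphanumerics.
SOURCEGRAPH_TOKEN_RE = re.compile(r"sgp_[a-zA-Z0-9]{16,}")

# Variable names from the "Common Variable Names" list. A line that mentions
# one of these but carries no sgp_ value is only a triage hint: it may be
# reading the token from the environment rather than hardcoding it.
VARIABLE_NAMES = (
    "SOURCEGRAPH_TOKEN", "SG_TOKEN", "SG_API_KEY",
    "SOURCEGRAPH_API_TOKEN", "SG_AUTH_TOKEN", "SOURCEGRAPH_ACCESS_TOKEN",
)
VARIABLE_RE = re.compile(r"\b(?:" + "|".join(VARIABLE_NAMES) + r")\b")


class Finding(NamedTuple):
    path: str
    line_no: int
    redacted: str     # never write the full secret to a report or log
    confidence: str   # "high": regex hit; "medium": variable name only


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding can later be
    matched against the token that was revoked, without reproducing it."""
    return token[:4] + "..." + token[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and return all findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = SOURCEGRAPH_TOKEN_RE.findall(line)
        for token in hits:
            findings.append(Finding(path, line_no, redact(token), "high"))
        if not hits and VARIABLE_RE.search(line):
            findings.append(Finding(path, line_no, "<name only>", "medium"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> contents (e.g. staged files in a
    pre-commit hook)."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample inputs (not real credentials) covering the contexts
# listed under "How Does It Look".
SAMPLE_FILES: Dict[str, str] = {
    ".env": 'DB_HOST=localhost\nSOURCEGRAPH_TOKEN="sgp_1234567890abcdef"\n',
    "config.json": '{\n  "sourcegraph": {\n    "token": "sgp_abcdef1234567890"\n  }\n}\n',
    "client.py": 'import os\ntoken = os.environ["SG_API_KEY"]  # read at runtime, not hardcoded\n',
    "notes.txt": "sgp_abc123 is too short for the pattern and is ignored\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.confidence}] {f.redacted}")
```

The two confidence levels matter in practice: a "high" finding should block the commit, while a "medium" one (the client.py line, which only reads the variable from the environment) is what the name-based patterns produce on correct code and needs a human look before it is treated as a leak.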
Remediation Steps
- Revoke immediately - Go to Sourcegraph > Settings > Access Tokens and delete the compromised token.
- Audit access logs - Review Sourcegraph audit logs for unauthorized access or modifications during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed token.
- Rotate credential - Generate a new token in Sourcegraph with least-privilege permissions.
- Update dependent systems - Deploy the new token to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in Sourcegraph and require two-factor authentication for access.
- Implement secrets management - Migrate tokens to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch token leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.