A Self-Hosted GitHub Alternative for Software Teams

Four GitHub incidents in eighteen months, with AI now finding them faster. Here is the managed-Gitea answer for teams that want their source code on their own hardware.

In March, Wiz disclosed a command injection flaw in GitHub. Anyone with push access to any repository on github.com could run code as the git user on the storage node that held millions of other people's repositories. GitHub patched the public site in two hours. Most on-premises Enterprise installs were still unpatched when the news landed. The detail that mattered most for the rest of us: Wiz found the bug using AI.

One platform, four ways in

Look at the GitHub-shaped headlines from the last eighteen months. The Wiz finding sat alongside tj-actions/changed-files, a GitHub Action used by twenty-three thousand repositories that got quietly rewritten under everyone who depended on it after an attacker sat on a stolen Personal Access Token for six months. Then CamoLeak, where invisible markdown in a pull request told Copilot Chat to exfiltrate secrets through GitHub's own image proxy. Then the Lasso disclosure that Bing's cache, and later Copilot itself, were still serving the contents of repositories that had been made private.

Four different attack classes. Eighteen months. One platform.

This is a shape-of-the-problem problem

Centralised SaaS for source code is a target for the same reason it is useful: it puts a lot of valuable code in one place, on one operator's infrastructure, behind one set of defences. Whatever gets through that set of defences gets through to everyone hosted on the platform at once. The pace is the other half. The Wiz researchers used AI tools to read closed-source binaries and reverse-engineer the internal protocols. The same kind of tool the rest of us use to autocomplete a function found a vulnerability that put millions of repositories within reach. Whatever you think the rate of disclosure is going to be over the next decade, the real number is going to be higher. AI does not fatigue.

The Dutch government read the same headlines and acted. In April they soft-launched code.overheid.nl, a self-hosted Forgejo instance run by their own Open Source office. Their reasoning, exact words: "Hosting source code is a critical component of the Dutch government's infrastructure. The government cannot afford the risk of code or binaries in repositories being tampered with, as people could execute them directly." A national government on the record saying it cannot have its code tampered with on someone else's box. That is the grown-up answer.

What managed self-hosting means

Managed self-hosting is the answer for teams that want the sovereignty without running the operations team. Your Git platform runs on dedicated single-tenant hardware. The keys, the data, and the audit trail are yours. We deploy it, patch it, back it up, monitor it, and reach you if something needs your attention. No shared application. No other tenants in the same instance. The defence perimeter ends at your team, not at a platform's edge.

The practical part that matters most to operators is proximity. Your data is right there when you need it. You can log into your server and read the backup off the disk yourself. You can audit who has access and revoke it without a support ticket. When the next disclosure lands, you are not in a queue with eighty thousand other companies waiting for a patch window.

Why Gitea

Gitea looks and feels like GitHub. Pull requests, issues, project boards, Actions runners for CI, a container and package registry. Most teams move across in an afternoon and discover the daily workflow is the same. It runs comfortably on modest hardware, scales horizontally for the parts that need it, and is open source, so the migration path out is real if your needs change.

We run our own engineering on Gitea. Every line of code our team ships goes through it: pull requests, Actions-driven releases, the package registry hosting our Go modules and container images. Our CRM, helpdesk, project tracker, and the Platform Demo our agents operate on all live on the same dedicated hardware. Everything we ship runs on the infrastructure we would put a customer on tomorrow.

Who this is for

This is for software teams of five to fifty people who write code that matters. Digital agencies whose clients' codebases are part of the deliverable. Software firms with sensitive IP, public-sector contract work, or compliance obligations under DORA, NIS2, or GDPR that get easier when the audit boundary is your own server. It is not for hobby projects or three-person startups burning runway; for those, the SaaS premium is still worth it. The question is whether the tool that holds your team's source code should sit on someone else's platform with everyone else's.

Time to take control?

The headlines are not going to slow down. The next disclosure is being written right now by a researcher running a reverse-engineering loop overnight while the world sleeps. The answer is the same one the Dutch government landed on: get your source code onto hardware you control, with keys you hold, and someone competent to keep it running.

See what managed Gitea hosting looks like

Dedicated single-tenant hardware in the UK. We deploy, monitor, patch, and back up your Gitea instance. You hold the keys.