diff --git a/cmd/server/flags.go b/cmd/server/flags.go
index d2ec152b8..d8485f40c 100644
--- a/cmd/server/flags.go
+++ b/cmd/server/flags.go
@@ -91,6 +91,11 @@ var flags = []cli.Flag{
 		Name:    "open",
 		Usage:   "enable open user registration",
 	},
+	&cli.BoolFlag{
+		EnvVars: []string{"WOODPECKER_AUTHENTICATE_PUBLIC_REPOS"},
+		Name:    "authenticate-public-repos",
+		Usage:   "Always use authentication to clone repositories even if they are public. Needed if the SCM requires to always authenticate as used by many companies.",
+	},
 	&cli.StringFlag{
 		EnvVars: []string{"WOODPECKER_DOCS"},
 		Name:    "docs",
diff --git a/cmd/server/server.go b/cmd/server/server.go
index 079c65c54..2b4266820 100644
--- a/cmd/server/server.go
+++ b/cmd/server/server.go
@@ -271,6 +271,9 @@ func setupEvilGlobals(c *cli.Context, v store.Store, r remote.Remote) {
 		server.Config.Services.Senders = sender.NewRemote(endpoint)
 	}
 
+	// authentication
+	server.Config.Pipeline.AuthenticatePublicRepos = c.Bool("authenticate-public-repos")
+
 	// limits
 	server.Config.Pipeline.Limits.MemSwapLimit = c.Int64("limit-mem-swap")
 	server.Config.Pipeline.Limits.MemLimit = c.Int64("limit-mem")
diff --git a/docs/docs/30-administration/10-server-config.md b/docs/docs/30-administration/10-server-config.md
index 4304f63b2..2085102ad 100644
--- a/docs/docs/30-administration/10-server-config.md
+++ b/docs/docs/30-administration/10-server-config.md
@@ -159,6 +159,11 @@ Enable to allow user registration.
 
 Link to documentation in the UI.
 
+### `WOODPECKER_AUTHENTICATE_PUBLIC_REPOS`
+> Default: `false`
+
+Always use authentication to clone repositories even if they are public. Needed if the SCM requires to always authenticate as used by many companies.
+
 ### `WOODPECKER_SESSION_EXPIRES`
 > Default: `72h`
 
diff --git a/server/config.go b/server/config.go
index 8e5e39233..6d4a2019f 100644
--- a/server/config.go
+++ b/server/config.go
@@ -66,10 +66,11 @@ var Config = struct {
 		AuthToken string
 	}
 	Pipeline struct {
-		Limits     model.ResourceLimit
-		Volumes    []string
-		Networks   []string
-		Privileged []string
+		AuthenticatePublicRepos bool
+		Limits                  model.ResourceLimit
+		Volumes                 []string
+		Networks                []string
+		Privileged              []string
 	}
 	FlatPermissions bool // TODO(485) temporary workaround to not hit api rate limits
 }{}
diff --git a/server/shared/procBuilder.go b/server/shared/procBuilder.go
index 6859d4502..fd8710744 100644
--- a/server/shared/procBuilder.go
+++ b/server/shared/procBuilder.go
@@ -244,7 +244,7 @@ func (b *ProcBuilder) toInternalRepresentation(parsed *yaml.Config, environ map[
 				b.Netrc.Password,
 				b.Netrc.Machine,
 			),
-			b.Repo.IsSCMPrivate,
+			b.Repo.IsSCMPrivate || server.Config.Pipeline.AuthenticatePublicRepos,
 		),
 		compiler.WithRegistry(registries...),
 		compiler.WithSecret(secrets...),