Skip to content

GitLab — Secrets in Code

What this is

GitLab is the second-largest public git hosting platform after GitHub. It has a slightly different audience: more enterprise users, an active corporate self-hosted segment, popular in Europe.

For leak monitoring, GitLab is essentially the same as GitHub, with a few specific quirks:

  • Distinct token formats (GitLab PAT, Project Tokens, Runner Tokens).
  • Frequently contains CI/CD variables directly in .gitlab-ci.yml files that were never moved into Settings.
  • Self-hosted GitLab instances — a separate concern when the instance is accidentally public.
  • Public snippets on gitlab.com — a Pastebin-equivalent that's often forgotten.

Why this matters

Same reason as GitHub: developers forget about secrets in commits. Additionally for GitLab:

  • .gitlab-ci.yml contains deployment secrets potentially granting production access.
  • GitLab Pages (*.gitlab.io) often publicly serves build/ folders with embedded API keys.

What we look for

In addition to the 80+ standard secret types (AWS, Stripe, OpenAI, JWT, private keys, etc. — same list as for GitHub), GitLab-specific:

  • GitLab Personal Access Tokens (glpat-*).
  • GitLab Project Tokens — often have broad scope.
  • GitLab Runner Tokens — let an attacker attach their own runner to your pipeline.
  • GitLab Deploy Tokens — used in CI/CD.

A dedicated processor analyzes .gitlab-ci.yml files for hardcoded credentials in variables:, script:, before_script: blocks.

What we scan

gitlab.com (public)

  • Searches mentions of your DataSources across all public code on gitlab.com.
  • With an OAuth-connected group — all public projects in the group, employee forks, snippets, wikis.

Self-hosted GitLab

The platform supports monitoring your own GitLab instance if it's reachable from the internet. Connection — via an API token from your instance.

Severity

Same as for GitHub, plus:

  • Critical for GitLab PATs and Project Tokens — they often carry very broad scope.
  • High for secrets in .gitlab-ci.yml — these are active credentials in production pipelines.

What you see in the dashboard

Same as for GitHub:

  • A direct link to the project, file, and specific line.
  • Secret type.
  • Context and commit author.
  • Severity and recommended action.

How to connect

gitlab.com

  1. Settings → Detection Sources → GitLab → Connect.
  2. Authorize at gitlab.com.
  3. Select groups to monitor.

Self-hosted GitLab

  1. In your GitLab instance create an Access Token with permissions read_api, read_repository.
  2. In BCP Portal: choose Custom GitLab Instance, enter the URL of your instance and paste the token.
  3. Done.

Scan schedule

  • Quick mode (search across gitlab.com) — hourly.
  • Full scan of a group / instance — every 6 hours or daily.

FAQ

Can I monitor a private self-hosted GitLab that's only reachable on an internal network? Not yet — this requires an on-premises BCP Portal install (on our roadmap). If your GitLab is reachable from the internet (even with restrictions), monitoring works.

Do we scan snippets and wikis? Public snippets — yes. Wiki — only for groups connected via OAuth.

Do we actively validate GitLab PATs? Yes, same as for GitHub. Validation reveals the token's scope and owner — giving you a clear picture of how serious the leak is.