GitLab — Secrets in Code¶
What this is¶
GitLab is the second-largest public git hosting platform after GitHub. It has a slightly different audience: more enterprise users, an active corporate self-hosted segment, popular in Europe.
For leak monitoring, GitLab is essentially the same as GitHub, with a few specific quirks:
- Distinct token formats (GitLab PAT, Project Tokens, Runner Tokens).
- Frequently contains CI/CD variables directly in
.gitlab-ci.ymlfiles that were never moved into Settings. - Self-hosted GitLab instances — a separate concern when the instance is accidentally public.
- Public snippets on gitlab.com — a Pastebin-equivalent that's often forgotten.
Why this matters¶
Same reason as GitHub: developers forget about secrets in commits. Additionally for GitLab:
.gitlab-ci.ymlcontains deployment secrets potentially granting production access.- GitLab Pages (
*.gitlab.io) often publicly servesbuild/folders with embedded API keys.
What we look for¶
In addition to the 80+ standard secret types (AWS, Stripe, OpenAI, JWT, private keys, etc. — same list as for GitHub), GitLab-specific:
- GitLab Personal Access Tokens (
glpat-*). - GitLab Project Tokens — often have broad scope.
- GitLab Runner Tokens — let an attacker attach their own runner to your pipeline.
- GitLab Deploy Tokens — used in CI/CD.
A dedicated processor analyzes .gitlab-ci.yml files for hardcoded credentials in variables:, script:, before_script: blocks.
What we scan¶
gitlab.com (public)¶
- Searches mentions of your DataSources across all public code on gitlab.com.
- With an OAuth-connected group — all public projects in the group, employee forks, snippets, wikis.
Self-hosted GitLab¶
The platform supports monitoring your own GitLab instance if it's reachable from the internet. Connection — via an API token from your instance.
Severity¶
Same as for GitHub, plus:
- Critical for GitLab PATs and Project Tokens — they often carry very broad scope.
- High for secrets in
.gitlab-ci.yml— these are active credentials in production pipelines.
What you see in the dashboard¶
Same as for GitHub:
- A direct link to the project, file, and specific line.
- Secret type.
- Context and commit author.
- Severity and recommended action.
How to connect¶
gitlab.com¶
- Settings → Detection Sources → GitLab → Connect.
- Authorize at gitlab.com.
- Select groups to monitor.
Self-hosted GitLab¶
- In your GitLab instance create an Access Token with permissions
read_api,read_repository. - In BCP Portal: choose Custom GitLab Instance, enter the URL of your instance and paste the token.
- Done.
Scan schedule¶
- Quick mode (search across gitlab.com) — hourly.
- Full scan of a group / instance — every 6 hours or daily.
FAQ¶
Can I monitor a private self-hosted GitLab that's only reachable on an internal network? Not yet — this requires an on-premises BCP Portal install (on our roadmap). If your GitLab is reachable from the internet (even with restrictions), monitoring works.
Do we scan snippets and wikis? Public snippets — yes. Wiki — only for groups connected via OAuth.
Do we actively validate GitLab PATs? Yes, same as for GitHub. Validation reveals the token's scope and owner — giving you a clear picture of how serious the leak is.