Securing your GitLab: Best Practices To Implement

Eylam Milner
Jul 14 · 4 min read
Securing Gitlab

What is GitLab

GitLab is a free open-source service designed to manage and share code in a distributed version control system (e.g. SVN, Git, Hg). GitLab helps developers share code with other people, project managers, and teammates (when working on the same project). It provides an interface for all the relevant people to manage a software project in the fastest and most reliable way possible.

Gitlab Security

If you don’t like the idea of storing your code in multiple places and using a centralized version control system, GitLab comes with an extensible and flexible design that supports many kinds of projects (small, large scale, open source), and works with various VCS (like Git, Subversion and Mercurial). This means that you do not need to know the details of what kind of version control system your project uses, and GitLab always makes it easy for you to pick the right VCS to fit your project’s needs.

The main difference between GitLab and any other distributed version control system that you are already familiar with (Git, Mercurial or SVN) is that GitLab supports distributed version control that are not only hierarchical and linear, but can be asynchronously distributed as well.

GitLab is also the most widely used by developers because of its powerful workflow for Git, continuous integration, and easy deployment. It also offers more productivity options than other Git hosting services. While productivity is great, security needs to be a top priority when using GitLab. 

GitLab security attacks in the news

Waydev recently reported that their systems were attacked by hackers who stole OAuth tokens of GitLab and GitHub. They used an SQL injection vulnerability to gain access to the database containing the tokens. Beyond Waydev the hackers also gained access to the code bases of Waydev’s customers, two of whom came forward to disclose the details. Waydev worked with GitHub and GitLab to reissue new OAuth tokens on the same day and invalidate the old ones.

Earlier, in 2019, GitLab reported an attack where a user account was broken into using passwords that were stored in plain-text in a separate repository. The hacker then left a warning in one of the repositories that he would wipe all repos in that account if the company doesn’t pay him a certain amount. GitLab confirmed that the attacker had access to 131 users and 163 repositories at least. 

Attacks like these have forced GitLab to push out numerous security patches that prevent DDoS attacks originating from tools like Prometheus, NuGet API, and during package uploads. Incorrect project headers are also a cause for concern as they give temporary access to hackers. While GitLab proactively does its part  to counter security attacks, every organization using GitLab needs to be aware of the threats, and do their part to secure their use of GitLab. 

GitLab security best practices

Here is a list of things you can do to secure your GitLab accounts from attacks:

1. Require multi-factor authentication for group members: Ensuring only those allowed to access your repositories in GitLab have access to them is half the battle. This is best done with multi-factor authentication (MFA) or two-factor authentication (2FA). It requires any user attempting to log in to also receive an access code on their mobile device or email. This is table stakes in security today, and is essential for securing GitLab.

2. Restrict IP access: This is a network-level security measure. It is not new, but is often overlooked. IP addresses are still a great way to track where your users come from. In today’s world of remote work this is more of a challenge as the number of IPs accessing your resources has grown exponentially. Still, by noticing patterns of daily access, you can use systems to easily spot suspicious new IPs that access your systems from strange locations. An extra step to whitelist IP addresses of all employee devices will greatly improve this security measure. It is important to not block off access to genuine users while doing this.

3. Disallow forking of project: We now move to the application-level security measures. Forking is easy to do in GitLab and can result in code getting around to places that you have no control over. While the basic GitLab tier doesn’t restrict forking, the Premium or Silver tiers do enable you to block forking of a project outside that group. This gives you more control over your source code. 

4. Enable Secret Detection: Many attacks, even the ones listed above, were successful because someone carelessly left a secret token or password out in the open somewhere. GitLab has a built-in feature to check for accidentally exposed secret information anywhere in your repositories. Activate and use this capability, and it will prevent an inevitable attack in the future. 

5. Disallow unsecured URLs in webhook: Webhooks are unavoidable in modern cloud operations, and they contain sensitive information in the form of payload. To secure webhooks it is essential to use SSL verification (HTTPS) so that the data sent is delivered only to the intended endpoint and no man-in-the-middle has access to the payload. 

Argon for policy-based GitLab security

You can use Argon to implement all the above best practices in your GitLab accounts and the rest of CICD tools that are communicating with it. Argon is a policy-based security solution for end-to-end CI/CD security. It allows you to implement fine-grained and strategic security measures that secure GitLab from external attacks and internal mistakes. View a demo of Argon today to see what more it can do to secure your organization on GitLab. 

software supply chain security, CICD security, Gitlab security, software supply chain attacks

Eylam Milner
Jul 14 · 4 min read

Related Articles

Securing your GitLab: Best Practices To Implement

What is GitLab GitLab is a free open-source service designed to manage and share code in a distributed version control…

Eylam Milner
Jul 14 · 4 min read

President Biden’s Executive Order Demands Cybersecurity for Software...

The SolarWinds Attack Was the Industry’s Wakeup Call The new wave of software supply chain attacks that targeted SolarWinds, Codecov,…

Eran Orzel
Jun 23 · 5 min read

The importance of having visibility over your pipeline’s plugins...

Hardly a week goes by these days without hearing about a new supply chain attack. A recent headline featured yet…

Eilon Elhadad
Jun 21 · 4 min read

End-to-End CI/CD Security Platform

open source vulnerability scanner