GitLab Deploy Token
Service Name: GitLab
Service Description: GitLab is a DevOps platform that provides a Git repository manager providing wiki, issue-tracking and continuous integration/continuous deployment pipeline features.
Service Address: https://gitlab.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the project or group level through GitLab's protected environments feature.
Secret Access Scope: Deploy tokens provide read-only access to repositories and registry images. They can be scoped to specific projects or groups and have specific permissions like read_repository, read_registry, read_package_registry, or write_registry.
Secret Revokement URL: https://gitlab.com/-/profile/personal_access_tokens
Secret Example: glpat-1234567890abcdefghij
Suspicious Activity Investigation Instructions:
- Review GitLab audit logs for unusual repository access or container registry pulls
- Check for unexpected deployments or CI/CD pipeline executions
- Monitor for unusual clone operations or registry image downloads
- Examine access logs for unusual IP addresses or access patterns
- Review project activity logs for unauthorized access attempts
Mitigation Instructions:
- Navigate to the GitLab project where the deploy token was created.
- Go to Settings > Repository > Deploy Tokens.
- Identify the compromised token and click "Revoke"
- Create a new deploy token with appropriate scopes if needed
- Update all services or applications that were using the revoked token
- Consider implementing shorter token expiration periods
- Review and update access controls for the affected repositories
- Enable audit logging if not already enabled to monitor future token usage