Skip to content

GitLab Deploy Token

Service Name: GitLab

Service Description: GitLab is a DevOps platform that provides a Git repository manager providing wiki, issue-tracking and continuous integration/continuous deployment pipeline features.

Service Address: https://gitlab.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the project or group level through GitLab's protected environments feature.

Secret Access Scope: Deploy tokens provide read-only access to repositories and registry images. They can be scoped to specific projects or groups and have specific permissions like read_repository, read_registry, read_package_registry, or write_registry.

Secret Revokement URL: https://gitlab.com/-/profile/personal_access_tokens

Secret Example: glpat-1234567890abcdefghij

Suspicious Activity Investigation Instructions:

  • Review GitLab audit logs for unusual repository access or container registry pulls
  • Check for unexpected deployments or CI/CD pipeline executions
  • Monitor for unusual clone operations or registry image downloads
  • Examine access logs for unusual IP addresses or access patterns
  • Review project activity logs for unauthorized access attempts

Mitigation Instructions:

  • Navigate to the GitLab project where the deploy token was created.
  • Go to Settings > Repository > Deploy Tokens.
  • Identify the compromised token and click "Revoke"
  • Create a new deploy token with appropriate scopes if needed
  • Update all services or applications that were using the revoked token
  • Consider implementing shorter token expiration periods
  • Review and update access controls for the affected repositories
  • Enable audit logging if not already enabled to monitor future token usage