Skip to content

GitLab Legacy PAT

Service Name: GitLab

Service Description: GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager providing wiki, issue-tracking and continuous integration/continuous deployment pipeline features.

Service Address: https://gitlab.com/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants access to GitLab resources based on the token's permissions, including repositories, projects, issues, and CI/CD pipelines.

Secret Revokement URL: https://gitlab.com/-/profile/personal_access_tokens

Secret Example: glpat-ABCDefGHijkLMnopQRSTuvwx

Suspicious Activity Investigation Instructions:

  • Check GitLab audit logs for unusual activity associated with the token
  • Review project access history for unauthorized changes or access
  • Examine CI/CD pipeline runs for unexpected or unauthorized jobs
  • Look for repository clones or downloads from unfamiliar IP addresses
  • Monitor for creation of new webhooks or integrations

Mitigation Instructions:

  • Immediately revoke the compromised token by navigating to GitLab user settings
  • Go to User Settings > Access Tokens
  • Find the compromised token and click "Revoke"
  • Create a new token with appropriate scopes if needed
  • Review project permissions and access levels
  • Check for any unauthorized changes to repositories or settings
  • Enable two-factor authentication if not already enabled