Skip to content

GitLab PAT

Service Name: GitLab

Service Description: GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager providing wiki, issue-tracking and continuous integration/continuous deployment pipeline features.

Service Address: https://gitlab.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level for self-managed GitLab instances or through GitLab Premium/Ultimate.

Secret Access Scope: Grants programmatic access to GitLab repositories, projects, and APIs based on the token's scope. Can provide access to repositories, runners, cluster agents, registry repositories, and raw files.

Secret Revokement URL: https://gitlab.com/-/profile/personal_access_tokens

Secret Example: glpat-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz12

Suspicious Activity Investigation Instructions:

  • Review GitLab audit logs for unusual repository access or actions
  • Check for unauthorized project access, code changes, or repository cloning
  • Monitor for unusual API calls or authentication attempts
  • Verify if the token was used from unusual geographic locations
  • Check for unauthorized runner registrations or deployments

Mitigation Instructions:

  • Log in to your GitLab account and navigate to User Settings
  • Go to Access Tokens
  • Locate the compromised token in the "Active personal access tokens" section
  • Click the "Revoke" button next to the compromised token
  • Create a new token with appropriate scopes if needed
  • Review all repositories for unauthorized changes or commits
  • Check for any webhooks or integrations that may have been added
  • Update any CI/CD pipelines that were using the revoked token