GitLab PAT
Service Name: GitLab
Service Description: GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager providing wiki, issue-tracking and continuous integration/continuous deployment pipeline features.
Service Address: https://gitlab.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level for self-managed GitLab instances or through GitLab Premium/Ultimate.
Secret Access Scope: Grants programmatic access to GitLab repositories, projects, and APIs based on the token's scope. Can provide access to repositories, runners, cluster agents, registry repositories, and raw files.
Secret Revokement URL: https://gitlab.com/-/profile/personal_access_tokens
Secret Example: glpat-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz12
Suspicious Activity Investigation Instructions:
- Review GitLab audit logs for unusual repository access or actions
- Check for unauthorized project access, code changes, or repository cloning
- Monitor for unusual API calls or authentication attempts
- Verify if the token was used from unusual geographic locations
- Check for unauthorized runner registrations or deployments
Mitigation Instructions:
- Log in to your GitLab account and navigate to User Settings
- Go to Access Tokens
- Locate the compromised token in the "Active personal access tokens" section
- Click the "Revoke" button next to the compromised token
- Create a new token with appropriate scopes if needed
- Review all repositories for unauthorized changes or commits
- Check for any webhooks or integrations that may have been added
- Update any CI/CD pipelines that were using the revoked token