GitLab Runner Token
Service Name: GitLab
Service Description: GitLab is a complete DevOps platform that enables professionals to perform all the tasks in a project-from project planning and source code management to CI/CD, monitoring, and security. GitLab Runners are agents that run CI/CD jobs in the GitLab CI/CD pipeline.
Service Address: https://gitlab.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the GitLab instance level through network policies or through GitLab's IP-based access restrictions feature.
Secret Access Scope: Grants the ability to register and run CI/CD jobs on behalf of a GitLab project or group. Can access project code, artifacts, and execute commands in CI/CD environments.
Secret Revokement URL: https://docs.gitlab.com/ee/ci/runners/README.html#removing-a-runner
Secret Example: glrt-abcdefghijklmnopqrstuvwxyz123456
Suspicious Activity Investigation Instructions:
- Review the GitLab CI/CD pipeline logs for unusual job executions
- Check the runner's activity history in GitLab Admin area
- Examine which projects the runner has accessed
- Look for unauthorized pipeline executions or job configurations
- Monitor for unusual resource usage or job durations
- Check for unauthorized code or artifact access
Mitigation Instructions:
- Log in to your GitLab instance as an administrator
- Navigate to Admin Area > Runners
- Locate the compromised runner in the list
- Click the "Remove runner" button to revoke the token
- Alternatively, use the GitLab API to remove the runner: DELETE
/api/v4/runners/:id
- Create a new runner with a fresh token if needed
- Review and update any CI/CD configurations that may have been compromised
- Consider implementing more restrictive runner tags to limit access scope
- Enable protected runners for sensitive branches if not already configured