Skip to content

GitLab Runner Token

Service Name: GitLab

Service Description: GitLab is a complete DevOps platform that enables professionals to perform all the tasks in a project-from project planning and source code management to CI/CD, monitoring, and security. GitLab Runners are agents that run CI/CD jobs in the GitLab CI/CD pipeline.

Service Address: https://gitlab.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the GitLab instance level through network policies or through GitLab's IP-based access restrictions feature.

Secret Access Scope: Grants the ability to register and run CI/CD jobs on behalf of a GitLab project or group. Can access project code, artifacts, and execute commands in CI/CD environments.

Secret Revokement URL: https://docs.gitlab.com/ee/ci/runners/README.html#removing-a-runner

Secret Example: glrt-abcdefghijklmnopqrstuvwxyz123456

Suspicious Activity Investigation Instructions:

  • Review the GitLab CI/CD pipeline logs for unusual job executions
  • Check the runner's activity history in GitLab Admin area
  • Examine which projects the runner has accessed
  • Look for unauthorized pipeline executions or job configurations
  • Monitor for unusual resource usage or job durations
  • Check for unauthorized code or artifact access

Mitigation Instructions:

  • Log in to your GitLab instance as an administrator
  • Navigate to Admin Area > Runners
  • Locate the compromised runner in the list
  • Click the "Remove runner" button to revoke the token
  • Alternatively, use the GitLab API to remove the runner: DELETE

/api/v4/runners/:id

  • Create a new runner with a fresh token if needed
  • Review and update any CI/CD configurations that may have been compromised
  • Consider implementing more restrictive runner tags to limit access scope
  • Enable protected runners for sensitive branches if not already configured