Security Recommendations
The following covers areas of concern in the GitLab configuration.
- Disabling Self-Registration
- Disabling Shared Gitlab-runner
- Disabling Public Projects
- Account Limitations
- External Authorization
- Repository Mirroring
- Spam/Anti-bot Protection
- Import and Export Rate limits
- Prevent Pushing Secret Files
- Prohibited File Names
Configuring Gitlab via the UI
The root (default admin username in GitLab) credentials can be retrieved from the cluster. The password is stored in the gitlab-gitlab-initial-root-password secret in the gitlab namespace.
Disabling Self-Registration
It is highly recommended to disable self-registration for GitLab. Ideally, only users who have an account in Keycloak are allowed to log in to GitLab.
Documentation from GitLab.
As an admin, select Menu -> Admin, under Settings -> General -> Sign-up restrictions. The settings for enabling/disabling Self Registration are located within.
Turn off Sign-up enabled.
Disable Shared Gitlab-runner
Documentation from GitLab.
As an admin, on the left panel click Admin, then go to Settings -> CI/CD -> Continuous Integration and Deployment. The settings for Auto DevOps, shared runners, and artifacts are located within.
Turn the following off:
- Default to Auto DevOps pipeline for all projects.
- Enable shared runners for new projects.
- Enable pipeline suggestion banner.
Disable Public Project
Documentation from GitLab.
As an admin, on the left panel click Admin, then go to Settings -> General -> Visibility and access controls. The visibility settings are located within.
Set the following:
- Default project creation protection -> Maintainers
- Restricted visibility levels -> Public. Note: restricting the Public level prevents outside users from seeing projects and prevents internal users from making projects visible to outsiders.
- Enabled Git access protocols -> Only HTTP(S)
- Disable Project export enabled.
Account Limitations
As an admin, on the left panel click Admin, then go to Settings -> General -> Account and limit. The account and limit settings are located within.
Set the following:
- Uncheck User OAuth applications.
- Uncheck Prompt users to upload SSH keys.
- Set Personal Access Token prefix to 'smoothglue-'.
- Set Default projects limit to 0.
- Check Deactivate dormant users after 90 days of inactivity.
- Uncheck the box for Allow new users to create top-level groups.
- Uncheck the box for Allow users to delete their own accounts.
External Authorization
Documentation from GitLab.
As an admin, on the left panel click Admin, then go to Settings -> General -> External authorization. The external authorization settings are located within.
Repository Mirroring
Documentation from GitLab.
As an admin, on the left panel click Admin, then go to Settings -> Repository -> Repository mirroring. The repository mirroring setting is located within.
Set the following:
- Uncheck Allow repository mirroring configuration.
Spam/Anti-bot Protection
As an admin, on the left panel click Admin, then go to Settings -> Reporting -> Spam and Anti-bot Protection. The spam and anti-bot protection settings are located within.
Set the following:
- Enable reCAPTCHA.
- Enable reCAPTCHA for login.
- Limit sign-in from multiple IP addresses.
Import and Export Rate limits
As an admin, on the left panel click Admin, then go to Settings -> Network -> User and IP rate limits. The import and export rate limit settings are located within.
- Enable all Rate Limits
Prevent Pushing Secret Files
Documentation from GitLab.
As an admin, on the left sidebar, at the bottom, select Admin, select Push rules, expand Push rules. Set the rule as described in the link above to prevent committing secrets, such as credential files and SSH private keys to the repository. Select Save push rules.
Prohibited File Names
Documentation from GitLab.
As an admin, on the left sidebar, at the bottom, select Admin, select Push rules, expand Push rules. Set the rule as described in the link above to prevent committing prohibited file names to the repository. Select Save push rules.
All committed filenames cannot match this regular expression. If empty, any filename is allowed. This is to prevent accidental commits of sensitive files or malicious files.
Unfortunately there is a limit of 511 characters for this field.
| Extension | Function | OS | Notes |
|---|---|---|---|
| .7z | Phishing File Archiver | Windows Mac Linux | |
| .a3x | Executable Script | Windows | |
| .appinstaller | Executable Double Click | Windows | |
| .application | Phishing Executable Double Click | Windows | |
| .appref-ms | Phishing Executable Double Click | Windows | |
| .appx | Phishing Executable Double Click | Windows | |
| .appxbundle | Phishing Executable Double Click | Windows | |
| .cmd | Executable Script Double Click | Windows | |
| .com | Executable Double Click | Windows | |
| .cpl | Phishing Executable Double Click | Windows | |
| .dll | Executable | Windows | |
| .dmg | Executable Double Click | Mac | |
| .docm | Phishing Double Click Macros | Windows Mac | |
| .dotm | Phishing Double Click Macros | Windows Mac | |
| .eml | Phishing | Windows Linux Mac | |
| .exe | Executable Double Click | Windows | |
| .hta | Executable Script Double Click | Windows | |
| .lnk | Phishing Executable Double Click | Windows | |
| .msc | Executable Double Click | Windows | |
| .msi | Executable Double Click | Windows | |
| .msix | Executable | Windows | |
| .odt | Exploit Phishing | Windows | |
| .pif | Executable Double Click | Windows | |
| .potm | Phishing Double Click Macros | Windows Mac | |
| .ppam | Phishing Double Click | Windows Mac | |
| .ppsm | Phishing Double Click Macros | Windows Mac | |
| .pptm | Phishing Double Click Macros | Windows Mac | |
| .rar | Phishing File Archiver | Windows Mac Linux | |
| .reg | Executable Script Double Click | Windows | |
| .scr | Executable Double Click | Windows | |
| .sldm | Phishing Double Click Macros | Windows Mac | |
| .slk | Phishing Double Click Macros | Windows Mac | |
| .theme | Phishing Double Click | Windows | |
| .vbe | Executable Script Double Click | Windows | |
| .vbs | Executable Script Double Click | Windows | |
| .vhd | File Archiver | Windows | |
| .vhdx | File Archiver | Windows | |
| .wsf | Executable Script Double Click | Windows | |
| .xlam | Phishing Double Click Macros | Windows Mac | |
| .xlsb | Phishing Double Click Macros | Windows Mac | |
| .xlsm | Phishing Double Click Macros | Windows Mac | |
| .xpi | Package Management | Windows Mac Linux | |
| .z | Phishing File Archiver | Windows Linux | |
| .zip | Phishing File Archiver | Windows Mac Linux | |
| .deb | Package Management | Debian-Based Distros | |
| .rpm | Package Management | Windows Linux | |
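The table above has to be turned into one regular expression that fits the 511-character field. The following Python script is an added example (not part of the original page or of GitLab) that builds that expression from the listed extensions, checks it against the field limit, and simulates which files in a constructed sample commit the rule would reject. It assumes, per GitLab's documentation, that push-rule patterns are RE2, so it uses only constructs RE2 and Python's re share.

```python
import re

# Extensions taken from the prohibited-file-names table above.
PROHIBITED_EXTENSIONS = [
    "7z", "a3x", "appinstaller", "application", "appref-ms", "appx", "appxbundle",
    "cmd", "com", "cpl", "dll", "dmg", "docm", "dotm", "eml", "exe", "hta", "lnk",
    "msc", "msi", "msix", "odt", "pif", "potm", "ppam", "ppsm", "pptm", "rar", "reg",
    "scr", "sldm", "slk", "theme", "vbe", "vbs", "vhd", "vhdx", "wsf", "xlam", "xlsb",
    "xlsm", "xpi", "z", "zip", "deb", "rpm",
]

# GitLab caps the "Prohibited file names" push-rule field at 511 characters.
FIELD_LIMIT = 511


def build_pattern(extensions):
    """Return one case-insensitive regex matching any filename that ends in a listed
    extension. Only constructs shared by RE2 (GitLab push rules) and Python's re are
    used: no lookarounds, no backreferences. The pattern is anchored only at the end,
    so it applies regardless of the directory the file sits in."""
    for ext in extensions:
        # Extensions are letters, digits and '-', so no escaping is needed; refuse
        # anything else rather than silently emitting regex metacharacters.
        if not re.fullmatch(r"[a-z0-9-]+", ext):
            raise ValueError(f"unexpected characters in extension: {ext!r}")
    return r"(?i)\.(" + "|".join(extensions) + r")$"


def fits_field(pattern, limit=FIELD_LIMIT):
    """True if the pattern can be pasted into the admin UI field without truncation."""
    return len(pattern) <= limit


def blocked_files(pattern, paths):
    """Simulate the push rule: return the paths the pattern would reject."""
    rule = re.compile(pattern)
    return [p for p in paths if rule.search(p)]


if __name__ == "__main__":
    pattern = build_pattern(PROHIBITED_EXTENSIONS)
    print(f"{len(pattern)} chars (limit {FIELD_LIMIT}):", pattern)
    # Constructed sample commit for the demo; only the extension decides the outcome.
    sample = ["README.md", "tools/setup.exe", "docs/Invoice.DOCM", "src/main.go",
              "build/app.exe.txt", "vendor/pkg.tar.gz", "installer.appref-ms"]
    print("would be rejected:", blocked_files(pattern, sample))
```

Paste the printed pattern into the Prohibited file names field; rerun the script whenever the table changes to confirm it still fits the limit.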