
GitLab Token

Description

General

  • Documentation: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
  • Summary: GitLab is an open-source code hosting website that provides issue tracking and continuous integration and deployment pipelines. This detector aims to detect tokens used to act programmatically on behalf of a user.
  • IPs allowlist: Allowlists are supported for self-managed installs.
  • Scopes: A range of scopes can be set when creating an access token; more information is available in the scopes documentation.

Revoke the secret

Tokens can be revoked from the user's dashboard or programmatically.

Check for suspicious activity

For each personal token, GitLab displays the last used date under Settings > Access Tokens.

Details for Gitlab token

  • Family: Api

  • Category: Version control platform

  • Company: GitLab

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 5.51

  • Prefixed: False

  • PreValidators:

    - type: FilenameBanlistPreValidator
      banlist_extensions: []
      banlist_filenames: []
      check_binaries: false
      include_default_banlist_extensions: true
      ban_markup: true
    - type: ContentWhitelistPreValidator
      patterns:
        - gitlab

Examples

- text: |
    git+https://gitlab+deploy-token-4:jaiveyYredWX3wixerW-@git.alpha-beta.fr/some/project
  apikey: jaiveyYredWX3wixerW-

- text: |
    +gitlab_config
    +set _SCRIPTDIR=%CD%
    +popd
    +
    +set _TOKEN=u_zx0envC23WEwvCzEKp
  apikey: u_zx0envC23WEwvCzEKp

- text: |
    GitLab Runner
    + runnerRegistrationToken: "tQgCbx5UPy_ByM2FczhU"
    + # resources:
    + # limits:
    + # memory:
  apikey: tQgCbx5UPy_ByM2FczhU

- text: |
    begin {
    $ErrorActionPreference = "Stop"
    $env:GITLAB_TOKEN = "LkaPhTfdsPhdVZaHUGhG"
  apikey: LkaPhTfdsPhdVZaHUGhG

Details for Gitlab personal token

  • Family: Api

  • Category: Version control platform

  • Company: GitLab

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: True

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 0.08

  • Prefixed: False

  • PreValidators:

    - type: FilenameBanlistPreValidator
      banlist_extensions: []
      banlist_filenames: []
      check_binaries: false
      include_default_banlist_extensions: true
      ban_markup: false
    - type: ContentWhitelistPreValidator
      patterns:
        - gitlab

Examples

- text: |
    'my gitlab token is set below.
    I want something that is not handled by the AssignmentRegexMatcher not to interfere
    with the gitlab_token detector
    "qZ3do4vK3MiSHbE29vAQ"'
  apikey: qZ3do4vK3MiSHbE29vAQ

- text: |
    'my gitlab token is set below.
    I want something that is not handled by the AssignmentRegexMatcher not to interfere
    with the gitlab_token detector
    "qZ3do4vK3MiSHbE29vAQ"'
  apikey: qZ3do4vK3MiSHbE29vAQ

Details for Gitlab personal token v2

  • Family: Api

  • Category: Version control platform

  • Company: GitLab

  • High recall: True

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 15.16

  • Prefixed: True

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - glpat-

Examples

- text: |
    The prefixed gitlab personal token
    glpat-SNixgZ5e6NWeo1Wwga11
  apikey: glpat-SNixgZ5e6NWeo1Wwga11

- text: |
    glpat-SNixgZZeXNWeoWWwgaef
  apikey: glpat-SNixgZZeXNWeoWWwgaef

# Fat-fingered secret
- text: |
    gglpat-SNixgZ5e6NWeo1Wwga11
  apikey: glpat-SNixgZ5e6NWeo1Wwga11
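
How the "Gitlab personal token v2" settings above fit together, as an added sketch that is not the detector's own implementation: a content prevalidator that skips documents lacking `glpat-`, then a prefix match that still recovers the fat-fingered case. The regex (20 characters from `[0-9A-Za-z_-]` after the prefix, inferred from the examples on this page) and the function names are assumptions.

```python
import re

PREFIX = "glpat-"
# Assumption: token body is exactly 20 chars of [0-9A-Za-z_-], as in the
# examples on this page. Illustrative pattern, not the detector's real regex.
# No left boundary is required, so a stray leading character ("gglpat-...")
# does not hide the token; the lookahead rejects longer runs on the right.
TOKEN_RE = re.compile(r"glpat-[0-9A-Za-z_-]{20}(?![0-9A-Za-z_-])")


def content_whitelist(document, patterns=(PREFIX,)):
    """Same idea as ContentWhitelistPreValidator: only scan documents
    that contain at least one of the listed patterns."""
    return any(p in document for p in patterns)


def find_tokens(document):
    """Return candidate prefixed tokens in order of appearance, deduplicated."""
    if not content_whitelist(document):
        return []  # cheap rejection before the regex runs
    seen, found = set(), []
    for match in TOKEN_RE.finditer(document):
        token = match.group(0)
        if token not in seen:
            seen.add(token)
            found.append(token)
    return found


def redact(document):
    """Mask token bodies so scan results can be logged without the secret."""
    return TOKEN_RE.sub(PREFIX + "*" * 20, document)


if __name__ == "__main__":
    # Sample inputs taken from the examples on this page.
    samples = [
        "The prefixed gitlab personal token\nglpat-SNixgZ5e6NWeo1Wwga11\n",
        "gglpat-SNixgZ5e6NWeo1Wwga11",                   # fat-fingered secret
        '$env:GITLAB_TOKEN = "LkaPhTfdsPhdVZaHUGhG"',  # unprefixed: skipped
    ]
    for text in samples:
        print(find_tokens(text), "|", redact(text).replace("\n", " "))
```
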
