Security
GitLab does not provide true file-level access control (like “only Alice can read secrets.yml”) — but it does provide tools to restrict access and prevent exposure of sensitive files using:
✅ What You Can Do in GitLab (SaaS and Self-managed)
1. ✅ Push Rules for Sensitive Files
- Prevent commits that contain secrets, keys, passwords, or specific file names.
- Configure under:
Settings → Repository → Push Rules
Example:
- Reject commits with
.envor*.pemfiles:
Forbidden file names: ^(.env|.*\.pem)$
- Reject commits with AWS keys using regex:
Secret detection regex: AKIA[0-9A-Z]{16}
2. ✅ Protected Branches
- Prevent unauthorized push/merge to sensitive branches like
main,release, etc. - Set under:
Settings → Repository → Protected Branches
3. ✅ Code Owners for Sensitive Files
- Define ownership for sensitive files using a
CODEOWNERSfile. - Prevent changes to specific paths unless approved by listed owners.
Example:
/secrets/* @devops-lead @security-team
Code language: PHP (php)4. ✅ Secret Detection (SAST/Static Scanning)
- GitLab CI/CD automatically scans for hardcoded secrets and keys.
- Available in GitLab Ultimate and in some parts of Premium.
- Found under:
Security & Compliance → Vulnerability Report
5. ✅ File Pattern Merge Request Rules (Paid)
- Use merge request approval rules for changes to specific file paths (e.g., secrets, configs).
Example:
Rule: If /infra/keys/* is changed → require @security-team to approve
Code language: PHP (php)❌ What You Cannot Do Directly in GitLab
| Feature | GitLab Status |
|---|---|
| Per-file access control (ACL-style) | ❌ Not supported |
| Per-user permission to view/edit specific files | ❌ Not supported |
| Encryption-at-rest per file inside repo | ❌ Not native (requires external tools) |
🔐 Recommended Best Practices
| Goal | GitLab Feature to Use |
|---|---|
| Prevent secrets in repo | Push rules + Secret detection + .gitignore |
| Limit merge to sensitive files | CODEOWNERS + Approval Rules |
| Block commits with unsafe patterns | Push Rules + Pre-commit Hooks (externally) |
| Enforce audits of sensitive changes | Merge request rules with approval |
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
