Security
GitLab does not provide true file-level access control (like โonly Alice can read secrets.ymlโ) โ but it does provide tools to restrict access and prevent exposure of sensitive files using:
โ What You Can Do in GitLab (SaaS and Self-managed)
1. โ Push Rules for Sensitive Files
- Prevent commits that contain secrets, keys, passwords, or specific file names.
- Configure under:
Settings โ Repository โ Push Rules
Example:
- Reject commits with
.envor*.pemfiles:
Forbidden file names: ^(.env|.*\.pem)$
- Reject commits with AWS keys using regex:
Secret detection regex: AKIA[0-9A-Z]{16}
2. โ Protected Branches
- Prevent unauthorized push/merge to sensitive branches like
main,release, etc. - Set under:
Settings โ Repository โ Protected Branches
3. โ Code Owners for Sensitive Files
- Define ownership for sensitive files using a
CODEOWNERSfile. - Prevent changes to specific paths unless approved by listed owners.
Example:
/secrets/* @devops-lead @security-team
Code language: PHP (php)
4. โ Secret Detection (SAST/Static Scanning)
- GitLab CI/CD automatically scans for hardcoded secrets and keys.
- Available in GitLab Ultimate and in some parts of Premium.
- Found under:
Security & Compliance โ Vulnerability Report
5. โ File Pattern Merge Request Rules (Paid)
- Use merge request approval rules for changes to specific file paths (e.g., secrets, configs).
Example:
Rule: If /infra/keys/* is changed โ require @security-team to approve
Code language: PHP (php)
โ What You Cannot Do Directly in GitLab
| Feature | GitLab Status |
|---|---|
| Per-file access control (ACL-style) | โ Not supported |
| Per-user permission to view/edit specific files | โ Not supported |
| Encryption-at-rest per file inside repo | โ Not native (requires external tools) |
๐ Recommended Best Practices
| Goal | GitLab Feature to Use |
|---|---|
| Prevent secrets in repo | Push rules + Secret detection + .gitignore |
| Limit merge to sensitive files | CODEOWNERS + Approval Rules |
| Block commits with unsafe patterns | Push Rules + Pre-commit Hooks (externally) |
| Enforce audits of sensitive changes | Merge request rules with approval |
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals