{"id":49504,"date":"2025-05-28T01:22:46","date_gmt":"2025-05-28T01:22:46","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=49504"},"modified":"2025-05-28T01:25:19","modified_gmt":"2025-05-28T01:25:19","slug":"gitlab-faq","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/gitlab-faq\/","title":{"rendered":"Gitlab FAQ"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>GitLab <strong>does not provide true file-level access control<\/strong> (like \u201conly Alice can read <code>secrets.yml<\/code>\u201d) \u2014 but it <strong>does provide tools<\/strong> to <strong>restrict access and prevent exposure<\/strong> of sensitive files using:<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 What You <strong>Can<\/strong> Do in GitLab (SaaS and Self-managed)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">1. \u2705 <strong>Push Rules for Sensitive Files<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prevent commits that contain secrets, keys, passwords, or specific file names<\/strong>.<\/li>\n\n\n\n<li>Configure under:<br><code>Settings \u2192 Repository \u2192 Push Rules<\/code><\/li>\n<\/ul>\n\n\n\n<p><strong>Example:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reject commits with <code>.env<\/code> or <code>*.pem<\/code> files (the dot in <code>.env<\/code> is escaped so the pattern matches that exact name):<\/li>\n<\/ul>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Forbidden file names: ^(\\.env|.*\\.pem)$\n<\/code><\/span><\/pre>\n\n\n<ul class=\"wp-block-list\">\n<li>Reject commits with AWS keys using regex:<\/li>\n<\/ul>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Secret detection regex: AKIA[0-9A-Z]{16}\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">2. 
\u2705 <strong>Protected Branches<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prevent unauthorized push\/merge to sensitive branches like <code>main<\/code>, <code>release<\/code>, etc.<\/li>\n\n\n\n<li>Set under:<br><code>Settings \u2192 Repository \u2192 Protected Branches<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">3. \u2705 <strong>Code Owners for Sensitive Files<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define <strong>ownership for sensitive files<\/strong> using a <a href=\"https:\/\/www.devopsschool.com\/blog\/gitlab-codeowners-file-enforce-code-reviews-approvals-and-accountability\/\"><code>CODEOWNERS<\/code><\/a> file.<\/li>\n\n\n\n<li>Prevent changes to specific paths unless approved by listed owners.<\/li>\n<\/ul>\n\n\n\n<p><strong>Example:<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">\/secrets\/*  @devops-lead @security-team\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">4. 
\u2705 <strong>Secret Detection (SAST\/Static Scanning)<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GitLab CI\/CD <strong>automatically scans<\/strong> for hardcoded secrets and keys.<\/li>\n\n\n\n<li>Available in GitLab <strong>Ultimate<\/strong> and in some parts of Premium.<\/li>\n\n\n\n<li>Found under: <code>Security &amp; Compliance \u2192 Vulnerability Report<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">5. \u2705 <strong>File Pattern Merge Request Rules<\/strong> (Paid)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>merge request approval rules<\/strong> for changes to specific file paths (e.g., secrets, configs).<\/li>\n<\/ul>\n\n\n\n<p><strong>Example:<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Rule: If \/infra\/keys\/* is changed \u2192 require @security-team to approve\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u274c What You <strong>Cannot<\/strong> Do Directly in GitLab<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>GitLab Status<\/th><\/tr><\/thead><tbody><tr><td>Per-file access control (ACL-style)<\/td><td>\u274c Not supported<\/td><\/tr><tr><td>Per-user permission to view\/edit specific files<\/td><td>\u274c Not 
supported<\/td><\/tr><tr><td>Encryption-at-rest per file inside repo<\/td><td>\u274c Not native (requires external tools)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd10 Recommended Best Practices<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Goal<\/th><th>GitLab Feature to Use<\/th><\/tr><\/thead><tbody><tr><td>Prevent secrets in repo<\/td><td>Push rules + Secret detection + <code>.gitignore<\/code><\/td><\/tr><tr><td>Limit merge to sensitive files<\/td><td>CODEOWNERS + Approval Rules<\/td><\/tr><tr><td>Block commits with unsafe patterns<\/td><td>Push Rules + Pre-commit Hooks (externally)<\/td><\/tr><tr><td>Enforce audits of sensitive changes<\/td><td>Merge request rules with approval<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security GitLab does not provide true file-level access control (like \u201conly Alice can read secrets.yml\u201d) \u2014 but it does provide tools to restrict access and prevent exposure of sensitive files&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-49504","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=49504"}],"version-history":[{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49504\/revisions"}],"predecessor-version":[{"id":49510,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49504\/revisions\/49510"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=49504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=49504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=49504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}