Security in Managed Service for GitLab
Written by
Updated at May 13, 2024
Detecting vulnerabilities in CI/CD
Managed Service for GitLab offers protection of your pipeline with built-in GitLab tools.
The tools available depend on the GitLab license type. The free license offers several security tools, such as Static Application Security Testing (SAST) and Secret Detection. You can also develop custom jobs using open-source tools.
See the table for a complete list of pipeline security tools with respective licenses:
| Pipeline security tools | Free | Premium | Ultimate |
|---|---|---|---|
| API Fuzzing | |||
| Cluster Image Scanning | |||
| Container Scanning | |||
| Dependency Scanning | |||
| Dynamic Application Security Testing (DAST) | |||
| License Compliance | |||
| Secret Detection | |||
| Security Dashboard | |||
| Static Application Security Testing (SAST) |
As Managed Service for GitLab develops, the list may change.
Pipeline security usage examples
The following options of pipeline usage are available for your projects:
- Create a pipeline in an individual project and add it to other projects using the
includefunction. Available for all license types. - Use the
Compliance framework and pipelinemechanism. You can run it in any group project. Available for theUltimatelicense. - Copy pipeline sections to the
.gitlab-ci.ymlfile of your projects.
Extra materials
See examples of pipeline security prepared as part of Yandex Cloud Security Solution Library:
- Detecting vulnerabilities in CI/CD (
Ultimatelicense). - Detecting vulnerabilities in CI/CD (
Freelicense).
Recommendations on security settings for a GitLab instance
Tip
Before configuring an instance, see general recommendations on GitLab security.
Use these sets of recommendations to ensure security of your GitLab instance:
- For audit and analysis of security events, configure export of audit logs to a third-party event analysis system, e.g., Splunk.
- Sign commits using a GPG key.
- Organize the
approvalof changes to code by at least two people. This will help reduce the number of errors. - To prevent denial of service, use the
User and IP rate limits.
Working with Docker from inside GitLab
- Review best practices on the secure operation of Docker images.
- Operate Docker in
non-privilegedmode. Use thecap_addandcap_dropsettings to fine-tune the setup of container privileges. - For building secure containers, use kaniko.
- Do not use
Shell executor,Docker-in-Docker, andDocker socket bindingbecause this gives access toDocker socketandprivileged mode. For more information, see Securing GitLab CI pipelines with Sysbox.
Integration with Yandex Managed Service for Kubernetes
- For secure integration, use GitLab Agent for Kubernetes.
- To make it impossible to use service accounts with the
cluster-adminrole and open the Kubernetes API to the internet, do not use certificate-based integration. - To prevent connectivity of GitLab Runner and Kubernetes, deploy using the CI/CD tunnel.
Using variables
- To restrict access to variables, use the
Protect variablesetting. - To mask variables in logs, use the
Mask variablesetting. - Do not store secrets (such as keys, passwords, API tokens, and so on) in the code. To search for secrets in the code, use the Secret Scanning tool.
Access differentiation
- Provide access to your projects to a limited number of personnel. Grant employees only the minimum required rights.
- Configure access to projects using GitLab groups.
- Limit project connections only to specific IP addresses and enable two-factor authentication. To do this, go to Settings → General → Permissions, LFS, 2FA in the properties of the appropriate group.
- To grant your company users access to projects, configure SAML SSO.
- If possible, disable
forkusage.
Secure configuration for GitLab Runner
- Use the most isolated and safest
DockerandKubernetesexecutors. We do not recommend using the deprecatedShell executor. - To restrict network access to GitLab Runner, use security groups.
- Assign a service account to a virtual machine to interact with the cloud API from inside jobs. This approach is more secure than specifying credentials via
env.