Connecting to GitLab

Making the initial connection to GitLab

Written by Ashley Hyman
Updated this week

HERE'S WHY

Connecting GitLab to Drata enables automated tests and evidence collection that demonstrate to auditors that your company follows its software development lifecycle procedures.

BEFORE DIVING IN

  • Make sure you have at least 'Maintainer' access to your company's GitLab account, including your in-scope Groups and Projects.

  • NOTE: Drata can only see MFA that is enforced at the GitLab group level. Update your GitLab group settings accordingly.

    • GitLab does not expose per-user MFA status over its API, only the group-level MFA setting. If a user is a member of a group that does not require MFA, that user shows as false on the Manage Connected Version Control Accounts page in Drata and fails Test 87 - MFA on Version Control System.

      1. If you enforce MFA at the parent group level and do not allow subgroups to set their own MFA, find anyone who holds both a direct and an inherited membership in such a subgroup and remove their direct membership. Although the GitLab UI shows that the subgroup inherits MFA from its parent, the GitLab REST API reports MFA as false for the subgroup. Once the user is only an inherited member of the subgroup (and still a direct member of the parent group), MFA will show as true after the next user sync.

      2. Conversely, if you do allow subgroups to set their own MFA, users can hold both direct and inherited memberships, but you must then check every current and future subgroup to ensure MFA is enabled on it. Any direct member of a subgroup without MFA enabled will show as false, regardless of their personal MFA settings or their membership in other groups that do have MFA enabled.

      3. We recommend both scrolling through the group members list to find direct memberships and running an explicit filter/search on the list, since direct memberships are easy to miss in a long list.

  • Drata syncs only users who are direct members of Groups. Drata does not currently sync users who are only direct members of Projects, nor does it sync users who are only inherited members of a Group. You can verify the source of any member's membership via the following steps:

    1. Navigate to the Group or Project in question. In the left-hand menu under "Manage," select "Members."

    2. Check the Source column in the members list: it shows whether each membership is direct or inherited (and, if inherited, from which group).
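The membership and MFA checks described above can be scripted instead of done by scrolling through the members list. The following is an added example, not Drata's or GitLab's own code: it walks a group tree and flags every direct membership in a subgroup whose API-reported MFA setting is false, distinguishing users who also hold a direct membership in an ancestor group (remove the subgroup membership) from users reachable only through that subgroup (enable MFA on the subgroup or move them to the parent). The sample groups and members are constructed to mirror the shape of the GitLab REST API responses for `GET /groups/:id` and `GET /groups/:id/members`; the `load_from_gitlab` helper pulls the same structures from a live instance using those endpoints plus `GET /groups/:id/descendant_groups`, and assumes a personal access token with the `read_api` scope. The `action` labels are this example's own names, not Drata or GitLab terminology.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample data shaped like GitLab REST API responses
# (GET /groups/:id and GET /groups/:id/members). Not a real instance.
GROUPS = {
    10: {"id": 10, "full_path": "acme", "parent_id": None,
         "require_two_factor_authentication": True},
    # In the GitLab UI these subgroups show 2FA as inherited from "acme";
    # the REST API still reports require_two_factor_authentication = False.
    11: {"id": 11, "full_path": "acme/platform", "parent_id": 10,
         "require_two_factor_authentication": False},
    12: {"id": 12, "full_path": "acme/platform/infra", "parent_id": 11,
         "require_two_factor_authentication": False},
}
DIRECT_MEMBERS = {  # GET /groups/:id/members returns direct members only
    10: [{"id": 1, "username": "alice"}, {"id": 2, "username": "bob"}],
    11: [{"id": 1, "username": "alice"}, {"id": 3, "username": "carol"}],
    12: [{"id": 2, "username": "bob"}],
}


def ancestors(groups, group_id):
    """Yield parent, grandparent, ... of a group by following parent_id."""
    parent = groups[group_id]["parent_id"]
    while parent is not None and parent in groups:
        yield parent
        parent = groups[parent]["parent_id"]


def effective_mfa(groups, group_id):
    """What the UI shows: MFA is enforced if the group or any ancestor requires it."""
    chain = [group_id, *ancestors(groups, group_id)]
    return any(groups[g]["require_two_factor_authentication"] for g in chain)


def audit_direct_memberships(groups, direct_members):
    """Flag direct memberships in subgroups that the API reports as MFA-off.

    One finding per (user, subgroup) pair, with an action label of this example's own:
      remove_direct_membership - user is also a direct member of an ancestor group,
                                 so the subgroup membership is redundant and only
                                 makes the API-based MFA check report false
      direct_only_membership   - user is reachable only through this subgroup;
                                 enable MFA on the subgroup or move the user up
    """
    findings = []
    for gid, group in groups.items():
        if group["parent_id"] is None or group["require_two_factor_authentication"]:
            continue  # top-level groups and subgroups with their own MFA are fine
        inherited_from = {
            m["id"] for a in ancestors(groups, gid) for m in direct_members.get(a, [])
        }
        for member in direct_members.get(gid, []):
            action = ("remove_direct_membership" if member["id"] in inherited_from
                      else "direct_only_membership")
            findings.append({"username": member["username"],
                             "group": group["full_path"],
                             "ui_shows_mfa": effective_mfa(groups, gid),
                             "api_reports_mfa": False,
                             "action": action})
    return findings


def _get_all(base_url, token, path, params=None):
    """Follow GitLab's X-Next-Page pagination and return the concatenated JSON list."""
    items, page = [], "1"
    while page:
        query = urllib.parse.urlencode({**(params or {}), "per_page": 100, "page": page})
        req = urllib.request.Request(f"{base_url}/api/v4{path}?{query}",
                                     headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            items.extend(json.load(resp))
            page = resp.headers.get("X-Next-Page", "")
    return items


def load_from_gitlab(base_url, token, root_group_id):
    """Build the same structures as GROUPS/DIRECT_MEMBERS from a live instance."""
    req = urllib.request.Request(f"{base_url}/api/v4/groups/{root_group_id}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        root = json.load(resp)
    groups = {root["id"]: root}
    for g in _get_all(base_url, token, f"/groups/{root_group_id}/descendant_groups"):
        groups[g["id"]] = g
    members = {gid: _get_all(base_url, token, f"/groups/{gid}/members") for gid in groups}
    return groups, members


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in load_from_gitlab(...) for a real audit.
    for f in audit_direct_memberships(GROUPS, DIRECT_MEMBERS):
        print(f"{f['username']:<8} {f['group']:<24} ui_mfa={f['ui_shows_mfa']} "
              f"api_mfa={f['api_reports_mfa']} -> {f['action']}")
```

On the sample data, `alice` and `bob` are flagged for removal from their subgroups (they are already direct members of `acme`), while `carol` is flagged as reachable only through `acme/platform`. Note that `effective_mfa` reports true for every subgroup, matching the UI, while the raw `require_two_factor_authentication` field is false, which is exactly the mismatch that makes an API-based MFA check report these users as false.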

HERE'S HOW

Follow these instructions to connect GitLab to Drata:


1. Select "Connections" on the side navigational menu.

2. Select the 'Available connections' tab, search for 'GitLab', and select the Connect button on the GitLab integration.

3. Follow the instructions in the connection drawer.

  • The connection uses the following read-only API permissions:

    • View Groups

    • View Users

    • View Projects

    • View Project Members

    • Branch protection settings

Monitoring tests covered

  • Test 6: Only Authorized Employees Access Version Control

  • Test 7: Only Authorized Employees Change Code

  • Test 8: Formal Code Review Process

  • Test 9: Production Code Changes Restricted

  • Test 87: MFA on Version Control System

  • Test 94: Version Control Accounts Removed Properly
