GitLab Connection

Making the initial connection to GitLab

Updated over a month ago

Connecting GitLab to Drata allows for the automated tests and evidence collection to prove to auditors that your company follows its software development lifecycle procedures.

Prerequisite

  • GitLab Premium or Ultimate subscription: If you have a GitLab Premium or Ultimate subscription, you can restrict group access by IP address.

  • GitLab's access requirement: Make sure you have at least 'Maintainer' access to your company's GitLab account, including your in-scope Groups and Projects.

  • MFA requirement: To enable MFA, see our GitLab MFA configurations article.

    • If a user belongs to a group without MFA enabled, that user will appear as not having MFA on the Manage Connected Version Control Accounts page in Drata.

    • This will also cause them to fail Test 87 - MFA on Version Control System.

  • Enforce MFA sync:

    • If MFA is enforced at the parent group level and subgroups are not allowed their own MFA setting, remove the user’s direct membership from the subgroup (ensuring they remain a member through inherited membership). After the next user sync, the MFA status will update correctly.

      • This is because, even though the GitLab UI indicates that the subgroup MFA is inherited from the parent group, the GitLab REST API reports that the subgroup does not have MFA turned on. Even when 2-Factor Authentication (2FA) is enforced at the parent group level and subgroups are not allowed their own 2FA settings, the API still incorrectly reports that 2FA is not enabled for those subgroups.

    • If you allow subgroups to set their own MFA, users can have both direct and inherited membership, but you must ensure MFA is enabled for every subgroup. Any direct member of a subgroup without MFA will show as not having MFA, regardless of other settings or memberships.

Verify members' group membership:

You can scroll through the group members list to find direct memberships, or filter/search the list.

Drata syncs only users with direct group membership, not those who are only direct members of projects or who hold only inherited group membership. To verify a member's group membership, follow these steps:

  1. Navigate to the relevant Project.

  2. In the left-hand menu, under Manage, select Members.

  3. Verify "direct" or "inherited" under the Source column in the group member list.
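The MFA sync rules and the direct-versus-inherited membership distinction above can be checked ahead of a sync. The following is an added example, not Drata's or GitLab's own code: it reads groups and their direct members from the GitLab REST API (the `require_two_factor_authentication` group field and the `/members` and `/descendant_groups` endpoints are real; `base_url`, `token` and the sample data are constructed for illustration) and reports which direct subgroup memberships will show as lacking MFA, along with the fix the page describes.

```python
# Added example, not Drata's or GitLab's own code: apply the sync rules above to find
# users who will show in Drata as lacking MFA because of a direct subgroup membership.
import json
from urllib.request import Request, urlopen

def fetch(base_url, token, path):
    """GitLab REST API v4 GET using a read_api token (assumes a reachable instance)."""
    req = Request(f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token})
    with urlopen(req) as resp:
        return json.load(resp)

def load_group_tree(base_url, token, parent_id):
    """Parent plus descendant groups, each with its DIRECT members (/members, not
    /members/all). Result pages beyond the first 100 items are not fetched here."""
    groups = [fetch(base_url, token, f"/groups/{parent_id}")]
    groups += fetch(base_url, token, f"/groups/{parent_id}/descendant_groups?per_page=100")
    return [{"group": g, "members": fetch(base_url, token, f"/groups/{g['id']}/members?per_page=100")}
            for g in groups]

def users_flagged_without_mfa(group_tree):
    """Flag a user when any group they are a DIRECT member of reports
    require_two_factor_authentication false; inherited membership does not rescue them."""
    flagged = {}
    for entry in group_tree:
        if entry["group"].get("require_two_factor_authentication"):
            continue
        for member in entry["members"]:
            flagged.setdefault(member["username"], []).append(entry["group"]["full_path"])
    return flagged

def remediation(group_tree, flagged):
    """Drop the direct subgroup membership if the user is a direct member of an enforcing
    ancestor (access stays inherited); otherwise MFA must be enforced on the subgroup."""
    enforcing = {(m["username"], e["group"]["full_path"]) for e in group_tree
                 if e["group"].get("require_two_factor_authentication") for m in e["members"]}
    return {(user, path): "remove direct subgroup membership"
            if any(u == user and path.startswith(p + "/") for u, p in enforcing)
            else "enforce MFA on subgroup"
            for user, paths in flagged.items() for path in paths}

# Constructed sample shaped like the API responses: bob is a direct member of both the
# enforcing parent and a non-enforcing subgroup, so he will sync as lacking MFA.
SAMPLE_TREE = [
    {"group": {"id": 1, "full_path": "acme", "require_two_factor_authentication": True},
     "members": [{"username": "alice"}, {"username": "bob"}]},
    {"group": {"id": 2, "full_path": "acme/platform", "require_two_factor_authentication": False},
     "members": [{"username": "bob"}]},
    {"group": {"id": 3, "full_path": "acme/mobile", "require_two_factor_authentication": True},
     "members": [{"username": "carol"}]},
]
```

Against a real instance, build the tree with `load_group_tree(base_url, token, parent_id)` and pass it to `remediation(tree, users_flagged_without_mfa(tree))`; on the constructed sample, only bob's direct membership in acme/platform is reported, with the advice to remove that direct membership.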

Connect GitLab

  1. Select Connections on the side navigation menu.

  2. Select the Available connections tab, search for 'GitLab', and select the Connect button for the GitLab integration.

  3. Follow the instructions on the connection drawer. You may be redirected to GitLab to complete the connection.

    • OAuth: The primary way to connect GitLab is through OAuth. The following read API permissions are required when connecting GitLab through OAuth:

      • View Groups

      • View Users

      • View Projects

      • View Project Members

      • Branch protection settings

    • Personal Access Token: Alternatively, you can use a Personal Access Token (PAT) to connect. This option is disabled by default. If you prefer to connect through PAT, contact Drata's support team to enable the PAT authentication method. Once PAT is enabled, you must generate a Personal Access Token in your GitLab instance with the appropriate permissions:

      • read_api

      • read_user

Monitoring tests covered

  • Test 6: Only Authorized Employees Access Version Control

  • Test 7: Only Authorized Employees Change Code

  • Test 8: Formal Code Review Process

  • Test 9: Production Code Changes Restricted

  • Test 87: MFA on Version Control System

  • Test 94: Version Control Accounts Removed Properly
