gitlab-org/gitlab

Security

How GitLab itself defends against abuse, builds defense in depth, and handles vulnerability disclosure.

For security features users get (SAST, DAST, etc.), see Security features. This page is about securing GitLab.

Trust boundaries

graph TB
    Internet
    Front[Front of house: Workhorse + NGINX]
    App[Rails app + Sidekiq]
    DB[(Database)]
    Repo[Gitaly]
    OS[(Object storage)]
    AIGW[AI Gateway]

    Internet --> Front
    Front --> App
    App --> DB
    App --> Repo
    App --> OS
    App --> AIGW

The internet boundary sits at the edge proxy / Workhorse.
The application boundary sits between Rails and the data services. Cross-DB queries are forbidden at runtime.
The AI boundary sits at AI Gateway; the monolith never calls LLMs directly.

Authentication

See Authentication. Highlights for security:

Session cookies are HTTPOnly + Secure + SameSite=Lax.
2FA is enforceable per-instance and per-group.
OAuth tokens have short-lived access tokens + refresh tokens.
All tokens are stored hashed at rest (Gitlab::Auth::CryptoHelper).
Token introspection logs every use; abuse detection runs on the pat_revoke events.

Authorization

See Authorization. Highlights:

All action checks go through declarative_policy; no ad-hoc current_user.admin? outside of policies.
Custom roles (EE) extend the access-level model with fine-grained permissions.
Cross-project access is gated by Gitlab::CrossProjectAccess.

Input safety

Markdown rendering passes through Banzai, which uses an allowlist HTML sanitizer.
File path traversal is blocked by Gitlab::Middleware::PathTraversalCheck.
URL fetching (webhooks, integrations) goes through gems/gitlab-http, which blocks SSRF target ranges (127.0.0.1, link-local, etc.).
Untrusted regexes use Gitlab::UntrustedRegexp (re2-backed) to prevent ReDoS.
Frontend escapes all user content by default; v-html usage is rare and reviewed.

Rate limiting and abuse

See Rate limiting.

Rack-attack throttles login, API, and password-reset paths.
ApplicationRateLimiter provides per-user/per-project throttles.
Spam check (Akismet + gitlab-spamcheck) flags suspicious user content.
lib/gitlab/anti_abuse/ (FOSS) and ee/lib/anti_abuse/ (EE) hold heuristics.

Audit and compliance

audit_events (partitioned table) records sensitive actions.
EE streams audit events to external SIEM via audit_events_streaming_destination.
Compliance frameworks (EE) attach to projects and enforce merge rules.

Secrets

lib/gitlab/encryption/, gems/gitlab-glaz, and Gitlab::CryptoHelper handle data encryption.
Devise.secret_key_base plus per-attribute attr_encrypted for tokens stored in DB.
KMS-style key derivation supported via lib/gitlab/encryption/.
Push-time secret detection uses gems/gitlab-secret_detection.

CSP and frame defenses

A strict Content-Security-Policy is built by Gitlab::ContentSecurityPolicy.
Subresource integrity (SRI) hashes are emitted for static bundles.
The frontend rejects framing except for designated paths (X-Frame-Options, CSP frame-ancestors).

Vulnerability disclosure

Reports go to https://about.gitlab.com/security/disclosure/ via HackerOne.
Internal security issues live in https://gitlab.com/gitlab-org/security/gitlab, a private mirror.
The .gitlab-ci.yml has special branches for security-canonical syncs.

CI security

The CI scripts (scripts/security-harness, scripts/ingest-reports-to-siem) feed security-scan reports into internal SIEM.
scripts/semgrep_result_processor.rb triages Semgrep findings.
.gitleaks.toml and .gitleaksignore keep secrets out of the codebase.

Cryptography choices

Ruby OpenSSL ≥ 3.3.
FIPS mode (lib/gitlab/fips.rb) for U.S. federal deployments — restricts to FIPS-approved algorithms.
All TLS traffic uses TLS 1.2+; configurable.

Supply chain

Gemfile.checksum (committed) records expected gem checksums; bundler-checksum (gems/bundler-checksum/) verifies during install.
dependency_decisions.yml records license review decisions.
Container images use UBI (Red Hat Universal Base Image) for FIPS variants.

Authentication, Authorization, Rate limiting.
Security features — what GitLab offers customers.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.