Merge requests for confidential issues

Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

Merge requests in a public repository are also public, even when you create a merge request for a confidential issue. To avoid leaking confidential information when working on a confidential issue, create your merge request from a private fork in the same namespace.

Roles are inherited from parent groups. If you create your private fork in the same namespace (same group or subgroup) as the original (public) repository, developers receive the same permissions in your fork. This inheritance ensures:

  • Developer users have the needed permissions to view confidential issues and resolve them.
  • You do not need grant individual users access to your fork.

To learn more, see Patch release runbook for GitLab engineers: Preparing security fixes for a patch release.

Create a confidential merge request

Branches are public by default. To protect the confidentiality of your work, you must create your branches and merge requests in the same namespace, but downstream in a private fork. If you create your private fork in the same namespace as the public repository, your fork inherits the permissions of the upstream public repository. Users with the Developer role for the upstream public repository inherit those upstream permissions in your downstream private fork without action by you. These users can immediately push code to branches in your private fork to help fix the confidential issue.

caution
Your private fork might expose confidential information if you create it in a different namespace than the upstream repository. The two namespaces might not contain the same users.

Prerequisites:

  • You have the Owner or Maintainer role for the public repository, as you need one of these roles to create a subgroup.
  • You have forked the public repository.
  • Your fork has a Visibility level of Private.

To create a confidential merge request:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Plan > Issues and find the issue you want to create a merge request for.
  3. Scroll below the issue description, and select Create confidential merge request.
  4. Select the item that meets your needs:
    • To create both a branch and a merge request, select Create confidential merge request and branch. Your merge request will target the default branch of your fork, not the default branch of the public upstream project.
    • To create only a branch, select Create branch.
  5. Select a Project to use. These projects have merge requests enabled, and you have the Developer role (or greater) in them.
  6. Provide a Branch name, and select a Source (branch or tag). GitLab checks whether these branches are available in your private fork, because both branches must be available in your selected fork.
  7. Select Create.

This merge request targets your private fork, not the public upstream project. Your branch, merge requests, and commits remain in your private fork. This prevents prematurely revealing confidential information.

Open a merge request from your fork to the upstream repository when:

  • You believe the problem is resolved in your private fork.
  • You are ready to make the confidential commits public.