GitLab Hardening Recommendations

Tier: Free, Premium, Ultimate. Offering: GitLab Self-Managed, GitLab Dedicated.

This documentation is for GitLab instances where the overall system can be "hardened" against common and even not-so-common attacks. It is not designed to completely eradicate attacks, but to provide strong mitigation and thereby reduce overall risk. Some of the techniques apply to any GitLab deployment, such as SaaS or self-managed, while other techniques apply to the underlying OS.

These techniques are a work in progress, and have not been tested at scale (such as in large environments with many users). They have been tested on a self-managed single instance running a Linux package installation, and while many of the techniques can be translated to other deployment types, they may not all work or apply.

Most of the listed recommendations give specific settings, or reference choices you can make, based upon the general documentation. Hardening may affect features your users specifically want or depend on, so you should communicate with users and do a phased rollout of hardening changes.

The hardening instructions are in five categories for easier understanding. They are listed in the following section.

GitLab hardening general concepts

This details information on hardening as an approach to security and some of the larger philosophies. For more information, see hardening general concepts.

GitLab application settings

These are settings applied to the application itself using the GitLab GUI. For more information, see application recommendations.

GitLab CI/CD settings

CI/CD is a core component of GitLab, and while how you apply security principles depends on your needs, there are several things you can do to make your CI/CD more secure. For more information, see CI/CD Recommendations.

GitLab configuration settings

Settings in configuration files that control and configure the application (such as gitlab.rb) are documented separately. For more information, see the configuration recommendations.

Operating System settings

You can adjust the underlying operating system to increase overall security. For more information, see the operating system recommendations.

NIST 800-53 compliance

You can configure GitLab Self-Managed to enforce compliance with the NIST 800-53 security standard. For more information, see NIST 800-53 compliance.