ClarioSec
Integration

GitLab

Discover groups, subgroups, projects and **members/access levels**, protected branches & tags, merge request approvals & rules, CI/CD runners/variables/environments, deploy keys, webhooks and audit log signals. Govern non-human identities and their effective permissions — stop risky actions before impact.
Overview
What the connector discovers
  • Groups, Subgroups, Projects
    Hierarchy, visibility, default branch & settings; transfer history; shared groups/projects and project forks.
  • Members & Access Levels
    Owner/Maintainer/Developer/Reporter/Guest roles at group/project; inherited vs direct members; external users.
  • Protected Branches & Tags
    Rules to push/merge, approvals required, status checks, allowed users/groups, protected tags & release process guardrails.
  • Merge Request Approvals & Rules
    Approval rules (min count, CODEOWNERS, security approvals), pipelines required to pass, squash/rebase enforcement and bypass patterns.
  • CI/CD: Runners, Pipelines, Variables & Environments
    Shared/specific runners, ephemeral runners, protected variables, masked variables, environment approvals and deployment rules.
  • Deploy Keys & Access Tokens
    Project/group access tokens, personal access tokens (metadata), deploy keys (read-only vs write) and rotation windows.
  • Webhooks, Integrations & Audit Events
    Project/group/system hooks (endpoints), integrations (Jira, Slack, etc.) and audit events for installs, permissions and security settings.
  • Effective Permissions
    Identity (app/token/runner) → permissions/policy → project/environment → allowed actions at time of execution.

Why it matters

GitLab unifies code, CI/CD and environments. Apps, tokens, runners and variables can move code and secrets at scale. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.

Focus areas: CI/CD least privilege, secrets & token hygiene, pre-execution controls, explainable decisions.
Drift-aware risk scoring

Baselines per app/token/runner; peer groups by project/team; detect permission expansion, missing protections, ownerless hooks, stale tokens/keys and anomalous variable/env access in pipelines.

Pre-execution enforcement

Allow / Alert / Block / Approve with governed overrides. Minimize app/token permissions, enforce approvals/protections and require JIT approval before privileged jobs or secret reads.

Audit-grade narratives

Every decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after permissions, affected repos/environments and owner context.

Setup
Connect GitLab (SaaS or self-managed)

Use a **Personal Access Token (PAT)** with read scopes, or a **Group/Project Access Token** with least privilege. For Enterprise/self-managed, provide the **base URL** of your instance.

  1) Identify your instance URL
     GitLab SaaS: https://gitlab.com — Self-managed: https://gitlab.yourdomain (API path /api/v4).
  2) Create a token (least privilege)
     Recommended PAT scopes: read_api, read_user, read_repository, read_registry. For group/project tokens, grant only the minimal read scopes needed for discovery.
  3) Add in ClarioSec
     Open the GitLab connector and paste the Base URL (if self-managed) and Token. We store credentials per tenant and honor rate limits.
  4) Optional — Webhooks
     Configure system/project hooks (merge request, push, tag, pipeline, job) to enrich runtime governance.

Data collected

High-value signals via GitLab REST/GraphQL (metadata only):

  • Groups/subgroups/projects, visibility and default branch settings
  • Members & access levels (inherited/direct), external users & groups
  • Protected branches/tags, approval rules, required pipelines/checks
  • CI/CD: runners, variables (masked/protected), environments & approvals
  • Deploy keys, personal/group/project tokens (metadata), rotation windows
  • Project/group/system hooks, integrations and audit events

Endpoint family: REST v4 & GraphQL (Groups, Projects, Members, Protected Branches, Approvals, Runners, Variables, Hooks, Audit).

Common risks caught
  • Missing protections & broad access
    Unprotected default branches, low approval counts, developers with direct push to protected branches, broad group shares.
  • Runner exposure & secret leakage
    Shared runners across many projects, unpinned images, masked variables not enforced, secrets echoed in logs.
  • Ownerless hooks & stale tokens
    Project hooks to external endpoints without owners; long-lived tokens and deploy keys not rotated.
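The checks behind the first risk bullet above, written as an added example for this page (not ClarioSec's connector code). Field names follow the GitLab REST v4 response shapes named in the setup and data sections (`default_branch`, `protected_branches` with `push_access_levels`, `approval_rules` with `approvals_required`); the project records are constructed samples, and the `min_approvals` threshold is an assumed policy value.

```python
"""Default-branch protection and approval checks over GitLab REST v4 metadata."""
from fnmatch import fnmatch

# REST v4 access levels used in push_access_levels / merge_access_levels:
# 0 = no one, 30 = Developer, 40 = Maintainer.
NO_ACCESS, DEVELOPER, MAINTAINER = 0, 30, 40


def api_url(base_url: str, path: str) -> str:
    """Build a REST v4 URL from the instance base URL (SaaS or self-managed)."""
    return f"{base_url.rstrip('/')}/api/v4/{path.lstrip('/')}"


def check_project(project: dict, protected: list[dict], rules: list[dict],
                  min_approvals: int = 2) -> list[str]:
    """Return findings for one project's default branch.

    project:   GET /projects/:id                    (uses default_branch)
    protected: GET /projects/:id/protected_branches (name may be a wildcard)
    rules:     GET /projects/:id/approval_rules     (approvals_required)
    """
    findings = []
    default = project["default_branch"]
    # Protected-branch names are glob patterns, so match the way GitLab does.
    rule = next((p for p in protected if fnmatch(default, p["name"])), None)
    if rule is None:
        findings.append(f"{default}: unprotected default branch")
    else:
        if any(a["access_level"] == DEVELOPER for a in rule["push_access_levels"]):
            findings.append(f"{default}: developers can push directly")
        if rule.get("allow_force_push"):
            findings.append(f"{default}: force push allowed")
    # Strongest rule wins; a project with no rules requires zero approvals.
    required = max((r["approvals_required"] for r in rules), default=0)
    if required < min_approvals:
        findings.append(f"approvals_required={required} below {min_approvals}")
    return findings


# Constructed samples: one hardened project, one with gaps.
HARDENED = (
    {"default_branch": "main"},
    [{"name": "main", "allow_force_push": False,
      "push_access_levels": [{"access_level": MAINTAINER}]}],
    [{"name": "Default", "approvals_required": 2}],
)
RISKY = (
    {"default_branch": "release-1"},
    [{"name": "release-*", "allow_force_push": True,
      "push_access_levels": [{"access_level": DEVELOPER}]}],
    [{"name": "Default", "approvals_required": 0}],
)
```

Feed the same three calls' JSON (sent with a `PRIVATE-TOKEN` header holding the read_api PAT from the setup steps) into `check_project` to run it against a live instance.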

Governance outcomes
  • Just-in-time approvals for privileged jobs & secret reads
  • Automatic permission minimization & rotation guidance (tokens/keys)
  • Enforce protected branches/tags and approval rules for sensitive repos
  • Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern GitLab apps, runners and secrets at runtime?

Move from repo posture to provable behavior — identity → permission → action → narrative.

ClarioSec

Runtime governance for SaaS & AI agents. Discover non-human identities, score drift, enforce policies, and generate audit-grade explanations.


© 2025 ClarioSec. All rights reserved.