GitLab CE includes web, API, git transport, CI/CD runners, container/package registry, and background workers. Harden all layers, not only the web UI.
# /etc/gitlab/gitlab.rb (example)
external_url "https://gitlab.example.com"
nginx['redirect_http_to_https'] = true
gitlab_rails['gitlab_default_can_create_group'] = false
gitlab_rails['gitlab_signup_enabled'] = false
gitlab_rails['gitlab_default_projects_features_container_registry'] = false
- Disable open sign-up unless explicitly required.
- Restrict default group creation to prevent uncontrolled namespace sprawl.
- Disable default features you do not use (for example, the container registry) to reduce attack surface.
- Reconfigure and validate after every change.
¶ 2) CI/CD and runner isolation
- Use dedicated runners for sensitive projects.
- Disable shared runners for high-trust internal groups when possible.
- Protect CI variables and scope them to protected branches/tags.
- Rotate runner registration/auth tokens and remove orphaned runners.
¶ 3) Secrets, SSH, and API controls
- Restrict access to /etc/gitlab/gitlab-secrets.json and backup artifacts.
- Enforce branch protections, signed commits where feasible, and approval rules.
- Limit personal/group/project access token scopes and lifetimes.
- Restrict admin and API endpoints with network controls for private deployments.
- Follow monthly GitLab security release announcements and patch quickly.
- Test upgrades in staging with representative repositories and pipelines.
- Validate rollback, backup restore, and post-upgrade migrations.
¶ Verification commands
sudo gitlab-rake gitlab:check SANITIZE=true
sudo grep -E "gitlab_signup_enabled|gitlab_default_can_create_group" /etc/gitlab/gitlab.rb
sudo gitlab-ctl status
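The grep above only shows that a line exists; it does not tell you whether the line is commented out or overridden later in the file. As an added example (not GitLab's own tooling or code from this page), the POSIX shell audit below reads the effective value of each hardening setting from a gitlab.rb, ignoring comment lines and honouring the last assignment, and flags every mismatch. The sample file, its path and the expected values are constructed here.

```shell
# Added example: audit a gitlab.rb for the hardening settings discussed above.
# Only the last uncommented assignment counts; a commented-out line leaves
# GitLab's built-in default (for sign-up: enabled) in effect.
# Print the effective value of KEY ($2) in FILE ($1); empty if never set.
gitlab_rb_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                 # whole-line comment
    {
      line = $0
      sub(/[[:space:]]*#.*$/, "", line)       # trailing comment (keys here contain no "#")
      eq = index(line, "=")
      if (eq == 0) next
      lhs = substr(line, 1, eq - 1); gsub(/[[:space:]]/, "", lhs)
      if (lhs != key) next
      rhs = substr(line, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", rhs)
      val = rhs                                # later assignments win, as in Ruby
    }
    END { print val }' "$1"
}
# Compare each expected setting against FILE ($1); print one FAIL line per
# mismatch and return 1 if any check failed. The heredoc is the expected-value table.
gitlab_rb_audit() {
  rc=0
  while read -r key want; do
    got=$(gitlab_rb_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key = ${got:-<unset>} (expected $want)"
      rc=1
    fi
  done <<'EOF'
nginx['redirect_http_to_https'] true
gitlab_rails['gitlab_signup_enabled'] false
gitlab_rails['gitlab_default_can_create_group'] false
gitlab_rails['gitlab_default_projects_features_container_registry'] false
EOF
  return $rc
}
# Constructed sample: the sign-up hardening was commented out instead of applied.
SAMPLE_RB=$(mktemp)
trap 'rm -f "$SAMPLE_RB"' EXIT
cat > "$SAMPLE_RB" <<'EOF'
external_url "https://gitlab.example.com"
nginx['redirect_http_to_https'] = true
# gitlab_rails['gitlab_signup_enabled'] = false
gitlab_rails['gitlab_default_can_create_group'] = false
gitlab_rails['gitlab_default_projects_features_container_registry'] = false
EOF
gitlab_rb_audit "$SAMPLE_RB" || echo "audit: hardening gaps found in $SAMPLE_RB"
```

Point the audit at /etc/gitlab/gitlab.rb and extend the heredoc with any further setting you enforce; note that the value of a key is checked only as text, so quoting must match.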
- GitLab hardening overview: https://docs.gitlab.com/security/hardening/
- Application hardening: https://docs.gitlab.com/security/hardening_application_recommendations/
- Configuration hardening: https://docs.gitlab.com/security/hardening_configuration_recommendations/
- OS hardening: https://docs.gitlab.com/security/hardening_operating_system_recommendations/
- GitLab release posts: https://about.gitlab.com/releases/categories/releases/