GitLab Hardening Recommendations (FREE SELF)
This documentation is for GitLab instances where the overall system can be "hardened" against common and even not-so-common attacks. It is not designed to completely eradicate attacks, but to provide strong mitigation thereby reducing overall risk. Some of the techniques apply to any GitLab deployment, such as SaaS or self-managed, while other techniques apply to the underlying OS.
These techniques are a work in progress, and have not been tested at scale (such as a large environments with many users). They have been tested on a self-managed single instance running a Linux package installation, and while many of the techniques can translated to other deployment types, they may not all work or apply.
Most of the listed recommendations provide specific recommendations or reference choices one can make based upon the general documentation. Through hardening, there may be impact to certain features your users may specifically want or depend on, so you should communicate with users and do a phased rollout of hardening changes.
The hardening instructions are in five categories for easier understanding. They are listed in the following section.
GitLab hardening general concepts
This details information on hardening as an approach to security and some of the larger philosophies. For more information, see hardening general concepts.
GitLab application settings
Application settings made using the GitLab GUI to the application itself. For more information, see application recommendations.
GitLab CI/CD settings
CI/CD is a core component of GitLab, and while application of security principles are based upon needs, there are several things you can do to make your CI/CD more secure. For more information, see CI/CD Recommendations.
GitLab configuration settings
Configuration file settings used to control and configure the
application (such as
gitlab.rb) are documented separately. For more information, see the
Operating System settings
You can adjust the underlying operating system to increase overall security. For more information, see the operating system recommendations.