Product Security Knowledge Base

GitLab Security Baseline

Purpose: this page is the short entry point for GitLab hardening and delivery-control design. It helps reviewers decide whether they should focus on the platform plane, the runner plane, or the environment and approval plane first.

Minimum baseline

  • protect production-like environments and define who may deploy;
  • separate platform administration from runner administration where possible;
  • avoid privileged shared runners unless they are isolated, justified, and monitored;
  • keep secrets scoped to the smallest project, environment, and pipeline context that still works;
  • make deployment approvals and evidence part of the release path, not an afterthought.
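The baseline above can be checked mechanically. The following is an added example (not the knowledge base's own tooling) that evaluates each plane against records shaped like GitLab REST API responses; the sample records are constructed, and the runner `privileged` field is an assumption mirroring `config.toml`, since the API does not expose it.

```python
# Added example, not taken from the knowledge base page or from GitLab.
# Scores the baseline items against records shaped like GitLab REST API
# responses (protected environments, CI/CD variables, runners). The runner
# 'privileged' field is assumed to mirror [runners.docker] privileged in config.toml.
MAINTAINER = 40  # GitLab access level; Developer is 30
PROD_LIKE = ("production",)

def check_environments(envs):
    """Production-like environments: protected, Maintainer-only, approved."""
    findings, by_name = [], {e["name"]: e for e in envs}
    for name in PROD_LIKE:
        env = by_name.get(name)
        if env is None:
            findings.append(f"{name}: not a protected environment")
            continue
        for lvl in env.get("deploy_access_levels", []):
            role_grant = not (lvl.get("user_id") or lvl.get("group_id"))
            if role_grant and lvl.get("access_level", 0) < MAINTAINER:
                findings.append(f"{name}: deployable by role below Maintainer")
        if env.get("required_approval_count", 0) < 1:
            findings.append(f"{name}: no deployment approval required")
    return findings

def check_variables(variables):
    """Secrets: protected, masked, and scoped to one environment."""
    findings = []
    for v in variables:
        if v.get("environment_scope", "*") == "*":
            findings.append(f"{v['key']}: scoped to every environment")
        if not v.get("protected"):
            findings.append(f"{v['key']}: available to unprotected refs")
        if not v.get("masked"):
            findings.append(f"{v['key']}: not masked in job logs")
    return findings

def check_runners(runners):
    """Shared runners: never privileged, never picking up untagged jobs."""
    findings = []
    for r in runners:
        if r.get("is_shared") and r.get("privileged"):
            findings.append(f"{r['description']}: shared and privileged")
        if r.get("is_shared") and r.get("run_untagged"):
            findings.append(f"{r['description']}: shared and runs untagged jobs")
    return findings

# Constructed sample records: one weak setting per plane.
ENVS = [{"name": "production", "deploy_access_levels": [{"access_level": 30}], "required_approval_count": 0}]
VARS = [{"key": "DEPLOY_TOKEN", "protected": False, "masked": True, "environment_scope": "*"}]
RUNNERS = [{"description": "shared-docker", "is_shared": True, "privileged": True, "run_untagged": False}]
```

Run the three checks over a project's real API output to get a per-plane finding list before deciding which plane to review first.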

Useful reminder

A GitLab review is incomplete if it only looks at .gitlab-ci.yml. The real trust model spans projects, groups, runners, environments, artifacts, variables, approvals, and who can merge what.