PS Product Security Knowledge Base

🦊 GitLab System Security Baseline

GitLab platform baseline

Intro: GitLab is simultaneously a source-code platform, a CI engine, an artifact hub, and a release-control plane. Hardening it therefore means hardening both the application platform and the runner boundary, since a runner executes untrusted job code on behalf of the platform.

Platform baseline

external_url 'https://gitlab.example.com'
nginx['redirect_http_to_https'] = true
gitlab_rails['gitlab_default_can_create_group'] = false
gitlab_rails['gitlab_signup_enabled'] = false
gitlab_rails['gitlab_restricted_visibility_levels'] = ['public']

Runner baseline

[[runners]]
  name = "isolated-docker-runner"
  executor = "docker"
  environment = ["FF_ENABLE_JOB_CLEANUP=1"]
  [runners.docker]
    privileged = false
    pull_policy = "always"
    disable_cache = true
    cap_drop = ["ALL"]

Control goals

  • isolate runners from the GitLab application plane
  • avoid privileged runners except in isolated special cases
  • protect variables, branches, tags, and environments
  • use pinned CI/CD components
  • retain evidence, backups, and auditability
