Assess the configuration of GitLab organizations and repositories with cnspec
Rely on cnspec to ensure your GitLab groups and projects follow recommended security and operational best practices.
Give cnspec access using a GitLab personal access token
To scan GitLab groups and projects, cnspec needs access. You give cnspec the access it needs through the GitLab API. First, you create GitLab personal access token. Then you provide that token with cnspec commands. The token's level of access determines how much information cnspec can retrieve.
To learn how to create a personal access token, read Personal access tokens in the GitLab documentation.
Scan GitLab groups and projects
To scan the configuration of a GitLab group, run this command:
cnspec scan gitlab --group <GROUP_NAME> --token <YOUR_TOKEN>
To scan all the groups you have access to, run this command:
cnspec scan gitlab --discover projects --token <YOUR_TOKEN>
To scan a project, run this command:
cnspec scan gitlab --group <GROUP_NAME> --project <PROJECT_NAME> --token <YOUR_TOKEN>
To scan all projects in a group, run this command:
cnspec scan gitlab --group <GROUP_NAME> --discover projects --token <YOUR_TOKEN>
To scan all Terraform files in all the projects discovered in all the groups you have access to, run this command:
cnspec scan gitlab --discover terraform --token <YOUR_TOKEN>
Example checks
Run cnspec shell --token <YOUR_TOKEN>
to open the cnspec interactive shell. From there you can make checks like the examples below.
Ensure group email notifications are disabled for a GitLab group:
cnspec> gitlab.group.emailsDisabled
[failed] gitlab.group.emailsDisabled
expected: == true
actual: false
Ensure the GitLab group is private:
cnspec> gitlab.group.visibility=="private"
[ok] value: "private"
Learn more
-
To learn about all the GitLab resources and properties, read the Mondoo GitLab Resource Pack Reference.
-
To learn how to write checks, read Write Effective MQL.