
Secure GitLab with Mondoo

Continuously scan GitLab groups for misconfigurations and vulnerabilities.

Mondoo continuously scans GitLab groups for misconfigurations and vulnerabilities. Deploy the integration once and Mondoo keeps assessments up to date as the group changes.

To scan Kubernetes manifests, Terraform configurations, or Docker containers inside a GitLab CI/CD pipeline, read Scan in GitLab CI/CD instead.

Prerequisites

  • Editor or Owner access to the Mondoo space
  • Access to a GitLab group

Create a GitLab personal access token

A personal access token gives Mondoo permission to read GitLab resources on your behalf. To learn more, see Create a personal access token in the GitLab documentation.

  1. Log into GitLab. In the upper-left, select your profile photo, then Edit Profile.

  2. In the left sidebar, select Access Tokens.

  3. Select Add new token and enter a name (for example, mondoo-frontend-repo).

  4. Choose an Expiration date. Note it so you can rotate the token before it lapses.

  5. Under Select scopes, check:

    • read_api
    • read_user
    • read_repository
    • read_registry
  6. Select Create a personal access token and copy the value. You need it in the next section.
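Before pasting the token into Mondoo, it is worth confirming that it carries exactly the four scopes above and is not about to expire. The script below is an added example, not Mondoo's or GitLab's own code; it calls GitLab's GET /api/v4/personal_access_tokens/self endpoint, reads the token from a GITLAB_TOKEN environment variable (a name assumed here), and includes a constructed sample response so the check itself runs offline.

```python
import json
import os
import urllib.request
from datetime import date

# Scopes the Mondoo integration needs, exactly as listed in the steps above.
REQUIRED_SCOPES = {"read_api", "read_user", "read_repository", "read_registry"}
# Constructed sample of what GET /api/v4/personal_access_tokens/self returns
# for a token that was created with the wrong scopes; not a real token record.
SAMPLE_RESPONSE = {
    "name": "mondoo-frontend-repo", "scopes": ["api", "read_user"],
    "active": True, "revoked": False, "expires_at": "2025-01-05",
}

def fetch_token_info(base_url: str, token: str) -> dict:
    """Ask GitLab to describe the token itself (endpoint exists in GitLab 16+)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def check_token(info: dict, today: date, min_days_left: int = 14) -> list:
    """Return the problems found; an empty list means the token is ready for Mondoo."""
    problems = []
    scopes = set(info.get("scopes", []))
    missing = REQUIRED_SCOPES - scopes
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    # Broader scopes such as api or write_* widen the blast radius if the token leaks.
    extra = scopes - REQUIRED_SCOPES
    if extra:
        problems.append("scopes beyond the minimum: " + ", ".join(sorted(extra)))
    if info.get("revoked") or not info.get("active", True):
        problems.append("token is revoked or inactive")
    expires = info.get("expires_at")
    if not expires:
        problems.append("token has no expiration date")
    else:
        days_left = (date.fromisoformat(expires) - today).days
        if days_left < 0:
            problems.append(f"token expired {-days_left} day(s) ago")
        elif days_left < min_days_left:
            problems.append(f"token expires in {days_left} day(s); rotate it soon")
    return problems

def check_live_token(base_url: str = "https://gitlab.com") -> list:
    """Check the token in the GITLAB_TOKEN environment variable (name assumed here)."""
    return check_token(fetch_token_info(base_url, os.environ["GITLAB_TOKEN"]), date.today())
```

Pass your self-hosted base URL to check_live_token when you do not use gitlab.com; an empty result means the token matches the scopes Mondoo expects.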

Add a GitLab integration

In the Mondoo App, navigate to the space where you want to add the integration. In the side navigation bar, select Integrations. In the top right, select + INSTALL. On the integrations page, find the integration you want by browsing or searching by name:

  1. Under SaaS, select GitLab.

    Add a GitLab Integration in Mondoo

  2. In Choose an integration name, enter a name that identifies the GitLab group.

  3. If you self-host GitLab, enter your custom URL in Provide a GitLab base URL. Otherwise leave it empty.

  4. In Define the GitLab group to scan, enter the group name from the group's URL. For example, the group at gitlab.com/lunalectric is named lunalectric.

    GitLab group name

  5. Paste your personal access token into Provide your personal access token.

  6. Under Discovery options, check what you want Mondoo to scan:

    • Groups the token can access
    • Projects the token can access
    • Terraform files
    • Kubernetes manifests

    GitLab discovery options

  7. Select START SCANNING.

On the Recommended Policies page, enable the policies you want Mondoo to score this integration against. To learn how policies work, read Manage Policies.

Scan from a GitLab CI/CD pipeline

If your GitLab instance has inbound IP allowlists that block Mondoo's hosted integration, you can run an equivalent scan from inside a GitLab pipeline.

  1. Follow the steps above to create a personal access token.

  2. Create Mondoo credentials and store them in GitLab.

  3. Store the personal access token in GitLab as a variable named GITLABTOKEN.

  4. Add a scheduled pipeline job to .gitlab-ci.yml:

    .gitlab-ci.yml
    stages: [security]
    
    cnspec-gitlab-scan:
      stage: security
      image:
        name: mondoo/cnspec:latest-rootless
        # Clear the image entrypoint so GitLab can run the script lines below.
        entrypoint: ['']
      rules:
        # Only run on scheduled pipelines, not on every push.
        - if: '$CI_PIPELINE_SOURCE == "schedule"'
      script:
        - set -euo pipefail
        - cnspec version
        # GITLABTOKEN is the CI/CD variable holding the personal access token created above.
        - cnspec scan gitlab --discover="groups, projects, terraform, k8s-manifests" --detect-cicd=0 --token "$GITLABTOKEN" --url "$CI_SERVER_HOST"

    Change the --discover flag to control what's scanned.
