Secure GitLab with Mondoo
You can configure Mondoo to continuously scan your GitLab groups. Mondoo scans find misconfigurations and vulnerabilities that put your organization at risk. You deploy the integration once and always get the latest security assessments.
You can also use Mondoo to automatically scan Kubernetes manifests, Terraform configuration files, and Docker containers in GitLab CI/CD. To learn more, read Scan in GitLab CI/CD.
Prerequisites
- A Mondoo account with Owner or Editor access to the space where you want to add the GitLab integration
- Access to a GitLab group
Create a personal access token to give Mondoo access to the GitLab group
A personal access token gives Mondoo the ability to access GitLab resources on your behalf. For Mondoo to continuously monitor your GitLab groups, you must create a personal access token.
- Log into GitLab.
- In the upper-left corner of any GitLab page, select your profile photo and then select Edit Profile.
- In the left sidebar, select Access Tokens.
- Select the Add new token button.
- In the Token name box, enter a name for the token, such as mondoo-frontend-repo.
- Under Expiration date, specify the date on which to expire the token. (Be sure to note the expiration date so that, as it approaches, you can create a new one without interrupting the Mondoo-GitLab integration.)
- Under Select scopes, check these scopes:
  - read_api
  - read_user
  - read_repository
  - read_registry
- Select the Create a personal access token button.
- When GitLab finishes creating the token, it displays this message: "Your new personal access token has been created." Below the message, locate the Your new personal access token box. Use the copy icon to the right of the box to copy the token.
To learn more, read Create a personal access token in the GitLab documentation.
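The four scopes above are all read-only, and the expiration date is the control that limits how long a leaked token stays useful. The following script, an added example that is not Mondoo's or GitLab's own code, checks an existing token against exactly those two requirements: it reports scopes that are missing, scopes beyond the four the integration needs (in particular any write-capable scope), and whether the token is expired or about to expire. It assumes GitLab's `GET /api/v4/personal_access_tokens/self` endpoint, which describes the token used to call it; the `fetch_token_info` helper is only needed for a live check, and the token descriptions used below are constructed samples.

```python
"""Check a GitLab personal access token against the Mondoo integration's needs.

Added example, not Mondoo's or GitLab's own code. Assumes GitLab's
GET /api/v4/personal_access_tokens/self endpoint, whose JSON response carries
"scopes", "expires_at", "active" and "revoked" for the calling token.
"""
import json
import urllib.request
from datetime import date, datetime

# Read-only scopes the Mondoo GitLab integration asks for (from the guide above).
REQUIRED_SCOPES = {"read_api", "read_user", "read_repository", "read_registry"}

# Scopes that allow writes or elevation; none of them is needed for scanning.
WRITE_SCOPES = {"api", "write_repository", "write_registry", "sudo", "admin_mode"}

# Fixed reference date so the constructed samples below evaluate deterministically.
TODAY = date(2025, 3, 1)


def fetch_token_info(base_url: str, token: str) -> dict:
    """Live call: ask GitLab to describe the token it is given (not used in tests)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assess_token(info: dict, today: date = TODAY, warn_days: int = 14) -> dict:
    """Return findings about scope fit and expiry for one token description."""
    scopes = set(info.get("scopes", []))
    # GitLab's full "api" scope covers everything "read_api" allows, so do not
    # report read_api as missing when api is present (it is still excess).
    effective = scopes | ({"read_api"} if "api" in scopes else set())
    findings = {
        "missing_scopes": sorted(REQUIRED_SCOPES - effective),
        "excess_scopes": sorted(scopes - REQUIRED_SCOPES),
        "write_capable": bool(scopes & WRITE_SCOPES),
        "usable": bool(info.get("active", False)) and not info.get("revoked", False),
        "expiry": "none",   # no expiration date set
        "days_left": None,
    }
    expires_at = info.get("expires_at")
    if expires_at:
        days_left = (datetime.strptime(expires_at, "%Y-%m-%d").date() - today).days
        findings["days_left"] = days_left
        if days_left < 0:
            findings["expiry"] = "expired"
            findings["usable"] = False
        elif days_left <= warn_days:
            findings["expiry"] = "expiring"   # rotate now to avoid an outage
        else:
            findings["expiry"] = "ok"
    # A token passes only if it is usable, least-privilege, and not near expiry.
    findings["ok"] = (
        findings["usable"]
        and not findings["missing_scopes"]
        and not findings["write_capable"]
        and findings["expiry"] == "ok"
    )
    return findings


# Constructed sample responses (shape of /personal_access_tokens/self).
GOOD_TOKEN = {
    "name": "mondoo-frontend-repo",
    "scopes": ["read_api", "read_user", "read_repository", "read_registry"],
    "expires_at": "2025-06-30", "active": True, "revoked": False,
}
OVER_SCOPED_TOKEN = {
    "name": "mondoo-too-broad",
    "scopes": ["api", "read_user", "read_repository", "read_registry", "write_repository"],
    "expires_at": "2025-03-10", "active": True, "revoked": False,
}
EXPIRED_TOKEN = {
    "name": "mondoo-old",
    "scopes": ["read_api", "read_user", "read_repository", "read_registry"],
    "expires_at": "2025-02-01", "active": False, "revoked": False,
}

if __name__ == "__main__":
    for sample in (GOOD_TOKEN, OVER_SCOPED_TOKEN, EXPIRED_TOKEN):
        print(sample["name"], json.dumps(assess_token(sample), indent=None))
```

For a live check, call `fetch_token_info("https://gitlab.com", token)` (or your self-hosted base URL) and pass the result to `assess_token` with `date.today()`; running it on a schedule gives you the early warning the expiration note above asks for, and `excess_scopes` tells you when a token was created with more than the four read-only scopes.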
Set up a GitLab integration
- In a new browser tab, access the Integrations > Add > GitLab page in one of two ways:
  - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then under SaaS, select GitLab.
  - INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Under SaaS, select GitLab.
- In the Choose an integration name box, enter a name for the integration. Make it a name that lets you easily recognize the GitLab group.
- If you self-host GitLab, enter your custom GitLab URL in the Provide a GitLab base URL box. If you don't self-host GitLab, leave the box empty.
- In the Define the GitLab group to scan box, enter the name of the GitLab group you want to monitor. Find this value in the URL path to the group landing page. For example, this group's name is lunalectric:
- In the Provide your personal access token box, paste the GitLab token you generated in the previous section.
- Choose Discovery options to determine the extent of Mondoo scanning:
  - To scan all the GitLab groups to which your token provides access, check Groups the token can access.
  - To scan all the GitLab projects to which your token provides access, check Projects the token can access.
  - To scan all Terraform files in the projects to which your token provides access, check Terraform files.
  - To scan all Kubernetes manifests in the projects to which your token provides access, check Kubernetes manifests.
- Select the START SCANNING button.
- On the Recommended Policies page, enable the policies on which you want to base assessments of your GitLab group. To learn more, read Manage Policies.
Mondoo begins scanning your GitLab group and, when completed, presents results on the INVENTORY page.
Learn more
For more information, explore the complete Mondoo GitLab Resource Pack Reference.