
Gitlab Hardening for DevSecOps

Table of contents

  1. Update GitLab to the latest version
  2. Enable SSL/TLS for GitLab
  3. Disable GitLab sign up
  4. Set a strong password policy
  5. Limit the maximum file size
  6. Enable two-factor authentication (2FA)
  7. Enable audit logging
  8. Configure GitLab backups
  9. Restrict SSH access
  10. Enable firewall rules

A list of best practices for hardening GitLab for DevSecOps.

Update GitLab to the latest version

sudo apt-get update && sudo apt-get upgrade gitlab-ee

Enable SSL/TLS for GitLab

Edit /etc/gitlab/gitlab.rb and add the following lines:
external_url 'https://gitlab.example.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
gitlab_rails['gitlab_https'] = true
gitlab_rails['trusted_proxies'] = ['192.168.1.1']
(replace 192.168.1.1 with the IP address of your proxy)
Then run sudo gitlab-ctl reconfigure

Disable GitLab sign up

Edit /etc/gitlab/gitlab.rb and add the following line:
gitlab_rails['gitlab_signup_enabled'] = false
Then run sudo gitlab-ctl reconfigure

Set a strong password policy

Edit /etc/gitlab/gitlab.rb and add the following lines:
gitlab_rails['password_minimum_length'] = 12
gitlab_rails['password_complexity'] = 2
Then run sudo gitlab-ctl reconfigure

Limit the maximum file size

Edit /etc/gitlab/gitlab.rb and add the following line:
gitlab_rails['max_attachment_size'] = 10.megabytes
Then run sudo gitlab-ctl reconfigure

Enable two-factor authentication (2FA)

Go to GitLab’s web interface, click on your profile picture in the top-right corner, and select “Settings”. Then select “Account” from the left-hand menu and follow the prompts to set up 2FA.

Enable audit logging

Edit /etc/gitlab/gitlab.rb and add the following line:
gitlab_rails['audit_events_enabled'] = true
Then run sudo gitlab-ctl reconfigure

Configure GitLab backups

Edit /etc/gitlab/gitlab.rb and add the following lines:
gitlab_rails['backup_keep_time'] = 604800
gitlab_rails['backup_archive_permissions'] = 0644
gitlab_rails['backup_pg_schema'] = 'public'
gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"
Then run sudo gitlab-ctl reconfigure

Restrict SSH access

Edit /etc/gitlab/gitlab.rb and add the following line:
gitlab_rails['gitlab_shell_ssh_port'] = 22
Then run sudo gitlab-ctl reconfigure
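As an added example (not part of the original page), the following POSIX shell script audits a gitlab.rb offline against the settings in the SSL/TLS, sign-up, password policy, audit logging, backup and SSH sections above, so that configuration drift is caught before running gitlab-ctl reconfigure. The key names and expected values are the ones this page lists; the two sample configs, the working directory and the function names are constructed for the example and are not GitLab's own tooling.

```shell
#!/bin/sh
# Added example, not from the original page: an offline audit of a gitlab.rb
# against the hardening settings listed above. Keys and expected values are
# the ones the page gives; both sample configs below are constructed.

WORK="${TMPDIR:-/tmp}/gitlab-rb-audit.$$"
mkdir -p "$WORK"

# Constructed sample 1: a gitlab.rb that still carries several weak settings.
cat > "$WORK/weak.rb" <<'EOF'
external_url 'http://gitlab.example.com'
nginx['redirect_http_to_https'] = false
gitlab_rails['gitlab_signup_enabled'] = true   # open registration
# gitlab_rails['backup_archive_permissions'] = 0644   (commented out: inactive)
gitlab_rails['backup_keep_time'] = 604800
gitlab_rails['gitlab_shell_ssh_port'] = 22
EOF

# Constructed sample 2: the same file after applying the settings above.
cat > "$WORK/hardened.rb" <<'EOF'
external_url 'https://gitlab.example.com'
nginx['redirect_http_to_https'] = true
gitlab_rails['gitlab_signup_enabled'] = false
gitlab_rails['password_minimum_length'] = 12
gitlab_rails['audit_events_enabled'] = true
gitlab_rails['backup_keep_time'] = 604800
gitlab_rails['backup_archive_permissions'] = 0644
gitlab_rails['gitlab_shell_ssh_port'] = 22
EOF

# gitlab_rb_value FILE KEY: print the active value of KEY. The last
# uncommented assignment wins (as it would when Ruby evaluates the file)
# and any trailing comment is stripped. KEY is written exactly as in
# gitlab.rb, e.g. gitlab_rails['backup_path'].
gitlab_rb_value() {
  grep -F -- "$2" "$1" | grep -Ev '^[[:space:]]*#' | tail -n 1 |
    sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+#.*$//; s/[[:space:]]+$//'
}

# gitlab_rb_scheme FILE: print the URL scheme (http or https) of external_url.
gitlab_rb_scheme() {
  grep -E '^[[:space:]]*external_url' "$1" | tail -n 1 |
    sed -E "s/^[[:space:]]*external_url[[:space:]]+[\"']([a-z]+):.*/\1/"
}

FINDINGS=0

# gitlab_rb_expect FILE KEY VALUE: record a finding when KEY is unset,
# commented out, or set to something other than VALUE.
gitlab_rb_expect() {
  actual="$(gitlab_rb_value "$1" "$2")"
  if [ "$actual" != "$3" ]; then
    echo "FINDING: $2 is '${actual:-<unset>}', expected $3" >&2
    FINDINGS=$((FINDINGS + 1))
  fi
}

# gitlab_rb_findings FILE: print one line per deviation on stderr and the
# number of findings on stdout (0 means the file matches the baseline).
gitlab_rb_findings() {
  FINDINGS=0
  if [ "$(gitlab_rb_scheme "$1")" != "https" ]; then
    echo "FINDING: external_url does not use https" >&2
    FINDINGS=$((FINDINGS + 1))
  fi
  gitlab_rb_expect "$1" "nginx['redirect_http_to_https']" true
  gitlab_rb_expect "$1" "gitlab_rails['gitlab_signup_enabled']" false
  gitlab_rb_expect "$1" "gitlab_rails['password_minimum_length']" 12
  gitlab_rb_expect "$1" "gitlab_rails['audit_events_enabled']" true
  gitlab_rb_expect "$1" "gitlab_rails['backup_keep_time']" 604800
  gitlab_rb_expect "$1" "gitlab_rails['backup_archive_permissions']" 0644
  gitlab_rb_expect "$1" "gitlab_rails['gitlab_shell_ssh_port']" 22
  echo "$FINDINGS"
}

# Usage: audit both constructed samples; a real run would point at
# /etc/gitlab/gitlab.rb instead.
echo "weak.rb findings:     $(gitlab_rb_findings "$WORK/weak.rb")"
echo "hardened.rb findings: $(gitlab_rb_findings "$WORK/hardened.rb")"
```

The parser is deliberately simple: it takes the last uncommented assignment of each key, which is how Ruby would evaluate a duplicated setting, and it treats a missing or commented-out key as a finding rather than assuming a safe default, because Omnibus defaults (for example open sign-up on a fresh install) are not the hardened values this page asks for.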

Enable firewall rules

Configure your firewall to only allow incoming traffic on ports that are necessary for GitLab to function, such as 80, 443, and 22. Consult your firewall documentation for instructions on how to configure the firewall rules.