GitLab Token

Bridgecrew Policy ID: BC_GIT_44
Chekov Check ID: CKV_SECRET_44
Severity: LOW

GitLab Token

Description

Personal access tokens can be an alternative to OAuth2 and used to:

  • Authenticate with the GitLab API.
  • Authenticate with Git using HTTP Basic Authentication.
    In both cases, you authenticate with a personal access token in place of your password.

Personal access tokens are:

  • Required when two-factor authentication (2FA) is enabled.
  • Used with a GitLab username to authenticate with GitLab features that require usernames. For example, GitLab-managed Terraform state backend and Docker container registry,
  • Similar to project access tokens and group access tokens, but are attached to a user rather than a project or group.

Fix - Buildtime

GitLab

  1. In the top-right corner, select your avatar.
  2. Select Edit profile.
  3. On the left sidebar, select Access Tokens.
  4. In the Active personal access tokens area, next to the key, select Revoke.