Sensitive information is any information that your organization deems sensitive. Commonly:
These would all be generally be considered sensitive, but your organization likely has its own data classification policies. Your security team might also consider hostnames, IP addresses or other environmental information to be sensitive.
Depending on your configuration, this type of sensitive information can occasionally be in GitLab's configuration files and its components.
Specifically (but not exhaustively):
gitlab.rbfor the GitLab application
config.tomlfor GitLab Runners
.gitlab-ci.ymlfor GitLab projects
All could contain information your organization might consider sensitive.
Please do not submit or share files without verifying that the contents have been scrubbed of secrets and private information.
If you or your company/organization is not comfortable sharing it, do not submit it - please.
To sanitize a
gitlab.rb file, review and redact secrets manually, or use a command line utility to automate this process.
gitlab.rb sanitizer redacts and replaces all sensitive config variables with placeholders, and can be executed as a one-liner.
/opt/gitlab/embedded/bin/curl https://gitlab.com/gitlab-com/support/toolbox/gitlabrb_sanitizer/raw/master/sanitizer | /opt/gitlab/embedded/bin/ruby
You can also scrub sensitive data using the
grep command line utility.
grep -Ev "password|_key|token|secret|app_id|bind_dn|^$|^\s*#" /etc/gitlab/gitlab.rb
In addition to configuration files, log files and traces may include details like internal IP addresses and URLs.
To redact details in certain log files, we suggest replacing the sensitive information with placeholder text. There are a number of ways to quickly do a find and replace operation, including common command line utilities like
sed -i 's/secret-project/project1/g' attachment.log sed -i 's/private.com/app1.com/g' attachment.log sed -i 's/10.10.0.2/ip1/g' attachment.log
If secrets were accidentally shared or attached to a Support ticket, please notifiy GitLab Support immediately to ensure this data is redacted and deleted.
Conversely, if a Support Engineer suspects that secrets were accidentally submitted to a Support ticket, we will bring this to your attention and take action to remove any sensitive information.