Handling Sensitive Information With GitLab Support
Sensitive information is any information that your organization deems sensitive. Commonly:
These would all be generally be considered sensitive, but your organization likely has its own data classification policies. Your security team might also consider hostnames, IP addresses or other environmental information to be sensitive.
Where do I need to be careful about divulging sensitive information in interacting with GitLab Support?
Depending on your configuration, this type of sensitive information can occasionally be in GitLab's configuration files and its components.
Specifically (but not exhaustively):
gitlab.rbfor the GitLab application
config.tomlfor GitLab Runners
.gitlab-ci.ymlfor GitLab projects
All could contain information your organization might consider sensitive.
Please do not submit or share files without verifying that the contents have been scrubbed of secrets and private information.
If you or your company/organization is not comfortable sharing it, do not submit it - please.
To sanitize a
gitlab.rb file, review and redact secrets manually, or use a command line utility to automate this process, for example our
gitlab.rb sanitizer tool.
You can also scrub sensitive data using the grep command line utility.
grep -Ev "password|_key|token|secret|app_id|bind_dn|^$|^\s*#" \
/etc/gitlab/gitlab.rb > /tmp/_clean.gitlab.rb
In addition to configuration files, log files and traces may include details like internal IP addresses and URLs.
To redact details in certain log files, we suggest replacing the sensitive information with placeholder text. There are a number of ways to quickly do a find and replace operation, including common command line utilities like
sed -i 's/secret-project/project1/g' attachment.log
sed -i 's/private.com/app1.com/g' attachment.log
sed -i 's/10.10.0.2/ip1/g' attachment.log
If secrets were accidentally shared or attached to a Support ticket, please notify GitLab Support immediately to ensure this data is redacted and deleted.
Conversely, if a Support Engineer suspects that secrets were accidentally submitted to a Support ticket, we will bring this to your attention and take action to remove any sensitive information.