GitLab Integration Setup

This guide walks you through connecting GitLab to RAD Security, enabling application security scanning and vulnerability findings across your GitLab instance or groups.

Prerequisites

Before you begin, ensure you have:
Access to the web interface of your GitLab instance
GitLab instance administrator access or an account with the Owner role (recommended)
Access to RAD Security workspace with integration permissions

Required Token Scopes

The GitLab integration requires the following API token scope:
Operation                                 Required Scope
Query Applications                        read_api
Query Application Findings                read_api
Query findings across all applications    read_api
Get Application Finding Details           read_api
Only the read_api scope is required. This provides read-only access to the API, including all groups and projects, the container registry, and the package registry.

Generating an API Access Token

GitLab supports three methods for creating API access tokens. The recommended method is using a service account, but service accounts are not available on GitLab Free instances. If you’re using GitLab Free, use a group access token instead.

Creating the Access Token

Once you’re on the new API access token creation screen:
1. Configure Token Details

Fill out the following fields:
  • Token name: A descriptive name (e.g., “RAD Security Integration”)
  • Description (optional): Purpose of the token
  • Expiration date: Set according to your security policies
2. Select Scopes

Under the Select scopes section, check the box next to:
  • read_api
3. Create Token

Click Create token.
4. Save Token

Copy the token immediately — it will not be shown again.
Store your token securely. If you lose it, you’ll need to generate a new one.
Also take note of your GitLab instance URL (e.g., https://gitlab.com or https://gitlab.yourcompany.com). You’ll need this when configuring the integration.

Configure in RAD Security

Once you have your token, configure the integration in RAD Security:
1. Navigate to Integrations

Go to your RAD Security workspace and navigate to Integrations.
2. Add GitLab Integration

Click Add Integration and select GitLab from the available options.
3. Enter Configuration

Fill in the required fields:
Parameter           Description                                Example
Integration Name    A descriptive name for this integration    GitLab Production
Secret              The API access token you generated         glpat-xxxxxxxxxxxx
Base URL            The URL of your GitLab instance            https://gitlab.com
4. Save and Test

Click Save to create the integration. RAD Security will validate the connection.
Your token is encrypted and stored securely by RAD Security.

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Integrations in your RAD Security workspace
  2. Locate your GitLab integration
  3. Check the connection status shows as Active
  4. Verify applications and findings are being discovered
Your GitLab integration is now configured! RAD Security will begin syncing application security data from your GitLab instance.

What Data is Synced

  • Projects and repositories within your GitLab instance or group
  • Application metadata and configurations
  • SAST (Static Application Security Testing) findings
  • DAST (Dynamic Application Security Testing) findings
  • Dependency scanning results
  • Container scanning results
  • Secret detection findings
  • Vulnerability severity and classification
  • Affected files and line numbers
  • Remediation guidance
  • Finding status (detected, confirmed, dismissed)

Use Cases

Centralized Vulnerability View

Aggregate security findings from GitLab alongside other security tools for a unified view.

Security Posture Tracking

Track application security trends over time across all GitLab projects.

Compliance Reporting

Generate compliance reports that include GitLab security scanning results.

Risk Prioritization

Correlate GitLab findings with other data sources to prioritize remediation efforts.

Troubleshooting

  • Verify your access token is correct and hasn’t expired
  • Ensure the token has the read_api scope
  • Check that the Base URL is correct and accessible
  • For self-hosted GitLab, verify network connectivity from RAD Security
  • Confirm the token has access to the groups/projects you expect
  • For group tokens, verify the token is scoped to the correct group
  • Check that the service account or user has appropriate role assignments
  • Verify that GitLab security scanning is enabled for your projects
  • Check that CI/CD pipelines with security jobs have run successfully
  • Ensure the token user/service account has access to security reports
  • Generate a new token following the steps above
  • Update the integration in RAD Security with the new token
  • Consider setting longer expiration dates or using calendar reminders for rotation

Security Best Practices

Use Service Accounts

Create dedicated service accounts rather than using personal tokens to avoid disruption when team members leave.

Minimal Scope

Only grant the read_api scope required for the integration. Avoid granting write permissions.

Rotate Tokens Regularly

Set appropriate expiration dates and rotate tokens according to your security policies.

Audit Token Usage

Regularly review service account and token activity in GitLab’s audit logs.
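The following pre-flight check covers the token-related items in the Troubleshooting list above (token valid, not expired, carries read_api, Base URL reachable) together with the Minimal Scope and Rotate Tokens practices. It is an added example, not RAD Security's or GitLab's own code; it calls GitLab's REST API (GET /api/v4/personal_access_tokens/self, which describes the calling token, and GET /api/v4/projects) and the 14-day expiry warning threshold is an assumption.

```python
"""Pre-flight check for a GitLab token before it is entered into RAD Security.

Added example (not RAD Security or GitLab code). Confirms that the token is
active, carries exactly the read_api scope and is not about to expire, and that
it can list at least one project through the configured Base URL.
"""
import json
import urllib.request
from datetime import date
from typing import List, Optional

EXPIRY_WARNING_DAYS = 14          # assumption: warn when under two weeks remain
REQUIRED_SCOPES = {"read_api"}    # the only scope the integration needs


def check_token_metadata(meta: dict, today: Optional[str] = None) -> List[str]:
    """Inspect a /personal_access_tokens/self response; returns problems (empty == OK).

    `today` is an ISO date string used instead of the real date (handy for tests)."""
    today_d = date.fromisoformat(today) if today else date.today()
    problems = []
    if meta.get("revoked") or not meta.get("active", True):
        problems.append("token is revoked or inactive")
    scopes = set(meta.get("scopes", []))
    if not REQUIRED_SCOPES <= scopes:
        problems.append("token lacks read_api scope")
    extra = scopes - REQUIRED_SCOPES
    if extra:   # Minimal Scope: anything beyond read_api is unnecessary privilege
        problems.append(f"token has scopes beyond read_api: {sorted(extra)}")
    expires = meta.get("expires_at")
    if expires:
        days_left = (date.fromisoformat(expires) - today_d).days
        if days_left < 0:
            problems.append(f"token expired on {expires}")
        elif days_left < EXPIRY_WARNING_DAYS:
            problems.append(f"token expires in {days_left} days; plan rotation")
    return problems


def gitlab_get(base_url: str, token: str, path: str):
    """GET an /api/v4 path on the instance, authenticating with PRIVATE-TOKEN."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def preflight(base_url: str, token: str) -> List[str]:
    """Run the checks against a live instance (network); returns problems found."""
    problems = check_token_metadata(gitlab_get(base_url, token, "personal_access_tokens/self"))
    if not gitlab_get(base_url, token, "projects?membership=true&per_page=1"):
        problems.append("token sees no projects; check group/role assignment")
    return problems
```

Run it as `preflight("https://gitlab.yourcompany.com", token)` before pasting the token into the Secret field; an empty list means the token is ready.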

Token Rotation

To rotate your GitLab access token:
1. Generate New Token

Create a new token following the steps above with the same scope.
2. Update RAD Security

Edit your GitLab integration in RAD Security and update the Secret field.
3. Verify Connection

Confirm the integration status remains Active after the update.
4. Revoke Old Token

Delete the old token from GitLab to complete the rotation.