About GitLab

The GitLab connector reads project metadata, group membership, branch protection, CI/CD configuration, and (where your plan and token allow) audit-oriented events from your GitLab.com group or self-managed instance. Data appears as artifacts in Iru Compliance for mapping to actions and controls. Iru sends credentials using GitLab’s PRIVATE-TOKEN header - typically with a personal access token so reads can span the groups and projects you choose.

How It Works

GitLab’s REST API authenticates with the PRIVATE-TOKEN header:
PRIVATE-TOKEN: glpat-XXXXXXXXXXXXXXXXXXXX
Personal access tokens are usually the best fit because they can cover multiple projects and groups. Project-scoped or group-scoped tokens work but may narrow what evidence Iru can collect.
| Detail | Value |
|---|---|
| Category | Developer tools / source control |
| Authentication | PRIVATE-TOKEN header (personal access token recommended) |
| Hosting | GitLab SaaS or self-managed |
Documentation: Personal access tokens, REST authentication, Token scopes.

Prerequisites

  • GitLab access to the groups and projects compliance cares about.
  • Group Owner or Maintainer where you need membership and audit-style reads (exact needs depend on your controls).
  • For self-managed GitLab, confirm Iru targets your instance base URL (not only gitlab.com).
Starting point for scopes
| Scope | Purpose |
|---|---|
| read_api | Broad read access to API endpoints used for inventory and configuration evidence |
| read_repository | Repository metadata aligned to branch protection and repo settings |
| read_user | User profile reads needed for membership evidence |
Add scopes only when your security team requires deeper reads.

Connect GitLab to Iru

Complete this tab before you connect the source in Compliance.
1. Sign in to GitLab

Open your GitLab instance (gitlab.com or self-managed URL) and sign in with a user who can create personal access tokens for the namespaces Iru should read.

2. Open your profile

Select your avatar in the upper-right, then choose Edit profile (or Preferences on some versions).

3. Open Access Tokens

In the left sidebar of your profile, select Access Tokens (sometimes under User settings > Access Tokens).

4. Add a new token

Select Add new token (or Create personal access token).

5. Set name, expiration, and scopes

Enter a name (for example Iru Compliance). Set an expiration (GitLab requires one; maximum duration may be limited by your administrator). Choose the read scopes listed under Prerequisites in this article.

6. Create and copy the token

Create the token and copy it immediately. GitLab shows it once. Tokens typically begin with glpat-.
Continue on the Iru Compliance tab.
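
Before pasting the token into the connector, you can confirm it carries only the read scopes listed under Prerequisites and is not close to expiry. The script below is an added example, not Iru or GitLab code; it assumes your instance exposes GitLab's GET /api/v4/personal_access_tokens/self endpoint, and the GITLAB_URL / GITLAB_TOKEN variable names, the 30-day warning window, and the sample response are assumptions constructed for illustration.

```python
import json
import os
import urllib.request
from datetime import date

# Read scopes this page lists as the starting point.
BASELINE = {"read_api", "read_repository", "read_user"}

def fetch_token_info(base_url, token):
    """Ask GitLab to describe the token itself, authenticating via PRIVATE-TOKEN."""
    url = base_url.rstrip("/") + "/api/v4/personal_access_tokens/self"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def audit_token(info, today, warn_days=30):
    """Return findings for a token description; an empty list means it looks fine."""
    findings = []
    scopes = set(info.get("scopes", []))
    extra, missing = sorted(scopes - BASELINE), sorted(BASELINE - scopes)
    if extra:
        findings.append("scopes beyond read baseline: " + ", ".join(extra))
    if missing:
        findings.append("missing baseline scopes: " + ", ".join(missing))
    if info.get("revoked") or not info.get("active", True):
        findings.append("token is revoked or inactive")
    expires = info.get("expires_at")
    if not expires:
        findings.append("no expiry set")
    else:
        days_left = (date.fromisoformat(expires[:10]) - today).days
        if days_left < 0:
            findings.append("token expired")
        elif days_left <= warn_days:
            findings.append(f"expires in {days_left} days")
    return findings

# Constructed sample response (not real data): over-scoped and close to expiry.
SAMPLE = {"name": "Iru Compliance", "scopes": ["api", "read_user"],
          "active": True, "revoked": False, "expires_at": "2025-01-15"}

if __name__ == "__main__":
    # GITLAB_URL / GITLAB_TOKEN are assumed names; without a token, audit SAMPLE.
    info, today = SAMPLE, date(2025, 1, 1)
    if "GITLAB_TOKEN" in os.environ:
        url = os.environ.get("GITLAB_URL", "https://gitlab.com")
        info, today = fetch_token_info(url, os.environ["GITLAB_TOKEN"]), date.today()
    print("\n".join(audit_token(info, today) or ["ok"]))
```

A finding about scopes beyond the baseline is a prompt to check whether your security team actually asked for the deeper read, not necessarily an error.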

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Confirm the full token string, check expiry, and verify the account still has access to target groups.
Increase scopes or elevate project/group role - your token cannot read endpoints your account cannot access.
Ensure the integration points at your instance hostname and that network paths allow Iru’s outbound calls.
Some audit APIs require Premium/Ultimate features - compare your GitLab tier to the evidence your framework expects.

Considerations

Tokens expire on a schedule - rotate early and update the connector.

GitLab applies rate limits; large groups may take longer during first sync.

Iru reads configuration exposed by the API - it does not rewrite pipelines or repository settings.
