Like most of the security industry, the consultants at Zerosource are avid users of open source software. Many of our most frequently-used tools for penetration testing and application assessments have been released freely by security professionals who are generous enough to share their creativity with the world.
Over time, we’ve seen an increasing number of our clients building their development and deployment environments around GitLab. After several configuration reviews, we started our search for a tool to perform automated security audits of GitLab environments, similar to GitHub auditing tools such as the one developed by our friends at Crash Override.
We were looking for a tool we could share with our clients that was:
- relatively easy to use
- checked for common security misconfigurations without the need to access various menus
- checked for users who had been inactive for a long period of time (and possibly left the organisation)
When we couldn’t find such a tool, we started writing our own! After several months of testing with our clients, and in the spirit of giving back to the community, we’ve released a small script we call gitlab_checks.
gitlab_checks is a CLI tool that runs security configuration checks against private GitLab.com groups that aren’t intended to be open to the public, such as internal development projects at software companies. It’s in early release at the moment and we hope to add more features and checks in the near future.
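To make the two kinds of check listed above concrete (stale members, and settings a private group should not carry), here is a small added example in Python. It is not gitlab_checks’ own code. It works offline on constructed data shaped like GitLab REST API responses for group members and project settings; the field names, the 90-day inactivity threshold and the specific project checks are assumptions for illustration, not the tool’s actual check list.

```python
#!/usr/bin/env python3
"""Toy audit of a GitLab group: stale members and weak project settings.

Added example, not gitlab_checks itself. The inputs are constructed to
mirror the shape of GitLab's REST API responses (GET /groups/:id/members/all
and GET /projects/:id); the field names and thresholds are assumptions.
"""
from datetime import date

MAX_IDLE_DAYS = 90            # assumption: idle longer than this is flagged
AS_OF = date(2024, 6, 1)      # fixed "today" so the run is reproducible

# GitLab access levels as documented in the Members API
ACCESS_NAMES = {10: "Guest", 20: "Reporter", 30: "Developer",
                40: "Maintainer", 50: "Owner"}

# Constructed sample members; last_activity_on is an ISO date string or None
SAMPLE_MEMBERS = [
    {"username": "alice", "access_level": 50, "state": "active",
     "last_activity_on": "2024-05-20"},
    {"username": "bob", "access_level": 40, "state": "active",
     "last_activity_on": "2023-11-02"},
    {"username": "carol", "access_level": 30, "state": "active",
     "last_activity_on": None},           # account never used
    {"username": "dave", "access_level": 30, "state": "blocked",
     "last_activity_on": "2023-01-15"},   # already blocked, not reported
]

# Constructed sample project settings for a project inside a private group
SAMPLE_PROJECT = {
    "path_with_namespace": "acme/internal-api",
    "visibility": "internal",
    "only_allow_merge_if_pipeline_succeeds": False,
    "approvals_before_merge": 0,
}


def days_idle(member, as_of):
    """Days since the member's last recorded activity; None if never active."""
    last = member.get("last_activity_on")
    if not last:
        return None
    return (as_of - date.fromisoformat(last)).days


def find_stale_members(members, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Return (username, role, days_idle) for active members idle too long.

    Never-active members are listed first (days_idle=None), then the rest
    from longest idle to shortest, so the riskiest accounts lead the report.
    """
    stale = []
    for m in members:
        if m.get("state") != "active":
            continue  # blocked or deactivated accounts cannot sign in
        idle = days_idle(m, as_of)
        if idle is None or idle > max_idle_days:
            role = ACCESS_NAMES.get(m["access_level"], "?")
            stale.append((m["username"], role, idle))
    stale.sort(key=lambda t: (t[2] is not None, -(t[2] or 0)))
    return stale


def check_project(project):
    """Return findings for settings a project in a private group should not have."""
    findings = []
    name = project["path_with_namespace"]
    if project.get("visibility") != "private":
        findings.append(f"{name}: visibility is '{project.get('visibility')}', "
                        "expected 'private'")
    if not project.get("only_allow_merge_if_pipeline_succeeds", False):
        findings.append(f"{name}: merges allowed without a passing pipeline")
    if project.get("approvals_before_merge", 0) < 1:
        findings.append(f"{name}: no merge request approvals required")
    return findings


def main():
    for user, role, idle in find_stale_members(SAMPLE_MEMBERS, AS_OF):
        idle_text = "never active" if idle is None else f"idle {idle} days"
        print(f"stale member: {user} ({role}), {idle_text}")
    for finding in check_project(SAMPLE_PROJECT):
        print("finding:", finding)


if __name__ == "__main__":
    main()
```

Against a real group you would replace the two constructed samples with the JSON from the corresponding API calls; the logic above is deliberately separated from the fetching so the checks can be unit-tested on saved responses.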
If you find it useful, have feedback or have a pull request you’d like to contribute, reach out! You can find us using the Contact Us link above.