The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

GitLab secure repo

How to secure your GitLab repository

Proctecting branches

  1. Navigate to Your Repository Settings:

    • Go to your GitLab project.
    • Navigate to Settings > Repository.
    • Scroll down to the Protected branches and expand section.
    • Select Add protected branch protect-branch
  2. Configure a Protected Branch:

    • In the Protect a branch form, select or type the name of the branch you want to protect (e.g., main, develop, or prod*).
    • Select values to Allowed to Merge (ex: Select Maintainers).
    • Select values to Allowed to Push: (ex: Maintainers or specific trusted users).
  3. Define more settings:

    • Allowed to Force Push: Force pushing is not recommended on shared branches, so it is recommended to leave this option unchecked.
    • Require Approval from code Owners: If applicable, check the box to require code owners’ approval.
  4. Finalize the configuration:

    • Select Protect

Set Up CI/CD Secret Variables in GitLab

CI/CD secret variables are used to securely store sensitive information (like passwords, API keys, and tokens) that your CI/CD pipelines require. Here’s a detailed guide on how to set up and manage those secret variables in GitLab:

Steps to Set Up CI/CD Secret Variables

  1. Navigate to CI/CD Settings:

    • Go to your GitLab project.
    • Navigate to Settings> CI/CD
  2. Expand Variables Section:

    • Scroll down to the Variables and expand the section.
  3. Add a New Secret Variable:

    • Select the Add variable button to create a new variable.
    • Fill in the following fields:
      • Type: select your variable type (variable or file).
      • Environment Scope: Specify the environment scope if the variable should apply only to specific environments (e.g., production, staging).
      • Protect Variable: Check this box if the variable should only be available for protected branches. This ensures the variable is not exposed in lower environments or unprotected branches.
      • Mask Variable: Check this box if the variable should be masked in job logs. Masking hides the value in the CI/CD log output.
      • Description (optional)
      • Key: Enter a name for your variable (e.g., AZURE_SECRET_KEY, DATABASE_PASSWORD).
      • Value: Enter the secret value for the variable (e.g., the actual password or key).
  4. Save the Variable:

    • After filling in the details, select the Add variable button to save the secret variable.

Example of Using CI/CD Secret Variables in .gitlab-ci.yml

Once you have set up your secret variables, you can reference them in your .gitlab-ci.yml file as follows:

stages:
  - build
  - deploy

build:
  stage: build
  script:
    - echo "Building application"

deploy:
  stage: deploy
  script:
    - echo "Deploying application"
    - echo "Using database password: $DATABASE_PASSWORD"
  only:
    - main

In the example above, the $DATABASE_PASSWORD is a CI/CD secret variable that will be securely injected into the job when the pipeline runs.

Commit Signing with GPG in GitLab

  1. Generate a GPG Key:

    • Generate a GPG key pair on your local machine. Follow the steps to generate a key according to the GitLab guide:

      gpg --full-generate-key
      
    • Choose the desired key type (e.g., RSA and RSA) and key size (a minimum of 2048 bits is recommended).

    • Set the key’s expiration date and provide your user ID information, such as your name and email address.

    • Protect your private key with a strong passphrase.

  2. Find Your GPG Key ID:

    • List your GPG keys to find the key ID of your new key:

      gpg --list-secret-keys --keyid-format LONG
      
    • Look for the section containing sec, which lists your secret keys. The key ID follows 4096R/. It looks like this:

      sec   4096R/ABCDEF12 2025-01-01 [expires: 2026-01-01]
      
  3. Configure Git with Your GPG Key:

    • Configure Git to use your GPG key for signing commits:

      git config --global user.signingkey YOUR_GPG_KEY_ID
      
  4. Add Your GPG Key to GitLab:

    • Export your GPG public key:

      gpg --armor --export YOUR_GPG_KEY_ID
      
    • Copy the output of the command, which looks like this:

      -----BEGIN PGP PUBLIC KEY BLOCK-----
      ...
      -----END PGP PUBLIC KEY BLOCK-----
      
    • Go to your GitLab profile settings: User Settings > SSH Keys.

    • Select GPG Keys.

    • Paste the copied public key into the Add GPG Key field and select Add Key.

  5. Sign Your Commits:

    • When making a commit, add the -S flag to sign the commit:

      git commit -S -m "Your commit message"
      
    • Enter your GPG key passphrase when prompted to sign the commit.

  6. Verify Signed Commits in GitLab:

    • Navigate to your project in GitLab.
    • Go to the Commits tab to view the commit history.
    • Signed commits will display a “Verified” badge next to them, indicating they have been successfully signed and verified.

Benefits of Commit Signing

  • Authentication: Ensures that the commit actually came from the person who claims to have made it.
  • Integrity: Guarantees that the commit has not been altered since it was signed by the original author.
  • Accountability: Helps in tracking down the origin of changes, which is useful for auditing and forensic purposes.

Best Practices

  • Use Strong Passphrases: Protect your private key with a strong, unique passphrase.
  • Manage Key Revocation: If your private key is compromised, revoke it promptly and generate a new one.
  • Regularly Update Keys: Periodically update your GPG key pair to maintain security.

For further details, refer to the official GitLab documentation on signed commits with GPG .