GitLab Integration
Integrate GitLab (SaaS or self-hosted) with Cremit Argus to scan every project, commit, and issue for exposed secrets. Scan scope can be set at group level or project level.
About this guide
This guide walks you through the complete setup process. Expected completion time: 5-10 minutes.
Overview
Argus's GitLab integration scans every project, commit, merge request, and issue in your GitLab organization for exposed credentials, API keys, and tokens. It works with both GitLab SaaS (gitlab.com) and self-hosted GitLab instances (Data Center or Dedicated).
Prerequisites
- GitLab group Owner or Maintainer role for the target group
- A GitLab Personal Access Token or Group Access Token with `read_api` and `read_repository` scopes
- For self-hosted: the GitLab API endpoint URL (for example, https://gitlab.yourcompany.com)
- A Cremit Argus account
Step-by-Step Setup
Step 1: Create a GitLab access token
Generate a token that Argus will use to call GitLab's API.
- In GitLab, go to User Settings > Access Tokens (for a personal token) or Group > Settings > Access Tokens (for a group token)
- Name the token 'Cremit Argus' and set an expiration at least 6 months out
- Grant the `read_api` and `read_repository` scopes
- Copy the generated token immediately; GitLab will not show it again
Step 2: Add GitLab as a Scan Source in Argus
Connect the token to your Argus workspace.
- Log in to the Argus dashboard
- Go to Configuration > Scan Sources and click New
- Select GitLab as the source type
- For GitLab.com, leave the default host; for self-hosted, enter your GitLab API URL
- Paste the access token you created in Step 1
- Click Create
Step 3: Select projects to scan
Choose which projects Argus should scan. You can narrow scope to specific subgroups or include everything.
- Argus automatically lists every project the token can access
- Use Bulk Enable to include all projects, or enable projects individually
- Toggle Auto-enable New Projects if you want new projects to be scanned without manual intervention
Step 4: Configure scan schedule
Choose between continuous scanning (default) or a custom cadence.
- Continuous scanning runs on every push and every merge request
- Historical scan walks the full commit history on the first run
- You can pause an individual project at any time without losing its history
Verification
To confirm the integration is configured correctly:
- A green Enabled badge appears next to each configured project
- The Last Scan column shows a recent timestamp after the initial sync
- The Scan Source status on the Sources list is Healthy
- New pushes to enabled projects trigger an automatic scan within a few minutes
Troubleshooting
Issue: The token is rejected with a 401 Unauthorized error.
- Solution: Regenerate the token with `read_api` AND `read_repository` scopes. A token missing either scope cannot enumerate projects or read file contents.
Issue: Some private projects are missing from the list.
- Solution: The token only sees projects its owner has access to. Use a Group Access Token at the correct group level, or a service account with the right group membership.
Issue: Self-hosted GitLab connection times out.
- Solution: Verify that Argus's IP ranges are allowed through your firewall or GitLab IP allowlist. Your GitLab instance must be reachable from Argus on port 443.
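A pre-flight check for the token created in Step 1, covering the scope problem described under Troubleshooting. This is an added example, not part of Argus or of the original guide. It assumes your GitLab version provides the REST endpoint `GET /api/v4/personal_access_tokens/self` and lets a read-only token call it; the function names and sample responses are constructed for illustration.

```python
import json
import urllib.request
from datetime import date

REQUIRED = {"read_api", "read_repository"}  # scopes this guide asks for
SAMPLE_TODAY = date(2025, 1, 15)            # fixed date so sample results are stable

def fetch_token_info(host, token):
    """Ask GitLab to describe the token that authenticates this request."""
    req = urllib.request.Request(
        f"{host.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def audit_token(info, today, min_days=180):
    """Return a list of findings; an empty list means the token fits the guide."""
    findings = []
    scopes = set(info.get("scopes", []))
    if not info.get("active", False) or info.get("revoked", False):
        findings.append("token is revoked or inactive")
    for s in sorted(REQUIRED - scopes):
        findings.append(f"missing scope: {s}")
    for s in sorted(scopes - REQUIRED):
        findings.append(f"scope not required by this guide: {s}")
    expires = info.get("expires_at")
    if expires:
        left = (date.fromisoformat(expires) - today).days
        if left < min_days:
            findings.append(f"expires in {left} days (guide: at least 6 months)")
    return findings

# Constructed sample responses (not real tokens or real GitLab output).
SAMPLE_GOOD = {"name": "Cremit Argus", "active": True, "revoked": False,
               "scopes": ["read_api", "read_repository"], "expires_at": "2026-01-31"}
SAMPLE_BAD = {"name": "Cremit Argus", "active": True, "revoked": False,
              "scopes": ["api", "read_api"], "expires_at": "2025-03-01"}

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(sample["scopes"], "->", audit_token(sample, SAMPLE_TODAY) or "OK")
```

To check a live token, pass the result of `fetch_token_info(host, token)` to `audit_token` with `date.today()`; read the token from an environment variable or prompt rather than placing it on the command line.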
Key Benefits
- Works across GitLab SaaS and self-hosted in the same workspace
- Full commit history, not just the current HEAD
- Merge request and issue body scanning covers paste-debugging patterns
- Auto-inclusion of new projects means coverage keeps up as your org grows