# GitLab Integration

GitLab is a web-based DevOps platform that enables teams to manage source code, CI/CD pipelines, issue tracking, code reviews, and project management in a single application.

Integrating GitLab with Sprinto allows Sprinto to automatically retrieve and evaluate your repository configurations to validate change management and access controls. This helps ensure enforcement of security best practices such as:

* Multi-factor authentication (MFA)
* Peer reviews before merge
* Branch protection rules
* Access control reviews
* Audit logging

If you are running an on-premise GitLab, refer to our detailed [integration guide](https://docs.sprinto.com/integrations/overview/self-hosted-gitlab-integration) for self-hosted GitLab.

{% hint style="info" %}

#### Note

Sprinto takes *read-only* access through this integration and does not read or store your source code. The permissions granted are used only to compute configuration states and map compliance checks.
{% endhint %}

#### Sprinto checks for GitLab

Below are the available Sprinto checks for GitLab:

<table><thead><tr><th width="506.1796875">Sprinto check</th><th width="186.97265625">Reference procedure</th></tr></thead><tbody><tr><td>Gitlab group level MFA should be enforced</td><td><a href="../../monitors/authentication-and-access-monitors/enforce-org-level-and-root-level-mfa">How to fix</a></td></tr><tr><td>Peer review should be enforced for code changes</td><td><a href="../../monitors/code-and-repository-monitors/pr-reviewer-is-different-from-author">How to fix</a></td></tr><tr><td>Merging of code changes should require passing status-checks</td><td><a href="../../monitors/code-and-repository-monitors/how-to-resolve-sprinto-check-for-enabling-branch-protection-rules">How to fix</a></td></tr><tr><td>Branch Protection rules should be enforced for admins</td><td><a href="../../monitors/code-and-repository-monitors/how-to-resolve-sprinto-check-for-enabling-branch-protection-rules">How to fix</a></td></tr><tr><td>Code changes should be reviewed by peers before merging</td><td><a href="../../monitors/code-and-repository-monitors/how-to-resolve-sprinto-check-for-enabling-branch-protection-rules">How to fix</a></td></tr><tr><td>Code repo should be classified</td><td><a href="../../data-library/change-management/dashboard-actions/classify-code-repositories">How to fix</a></td></tr><tr><td>Critical system access should be removed for offboarded users</td><td><a href="../../data-library/access/dashboard-actions/add-and-manage-critical-systems">How to fix</a></td></tr><tr><td>GitLab access should be removed for offboarded user</td><td><a href="../../monitors/authentication-and-access-monitors/resolve-sprinto-check-for-removing-access-for-offboarded-users">How to fix</a></td></tr></tbody></table>

### Supported Environments

* **GitLab Cloud (gitlab.com)** – Fully supported
* **Self-hosted GitLab** – Supported for **Change Management only**
* Self-hosted GitLab is **not supported for Vulnerability Scanning**

***

### How It Works

Once connected, Sprinto integrates with your GitLab account using OAuth and continuously syncs metadata required for compliance monitoring.

#### Group and Subgroup Coverage

Sprinto automatically discovers your GitLab group hierarchy, including nested subgroups at any depth.

* Selecting a parent group automatically includes all subgroups.
* Monitoring applies across all levels, including repositories, users, and permissions.
* Newly created subgroups are detected automatically during subsequent syncs.

This ensures complete coverage without requiring manual configuration for each subgroup.

#### Monitoring and Checks

Sprinto enables multiple monitors across access control, change management, and vulnerabilities.

**Access Control Monitoring**

* Ensures all GitLab users have MFA enabled.
* Detects offboarded users who still retain access.
* Identifies unknown or unclassified users for review.

**Change Management Monitoring**

* Verifies merge request approvals are enforced.
* Ensures CI/CD status checks are required before merging.
* Monitors branch protection settings, including admin overrides.

**Vulnerability Monitoring**

* Imports vulnerability data from CI/CD pipelines.
* Tracks remediation timelines against defined SLAs.
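
As an added example, not part of this page or Sprinto's product, the following Python evaluates the change-management and MFA checks listed above against constructed payloads shaped like GitLab REST API objects (projects, protected branches, project-level approvals, users). The field names are assumed from GitLab's API; the sample values are made up to show a failing configuration.

```python
# Added example (not Sprinto's code): evaluate GitLab settings against the
# checks listed above. Field names follow GitLab's REST API objects; the
# sample payloads are constructed to show a failing configuration.
NO_ACCESS = 0  # GitLab access level "No one"; 40 = Maintainer, 50 = Owner

PROJECT = {"path_with_namespace": "acme/payments", "default_branch": "main",
           "only_allow_merge_if_pipeline_succeeds": False}  # no status checks
PROTECTED_BRANCHES = [{
    "name": "main", "allow_force_push": False,
    "push_access_levels": [{"access_level": 40}],   # maintainers can bypass review
    "merge_access_levels": [{"access_level": 40}]}]
APPROVALS = {"approvals_before_merge": 1,
             "merge_requests_author_approval": True}  # author may self-approve
USERS = [{"username": "alice", "two_factor_enabled": True},
         {"username": "bob", "two_factor_enabled": False}]


def pipeline_required(project):
    """Merging must require a passing pipeline (status checks)."""
    return bool(project.get("only_allow_merge_if_pipeline_succeeds"))


def default_branch_locked(project, branches):
    """Default branch protected, not force-pushable, and nobody (maintainers included) may push directly."""
    for b in branches:
        if b["name"] == project.get("default_branch"):
            no_direct_push = all(lvl["access_level"] == NO_ACCESS
                                 for lvl in b.get("push_access_levels", []))
            return no_direct_push and not b.get("allow_force_push", True)
    return False  # an unprotected default branch fails the check


def peer_review_enforced(approvals):
    """At least one approval, and the author cannot approve their own MR."""
    return (approvals.get("approvals_before_merge", 0) >= 1
            and not approvals.get("merge_requests_author_approval", True))


def users_without_mfa(users):
    """Usernames with no second factor enrolled."""
    return sorted(u["username"] for u in users if not u.get("two_factor_enabled"))


def evaluate(project, branches, approvals, users):
    """Map each check to pass/fail, the way a compliance dashboard reports it."""
    return {"status_checks_required": pipeline_required(project),
            "branch_protection_for_admins": default_branch_locked(project, branches),
            "peer_review_enforced": peer_review_enforced(approvals),
            "mfa_enforced": not users_without_mfa(users)}
```

Running `evaluate(PROJECT, PROTECTED_BRANCHES, APPROVALS, USERS)` reports every check as failing for the constructed sample; flipping the three weak settings and enrolling `bob` in MFA makes all four pass.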

#### Multi-Connection Support

Sprinto supports connecting multiple GitLab accounts or instances. If a group is already tracked in one integration, Sprinto prevents duplicate tracking to avoid conflicts.

***

### Permissions and Data Access

Sprinto uses OAuth 2.0 to securely connect to GitLab.

#### Permissions Required

The following scopes are required:

* `read_api` – Access repository and configuration data.
* `read_repository` – Read repository metadata.
* `read_user` – Access user profile information.

#### Data Collected

Sprinto only collects metadata required for compliance:

* Repository details (name, visibility, configuration).
* Group and project configurations.
* User roles and membership information.
* Merge request metadata (excluding source code).
* CI/CD configuration for vulnerability monitoring.
* MFA status for users.

Sprinto does not access or store your source code.

All data is transmitted securely over HTTPS, and tokens are encrypted at rest.

***

### Prerequisites

Before connecting GitLab to Sprinto, ensure:

* You have Owner or Maintainer access in GitLab.
* OAuth authorisation is permitted for your GitLab account.
* For self-hosted GitLab:
  * The instance is accessible from Sprinto.
  * Required network configurations (firewalls, VPNs) allow API access.
* You understand the permissions required for GitLab, listed [here](https://docs.sprinto.com/data-library/understand-sprinto-permissions-and-resource-access#gitlab).

***

## How to Integrate GitLab with Sprinto

### Step 1: Connect GitLab in Sprinto

1. Log in to the Sprinto dashboard.
2. Navigate to **Settings**.
3. Open the **Integrations** section.
4. Search for **GitLab** in the *All* tab.
5. Click **Connect** next to GitLab.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FpmzW4EU5Zuj0oHTERfCE%2FScreenshot%202026-02-26%20at%2015.38.27.png?alt=media&#x26;token=43f6b723-ad22-44ee-bc34-4fec9dbdf4fe" alt="" width="563"><figcaption></figcaption></figure>

On the integration drawer:

1. Review the supported controls and automated checks.
2. Review the permissions required and data used by Sprinto.
3. Click **Next**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FxkRGpRR3DPe7aE2E68e1%2FScreenshot%202026-02-26%20at%2015.39.08.png?alt=media&#x26;token=1049f779-4d25-443a-8fae-43feac9f3413" alt="" width="375"><figcaption></figcaption></figure>

On the setup screen:

1. Confirm the connection type (OAuth).
2. Review the prerequisites.
3. Click **Connect**.

{% hint style="warning" %}

#### Important

Do not select the **Are you using self-hosted GitLab Service?** check box. For self-hosted GitLab integration, see [here](https://docs.sprinto.com/integrations/overview/self-hosted-gitlab-integration).
{% endhint %}

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FeLR3Qur8GiOJ92pcEaVU%2FScreenshot%202026-02-26%20at%2015.39.38.png?alt=media&#x26;token=d0cb27a3-427f-41d3-90bb-2952f44d8822" alt="" width="375"><figcaption></figcaption></figure>

***

### Step 2: Authorize Sprinto in GitLab

You will be redirected to GitLab.

1. Log in using:
   * Username and password, or
   * SSO options (Google, GitHub, Bitbucket, Salesforce, and so on)

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F27ls36Dmo2GVUjiTmgBw%2FScreenshot%202026-02-26%20at%2015.42.50.png?alt=media&#x26;token=dd719a17-35d3-4cfe-a1e6-9678a321c1d3" alt="" width="563"><figcaption></figcaption></figure>

2. Review the authorization screen for **Sprinto Audit Application**.
3. Click **Authorize** to grant access.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F9HUI80K0zxVglwaJ3KVb%2Fgittu.png?alt=media&#x26;token=8bae9c60-3955-4a96-92c8-9b745e62cc31" alt=""><figcaption></figcaption></figure>

Once authorized, you will be redirected back to Sprinto, and the integration will be marked as **Connected**.

***

## Post-Connection Configuration

After connecting GitLab, configure it within Sprinto to activate monitoring and compliance checks.

#### Initial Sync

* Initial sync typically completes within 5–20 minutes.
* Full compliance computation may take up to 24 hours depending on data size.

#### Change Management Configuration

* Set GitLab as your Change Management source to track merge requests automatically.
* Sprinto begins collecting evidence for code changes and approvals.

#### Access Control Setup

* GitLab is added as a critical access system.
* Sprinto tracks user access, MFA status, and offboarding compliance.

#### Sync Behaviour

* Repository and user data sync periodically (typically every 12–24 hours).
* Vulnerability data syncs every 6–12 hours.
* Certain updates may reflect in near real-time depending on system events.

#### Vulnerability Scanning (Optional)

To enable vulnerability monitoring:

* Add a scanning job (for example, SLScan) to your GitLab CI/CD pipeline.
* Ensure reports are generated and stored as pipeline artifacts.
* Sprinto automatically retrieves and maps vulnerabilities for compliance tracking.

### Configure GitLab as a Change Management System

1. Navigate to **Data Library > Change Management**.
2. Click **Add system** under the Change Management Systems tab.
3. Click **Add** next to GitLab.
   * If the integration was successful, GitLab will appear as **Connected**.
4. On the configuration page:
   * Review the groups selected for monitoring.
   * Click **Add another group** if needed.
5. Click **Add as a change management system**.

The groups selected in Change Management will then appear in the GitLab integration sync.

### Configure GitLab as a Critical Access System

To enable access reviews:

1. Navigate to **Data Library > Access > Overview**.
2. Click **Add Critical System**.
3. Select **GitLab**.
4. Click **Add System**.

After adding:

1. Select GitLab from the list of critical systems.
2. Under the **Summary** tab, click **Configure** for Access Validity.
3. Choose how access is managed:
   * **All staff members are allowed access**, or
   * **Role-based access**

#### Sync Timeline

After configuration:

* Initial sync begins immediately.
* Allow **15–20 minutes** for the first data sync.
* Full configuration computation may take up to **24 hours**, depending on repository size and data volume.

***

## Troubleshooting

#### Connection Issues

* Re-authorise the integration if the OAuth token has expired.
* Ensure the connected user still has required permissions.
* Verify network connectivity for self-hosted GitLab instances.

#### Missing Repositories or Groups

* Ensure the repositories are not archived or deleted.
* Confirm the connected user has access to those repositories.
* Verify the relevant groups were selected during setup.

#### MFA Enforcement Failures

* Identify users without MFA in Sprinto.
* Enable MFA for those users in GitLab.
* Re-run the check to validate compliance.

#### Offboarded Users Still Have Access

* Remove the user’s access from GitLab.
* Wait for the next sync cycle.
* The check will automatically pass once access is revoked.

***

### Support

Please contact [Sprinto Support](mailto:www.support@sprinto.com) if you have any queries related to the integration or need any assistance.
