Skip to main content

Restrict Token Scopes in GitLab

Type: Rule
ID: gitlab-org-allowed-token-scope
Source: v2/rules/gitlab/org/allow-token-scopes.yaml
Rego Source: allow-token-scopes.rego
Labels: Gitlab, Organization

Verify all tokens in the GitLab organization are restricted to allowed scopes to prevent excessive permission.

note

This rule requires Gitlab Organization Discovery Evidence. See here for more details.

tip

Signed Evidence for this rule IS NOT required by default but is recommended.

warning

Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.

Usage example

uses: gitlab/org/allow-token-scopes@v2
with:
allowed_token_scopes:
- api
- read_api
- read_repository
- read_registry

Description

This rule ensures that all tokens in the GitLab organization are restricted to allowed scopes to prevent excessive permission. It performs the following steps:

  1. Checks the settings of the GitLab organization.
  2. Verifies that all tokens are restricted to allowed scopes.

Evidence Requirements:

  • Evidence must be provided by the Scribe Platform's CLI tool through scanning GitLab organization resources.

Evidence Requirements

FieldValue
signedFalse
content_body_typegeneric
target_typedata
predicate_typehttp://scribesecurity.com/evidence/discovery/v0.1
labels- platform=gitlab
- asset_type=organization

Input Definitions

ParameterTypeRequiredDescription
allowed_token_scopesarrayFalseList of allowed token scopes in the GitLab organization.