Skip to content

The 28 GitLab security checks Black Cat runs

Black Cat SSPM evaluates 28 security policies against your GitLab configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumGroup Membership Unlocked

Lock GitLab group membership to prevent subgroup owners from adding members outside the hierarchy

criticalProject Merge Approvals Disabled

Require at least one merge request approval for GitLab projects

criticalProject Branch Protection Disabled

Enable branch protection on the default GitLab project branch to restrict direct pushes

highProject Force Push Allowed

Disable force push on the default protected branch of the GitLab project

mediumProject No Code Owner Approval

Require code owner approval on the default GitLab project branch and create a CODEOWNERS file

lowDeactivated Member Not Removed

Remove deactivated GitLab members from the group and any subgroups

lowPending Invitation Not Accepted

Review and resend or revoke long-pending GitLab group invitations

mediumGroup Subgroup Creation Permissive

Restrict subgroup creation to group owners only

mediumBlocked Member Not Removed

Remove blocked members from the GitLab group

configuration

mediumGroup No IP Restriction

Add IP address restrictions to the GitLab group to limit access to organization networks

mediumProject Container Scanning Disabled

Enable container scanning in the GitLab CI/CD pipeline for the project

mediumProject Discussions Not Required

Require all merge request discussions to be resolved before merging in GitLab

mediumShared Runner Not Locked

Disable shared runners on sensitive GitLab projects and use project-specific runners instead

lowActive Runner Offline

Investigate and restore offline GitLab runners by checking connectivity and runner service status

highIntegration Insecure URL

Update GitLab integration webhook URLs to use HTTPS and enable SSL verification

lowNo Compliance Framework

Assign a compliance framework to the GitLab project to enforce governance pipelines

highProject Pipeline Not Required

Require CI pipelines to succeed before merge requests can be merged

lowRunner Not Locked to Project

Lock group or project runners to prevent unauthorized use across projects

mediumProject Shared Runners Enabled

Disable shared runners on projects that should use dedicated runners

mfa

criticalGroup 2FA Not Enforced

Enforce two-factor authentication for all members of the GitLab group

mediumGroup 2FA Grace Period Too Long

Reduce the GitLab group 2FA grace period to 48 hours or less

highMember Without 2FA

Contact GitLab group members who have not enrolled in 2FA and direct them to set it up

criticalGroup Owner Without 2FA

Ensure all group owners have two-factor authentication enabled immediately

sharing

highGroup Public Visibility

Change GitLab group visibility from Public to Private or Internal

mediumGroup Sharing Unlocked

Enable Share with group lock in GitLab to prevent projects from being shared outside the group

highGroup Forking Allowed Outside

Prevent project forking outside the GitLab group to protect source code

highGroup Sharing Outside Organization

Prevent GitLab groups from being shared outside the organization hierarchy

mediumPublic Project

Review public GitLab projects and change visibility to Private or Internal if they contain sensitive code

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial