GitLab Watchman is an application that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally – this includes code, commits, wiki pages and more.
GitLab Watchman searches GitLab for internally shared projects and looks at:
- Code
- Commits
- Wiki pages
- Issues
- Merge requests
- Milestones
For the following data:
- GCP keys and service account files
- AWS keys
- Azure keys and service account files
- Google API keys
- Slack API tokens & webhooks
- Private keys (SSH, PGP, any other misc private key)
- Exposed tokens (Bearer tokens, access tokens, client_secret etc.)
- S3 config files
- Passwords in plaintext
- CI/CD variables exposed publicly
- and more
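To show what a signature-based scan over the content types listed above looks like in practice, here is a small added example. It is not GitLab Watchman's own code (the tool ships its own signature set); the regexes below are my assumptions about common token formats, the sample blobs and issue text are constructed, and the `Finding` record shape is illustrative. It also shows the one thing a scanner must get right before its results go anywhere near a log platform: redact the match, so the finding does not become a second copy of the secret.

```python
"""Toy secret scanner in the spirit of GitLab Watchman (added example, not the tool's code)."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Dict, List

# Illustrative signatures. Assumption: these are NOT GitLab Watchman's rules;
# they cover a few of the data types listed above with well-known prefixes.
SIGNATURES: Dict[str, "re.Pattern"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Za-z]+/B[0-9A-Za-z]+/[0-9A-Za-z]+"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    # Group 1 captures only the password value, so only that part is reported.
    "plaintext_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}


@dataclass
class Finding:
    project: str      # GitLab project path
    source: str       # blob, commit, wiki, issue, merge_request, ...
    path: str         # file path or item title
    line: int
    signature: str
    evidence: str     # redacted match: never log the live secret


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(project: str, source: str, path: str, text: str) -> List[Finding]:
    """Run every signature over each line and return redacted findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(project, source, path, line_no, name, redact(secret)))
    return findings


def scan_all(items) -> List[Finding]:
    out: List[Finding] = []
    for item in items:
        out.extend(scan_text(**item))
    return out


def to_json_lines(findings: List[Finding]) -> str:
    """One JSON object per line, the shape most SIEMs ingest directly."""
    return "\n".join(json.dumps(asdict(f), sort_keys=True) for f in findings)


# Constructed sample content standing in for what the GitLab API would return.
# Note the AWS secret key on line 2 of variables.tf: it has no fixed prefix and
# is deliberately not caught here; real rule sets pair it with keyword context.
SAMPLE_ITEMS = [
    {"project": "infra/terraform", "source": "blob", "path": "variables.tf",
     "text": 'aws_access_key = "AKIAIOSFODNN7EXAMPLE"\n'
             'aws_secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'},
    {"project": "web/app", "source": "blob", "path": "config/settings.py",
     "text": "DB_PASSWORD = 'hunter2-not-a-secret'\n"
             "SLACK_WEBHOOK = 'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'\n"},
    {"project": "ops/keys", "source": "blob", "path": "deploy.pem",
     "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"},
    {"project": "web/app", "source": "issue", "path": "API returns 500 on login",
     "text": "Repro: curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop' https://api.example.test/me\n"},
    {"project": "docs", "source": "wiki", "path": "README.md",
     "text": "Run the job with `gitlab-watchman --timeframe d --all`.\n"},
]

if __name__ == "__main__":
    print(to_json_lines(scan_all(SAMPLE_ITEMS)))
```

The JSON-lines output is what makes the results easy to forward to a log platform; keeping the secret out of `evidence` is what makes that forwarding safe.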
Using GitLab Watchman to Audit Gitlab For Sensitive Data
GitLab Watchman is installed as a global command; use it as follows:
```text
usage: gitlab-watchman [-h] --timeframe {d,w,m,a} --output {file,stdout,stream}
                       [--version] [--all] [--blobs] [--commits] [--wiki-blobs]
                       [--issues] [--merge-requests] [--milestones] [--comments]

Monitoring GitLab for sensitive data shared publicly

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --all                 Find everything
  --blobs               Search code blobs
  --commits             Search commits
  --wiki-blobs          Search wiki blobs
  --issues              Search issues
  --merge-requests      Search merge requests
  --milestones          Search milestones
  --comments            Search comments

required arguments:
  --timeframe {d,w,m,a}
                        How far back to search: d = 24 hours, w = 7 days,
                        m = 30 days, a = all time
  --output {file,stdout,stream}
                        Where to send results
```
You can run GitLab Watchman to look for everything across all time and send the results to the default output, stdout (the help text above lists `--output` as required, so add `--output stdout` if your installed version insists on it):

```text
gitlab-watchman --timeframe a --all
```
Or arguments can be combined to search more granularly. This looks at commits and milestones from the last 30 days and sends the results to a TCP stream:

```text
gitlab-watchman --timeframe m --commits --milestones --output stream
```
Logging in GitLab Watchman to Audit Gitlab For Sensitive Data
GitLab Watchman gives the following logging options:
- Log file
- Stdout
- TCP stream
Results are output in JSON format, perfect for ingesting into a SIEM or other log analysis platform.
For file and TCP stream logging, configuration options need to be passed via a .conf file or environment variables. See the file docs/logging.md for instructions on how to set this up.
If no logging option is given, GitLab Watchman defaults to Stdout logging.