GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials

Last updated: February 3, 2021 | 3,106 views

GitLab Watchman is an application that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally – this includes code, commits, wiki pages and more.

GitLab Watchman searches GitLab for internally shared projects and looks at:

Code
Commits
Wiki pages
Issues
Merge requests
Milestones

For the following data:

GCP keys and service account files
AWS keys
Azure keys and service account files
Google API keys
Slack API tokens & webhooks
Private keys (SSH, PGP, any other misc private key)
Exposed tokens (Bearer tokens, access tokens, client_secret etc.)
S3 config files
Passwords in plaintext
CICD variables exposed publicly
and more

Using GitLab Watchman to Audit Gitlab For Sensitive Data

GitLab Watchman will be installed as a global command, use as follows:

usage: gitlab-watchman [-h] --timeframe {d,w,m,a} --output
                   {file,stdout,stream} [--version] [--all] [--blobs]
                   [--commits] [--wiki-blobs] [--issues] [--merge-requests]
                   [--milestones] [--comments]

Monitoring GitLab for sensitive data shared publicly

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --all                 Find everything
  --blobs               Search code blobs
  --commits             Search commits
  --wiki-blobs          Search wiki blobs
  --issues              Search issues
  --merge-requests      Search merge requests
  --milestones          Search milestones
  --comments            Search comments

required arguments:
  --timeframe {d,w,m,a}
                        How far back to search: d = 24 hours w = 7 days, m =
                        30 days, a = all time
  --output {file,stdout,stream}
                        Where to send results

usage: gitlab-watchman [-h] --timeframe {d,w,m,a} --output

{file,stdout,stream} [--version] [--all] [--blobs]

[--commits] [--wiki-blobs] [--issues] [--merge-requests]

[--milestones] [--comments]

Monitoring GitLab for sensitive data shared publicly

optional arguments:

-h, --help show this help message and exit

--version show program's version number and exit

--all Find everything

--blobs Search code blobs

--commits Search commits

--wiki-blobs Search wiki blobs

--issues Search issues

--merge-requests Search merge requests

--milestones Search milestones

--comments Search comments

required arguments:

--timeframe {d,w,m,a}

How far back to search: d = 24 hours w = 7 days, m =

30 days, a = all time

--output {file,stdout,stream}

Where to send results

You can run GitLab Watchman to look for everything, and output to default Stdout:

gitlab-watchman --timeframe a --all

1	gitlab-watchman --timeframe a --all

Or arguments can be grouped together to search more granularly. This will look for commits and milestones for the last 30 days, and output the results to a TCP stream:

gitlab-watchman --timeframe m --commits --milestones --output stream

1	gitlab-watchman --timeframe m --commits --milestones --output stream

Logging in GitLab Watchman to Audit Gitlab For Sensitive Data

GitLab Watchman gives the following logging options:

Log file
Stdout
TCP stream

Results are output in JSON format, perfect for ingesting into a SIEM or other log analysis platform.

For file and TCP stream logging, configuration options need to be passed via .conf file or environment variable. See the file docs/logging.md for instructions on how to set it up.

If no logging option is given, GitLab Watchman defaults to Stdout logging.

You can download Gitlab Watchman here:

gitlab-watchman-1.4.0.tar.gz

Or read more here.

Share186

Tweet15

Buffer4

205 Shares