GitLab
Visualize GitLab users, groups, code repositories, and merge requests, map GitLab users to employees and development/security trainings, and monitor changes through queries and alerts.
Installation
To use this integration, JupiterOne requires a GitLab personal access token configured with read access (read_api scope) and the API base URL (such as https://gitlab.com).
Configuration in JupiterOne
To install the GitLab integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select GitLab. Click New Instance to begin configuring your integration.
Creating an instance requires the following:
- Account Name by which you'd like to identify this GitLab account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when Tag with Account Name is selected.
- Description that will further assist your team when identifying the integration instance.
- Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
- Personal Access Token configured for read access in GitLab. Once your token has expired, the integration will no longer run successfully, and the token will be revoked from your GitLab account. You will need to create another token to replace the expired one.
- Your GitLab API Base URL (e.g., https://gitlab.com, or your self-managed instance URL).
Data Volume Configuration
Control how much data is ingested from GitLab to manage storage and processing.
Ingestion Windows (Time Ranges)
| Field | Description | Default | Options |
|---|---|---|---|
| Merge Requests Ingestion Window | Ingestion window for updated merge requests (days ago) | 90 | 90, 180, 275, 365 |
How it affects data volume: Longer windows increase the number of merge requests ingested from GitLab.
Data Filtering Options
| Field | Type | Description | Default |
|---|---|---|---|
| Included Vulnerability Severities | Multi-select | Select vulnerability severities to ingest | Medium, High, Critical |
| Included Vulnerability States | Multi-select | Select vulnerability states to ingest | Confirmed, Detected |
| Included Vulnerability Report Types | Multi-select | Select vulnerability report types to ingest | None (all disabled by default) |
| Ingest Regular Users Only | Boolean | Skip all bot accounts including project and group bots | false |
How it affects data volume:
- Severity filtering reduces vulnerabilities by excluding lower-severity findings. By default, only Medium, High, and Critical severities are ingested.
- State filtering limits vulnerabilities to selected states. By default, only Confirmed and Detected vulnerabilities are ingested (Dismissed and Resolved are excluded).
- Report type filtering allows selecting specific vulnerability scan types (SAST, DAST, Container Scanning, etc.). By default, all types are disabled and must be explicitly enabled.
- User filtering, when enabled, excludes bot accounts from ingestion, reducing the number of user entities.
Click Create after all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Roles
RBAC roles that must be assigned to the integration principal.
- Developer
- Guest
- Maintainer
- Reporter
OAuth Scopes
OAuth scopes that must be granted to the application or service principal.
- read_api
- read_user
Endpoints
API endpoints that the integration makes requests to.
- /api/graphql
- /api/v4/projects/:id/pipelines
- /api/v4/projects/:id/pipelines/:pipeline_id
- /api/v4/projects/:id/pipelines/:pipeline_id/jobs
- /api/v4/projects/:id/vulnerability_findings
- /api/v4/users
- /api/v4/users/:id
Documentation Links
Links to provider documentation relevant to setup and configuration.
- https://docs.gitlab.com/ee/api/graphql/reference/#groups
- https://docs.gitlab.com/ee/api/graphql/reference/#mergerequestcommits
- https://docs.gitlab.com/ee/api/graphql/reference/#projectbranchrules
- https://docs.gitlab.com/ee/api/graphql/reference/#querycurrentuser
- https://docs.gitlab.com/ee/api/graphql/reference/#querymetadata
- https://docs.gitlab.com/ee/api/jobs.html
- https://docs.gitlab.com/ee/api/labels.html
- https://docs.gitlab.com/ee/api/merge_requests.html
- https://docs.gitlab.com/ee/api/pipelines.html
- https://docs.gitlab.com/ee/api/projects.html
- https://docs.gitlab.com/ee/api/users.html
- https://docs.gitlab.com/ee/api/vulnerability_findings.html
Per-Step Breakdown
Detailed authorization requirements for each ingestion step.
| Step | Roles | OAuth Scopes | Endpoints |
|---|---|---|---|
| Fetch Branch Rules | Maintainer | read_api | /api/graphql |
| Fetch CI jobs | Reporter | read_api | /api/v4/projects/:id/pipelines/:pipeline_id/jobs |
| Fetch merge requests | Reporter | read_api | /api/graphql |
| Fetch MR commits | Reporter | read_api | /api/graphql |
| Fetch pipelines | Reporter | read_api | /api/v4/projects/:id/pipelines, /api/v4/projects/:id/pipelines/:pipeline_id |
| Fetch Project Labels | Guest | read_api | /api/graphql |
| Fetch projects | Guest | read_api | /api/graphql |
| Fetch users | Reporter | read_user, read_api | /api/graphql, /api/v4/users, /api/v4/users/:id |
| Fetch Vulnerability Findings | Developer | read_api | /api/graphql, /api/v4/projects/:id/vulnerability_findings |
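A pre-flight check built from the table above, as an added example that is not part of JupiterOne's integration code. It assumes each step's listed role is a minimum, that every scope listed for a step is required, and that the caller supplies the token metadata (a dict shaped like GitLab's GET /api/v4/personal_access_tokens/self response) and the token owner's numeric access level; the sample token is constructed.

```python
from datetime import date

# GitLab numeric access levels for the four roles listed on this page.
ACCESS_LEVELS = {"Guest": 10, "Reporter": 20, "Developer": 30, "Maintainer": 40}
# Role (treated as a minimum) and scopes per step, copied from the table above.
STEPS = {
    "Fetch Branch Rules": ("Maintainer", {"read_api"}),
    "Fetch CI jobs": ("Reporter", {"read_api"}),
    "Fetch merge requests": ("Reporter", {"read_api"}),
    "Fetch MR commits": ("Reporter", {"read_api"}),
    "Fetch pipelines": ("Reporter", {"read_api"}),
    "Fetch Project Labels": ("Guest", {"read_api"}),
    "Fetch projects": ("Guest", {"read_api"}),
    "Fetch users": ("Reporter", {"read_user", "read_api"}),
    "Fetch Vulnerability Findings": ("Developer", {"read_api"}),
}
NEEDED_SCOPES = {"read_api", "read_user"}

def preflight(token, access_level, today):
    """Return the steps this token cannot run (with reasons) and hygiene flags."""
    scopes = set(token["scopes"])
    # GitLab's broad `api` scope also grants everything the read-only scopes do.
    effective = scopes | NEEDED_SCOPES if "api" in scopes else scopes
    expires = token.get("expires_at")
    days_left = (date.fromisoformat(expires) - today).days if expires else None
    usable = token.get("active", False) and not token.get("revoked", False)
    blocked = {}
    for step, (role, needed) in STEPS.items():
        reasons = []
        if not usable:
            reasons.append("token inactive or revoked")
        if access_level < ACCESS_LEVELS[role]:
            reasons.append(f"needs {role} role")
        if needed - effective:
            reasons.append("missing scope " + ", ".join(sorted(needed - effective)))
        if reasons:
            blocked[step] = reasons
    # Anything beyond the two read scopes is more privilege than the page asks for.
    return {"blocked": blocked, "days_left": days_left,
            "excess_scopes": sorted(scopes - NEEDED_SCOPES)}

# Constructed sample: Reporter-level owner, one needed scope plus a write scope.
SAMPLE_TOKEN = {"active": True, "revoked": False, "expires_at": "2025-09-01",
                "scopes": ["read_api", "write_repository"]}

if __name__ == "__main__":
    report = preflight(SAMPLE_TOKEN, ACCESS_LEVELS["Reporter"], date(2025, 8, 25))
    for step, reasons in report["blocked"].items():
        print(f"{step}: {'; '.join(reasons)}")
    print("excess:", report["excess_scopes"], "days left:", report["days_left"])
```

A non-empty excess_scopes list means the token carries more privilege than the integration needs, and a small days_left value is a cue to rotate the token before ingestion stops.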
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Account | gitlab_account | Account |
| Branch Rule | gitlab_branch_rule | Rule |
| CI Job | gitlab_ci_job | Task |
| Commit | gitlab_commit | CodeCommit |
| Finding | gitlab_finding | Finding |
| Group | gitlab_group | Group |
| Label | gitlab_label | Record |
| Merge Request | gitlab_merge_request | CodeReview, PR |
| Pipeline | gitlab_pipeline | Workflow |
| Project | gitlab_project | CodeRepo, Project |
| User | gitlab_user | User |
Relationships
The following relationships are created:
| Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
| gitlab_account | HAS | gitlab_group |
| gitlab_account | HAS | gitlab_project |
| gitlab_group | HAS | gitlab_group |
| gitlab_group | HAS | gitlab_project |
| gitlab_group | HAS | gitlab_user |
| gitlab_merge_request | HAS | gitlab_commit |
| gitlab_merge_request | HAS | gitlab_pipeline |
| gitlab_pipeline | HAS | gitlab_ci_job |
| gitlab_project | HAS | gitlab_user |
| gitlab_project | HAS | gitlab_finding |
| gitlab_project | HAS | gitlab_merge_request |
| gitlab_project | HAS | gitlab_label |
| gitlab_project | HAS | gitlab_branch_rule |
| gitlab_project | HAS | gitlab_pipeline |
| gitlab_user | APPROVED | gitlab_merge_request |
| gitlab_user | OPENED | gitlab_merge_request |
Gitlab Account
gitlab_account inherits from Account
| Property | Type | Description | Specifications |
|---|---|---|---|
| enterprise * | boolean | | |
| id * | string | | |
| name * | string | | |
| revision * | string | | |
| vendor * | string | | |
| version * | string | | |
Gitlab Branch Rule
gitlab_branch_rule inherits from Rule
| Property | Type | Description | Specifications |
|---|---|---|---|
| allowForcePush | boolean | | |
| codeOwnerApprovalRequired | boolean | | |
| createdOn | number | | |
| id * | string | | |
| isDefault * | boolean | | |
| isProtected * | boolean | | |
| matchingBranchesCount * | number | | |
| name * | string | | |
| updatedOn | number | | |
Gitlab Ci Job
gitlab_ci_job inherits from Task
| Property | Type | Description | Specifications |
|---|---|---|---|
| artifactFileTypes | array of strings | List of artifact file types produced by the job (e.g. archive, metadata, trace). | |
| artifactsExpireOn | number | Timestamp when this job's artifacts expire. | |
| coverage | number | Reported test coverage percentage for the job, if configured. | |
| duration | number | Job execution duration in seconds. | |
| erasedOn | number | Timestamp the job log was erased, if it was (audit signal). | |
| failureReason | string | GitLab-provided enum describing why the job failed (e.g. script_failure, runner_system_failure). | |
| finishedOn | number | Timestamp the job finished (epoch millis). | |
| hasArtifacts | boolean | True when the job produced one or more artifacts. | |
| isAllowedToFail | boolean | True if the job is permitted to fail without failing the pipeline. | |
| isArchived | boolean | True when the job has been archived. | |
| isRunnerActive | boolean | True when the runner is active. | |
| isRunnerShared | boolean | True when the runner is shared (cross-project pool). | |
| isTag | boolean | True when the job ran for a Git tag. | |
| pipelineId * | number | Numeric ID of the pipeline this job belongs to. | |
| projectId * | number | Numeric ID of the project this job belongs to. Used in _key for global uniqueness. | |
| queuedDuration | number | Time the job spent queued before starting, in seconds. | |
| ref | string | Branch or tag this job ran against. | |
| runnerDescription | string | Human-readable description of the runner that executed the job. | |
| runnerId | number | Numeric ID of the runner that executed the job (if any). | |
| runnerType | string | Runner scope: instance_type, group_type, or project_type. | |
| sha | string | Commit SHA the job ran against. | |
| source | string | Trigger source for the parent pipeline (push, schedule, merge_request_event, ...). | |
| stage | string | CI stage the job belongs to (e.g. build, test, deploy). | |
| startedOn | number | Timestamp the job started executing (epoch millis). | |
| tagList | array of strings | Runner tags requested by the job (.gitlab-ci.yml tags). | |
| userId | number | Numeric ID of the user who triggered the job. | |
| userUsername | string | Username of the user who triggered the job. | |
Gitlab Commit
gitlab_commit inherits from CodeCommit
| Property | Type | Description | Specifications |
|---|---|---|---|
| authoredOn | number | | |
| authorEmail | string | | |
| authorName | string | | |
| branch * | string | | |
| committedOn | number | | |
| committerEmail | string | | |
| committerName | string | | |
| commitWebLink * | string | | |
| createdOn | number | deprecated: true | |
| id * | string | | |
| merge * | boolean | | |
| message * | string | | |
| name * | string | | |
| shortId * | string | | |
| title | string | | |
| versionBump * | boolean | | |
| webLink * | string | | |
Gitlab Finding
gitlab_finding inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| createVulnerabilityFeedbackDismissalPath * | string | deprecated: true | |
| createVulnerabilityFeedbackIssuePath * | string | deprecated: true | |
| createVulnerabilityFeedbackMergeRequestPath * | string | deprecated: true | |
| description | string | | |
| dismissalFeedback | string | deprecated: true | |
| dismissalReason | string | | |
| falsePositive | boolean | | |
| identifiers | array of strings | | |
| links | array of strings | | |
| projectFingerprint | string | deprecated: true | |
| reportType | string | | |
| scanner.externalId | string | | |
| scanner.name | string | | |
| scanner.vendor | string | | |
| solution | string | | |
| state | string | | |
| uuid | string | | |
| vulnerabilityPath | string | | |
Gitlab Group
gitlab_group inherits from Group
| Property | Type | Description | Specifications |
|---|---|---|---|
| autoDevopsEnabled | boolean | | |
| createdOn | number | | |
| description | string | | |
| emailsDisabled | boolean | | |
| fullName * | string | | |
| fullPath * | string | | |
| id * | string | | |
| lfsEnabled | boolean | | |
| mentionsDisabled | boolean | | |
| name * | string | | |
| parentGroupId | string | | |
| path * | string | | |
| projectCreationLevel | string | | |
| requestAccessEnabled | boolean | | |
| requireTwoFactorAuthentication | boolean | | |
| shareWithGroupLock | boolean | | |
| subgroupCreationLevel | string | | |
| twoFactorGracePeriod | number | | |
| visibility | string | | |
| webUrl * | string | | |
Gitlab Label
gitlab_label inherits from Record
| Property | Type | Description | Specifications |
|---|---|---|---|
| color * | string | | |
| description | string | | |
| id * | string | | |
| lockOnMerge * | boolean | | |
| name * | string | | |
| textColor * | string | | |
Gitlab Merge Request
gitlab_merge_request inherits from CodeReview, PR
| Property | Type | Description | Specifications |
|---|---|---|---|
| allowCollaboration | boolean | | |
| approved * | boolean | | |
| approverIds * | array of strings | | |
| approverLogins * | array of strings | | |
| approvers * | array of strings | | |
| authorId | string | | |
| authorLogin | string | | |
| authorName | string | | |
| closedOn | number | | |
| commitWebLink | string | | |
| createdOn | number | | |
| forceRemoveSourceBranch | boolean | | |
| id * | string | | |
| iid * | string | | |
| mergeCommitSha | string | | |
| mergedOn | number | | |
| mergeWhenPipelineSucceeds | boolean | | |
| name * | string | | |
| projectId * | number | | |
| repository * | string | | |
| sha | string | | |
| shouldRemoveSourceBranch | boolean | | |
| source * | string | | |
| squash * | boolean | | |
| state * | string | | |
| target * | string | | |
| title * | string | | |
| updatedOn | number | | |
| webLink | string | | |
Gitlab Pipeline
gitlab_pipeline inherits from Workflow
| Property | Type | Description | Specifications |
|---|---|---|---|
| beforeSha | string | Previous commit SHA prior to the pipeline run. | |
| committedOn | number | Timestamp of the commit that triggered the pipeline (epoch millis). | |
| coverage | number | Reported test coverage percentage (0-100), if a coverage parser is configured. | |
| duration | number | Pipeline execution duration in seconds. | |
| finishedOn | number | Timestamp the pipeline finished (epoch millis). | |
| iid | string | Project-internal pipeline number (visible in GitLab UI). | |
| isArchived | boolean | True when the pipeline has been archived. | |
| isTag | boolean | True when the pipeline ran for a Git tag rather than a branch. | |
| projectId * | number | Numeric ID of the project this pipeline belongs to. Used in _key for global uniqueness. | |
| queuedDuration | number | Time the pipeline spent queued before starting, in seconds. | |
| ref | string | Branch or tag name this pipeline ran against. | |
| sha | string | Head commit SHA the pipeline ran against. | |
| source | string | Trigger source (push, web, schedule, api, merge_request_event, etc.). | |
| startedOn | number | Timestamp the pipeline started running (epoch millis). | |
| triggeredByUserId | number | Numeric ID of the user who triggered the pipeline. | |
| triggeredByUsername | string | Username of the user who triggered the pipeline. | |
| yamlErrors | string | YAML parse/validation errors that prevented the pipeline from running, if any. | |
Gitlab Project
gitlab_project inherits from CodeRepo, Project
| Property | Type | Description | Specifications |
|---|---|---|---|
| allowMergeOnSkippedPipeline * | boolean | | |
| archived | boolean | | |
| autocloseReferencedIssues | boolean | | |
| containerRegistryEnabled | boolean | | |
| createdOn | number | | |
| description | string | | |
| fullName * | string | | |
| id * | string | | |
| issuesEnabled | boolean | | |
| jobsEnabled | boolean | | |
| mergeRequestsEnabled | boolean | | |
| name * | string | | |
| onlyAllowMergeIfAllDiscussionsAreResolved | boolean | | |
| onlyAllowMergeIfPipelineSucceeds | boolean | | |
| public * | boolean | | |
| publicJobs | boolean | | |
| removeSourceBranchAfterMerge | boolean | | |
| requestAccessEnabled | boolean | | |
| sharedRunnersEnabled | boolean | | |
| snippetsEnabled | boolean | | |
| topics * | array of strings | | |
| visibility | string | | |
| webLink | string | | |
| wikiEnabled | boolean | | |
Gitlab User
gitlab_user inherits from User
| Property | Type | Description | Specifications |
|---|---|---|---|
| canCreateGroup | boolean | | |
| canCreateProject | boolean | | |
| external | boolean | | |
| privateProfile | boolean | | |
| publicEmail | string | | |
| state * | string | | |
| trial | boolean | | |
| twoFactorEnabled | boolean | | |
Release Notes
- 2025-08-22 — Added configuration option to skip disabled GitLab projects during ingestion.
- 2025-08-21 — Added configuration option to fetch all visible GitLab projects regardless of user membership, enabling ingestion of all projects accessible to the authenticated user.
- 2025-08-19 — Added optional separate token configuration for GitLab vulnerability findings ingestion, enabling auditor users to ingest findings when the main API token lacks sufficient permissions.
- 2025-08-04 — Added configuration option to ingest only human GitLab users, excluding bot and service accounts.