Connect

Create a GitLab access token

In GitLab, create a personal, group, or service-account token on an account
that can access the repositories you want Gecko to scan:
- Name: Gecko Security
- Expiration: 1 year, or your team’s standard rotation window
- Role: Developer or higher on the target projects
- Scope: api

The api scope is required to post comments on merge requests. With a
narrower scope, scans still run but MR comments fail with 403.

Add the token in Gecko

Go to Settings > GitLab and enter your instance URL and token. Use
the base URL only. Do not include /api/v4.
- GitLab.com: use https://gitlab.com as the instance URL. No IP allowlisting needed.
- Self-managed: use your instance’s base URL.
- GitLab Dedicated: use your tenant URL.

Gecko validates the token with GET {instance}/api/v4/user. For security,
Gecko rejects instance URLs that aren’t HTTPS or that point at private or
loopback addresses.
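Gecko performs the instance-URL check on its side; the following is an added example (not Gecko’s code) showing the same policy in Python: HTTPS only, base URL only, and no loopback, private, link-local or otherwise non-public destination, including what a hostname resolves to. The `resolve` parameter is assumed for illustration so the check can be run against a stub resolver as well as live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Default resolver: every IPv4/IPv6 address the hostname currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}


def validate_instance_url(url, resolve=resolve_host):
    """Return the normalised base URL, or raise ValueError saying why it is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("instance URL must start with https://")
    if not parts.hostname:
        raise ValueError("instance URL has no hostname")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the instance URL")
    if parts.path.strip("/") or parts.query or parts.fragment:
        raise ValueError("use the base URL only, without /api/v4 or any other path")

    host = parts.hostname
    try:
        addresses = {ipaddress.ip_address(host)}  # the URL carries a literal IP
    except ValueError:
        # Hostname: judge it by the addresses it resolves to, not by its spelling.
        addresses = {ipaddress.ip_address(a) for a in resolve(host)}
    if not addresses:
        raise ValueError(f"{host} did not resolve to any address")

    for addr in addresses:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        # is_global is False for loopback, RFC 1918, link-local, CGNAT, reserved,
        # unspecified and documentation ranges, so one test covers all of them.
        if not addr.is_global:
            raise ValueError(f"{host} points at non-public address {addr}")

    port = f":{parts.port}" if parts.port not in (None, 443) else ""
    return f"https://{host}{port}"
```

Resolving the hostname at validation time is what catches a public-looking name that points at an internal address; a production check should also resolve again at connect time, since DNS answers can change between the two.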
Select repositories

Gecko syncs the projects your token can access
(GET /api/v4/projects?membership=true). Select the repositories you want
Gecko to track.

Configure the webhook

Gecko shows a webhook URL and a secret token. In GitLab, go to Settings >
Webhooks, paste the URL, put the secret in Secret token, and enable:
- Merge request events
- Push events
- Vulnerability events

GitLab sends that secret in the X-Gitlab-Token header on every webhook, and
Gecko checks it before processing the delivery. See Webhooks.
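As an added illustration (not Gecko’s receiver code), here is what a receiver on the other end of that webhook needs to do before trusting a delivery: compare X-Gitlab-Token with the configured secret in constant time, accept only the event types enabled above, and parse the body as JSON. The event-type header values are the ones GitLab documents for these events; the secret and payload below are constructed sample data.

```python
import hmac
import json

# Value of the X-Gitlab-Event header for each event type enabled above.
ENABLED_EVENTS = {"Merge Request Hook", "Push Hook", "Vulnerability Hook"}

# Constructed sample: the secret shown in Gecko, and a trimmed merge-request payload.
SAMPLE_SECRET = "constructed-webhook-secret-do-not-reuse"
SAMPLE_BODY = json.dumps({
    "object_kind": "merge_request",
    "project": {"id": 42, "path_with_namespace": "example-group/example-app"},
    "object_attributes": {"iid": 7, "action": "open", "source_branch": "feature/x"},
})


class WebhookRejected(Exception):
    """Raised for any delivery that must not be processed."""


def verify_gitlab_webhook(headers, body, secret, enabled_events=ENABLED_EVENTS):
    """Validate one delivery; return the parsed payload or raise WebhookRejected.

    headers: mapping of HTTP header names to values (any letter case).
    body: raw request body as str or bytes.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    # 1. Secret check. GitLab sends the configured secret verbatim in X-Gitlab-Token;
    #    compare in constant time so response timing does not depend on how much matched.
    presented = lowered.get("x-gitlab-token", "")
    if not presented or not hmac.compare_digest(presented.encode("utf-8"), secret.encode("utf-8")):
        raise WebhookRejected("X-Gitlab-Token missing or does not match the configured secret")

    # 2. Event filter: only the event types enabled in the GitLab webhook settings.
    event = lowered.get("x-gitlab-event", "")
    if event not in enabled_events:
        raise WebhookRejected(f"event type {event!r} is not one we subscribe to")

    # 3. The body must be a JSON object with an object_kind before anything downstream uses it.
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise WebhookRejected(f"body is not valid JSON: {exc}") from exc
    if not isinstance(payload, dict) or "object_kind" not in payload:
        raise WebhookRejected("payload has no object_kind")
    return payload


def handle_delivery(headers, body, secret):
    """Example entry point: returns a short status string in place of an HTTP response."""
    try:
        payload = verify_gitlab_webhook(headers, body, secret)
    except WebhookRejected as exc:
        return f"rejected: {exc}"
    kind = payload["object_kind"]
    iid = payload.get("object_attributes", {}).get("iid")
    return f"accepted {kind}" + (f" !{iid}" if iid else "")
```

Rejecting on the secret before touching the body means a delivery from anyone who does not hold the secret never reaches the JSON parser or any project lookup.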
Where Gecko runs

| Deployment | Instance URL | Notes |
|---|---|---|
| GitLab.com | https://gitlab.com | Cloud; no IP allowlist needed. |
| Self-managed | Your base URL | Reachable over HTTPS. Allowlist Gecko’s IP addresses if access is IP-restricted. |
| GitLab Dedicated | Your tenant URL | Add Gecko’s IP addresses to the Switchboard IP allowlist. |
Network and IP allowlist (self-managed)

Self-managed GitLab and GitLab Dedicated usually restrict access by IP. If
yours does, allowlist Gecko’s three IP addresses (one scanner, two frontend)
before you connect; otherwise token validation, repo sync, and clones all fail
even with a valid token. GitLab.com needs none of this.

Confirm prerequisites

Your instance must be reachable over HTTPS with a valid certificate, and
you need access to wherever IP access is enforced (GitLab settings, Switchboard,
or your firewall). Get Gecko’s current IP addresses from your Gecko account
contact; the canonical list lives on Network & IP allowlist.

Add the addresses where GitLab enforces IP access

Self-managed: group IP restriction
Go to Settings > General > Permissions and group features >
Restrict access by IP address. Enter each address in CIDR notation
(for example, 203.0.113.5/32). See GitLab group access and permissions.

GitLab Dedicated: Switchboard allowlist
In Switchboard, open Configuration > IP allowlist and add each
address. See GitLab Dedicated network security.

Behind a firewall or load balancer
If a firewall, proxy, or load balancer sits in front of your instance,
allow inbound HTTPS from the three addresses there. For the NLB-vs-ALB
source-IP details, see Network & IP allowlist.
What Gecko uses the token for
- Validate the connection: GET /api/v4/user
- List projects: GET /api/v4/projects?membership=true
- Read branches, languages, commits, and merge-request details
- Clone repositories over HTTPS for scan workers
- Post merge-request comments and open fix merge requests

Export findings back to GitLab

Gecko can push findings into GitLab’s native Security Dashboard. See GitLab vulnerability export.

Troubleshooting

Token validation fails
Confirm the token is active, has the api scope, and that Gecko’s IP addresses
can reach your instance. See Network & IP allowlist.

Empty repository list or clone failures
Usually an IP restriction. A valid token still can’t help if the network
blocks Gecko. Allowlist the IP addresses and retry the sync.

MR comments fail with 403
The token is missing the api scope. Recreate it with api and reconnect.
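The three troubleshooting entries above can be checked from your own machine before reconnecting. The script below is an added example, not a Gecko tool: it makes the same validation and project-listing calls Gecko makes and maps the outcomes to the causes listed above. To find the scope problem without posting a test comment, it reads the calling token’s scopes from GitLab’s `GET /api/v4/personal_access_tokens/self` endpoint, which this page does not mention. The `http` parameter is assumed for illustration so the logic can be exercised against a stub; the default transport uses the standard library and talks to your instance for real.

```python
import json
import os
import sys
import urllib.error
import urllib.request


def urllib_transport(method, url, headers):
    """Real transport: returns (status, body). Status 0 means no HTTP response came back."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return 0, str(exc)


def diagnose_connection(instance_url, token, http=urllib_transport):
    """Run the checks behind the troubleshooting entries above.

    Returns a list of (code, detail) findings; an empty list means every check passed.
    Codes: unreachable, bad_token, forbidden, missing_api_scope, no_projects.
    """
    base = instance_url.rstrip("/") + "/api/v4"
    headers = {"PRIVATE-TOKEN": token}
    findings = []

    # "Token validation fails": the same call Gecko makes first.
    status, body = http("GET", f"{base}/user", headers)
    if status == 0:
        return [("unreachable", f"no HTTP response from {base}: {body}. Check the instance URL "
                                "and that Gecko's IP addresses are allowlisted.")]
    if status == 401:
        return [("bad_token", "GitLab rejected the token (401): revoked, expired, or mistyped.")]
    if status == 403:
        return [("forbidden", "GitLab refused the request (403): usually an IP restriction "
                              "on the instance or group. See Network & IP allowlist.")]

    # "MR comments fail with 403": inspect the token's scopes without posting anything.
    # personal_access_tokens/self is GitLab's endpoint for the calling token (not on this page).
    status, body = http("GET", f"{base}/personal_access_tokens/self", headers)
    if status == 200:
        scopes = json.loads(body).get("scopes", [])
        if "api" not in scopes:
            findings.append(("missing_api_scope",
                             f"token scopes are {scopes}: scans run, but MR comments will fail with 403."))

    # "Empty repository list": the membership query Gecko syncs from.
    status, body = http("GET", f"{base}/projects?membership=true&per_page=100", headers)
    if status == 200 and not json.loads(body):
        findings.append(("no_projects", "membership project list is empty: give the account Developer "
                                        "or higher on the target projects, or check the IP allowlist."))
    elif status != 200:
        findings.append(("no_projects", f"project listing returned HTTP {status}."))

    return findings


if __name__ == "__main__":
    # Usage: GITLAB_TOKEN=... python diagnose.py https://gitlab.example.com
    url, tok = sys.argv[1], os.environ["GITLAB_TOKEN"]
    for code, detail in diagnose_connection(url, tok) or [("ok", "all checks passed")]:
        print(f"{code}: {detail}")
```

Run it from a host whose address is on the allowlist you configured; an `unreachable` or `forbidden` result from an allowlisted host points at the URL or the restriction itself, while the same result only from Gecko means the allowlist entries are incomplete.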