Prerequisites
Before you start, make sure you have:
- An instance reachable over HTTPS with a valid TLS certificate.
- Access to wherever your access policy is enforced: your Git provider’s IP restriction settings, a corporate firewall or reverse proxy, or a cloud security group.
- Gecko’s static IP addresses. Get the current values from your Gecko account contact before you apply them.
IP addresses to allow
Gecko reaches your instance from two systems: the scanner, which clones your code, and the frontend, which talks to your instance’s API. Allow all three addresses:

| Gecko system | IP address | Used for |
|---|---|---|
| Scanner | <GECKO_SCANNER_IP>/32 | Cloning your repositories during scans |
| Frontend | <GECKO_FRONTEND_IP_1>/32 | API calls, token validation, and merge-request comments |
| Frontend | <GECKO_FRONTEND_IP_2>/32 | Same, plus a second address for high availability |
Where to add them
Add Gecko’s three addresses wherever your access policy is enforced. If you’re on self-managed GitLab or GitLab Dedicated, follow the GitLab-specific steps in Connect GitLab. For everything else:
GitHub Enterprise Server
Allow inbound HTTPS from the three addresses to your instance, wherever you
enforce IP access (instance-level allowlist, firewall, or load balancer).
Corporate firewall or reverse proxy
If a firewall, WAF, or proxy sits in front of your instance, allow inbound
HTTPS from the three addresses to your API and Git-over-HTTPS endpoints.
Cloud security group
If your instance runs in a cloud network, add the three addresses to the
inbound rules that guard port 443.
Behind a load balancer
If Gecko needs to reach several internal services, you can put one load balancer in front of them and allowlist Gecko’s addresses there instead of on each backend. How you filter depends on the load balancer type:

| Load balancer | Layer | Source IP | Where to allowlist |
|---|---|---|---|
| Network (NLB) | Layer 4 (TCP) | Preserved, so backends see Gecko’s real source IP | At the NLB, or on backends using the original IP |
| Application (ALB) | Layer 7 (HTTP) | Rewritten via NAT, so backends see the load balancer’s IP | On backends using X-Forwarded-For, since the source IP is no longer Gecko’s |
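Filtering on X-Forwarded-For is only safe if the header is trusted from your own ALB and from nothing else, because a client can send its own X-Forwarded-For value and the ALB simply appends to it. The check below is an added example, not Gecko’s code; the Gecko addresses and the proxy range are constructed placeholders standing in for the real values from your Gecko contact.

```python
import ipaddress

# Constructed placeholders (TEST-NET ranges), not Gecko's real addresses.
GECKO_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),   # scanner (placeholder)
    ipaddress.ip_network("203.0.113.20/32"),   # frontend 1 (placeholder)
    ipaddress.ip_network("203.0.113.21/32"),   # frontend 2 (placeholder)
]

# Your own ALB nodes; only these hops may vouch for X-Forwarded-For entries.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed range


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def client_ip(remote_addr, xff_header):
    """Return the real client IP for a request that arrived via trusted proxies.

    Each proxy appends to X-Forwarded-For, so walking the chain from the TCP
    peer backwards, the first hop that is NOT a trusted proxy is the real
    client. Everything to the left of it was supplied by the client itself and
    may be forged, so it is ignored.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    hops.append(remote_addr)  # the TCP peer is the last, most trustworthy hop
    for hop in reversed(hops):
        ip = ipaddress.ip_address(hop)
        if not _in_any(ip, TRUSTED_PROXIES):
            return ip
    # Every hop was one of our proxies: treat the peer itself as the client.
    return ipaddress.ip_address(remote_addr)


def is_gecko_request(remote_addr, xff_header):
    """True only if the first untrusted hop is one of Gecko's addresses."""
    return _in_any(client_ip(remote_addr, xff_header), GECKO_ALLOWLIST)
```

A request that reaches the backend without passing through a trusted proxy has its X-Forwarded-For ignored entirely, so a forged header cannot impersonate a Gecko address.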
What each address does
Gecko reaches your instance for two jobs, which is why a partial allowlist causes confusing, partial failures:
- Scanner: Gecko clones your repositories to analyze them.
- Frontend: Gecko validates your token, syncs your repository list, and posts merge-request comments.
Webhooks go the other way
Webhooks travel from your instance to Gecko at app.gecko.security.
That’s ordinary outbound traffic from your network, so it usually needs no
inbound rule, but your instance must be able to reach app.gecko.security over
HTTPS. See Webhooks.
Verify
After you add the addresses, reconnect in Gecko:
- A successful connection and a populated repository list confirm the frontend addresses are allowed.
- A successful scan confirms the scanner address is allowed.
Best practices
- Serve your instance over HTTPS with a valid certificate. Gecko rejects non-HTTPS instance URLs and those pointing at private or loopback addresses.
- Use a dedicated service account for the connection so access is easy to audit and revoke.
- Monitor access logs for Gecko’s addresses to confirm expected traffic.
- Re-confirm the addresses with your Gecko contact whenever you tighten your firewall, and review the allowlist during regular security audits.
Troubleshooting
The token is valid but the connection won't validate
The frontend addresses are likely blocked. Confirm both are in your allowlist.
The connection works but scans can't clone
The scanner address is likely blocked. Add it and rescan.
It works intermittently
You probably allowed only one of the two frontend addresses. Both are used
for high availability; add both.
Behind a load balancer, traffic is still blocked
If you use an ALB, your backends see the load balancer’s IP rather than
Gecko’s. Filter on
X-Forwarded-For, or switch to an NLB to preserve
Gecko’s source IP.