NHI Discovery
GitLab
Follow these steps to connect your GitLab.com or self-hosted GitLab (version 9.0+) instance with Cremit using a Group Access Token.

1. Create GitLab Group Access Token

  • Log in to GitLab.
  • Navigate to the desired Group page.
  • From the left sidebar, go to Settings > Access Tokens.
  • Click Add new token.
  • Enter a descriptive Token name (e.g., Cremit Scanner Token).
  • Set an Expiration date for the token (recommended for security).
  • Select a Role. The Developer role is typically sufficient as it grants read access to repositories.
  • Under Select scopes, check the box for read_api. This scope is essential for Cremit to list and access repositories within the group.
  • Click Create group access token.
  • Copy the generated token immediately. Store it securely; you will need it for the Cremit configuration.

2. Configure Cremit Integration

  • Log in to your Cremit Dashboard.
  • Navigate to the Integration tab from the left menu.
  • Click + New and select GitLab.
  • Fill in the required fields:
    • Host: Enter the base URL of your GitLab instance (e.g., https://gitlab.com or https://gitlab.yourcompany.com).
    • Access Token: Paste the Group Access Token you copied earlier.
    • Label: Enter a name to easily identify this integration (e.g., My GitLab Top Group).
  • Click Submit to complete the integration.

(Optional) Granting Access to Multiple Projects via Script

If you need to grant a specific group access to multiple projects simultaneously (instead of using a group access token from a parent group), you can use the script below. This is less common than the Group Access Token method described above.

Prerequisites:
  • Python and pip installed.
  • Install the requests module:

-------------------
$ pip install requests
-------------------

     • Save the script below as 'invite_group_to_all_visible_repositories.py':

-------------------

import sys
import re
import json
from requests import post, get

host = sys.argv[1]
token = sys.argv[2]
group_name = sys.argv[3]

if(host.endswith("/")):
   host = host[:-1]

headers = {
   "Authorization": f"Bearer {token}"
}

def get_groups():
   response = get(f"{host}/api/v4/groups?search={group_name}", headers=headers)
   return response.json()

groups = get_groups()
print(json.dumps(groups))

name_matched_groups = [group for group in groups if group["name"] == group_name]

if len(name_matched_groups) == 0:
   print(f"couldn't find group that has name {group_name}")
   sys.exit(1)

group = name_matched_groups[0]
group_name = group["name"]

payload = {
   "group_access": 10,
   "group_id": group["id"]
}

NEXT_PAGE_PATTERN = re.compile("<(.+)>; rel=\"next\"")
def get_projects():
   projects = []
   response = get(f"{host}/api/v4/projects?order_by=id&sort=asc", headers=headers)
   projects.extend(response.json())

   if "Link" in response.headers:
       match_result = NEXT_PAGE_PATTERN.search(response.headers["Link"])
       if(match_result):
           next_page_url = match_result[1]
       else:
           next_page_url = None
   else:
       next_page_url = None

   while next_page_url:
       response = get(next_page_url, headers=headers)
       if "Link" in response.headers:
           match_result = NEXT_PAGE_PATTERN.search(response.headers["Link"])
           if(match_result):
               next_page_url = match_result[1]
           else:
               next_page_url = None
       else:
           next_page_url = None
       projects.extend(response.json())

   return projects

for project in get_projects():
   project_id = project["id"]
   project_name = project["name"]
   share_proejct_endpoint = host + f"/api/v4/projects/{project_id}/share"

   response = post(share_proejct_endpoint, json=payload, headers=headers)
   if response.status_code == 201:
       print(f"proejct {project_name} is shared with group {group_name}")</(.+)>

-------------------

  • Run the script with the following command:

-------------------

$ python invite_group_to_all_visible_repositories.py {GitLab_host} {user_access_token} {group_name_to_invite}

-------------------

Verification:

• After running the script, check a few projects under Project>Manage>Members>Groups tab to confirm the target group has been added with the specified role.

Notes

  • All access tokens are confidential information and should be managed securely.
  • Tokens should only be used for authorized integration purposes.
  • The 'read_api' permission is essential for querying the list of accessible projects.
  • When granting multiple project permissions to a group, it only applies to projects accessible by the user.w for instructions on how to integrate Cremit’s solution with GitLab.

Need help with this integration? Please Contact Us, and we'll be happy to assist.

experience full nhi security: 14-Day Free trial

essential

Essential

Startups & Small Teams – Manage risk early by securing non-human identities from day one.

Best for scaling businesses
+800 Types NHI Verification
Git & SaaS Integration
No False Positive Alerts
Get started
Get started

enterprise

Enterprise

Custom Solutions – Secure non-human identities at scale, across complex environments.

Custom solutions for large organizations
SIEM Integration
Dedicated Region & On-Premise
24/7 Support
Get started
Get started

FAQ

We're Here to Help

Aenean lobortis, massa a imperdiet iaculis, lorem odio lacinia elit, non hendrerit ligula justo tempor lorem.

How frequently does Cremit update its detection engine?

We continuously update our detection engine to include new non-human identity types and improve accuracy. Updates are automatically applied for cloud users. Subscribe to our newsletter to stay up to date with updates or check our changelog.

What support options are available?

We provide detailed documentation for the integration processes, and dedicated customer support to assist with integrations, troubleshooting, and remediation strategies on paid versions. For more information or to get started, visit our website or contact our support team.

How does Cremit compare to other non-human identities detection tools?

Cremit differentiates itself with a highly accurate detection engine, broad coverage, seamless integration into developer workflows, and the most cost effective tool available.

What is the difference between Cremit’s free and paid versions?

The free version offers core non-human identities detection, while the paid versions include advanced features such as real-time alerts, more integrations, and others. For more information please visit our pricing page.

How can I test Cremit’s detection capabilities?

You can test Cremit using sample repositories with intentionally embedded credentials.

Does Cremit offer on-premise deployments?

Cremit is primarily a cloud-based solution, but Enterprise plan customers can request on-premise deployments to meet specific security requirements.

Is there an API available for automation?

Yes, Cremit offers a robust API for integrating NHI leak detection into your automation pipelines, ensuring security across your development process.

Does Cremit scan public repositories?

Yes, Cremit proactively scans public repositories. If a leak of confidential information is detected, we notify the repository owner and provide guidance on remediation. For more information please visit our Vigilant Ally page.

Can I integrate Cremit with my existing development workflow?

Absolutely. Cremit integrates with CI/CD workflows. Our API and CLI options allow seamless incorporation into development workflows.

How secure is the scanning process?

Cremit prioritizes security and confidentiality. We scan repositories in a secure environment without permanently storing your code. Our protocols ensure privacy throughout the process.

What happens when a NHI is detected?

When a leak is flagged, Cremit provides a detailed alert that includes the file location, type of secret, and risk assessment. This helps teams quickly remediate issues and secure their environment.

How does Cremit detect non-human identities?

Our scanning engine employs advanced pattern matching to identify a wide range of sensitive data, including API keys, private keys, and database credentials.

What types of credentials does Cremit detect?

Cremit is designed to identify over 800+ types of non-human identities and other credential types.

How does Cremit handle false positives?

Our detection engine continuously improves with machine learning to ensure no false positives.

What is Cremit’s Non-Human Identity (NHI) detection solution?

Cremit provides an automated, SaaS-based detection solution that scans your code repositories for non-human identities (NHI) such as API keys, tokens, passwords, certificates, and others to help prevent data breaches and security incidents.

Why is secret detection important for my code security?

Vulnerable NHIs can expose your systems to unauthorized access, data leaks, and compliance violations. By using Cremit, you can continuously monitor and detect leaks early in the development cycle, reducing the risk of security breaches and ensuring your codebase remains secure.

The Future of Analytics
Browse All Resources
Browse All Resources
Trusted by hundered of companies globally