Security testing of Gitlab self-hosted deployments (github.com/kulkansecurity)
3 points by laserspeed 6 months ago | 3 comments


A checklist to help pentesters and auditors assess Self-Hosted GitLab instances. Checks include misconfigurations and weaknesses that could lead to privilege escalation and code or secrets theft/abuse. It's a first version focused on Authentication, CI/CD Runners, CI/CD Variables and Project configurations.


Good start, covers the big GitLab pitfalls (auth, runners, vars, project config). The fun part to be added: runner isolation/cleanup, built-in scans (SAST/dep/secret), logging/audit trails, push-rules (signed commits), and secret management practices. Solid so far tho.


Agreed! Those are indeed some nice pointers to add.



