gitlab-scanner

Tool written in Crystal to list GitLab repositories and identify which ones belong to your department. Department classification is based on user/group metadata. Also includes a secret scanning mode for detecting secrets in repositories.

GitLab Scanner — Phase 1 (Project Listing + Department Classification)

Features

  • Finder Mode: Lists public or internal repositories with optional department filtering
  • Scanner Mode: Scans repositories for secrets using configurable YAML rules
  • Token can be passed via:
    • --token parameter
    • GITLAB_TOKEN environment variable
  • Detects if a repository belongs to your department
    • User owners → checks organization and work_information
    • Group owners → inspects every group member
  • Stores positive matches using --out-file
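The department check described above (user owners are classified from their organization and work_information fields, group owners by inspecting each group member) can be sketched as a small classifier. This is an added illustration written in Ruby, not the tool's own Crystal code; the sample project, user and group-member records are constructed to resemble GitLab API responses, and the owner_id linkage is an assumption.

```ruby
require "json"

# Constructed sample data (not real GitLab output). Shapes loosely mirror
# GET /projects, GET /users/:id and GET /groups/:id/members; the "owner"
# field on user-owned projects is assumed for this example.
SAMPLE_PROJECTS = JSON.parse(<<~'JSON')
  [
    {"id": 1, "web_url": "https://gitlab.example.com/alice/infra",
     "namespace": {"kind": "user", "id": 100, "path": "alice"}, "owner": {"id": 10}},
    {"id": 2, "web_url": "https://gitlab.example.com/platform/api",
     "namespace": {"kind": "group", "id": 20, "path": "platform"}},
    {"id": 3, "web_url": "https://gitlab.example.com/bob/notes",
     "namespace": {"kind": "user", "id": 101, "path": "bob"}, "owner": {"id": 11}}
  ]
JSON

# user id => the two profile fields the README says are inspected
SAMPLE_USERS = {
  10 => {"organization" => "SI - Security", "work_information" => nil},
  11 => {"organization" => nil,             "work_information" => "Marketing"},
  12 => {"organization" => nil,             "work_information" => "SI Platform Team"},
}

# group id => member user ids
SAMPLE_GROUP_MEMBERS = {20 => [11, 12]}

class DepartmentClassifier
  def initialize(users:, group_members:, prefix:)
    @users = users
    @group_members = group_members
    @prefix = prefix.to_s.strip
  end

  # A user belongs to the department if either profile field starts with the prefix.
  def user_matches?(user_id)
    user = @users.fetch(user_id, {})
    [user["organization"], user["work_information"]].compact.any? do |field|
      field.strip.start_with?(@prefix)
    end
  end

  # A group-owned project matches if any member of the owning group matches.
  def group_matches?(group_id)
    @group_members.fetch(group_id, []).any? { |uid| user_matches?(uid) }
  end

  def matches?(project)
    return true if @prefix.empty? # no prefix given: every repository is a positive match
    ns = project.fetch("namespace")
    case ns["kind"]
    when "user"  then user_matches?(project.dig("owner", "id"))
    when "group" then group_matches?(ns["id"])
    else false # unknown namespace kind: do not classify as ours
    end
  end
end

# Returns the web URLs that would be written to --out-file.
def matching_urls(projects, prefix)
  classifier = DepartmentClassifier.new(users: SAMPLE_USERS,
                                        group_members: SAMPLE_GROUP_MEMBERS,
                                        prefix: prefix)
  projects.select { |p| classifier.matches?(p) }.map { |p| p["web_url"] }
end

puts matching_urls(SAMPLE_PROJECTS, "SI") if $PROGRAM_NAME == __FILE__
```

Note that the group branch walks every member rather than only the group owner, so a single engineer from the department inside a large shared group is enough to flag the whole group's repositories; tighten the prefix or post-filter the output if that produces too many positives.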

Build

shards build

Usage

General Options

  • --base-url <url> - GitLab base URL (default: https://gitlab.com)
  • --mode <mode> - Execution mode: finder or scanner (default: finder)
  • -h, --help - Show help message

Finder Mode (Default)

The finder mode lists GitLab repositories with optional department filtering.

Options:

  • --visibility <type> - Repository visibility: public or internal (default: public)
    • public - List public repositories (no token required)
    • internal - List internal repositories (requires authentication token)
  • --token <TOKEN> - GitLab API token (overrides GITLAB_TOKEN environment variable)
  • --department-prefix <prefix> - Filter by department prefix (e.g., SI)
    • If omitted, all repositories are considered positive matches
  • --per-page <number> - Number of results per API page (default: 100)
  • --first-page-only - Only fetch the first page (useful for quick testing)
  • --out-file <path> - Save matched repository URLs (one per line)

Examples:

# List all public repositories
./bin/gitlab-scanner

# List public repos whose owners match a department prefix (e.g. SI) and save the URLs
./bin/gitlab-scanner --department-prefix DEPARTMENT_NAME --out-file results.txt

# List internal repos (requires token)
./bin/gitlab-scanner --visibility internal --token $GITLAB_TOKEN

# Quick test with first page only
./bin/gitlab-scanner --first-page-only

Scanner Mode

The scanner mode scans repositories for secrets using configurable YAML rules.

Required Options:

  • --in-file <path> - File containing repository URLs (one per line)
  • --rules <path> - YAML file with secret detection rules

Optional Options:

  • --out-file <path> - Save scan findings to file (default: stdout)
  • --token <TOKEN> - GitLab API token for accessing private repositories

Examples:

# Scan repositories for secrets
./bin/gitlab-scanner --mode scanner --in-file repos.txt --rules rules.yml

# Save findings to file
./bin/gitlab-scanner --mode scanner --in-file repos.txt --rules rules.yml --out-file findings.txt

# Scan internal repos with authentication
./bin/gitlab-scanner --mode scanner --in-file repos.txt --rules rules.yml --token $GITLAB_TOKEN
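To show what a rules-driven scan of the kind described above does with a --rules file, here is an added Ruby example; it is not the tool's Crystal implementation, and the README does not document the YAML rule schema, so the rules layout (a list of name/regex/severity entries), the file contents and the example token values are all constructed for this illustration. Findings are redacted before being reported, so the scan output itself does not become a second copy of the secret.

```ruby
require "yaml"

# Assumed rule schema: a top-level "rules" list of name / regex / severity.
# Single-quoted heredoc so the backslashes reach the YAML parser untouched.
SAMPLE_RULES_YAML = <<~'YAML'
  rules:
    - name: gitlab-pat
      regex: 'glpat-[A-Za-z0-9_-]{20}'
      severity: high
    - name: aws-access-key-id
      regex: 'AKIA[0-9A-Z]{16}'
      severity: high
    - name: generic-password-assignment
      regex: '(?i)password\s*[:=]\s*["'']?[^\s"'']{8,}'
      severity: medium
YAML

# Constructed repository contents (path => text). The AWS key is the one
# from AWS's own documentation examples; the PAT is made up.
SAMPLE_FILES = {
  "config/settings.yml" => "db_password: hunter2\napi_password = \"S3cretValue123\"\n",
  ".env"                => "GITLAB_TOKEN=glpat-abcdefghij1234567890\nAWS_KEY=AKIAIOSFODNN7EXAMPLE\n",
  "README.md"           => "Run with --token $GITLAB_TOKEN\n",
}

Rule    = Struct.new(:name, :regex, :severity)
Finding = Struct.new(:path, :line, :rule, :severity, :redacted)

# Parse the YAML into compiled rules; a missing severity defaults to "medium".
def load_rules(yaml_text)
  YAML.safe_load(yaml_text).fetch("rules").map do |r|
    Rule.new(r.fetch("name"), Regexp.new(r.fetch("regex")), r.fetch("severity", "medium"))
  end
end

# Keep only the first and last four characters so a finding is recognisable
# without reproducing the secret.
def redact(secret)
  return "*" * secret.size if secret.size <= 8
  secret[0, 4] + "*" * (secret.size - 8) + secret[-4, 4]
end

# Scan every line of every file against every rule, reporting each match.
def scan_files(files, rules)
  findings = []
  files.each do |path, content|
    content.each_line.with_index(1) do |line, lineno|
      rules.each do |rule|
        pos = 0
        while (m = rule.regex.match(line, pos))
          findings << Finding.new(path, lineno, rule.name, rule.severity, redact(m[0]))
          pos = m.end(0) == m.begin(0) ? m.end(0) + 1 : m.end(0) # guard against empty matches
        end
      end
    end
  end
  findings
end

# One line per finding, in the shape a --out-file would hold.
def format_findings(findings)
  findings.map { |f| "#{f.path}:#{f.line} [#{f.severity}] #{f.rule} #{f.redacted}" }
end

if $PROGRAM_NAME == __FILE__
  puts format_findings(scan_files(SAMPLE_FILES, load_rules(SAMPLE_RULES_YAML)))
end
```

The generic password rule deliberately requires at least eight non-space characters after the separator, which is why "db_password: hunter2" is not reported while the quoted value on the next line is; thresholds like that are the knob for trading false positives against misses, and they belong in the rules file rather than in the scanner.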

Synced at Wed, 18 Feb 2026 13:25:11 GMT