Auditing GitLab: Public Gitlab Projects on Internal Networks
ID: 38825220-2cc9-544a-8bd6-5ac16bb510ee
STIX ID: report--38825220-2cc9-544a-8bd6-5ac16bb510ee
Feed Name: Black Hills Infosec Blog
This blog post demonstrates an unauthenticated technique to enumerate public projects on self-hosted GitLab instances via the projects API, mass-clone repositories, run secret-scanning tools (Gitleaks) on the repos, and aggregate findings into a single CSV; it includes proof-of-concept Python and Go scripts, workflow examples (Nuclei), and remediation/mitigation guidance to prevent leakage of credentials and tokens.
