Auditing GitLab: The CI/CD Kill Chain

ID: b19155bb-ce8e-5ef3-9831-39c6012f1144

STIX ID: report--b19155bb-ce8e-5ef3-9831-39c6012f1144

Feed Name: Black Hills Infosec Blog

Threat Score
70/100

Date Published: 2026-06-03

Date Updated: 2026-06-03

Author: BHIS

...
...

This blog-style research report details a three-phase, large-scale audit of public GitLab projects using GoGatoZ to find CI/CD misconfigurations and supply-chain risks: Phase 1 (broad DevOps keyword sweep), Phase 2 (Fortune 500–targeted), and Phase 3 (industry verticals). Across 3,757 projects the authors reported 7,331 findings (1,580 HIGH). The most prevalent issues were unprotected fork merge pipelines, privileged or self-hosted runners, remote script execution (curl | bash), variable injection, and plaintext secrets. The report also describes a systematic false-positive filtering workflow and provides specific remediation, mitigation, and prevention guidance.