GitLab Runner Authentication Token

Detects GitLab runner authentication tokens (glrt- prefix). These tokens authenticate a CI/CD runner to a GitLab instance; a leak lets an attacker impersonate a runner and capture job payloads.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: the distinctive glrt- prefix with a fixed 20-character body makes false positives extremely unlikely.

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990

Frameworks

CIS Controls, ISO 27001, NIST CSF, SOC 2

Data categories

credentials, security

Scope

narrow

Risk rating

8

Platform compatibility

Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_-])glrt-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])

Corroborative evidence keywords

gitlab, runner, runner authentication, gitlab-runner, CI/CD

Proximity: 300 characters

Should match

• glrt-ABCDEFGHIJ1234567890 — GitLab runner authentication token, glrt- prefix + 20 chars
• CI_SERVER_TOKEN=glrt-zZyYxXwWvVuU01234567 — Labelled runner authentication token in env var
• glrt-aB3dE6gH9jK2mN5pQ8sT — Mixed-case runner authentication token

Should not match

• glrt-tooShort — Too short to be a runner authentication token
• glpat-ABCDEFGHIJ1234567890 — GitLab PAT prefix, not a runner token
• register the gitlab runner with a fresh authentication token — Prose mention without a token value

Known false positives

• Documentation or examples showing placeholder glrt- strings. Mitigation: Require corroborative GitLab runner keywords and exclude placeholder markers.

References

• GitLab Runner security
• GitLab token overview