# GitLab Top 10 Misconfigurations

> **Intro:** GitLab becomes risky when the instance, runners, and deployment model are trusted too broadly. Most failures are not about missing one setting. They are about mixing trust zones carelessly.

| #  | Misconfiguration                                    | Why it is dangerous                                    | Short fix                                                      |
| -- | --------------------------------------------------- | ------------------------------------------------------ | -------------------------------------------------------------- |
| 1  | Shared runners with weak isolation                  | Untrusted job code reaches sensitive context           | Isolate runners by trust boundary                              |
| 2  | Broad runner registration or management rights      | Attackers can plant infrastructure in the release path | Restrict runner admin workflows                                |
| 3  | Protected variables reachable from unsafe pipelines | Secret exfiltration path                               | Align protected variables with protected refs and environments |
| 4  | Weak environment protection                         | Deployments happen without clear control               | Use protected environments and approvals                       |
| 5  | No release evidence discipline                      | Hard to prove what was shipped                         | Attach evidence artifacts consistently                         |
| 6  | Unreviewed includes and pipeline inheritance        | Hidden control drift                                   | Centralize and version shared components                       |
| 7  | No pipeline or secret detection policies            | Prevention remains inconsistent                        | Use group-level templates and scan policies                    |
| 8  | Self-managed instance hardening ignored             | Platform itself becomes the weak point                 | Apply GitLab hardening guidance deliberately                   |
| 9  | Broad project or group admin access                 | Weak separation of duties                              | Minimize administrative roles                                  |
| 10 | Security gates based on noisy signals               | Teams bypass the system                                | Tune rules and block only on meaningful conditions             |
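
As an added illustration that is not part of the original page, the two `.gitlab-ci.yml` fragments below contrast a deploy job that exhibits items 1, 3, 4 and 6 with a hardened form of the same job; the template project path, the pinned tag `v2.3.0`, the `PROD_DEPLOY_TOKEN` variable and the `prod-isolated` runner tag are assumed placeholders, not values from the page.

```yaml
# Two separate .gitlab-ci.yml files, shown as one multi-document stream for comparison.
# --- Weak form: items 1, 3, 4 and 6 in a single deploy job (constructed example) ---
include:
  - project: 'platform/ci-templates'   # assumed path; no ref, so the job inherits whatever the
    file: '/templates/deploy.yml'      # template's default branch holds today (unreviewed drift)

deploy_prod_weak:
  stage: deploy
  script:
    # The job itself places no restriction on the ref it runs from, so the only thing
    # standing between a feature-branch pipeline and this token is whether someone
    # remembered to mark the variable as protected in project settings.
    - ./deploy.sh "$PROD_DEPLOY_TOKEN"
  environment:
    name: production                    # environment exists but is not protected: no approvers, no deployer allow-list
  # no tags: the job lands on any shared runner, beside untrusted merge-request jobs

---
# --- Hardened form: the same deployment with each trust boundary made explicit ---
include:
  - project: 'platform/ci-templates'
    ref: 'v2.3.0'                       # pinned tag (assumed); template changes reach this project only via a reviewed bump
    file: '/templates/deploy.yml'

deploy_prod:
  stage: deploy
  script:
    - ./deploy.sh "$PROD_DEPLOY_TOKEN"
  rules:
    # Execute only from a protected ref that is also the default branch, so the job
    # runs exactly where protected variables are meant to be exposed and nowhere else.
    - if: '$CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    - when: never
  environment:
    name: production                    # mark this environment as protected in project settings so approvals gate the job
    deployment_tier: production
  resource_group: production            # one production deployment at a time keeps release evidence unambiguous
  tags:
    - prod-isolated                     # assumed tag of a runner reserved for protected refs, unreachable from shared pipelines
```

The protected-variable, protected-environment and runner-registration settings live in project and group configuration rather than in the pipeline file; the hardened job only works as intended once those are aligned with the refs and tags it names.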

## How to use this page

Use this page as a fast review sheet during:

* self-managed GitLab security reviews;
* CI/CD control workshops;
* runner trust-boundary design sessions;
* backlog prioritization when too many GitLab issues appear at once.

## Read next

* [GitLab System Security Baseline](/devsecops-cicd-and-supply-chain/index-1/gitlab-system-security-baseline.md)
* [Runner Isolation and Trust Boundaries](/devsecops-cicd-and-supply-chain/index-1/runner-isolation-and-trust-boundaries.md)
* [Protected Environments and Deployment Approvals](/devsecops-cicd-and-supply-chain/index-1/protected-environments-and-deployment-approvals.md)
* [Repository Governance — CODEOWNERS, SECURITY.md, and Default Files](/devsecops-cicd-and-supply-chain/index-1/repository-governance-codeowners-security-md-and-default-files.md)
* [GitLab Release Evidence](/devsecops-cicd-and-supply-chain/index-1/gitlab-release-evidence.md)
