Tooltip

docs

.env.example

@@ -107,6 +107,10 @@ INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
 
+#gitlab app connection
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET=
+
 #github radar app connection
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=

backend/package-lock.json

@@ -30,6 +30,7 @@
         "@fastify/static": "^7.0.4",
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
+        "@gitbeaker/rest": "^42.5.0",
         "@google-cloud/kms": "^4.5.0",
         "@infisical/quic": "^1.0.8",
         "@node-saml/passport-saml": "^5.0.1",
@@ -7807,6 +7808,48 @@
         "p-limit": "^3.1.0"
       }
     },
+    "node_modules/@gitbeaker/core": {
+      "version": "42.5.0",
+      "resolved": "https://registry.npmjs.org/@gitbeaker/core/-/core-42.5.0.tgz",
+      "integrity": "sha512-rMWpOPaZi1iLiifnOIoVO57p2EmQQdfIwP4txqNyMvG4WjYP5Ez0U7jRD9Nra41x6K5kTPBZkuQcAdxVWRJcEQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@gitbeaker/requester-utils": "^42.5.0",
+        "qs": "^6.12.2",
+        "xcase": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18.20.0"
+      }
+    },
+    "node_modules/@gitbeaker/requester-utils": {
+      "version": "42.5.0",
+      "resolved": "https://registry.npmjs.org/@gitbeaker/requester-utils/-/requester-utils-42.5.0.tgz",
+      "integrity": "sha512-HLdLS9LPBMVQumvroQg/4qkphLDtwDB+ygEsrD2u4oYCMUtXV4V1xaVqU4yTXjbTJ5sItOtdB43vYRkBcgueBw==",
+      "license": "MIT",
+      "dependencies": {
+        "picomatch-browser": "^2.2.6",
+        "qs": "^6.12.2",
+        "rate-limiter-flexible": "^4.0.1",
+        "xcase": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18.20.0"
+      }
+    },
+    "node_modules/@gitbeaker/rest": {
+      "version": "42.5.0",
+      "resolved": "https://registry.npmjs.org/@gitbeaker/rest/-/rest-42.5.0.tgz",
+      "integrity": "sha512-oC5cM6jS7aFOp0luTw5mWSRuMgdxwHRLZQ/aWkI+ETMfsprR/HyxsXfljlMY/XJ/fRxTbRJiodR5Axf66WjO3w==",
+      "license": "MIT",
+      "dependencies": {
+        "@gitbeaker/core": "^42.5.0",
+        "@gitbeaker/requester-utils": "^42.5.0"
+      },
+      "engines": {
+        "node": ">=18.20.0"
+      }
+    },
     "node_modules/@google-cloud/kms": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@@ -24628,6 +24671,18 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
+    "node_modules/picomatch-browser": {
+      "version": "2.2.6",
+      "resolved": "https://registry.npmjs.org/picomatch-browser/-/picomatch-browser-2.2.6.tgz",
+      "integrity": "sha512-0ypsOQt9D4e3hziV8O4elD9uN0z/jtUEfxVRtNaAAtXIyUx9m/SzlO020i8YNL2aL/E6blOvvHQcin6HZlFy/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
     "node_modules/pify": {
       "version": "4.0.1",
       "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
@@ -25562,6 +25617,12 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/rate-limiter-flexible": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-4.0.1.tgz",
+      "integrity": "sha512-2/dGHpDFpeA0+755oUkW+EKyklqLS9lu0go9pDsbhqQjZcxfRyJ6LA4JI0+HAdZ2bemD/oOjUeZQB2lCZqXQfQ==",
+      "license": "ISC"
+    },
     "node_modules/raw-body": {
       "version": "2.5.2",
       "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
@@ -31039,6 +31100,12 @@
         }
       }
     },
+    "node_modules/xcase": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/xcase/-/xcase-2.0.1.tgz",
+      "integrity": "sha512-UmFXIPU+9Eg3E9m/728Bii0lAIuoc+6nbrNUKaRPJOFp91ih44qqGlWtxMB6kXFrRD6po+86ksHM5XHCfk6iPw==",
+      "license": "MIT"
+    },
     "node_modules/xml-crypto": {
       "version": "6.0.1",
       "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",

backend/package.json

@@ -149,6 +149,7 @@
     "@fastify/static": "^7.0.4",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
+    "@gitbeaker/rest": "^42.5.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
     "@node-saml/passport-saml": "^5.0.1",

backend/src/ee/services/audit-log-stream/audit-log-stream-fns.ts

@@ -0,0 +1,21 @@
+export function providerSpecificPayload(url: string) {
+  const { hostname } = new URL(url);
+
+  const payload: Record<string, string> = {};
+
+  switch (hostname) {
+    case "http-intake.logs.datadoghq.com":
+    case "http-intake.logs.us3.datadoghq.com":
+    case "http-intake.logs.us5.datadoghq.com":
+    case "http-intake.logs.datadoghq.eu":
+    case "http-intake.logs.ap1.datadoghq.com":
+    case "http-intake.logs.ddog-gov.com":
+      payload.ddsource = "infisical";
+      payload.service = "audit-logs";
+      break;
+    default:
+      break;
+  }
+
+  return payload;
+}

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -13,6 +13,7 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { TAuditLogStreamDALFactory } from "./audit-log-stream-dal";
+import { providerSpecificPayload } from "./audit-log-stream-fns";
 import { LogStreamHeaders, TAuditLogStreamServiceFactory } from "./audit-log-stream-types";
 
 type TAuditLogStreamServiceFactoryDep = {
@@ -69,10 +70,11 @@ export const auditLogStreamServiceFactory = ({
       headers.forEach(({ key, value }) => {
         streamHeaders[key] = value;
       });
+
     await request
       .post(
         url,
-        { ping: "ok" },
+        { ...providerSpecificPayload(url), ping: "ok" },
         {
           headers: streamHeaders,
           // request timeout
@@ -137,7 +139,7 @@ export const auditLogStreamServiceFactory = ({
     await request
       .post(
         url || logStream.url,
-        { ping: "ok" },
+        { ...providerSpecificPayload(url || logStream.url), ping: "ok" },
         {
           headers: streamHeaders,
           // request timeout

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,13 +1,15 @@
-import { RawAxiosRequestHeaders } from "axios";
+import { AxiosError, RawAxiosRequestHeaders } from "axios";
 
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { TAuditLogStreamDALFactory } from "../audit-log-stream/audit-log-stream-dal";
+import { providerSpecificPayload } from "../audit-log-stream/audit-log-stream-fns";
 import { LogStreamHeaders } from "../audit-log-stream/audit-log-stream-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TAuditLogDALFactory } from "./audit-log-dal";
@@ -128,13 +130,29 @@ export const auditLogQueueServiceFactory = async ({
                   headers[key] = value;
                 });
 
-              return request.post(url, auditLog, {
+              try {
-                headers,
+                logger.info(`Streaming audit log [url=${url}] for org [orgId=${orgId}]`);
-                // request timeout
+                const response = await request.post(
-                timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                  url,
-                // connection timeout
+                  { ...providerSpecificPayload(url), ...auditLog },
-                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+                  {
-              });
+                    headers,
+                    // request timeout
+                    timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                    // connection timeout
+                    signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+                  }
+                );
+                logger.info(
+                  `Successfully streamed audit log [url=${url}] for org [orgId=${orgId}] [response=${JSON.stringify(response.data)}]`
+                );
+                return response;
+              } catch (error) {
+                logger.error(
+                  `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+                );
+                return error;
+              }
             }
           )
         );
@@ -218,13 +236,29 @@ export const auditLogQueueServiceFactory = async ({
               headers[key] = value;
             });
 
-          return request.post(url, auditLog, {
+          try {
-            headers,
+            logger.info(`Streaming audit log [url=${url}] for org [orgId=${orgId}]`);
-            // request timeout
+            const response = await request.post(
-            timeout: AUDIT_LOG_STREAM_TIMEOUT,
+              url,
-            // connection timeout
+              { ...providerSpecificPayload(url), ...auditLog },
-            signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+              {
-          });
+                headers,
+                // request timeout
+                timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                // connection timeout
+                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+              }
+            );
+            logger.info(
+              `Successfully streamed audit log [url=${url}] for org [orgId=${orgId}] [response=${JSON.stringify(response.data)}]`
+            );
+            return response;
+          } catch (error) {
+            logger.error(
+              `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+            );
+            return error;
+          }
         }
       )
     );

backend/src/lib/api-docs/constants.ts

@@ -2228,6 +2228,12 @@ export const AppConnections = {
     },
     FLYIO: {
       accessToken: "The Access Token used to access fly.io."
+    },
+    GITLAB: {
+      instanceUrl: "The GitLab instance URL to connect with.",
+      accessToken: "The Access Token used to access GitLab.",
+      code: "The OAuth code to use to connect with GitLab.",
+      accessTokenType: "The type of token used to connect with GitLab."
     }
   }
 };
@@ -2402,6 +2408,17 @@ export const SecretSyncs = {
     FLYIO: {
       appId: "The ID of the Fly.io app to sync secrets to."
     },
+    GITLAB: {
+      projectId: "The GitLab Project ID to sync secrets to.",
+      projectName: "The GitLab Project Name to sync secrets to.",
+      groupId: "The GitLab Group ID to sync secrets to.",
+      groupName: "The GitLab Group Name to sync secrets to.",
+      scope: "The GitLab scope that secrets should be synced to. (default: project)",
+      targetEnvironment: "The GitLab environment scope that secrets should be synced to. (default: *)",
+      shouldProtectSecrets: "Whether variables should be protected",
+      shouldMaskSecrets: "Whether variables should be masked in logs",
+      shouldHideSecrets: "Whether variables should be hidden"
+    },
     CLOUDFLARE_PAGES: {
       projectName: "The name of the Cloudflare Pages project to sync secrets to.",
       environment: "The environment of the Cloudflare Pages project to sync secrets to."

backend/src/lib/config/env.ts

@@ -247,6 +247,10 @@ const envSchema = z
     INF_APP_CONNECTION_GITHUB_RADAR_APP_ID: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET: zpStr(z.string().optional()),
 
+    // gitlab oauth
+    INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET: zpStr(z.string().optional()),
+
     // gcp app
     INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),
 

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -35,6 +35,10 @@ import {
   CamundaConnectionListItemSchema,
   SanitizedCamundaConnectionSchema
 } from "@app/services/app-connection/camunda";
+import {
+  CloudflareConnectionListItemSchema,
+  SanitizedCloudflareConnectionSchema
+} from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";
 import {
   DatabricksConnectionListItemSchema,
   SanitizedDatabricksConnectionSchema
@@ -46,6 +50,7 @@ import {
   GitHubRadarConnectionListItemSchema,
   SanitizedGitHubRadarConnectionSchema
 } from "@app/services/app-connection/github-radar";
+import { GitLabConnectionListItemSchema, SanitizedGitLabConnectionSchema } from "@app/services/app-connection/gitlab";
 import {
   HCVaultConnectionListItemSchema,
   SanitizedHCVaultConnectionSchema
@@ -80,10 +85,6 @@ import {
   WindmillConnectionListItemSchema
 } from "@app/services/app-connection/windmill";
 import { AuthMode } from "@app/services/auth/auth-type";
-import {
-  CloudflareConnectionListItemSchema,
-  SanitizedCloudflareConnectionSchema
-} from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";
 
 // can't use discriminated due to multiple schemas for certain apps
 const SanitizedAppConnectionSchema = z.union([
@@ -114,6 +115,7 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedHerokuConnectionSchema.options,
   ...SanitizedRenderConnectionSchema.options,
   ...SanitizedFlyioConnectionSchema.options,
+  ...SanitizedGitLabConnectionSchema.options,
   ...SanitizedCloudflareConnectionSchema.options
 ]);
 
@@ -145,6 +147,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   HerokuConnectionListItemSchema,
   RenderConnectionListItemSchema,
   FlyioConnectionListItemSchema,
+  GitLabConnectionListItemSchema,
   CloudflareConnectionListItemSchema
 ]);
 

backend/src/server/routes/v1/app-connection-routers/gitlab-connection-router.ts

@@ -0,0 +1,90 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateGitLabConnectionSchema,
+  SanitizedGitLabConnectionSchema,
+  TGitLabGroup,
+  TGitLabProject,
+  UpdateGitLabConnectionSchema
+} from "@app/services/app-connection/gitlab";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerGitLabConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.GitLab,
+    server,
+    sanitizedResponseSchema: SanitizedGitLabConnectionSchema,
+    createSchema: CreateGitLabConnectionSchema,
+    updateSchema: UpdateGitLabConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/projects`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects: TGitLabProject[] = await server.services.appConnection.gitlab.listProjects(
+        connectionId,
+        req.permission
+      );
+
+      return projects;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/groups`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const groups: TGitLabGroup[] = await server.services.appConnection.gitlab.listGroups(
+        connectionId,
+        req.permission
+      );
+
+      return groups;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -10,11 +10,13 @@ import { registerAzureClientSecretsConnectionRouter } from "./azure-client-secre
 import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-router";
 import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
 import { registerCamundaConnectionRouter } from "./camunda-connection-router";
+import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
 import { registerGitHubRadarConnectionRouter } from "./github-radar-connection-router";
+import { registerGitLabConnectionRouter } from "./gitlab-connection-router";
 import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHerokuConnectionRouter } from "./heroku-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
@@ -27,7 +29,6 @@ import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
 import { registerWindmillConnectionRouter } from "./windmill-connection-router";
-import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 
 export * from "./app-connection-router";
 
@@ -60,5 +61,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Heroku]: registerHerokuConnectionRouter,
     [AppConnection.Render]: registerRenderConnectionRouter,
     [AppConnection.Flyio]: registerFlyioConnectionRouter,
+    [AppConnection.GitLab]: registerGitLabConnectionRouter,
     [AppConnection.Cloudflare]: registerCloudflareConnectionRouter
   };

backend/src/server/routes/v1/secret-sync-routers/gitlab-sync-router.ts

@@ -0,0 +1,13 @@
+import { CreateGitLabSyncSchema, GitLabSyncSchema, UpdateGitLabSyncSchema } from "@app/services/secret-sync/gitlab";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerGitLabSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.GitLab,
+    server,
+    responseSchema: GitLabSyncSchema,
+    createSchema: CreateGitLabSyncSchema,
+    updateSchema: UpdateGitLabSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -13,6 +13,7 @@ import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
+import { registerGitLabSyncRouter } from "./gitlab-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
 import { registerHerokuSyncRouter } from "./heroku-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
@@ -45,5 +46,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Heroku]: registerHerokuSyncRouter,
   [SecretSync.Render]: registerRenderSyncRouter,
   [SecretSync.Flyio]: registerFlyioSyncRouter,
+  [SecretSync.GitLab]: registerGitLabSyncRouter,
   [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -22,10 +22,15 @@ import {
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
+import {
+  CloudflarePagesSyncListItemSchema,
+  CloudflarePagesSyncSchema
+} from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
+import { GitLabSyncListItemSchema, GitLabSyncSchema } from "@app/services/secret-sync/gitlab";
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
 import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
@@ -34,10 +39,6 @@ import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/se
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
 import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
-import {
-  CloudflarePagesSyncListItemSchema,
-  CloudflarePagesSyncSchema
-} from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
 
 const SecretSyncSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncSchema,
@@ -60,6 +61,7 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   HerokuSyncSchema,
   RenderSyncSchema,
   FlyioSyncSchema,
+  GitLabSyncSchema,
   CloudflarePagesSyncSchema
 ]);
 
@@ -84,6 +86,7 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   HerokuSyncListItemSchema,
   RenderSyncListItemSchema,
   FlyioSyncListItemSchema,
+  GitLabSyncListItemSchema,
   CloudflarePagesSyncListItemSchema
 ]);
 

backend/src/services/app-connection/app-connection-enums.ts

@@ -26,6 +26,7 @@ export enum AppConnection {
   Heroku = "heroku",
   Render = "render",
   Flyio = "flyio",
+  GitLab = "gitlab",
   Cloudflare = "cloudflare"
 }
 

backend/src/services/app-connection/app-connection-fns.ts

@@ -51,6 +51,11 @@ import {
   validateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
 import { CamundaConnectionMethod, getCamundaConnectionListItem, validateCamundaConnectionCredentials } from "./camunda";
+import { CloudflareConnectionMethod } from "./cloudflare/cloudflare-connection-enum";
+import {
+  getCloudflareConnectionListItem,
+  validateCloudflareConnectionCredentials
+} from "./cloudflare/cloudflare-connection-fns";
 import {
   DatabricksConnectionMethod,
   getDatabricksConnectionListItem,
@@ -64,6 +69,7 @@ import {
   GitHubRadarConnectionMethod,
   validateGitHubRadarConnectionCredentials
 } from "./github-radar";
+import { getGitLabConnectionListItem, GitLabConnectionMethod, validateGitLabConnectionCredentials } from "./gitlab";
 import {
   getHCVaultConnectionListItem,
   HCVaultConnectionMethod,
@@ -99,11 +105,6 @@ import {
   validateWindmillConnectionCredentials,
   WindmillConnectionMethod
 } from "./windmill";
-import {
-  getCloudflareConnectionListItem,
-  validateCloudflareConnectionCredentials
-} from "./cloudflare/cloudflare-connection-fns";
-import { CloudflareConnectionMethod } from "./cloudflare/cloudflare-connection-enum";
 
 export const listAppConnectionOptions = () => {
   return [
@@ -134,6 +135,7 @@ export const listAppConnectionOptions = () => {
     getHerokuConnectionListItem(),
     getRenderConnectionListItem(),
     getFlyioConnectionListItem(),
+    getGitLabConnectionListItem(),
     getCloudflareConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -213,6 +215,7 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Heroku]: validateHerokuConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.GitLab]: validateGitLabConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
@@ -230,6 +233,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case GitHubConnectionMethod.OAuth:
     case AzureDevOpsConnectionMethod.OAuth:
     case HerokuConnectionMethod.OAuth:
+    case GitLabConnectionMethod.OAuth:
       return "OAuth";
     case HerokuConnectionMethod.AuthToken:
       return "Auth Token";
@@ -327,6 +331,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Heroku]: platformManagedCredentialsNotSupported,
   [AppConnection.Render]: platformManagedCredentialsNotSupported,
   [AppConnection.Flyio]: platformManagedCredentialsNotSupported,
+  [AppConnection.GitLab]: platformManagedCredentialsNotSupported,
   [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported
 };
 

backend/src/services/app-connection/app-connection-maps.ts

@@ -28,6 +28,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Heroku]: "Heroku",
   [AppConnection.Render]: "Render",
   [AppConnection.Flyio]: "Fly.io",
+  [AppConnection.GitLab]: "GitLab",
   [AppConnection.Cloudflare]: "Cloudflare"
 };
 
@@ -59,5 +60,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Heroku]: AppConnectionPlanType.Regular,
   [AppConnection.Render]: AppConnectionPlanType.Regular,
   [AppConnection.Flyio]: AppConnectionPlanType.Regular,
+  [AppConnection.GitLab]: AppConnectionPlanType.Regular,
   [AppConnection.Cloudflare]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -58,6 +58,8 @@ import { gcpConnectionService } from "./gcp/gcp-connection-service";
 import { ValidateGitHubConnectionCredentialsSchema } from "./github";
 import { githubConnectionService } from "./github/github-connection-service";
 import { ValidateGitHubRadarConnectionCredentialsSchema } from "./github-radar";
+import { ValidateGitLabConnectionCredentialsSchema } from "./gitlab";
+import { gitlabConnectionService } from "./gitlab/gitlab-connection-service";
 import { ValidateHCVaultConnectionCredentialsSchema } from "./hc-vault";
 import { hcVaultConnectionService } from "./hc-vault/hc-vault-connection-service";
 import { ValidateHerokuConnectionCredentialsSchema } from "./heroku";
@@ -116,6 +118,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Heroku]: ValidateHerokuConnectionCredentialsSchema,
   [AppConnection.Render]: ValidateRenderConnectionCredentialsSchema,
   [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema,
+  [AppConnection.GitLab]: ValidateGitLabConnectionCredentialsSchema,
   [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema
 };
 
@@ -524,7 +527,8 @@ export const appConnectionServiceFactory = ({
     onepass: onePassConnectionService(connectAppConnectionById),
     heroku: herokuConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
     render: renderConnectionService(connectAppConnectionById),
-    cloudflare: cloudflareConnectionService(connectAppConnectionById),
+    flyio: flyioConnectionService(connectAppConnectionById),
-    flyio: flyioConnectionService(connectAppConnectionById)
+    gitlab: gitlabConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
+    cloudflare: cloudflareConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -62,6 +62,12 @@ import {
   TCamundaConnectionInput,
   TValidateCamundaConnectionCredentialsSchema
 } from "./camunda";
+import {
+  TCloudflareConnection,
+  TCloudflareConnectionConfig,
+  TCloudflareConnectionInput,
+  TValidateCloudflareConnectionCredentialsSchema
+} from "./cloudflare/cloudflare-connection-types";
 import {
   TDatabricksConnection,
   TDatabricksConnectionConfig,
@@ -92,6 +98,12 @@ import {
   TGitHubRadarConnectionInput,
   TValidateGitHubRadarConnectionCredentialsSchema
 } from "./github-radar";
+import {
+  TGitLabConnection,
+  TGitLabConnectionConfig,
+  TGitLabConnectionInput,
+  TValidateGitLabConnectionCredentialsSchema
+} from "./gitlab";
 import {
   THCVaultConnection,
   THCVaultConnectionConfig,
@@ -153,12 +165,6 @@ import {
   TWindmillConnectionConfig,
   TWindmillConnectionInput
 } from "./windmill";
-import {
-  TCloudflareConnection,
-  TCloudflareConnectionConfig,
-  TCloudflareConnectionInput,
-  TValidateCloudflareConnectionCredentialsSchema
-} from "./cloudflare/cloudflare-connection-types";
 
 export type TAppConnection = { id: string } & (
   | TAwsConnection
@@ -188,6 +194,7 @@ export type TAppConnection = { id: string } & (
   | THerokuConnection
   | TRenderConnection
   | TFlyioConnection
+  | TGitLabConnection
   | TCloudflareConnection
 );
 
@@ -223,6 +230,7 @@ export type TAppConnectionInput = { id: string } & (
   | THerokuConnectionInput
   | TRenderConnectionInput
   | TFlyioConnectionInput
+  | TGitLabConnectionInput
   | TCloudflareConnectionInput
 );
 
@@ -266,6 +274,7 @@ export type TAppConnectionConfig =
   | THerokuConnectionConfig
   | TRenderConnectionConfig
   | TFlyioConnectionConfig
+  | TGitLabConnectionConfig
   | TCloudflareConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
@@ -296,6 +305,7 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateHerokuConnectionCredentialsSchema
   | TValidateRenderConnectionCredentialsSchema
   | TValidateFlyioConnectionCredentialsSchema
+  | TValidateGitLabConnectionCredentialsSchema
   | TValidateCloudflareConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {

backend/src/services/app-connection/gitlab/gitlab-connection-enums.ts

@@ -0,0 +1,9 @@
+export enum GitLabConnectionMethod {
+  OAuth = "oauth",
+  AccessToken = "access-token"
+}
+
+export enum GitLabAccessTokenType {
+  Project = "project",
+  Personal = "personal"
+}

backend/src/services/app-connection/gitlab/gitlab-connection-fns.ts

@@ -0,0 +1,351 @@
+/* eslint-disable no-await-in-loop */
+import { GitbeakerRequestError, Gitlab } from "@gitbeaker/rest";
+import { AxiosError } from "axios";
+
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { logger } from "@app/lib/logger";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { GitLabAccessTokenType, GitLabConnectionMethod } from "./gitlab-connection-enums";
+import { TGitLabConnection, TGitLabConnectionConfig, TGitLabGroup, TGitLabProject } from "./gitlab-connection-types";
+
+interface GitLabOAuthTokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  created_at: number;
+  scope?: string;
+}
+
+export const getGitLabConnectionListItem = () => {
+  const { INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID } = getConfig();
+
+  return {
+    name: "GitLab" as const,
+    app: AppConnection.GitLab as const,
+    methods: Object.values(GitLabConnectionMethod) as [
+      GitLabConnectionMethod.AccessToken,
+      GitLabConnectionMethod.OAuth
+    ],
+    oauthClientId: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID
+  };
+};
+
+export const getGitLabInstanceUrl = async (instanceUrl?: string) => {
+  const gitLabInstanceUrl = instanceUrl ? removeTrailingSlash(instanceUrl) : IntegrationUrls.GITLAB_URL;
+
+  await blockLocalAndPrivateIpAddresses(gitLabInstanceUrl);
+
+  return gitLabInstanceUrl;
+};
+
+export const getGitLabClient = async (accessToken: string, instanceUrl?: string, isOAuth = false) => {
+  const host = await getGitLabInstanceUrl(instanceUrl);
+
+  const client = new Gitlab<true>({
+    host,
+    ...(isOAuth ? { oauthToken: accessToken } : { token: accessToken }),
+    camelize: true
+  });
+
+  return client;
+};
+
+export const refreshGitLabToken = async (
+  refreshToken: string,
+  appId: string,
+  orgId: string,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">,
+  instanceUrl?: string
+): Promise<string> => {
+  const { INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET, SITE_URL } =
+    getConfig();
+  if (!INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET || !INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID || !SITE_URL) {
+    throw new InternalServerError({
+      message: `GitLab environment variables have not been configured`
+    });
+  }
+
+  const payload = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+    client_id: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID,
+    client_secret: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET,
+    redirect_uri: `${SITE_URL}/organization/app-connections/gitlab/oauth/callback`
+  });
+
+  try {
+    const url = await getGitLabInstanceUrl(instanceUrl);
+    const { data } = await request.post<GitLabOAuthTokenResponse>(`${url}/oauth/token`, payload.toString(), {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      }
+    });
+
+    const expiresAt = new Date(Date.now() + data.expires_in * 1000 - 600000);
+
+    const encryptedCredentials = await encryptAppConnectionCredentials({
+      credentials: {
+        instanceUrl,
+        tokenType: data.token_type,
+        createdAt: new Date(data.created_at * 1000).toISOString(),
+        refreshToken: data.refresh_token,
+        accessToken: data.access_token,
+        expiresAt
+      },
+      orgId,
+      kmsService
+    });
+
+    await appConnectionDAL.updateById(appId, { encryptedCredentials });
+    return data.access_token;
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to refresh GitLab token: ${error.message}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to refresh GitLab token"
+    });
+  }
+};
+
+export const exchangeGitLabOAuthCode = async (
+  code: string,
+  instanceUrl?: string
+): Promise<GitLabOAuthTokenResponse> => {
+  const { INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET, SITE_URL } =
+    getConfig();
+  if (!INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET || !INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID || !SITE_URL) {
+    throw new InternalServerError({
+      message: `GitLab environment variables have not been configured`
+    });
+  }
+
+  try {
+    const payload = new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      client_id: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID,
+      client_secret: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET,
+      redirect_uri: `${SITE_URL}/organization/app-connections/gitlab/oauth/callback`
+    });
+    const url = await getGitLabInstanceUrl(instanceUrl);
+
+    const response = await request.post<GitLabOAuthTokenResponse>(`${url}/oauth/token`, payload.toString(), {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      }
+    });
+
+    if (!response.data) {
+      throw new InternalServerError({
+        message: "Failed to exchange OAuth code: Empty response"
+      });
+    }
+
+    return response.data;
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to exchange OAuth code: ${error.message}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to exchange OAuth code"
+    });
+  }
+};
+
+export const validateGitLabConnectionCredentials = async (config: TGitLabConnectionConfig) => {
+  const { credentials: inputCredentials, method } = config;
+
+  let accessToken: string;
+  let oauthData: GitLabOAuthTokenResponse | null = null;
+
+  if (method === GitLabConnectionMethod.OAuth && "code" in inputCredentials) {
+    oauthData = await exchangeGitLabOAuthCode(inputCredentials.code, inputCredentials.instanceUrl);
+    accessToken = oauthData.access_token;
+  } else if (method === GitLabConnectionMethod.AccessToken && "accessToken" in inputCredentials) {
+    accessToken = inputCredentials.accessToken;
+  } else {
+    throw new BadRequestError({
+      message: "Invalid credentials for the selected connection method"
+    });
+  }
+
+  try {
+    const client = await getGitLabClient(
+      accessToken,
+      inputCredentials.instanceUrl,
+      method === GitLabConnectionMethod.OAuth
+    );
+    await client.Users.showCurrentUser();
+  } catch (error: unknown) {
+    logger.error(error, "Error validating GitLab connection credentials");
+
+    if (error instanceof GitbeakerRequestError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
+      });
+    }
+
+    throw new BadRequestError({
+      message: `Failed to validate credentials: ${(error as Error)?.message || "verify credentials"}`
+    });
+  }
+
+  if (method === GitLabConnectionMethod.OAuth && oauthData) {
+    return {
+      accessToken,
+      instanceUrl: inputCredentials.instanceUrl,
+      refreshToken: oauthData.refresh_token,
+      expiresAt: new Date(Date.now() + oauthData.expires_in * 1000 - 60000),
+      tokenType: oauthData.token_type,
+      createdAt: new Date(oauthData.created_at * 1000)
+    };
+  }
+
+  return inputCredentials;
+};
+
+export const listGitLabProjects = async ({
+  appConnection,
+  appConnectionDAL,
+  kmsService
+}: {
+  appConnection: TGitLabConnection;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+}): Promise<TGitLabProject[]> => {
+  let { accessToken } = appConnection.credentials;
+
+  if (
+    appConnection.method === GitLabConnectionMethod.OAuth &&
+    appConnection.credentials.refreshToken &&
+    new Date(appConnection.credentials.expiresAt) < new Date()
+  ) {
+    accessToken = await refreshGitLabToken(
+      appConnection.credentials.refreshToken,
+      appConnection.id,
+      appConnection.orgId,
+      appConnectionDAL,
+      kmsService,
+      appConnection.credentials.instanceUrl
+    );
+  }
+
+  try {
+    const client = await getGitLabClient(
+      accessToken,
+      appConnection.credentials.instanceUrl,
+      appConnection.method === GitLabConnectionMethod.OAuth
+    );
+    const projects = await client.Projects.all({
+      archived: false,
+      includePendingDelete: false,
+      membership: true,
+      includeHidden: false,
+      imported: false
+    });
+
+    return projects.map((project) => ({
+      name: project.pathWithNamespace,
+      id: project.id.toString()
+    }));
+  } catch (error: unknown) {
+    if (error instanceof GitbeakerRequestError) {
+      throw new BadRequestError({
+        message: `Failed to fetch GitLab projects: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
+      });
+    }
+
+    if (error instanceof InternalServerError) {
+      throw error;
+    }
+
+    throw new InternalServerError({
+      message: "Unable to fetch GitLab projects"
+    });
+  }
+};
+
+export const listGitLabGroups = async ({
+  appConnection,
+  appConnectionDAL,
+  kmsService
+}: {
+  appConnection: TGitLabConnection;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+}): Promise<TGitLabGroup[]> => {
+  let { accessToken } = appConnection.credentials;
+
+  if (
+    appConnection.method === GitLabConnectionMethod.AccessToken &&
+    appConnection.credentials.accessTokenType === GitLabAccessTokenType.Project
+  ) {
+    return [];
+  }
+
+  if (
+    appConnection.method === GitLabConnectionMethod.OAuth &&
+    appConnection.credentials.refreshToken &&
+    new Date(appConnection.credentials.expiresAt) < new Date()
+  ) {
+    accessToken = await refreshGitLabToken(
+      appConnection.credentials.refreshToken,
+      appConnection.id,
+      appConnection.orgId,
+      appConnectionDAL,
+      kmsService,
+      appConnection.credentials.instanceUrl
+    );
+  }
+
+  try {
+    const client = await getGitLabClient(
+      accessToken,
+      appConnection.credentials.instanceUrl,
+      appConnection.method === GitLabConnectionMethod.OAuth
+    );
+
+    const groups = await client.Groups.all({
+      orderBy: "name",
+      sort: "asc",
+      minAccessLevel: 50
+    });
+
+    return groups.map((group) => ({
+      id: group.id.toString(),
+      name: group.name
+    }));
+  } catch (error: unknown) {
+    if (error instanceof GitbeakerRequestError) {
+      throw new BadRequestError({
+        message: `Failed to fetch GitLab groups: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
+      });
+    }
+
+    if (error instanceof InternalServerError) {
+      throw error;
+    }
+
+    throw new InternalServerError({
+      message: "Unable to fetch GitLab groups"
+    });
+  }
+};

backend/src/services/app-connection/gitlab/gitlab-connection-schemas.ts

@@ -0,0 +1,138 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { GitLabAccessTokenType, GitLabConnectionMethod } from "./gitlab-connection-enums";
+
+export const GitLabConnectionAccessTokenCredentialsSchema = z.object({
+  accessToken: z
+    .string()
+    .trim()
+    .min(1, "Access Token required")
+    .describe(AppConnections.CREDENTIALS.GITLAB.accessToken),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .optional()
+    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl),
+  accessTokenType: z.nativeEnum(GitLabAccessTokenType).describe(AppConnections.CREDENTIALS.GITLAB.accessTokenType)
+});
+
+export const GitLabConnectionOAuthCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "OAuth code required").describe(AppConnections.CREDENTIALS.GITLAB.code),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .optional()
+    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl)
+});
+
+export const GitLabConnectionOAuthOutputCredentialsSchema = z.object({
+  accessToken: z.string().trim(),
+  refreshToken: z.string().trim(),
+  expiresAt: z.date(),
+  tokenType: z.string().optional().default("bearer"),
+  createdAt: z.string().optional(),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .optional()
+    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl)
+});
+
+export const GitLabConnectionRefreshTokenCredentialsSchema = z.object({
+  refreshToken: z.string().trim().min(1, "Refresh token required"),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .optional()
+    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl)
+});
+
+const BaseGitLabConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.GitLab)
+});
+
+export const GitLabConnectionSchema = z.intersection(
+  BaseGitLabConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(GitLabConnectionMethod.AccessToken),
+      credentials: GitLabConnectionAccessTokenCredentialsSchema
+    }),
+    z.object({
+      method: z.literal(GitLabConnectionMethod.OAuth),
+      credentials: GitLabConnectionOAuthOutputCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedGitLabConnectionSchema = z.discriminatedUnion("method", [
+  BaseGitLabConnectionSchema.extend({
+    method: z.literal(GitLabConnectionMethod.AccessToken),
+    credentials: GitLabConnectionAccessTokenCredentialsSchema.pick({
+      instanceUrl: true,
+      accessTokenType: true
+    })
+  }),
+  BaseGitLabConnectionSchema.extend({
+    method: z.literal(GitLabConnectionMethod.OAuth),
+    credentials: GitLabConnectionOAuthOutputCredentialsSchema.pick({
+      instanceUrl: true
+    })
+  })
+]);
+
+export const ValidateGitLabConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(GitLabConnectionMethod.AccessToken).describe(AppConnections.CREATE(AppConnection.GitLab).method),
+    credentials: GitLabConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.GitLab).credentials
+    )
+  }),
+  z.object({
+    method: z.literal(GitLabConnectionMethod.OAuth).describe(AppConnections.CREATE(AppConnection.GitLab).method),
+    credentials: z
+      .union([
+        GitLabConnectionOAuthCredentialsSchema,
+        GitLabConnectionRefreshTokenCredentialsSchema,
+        GitLabConnectionOAuthOutputCredentialsSchema
+      ])
+      .describe(AppConnections.CREATE(AppConnection.GitLab).credentials)
+  })
+]);
+
+export const CreateGitLabConnectionSchema = ValidateGitLabConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.GitLab)
+);
+
+export const UpdateGitLabConnectionSchema = z
+  .object({
+    credentials: z
+      .union([
+        GitLabConnectionAccessTokenCredentialsSchema,
+        GitLabConnectionOAuthOutputCredentialsSchema,
+        GitLabConnectionRefreshTokenCredentialsSchema,
+        GitLabConnectionOAuthCredentialsSchema
+      ])
+      .optional()
+      .describe(AppConnections.UPDATE(AppConnection.GitLab).credentials)
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.GitLab));
+
+export const GitLabConnectionListItemSchema = z.object({
+  name: z.literal("GitLab"),
+  app: z.literal(AppConnection.GitLab),
+  methods: z.nativeEnum(GitLabConnectionMethod).array(),
+  oauthClientId: z.string().optional()
+});

backend/src/services/app-connection/gitlab/gitlab-connection-service.ts

@@ -0,0 +1,47 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { AppConnection } from "../app-connection-enums";
+import { listGitLabGroups, listGitLabProjects } from "./gitlab-connection-fns";
+import { TGitLabConnection } from "./gitlab-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TGitLabConnection>;
+
+export const gitlabConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const listProjects = async (connectionId: string, actor: OrgServiceActor) => {
+    try {
+      const appConnection = await getAppConnection(AppConnection.GitLab, connectionId, actor);
+      const projects = await listGitLabProjects({ appConnection, appConnectionDAL, kmsService });
+      return projects;
+    } catch (error) {
+      logger.error(error, `Failed to establish connection with GitLab for app ${connectionId}`);
+      return [];
+    }
+  };
+
+  const listGroups = async (connectionId: string, actor: OrgServiceActor) => {
+    try {
+      const appConnection = await getAppConnection(AppConnection.GitLab, connectionId, actor);
+      const groups = await listGitLabGroups({ appConnection, appConnectionDAL, kmsService });
+      return groups;
+    } catch (error) {
+      logger.error(error, `Failed to establish connection with GitLab for app ${connectionId}`);
+      return [];
+    }
+  };
+
+  return {
+    listProjects,
+    listGroups
+  };
+};

backend/src/services/app-connection/gitlab/gitlab-connection-types.ts

@@ -0,0 +1,56 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateGitLabConnectionSchema,
+  GitLabConnectionSchema,
+  ValidateGitLabConnectionCredentialsSchema
+} from "./gitlab-connection-schemas";
+
+export type TGitLabConnection = z.infer<typeof GitLabConnectionSchema>;
+
+export type TGitLabConnectionInput = z.infer<typeof CreateGitLabConnectionSchema> & {
+  app: AppConnection.GitLab;
+};
+
+export type TValidateGitLabConnectionCredentialsSchema = typeof ValidateGitLabConnectionCredentialsSchema;
+
+export type TGitLabConnectionConfig = DiscriminativePick<TGitLabConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TGitLabProject = {
+  name: string;
+  id: string;
+};
+
+export type TGitLabAccessTokenCredentials = {
+  accessToken: string;
+  instanceUrl: string;
+};
+
+export type TGitLabOAuthCredentials = {
+  accessToken: string;
+  refreshToken: string;
+  expiresAt: Date;
+  tokenType?: string;
+  createdAt?: Date;
+  instanceUrl: string;
+};
+
+export type TGitLabOAuthCodeCredentials = {
+  code: string;
+  instanceUrl: string;
+};
+
+export type TGitLabRefreshTokenCredentials = {
+  refreshToken: string;
+  instanceUrl: string;
+};
+
+export interface TGitLabGroup {
+  id: string;
+  name: string;
+}

backend/src/services/app-connection/gitlab/index.ts

@@ -0,0 +1,4 @@
+export * from "./gitlab-connection-enums";
+export * from "./gitlab-connection-fns";
+export * from "./gitlab-connection-schemas";
+export * from "./gitlab-connection-types";

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -307,7 +307,6 @@ export const AwsParameterStoreSyncFns = {
       awsParameterStoreSecretsRecord,
       Boolean(syncOptions.tags?.length || syncOptions.syncSecretMetadataAsTags)
     );
-    const syncTagsRecord = Object.fromEntries(syncOptions.tags?.map((tag) => [tag.key, tag.value]) ?? []);
 
     for await (const entry of Object.entries(secretMap)) {
       const [key, { value, secretMetadata }] = entry;
@@ -342,13 +341,13 @@ export const AwsParameterStoreSyncFns = {
         }
       }
 
-      if (shouldManageTags) {
+      if ((syncOptions.tags !== undefined || syncOptions.syncSecretMetadataAsTags) && shouldManageTags) {
         const { tagsToAdd, tagKeysToRemove } = processParameterTags({
           syncTagsRecord: {
             // configured sync tags take preference over secret metadata
             ...(syncOptions.syncSecretMetadataAsTags &&
               Object.fromEntries(secretMetadata?.map((tag) => [tag.key, tag.value]) ?? [])),
-            ...syncTagsRecord
+            ...(syncOptions.tags && Object.fromEntries(syncOptions.tags?.map((tag) => [tag.key, tag.value]) ?? []))
           },
           awsTagsRecord: awsParameterStoreTagsRecord[key] ?? {}
         });

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts

@@ -366,37 +366,39 @@ export const AwsSecretsManagerSyncFns = {
           }
         }
 
-        const { tagsToAdd, tagKeysToRemove } = processTags({
+        if (syncOptions.tags !== undefined || syncOptions.syncSecretMetadataAsTags) {
-          syncTagsRecord: {
+          const { tagsToAdd, tagKeysToRemove } = processTags({
-            // configured sync tags take preference over secret metadata
+            syncTagsRecord: {
-            ...(syncOptions.syncSecretMetadataAsTags &&
+              // configured sync tags take preference over secret metadata
-              Object.fromEntries(secretMetadata?.map((tag) => [tag.key, tag.value]) ?? [])),
+              ...(syncOptions.syncSecretMetadataAsTags &&
-            ...syncTagsRecord
+                Object.fromEntries(secretMetadata?.map((tag) => [tag.key, tag.value]) ?? [])),
-          },
+              ...(syncOptions.tags !== undefined && syncTagsRecord)
-          awsTagsRecord: Object.fromEntries(
+            },
-            awsDescriptionsRecord[key]?.Tags?.map((tag) => [tag.Key!, tag.Value!]) ?? []
+            awsTagsRecord: Object.fromEntries(
-          )
+              awsDescriptionsRecord[key]?.Tags?.map((tag) => [tag.Key!, tag.Value!]) ?? []
-        });
+            )
+          });
 
-        if (tagsToAdd.length) {
+          if (tagsToAdd.length) {
-          try {
+            try {
-            await addTags(client, key, tagsToAdd);
+              await addTags(client, key, tagsToAdd);
-          } catch (error) {
+            } catch (error) {
-            throw new SecretSyncError({
+              throw new SecretSyncError({
-              error,
+                error,
-              secretKey: key
+                secretKey: key
-            });
+              });
+            }
           }
-        }
 
-        if (tagKeysToRemove.length) {
+          if (tagKeysToRemove.length) {
-          try {
+            try {
-            await removeTags(client, key, tagKeysToRemove);
+              await removeTags(client, key, tagKeysToRemove);
-          } catch (error) {
+            } catch (error) {
-            throw new SecretSyncError({
+              throw new SecretSyncError({
-              error,
+                error,
-              secretKey: key
+                secretKey: key
-            });
+              });
+            }
           }
         }
       }
@@ -439,32 +441,34 @@ export const AwsSecretsManagerSyncFns = {
         });
       }
 
-      const { tagsToAdd, tagKeysToRemove } = processTags({
+      if (syncOptions.tags !== undefined) {
-        syncTagsRecord,
+        const { tagsToAdd, tagKeysToRemove } = processTags({
-        awsTagsRecord: Object.fromEntries(
+          syncTagsRecord,
-          awsDescriptionsRecord[destinationConfig.secretName]?.Tags?.map((tag) => [tag.Key!, tag.Value!]) ?? []
+          awsTagsRecord: Object.fromEntries(
-        )
+            awsDescriptionsRecord[destinationConfig.secretName]?.Tags?.map((tag) => [tag.Key!, tag.Value!]) ?? []
-      });
+          )
+        });
 
-      if (tagsToAdd.length) {
+        if (tagsToAdd.length) {
-        try {
+          try {
-          await addTags(client, destinationConfig.secretName, tagsToAdd);
+            await addTags(client, destinationConfig.secretName, tagsToAdd);
-        } catch (error) {
+          } catch (error) {
-          throw new SecretSyncError({
+            throw new SecretSyncError({
-            error,
+              error,
-            secretKey: destinationConfig.secretName
+              secretKey: destinationConfig.secretName
-          });
+            });
+          }
         }
-      }
 
-      if (tagKeysToRemove.length) {
+        if (tagKeysToRemove.length) {
-        try {
+          try {
-          await removeTags(client, destinationConfig.secretName, tagKeysToRemove);
+            await removeTags(client, destinationConfig.secretName, tagKeysToRemove);
-        } catch (error) {
+          } catch (error) {
-          throw new SecretSyncError({
+            throw new SecretSyncError({
-            error,
+              error,
-            secretKey: destinationConfig.secretName
+              secretKey: destinationConfig.secretName
-          });
+            });
+          }
         }
       }
     }

backend/src/services/secret-sync/gitlab/gitlab-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const GITLAB_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "GitLab",
+  destination: SecretSync.GitLab,
+  connection: AppConnection.GitLab,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/gitlab/gitlab-sync-enums.ts

@@ -0,0 +1,4 @@
+export enum GitLabSyncScope {
+  Project = "project",
+  Group = "group"
+}

backend/src/services/secret-sync/gitlab/gitlab-sync-fns.ts

@@ -0,0 +1,452 @@
+/* eslint-disable no-await-in-loop */
+import { GitbeakerRequestError } from "@gitbeaker/rest";
+
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import {
+  getGitLabClient,
+  GitLabConnectionMethod,
+  refreshGitLabToken,
+  TGitLabConnection
+} from "@app/services/app-connection/gitlab";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { TGitLabSyncWithCredentials, TGitLabVariable } from "@app/services/secret-sync/gitlab/gitlab-sync-types";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+import { GitLabSyncScope } from "./gitlab-sync-enums";
+
+interface TGitLabVariablePayload {
+  key?: string;
+  value: string;
+  variable_type?: "env_var" | "file";
+  environment_scope?: string;
+  protected?: boolean;
+  masked?: boolean;
+  masked_and_hidden?: boolean;
+  description?: string;
+}
+
+interface TGitLabVariableCreate extends TGitLabVariablePayload {
+  key: string;
+}
+
+interface TGitLabVariableUpdate extends Omit<TGitLabVariablePayload, "key"> {}
+
+type TGitLabSyncFactoryDeps = {
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+};
+
+const getValidAccessToken = async (
+  connection: TGitLabConnection,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+): Promise<string> => {
+  if (
+    connection.method === GitLabConnectionMethod.OAuth &&
+    connection.credentials.refreshToken &&
+    new Date(connection.credentials.expiresAt) < new Date()
+  ) {
+    const accessToken = await refreshGitLabToken(
+      connection.credentials.refreshToken,
+      connection.id,
+      connection.orgId,
+      appConnectionDAL,
+      kmsService,
+      connection.credentials.instanceUrl
+    );
+    return accessToken;
+  }
+  return connection.credentials.accessToken;
+};
+
+const getGitLabVariables = async ({
+  accessToken,
+  connection,
+  scope,
+  resourceId,
+  targetEnvironment
+}: {
+  accessToken: string;
+  connection: TGitLabConnection;
+  scope: GitLabSyncScope;
+  resourceId: string;
+  targetEnvironment?: string;
+}): Promise<TGitLabVariable[]> => {
+  try {
+    const client = await getGitLabClient(
+      accessToken,
+      connection.credentials.instanceUrl,
+      connection.method === GitLabConnectionMethod.OAuth
+    );
+
+    let variables: TGitLabVariable[] = [];
+
+    if (scope === GitLabSyncScope.Project) {
+      variables = await client.ProjectVariables.all(resourceId);
+    } else {
+      variables = await client.GroupVariables.all(resourceId);
+    }
+
+    if (targetEnvironment) {
+      variables = variables.filter((v) => v.environmentScope === targetEnvironment);
+    }
+
+    return variables;
+  } catch (error) {
+    if (error instanceof GitbeakerRequestError) {
+      throw new SecretSyncError({
+        error: new Error(
+          `Failed to fetch variables: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
+        )
+      });
+    }
+    throw new SecretSyncError({
+      error
+    });
+  }
+};
+
+const createGitLabVariable = async ({
+  accessToken,
+  connection,
+  scope,
+  resourceId,
+  variable
+}: {
+  accessToken: string;
+  connection: TGitLabConnection;
+  scope: GitLabSyncScope;
+  resourceId: string;
+  variable: TGitLabVariableCreate;
+}): Promise<void> => {
+  try {
+    const client = await getGitLabClient(
+      accessToken,
+      connection.credentials.instanceUrl,
+      connection.method === GitLabConnectionMethod.OAuth
+    );
+
+    const payload = {
+      key: variable.key,
+      value: variable.value,
+      variableType: "env_var",
+      environmentScope: variable.environment_scope || "*",
+      protected: variable.protected || false,
+      masked: variable.masked || false,
+      masked_and_hidden: variable.masked_and_hidden || false,
+      raw: false
+    };
+
+    if (scope === GitLabSyncScope.Project) {
+      await client.ProjectVariables.create(resourceId, payload.key, payload.value, {
+        variableType: "env_var",
+        environmentScope: payload.environmentScope,
+        protected: payload.protected,
+        masked: payload.masked,
+        masked_and_hidden: payload.masked_and_hidden,
+        raw: false
+      });
+    } else {
+      await client.GroupVariables.create(resourceId, payload.key, payload.value, {
+        variableType: "env_var",
+        environmentScope: payload.environmentScope,
+        protected: payload.protected,
+        masked: payload.masked,
+        ...(payload.masked_and_hidden && { masked_and_hidden: payload.masked_and_hidden }),
+        raw: false
+      });
+    }
+  } catch (error) {
+    if (error instanceof GitbeakerRequestError) {
+      throw new SecretSyncError({
+        error: new Error(
+          `Failed to create variable: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
+        ),
+        secretKey: variable.key
+      });
+    }
+    throw new SecretSyncError({
+      error,
+      secretKey: variable.key
+    });
+  }
+};
+
+const updateGitLabVariable = async ({
+  accessToken,
+  connection,
+  scope,
+  resourceId,
+  key,
+  variable,
+  targetEnvironment
+}: {
+  accessToken: string;
+  connection: TGitLabConnection;
+  scope: GitLabSyncScope;
+  resourceId: string;
+  key: string;
+  variable: TGitLabVariableUpdate;
+  targetEnvironment?: string;
+}): Promise<void> => {
+  try {
+    const client = await getGitLabClient(
+      accessToken,
+      connection.credentials.instanceUrl,
+      connection.method === GitLabConnectionMethod.OAuth
+    );
+
+    const options = {
+      ...(variable.environment_scope && { environmentScope: variable.environment_scope }),
+      ...(variable.protected !== undefined && { protected: variable.protected }),
+      ...(variable.masked !== undefined && { masked: variable.masked })
+    };
+
+    if (targetEnvironment) {
+      options.environmentScope = targetEnvironment;
+    }
+
+    if (scope === GitLabSyncScope.Project) {
+      await client.ProjectVariables.edit(resourceId, key, variable.value, {
+        ...options,
+        filter: { environment_scope: targetEnvironment || "*" }
+      });
+    } else {
+      await client.GroupVariables.edit(resourceId, key, variable.value, {
+        ...options,
+        filter: { environment_scope: targetEnvironment || "*" }
+      });
+    }
+  } catch (error) {
+    if (error instanceof GitbeakerRequestError) {
+      throw new SecretSyncError({
+        error: new Error(
+          `Failed to update variable: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
+        ),
+        secretKey: key
+      });
+    }
+    throw new SecretSyncError({
+      error,
+      secretKey: key
+    });
+  }
+};
+
+const deleteGitLabVariable = async ({
+  accessToken,
+  connection,
+  scope,
+  resourceId,
+  key,
+  targetEnvironment,
+  allVariables
+}: {
+  accessToken: string;
+  connection: TGitLabConnection;
+  scope: GitLabSyncScope;
+  resourceId: string;
+  key: string;
+  targetEnvironment?: string;
+  allVariables?: TGitLabVariable[];
+}): Promise<void> => {
+  if (allVariables && !allVariables.find((v) => v.key === key)) {
+    return;
+  }
+  try {
+    const client = await getGitLabClient(
+      accessToken,
+      connection.credentials.instanceUrl,
+      connection.method === GitLabConnectionMethod.OAuth
+    );
+
+    const options: { filter?: { environment_scope: string } } = {};
+    if (targetEnvironment) {
+      options.filter = { environment_scope: targetEnvironment || "*" };
+    }
+
+    if (scope === GitLabSyncScope.Project) {
+      await client.ProjectVariables.remove(resourceId, key, options);
+    } else {
+      await client.GroupVariables.remove(resourceId, key);
+    }
+  } catch (error: unknown) {
+    if (error instanceof GitbeakerRequestError) {
+      throw new SecretSyncError({
+        error: new Error(
+          `Failed to delete variable: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
+        ),
+        secretKey: key
+      });
+    }
+    throw new SecretSyncError({
+      error,
+      secretKey: key
+    });
+  }
+};
+
+export const GitLabSyncFns = {
+  syncSecrets: async (
+    secretSync: TGitLabSyncWithCredentials,
+    secretMap: TSecretMap,
+    { appConnectionDAL, kmsService }: TGitLabSyncFactoryDeps
+  ): Promise<void> => {
+    const { connection, environment, destinationConfig } = secretSync;
+    const { scope, targetEnvironment } = destinationConfig;
+
+    const resourceId = scope === GitLabSyncScope.Project ? destinationConfig.projectId : destinationConfig.groupId;
+
+    const accessToken = await getValidAccessToken(connection, appConnectionDAL, kmsService);
+
+    try {
+      const currentVariables = await getGitLabVariables({
+        accessToken,
+        connection,
+        scope,
+        resourceId,
+        targetEnvironment
+      });
+
+      const currentVariableMap = new Map(currentVariables.map((v) => [v.key, v]));
+
+      for (const [key, { value }] of Object.entries(secretMap)) {
+        if (value?.length < 8 && destinationConfig.shouldMaskSecrets) {
+          throw new SecretSyncError({
+            message: `Secret ${key} is too short to be masked. GitLab requires a minimum of 8 characters for masked secrets.`,
+            secretKey: key
+          });
+        }
+        try {
+          const existingVariable = currentVariableMap.get(key);
+
+          if (existingVariable) {
+            if (
+              existingVariable.value !== value ||
+              existingVariable.environmentScope !== targetEnvironment ||
+              existingVariable.protected !== destinationConfig.shouldProtectSecrets ||
+              existingVariable.masked !== destinationConfig.shouldMaskSecrets
+            ) {
+              await updateGitLabVariable({
+                accessToken,
+                connection,
+                scope,
+                resourceId,
+                key,
+                variable: {
+                  value,
+                  environment_scope: targetEnvironment,
+                  protected: destinationConfig.shouldProtectSecrets,
+                  masked: destinationConfig.shouldMaskSecrets || existingVariable.hidden
+                },
+                targetEnvironment
+              });
+            }
+          } else {
+            await createGitLabVariable({
+              accessToken,
+              connection,
+              scope,
+              resourceId,
+              variable: {
+                key,
+                value,
+                variable_type: "env_var",
+                environment_scope: targetEnvironment || "*",
+                protected: destinationConfig.shouldProtectSecrets || false,
+                masked: destinationConfig.shouldMaskSecrets || false,
+                masked_and_hidden: destinationConfig.shouldHideSecrets || false
+              }
+            });
+          }
+        } catch (error) {
+          throw new SecretSyncError({
+            error,
+            secretKey: key
+          });
+        }
+      }
+
+      if (!secretSync.syncOptions.disableSecretDeletion) {
+        for (const variable of currentVariables) {
+          try {
+            const shouldDelete =
+              matchesSchema(variable.key, environment?.slug || "", secretSync.syncOptions.keySchema) &&
+              !(variable.key in secretMap);
+
+            if (shouldDelete) {
+              await deleteGitLabVariable({
+                accessToken,
+                connection,
+                scope,
+                resourceId,
+                key: variable.key,
+                targetEnvironment
+              });
+            }
+          } catch (error) {
+            throw new SecretSyncError({
+              error,
+              secretKey: variable.key
+            });
+          }
+        }
+      }
+    } catch (error) {
+      if (error instanceof SecretSyncError) {
+        throw error;
+      }
+      throw new SecretSyncError({
+        message: "Failed to sync secrets",
+        error
+      });
+    }
+  },
+
+  removeSecrets: async (
+    secretSync: TGitLabSyncWithCredentials,
+    secretMap: TSecretMap,
+    { appConnectionDAL, kmsService }: TGitLabSyncFactoryDeps
+  ): Promise<void> => {
+    const { connection, destinationConfig } = secretSync;
+    const { scope, targetEnvironment } = destinationConfig;
+
+    const resourceId = scope === GitLabSyncScope.Project ? destinationConfig.projectId : destinationConfig.groupId;
+
+    const accessToken = await getValidAccessToken(connection, appConnectionDAL, kmsService);
+
+    const allVariables = await getGitLabVariables({
+      accessToken,
+      connection,
+      scope,
+      resourceId,
+      targetEnvironment
+    });
+
+    for (const key of Object.keys(secretMap)) {
+      try {
+        await deleteGitLabVariable({
+          accessToken,
+          connection,
+          scope,
+          resourceId,
+          key,
+          targetEnvironment,
+          allVariables
+        });
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+  },
+
+  getSecrets: async (secretSync: TGitLabSyncWithCredentials): Promise<TSecretMap> => {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  }
+};

backend/src/services/secret-sync/gitlab/gitlab-sync-schemas.ts

@@ -0,0 +1,97 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+import { GitLabSyncScope } from "./gitlab-sync-enums";
+
+const GitLabSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
+  z.object({
+    scope: z.literal(GitLabSyncScope.Project).describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.scope),
+    projectId: z.string().min(1, "Project ID is required").describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.projectId),
+    projectName: z
+      .string()
+      .min(1, "Project name is required")
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.projectName),
+    targetEnvironment: z
+      .string()
+      .optional()
+      .default("*")
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.targetEnvironment),
+    shouldProtectSecrets: z
+      .boolean()
+      .optional()
+      .default(false)
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldProtectSecrets),
+    shouldMaskSecrets: z
+      .boolean()
+      .optional()
+      .default(false)
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldMaskSecrets),
+    shouldHideSecrets: z
+      .boolean()
+      .optional()
+      .default(false)
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldHideSecrets)
+  }),
+  z.object({
+    scope: z.literal(GitLabSyncScope.Group).describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.scope),
+    groupId: z.string().min(1, "Group ID is required").describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.groupId),
+    groupName: z.string().min(1, "Group name is required").describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.groupName),
+    targetEnvironment: z
+      .string()
+      .optional()
+      .default("*")
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.targetEnvironment),
+    shouldProtectSecrets: z
+      .boolean()
+      .optional()
+      .default(false)
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldProtectSecrets),
+    shouldMaskSecrets: z
+      .boolean()
+      .optional()
+      .default(false)
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldMaskSecrets),
+    shouldHideSecrets: z
+      .boolean()
+      .optional()
+      .default(false)
+      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldHideSecrets)
+  })
+]);
+
+const GitLabSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const GitLabSyncSchema = BaseSecretSyncSchema(SecretSync.GitLab, GitLabSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.GitLab),
+  destinationConfig: GitLabSyncDestinationConfigSchema
+});
+
+export const CreateGitLabSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.GitLab,
+  GitLabSyncOptionsConfig
+).extend({
+  destinationConfig: GitLabSyncDestinationConfigSchema
+});
+
+export const UpdateGitLabSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.GitLab,
+  GitLabSyncOptionsConfig
+).extend({
+  destinationConfig: GitLabSyncDestinationConfigSchema.optional()
+});
+
+export const GitLabSyncListItemSchema = z.object({
+  name: z.literal("GitLab"),
+  connection: z.literal(AppConnection.GitLab),
+  destination: z.literal(SecretSync.GitLab),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/gitlab/gitlab-sync-types.ts

@@ -0,0 +1,58 @@
+import { z } from "zod";
+
+import { TGitLabConnection } from "@app/services/app-connection/gitlab";
+
+import { CreateGitLabSyncSchema, GitLabSyncListItemSchema, GitLabSyncSchema } from "./gitlab-sync-schemas";
+
+export type TGitLabSync = z.infer<typeof GitLabSyncSchema>;
+export type TGitLabSyncInput = z.infer<typeof CreateGitLabSyncSchema>;
+export type TGitLabSyncListItem = z.infer<typeof GitLabSyncListItemSchema>;
+
+export type TGitLabSyncWithCredentials = TGitLabSync & {
+  connection: TGitLabConnection;
+};
+
+export type TGitLabVariable = {
+  key: string;
+  value: string;
+  protected: boolean;
+  masked: boolean;
+  environmentScope?: string;
+  hidden?: boolean;
+};
+
+export type TGitLabVariableCreate = {
+  key: string;
+  value: string;
+  variable_type?: "env_var" | "file";
+  protected?: boolean;
+  masked?: boolean;
+  raw?: boolean;
+  environment_scope?: string;
+  description?: string;
+};
+
+export type TGitLabVariableUpdate = {
+  value: string;
+  variable_type?: "env_var" | "file";
+  protected?: boolean;
+  masked?: boolean;
+  raw?: boolean;
+  environment_scope?: string;
+  description?: string | null;
+};
+
+export type TGitLabListVariables = {
+  accessToken: string;
+  projectId: string;
+  environmentScope?: string;
+};
+
+export type TGitLabCreateVariable = TGitLabListVariables & {
+  variable: TGitLabVariableCreate;
+};
+
+export type TGitLabUpdateVariable = TGitLabListVariables & {
+  key: string;
+  variable: TGitLabVariableUpdate;
+};

backend/src/services/secret-sync/gitlab/index.ts

@@ -0,0 +1,4 @@
+export * from "./gitlab-sync-constants";
+export * from "./gitlab-sync-fns";
+export * from "./gitlab-sync-schemas";
+export * from "./gitlab-sync-types";

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -19,6 +19,7 @@ export enum SecretSync {
   Heroku = "heroku",
   Render = "render",
   Flyio = "flyio",
+  GitLab = "gitlab",
   CloudflarePages = "cloudflare-pages"
 }
 

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -34,6 +34,7 @@ import { CloudflarePagesSyncFns } from "./cloudflare-pages/cloudflare-pages-fns"
 import { FLYIO_SYNC_LIST_OPTION, FlyioSyncFns } from "./flyio";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
+import { GITLAB_SYNC_LIST_OPTION, GitLabSyncFns } from "./gitlab";
 import { HC_VAULT_SYNC_LIST_OPTION, HCVaultSyncFns } from "./hc-vault";
 import { HEROKU_SYNC_LIST_OPTION, HerokuSyncFns } from "./heroku";
 import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
@@ -66,6 +67,7 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.Heroku]: HEROKU_SYNC_LIST_OPTION,
   [SecretSync.Render]: RENDER_SYNC_LIST_OPTION,
   [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
+  [SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION,
   [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION
 };
 
@@ -230,6 +232,8 @@ export const SecretSyncFns = {
         return RenderSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Flyio:
         return FlyioSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.GitLab:
+        return GitLabSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
       default:
@@ -318,6 +322,9 @@ export const SecretSyncFns = {
       case SecretSync.Flyio:
         secretMap = await FlyioSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.GitLab:
+        secretMap = await GitLabSyncFns.getSecrets(secretSync);
+        break;
       case SecretSync.CloudflarePages:
         secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync);
         break;
@@ -394,6 +401,8 @@ export const SecretSyncFns = {
         return RenderSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Flyio:
         return FlyioSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.GitLab:
+        return GitLabSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
       default:

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -22,6 +22,7 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.Heroku]: "Heroku",
   [SecretSync.Render]: "Render",
   [SecretSync.Flyio]: "Fly.io",
+  [SecretSync.GitLab]: "GitLab",
   [SecretSync.CloudflarePages]: "Cloudflare Pages"
 };
 
@@ -46,6 +47,7 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Heroku]: AppConnection.Heroku,
   [SecretSync.Render]: AppConnection.Render,
   [SecretSync.Flyio]: AppConnection.Flyio,
+  [SecretSync.GitLab]: AppConnection.GitLab,
   [SecretSync.CloudflarePages]: AppConnection.Cloudflare
 };
 
@@ -70,5 +72,6 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.Heroku]: SecretSyncPlanType.Regular,
   [SecretSync.Render]: SecretSyncPlanType.Regular,
   [SecretSync.Flyio]: SecretSyncPlanType.Regular,
+  [SecretSync.GitLab]: SecretSyncPlanType.Regular,
   [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular
 };

backend/src/services/secret-sync/secret-sync-types.ts

@@ -72,8 +72,15 @@ import {
   TAzureKeyVaultSyncListItem,
   TAzureKeyVaultSyncWithCredentials
 } from "./azure-key-vault";
+import {
+  TCloudflarePagesSync,
+  TCloudflarePagesSyncInput,
+  TCloudflarePagesSyncListItem,
+  TCloudflarePagesSyncWithCredentials
+} from "./cloudflare-pages/cloudflare-pages-types";
 import { TFlyioSync, TFlyioSyncInput, TFlyioSyncListItem, TFlyioSyncWithCredentials } from "./flyio/flyio-sync-types";
 import { TGcpSync, TGcpSyncInput, TGcpSyncListItem, TGcpSyncWithCredentials } from "./gcp";
+import { TGitLabSync, TGitLabSyncInput, TGitLabSyncListItem, TGitLabSyncWithCredentials } from "./gitlab";
 import {
   THCVaultSync,
   THCVaultSyncInput,
@@ -106,12 +113,6 @@ import {
   TTerraformCloudSyncWithCredentials
 } from "./terraform-cloud";
 import { TVercelSync, TVercelSyncInput, TVercelSyncListItem, TVercelSyncWithCredentials } from "./vercel";
-import {
-  TCloudflarePagesSync,
-  TCloudflarePagesSyncInput,
-  TCloudflarePagesSyncListItem,
-  TCloudflarePagesSyncWithCredentials
-} from "./cloudflare-pages/cloudflare-pages-types";
 
 export type TSecretSync =
   | TAwsParameterStoreSync
@@ -134,6 +135,7 @@ export type TSecretSync =
   | THerokuSync
   | TRenderSync
   | TFlyioSync
+  | TGitLabSync
   | TCloudflarePagesSync;
 
 export type TSecretSyncWithCredentials =
@@ -157,6 +159,7 @@ export type TSecretSyncWithCredentials =
   | THerokuSyncWithCredentials
   | TRenderSyncWithCredentials
   | TFlyioSyncWithCredentials
+  | TGitLabSyncWithCredentials
   | TCloudflarePagesSyncWithCredentials;
 
 export type TSecretSyncInput =
@@ -180,6 +183,7 @@ export type TSecretSyncInput =
   | THerokuSyncInput
   | TRenderSyncInput
   | TFlyioSyncInput
+  | TGitLabSyncInput
   | TCloudflarePagesSyncInput;
 
 export type TSecretSyncListItem =
@@ -203,6 +207,7 @@ export type TSecretSyncListItem =
   | THerokuSyncListItem
   | TRenderSyncListItem
   | TFlyioSyncListItem
+  | TGitLabSyncListItem
   | TCloudflarePagesSyncListItem;
 
 export type TSyncOptionsConfig = {

docs/api-reference/endpoints/app-connections/gitlab/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/gitlab/available"
+---

docs/api-reference/endpoints/app-connections/gitlab/create.mdx

@@ -0,0 +1,10 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/gitlab"
+---
+
+<Note>
+    Gitlab OAuth Connections must be created through the Infisical UI.
+    Check out the configuration docs for [Gitlab OAuth Connections](/integrations/app-connections/gitlab) for a step-by-step
+    guide.
+</Note>

docs/api-reference/endpoints/app-connections/gitlab/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/gitlab/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/gitlab/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/gitlab/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/gitlab/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/gitlab/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/gitlab/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/gitlab"
+---

docs/api-reference/endpoints/app-connections/gitlab/update.mdx

@@ -0,0 +1,10 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/gitlab/{connectionId}"
+---
+
+<Note>
+    Gitlab OAuth Connections must be updated through the Infisical UI.
+    Check out the configuration docs for [Gitlab OAuth Connections](/integrations/app-connections/gitlab) for a step-by-step
+    guide.
+</Note>

docs/api-reference/endpoints/secret-syncs/gitlab/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/gitlab"
+---

docs/api-reference/endpoints/secret-syncs/gitlab/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/gitlab/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/gitlab/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/gitlab/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/gitlab/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/gitlab/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/gitlab/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/gitlab"
+---

docs/api-reference/endpoints/secret-syncs/gitlab/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/gitlab/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/gitlab/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/gitlab/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/gitlab/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/gitlab/{syncId}"
+---

docs/docs.json

@@ -475,6 +475,7 @@
                   "integrations/app-connections/gcp",
                   "integrations/app-connections/github",
                   "integrations/app-connections/github-radar",
+                  "integrations/app-connections/gitlab",
                   "integrations/app-connections/hashicorp-vault",
                   "integrations/app-connections/heroku",
                   "integrations/app-connections/humanitec",
@@ -512,6 +513,7 @@
                   "integrations/secret-syncs/flyio",
                   "integrations/secret-syncs/gcp-secret-manager",
                   "integrations/secret-syncs/github",
+                  "integrations/secret-syncs/gitlab",
                   "integrations/secret-syncs/hashicorp-vault",
                   "integrations/secret-syncs/heroku",
                   "integrations/secret-syncs/humanitec",
@@ -1317,6 +1319,18 @@
                       "api-reference/endpoints/app-connections/github/delete"
                     ]
                   },
+                  {
+                    "group": "GitLab",
+                    "pages": [
+                      "api-reference/endpoints/app-connections/gitlab/list",
+                      "api-reference/endpoints/app-connections/gitlab/available",
+                      "api-reference/endpoints/app-connections/gitlab/get-by-id",
+                      "api-reference/endpoints/app-connections/gitlab/get-by-name",
+                      "api-reference/endpoints/app-connections/gitlab/create",
+                      "api-reference/endpoints/app-connections/gitlab/update",
+                      "api-reference/endpoints/app-connections/gitlab/delete"
+                    ]
+                  },
                   {
                     "group": "GitHub Radar",
                     "pages": [
@@ -1667,6 +1681,19 @@
                       "api-reference/endpoints/secret-syncs/github/remove-secrets"
                     ]
                   },
+                  {
+                    "group": "GitLab",
+                    "pages": [
+                      "api-reference/endpoints/secret-syncs/gitlab/list",
+                      "api-reference/endpoints/secret-syncs/gitlab/get-by-id",
+                      "api-reference/endpoints/secret-syncs/gitlab/get-by-name",
+                      "api-reference/endpoints/secret-syncs/gitlab/create",
+                      "api-reference/endpoints/secret-syncs/gitlab/update",
+                      "api-reference/endpoints/secret-syncs/gitlab/delete",
+                      "api-reference/endpoints/secret-syncs/gitlab/sync-secrets",
+                      "api-reference/endpoints/secret-syncs/gitlab/remove-secrets"
+                    ]
+                  },
                   {
                     "group": "Hashicorp Vault",
                     "pages": [
@@ -2018,7 +2045,7 @@
         "tab": "SDKs",
         "groups": [
           {
-            "group": "",
+            "group": "Overview",
             "pages": ["sdks/overview"]
           },
           {
@@ -2038,7 +2065,7 @@
         "tab": "Changelog",
         "groups": [
           {
-            "group": "",
+            "group": "Overview",
             "pages": ["changelog/overview"]
           }
         ]

docs/integrations/app-connections/gitlab.mdx

@@ -0,0 +1,192 @@
+---
+title: "GitLab Connection"
+description: "Learn how to configure a GitLab Connection for Infisical using OAuth or Access Token methods."
+---
+
+Infisical supports two methods for connecting to GitLab: **OAuth** and **Access Token**. Choose the method that best fits your setup and security requirements.
+
+<Tabs>
+  <Tab title="OAuth Method">
+    The OAuth method provides secure authentication through GitLab's OAuth flow.
+
+    <Accordion title="Self-Hosted Instance Setup">
+      Using the GitLab Connection with OAuth on a self-hosted instance of Infisical requires configuring an OAuth application in GitLab and registering your instance with it.
+
+      **Prerequisites:**
+      - A GitLab account with existing projects
+      - Self-hosted Infisical instance
+
+      <Steps>
+        <Step title="Create an OAuth application in GitLab">
+          Navigate to your user Settings > Applications to create a new GitLab application.
+
+          ![GitLab Dashboard](/images/app-connections/gitlab/gitlab-dashboard.png)
+          ![GitLab Applications Settings](/images/app-connections/gitlab/gitlab-applications.png)
+
+
+          Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/organization/app-connections/gitlab/oauth/callback`.
+
+          ![GitLab New Application Form](/images/app-connections/gitlab/gitlab-create-application-top.png)
+          ![GitLab New Application Form](/images/app-connections/gitlab/gitlab-create-application-bottom.png)
+
+          <Tip>
+            The domain you defined in the Redirect URI should be equivalent to the `SITE_URL` configured in your Infisical instance.
+          </Tip>
+
+          <Note>
+            If you have a GitLab group, you can create an OAuth application under it in your group Settings > Applications.
+          </Note>
+        </Step>
+        <Step title="Add your GitLab OAuth application credentials to Infisical">
+          Obtain the **Application ID** and **Secret** for your GitLab OAuth application.
+
+          ![GitLab Application Credentials](/images/app-connections/gitlab/gitlab-config-credentials.png)
+
+          Back in your Infisical instance, add two new environment variables for the credentials of your GitLab OAuth application:
+
+          - `INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID`: The **Application ID** of your GitLab OAuth application.
+          - `INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET`: The **Secret** of your GitLab OAuth application.
+
+          Once added, restart your Infisical instance and use the GitLab Connection.
+        </Step>
+      </Steps>
+    </Accordion>
+
+    ## Setup GitLab OAuth Connection in Infisical
+
+    <Steps>
+      <Step title="Navigate to App Connections">
+        Navigate to the **App Connections** tab on the **Organization Settings** page.
+        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+      </Step>
+      <Step title="Add Connection">
+        Select the **GitLab Connection** option from the connection options modal.
+        ![Select GitLab Connection](/images/app-connections/gitlab/select-gitlab-connection.png)
+      </Step>
+      <Step title="Choose OAuth Method">
+        Select the **OAuth** method and click **Connect to GitLab**.
+
+        ![Connect via GitLab OAuth](/images/app-connections/gitlab/create-gitlab-oauth-connection.png)
+      </Step>
+      <Step title="Grant Access">
+        You will be redirected to GitLab to grant Infisical access to your GitLab account. Once granted, you will be redirected back to Infisical's App Connections page.
+        ![GitLab Authorization](/images/app-connections/gitlab/gitlab-authorization-page.png)
+      </Step>
+      <Step title="Connection Created">
+        Your **GitLab Connection** is now available for use.
+        ![GitLab OAuth Connection](/images/app-connections/gitlab/gitlab-oauth-connection.png)
+      </Step>
+    </Steps>
+
+  </Tab>
+
+  <Tab title="Access Token Method">
+    The Access Token method uses a GitLab access token for authentication, providing a straightforward setup process.
+
+    ## Generate GitLab Access Token
+
+    <Tabs>
+      <Tab title="Personal Access Token">
+        Personal access tokens provide access to your GitLab account and all projects you have access to.
+
+        <Steps>
+          <Step title="Navigate to Access Tokens">
+            Log in to your GitLab account and navigate to User Settings > Access tokens. Click **Add new token** to create a new personal access token.
+
+            ![GitLab Personal Access Tokens](/images/app-connections/gitlab/gitlab-add-access-token.png)
+          </Step>
+          <Step title="Configure Token">
+            <Tabs>
+              <Tab title="Secret Sync">
+              For Secret Syncs, your token will require the ability to access the API:
+              Fill in the token details:
+              - **Token name**: A descriptive name for the token (e.g., "connection-token")
+              - **Expiration date**: Set an appropriate expiration date
+              - **Select scopes**: Choose the **api** scope for full API access
+
+              ![GitLab Personal Token Form](/images/app-connections/gitlab/gitlab-personal-access-token-form.png)
+              </Tab>
+            </Tabs>
+
+            <Info>
+              Personal Access Token connections require manual token rotation when your GitLab access token expires or is regenerated. Monitor your connection status and update the token as needed.
+            </Info>
+          </Step>
+          <Step title="Copy Token">
+            Copy the generated token immediately as it won't be shown again.
+
+            ![GitLab Personal Token Created](/images/app-connections/gitlab/gitlab-copy-token.png)
+
+            <Warning>
+              Keep your access token secure and do not share it. Anyone with access to this token can access your GitLab account and projects.
+            </Warning>
+          </Step>
+        </Steps>
+      </Tab>
+
+      <Tab title="Project Access Token">
+        Project access tokens provide access to a specific GitLab project, offering more granular control.
+
+        <Steps>
+          <Step title="Navigate to Project Settings">
+            Go to your GitLab project and navigate to Settings > Access Tokens. Click **Add new token** to create a new project access token.
+
+            ![GitLab Project Access Tokens](/images/app-connections/gitlab/gitlab-project-access-token-list.png)
+          </Step>
+          <Step title="Configure Token">
+            <Tabs>
+            <Tab title="Secret Sync">
+                  For Secret Syncs, your token will require the ability to access the API and be at least an **Owner**:
+                  Fill in the token details:
+                  - **Token name**: A descriptive name for the token
+                  - **Expiration date**: Set an appropriate expiration date
+                  - **Select role**: Choose **Owner** or higher role
+                  - **Select scopes**: Choose the **api** scope for API access
+
+                  ![GitLab Create Project Token](/images/app-connections/gitlab/gitlab-project-access-token-form.png)
+              </Tab>
+            </Tabs>
+
+            <Info>
+              Project Access Token connections require manual token rotation when your GitLab access token expires or is regenerated. Monitor your connection status and update the token as needed.
+            </Info>
+          </Step>
+          <Step title="Copy Token">
+            Copy the generated token immediately as it won't be shown again.
+
+            ![GitLab Project Token Form](/images/app-connections/gitlab/gitlab-project-access-token-created.png)
+
+            <Warning>
+              Keep your access token secure and do not share it. Anyone with access to this token can access your GitLab account and projects.
+            </Warning>
+          </Step>
+        </Steps>
+      </Tab>
+    </Tabs>
+
+    ## Setup GitLab Access Token Connection in Infisical
+
+    <Steps>
+      <Step title="Navigate to App Connections">
+        Navigate to the **App Connections** tab on the **Organization Settings** page.
+        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+      </Step>
+      <Step title="Add Connection">
+        Select the **GitLab Connection** option from the connection options modal.
+        ![Select GitLab Connection](/images/app-connections/gitlab/select-gitlab-connection.png)
+      </Step>
+      <Step title="Configure Access Token">
+        Select the **Access Token** method, paste your GitLab access token in the provided field, and select the appropriate token type.
+
+        ![Configure Access Token](/images/app-connections/gitlab/create-gitlab-access-token-connection.png)
+
+        Click **Connect** to establish the connection.
+      </Step>
+      <Step title="Connection Created">
+        Your **GitLab Connection** is now available for use.
+        ![GitLab Access Token Connection](/images/app-connections/gitlab/gitlab-access-token-connection.png)
+      </Step>
+    </Steps>
+
+  </Tab>
+</Tabs>

docs/integrations/app-connections/heroku.mdx

@@ -1,6 +1,6 @@
 ---
-title: "Heroku App Connection"
+title: "Heroku Connection"
-description: "Learn how to configure a Heroku App Connection for Infisical using OAuth or Auth Token methods."
+description: "Learn how to configure a Heroku Connection for Infisical using OAuth or Auth Token methods."
 ---
 
 Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth Token**. Choose the method that best fits your setup and security requirements.
@@ -10,7 +10,7 @@ Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth To
     The OAuth method provides secure authentication through Heroku's OAuth flow.
 
     <Accordion title="Self-Hosted Instance Setup">
-      Using the Heroku App Connection with OAuth on a self-hosted instance of Infisical requires configuring an API client in Heroku and registering your instance with it.
+      Using the Heroku Connection with OAuth on a self-hosted instance of Infisical requires configuring an API client in Heroku and registering your instance with it.
 
       **Prerequisites:**
       - A Heroku account with existing applications
@@ -42,7 +42,7 @@ Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth To
           - `CLIENT_ID_HEROKU`: The **Client ID** of your Heroku API client.
           - `CLIENT_SECRET_HEROKU`: The **Client Secret** of your Heroku API client.
 
-          Once added, restart your Infisical instance and use the Heroku App Connection.
+          Once added, restart your Infisical instance and use the Heroku Connection.
         </Step>
       </Steps>
     </Accordion>
@@ -55,7 +55,7 @@ Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth To
         ![App Connections Tab](/images/app-connections/general/add-connection.png)
       </Step>
       <Step title="Add Connection">
-        Select the **Heroku App Connection** option from the connection options modal.
+        Select the **Heroku Connection** option from the connection options modal.
         ![Select Heroku Connection](/images/app-connections/heroku/heroku-select-connection.png)
       </Step>
       <Step title="Choose OAuth Method">
@@ -68,7 +68,7 @@ Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth To
         ![Heroku Authorization](/images/integrations/heroku/integrations-heroku-auth.png)
       </Step>
       <Step title="Connection Created">
-        Your **Heroku App Connection** is now available for use.
+        Your **Heroku Connection** is now available for use.
         ![Heroku OAuth Connection](/images/app-connections/heroku/heroku-connection.png)
       </Step>
     </Steps>
@@ -97,7 +97,7 @@ Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth To
         ![App Connections Tab](/images/app-connections/general/add-connection.png)
       </Step>
       <Step title="Add Connection">
-        Select the **Heroku App Connection** option from the connection options modal.
+        Select the **Heroku Connection** option from the connection options modal.
         ![Select Heroku Connection](/images/app-connections/heroku/heroku-select-connection.png)
       </Step>
       <Step title="Configure Auth Token">
@@ -108,7 +108,7 @@ Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth To
         Click **Connect** to establish the connection.
       </Step>
       <Step title="Connection Created">
-        Your **Heroku App Connection** is now available for use.
+        Your **Heroku Connection** is now available for use.
         ![Heroku Auth Token Connection](/images/app-connections/heroku/heroku-connection.png)
       </Step>
     </Steps>

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -148,3 +148,11 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
         ```
     </Tab>
 </Tabs>
+
+## FAQ
+
+<AccordionGroup>
+    <Accordion title="What's the relationship between 'path' and 'key schema'?">
+        The path is required and will be prepended to the key schema. For example, if you have a path of `/demo/path/` and a key schema of `INFISICAL_{{secretKey}}`, then the result will be `/demo/path/INFISICAL_{{secretKey}}`.
+    </Accordion>
+</AccordionGroup>

docs/integrations/secret-syncs/gitlab.mdx

@@ -0,0 +1,180 @@
+---
+title: "GitLab Sync"
+description: "Learn how to configure a GitLab Sync for Infisical."
+---
+
+**Prerequisites:**
+
+    - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
+    - Create a [GitLab Connection](/integrations/app-connections/gitlab)
+
+<Tabs>
+    <Tab title="Infisical UI">
+        1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+        ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+
+        2. Select the **GitLab** option.
+        ![Select GitLab](/images/secret-syncs/gitlab/gitlab-secret-sync-option.png)
+
+        3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
+        ![Configure Source](/images/secret-syncs/gitlab/gitlab-secret-sync-source.png)
+
+            - **Environment**: The project environment to retrieve secrets from.
+            - **Secret Path**: The folder path to retrieve secrets from.
+
+        <Tip>
+            If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+        </Tip>
+
+        4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
+        ![Configure Destination](/images/secret-syncs/gitlab/gitlab-secret-sync-destination.png)
+
+            - **GitLab Connection**: The GitLab Connection to authenticate with.
+            - **Scope**: The GitLab scope to sync secrets to.
+                - **Project**: Sync secrets to a GitLab project.
+                - **Group**: Sync secrets to a GitLab group.
+            <p class="height:1px"  />
+            The remaining fields are determined by the selected **Scope**:
+            <AccordionGroup>
+                <Accordion title="Project">
+                    - **GitLab Project**: The project to deploy secrets to.
+                    - **GitLab Environment Scope**: The environment scope to deploy secrets to (optional, defaults to "*" for all environments).
+                    - **Mark secrets as Protected**: If enabled, synced secrets will be marked as protected in GitLab.
+                    - **Mark secrets as Masked**: If enabled, synced secrets will be masked in GitLab CI/CD logs.
+                    - **Mark secrets as Hidden**: If enabled, synced secrets will be hidden from the GitLab UI.
+                </Accordion>
+                <Accordion title="Group">
+                    - **GitLab Group**: The group to deploy secrets to.
+                    - **GitLab Environment Scope**: The environment scope to deploy secrets to (optional, defaults to "*" for all environments).
+                    - **Mark secrets as Protected**: If enabled, synced secrets will be marked as protected in GitLab.
+                    - **Mark secrets as Masked**: If enabled, synced secrets will be masked in GitLab CI/CD logs.
+                    - **Mark secrets as Hidden**: If enabled, synced secrets will be hidden from the GitLab UI.
+                </Accordion>
+            </AccordionGroup>
+            <Note>
+                Be aware that GitLab only allows to mark secrets as hidden for new secrets. If you try to mark an existing secret as hidden, it produces an error.
+            </Note>
+            <Warning>
+                If you enable **Mark secrets as Hidden**, Infisical will not be able to unhide/unmask secrets from the sync destination if you disable the option later. This is because GitLab does not allow to unhide/unmask existing secrets.
+            </Warning>
+
+        5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+        ![Configure Options](/images/secret-syncs/gitlab/gitlab-secret-sync-options.png)
+
+            - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+                - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+                <Note>
+                    GitLab does not support importing secrets.
+                </Note>
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
+            - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
+
+        6. Configure the **Details** of your GitLab Sync, then click **Next**.
+        ![Configure Details](/images/secret-syncs/gitlab/gitlab-secret-sync-details.png)
+
+            - **Name**: The name of your sync. Must be slug-friendly.
+            - **Description**: An optional description for your sync.
+
+        7. Review your GitLab Sync configuration, then click **Create Sync**.
+        ![Confirm Configuration](/images/secret-syncs/gitlab/gitlab-secret-sync-review.png)
+
+        8. If enabled, your GitLab Sync will begin syncing your secrets to the destination endpoint.
+        ![Sync Secrets](/images/secret-syncs/gitlab/gitlab-secret-sync-created.png)
+
+    </Tab>
+    <Tab title="API">
+        To create a **GitLab Sync**, make an API request to the [Create GitLab Sync](/api-reference/endpoints/secret-syncs/gitlab/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+        --url https://app.infisical.com/api/v1/secret-syncs/gitlab \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "name": "my-gitlab-sync",
+            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "description": "an example sync",
+            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "environment": "dev",
+            "secretPath": "/my-secrets",
+            "isEnabled": true,
+            "syncOptions": {
+                "initialSyncBehavior": "overwrite-destination"
+            },
+            "destinationConfig": {
+                "scope": "project",
+                "projectId": "70998370",
+                "projectName": "test",
+                "targetEnvironment": "*",
+                "shouldProtectSecrets": true,
+                "shouldMaskSecrets": true,
+                "shouldHideSecrets": false
+            }
+        }'
+        ```
+
+        ### Sample response
+
+        ```bash Response
+        {
+            "secretSync": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-gitlab-sync",
+                "description": "an example sync",
+                "isEnabled": true,
+                "version": 1,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "syncStatus": "succeeded",
+                "lastSyncJobId": "123",
+                "lastSyncMessage": null,
+                "lastSyncedAt": "2023-11-07T05:31:56Z",
+                "importStatus": null,
+                "lastImportJobId": null,
+                "lastImportMessage": null,
+                "lastImportedAt": null,
+                "removeStatus": null,
+                "lastRemoveJobId": null,
+                "lastRemoveMessage": null,
+                "lastRemovedAt": null,
+                "syncOptions": {
+                    "initialSyncBehavior": "overwrite-destination"
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connection": {
+                    "app": "gitlab",
+                    "name": "my-gitlab-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/my-secrets"
+                },
+                "destination": "gitlab",
+                "destinationConfig": {
+                    "scope": "project",
+                    "projectId": "70998370",
+                    "projectName": "test",
+                    "targetEnvironment": "*",
+                    "shouldProtectSecrets": true,
+                    "shouldMaskSecrets": true,
+                    "shouldHideSecrets": false
+                }
+            }
+        }
+        ```
+    </Tab>
+
+</Tabs>

docs/integrations/secret-syncs/heroku.mdx

@@ -6,7 +6,7 @@ description: "Learn how to configure a Heroku Sync for Infisical."
 **Prerequisites:**
 
 - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
-- Create a [Heroku App Connection](/integrations/app-connections/heroku)
+- Create a [Heroku Connection](/integrations/app-connections/heroku)
 
 <Tabs>
     <Tab title="Infisical UI">
@@ -29,7 +29,7 @@ description: "Learn how to configure a Heroku Sync for Infisical."
         4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
         ![Configure Destination](/images/secret-syncs/heroku/heroku-destination.png)
 
-            - **Heroku App Connection**: The Heroku App Connection to authenticate with.
+            - **Heroku Connection**: The Heroku Connection to authenticate with.
             - **Heroku App**: The Heroku application to sync secrets to.
 
         5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.

docs/sdks/languages/java.mdx

@@ -1,7 +1,7 @@
 ---
 title: "Infisical Java SDK"
 sidebarTitle: "Java"
-url: "https://github.com/Infisical/java-sdk?tab=readme-ov-file#infisical-nodejs-sdk"
+url: "https://github.com/Infisical/java-sdk?tab=readme-ov-file#infisical-java-sdk"
 icon: "java"
 ---
 

docs/sdks/languages/node.mdx

@@ -1,7 +1,7 @@
 ---
 title: "Infisical Node.js SDK"
 sidebarTitle: "Node.js"
-url: "https://github.com/Infisical/node-sdk-v2"
+url: "https://github.com/Infisical/node-sdk-v2?tab=readme-ov-file#infisical-nodejs-sdk"
 icon: "node"
 ---
 

docs/sdks/languages/python.mdx

@@ -43,7 +43,7 @@ def hello_world():
 This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named "NAME" and responds to requests with a greeting that includes the secret value.
 
 <Warning>
-	We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
+  We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
 </Warning>
 
 ## Installation
@@ -314,32 +314,32 @@ By default, `getSecret()` fetches and returns a shared secret. If not found, it
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-	<Expandable title="properties">
+  <Expandable title="properties">
-		<ParamField query="secret_name" type="string" required>
+    <ParamField query="secret_name" type="string" required>
-			The key of the secret to retrieve
+      The key of the secret to retrieve
-		</ParamField>
+    </ParamField>
     <ParamField query="include_imports" type="boolean">
           Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
     </ParamField>
-		<ParamField query="environment" type="string" required>
+    <ParamField query="environment" type="string" required>
-			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+      The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-		</ParamField>
+    </ParamField>
-		<ParamField query="project_id" type="string" required>
+    <ParamField query="project_id" type="string" required>
-			The project ID where the secret lives in.
+      The project ID where the secret lives in.
-		</ParamField>
+    </ParamField>
-		<ParamField query="path" type="string" optional>
+    <ParamField query="path" type="string" optional>
-			The path from where secret should be fetched from.
+      The path from where secret should be fetched from.
-		</ParamField>
+    </ParamField>
-		<ParamField query="type" type="string" optional>
+    <ParamField query="type" type="string" optional>
-			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".
+      The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".
-		</ParamField>
+    </ParamField>
-		<ParamField query="include_imports" type="boolean" default="false" optional>
+    <ParamField query="include_imports" type="boolean" default="false" optional>
-			Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+      Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
-		</ParamField>
+    </ParamField>
     <ParamField query="expand_secret_references" type="boolean" default="true" optional>
       Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
     </ParamField>
-	</Expandable>
+  </Expandable>
 </ParamField>
 
 ### client.createSecret(options)
@@ -358,26 +358,26 @@ Create a new secret in Infisical.
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-	<Expandable title="properties">
+  <Expandable title="properties">
-		<ParamField query="secret_name" type="string" required>
+    <ParamField query="secret_name" type="string" required>
-			The key of the secret to create.
+      The key of the secret to create.
-		</ParamField>
+    </ParamField>
-		<ParamField query="secret_value" type="string" required>
+    <ParamField query="secret_value" type="string" required>
-			The value of the secret.
+      The value of the secret.
-		</ParamField>
+    </ParamField>
-		<ParamField query="project_id" type="string" required>
+    <ParamField query="project_id" type="string" required>
-			The project ID where the secret lives in.
+      The project ID where the secret lives in.
-		</ParamField>
+    </ParamField>
-		<ParamField query="environment" type="string" required>
+    <ParamField query="environment" type="string" required>
-			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+      The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-		</ParamField>
+    </ParamField>
-		<ParamField query="path" type="string" optional>
+    <ParamField query="path" type="string" optional>
-			The path from where secret should be created.
+      The path from where secret should be created.
-		</ParamField>
+    </ParamField>
-		<ParamField query="type" type="string" optional>
+    <ParamField query="type" type="string" optional>
-			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+      The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-		</ParamField>
+    </ParamField>
-	</Expandable>
+  </Expandable>
 </ParamField>
 
 ### client.updateSecret(options)
@@ -396,26 +396,26 @@ Update an existing secret in Infisical.
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-	<Expandable title="properties">
+  <Expandable title="properties">
-		<ParamField query="secret_name" type="string" required>
+    <ParamField query="secret_name" type="string" required>
-			The key of the secret to update.
+      The key of the secret to update.
-		</ParamField>
+    </ParamField>
-		<ParamField query="secret_value" type="string" required>
+    <ParamField query="secret_value" type="string" required>
-			The new value of the secret.
+      The new value of the secret.
-		</ParamField>
+    </ParamField>
-		<ParamField query="project_id" type="string" required>
+    <ParamField query="project_id" type="string" required>
-			The project ID where the secret lives in.
+      The project ID where the secret lives in.
-		</ParamField>
+    </ParamField>
-		<ParamField query="environment" type="string" required>
+    <ParamField query="environment" type="string" required>
-			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+      The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-		</ParamField>
+    </ParamField>
-		<ParamField query="path" type="string" optional>
+    <ParamField query="path" type="string" optional>
-			The path from where secret should be updated.
+      The path from where secret should be updated.
-		</ParamField>
+    </ParamField>
-		<ParamField query="type" type="string" optional>
+    <ParamField query="type" type="string" optional>
-			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+      The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-		</ParamField>
+    </ParamField>
-	</Expandable>
+  </Expandable>
 </ParamField>
 
 ### client.deleteSecret(options)
@@ -433,23 +433,23 @@ Delete a secret in Infisical.
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-	<Expandable title="properties">
+  <Expandable title="properties">
-		<ParamField query="secret_name" type="string">
+    <ParamField query="secret_name" type="string">
-			The key of the secret to update.
+      The key of the secret to update.
-		</ParamField>
+    </ParamField>
-		<ParamField query="project_id" type="string" required>
+    <ParamField query="project_id" type="string" required>
-			The project ID where the secret lives in.
+      The project ID where the secret lives in.
-		</ParamField>
+    </ParamField>
-		<ParamField query="environment" type="string" required>
+    <ParamField query="environment" type="string" required>
-			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+      The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-		</ParamField>
+    </ParamField>
-		<ParamField query="path" type="string" optional>
+    <ParamField query="path" type="string" optional>
-			The path from where secret should be deleted.
+      The path from where secret should be deleted.
-		</ParamField>
+    </ParamField>
-		<ParamField query="type" type="string" optional>
+    <ParamField query="type" type="string" optional>
-			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+      The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-		</ParamField>
+    </ParamField>
-	</Expandable>
+  </Expandable>
 </ParamField>
 
 ## Cryptography
@@ -480,14 +480,14 @@ encryptedData = client.encryptSymmetric(encryptOptions)
 #### Parameters
 
 <ParamField query="Parameters" type="object" required>
-	<Expandable title="properties">
+  <Expandable title="properties">
-		<ParamField query="plaintext" type="string">
+    <ParamField query="plaintext" type="string">
-			The plaintext you want to encrypt.
+      The plaintext you want to encrypt.
-		</ParamField>
+    </ParamField>
-		<ParamField query="key" type="string" required>
+    <ParamField query="key" type="string" required>
-			The symmetric key to use for encryption.
+      The symmetric key to use for encryption.
-		</ParamField>
+    </ParamField>
-	</Expandable>
+  </Expandable>
 </ParamField>
 
 #### Returns (object)
@@ -512,20 +512,20 @@ decryptedString = client.decryptSymmetric(decryptOptions)
 #### Parameters
 
 <ParamField query="Parameters" type="object" required>
-	<Expandable title="properties">
+  <Expandable title="properties">
-		<ParamField query="ciphertext" type="string">
+    <ParamField query="ciphertext" type="string">
-			The ciphertext you want to decrypt.
+      The ciphertext you want to decrypt.
-		</ParamField>
+    </ParamField>
-		<ParamField query="key" type="string" required>
+    <ParamField query="key" type="string" required>
-			The symmetric key to use for encryption.
+      The symmetric key to use for encryption.
-		</ParamField>
+    </ParamField>
-		<ParamField query="iv" type="string" required>
+    <ParamField query="iv" type="string" required>
-			The initialization vector to use for decryption.
+      The initialization vector to use for decryption.
-		</ParamField>
+    </ParamField>
-		<ParamField query="tag" type="string" required>
+    <ParamField query="tag" type="string" required>
-			The authentication tag to use for decryption.
+      The authentication tag to use for decryption.
-		</ParamField>
+    </ParamField>
-	</Expandable>
+  </Expandable>
 </ParamField>
 
 #### Returns (string)

docs/sdks/overview.mdx

@@ -10,24 +10,23 @@ From local development to production, Infisical SDKs provide the easiest way for
 -   Fetch secrets on demand
 
 <CardGroup cols={2}>
-    <Card title="Node" href="https://github.com/Infisical/node-sdk-v2" icon="node" color="#68a063">
+    <Card title="Node.js" href="https://github.com/Infisical/node-sdk-v2?tab=readme-ov-file#infisical-nodejs-sdk" icon="node" color="#68a063">
-        Manage secrets for your Node application on demand
+      Manage secrets for your Node application on demand
     </Card>
-    <Card href="https://github.com/Infisical/python-sdk-official" title="Python" icon="python" color="#4c8abe">
+    <Card href="https://github.com/Infisical/python-sdk-official?tab=readme-ov-file#infisical-python-sdk" title="Python" icon="python" color="#4c8abe">
-        Manage secrets for your Python application on demand
+      Manage secrets for your Python application on demand
     </Card>
-    <Card href="https://github.com/Infisical/java-sdk?tab=readme-ov-file#infisical-nodejs-sdk" title="Java" icon="java" color="#e41f23">
+    <Card href="https://github.com/Infisical/java-sdk?tab=readme-ov-file#infisical-java-sdk" title="Java" icon="java" color="#e41f23">
-        Manage secrets for your Java application on demand
+      Manage secrets for your Java application on demand
     </Card>
     <Card href="/sdks/languages/go" title="Go" icon="golang" color="#367B99">
-        Manage secrets for your Go application on demand
+      Manage secrets for your Go application on demand
     </Card>
-    <Card href="/sdks/languages/csharp" title="C#" icon="bars" color="#368833">
+    <Card href="https://github.com/Infisical/infisical-dotnet-sdk?tab=readme-ov-file#infisical-net-sdk" title=".NET" icon="bars" color="#368833">
-        Manage secrets for your C#/.NET application on demand
+      Manage secrets for your .NET application on demand
     </Card>
-
+    <Card href="/sdks/languages/ruby" title="Ruby" icon="diamond" color="#367B99">
-      <Card href="/sdks/languages/ruby" title="Ruby" icon="diamond" color="#367B99">
+      Manage secrets for your Ruby application on demand
-        Manage secrets for your Ruby application on demand
     </Card>
 </CardGroup>
 

docs/self-hosting/configuration/envars.mdx

@@ -590,6 +590,17 @@ You can configure third-party app connections for re-use across Infisical Projec
 
 </Accordion>
 
+<Accordion title="GitLab OAuth Connection">
+    <ParamField query="INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID" type="string" default="none" optional>
+        The Application ID of your GitLab OAuth application.
+    </ParamField>
+
+    <ParamField query="INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET" type="string" default="none" optional>
+        The Secret of your GitLab OAuth application.
+    </ParamField>
+
+</Accordion>
+
 ## Native Secret Integrations
 
 To help you sync secrets from Infisical to services such as Github and Gitlab, Infisical provides native integrations out of the box.

frontend/src/components/permissions/AccessTree/AccessTree.tsx

@@ -2,10 +2,9 @@ import { useCallback, useEffect, useState } from "react";
 import { MongoAbility, MongoQuery } from "@casl/ability";
 import {
   faAnglesUp,
-  faArrowUpRightFromSquare,
-  faDownLeftAndUpRightToCenter,
   faUpRightAndDownLeftFromCenter,
-  faWindowRestore
+  faWindowRestore,
+  faXmark
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import {
@@ -23,8 +22,8 @@ import {
 } from "@xyflow/react";
 import { twMerge } from "tailwind-merge";
 
-import { Button, IconButton, Spinner, Tooltip } from "@app/components/v2";
+import { Button, IconButton, Select, SelectItem, Spinner, Tooltip } from "@app/components/v2";
-import { ProjectPermissionSet } from "@app/context/ProjectPermissionContext";
+import { ProjectPermissionSet, ProjectPermissionSub } from "@app/context/ProjectPermissionContext";
 
 import { AccessTreeSecretPathInput } from "./nodes/FolderNode/components/AccessTreeSecretPathInput";
 import { ShowMoreButtonNode } from "./nodes/ShowMoreButtonNode";
@@ -36,15 +35,17 @@ import { ViewMode } from "./types";
 
 export type AccessTreeProps = {
   permissions: MongoAbility<ProjectPermissionSet, MongoQuery>;
+  subject: ProjectPermissionSub;
+  onClose: () => void;
 };
 
 const EdgeTypes = { base: BasePermissionEdge };
 
 const NodeTypes = { role: RoleNode, folder: FolderNode, showMoreButton: ShowMoreButtonNode };
 
-const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
+const AccessTreeContent = ({ permissions, subject, onClose }: AccessTreeProps) => {
   const [selectedPath, setSelectedPath] = useState<string>("/");
-  const accessTreeData = useAccessTree(permissions, selectedPath);
+  const accessTreeData = useAccessTree(permissions, selectedPath, subject);
   const { edges, nodes, isLoading, viewMode, setViewMode, environment } = accessTreeData;
   const [initialRender, setInitialRender] = useState(true);
 
@@ -78,32 +79,32 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
 
   useEffect(() => {
     setInitialRender(true);
-  }, [selectedPath, environment]);
+  }, [selectedPath, environment, subject, viewMode]);
 
   useEffect(() => {
     let timer: NodeJS.Timeout;
     if (initialRender) {
       timer = setTimeout(() => {
-        goToRootNode();
+        fitView({ duration: 500 });
         setInitialRender(false);
-      }, 500);
+      }, 50);
     }
     return () => clearTimeout(timer);
-  }, [nodes, edges, getViewport(), initialRender, goToRootNode]);
+  }, [nodes, edges, getViewport(), initialRender, fitView]);
 
   const handleToggleModalView = () =>
     setViewMode((prev) => (prev === ViewMode.Modal ? ViewMode.Docked : ViewMode.Modal));
 
-  const handleToggleUndockedView = () =>
+  const handleToggleView = () =>
-    setViewMode((prev) => (prev === ViewMode.Undocked ? ViewMode.Docked : ViewMode.Undocked));
+    setViewMode((prev) => (prev === ViewMode.Modal ? ViewMode.Undocked : ViewMode.Modal));
 
-  const undockButtonLabel = `${viewMode === ViewMode.Undocked ? "Dock" : "Undock"} View`;
+  const expandButtonLabel = viewMode === ViewMode.Modal ? "Anchor View" : "Expand View";
-  const windowButtonLabel = `${viewMode === ViewMode.Modal ? "Dock" : "Expand"} View`;
+  const hideButtonLabel = "Hide Access Tree";
 
   return (
     <div
       className={twMerge(
-        "w-full",
+        "mt-4 w-full",
         viewMode === ViewMode.Modal && "fixed inset-0 z-50 p-10",
         viewMode === ViewMode.Undocked &&
           "fixed bottom-4 left-20 z-50 h-[40%] w-[38%] min-w-[32rem] lg:w-[34%]"
@@ -130,7 +131,7 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
                 type="submit"
                 className="h-10 rounded-r-none bg-mineshaft-700"
                 leftIcon={<FontAwesomeIcon icon={faWindowRestore} />}
-                onClick={handleToggleUndockedView}
+                onClick={handleToggleView}
               >
                 Undock
               </Button>
@@ -176,48 +177,62 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
                   <Spinner />
                 </Panel>
               )}
+              {viewMode !== ViewMode.Undocked && (
+                <Panel position="top-left" className="flex gap-2">
+                  <Select
+                    value={environment}
+                    onValueChange={accessTreeData.setEnvironment}
+                    className="w-60"
+                    position="popper"
+                    dropdownContainerClassName="max-w-none"
+                    aria-label="Environment"
+                  >
+                    {Object.values(accessTreeData.environments).map((env) => (
+                      <SelectItem
+                        key={env.slug}
+                        value={env.slug}
+                        className="relative py-2 pl-6 pr-8 text-sm hover:bg-mineshaft-700"
+                      >
+                        <div className="ml-3 truncate font-medium">{env.name}</div>
+                      </SelectItem>
+                    ))}
+                  </Select>
+                  <AccessTreeSecretPathInput
+                    placeholder="Provide a path, default is /"
+                    environment={environment}
+                    value={selectedPath}
+                    onChange={setSelectedPath}
+                  />
+                </Panel>
+              )}
               {viewMode !== ViewMode.Docked && (
-                <Panel position="top-right" className="flex gap-1.5">
+                <Panel position="top-right" className="flex gap-2">
-                  {viewMode !== ViewMode.Undocked && (
+                  <Tooltip position="bottom" align="center" content={expandButtonLabel}>
-                    <AccessTreeSecretPathInput
-                      placeholder="Provide a path, default is /"
-                      environment={environment}
-                      value={selectedPath}
-                      onChange={setSelectedPath}
-                    />
-                  )}
-                  <Tooltip position="bottom" align="center" content={undockButtonLabel}>
                     <IconButton
-                      className="ml-1 w-10 rounded"
+                      className="rounded p-2"
                       colorSchema="secondary"
                       variant="plain"
-                      onClick={handleToggleUndockedView}
+                      onClick={handleToggleView}
-                      ariaLabel={undockButtonLabel}
+                      ariaLabel={expandButtonLabel}
                     >
                       <FontAwesomeIcon
                         icon={
                           viewMode === ViewMode.Undocked
-                            ? faArrowUpRightFromSquare
+                            ? faUpRightAndDownLeftFromCenter
                             : faWindowRestore
                         }
                       />
                     </IconButton>
                   </Tooltip>
-                  <Tooltip align="end" position="bottom" content={windowButtonLabel}>
+                  <Tooltip align="end" position="bottom" content={hideButtonLabel}>
                     <IconButton
-                      className="w-10 rounded"
+                      className="rounded p-2"
                       colorSchema="secondary"
                       variant="plain"
-                      onClick={handleToggleModalView}
+                      onClick={onClose}
-                      ariaLabel={windowButtonLabel}
+                      ariaLabel={hideButtonLabel}
                     >
-                      <FontAwesomeIcon
+                      <FontAwesomeIcon icon={faXmark} />
-                        icon={
-                          viewMode === ViewMode.Modal
-                            ? faDownLeftAndUpRightToCenter
-                            : faUpRightAndDownLeftFromCenter
-                        }
-                      />
                     </IconButton>
                   </Tooltip>
                 </Panel>
@@ -253,6 +268,9 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
 };
 
 export const AccessTree = (props: AccessTreeProps) => {
+  const { subject } = props;
+  if (!subject) return null;
+
   return (
     <AccessTreeErrorBoundary {...props}>
       <AccessTreeProvider>

frontend/src/components/permissions/AccessTree/components/AccessTreeContext.tsx

@@ -29,7 +29,7 @@ export type AccessTreeForm = { metadata: { key: string; value: string }[] };
 export const AccessTreeProvider: React.FC<AccessTreeProviderProps> = ({ children }) => {
   const [secretName, setSecretName] = useState("");
   const formMethods = useForm<AccessTreeForm>({ defaultValues: { metadata: [] } });
-  const [viewMode, setViewMode] = useState(ViewMode.Docked);
+  const [viewMode, setViewMode] = useState(ViewMode.Modal);
 
   const value = useMemo(
     () => ({

frontend/src/components/permissions/AccessTree/hooks/index.ts

@@ -33,7 +33,8 @@ type LevelFolderMap = Record<
 
 export const useAccessTree = (
   permissions: MongoAbility<ProjectPermissionSet, MongoQuery>,
-  searchPath: string
+  searchPath: string,
+  subject: ProjectPermissionSub
 ) => {
   const { currentWorkspace } = useWorkspace();
   const { secretName, setSecretName, setViewMode, viewMode } = useAccessTreeContext();
@@ -41,7 +42,6 @@ export const useAccessTree = (
   const metadata = useWatch({ control, name: "metadata" });
   const [nodes, setNodes] = useNodesState<Node>([]);
   const [edges, setEdges] = useEdgesState<Edge>([]);
-  const [subject, setSubject] = useState(ProjectPermissionSub.Secrets);
   const [environment, setEnvironment] = useState(currentWorkspace.environments[0]?.slug ?? "");
   const { data: environmentsFolders, isPending } = useListProjectEnvironmentsFolders(
     currentWorkspace.id
@@ -147,9 +147,7 @@ export const useAccessTree = (
     const roleNode = createRoleNode({
       subject,
       environment: slug,
-      environments: environmentsFolders,
+      environments: environmentsFolders
-      onSubjectChange: setSubject,
-      onEnvironmentChange: setEnvironment
     });
 
     const actionRuleMap = getSubjectActionRuleMap(subject, permissions);
@@ -280,7 +278,6 @@ export const useAccessTree = (
     subject,
     environment,
     setEnvironment,
-    setSubject,
     isLoading: isPending,
     environments: currentWorkspace.environments,
     secretName,

frontend/src/components/permissions/AccessTree/nodes/FolderNode/components/AccessTreeSecretPathInput.tsx

@@ -81,7 +81,7 @@ export const AccessTreeSecretPathInput = ({
             <FontAwesomeIcon icon={faSearch} />
           </div>
         ) : (
-          <Tooltip position="bottom" content="Search paths">
+          <Tooltip position="bottom" content="Search Paths">
             <div
               className="flex h-10 w-10 cursor-pointer items-center justify-center text-mineshaft-300 hover:text-white"
               onClick={toggleSearch}

frontend/src/components/permissions/AccessTree/nodes/RoleNode.tsx

@@ -3,7 +3,6 @@ import { faFileImport, faFingerprint, faFolder, faKey } from "@fortawesome/free-
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Handle, NodeProps, Position } from "@xyflow/react";
 
-import { Select, SelectItem } from "@app/components/v2";
 import { ProjectPermissionSub } from "@app/context";
 import { TProjectEnvironmentsFolders } from "@app/hooks/api/secretFolders/types";
 
@@ -29,7 +28,7 @@ const formatLabel = (text: string) => {
 };
 
 export const RoleNode = ({
-  data: { subject, environment, onSubjectChange, onEnvironmentChange, environments }
+  data: { subject }
 }: NodeProps & {
   data: ReturnType<typeof createRoleNode>["data"] & {
     onSubjectChange: Dispatch<SetStateAction<ProjectPermissionSub>>;
@@ -44,61 +43,10 @@ export const RoleNode = ({
         className="pointer-events-none !cursor-pointer opacity-0"
         position={Position.Top}
       />
-      <div className="flex w-full flex-col items-center justify-center rounded-md border-2 border-mineshaft-500 bg-gradient-to-b from-mineshaft-700 to-mineshaft-800 px-5 py-4 font-inter shadow-2xl">
+      <div className="flex h-14 w-full flex-col items-center justify-center rounded-md border border-mineshaft bg-mineshaft-800 px-2 py-3 font-inter shadow-lg transition-opacity duration-500">
-        <div className="flex w-full min-w-[240px] flex-col gap-4">
+        <div className="flex items-center space-x-2 text-mineshaft-100">
-          <div className="flex w-full flex-col gap-1.5">
+          {getSubjectIcon(subject)}
-            <div className="ml-1 text-xs font-semibold text-mineshaft-200">Subject</div>
+          <span className="text-sm">{formatLabel(subject)} Access</span>
-            <Select
-              value={subject}
-              onValueChange={(value) => onSubjectChange(value as ProjectPermissionSub)}
-              className="w-full rounded-md border border-mineshaft-600 bg-mineshaft-900/90 text-sm shadow-inner backdrop-blur-sm transition-all hover:border-amber-600/50 focus:border-amber-500"
-              position="popper"
-              dropdownContainerClassName="max-w-none"
-              aria-label="Subject"
-            >
-              {[
-                ProjectPermissionSub.Secrets,
-                ProjectPermissionSub.SecretFolders,
-                ProjectPermissionSub.DynamicSecrets,
-                ProjectPermissionSub.SecretImports
-              ].map((sub) => {
-                return (
-                  <SelectItem
-                    className="relative flex items-center gap-2 py-2 pl-8 pr-8 text-sm capitalize hover:bg-mineshaft-700"
-                    value={sub}
-                    key={sub}
-                  >
-                    <div className="flex items-center gap-3">
-                      {getSubjectIcon(sub)}
-                      <span className="font-medium">{formatLabel(sub)}</span>
-                    </div>
-                  </SelectItem>
-                );
-              })}
-            </Select>
-          </div>
-
-          <div className="flex w-full flex-col gap-1.5">
-            <div className="ml-1 text-xs font-semibold text-mineshaft-200">Environment</div>
-            <Select
-              value={environment}
-              onValueChange={onEnvironmentChange}
-              className="w-full rounded-md border border-mineshaft-600 bg-mineshaft-900/90 text-sm shadow-inner backdrop-blur-sm transition-all hover:border-amber-600/50 focus:border-amber-500"
-              position="popper"
-              dropdownContainerClassName="max-w-none"
-              aria-label="Environment"
-            >
-              {Object.values(environments).map((env) => (
-                <SelectItem
-                  key={env.slug}
-                  value={env.slug}
-                  className="relative py-2 pl-6 pr-8 text-sm hover:bg-mineshaft-700"
-                >
-                  <div className="ml-3 font-medium">{env.name}</div>
-                </SelectItem>
-              ))}
-            </Select>
-          </div>
         </div>
       </div>
       <Handle

frontend/src/components/permissions/AccessTree/utils/createRoleNode.ts

@@ -1,5 +1,3 @@
-import { Dispatch, SetStateAction } from "react";
-
 import { ProjectPermissionSub } from "@app/context";
 import { TProjectEnvironmentsFolders } from "@app/hooks/api/secretFolders/types";
 
@@ -8,24 +6,18 @@ import { PermissionNode } from "../types";
 export const createRoleNode = ({
   subject,
   environment,
-  environments,
+  environments
-  onSubjectChange,
-  onEnvironmentChange
 }: {
-  subject: string;
+  subject: ProjectPermissionSub;
   environment: string;
   environments: TProjectEnvironmentsFolders;
-  onSubjectChange: Dispatch<SetStateAction<ProjectPermissionSub>>;
-  onEnvironmentChange: (value: string) => void;
 }) => ({
   id: `role-${subject}-${environment}`,
   position: { x: 0, y: 0 },
   data: {
     subject,
     environment,
-    environments,
+    environments
-    onSubjectChange,
-    onEnvironmentChange
   },
   type: PermissionNode.Role,
   height: 48,

frontend/src/components/permissions/AccessTree/utils/positionElements.ts

@@ -39,16 +39,6 @@ export const positionElements = (nodes: Node[], edges: Edge[]) => {
   const positionedNodes = nodes.map((node) => {
     const { x, y } = dagre.node(node.id);
 
-    if (node.type === "role") {
-      return {
-        ...node,
-        position: {
-          x: x - (node.width ? node.width / 2 : 0),
-          y: y - 150
-        }
-      };
-    }
-
     return {
       ...node,
       position: {

frontend/src/components/projects/ProjectSettings/components/ProjectTemplatesTab/components/EditProjectTemplateSection/components/ProjectTemplateEditRoleForm.tsx

@@ -173,17 +173,19 @@ export const ProjectTemplateEditRoleForm = ({
         <div className="p-4">
           <div className="mb-2 text-lg">Policies</div>
           <PermissionEmptyState />
-          {(Object.keys(PROJECT_PERMISSION_OBJECT) as ProjectPermissionSub[]).map((subject) => (
+          <div>
-            <GeneralPermissionPolicies
+            {(Object.keys(PROJECT_PERMISSION_OBJECT) as ProjectPermissionSub[]).map((subject) => (
-              subject={subject}
+              <GeneralPermissionPolicies
-              actions={PROJECT_PERMISSION_OBJECT[subject].actions}
+                subject={subject}
-              title={PROJECT_PERMISSION_OBJECT[subject].title}
+                actions={PROJECT_PERMISSION_OBJECT[subject].actions}
-              key={`project-permission-${subject}`}
+                title={PROJECT_PERMISSION_OBJECT[subject].title}
-              isDisabled={isDisabled}
+                key={`project-permission-${subject}`}
-            >
+                isDisabled={isDisabled}
-              {renderConditionalComponents(subject, isDisabled)}
+              >
-            </GeneralPermissionPolicies>
+                {renderConditionalComponents(subject, isDisabled)}
-          ))}
+              </GeneralPermissionPolicies>
+            ))}
+          </div>
         </div>
       </FormProvider>
     </form>

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/AwsParameterStoreSyncFields.tsx

@@ -30,7 +30,29 @@ export const AwsParameterStoreSyncFields = () => {
       />
       <Controller
         render={({ field: { value, onChange }, fieldState: { error } }) => (
-          <FormControl isError={Boolean(error)} errorText={error?.message} label="Path">
+          <FormControl
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="Path"
+            tooltipText={
+              <>
+                The path is required and will be prepended to the key schema. For example, if you
+                have a path of{" "}
+                <code className="rounded bg-mineshaft-600 px-0.5 py-px text-sm text-mineshaft-300">
+                  /demo/path/
+                </code>{" "}
+                and a key schema of{" "}
+                <code className="rounded bg-mineshaft-600 px-0.5 py-px text-sm text-mineshaft-300">
+                  INFISICAL_{"{{secretKey}}"}
+                </code>
+                , then the result will be{" "}
+                <code className="rounded bg-mineshaft-600 px-0.5 py-px text-sm text-mineshaft-300">
+                  /demo/path/INFISICAL_{"{{secretKey}}"}
+                </code>
+              </>
+            }
+            tooltipClassName="max-w-lg"
+          >
             <Input value={value} onChange={onChange} placeholder="Path..." />
           </FormControl>
         )}

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/GitLabSyncFields.tsx

@@ -0,0 +1,282 @@
+import { Controller, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+import { faCircleInfo, faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
+import {
+  FilterableSelect,
+  FormControl,
+  Input,
+  Select,
+  SelectItem,
+  Switch,
+  Tooltip
+} from "@app/components/v2";
+import {
+  TGitLabGroup,
+  TGitLabProject,
+  useGitlabConnectionListGroups,
+  useGitlabConnectionListProjects
+} from "@app/hooks/api/appConnections/gitlab";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { GitLabSyncScope } from "@app/hooks/api/secretSyncs/types/gitlab-sync";
+
+import { TSecretSyncForm } from "../schemas";
+
+const SecretProtectionOption = ({
+  title,
+  isEnabled,
+  onChange,
+  id,
+  isDisabled = false,
+  tooltip
+}: {
+  title: string;
+  isEnabled: boolean;
+  onChange: (checked: boolean) => void;
+  id: string;
+  isDisabled?: boolean;
+  tooltip?: string;
+}) => {
+  return (
+    <Switch
+      className="bg-mineshaft-400/80 shadow-inner data-[state=checked]:bg-green/80"
+      id={id}
+      thumbClassName="bg-mineshaft-800"
+      onCheckedChange={onChange}
+      isChecked={isEnabled}
+      isDisabled={isDisabled}
+      containerClassName="w-full"
+    >
+      <p>
+        {title}{" "}
+        {tooltip && (
+          <Tooltip className="max-w-md" content={tooltip}>
+            <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
+          </Tooltip>
+        )}
+      </p>
+    </Switch>
+  );
+};
+
+export const GitLabSyncFields = () => {
+  const { control, setValue } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.GitLab }
+  >();
+
+  const connectionId = useWatch({ name: "connection.id", control });
+  const scope = useWatch({ name: "destinationConfig.scope", control });
+  const shouldMaskSecrets = useWatch({ name: "destinationConfig.shouldMaskSecrets", control });
+
+  const { data: groups, isLoading: isGroupsLoading } = useGitlabConnectionListGroups(connectionId, {
+    enabled: Boolean(connectionId) && scope === GitLabSyncScope.Group
+  });
+
+  const { data: projects, isLoading: isProjectsLoading } = useGitlabConnectionListProjects(
+    connectionId,
+    {
+      enabled: Boolean(connectionId)
+    }
+  );
+
+  return (
+    <div className="h-full overflow-auto">
+      <SecretSyncConnectionField
+        onChange={() => {
+          setValue("destinationConfig.projectId", "");
+          setValue("destinationConfig.projectName", "");
+          setValue("destinationConfig.groupId", "");
+          setValue("destinationConfig.groupName", "");
+          setValue("destinationConfig.scope", GitLabSyncScope.Project);
+        }}
+      />
+
+      <Controller
+        name="destinationConfig.scope"
+        control={control}
+        defaultValue={GitLabSyncScope.Project}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl errorText={error?.message} isError={Boolean(error?.message)} label="Scope">
+            <Select
+              value={value}
+              onValueChange={(val) => {
+                onChange(val);
+                setValue("destinationConfig.projectId", "");
+                setValue("destinationConfig.projectName", "");
+                setValue("destinationConfig.groupId", "");
+                setValue("destinationConfig.groupName", "");
+              }}
+              className="w-full border border-mineshaft-500 capitalize"
+              position="popper"
+              placeholder="Select a scope..."
+              dropdownContainerClassName="max-w-none"
+            >
+              {Object.values(GitLabSyncScope).map((projectScope) => (
+                <SelectItem className="capitalize" value={projectScope} key={projectScope}>
+                  {projectScope.replace("-", " ")}
+                </SelectItem>
+              ))}
+            </Select>
+          </FormControl>
+        )}
+      />
+
+      {scope === GitLabSyncScope.Group && (
+        <Controller
+          name="destinationConfig.groupId"
+          control={control}
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl
+              isError={Boolean(error)}
+              errorText={error?.message}
+              label="Group"
+              helperText={
+                <Tooltip
+                  className="max-w-md"
+                  content="Ensure the group exists in the connection's GitLab instance URL."
+                >
+                  <div>
+                    <span>Don&#39;t see the group you&#39;re looking for?</span>{" "}
+                    <FontAwesomeIcon icon={faCircleInfo} className="text-mineshaft-400" />
+                  </div>
+                </Tooltip>
+              }
+            >
+              <FilterableSelect
+                menuPlacement="top"
+                isLoading={isGroupsLoading && Boolean(connectionId)}
+                isDisabled={!connectionId}
+                value={groups?.find((group) => group.id === value) ?? null}
+                onChange={(option) => {
+                  onChange((option as SingleValue<TGitLabGroup>)?.id ?? "");
+                  setValue(
+                    "destinationConfig.groupName",
+                    (option as SingleValue<TGitLabGroup>)?.name ?? ""
+                  );
+                }}
+                options={groups}
+                placeholder="Select a group..."
+                getOptionLabel={(option) => option.name}
+                getOptionValue={(option) => option.id}
+              />
+            </FormControl>
+          )}
+        />
+      )}
+
+      {scope === GitLabSyncScope.Project && (
+        <Controller
+          name="destinationConfig.projectId"
+          control={control}
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl
+              isError={Boolean(error)}
+              errorText={error?.message}
+              label="GitLab Project"
+              helperText={
+                <Tooltip
+                  className="max-w-md"
+                  content="Ensure the project exists in the connection's GitLab instance URL and the connection has access to it."
+                >
+                  <div>
+                    <span>Don&#39;t see the project you&#39;re looking for?</span>{" "}
+                    <FontAwesomeIcon icon={faCircleInfo} className="text-mineshaft-400" />
+                  </div>
+                </Tooltip>
+              }
+            >
+              <FilterableSelect
+                menuPlacement="top"
+                isLoading={isProjectsLoading && Boolean(connectionId)}
+                isDisabled={!connectionId}
+                value={projects?.find((project) => project.id === value) ?? null}
+                onChange={(option) => {
+                  onChange((option as SingleValue<TGitLabProject>)?.id ?? "");
+                  setValue(
+                    "destinationConfig.projectName",
+                    (option as SingleValue<TGitLabProject>)?.name ?? ""
+                  );
+                }}
+                options={projects}
+                placeholder="Select a project..."
+                getOptionLabel={(option) => option.name}
+                getOptionValue={(option) => option.id}
+              />
+            </FormControl>
+          )}
+        />
+      )}
+
+      <Controller
+        control={control}
+        defaultValue=""
+        name="destinationConfig.targetEnvironment"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="GitLab Environment Scope (Optional)"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="*" />
+          </FormControl>
+        )}
+      />
+
+      {/* Secret Protection Settings Section */}
+      <div className="mt-6">
+        <div className="space-y-4">
+          <Controller
+            control={control}
+            name="destinationConfig.shouldProtectSecrets"
+            render={({ field: { onChange, value } }) => (
+              <SecretProtectionOption
+                id="should-protect-secrets"
+                title="Mark secrets as Protected"
+                isEnabled={value || false}
+                onChange={onChange}
+              />
+            )}
+          />
+
+          <Controller
+            control={control}
+            name="destinationConfig.shouldMaskSecrets"
+            render={({ field: { onChange, value } }) => (
+              <SecretProtectionOption
+                id="should-mask-secrets"
+                title="Mark secrets as Masked"
+                tooltip="GitLab has limitations for masked variables: secrets must be at least 8 characters long and not match existing CI/CD variable names. Secrets not meeting these criteria won't be masked."
+                isEnabled={value || false}
+                onChange={(checked) => {
+                  onChange(checked);
+                  if (!checked) {
+                    setValue("destinationConfig.shouldHideSecrets", false);
+                  }
+                }}
+              />
+            )}
+          />
+
+          <Controller
+            control={control}
+            name="destinationConfig.shouldHideSecrets"
+            render={({ field: { onChange, value } }) => (
+              <div className="max-h-32 opacity-100 transition-all duration-300">
+                <SecretProtectionOption
+                  id="should-hide-secrets"
+                  title="Mark secrets as Hidden"
+                  tooltip="Secrets can only be marked as hidden if they are also masked. If this is enabled, Infisical will not be able to unhide/unmask secrets from the sync destination if you disable the option later."
+                  isEnabled={value || false}
+                  onChange={onChange}
+                  isDisabled={!shouldMaskSecrets}
+                />
+              </div>
+            )}
+          />
+        </div>
+      </div>
+    </div>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx

@@ -15,6 +15,7 @@ import { DatabricksSyncFields } from "./DatabricksSyncFields";
 import { FlyioSyncFields } from "./FlyioSyncFields";
 import { GcpSyncFields } from "./GcpSyncFields";
 import { GitHubSyncFields } from "./GitHubSyncFields";
+import { GitLabSyncFields } from "./GitLabSyncFields";
 import { HCVaultSyncFields } from "./HCVaultSyncFields";
 import { HerokuSyncFields } from "./HerokuSyncFields";
 import { HumanitecSyncFields } from "./HumanitecSyncFields";
@@ -71,6 +72,8 @@ export const SecretSyncDestinationFields = () => {
       return <RenderSyncFields />;
     case SecretSync.Flyio:
       return <FlyioSyncFields />;
+    case SecretSync.GitLab:
+      return <GitLabSyncFields />;
     case SecretSync.CloudflarePages:
       return <CloudflarePagesSyncFields />;
     default: