Skip to main content


This page will help you install Port's GitLab integration (powered by the Ocean framework).

This page outlines the following steps:

  • How to create a GitLab group access token to give the integration permissions to query your GitLab account.
  • How to configure and customize the integration before deploying it.
  • How to deploy the integration in the configuration that fits your use case.
  • A gitlab account with admin privileges.
  • A gitlab group account with the api scope.
  • If you choose the real time & always on installation method - a kubernetes cluster to install the integration on.
  • Your Port user role is set to Admin.

Creating a GitLab group access token

A group access token can be used for the group it was generated at, as well as for all sub-groups underneath it.

The GitLab integration is able to query multiple GitLab root groups. To do so, it will require multiple group access tokens, each at the correct root group.

GitLab group access tokens example

For example, let's assume the following GitLab account structure:

GitLab account
├── microservices-group
│   ├──microservice1-group
│   └──microservice2-group
├── apis-group
│   ├── rest-api-group
│   └── graphql-api-group

In this example:

  • To map only the microservices-group, we require one group access token - one for the microservices-group.
  • To map the microservices-group and all of its subgroups, we require only one group access token - one for the microservices-group.
  • To map the microservices-group, the apis-group and all of their subgroups, we require only two group access tokens - one for the microservices-group and one for the apis-group.
  • To map the microservice1-group, we have 2 options:
    • Create a group access token for the microservices-group and use the token mapping to select just the microservice1-group.
    • Create a group access token for the microservice1-group directly.

See the token mapping section for more information.

The following steps will guide you how to create a GitLab group access token.

  1. Sign in to GitLab and go to your desired group's settings page:

  2. In the "Access Tokens" section, you need to provide the token details, including the name and an optional expiration date. Additionally, select the api scope, and then proceed to click on the "Create access token" button.

  3. Click "Create group access token".

  4. Copy the generated token and use it when deploying the integration in the following steps.

Configuring the GitLab integration


The GitLab integration supports fetching data related to specific paths in your GitLab groups. The integration is also able to fetch data from different GitLab parent groups by providing additional group tokens. In order to do so, you need to map the desired paths to the relevant access tokens. The tokenMapping parameter supports specifying the paths that the integration will search for files and information in, using globPatterns.

Mapping format:

{"MY_FIRST_GITLAB_PROJECT_GROUP_TOKEN": ["**/MyFirstGitLabProject/**","**/MySecondGitLabProject/*"]}


{"glpat-QXbeg-Ev9xtu5_5FsaAQ": ["**/DevopsTeam/*Service", "**/RnDTeam/*Service"]}
Helm installation parameter

When using the tokenMapping parameter in the integration's Helm installation, make sure to escape the necessary characters, for example:

--set integration.secrets.tokenMapping=“\{\“glpat-oh1YXc54pR4eofx6hYy5\“: [\“**\“]\}”

Multiple GitLab group access tokens example:

{"glpat-QXbeg-Ev9xtu5_5FsaAQ": ["**/DevopsTeam/*Service", "**/RnDTeam/*Service"],"glpat-xF7Ae-vXu5ts5_QbEgAQ9": ["**/MarketingTeam/*Service"]}

Configuring Realtime webhook events

Exposing Endpoint for events

App Host

The appHost parameter is used specifically to enable the real-time functionality of the integration.

If it is not provided, the integration will continue to function correctly. In such a configuration, to retrieve the latest information from the target system, the scheduledResyncInterval parameter has to be set, or a manual resync will need to be triggered through Port's UI.

In order for the GitLab integration to update the data in Port on every change in the GitLab repository, you need to specify the appHost parameter. The appHost parameter should be set to the url of your GitLab integration instance. In addition, your GitLab instance (whether it is GitLab SaaS or a self-hosted version of GitLab) needs to have the option to send webhook requests to the GitLab integration instance, so please configure your network accordingly.

The default webhook events behavior

The GitLab integration supports listening to GitLab webhooks and updating the relevant entities in Port accordingly.

Supported webhooks are Group webhooks and System hooks.

As part of the installation process, the integration will create a webhook in your GitLab instance, and will use it to listen to the relevant events.

There are a few points to consider before deciding on which webhook to choose :

  • If you choose system hooks, the integration will create a single webhook for the entire GitLab instance. If you choose group webhooks, the integration will create a webhook for each root group in your GitLab instance, unless you provide the tokenGroupHooksOverrideMapping parameter- and then it will create a webhook for each specified group in this parameter.

  • The system hooks has much less event types than the group webhooks.

    • Group Webhooks supported event types:

      • push_events
      • issues_events
      • jobs_events
      • merge_requests_events
      • pipeline_events
      • releases_events
      • tag_push_events
      • subgroup_events
      • confidential_issues_events
    • System Hooks supported event types:

      • push_events
      • merge_requests_events
      • repository_update_events

      This means that if you choose system hooks, the integration will not be able to update the relevant entities in Port on events such as issues_events, pipeline_events and etc.

  • Creating a system hook requires admin privileges in GitLab. Due to this, the integration supports that the system hook will be created manually, and the integration will use it to listen to the relevant events.

Specific Group Webhooks

By default, if appHost is provided, the integration will create group webhooks for each root group in your GitLab instance. If you need to create webhooks only for specific groups, you should configure the tokenGroupHooksOverrideMapping parameter.

System Webhooks

To create a system hook there are two options:


In both options you'll need to provide the useSystemHook parameter with the value true.

  1. Provide a token with admin privileges in GitLab using the tokenMapping parameter.
    • When choosing this option, the integration will create the system hook in your GitLab account automatically.
  2. Create the system hook manually
    • Follow the instructions for creating a system hook in GitLab here.
    • In the URL field, provide the appHost parameter value with the path /integration/system/hook. e.g.
    • From the Triggers section, the GitLab integration currently supports the following events:
      • push
      • merge_request

GitLab System Hook


the integration can support listening to webhooks on specified groups, by configuring the tokenGroupHooksOverrideMapping parameter. this parameter is not required, and when you don't use it, the integration will listen to all of the root groups (if not using useSystemHooks=true)

Mapping format:



{"glpat-QXbeg-Ev9xtu5_5FsaAQ": {"groups": {"path/to/my-first-group": {"events": ["push_events", "merge_requests_events]}, "path/to/my-other-group": {"events": ["pipelines_events"]}}}}

You can configure multiple tokens, and multiple groups per token (the token should have admin access to those groups), but there are some rules:

  • All of the tokens mentioned here must be contained in tokenMapping.
  • A "groups" key is required for each token.
  • All of the groups in all of the tokens must be non-hierarchical to each other, and not identical (duplicated).
  • The group path is the full path in gitlab. If a group path is incorrect, the webhook will not be created.
  • The events for each group must match the supported event types mentioned below. if you would like to have all the events provided in the webhook, you can use: {"events" = []}, but not eliminate this key completely, because it is required.

Deploying the GitLab integration

Choose one of the following installation methods:

Using this installation option means that the integration will be able to update Port in real time using webhooks.

This table summarizes the available parameters for the installation. Set them as you wish in the script below, then copy it and run it in your terminal:

port.clientIdYour Port client id
port.clientSecretYour Port client secret
port.baseUrlYour Port API URL - for EU, for US
integration.secrets.tokenMappingThe token mapping configuration used to query GitLab
integration.config.appHostThe host of the Port Ocean app. Used to set up the integration endpoint as the target for webhooks created in GitLab
integration.config.gitlabHost(for self-hosted GitLab) the URL of your GitLab instance
integration.secrets.tokenGroupHooksOverrideMappingThe token group hooks override mapping configuration used to create custom webhooks on groups

Advanced configuration

integration.eventListener.typeThe event listener type. Read more about event listeners
integration.typeThe integration to be installed
scheduledResyncIntervalThe number of minutes between each resync. When not set the integration will resync for each event listener resync event. Read more about scheduledResyncInterval
initializePortResourcesDefault true, When set to true the integration will create default blueprints and the port App config Mapping. Read more about initializePortResources
sendRawDataExamplesEnable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true

To install the integration using Helm, run the following command:

helm repo add --force-update port-labs
helm upgrade --install my-gitlab-integration port-labs/port-ocean \
--set port.clientId="PORT_CLIENT_ID" \
--set port.clientSecret="PORT_CLIENT_SECRET" \
--set port.baseUrl="" \
--set initializePortResources=true \
--set sendRawDataExamples=true \
--set scheduledResyncInterval=120 \
--set integration.identifier="my-gitlab-integration" \
--set integration.type="gitlab" \
--set integration.eventListener.type="POLLING" \
--set integration.secrets.tokenMapping="\{\"TOKEN\": [\"GROUP_NAME/**\"]\}"
Selecting a Port API URL by account region

The baseUrl, port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

It is also possible to get Port's UI to generate your installation command for you, Port will inject values such as your Port client ID and client secret directly into the command, making it easier to get started.

Follow these steps to setup the integration through Port's UI:

  1. Click the ingest button in Port Builder Page for the blueprint you want to ingest using GitLab:

    DevPortal Builder ingest button

  2. Select GitLab under the Git providers category:

    DevPortal Builder GitLab option

  3. Copy the helm installation command and set the required configuration;

  4. Run the helm command with the updated parameters to install the integration in your Kubernetes cluster.

Advanced integration configuration

For advanced configuration such as proxies or self-signed certificates, click here.