When it comes to email addresses, it’s better to be safe than sorry, so it’s always a good idea to keep them in a secure environment. Depending on the version of GitLab, you may receive one of the following alerts:

GitLab 10.0 and above — Insecure database when checking email

If you’re using an email address that is not in a secure environment, it’s possible that the email address has been exposed in the logs as an insecure database query may result in the email address being displayed. To determine if this has happened, check the WebHook logs.

GitLab 10.0 and above

If you’re using GitLab 10.0 and above, you will see the following message in the logs when looking at WebHook events:
Insecure database when checking email
This means that a database query was done for an email address that is not stored in a secure environment. If this happens, it’s likely your email address has been exposed in the logs by GitLab.
If you’re using GitLab 9.0-9.4, the default configuration of WebHook logs will only show one event for each query, but if you are using an email address that is not stored in a secure environment like Gmail, Yahoo Mail or another free provider, then this event will also be present.

What you need to do to resolve the issue

You can resolve the issue by using a secure email address. For more information, see Using Secure Addresses in WebHooks.

SSH Keys

In order to ensure your email address is secure, you can generate an SSH key and use this for authenticating with GitLab’s WebHook. With SSH keys, your email address won't be accessible by others as part of the logs.

GitLab 9.0 and below — Insecure database when checking email

If you’re using an email address that is not in a secure environment, it’s possible that the email address has been exposed in the logs as an insecure database query may result in the email address being displayed. To determine if this has happened, check the WebHook logs.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/20/2022 14:35:00 UTC
