Installation

Prerequisites

To use Zenable with GitLab, you’ll need to create a Personal Access Token (PAT) or Group Access Token with the appropriate permissions.
Best Practice: Create a dedicated service account for Zenable rather than using your personal account. The reviews will be easier to attribute to the bot user and it provides better security, easier management, and clearer audit trails.
Creating a Service Account (Recommended)
1. Create Dedicated GitLab User

Create a new GitLab user for Zenable:
  • Username: zenable-bot or zenable-reviewer
  • Email: Use a dedicated email (e.g., zenable-bot@yourcompany.com)
  • Profile picture: Consider using Zenable’s logo as the profile picture so it’s easier to tell that the reviews come from Zenable.
  • Access level: Ensure this user has at least Developer access to the groups or projects where you want Zenable to review code.
2. Generate Personal Access Token

Log in as the service account and navigate to access tokens:
  1. Click on your avatar in the top-right corner
  2. Select Edit Profile
  3. Click Access Tokens in the left sidebar
  4. Click Add new token
3. Configure Token Settings

Token name: zenable-integration (or any descriptive name)
Expiration date: Set according to your security policy (recommended: long enough that you don’t have to rotate it often). Remember to update/rotate this token before it expires.
Select scopes: Enable the following permissions:
  • api - Full API access (required for reading MRs, posting comments, and listing projects to manage webhooks)
  • read_user - Read user information
4. Generate and Save Token

  1. Click Create personal access token
  2. Critical: Copy the token immediately - it will only be displayed once
Keep your Personal Access Token secure. Anyone with this token can access your GitLab account with the permissions you’ve granted. Never commit tokens to version control or share them in plain text.

Option 2: Group Access Token (GitLab Premium/Ultimate)

If you have GitLab Premium or Ultimate, you can use Group Access Tokens which automatically create a dedicated bot user.
1. Navigate to Group Settings

  1. Go to your GitLab group
  2. Select Settings from the left sidebar
  3. Select Access Tokens within the Settings section
2. Create Group Access Token

  1. Click Create a Group Access Token
  2. Enter a descriptive name (e.g., zenable-reviewer)
  3. Set an expiration date
  4. Select the api scope
  5. Ensure Developer access is provided
  6. Click Create group access token
3. Save the Token

GitLab will automatically create a bot user (e.g., group_123_bot_456...) and display the token. Copy and store it securely immediately.

Step 2: Configure Zenable

1. Navigate to Integrations

Go to zenable.app/integrations and select the GitLab tab.
2. Add GitLab Token

  1. Click Add GitLab token
  2. Paste your Personal Access Token or Group Access Token
  3. Click Submit
Zenable will automatically discover all accessible projects from your GitLab account.
3. Select Projects to Review

After the installation is registered:
  1. Select the installation(s) you want to configure
  2. Click Load Projects to see all available projects
  3. Select the projects you want to enable by checking their checkboxes
  4. Click Save Changes to apply your configuration
Only enabled projects will receive automated merge request reviews from Zenable.

How It Works

The Zenable GitLab Reviewer automatically reviews merge requests in your repository, providing valuable feedback on code quality, security, and best practices. It leverages any Policy as Code or context you’ve configured in your tenant on zenable.app, ensuring consistent enforcement across your entire development workflow. Once configured, it will:
  1. Monitor MR events - Responds to merge request opens, updates, and review requests
  2. Analyze code changes - Reviews modified files against your custom policies and organizational context
  3. Provide inline feedback - Adds comments directly on the code with specific suggestions
  4. Maintain standards - Ensures consistent code quality across your team

Re-requesting a Review

You can trigger a new review at any time by commenting /zenable on your merge request. This is useful when:
  • You’ve made changes and want fresh feedback
  • You want to re-run the review after updating your policies
  • The initial review was skipped due to rate limits or other conditions
Simply add a comment with /zenable anywhere in the MR, and Zenable will perform a complete review of the current state of the merge request.

Unified Context Across All Integration Points

All Zenable integration points (GitLab, GitHub, MCP, API) share the same context and policies from your Zenable tenant. This provides continuous enforcement throughout the entire SDLC - consistently reinforced and fully automated. Whether developers are using AI tools locally, committing code, or creating merge requests, the same standards and policies apply everywhere.

Security Best Practices

Always use a dedicated service account instead of personal accounts:
  • Create a separate GitLab user specifically for Zenable (e.g., zenable-bot)
  • Use a dedicated email address for easy identification
  • Provides clear audit trails and easier access management
  • Makes it obvious in MR comments that it’s an automated review
Regularly rotate your Personal Access Tokens:
  • Set expiration dates on all tokens
  • Create new tokens before old ones expire
  • Update the token in Zenable settings promptly
  • Revoke tokens that are no longer needed
  • Document token renewal dates in your team calendar
Only grant the minimum required scopes:
  • Required: api scope (provides all necessary access)
  • Required: read_user scope (for user information)
  • Ensure the service account has Developer access level

Next Steps

After installation, you can:

Troubleshooting

  • Verify your PAT has the correct scopes
  • Check that the token hasn’t expired
  • Ensure the repository is selected in Zenable settings
  • Check GitLab webhook logs for errors
  • Confirm the PAT has api and read_user scopes
  • Verify the token owner has access to the repository
  • Check if branch protection rules are blocking comments
  • Create a new PAT following the steps above
  • Update the token in Zenable settings
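The token checks in the Security Best Practices and Troubleshooting lists above (required scopes, expiry, Developer access) can be scripted against the JSON that GitLab returns for GET /api/v4/personal_access_tokens/self and GET /api/v4/projects/:id/members/all/:user_id. The following is an added example, not code from Zenable or GitLab; the sample responses are constructed, and the 14-day rotation warning window is an assumption.

```python
"""Offline pre-flight check for a Zenable GitLab service-account token.

Added example, not part of Zenable's or GitLab's code. It evaluates the JSON
that GitLab returns for GET /api/v4/personal_access_tokens/self and
GET /api/v4/projects/:id/members/all/:user_id, which the operator fetches
separately (e.g. with curl); the sample responses below are constructed.
"""
from datetime import date
from typing import Optional

REQUIRED_SCOPES = {"api", "read_user"}   # scopes the installation steps require
DEVELOPER_ACCESS = 30                    # GitLab access_level value for Developer
ROTATION_WARNING_DAYS = 14               # assumption: warn this far ahead of expiry


def check_token(token_info: dict, membership: Optional[dict], today: date) -> list:
    """Return a list of findings; an empty list means the token passes every check."""
    findings = []
    if token_info.get("revoked") or not token_info.get("active", True):
        findings.append("token is revoked or inactive: create a new PAT")
    missing = REQUIRED_SCOPES - set(token_info.get("scopes", []))
    if missing:
        findings.append(f"missing required scopes: {sorted(missing)}")
    expires = token_info.get("expires_at")
    if expires:
        days_left = (date.fromisoformat(expires) - today).days
        if days_left < 0:
            findings.append("token has expired")
        elif days_left <= ROTATION_WARNING_DAYS:
            findings.append(f"token expires in {days_left} days: rotate it and update Zenable")
    if membership is None:
        findings.append("token owner is not a member of the project")
    elif membership.get("access_level", 0) < DEVELOPER_ACCESS:
        findings.append("token owner has less than Developer access to the project")
    return findings


# Constructed sample responses (shape follows the GitLab API, values are made up).
GOOD_TOKEN = {"name": "zenable-integration", "active": True, "revoked": False,
              "scopes": ["api", "read_user"], "expires_at": "2030-01-01"}
WEAK_TOKEN = {"name": "zenable-integration", "active": True, "revoked": False,
              "scopes": ["read_api"], "expires_at": "2025-01-10"}
DEV_MEMBER = {"username": "zenable-bot", "access_level": 30}
GUEST_MEMBER = {"username": "zenable-bot", "access_level": 10}

if __name__ == "__main__":
    for label, tok, member in [("good", GOOD_TOKEN, DEV_MEMBER), ("weak", WEAK_TOKEN, GUEST_MEMBER)]:
        print(label, check_token(tok, member, date(2025, 1, 1)) or ["OK"])
```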
For additional support, please submit feedback at zenable.io/feedback.