grade F

2 days ago

npm

structured-world/gitlab-mcp

Advanced GitLab MCP server

→ structured-world/gitlab-mcp· npm: @structured-world/gitlab-mcp· listed on npm

Install from

npm npm Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

✅

No credential exfiltration, no sensitive file access, no obfuscation

Static analysis found nothing flowing your secrets to unexpected places.

✅

Open source with a license and README

Anyone can audit the code, the license is declared, and the publisher documents what it does.

🔐

You'll be asked for 3 credentials: GITLAB_OAUTH_CLIENT_SECRET, GITLAB_TOKEN, OAUTH_SESSION_SECRET

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configDASHBOARD_ENABLED

configDATABASE_URL

configDEFAULT_NULL

configGITLAB_ALLOWED_PROJECT_IDS

configGITLAB_ALLOWED_TOOLS_REGEX

configGITLAB_API_BODY_TIMEOUT_MS

configGITLAB_API_CONNECT_TIMEOUT_MS

configGITLAB_API_HEADERS_TIMEOUT_MS

configGITLAB_API_RETRY_BASE_DELAY_MS

configGITLAB_API_RETRY_ENABLED

configGITLAB_API_RETRY_MAX_ATTEMPTS

configGITLAB_API_RETRY_MAX_DELAY_MS

configGITLAB_API_URL— "": "https://gitlab.com"

configGITLAB_AUTH_COOKIE_PATH

configGITLAB_CA_CERT_PATH

configGITLAB_CROSS_REFS

configGITLAB_DEFAULT_NAMESPACE

configGITLAB_DEFAULT_PROJECT

configGITLAB_DENIED_ACTIONS

configGITLAB_DENIED_TOOLS_REGEX

configGITLAB_FAILURE_THRESHOLD— 3 Consecutive transient failures before disconnecting

configGITLAB_HEALTH_CHECK_INTERVAL_MS— 60000 Health check interval when connected

configGITLAB_HTTP_KEEPALIVE_TIMEOUT_MS

configGITLAB_INIT_TIMEOUT_MS— Bounded startup — Server starts within (default 5s) regardless of GitLab availability

configGITLAB_INSTANCES

configGITLAB_INSTANCES_FILE

configGITLAB_INSTANCE_CACHE_MAX— 100 Max number of per-URL instance states kept in memory (OAuth multi-tenant; LRU eviction when exceeded)

configGITLAB_INSTANCE_TTL_MS— 3600000 TTL for idle per-URL instance states in ms; evicted on next insert (OAuth multi-tenant)

configGITLAB_IS_OLD

configGITLAB_MCP_PRESET

configGITLAB_OAUTH_CLIENT_ID

🔐 secretGITLAB_OAUTH_CLIENT_SECRET

configGITLAB_OAUTH_SCOPES

configGITLAB_POOL_MAX_CONNECTIONS

configGITLAB_PROJECT_ID

configGITLAB_READONLY

configGITLAB_READ_ONLY_MODE

configGITLAB_RECONNECT_BASE_DELAY_MS— 5000 Initial reconnect delay (doubles each attempt)

configGITLAB_RECONNECT_MAX_DELAY_MS— 60000 Maximum reconnect delay

configGITLAB_RESPONSE_WRITE_TIMEOUT_MS— 10000 Max time to flush a non-SSE response before destroying zombie connection (0 to disable; SSE uses heartbeat)

configGITLAB_SCHEMA_MODE

configGITLAB_SSE_HEARTBEAT_MS

🔐 secretGITLAB_TOKEN— "": "your_gitlab_token",

configGITLAB_TOOL_TIMEOUT_MS— 120000 Max time for tool/bootstrap execution before timeout

configGITLAB_URL

configHOST

configHTTPS_PROXY

configHTTP_PROXY

configJEST_UNIT_ONLY

configJEST_WORKER_ID

configLOG_FILTER

configLOG_FORMAT

configLOG_JSON

configLOG_LEVEL

configOAUTH_DEVICE_POLL_INTERVAL

configOAUTH_DEVICE_TIMEOUT

configOAUTH_ENABLED

configOAUTH_REFRESH_TOKEN_TTL

🔐 secretOAUTH_SESSION_SECRET

configOAUTH_STORAGE_POSTGRESQL_URL

configOAUTH_TOKEN_TTL

configPORT— docker run -e =3002 -e GITLAB_TOKEN=your_token -p 3333:3002 \

configRATE_LIMIT_IP_ENABLED

configRATE_LIMIT_IP_MAX_REQUESTS

configRATE_LIMIT_IP_WINDOW_MS

configRATE_LIMIT_SESSION_ENABLED

configRATE_LIMIT_SESSION_MAX_REQUESTS

configRATE_LIMIT_SESSION_WINDOW_MS

configRELEASE_VERSION

configSKIP_TLS_VERIFY

configSSL_CA_PATH

configSSL_CERT_PATH

configSSL_KEY_PATH

configSSL_PASSPHRASE

configTRUST_PROXY

configUSE_FILES— true File operations

configUSE_GITLAB_WIKI— true Wiki pages

configUSE_INTEGRATIONS— true 50+ integrations

configUSE_ITERATIONS— true Iteration planning (sprints)

configUSE_LABELS— true Label management

configUSE_MEMBERS— true Team members

configUSE_MILESTONE— true Milestones

configUSE_MRS— true Merge requests

configUSE_PIPELINE— true Pipelines & CI/CD

configUSE_REFS— true Branch & tag management

configUSE_RELEASES— true Release management

configUSE_SEARCH— true Cross-project search

configUSE_SNIPPETS— true Code snippets

configUSE_VARIABLES— true CI/CD variables

configUSE_WEBHOOKS— true Webhook management

configUSE_WORKITEMS— true Issues, epics, tasks

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 3 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/structured-world-gitlab-mcp-5bms0u)](https://m8ven.ai/mcp/structured-world-gitlab-mcp-5bms0u)

commit: c085e7006bee9a8d153a1afc94f00bd7e0fee98f

code hash: 20970a0c931134f145acc9ad60504123bcbf9175d6a4fb1ec720eed5aad8855d

verified: 4/18/2026, 4:06:40 PM

view raw JSON →