zereight/gitlab-mcp

GitLab MCP server for projects, merge requests, issues, pipelines, wiki, releases, and more

→ zereight/gitlab-mcp· npm: @zereight/mcp-gitlab· listed on npm

Install from

npm npm

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

🚨

Known vulnerabilities in dependencies: 1 critical, 2 high

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

🔐

You'll be asked for 3 credentials: GITLAB_OAUTH_CLIENT_SECRET, GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_TOKEN

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configDEFAULT_NULL

configDISCUSSION_ID

configGITLAB_ALLOWED_PROJECT_IDS

configGITLAB_API_URL— api-url - GitLab API URL (replaces )

configGITLAB_COMMIT_FILES_PER_PAGE

configGITLAB_GRAPHQL_URL

configGITLAB_OAUTH_CLIENT_ID— Local OAuth: GITLAB_USE_OAUTH=true, , GITLAB_OAUTH_REDIRECT_URI, GITLAB_API_URL

🔐 secretGITLAB_OAUTH_CLIENT_SECRET

configGITLAB_OAUTH_REDIRECT_URI— Local OAuth: GITLAB_USE_OAUTH=true, GITLAB_OAUTH_CLIENT_ID, , GITLAB_API_URL

configGITLAB_OAUTH_TOKEN_PATH

🔐 secretGITLAB_PERSONAL_ACCESS_TOKEN— 1. Personal Access Token () — simplest setup

configGITLAB_PROJECT_ID

configGITLAB_READ_ONLY_MODE— read-only=true - Enable read-only mode (replaces )

🔐 secretGITLAB_TOKEN

configGITLAB_TOKEN_TEST

configHOST— e =0.0.0.0 \

configISSUE_IID

configLOG_LEVEL

configMAX_REQUESTS_PER_MINUTE— Rate limiting: Each session is limited to requests per minute (default 60)

configMAX_SESSIONS— Capacity limit: Server accepts up to concurrent sessions (default 1000)

configMCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL— No Set true for local HTTP dev only

configMERGE_REQUEST_IID

configNOTE_ID

configPROJECT_ID

configSESSION_TIMEOUT_SECONDS— Session timeout: Auth tokens expire after (default 1 hour) of inactivity. After timeout, the client must send auth headers again. The transport session remains active.

configTEST_PROJECT_ID

configWORKSPACE_ROOT

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 7 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/zereight-mcp-gitlab-14pdxb)](https://m8ven.ai/mcp/zereight-mcp-gitlab-14pdxb)

commit: 5bd7c81e422bf9666dfd6f0d89c49ed9e80e2409

code hash: 2cec22178a611f7a72fae1e7c6659c7652e1f35c1906c720af7d614f25737b14

verified: 4/18/2026, 4:00:44 PM

view raw JSON →