stackpeek
← back to leaderboard

audit report

GitLab

https://gitlab.com · devops

warn
scanned 2026-04-16 23:34:37 utc permalink · /audit/gitlab

GitLab loaded 9 third-party domain(s), of which 4 are privacy-sensitive. 1 warn finding(s): No privacy policy found. Privacy-sensitive vendors observed: Bizible, Google Tag Manager, OneTrust, Optimizely.

findings

  1. warn

    No privacy policy found

    stackpeek could not discover a privacy policy for this page. This is unusual for anything serving real users.

    how we detected this →
  2. note

    Google Tag Manager loaded (tag_manager)

    Observed 2 time(s) on the page.

    
            inline: window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} const defaultConsents = win
inline: window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(ar
    how we detected this →
  3. note

    OneTrust loaded (tag_manager)

    Observed 2 time(s) on the page.

    
            script src: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location/geofeed
link preconnect: https://geolocation.onetrust.com
    how we detected this →
  4. note

    Bizible loaded (analytics)

    Observed 1 time(s) on the page.

    
            script src: https://cdn.bizible.com/scripts/bizible.js
    how we detected this →
  5. note

    Optimizely loaded (ab_testing)

    Observed 1 time(s) on the page.

    
            script src: https://cdn.optimizely.com/js/5113954737848320.js
    how we detected this →
  6. note

    No Content-Security-Policy header

    A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.

    how we detected this →

third parties observed

vendor domain category hits disclosure
Bizible bizible.com analytics 1 not named
Google Tag Manager googletagmanager.com tag_manager 2 not named
OneTrust onetrust.com tag_manager 2 not named
Optimizely optimizely.com ab_testing 1 not named
Cloudinary cloudinary.com cdn 46 not named
Marketo marketo.net api 1 not named
Mutiny mutinycdn.com cdn 1 not named
OneTrust cookielaw.org other 3 not named
Vimeo vimeocdn.com cdn 2 not named

policy claims

No privacy policy could be located on this site.

response headers

hsts
yes
csp
no
server
cloudflare

run this yourself

Every audit on this site is reproducible. Install stackpeek and run the same check against https://gitlab.com from your own machine — the tool is MIT-licensed and runs locally. 

pip install stackpeek
stackpeek audit https://gitlab.com

source on GitHub · methodology · cli docs

provenance

This audit was generated by running stackpeek against https://gitlab.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the policy discovery results (no policy document was located) using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.