B
GitLab MCP Server
Community-maintained MCP server for GitLab API providing merge request, issue, pipeline, wiki, and repository tools.
Overall Score71/100
Score Breakdown
Server Info
- Package
- @zereight/mcp-gitlab
- Registry
- npm
- Repository
- zereight/gitlab-mcp
- Maintainer
- Community
- Category
- Developer Tools
- Tags
- gitci-cddevops
- Last Scanned
- 7 Apr 2026
Findings
9 issuesAuthentication & Identity
LOWImplements MCP OAuth spec for per-user authentication
Supports multiple auth methods: PAT via env var (default), GitLab OAuth flow, job tokens, cookie auth. Has full MCP OAuth spec support (GITLAB_MCP_OAUTH=true) with SSE and StreamableHTTP transports. Also supports session-based multi-user mode. Read-only mode available via GITLAB_READ_ONLY_MODE.
Remediation
Document the required OAuth scopes for each tool.
Tool Schema Quality
MEDIUMOnly 0 of 141 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Remediation
Add constraints to string parameters, especially on write operations.
CRITICALDangerous execution surface: execute_graphql
Tool allows raw code/query execution which could be exploited via prompt injection.
Remediation
Use parameterized queries or validated command sets.
Permission Granularity
HIGH4 destructive operations not isolated
Admin/delete tools are mixed with regular operations and cannot be independently disabled.
Remediation
Namespace admin tools separately for independent access control.
LLM Safety
HIGHTool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remediation
Remove instructional language. Descriptions should be purely factual.
MEDIUMOverlapping tool descriptions may cause wrong selection
Similar descriptions between tools could cause the LLM to pick the wrong one.
Remediation
Differentiate descriptions with unique use cases.
Data Exposure
MEDIUM15 list operations lack pagination
Some list tools have pagination parameters (per_page, page), but many list endpoints do not expose pagination. No field selection. The execute_graphql tool could potentially return any data.
Remediation
Add limit/offset or cursor-based pagination.
LOWNo field selection on responses
Responses return full records rather than projected fields.
Remediation
Implement field selection to return only relevant fields.
Maintenance & Trust
LOWCommunity-maintained by zereight
No official vendor backing.
Remediation
Seek vendor verification.
Tools
141 total| Name | Description | Risk |
|---|---|---|
| merge_merge_request | Merge a merge request in a GitLab project | write |
| approve_merge_request | Approve a merge request. Requires appropriate permissions. | write |
| unapprove_merge_request | Unapprove a previously approved merge request. Requires appropriate permissions. | write |
| get_merge_request_approval_state | Get merge request approval details including approvers | read |
| get_merge_request_conflicts | Get the conflicts of a merge request in a GitLab project | read |
| execute_graphql | Execute a GitLab GraphQL query | admin |
| create_or_update_file | Create or update a single file in a GitLab project | write |
| search_repositories | Search for GitLab projects | read |
| create_repository | Create a new GitLab project | write |
| get_file_contents | Get the contents of a file or directory from a GitLab project | read |
| push_files | Push multiple files to a GitLab project in a single commit | write |
| create_issue | Create a new issue in a GitLab project | write |
| create_merge_request | Create a new merge request in a GitLab project | write |
| fork_repository | Fork a GitLab project to your account or specified namespace | write |
| create_branch | Create a new branch in a GitLab project | write |
| get_merge_request | Get details of a merge request with compact deployment, commit addition, and approval summaries | read |
| get_merge_request_diffs | Get the changes/diffs of a merge request | read |
| list_merge_request_changed_files | STEP 1 of code review workflow. Returns ONLY the list of changed file paths in a merge request. | read |
| list_merge_request_diffs | List merge request diffs with pagination support | read |
| get_merge_request_file_diff | STEP 2 of code review workflow. Get diffs for one or more files from a merge request. | read |
| list_merge_request_versions | List all versions of a merge request | read |
| get_merge_request_version | Get a specific version of a merge request | read |
| get_branch_diffs | Get the changes/diffs between two branches or commits in a GitLab project | read |
| update_merge_request | Update a merge request | write |
| create_note | Create a new note (comment) to an issue or merge request | write |
| create_merge_request_thread | Create a new thread on a merge request | write |
| resolve_merge_request_thread | Resolve a thread on a merge request | write |
| mr_discussions | List discussion items for a merge request | read |
| delete_merge_request_discussion_note | Delete a discussion note on a merge request | write |
| update_merge_request_discussion_note | Update a discussion note on a merge request | write |
| create_merge_request_discussion_note | Add a new discussion note to an existing merge request thread | write |
| create_merge_request_note | Add a new note to a merge request | write |
| delete_merge_request_note | Delete an existing merge request note | write |
| get_merge_request_note | Get a specific note for a merge request | read |
| get_merge_request_notes | List notes for a merge request | read |
| update_merge_request_note | Modify an existing merge request note | write |
| get_draft_note | Get a single draft note from a merge request | read |
| list_draft_notes | List draft notes for a merge request | read |
| create_draft_note | Create a draft note for a merge request | write |
| update_draft_note | Update an existing draft note | write |
| delete_draft_note | Delete a draft note | write |
| publish_draft_note | Publish a single draft note | write |
| bulk_publish_draft_notes | Publish all draft notes for a merge request | write |
| update_issue_note | Modify an existing issue thread note | write |
| create_issue_note | Add a new note to an existing issue thread | write |
| list_issues | List issues (default: created by current user only; use scope='all' for all accessible issues) | read |
| my_issues | List issues assigned to the authenticated user (defaults to open issues) | read |
| get_issue | Get details of a specific issue in a GitLab project | read |
| update_issue | Update an issue in a GitLab project | write |
| delete_issue | Delete an issue from a GitLab project | admin |
| list_issue_links | List all issue links for a specific issue | read |
| list_issue_discussions | List discussions for an issue in a GitLab project | read |
| get_issue_link | Get a specific issue link | read |
| create_issue_link | Create an issue link between two issues | write |
| delete_issue_link | Delete an issue link | write |
| list_namespaces | List all namespaces available to the current user | read |
| get_namespace | Get details of a namespace by ID or path | read |
| verify_namespace | Verify if a namespace path exists | read |
| get_project | Get details of a specific project | read |
| list_projects | List projects accessible by the current user | read |
| list_project_members | List members of a GitLab project | read |
| list_labels | List labels for a project | read |
| get_label | Get a single label from a project | read |
| create_label | Create a new label in a project | write |
| update_label | Update an existing label in a project | write |
| delete_label | Delete a label from a project | write |
| list_group_projects | List projects in a GitLab group with filtering options | read |
| list_wiki_pages | List wiki pages in a GitLab project | read |
| get_wiki_page | Get details of a specific wiki page | read |
| create_wiki_page | Create a new wiki page in a GitLab project | write |
| update_wiki_page | Update an existing wiki page in a GitLab project | write |
| delete_wiki_page | Delete a wiki page from a GitLab project | write |
| list_group_wiki_pages | List wiki pages in a GitLab group | read |
| get_group_wiki_page | Get details of a specific group wiki page | read |
| create_group_wiki_page | Create a new wiki page in a GitLab group | write |
| update_group_wiki_page | Update an existing wiki page in a GitLab group | write |
| delete_group_wiki_page | Delete a wiki page from a GitLab group | write |
| get_repository_tree | Get the repository tree for a GitLab project (list files and directories) | read |
| list_pipelines | List pipelines in a GitLab project with filtering options | read |
| get_pipeline | Get details of a specific pipeline in a GitLab project | read |
| list_deployments | List deployments in a GitLab project with filtering options | read |
| get_deployment | Get details of a specific deployment in a GitLab project | read |
| list_environments | List environments in a GitLab project | read |
| get_environment | Get details of a specific environment in a GitLab project | read |
| list_pipeline_jobs | List all jobs in a specific pipeline | read |
| list_pipeline_trigger_jobs | List all trigger jobs (bridges) in a specific pipeline that trigger downstream pipelines | read |
| get_pipeline_job | Get details of a GitLab pipeline job number | read |
| get_pipeline_job_output | Get the output/trace of a GitLab pipeline job with optional pagination | read |
| create_pipeline | Create a new pipeline for a branch or tag | write |
| retry_pipeline | Retry a failed or canceled pipeline | write |
| cancel_pipeline | Cancel a running pipeline | write |
| play_pipeline_job | Run a manual pipeline job | write |
| retry_pipeline_job | Retry a failed or canceled pipeline job | write |
| cancel_pipeline_job | Cancel a running pipeline job | write |
| list_job_artifacts | List artifact files in a job's artifacts archive. | read |
| download_job_artifacts | Download the entire artifact archive (zip) for a job to a local path. | read |
| get_job_artifact_file | Get the content of a single file from a job's artifacts by its path within the archive | read |
| list_merge_requests | List merge requests. Without project_id, lists MRs assigned to the authenticated user by default. | read |
| list_milestones | List milestones in a GitLab project with filtering options | read |
| get_milestone | Get details of a specific milestone | read |
| create_milestone | Create a new milestone in a GitLab project | write |
| edit_milestone | Edit an existing milestone in a GitLab project | write |
| delete_milestone | Delete a milestone from a GitLab project | admin |
| get_milestone_issue | Get issues associated with a specific milestone | read |
| get_milestone_merge_requests | Get merge requests associated with a specific milestone | read |
| promote_milestone | Promote a milestone to the next stage | write |
| get_milestone_burndown_events | Get burndown events for a specific milestone | read |
| get_users | Get GitLab user details by usernames | read |
| list_commits | List repository commits with filtering options | read |
| get_commit | Get details of a specific commit | read |
| get_commit_diff | Get changes/diffs of a specific commit | read |
| list_group_iterations | List group iterations with filtering options | read |
| upload_markdown | Upload a file to a GitLab project for use in markdown content | write |
| download_attachment | Download an uploaded file from a GitLab project by secret and filename. | read |
| list_events | List all events for the currently authenticated user. | read |
| get_project_events | List all visible events for a specified project. | read |
| list_releases | List all releases for a project | read |
| get_release | Get a release by tag name | read |
| create_release | Create a new release in a GitLab project | write |
| update_release | Update an existing release in a GitLab project | write |
| delete_release | Delete a release from a GitLab project (does not delete the associated tag) | admin |
| create_release_evidence | Create release evidence for an existing release (GitLab Premium/Ultimate only) | write |
| download_release_asset | Download a release asset file by direct asset path | read |
| get_work_item | Get a single work item with full details including status, hierarchy, type, labels, assignees, and all widgets. | read |
| list_work_items | List work items in a project with filters (type, state, search, assignees, labels). | read |
| create_work_item | Create a new work item (issue, task, incident, test_case, epic, etc.). | write |
| update_work_item | Update a work item. Can modify title, description, labels, assignees, weight, state, status, parent hierarchy, and more. | write |
| convert_work_item_type | Convert a work item to a different type (e.g. issue to task). | write |
| list_work_item_statuses | List available statuses for a work item type in a project. | read |
| list_custom_field_definitions | List available custom field definitions for a work item type in a project. | read |
| move_work_item | Move a work item to a different project. | write |
| list_work_item_notes | List notes and discussions on a work item. | read |
| create_work_item_note | Add a note/comment to a work item. | write |
| get_timeline_events | List timeline events for an incident. | read |
| create_timeline_event | Create a timeline event on an incident. | write |
| list_webhooks | List all configured webhooks for a GitLab project or group. | read |
| list_webhook_events | List recent webhook events (past 7 days) for a project or group webhook. | read |
| get_webhook_event | Get full details of a specific webhook event by ID. | read |
| search_code | Search for code across all projects on the GitLab instance. | read |
| search_project_code | Search for code within a specific GitLab project. | read |
| search_group_code | Search for code within a specific GitLab group. | read |
Deploy GitLab MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow