Summary
pkg/git/gitlab/gitlab.go creates project hooks with EnableSSLVerification set to false (&f), which disables TLS certificate verification for the webhook URL.
    f := false // pointer target for EnableSSLVerification: TLS verification of the webhook URL is switched off
    t := true  // pointer target for PushEvents
    webhook := &gitlab.AddProjectHookOptions{
        EnableSSLVerification: &f,
        PushEvents:            &t,
        Token:                 &webhookSecret,
        URL:                   &payloadURL,
    }
Problem
For HTTPS payload URLs, disabling SSL verification is an insecure default and is inconsistent with tightening GitHub repository webhooks (pkg/git/github).
Proposal
Default EnableSSLVerification to true for HTTPS webhook targets (or always true unless an explicit opt-in exists for dev/self-signed).
This idea came as a follow-up of #3714.
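The following is an added example of the proposed default, not code from the project or the issue author. It decides the `EnableSSLVerification` value from the payload URL scheme plus a hypothetical explicit opt-in flag (`allowInsecureTLS`, assumed here for dev/self-signed use), and uses a local stand-in struct with the same field names as go-gitlab's `AddProjectHookOptions` so it compiles offline without the external module.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// addProjectHookOptions mirrors the fields of go-gitlab's
// AddProjectHookOptions used in the issue; it is a local stand-in so this
// example builds without the external dependency (assumption).
type addProjectHookOptions struct {
	EnableSSLVerification *bool
	PushEvents            *bool
	Token                 *string
	URL                   *string
}

// webhookTLSVerification returns the value EnableSSLVerification should get
// for payloadURL. Verification is on by default and is switched off only for
// an HTTPS target when the caller explicitly opted in. allowInsecureTLS is a
// hypothetical opt-in flag, not an existing project option.
func webhookTLSVerification(payloadURL string, allowInsecureTLS bool) (bool, error) {
	u, err := url.Parse(payloadURL)
	if err != nil {
		return false, fmt.Errorf("invalid webhook URL: %w", err)
	}
	switch u.Scheme {
	case "https":
		// Secure default: verify unless explicitly opted out (dev/self-signed).
		return !allowInsecureTLS, nil
	case "http":
		// Plain HTTP performs no TLS handshake, so the flag has no effect;
		// keep it true so a later switch to https stays verified.
		return true, nil
	default:
		return false, errors.New("webhook URL must use http or https")
	}
}

// newProjectHook builds the hook options with the decided verification flag,
// keeping the PushEvents/Token/URL fields from the snippet in the issue.
func newProjectHook(payloadURL, webhookSecret string, allowInsecureTLS bool) (*addProjectHookOptions, error) {
	verify, err := webhookTLSVerification(payloadURL, allowInsecureTLS)
	if err != nil {
		return nil, err
	}
	pushEvents := true
	return &addProjectHookOptions{
		EnableSSLVerification: &verify,
		PushEvents:            &pushEvents,
		Token:                 &webhookSecret,
		URL:                   &payloadURL,
	}, nil
}

func main() {
	// Constructed sample inputs, not taken from the project.
	cases := []struct {
		url      string
		insecure bool
	}{
		{"https://ci.example.com/hook", false},
		{"https://dev.example.internal/hook", true},
		{"http://localhost:8080/hook", false},
		{"ftp://files.example.com/hook", false},
	}
	for _, c := range cases {
		h, err := newProjectHook(c.url, "s3cr3t", c.insecure)
		if err != nil {
			fmt.Printf("%s rejected: %v\n", c.url, err)
			continue
		}
		fmt.Printf("%s EnableSSLVerification=%v\n", c.url, *h.EnableSSLVerification)
	}
}
```

With this shape the insecure path requires a deliberate argument at the call site, so a reviewer can grep for `allowInsecureTLS` rather than hunting for a bare `&f`.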