---
title: GitLab SCM
description: Merge requests, discussions, and pipelines via the glab CLI.
---
Slot: scm · Name: gitlab
## Setup
```bash
glab auth login
```
```yaml title="agent-orchestrator.yaml"
scm: gitlab
scmConfig:
host: gitlab.com # default; override for self-hosted
```
## Mapping
| Concept | GitHub term | GitLab term |
|---|---|---|
| Review request | Pull request | Merge request |
| Review | Review | Discussion / note |
| CI status | Check runs | Pipelines / jobs |
AO normalises these internally — the dashboard and lifecycle state machine don't know which you use.
## Webhook endpoint
AO's dashboard receives webhook events at:
```
POST /api/webhooks
```
The absolute URL is `https:///api/webhooks`. To expose your local dashboard publicly, see [Remote access](/docs/configuration/remote-access).
### GitLab project settings
In your GitLab project go to **Settings → Webhooks → Add new webhook**:
- **URL**: `https:///api/webhooks`
- **Secret token**: the value of your `secretEnvVar` environment variable
- **Trigger events**: Merge request events, Pipeline events, Push events, Note events (review comments)
### Config
```yaml
scm: gitlab
projects:
myproject:
repo: group/project
scm:
webhook:
secretEnvVar: GITLAB_WEBHOOK_TOKEN # env var holding the token
```
Full `webhook.*` sub-object:
| Field | Default | Description |
|---|---|---|
| `enabled` | `true` | Enable or disable webhook processing |
| `path` | `/api/webhooks` | Override the receive path |
| `secretEnvVar` | — | Name of the env var holding the token |
| `signatureHeader` | `x-gitlab-token` | Header carrying the secret token |
| `eventHeader` | `x-gitlab-event` | Header carrying the event type |
| `deliveryHeader` | `x-gitlab-event-uuid` | Header carrying the delivery UUID |
| `maxBodyBytes` | unlimited | Reject payloads larger than this (bytes) |
**Verification**: GitLab sends the configured secret as a literal string in `X-Gitlab-Token`. AO compares this value directly (no HMAC — unlike GitHub's SHA-256 approach).
Polling is still active as a fallback — webhooks are a latency optimisation, not a hard dependency.
## Automated review authors
AO ignores review comments from known bot accounts so they don't block the merge-readiness check. The full list:
**Hardcoded bots:**
| Username |
|---|
| `gitlab-bot` |
| `ghost` |
| `dependabot[bot]` |
| `renovate[bot]` |
| `sast-bot` |
| `codeclimate[bot]` |
| `sonarcloud[bot]` |
| `snyk-bot` |
**Runtime catch-all:** any username matching `/^project_\d+_bot/` (GitLab project access tokens) or ending in `[bot]`.
See [Review loop — bot detection](/docs/guides/review-loop#automated-review-bugbot-detection) for how AO uses this list during the review-pending → mergeable transition.