Would a malicious GitLab employee be able to clone or somehow gain access to a private repo?
Finally an interesting question
I’m not in a position to answer, but I suspect it would be “Yes”
I wouldn’t find it surprising for this to be the case but I would certainly find it strange - for lack of a better word. Why would GitLab position themselves as an open source alternative to GitHub with enterprise features and pricing and yet fail to solve this conundrum? I would guess, although I am not an expert, that this is not a technical issue.
I wonder if the thought is: if you want complete privacy then you should self-host. Which is a fine answer but I haven’t seen it written anywhere.
From a paranoiac point of view, even self-hosting wouldn’t guarantee privacy.
To some organisations everything is open source
At GitLab, we take security of your data extremely seriously. By default, GitLab employees do not have access to private repos. In the rare cases where troubleshooting is required, all activities are approved, audited and reviewed by the Security team throughout the support session. Please also see this section in our handbook regarding Support access to private repos: