diff --git a/CHANGELOG.md b/CHANGELOG.md
index d6bc09d..44c6f4c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.37.0]
+- GitLab: include nested subgroup projects when enumerating group repositories
+
 ## [1.36.0]
 - Fixed GitHub organization and GitLab group scans when using `--git-history=none`
 - JWT tokens without both `iss` and `aud` are no longer reported as active credentials
diff --git a/Cargo.toml b/Cargo.toml
index 4114e10..aec70d4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
 
 [package]
 name = "kingfisher"
-version = "1.36.0"
+version = "1.37.0"
 description = "MongoDB's blazingly fast secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true
diff --git a/src/gitlab.rs b/src/gitlab.rs
index f5b6ee3..c0a85e2 100644
--- a/src/gitlab.rs
+++ b/src/gitlab.rs
@@ -100,10 +100,10 @@ pub async fn enumerate_repo_urls(
                 builder.membership(true);
             }
             RepoType::All => {
-                // nothing
+                //  this doesn’t set any owned() or membership() flags on the builder, which in GitLab’s API defaults to "all visible repos"
             }
         }
-        
+
         // Extract the builder to a separate variable to avoid borrowing a temporary,
         // allowing us to modify its fields before building the endpoint.
         let projects_ep = builder.build()?;
@@ -137,6 +137,8 @@ pub async fn enumerate_repo_urls(
     for group in groups {
         let mut gp_builder = GroupProjects::builder();
         gp_builder.group(group.id);
+        // Ensure projects from nested subgroups are also enumerated
+        gp_builder.include_subgroups(true);
 
         if matches!(repo_specifiers.repo_filter, RepoType::Owner) {
             gp_builder.owned(true);
diff --git a/tests/int_rules_no_validated_findings.rs b/tests/int_rules_no_validated_findings.rs
index a6d171d..01a6ad9 100644
--- a/tests/int_rules_no_validated_findings.rs
+++ b/tests/int_rules_no_validated_findings.rs
@@ -61,11 +61,7 @@ fn scan_rules_has_no_validated_findings() -> Result<()> {
         }
 
         // Fail only on genuinely validated secrets
-        assert_ne!(
-            &status,
-            "active credential",
-            "Validated finding detected in rule {rule_id}"
-        );
+        assert_ne!(&status, "active credential", "Validated finding detected in rule {rule_id}");
     }
 
     Ok(())