apiPulse.app

GitLab

GitLab release and platform updates

GitLab API Changelog Monitoring

GitLab release updates often touch CI pipelines, project automation, integrations, and developer platform features at the same time. This GitLab API Changelog Monitoring page helps your team follow those updates closely and reduce surprises across engineering workflows.

Structured GitLab API Changelog Monitoring makes it easier to evaluate changes that may affect CI, source control workflows, and integration points your teams rely on every day. That helps reduce regressions and improves planning for upgrades or compatibility work.

The benefit of GitLab API Changelog Monitoring is simple: your team gets a repeatable way to watch changes, evaluate risk, and act before small upstream updates turn into customer-facing bugs.

GitLab API down?

Soon we will add direct API status monitoring alongside GitLab API Changelog Monitoring. For now, go to the official API status page on the GitLab website. In the future, we plan to detect trouble earlier than the public status page update cycle.

Recent changes

Showing the last 10 changes from this feed.

05-21-2026

GitLab 19.0

On May 21, 2026, GitLab 19.0 was released with the following features.

We’d also like to announce this month’s Notable Contributor: Norman Debald! We are excited to recognize Norman, a Level 3 contributor with more than 40 merged improvements across GitLab since joining in May 2022.

Primary features

Group-level custom review instructions for GitLab Duo

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Add-ons: GitLab Duo Enterprise
Links: Documentation, Related issue

In previous versions of GitLab, you could only define custom review instructions for GitLab Duo at the project level. Teams working across many projects in the same group had to duplicate the same instructions in every project. Now you can configure shared custom review instructions for an entire group and its subgroups. Select a project in your group to use as a template. When GitLab Duo performs a code review, it combines the group-level .gitlab/duo/mr-review-instructions.yaml file with any instructions defined in the individual project. Both Code Review Flow and GitLab Duo Code Review support group-level custom instructions.

Configure work item types

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related epic

Previously, work item types could be either an Issue or a Task. You can now configure custom work item types in a project to match the way your team plans and tracks work. You can create or rename types to User Story, Bug, or Maintenance. Each work item displays with its type name and a unique icon. The new types support custom fields and status lifecycles, and appear in your saved views and issue boards. Type configuration in the top-level group (GitLab.com) or organization (GitLab Self-Managed) cascades down to all projects. You can also control which types are available for each project.
Enable or disable a type across all projects at once, or let individual projects manage their own type visibility. When you disable a type in a project, existing work items are not affected.

GitLab Secrets Manager now available in open beta

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed
Links: Documentation, Related epic

In previous versions of GitLab, the GitLab Secrets Manager was available only to a closed beta cohort. Most teams relied on external services such as HashiCorp Vault or AWS Secrets Manager. The GitLab Secrets Manager is now available in open beta for Premium and Ultimate customers on GitLab.com and GitLab Self-Managed. When the GitLab Secrets Manager is enabled, project and group Owners can store, retrieve, and reference CI/CD secrets in GitLab. Secrets are scoped to a project or group and are accessible to only pipeline jobs that explicitly request them. During open beta, GitLab Secrets Manager follows the beta support policy and might not be ready for production use. To share feedback, see issue 598100.

GitLab Duo Developer enhancements for merge request workflows

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

GitLab Duo Developer now supports multiple trigger methods: assign it to an issue, select Generate MR, or @mention it in any issue or MR discussion thread to turn feedback, To-do items, and design questions into code changes, follow-up MRs, or research summaries. With AGENTS.md and agent-config.yml configured, GitLab Duo Developer runs your tests and checks before committing. After a top-level group or instance administrator enables the Developer Flow, GitLab automatically adds mention and assign triggers to eligible projects.

Dependency scanning by using SBOM generally available

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related epic

The GitLab SBOM-based dependency scanner is now generally available. Maven, Gradle, and Python projects now have complete visibility into vulnerabilities across their full dependency tree, including vulnerable packages introduced transitively, not just those declared directly.

The analyzer now includes automatic dependency resolution for Maven, Gradle, and Python projects. When a lockfile or resolved dependency graph is not present, the analyzer automatically invokes tooling to resolve the full transitive dependency graph before scanning. Dependency resolution is enabled by default and requires little-to-no additional configuration beyond including the v2 Dependency Scanning template.

For projects where dependency resolution is not possible, the analyzer falls back to manifest scanning. It parses pom.xml, requirements.txt, build.gradle, and build.gradle.kts to identify direct dependencies. Manifest scanning ensures teams always get a starting point for vulnerability coverage, even for projects without lock or build files. Manifest scanning is enabled by default and returns direct dependencies only. For full transitive coverage, enable dependency resolution or provide a dependency lockfile or graph export manually.

Agentic Core

GitLab Duo Core moves to usage-based billing

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

Starting in GitLab 19.0, GitLab Duo Core moves to usage-based billing. Code Suggestions in the Web IDE and desktop IDEs now consume GitLab Credits. GitLab Duo Chat is also changing. For GitLab Duo Core users, Chat is now agentic and runs on GitLab Duo Agent Platform. To use GitLab Duo Chat in the GitLab UI or desktop IDEs, enable GitLab Duo Agent Platform for your instance or top-level group.

Filter exact code search results by repository

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed
Links: Documentation, Related issue

You can now filter exact code search results by repository. With the repo: syntax, you can directly scope your search query to specific repositories or repository patterns without having to go to individual projects. For example, searching for def authenticate repo:my-group/my-project returns results only from that repository. You can also use partial paths or patterns to match multiple repositories.

Merge request ready event trigger

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed
Links: Documentation, Related issue

You can now configure flows and external agents to run on the Merge request ready event. When a draft merge request is marked as ready for review, GitLab Duo automatically runs the flow or external agent. To configure a trigger, go to AI > Triggers in your project. This feature is behind the merge_request_ready_flow_trigger feature flag, disabled by default.

Claude Opus 4.7 now available in GitLab Duo Agent Platform

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

Claude Opus 4.7 is now available in GitLab Duo Agent Platform. Opus 4.7 delivers meaningful improvements to complex, multistep tasks that require sustained reasoning, precise instruction following, and self-verification before surfacing results. This includes flows supporting CI/CD pipelines, code review, vulnerability resolution, and more.

Support for self-hosted Gemini models

Tier: Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

GitLab Duo Agent Platform Self-Hosted is now compatible with Gemini models. Gemini models support multiple flows, including the Code Review Flow, SAST Vulnerability Resolution Flow, Fix CI/CD Pipeline Flow, and more.

Expanded open source model support in GitLab Duo Agent Platform

Tier: Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

GitLab Duo Agent Platform now supports additional open source models for self-hosted deployments, including Devstral 2 123B, GLM-5.1-FP8, and others. This helps customers power agentic workflows across a variety of environments, including offline and network-restricted deployments.

Per-session tool approvals with admin controls

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

Before GitLab Duo Agentic Chat can use a tool on your behalf, it requires your approval. Each tool invocation requires a separate approval. Now, you can approve a trusted tool once for an entire session and streamline your workflows. Administrators control whether tool approval for sessions is available. The following settings cascade from instance to group to project:

- On by default
- Off by default
- Always off

Groups and subgroups can modify the setting unless an administrator sets it to Always off. The default setting is Off by default, ensuring each tool invocation requires explicit approval unless an administrator changes it.

Resolve merge conflicts with GitLab Duo (Beta)

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

In previous versions of GitLab, you had to resolve merge conflicts manually in the GitLab UI or from the command line, even for straightforward cases. Now GitLab Duo can autonomously analyze merge conflicts, edit the conflicting files, create a commit, and push to the source branch. Trigger conflict resolution from the Resolve conflicts page or directly from the merge request widget. When complete, GitLab Duo posts a summary comment so reviewers can see what changed. GitLab Duo respects branch protection rules and does not force-push to protected branches.
This feature is in beta and is gated behind the mr_ai_resolve_conflicts feature flag, enabled by default.

Restrict the AI Catalog to a group hierarchy

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

Top-level group Owners can now restrict the AI Catalog to show only agents and flows owned by projects within their group hierarchy. This blocks agents, external agents, or flows not in this hierarchy from being visible or enabled by any user in that group.

Purchase credits on the Free tier on GitLab Self-Managed

Tier: Free
Offering: GitLab Self-Managed
Links: Documentation, Related issue

Free tier users on GitLab Self-Managed can now unlock the full power of GitLab Duo Agent Platform, no Premium or Ultimate subscription required. Choose your monthly credit amount, commit to an annual term, and get instant access to AI-powered development tools. Credits refresh automatically each month, so your team always has what it needs to build faster and smarter.

Admin-defined network access controls for Agent Platform remote flows

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

Administrators can now define centralized network policies for GitLab Duo Agent Platform remote flows directly in Settings. Top-level group administrators on GitLab.com, and instance administrators on GitLab Self-Managed and Dedicated, can configure organization-wide domain denylists and allowlists that projects inherit automatically. An additional setting controls whether projects can extend the approved domain list with custom entries. Policies are enforced at runtime across all remote flows, giving security and platform teams a consistent governance layer for agent network egress.

Scale and Deployments

PostgreSQL 17 minimum requirement

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

The minimum supported version of PostgreSQL is now version 17. If you use the packaged PostgreSQL 16, upgrade the packaged PostgreSQL server before installing GitLab 19.0.

Linux package support for Ubuntu 20.04 discontinued

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

Ubuntu 20.04 reached end of standard support in May 2025. From GitLab 19.0, Linux packages are no longer provided for Ubuntu 20.04. GitLab 18.11 is the last release with packages for this distribution. Before upgrading to GitLab 19.0, migrate to Ubuntu 22.04 or another supported operating system.

Redis 6 support removed

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

Support for Redis 6 is removed in GitLab 19.0. If you use an external Redis 6 deployment, migrate to Redis 7.2 or Valkey 7.2 before upgrading. The bundled Redis included with the Linux package has used Redis 7 since GitLab 16.2 and is not affected.

Mattermost removed from the Linux package

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

Bundled Mattermost is removed from the Linux package in GitLab 19.0. If you currently use the bundled Mattermost, refer to Migrating from the Linux package to Mattermost Standalone for migration instructions. Customers not using the bundled Mattermost are not impacted.

Linux package support for SUSE distributions discontinued

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

Linux package support for SUSE distributions ends in GitLab 19.0, which affects openSUSE Leap 15.6, SUSE Linux Enterprise Server 12.5, and SUSE Linux Enterprise Server 15.6. GitLab 18.11 is the last version with Linux packages for these distributions.
To continue to use SUSE distributions, migrate to a Docker deployment of GitLab.

Spamcheck removed from Linux package and GitLab Helm chart

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

Spamcheck is removed from the Linux package and GitLab Helm chart in GitLab 19.0. Customers not currently using Spamcheck are not impacted. If you use the bundled Spamcheck, you can deploy it separately using Docker. No data migration is required.

NGINX Ingress replaced by Gateway API with Envoy Gateway

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

Gateway API with Envoy Gateway becomes the default networking configuration in the GitLab Helm chart in GitLab 19.0, replacing NGINX Ingress which reached end-of-life in March 2026. If migration to Envoy Gateway is not immediately feasible, you can explicitly re-enable the bundled NGINX Ingress, which remains available until its planned removal in GitLab 20.0. This change does not impact the NGINX used in the Linux package, or Helm chart instances using an externally managed Ingress or Gateway API controller.

Bundled PostgreSQL, Redis, and MinIO removed from GitLab Helm chart

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation, Related issue

The bundled Bitnami PostgreSQL, Bitnami Redis, and MinIO charts are removed from the GitLab Helm chart and GitLab Operator in GitLab 19.0 with no replacement. These components were intended only for proof-of-concept and test environments and are not recommended for production use. If you run an instance with any of these bundled services, follow the migration guide to configure external services before upgrading to GitLab 19.0.

Reliable SCIM user deprovisioning for large groups

Tier: Premium, Ultimate
Offering: GitLab.com
Links: Documentation, Related issue

For organizations managing large numbers of users through SCIM, deprovisioning group members could time out and return 500 errors. SCIM DELETE and PATCH requests now return a success response immediately. Membership removal is handled asynchronously, so identity providers and SCIM clients receive consistent success responses.

Unified DevOps and Security

Auto remediation for vulnerable dependencies (Experiment)

Tier: Ultimate
Offering: GitLab.com
Links: Documentation, Related epic

Auto remediation for dependencies is now available as an experiment in GitLab 19.0. When dependency scanning detects a vulnerable Ruby dependency with a known fix, GitLab automatically opens a merge request to update it to a safe version without human input. Only Ruby projects are supported in the experiment.

After each pipeline, GitLab identifies the highest-severity vulnerability with an available patch or minor version upgrade. GitLab generates the manifest file change and opens a merge request through a service account. The merge request then goes through your project’s standard review and approval workflow. During the experiment, up to three auto-remediation merge requests can be open per project at a time.

To share feedback or request to try out the experiment, make a comment on epic 600511. To enable the experiment on your project, a GitLab team member must enable the dependency_management_auto_remediation feature flag for your project.

Dependency scanning in security configuration profiles

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue

GitLab 18.11 introduced security configuration profiles for SAST and secret detection. Now, dependency scanning is also available with the Dependency Scanning - Default profile.
This profile gives you a unified control surface to apply standardized SCA coverage across all of your projects without editing a single CI/CD configuration file. The profile activates two scan triggers:

- Merge Request Pipelines: Automatically runs a dependency scanning scan each time new commits are pushed to a branch with an open merge request. Results include only new vulnerabilities introduced by the merge request.
- Branch Pipelines (default only): Runs automatically when changes are merged or pushed to the default branch, providing a complete view of your default branch’s dependency posture.

Dependency resolution for Gradle SBOM scanning

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic

GitLab dependency scanning using SBOM now automatically generates a dependency graph (gradle.graph.txt) for Gradle projects. Previously, Gradle dependency scanning required you to generate a dependency graph manually as part of your build. Now, when a graph file is not available, the analyzer generates one automatically, removing this manual step for Java and Kotlin projects using Gradle.

Remediation guidance for API security testing findings

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue

API security vulnerability reports now include remediation guidance for each finding. Previously, API security testing identified vulnerabilities but provided no guidance on how to fix them. Developers had to research remediation steps independently. Now, each finding includes vulnerability-specific remediation steps and references to relevant OWASP and CWE identifiers directly in the vulnerability report.
Remediation guidance is now included for the following checks:

- Application information
- Cleartext authentication
- CORS
- DNS rebinding
- Framework debug mode
- Heartbleed OpenSSL vulnerability
- HTML injection
- Insecure HTTP methods
- JSON hijacking
- JSON injection
- Open redirect
- OS command injection
- Path traversal
- Sensitive file
- Sensitive information
- Session cookie
- Shellshock
- SQL injection
- TLS configuration
- Authentication token
- XML injection

Security data in merge request Reports tab

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related epic

Merge requests include a new Reports tab that shows all findings from security scans, license compliance results, and code quality reports for the pipeline. GitLab bot comments in the activity feed are still available to view any policy violations that prevent the merge request from being merged.

Improved array support for CI/CD inputs

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue

CI/CD inputs now have improved support for working with arrays. Use the array index operator [] to access specific elements within array inputs. This enhancement provides more flexible and powerful input interpolation capabilities in your pipeline configurations, enabling you to reference individual array items directly without additional processing steps.

Select multiple values for pipeline inputs

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue

Previously, you could only select a single value when selecting input options in the UI, limiting flexibility for pipelines with more complex options.
Now when you run a pipeline with inputs from the UI, you can select multiple values from a dropdown list and the selected values are combined into an array, for example ["option1","option2"]. This makes it easy to restart services on multiple instances, build multiple Docker images, run tests with multiple tag combinations, or perform any operation across multiple targets in a single pipeline run.

Detailed CI/CD Catalog component usage analytics

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

When you manage a CI/CD component in the GitLab Catalog, usage details are critical for managing upgrades, enforcing compliance, and communicating breaking changes. You need to know which projects use your components, and which versions they are using. Previously, this information was not available, making it difficult to notify the right maintainers, plan deprecations safely, or ensure projects stay current with the latest security patches.

The component usage details view in the catalog resource page now shows exactly which projects use each component, the version they are running, and whether they are on the latest version or an outdated one. Projects using older versions are surfaced at the top, so you can prioritize outreach, drive adoption of security fixes, and ensure a smooth upgrade path across your organization.

Configure parallel pipeline limits for merge trains

Tier: Premium, Ultimate
Offering: GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

In previous versions of GitLab, you couldn’t change the maximum of 20 parallel pipelines in a merge train, which forced you to either overwhelm your runners or skip merge trains entirely. Now you can configure the parallel pipeline limit per merge train to balance runner load and merge throughput. You can set the limit per project or instance-wide.
Setting the limit to 1 means each merge request runs one at a time, against a clean target branch. Thanks to Norman Debald (@Modjo85) for this community contribution.

Customize default merge request titles

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed
Links: Documentation, Related issue

In previous versions of GitLab, the default title for a new merge request came from the source branch or first commit, and you couldn’t enforce a consistent naming convention across your project. Now you can configure a default merge request title template per project. Templates support variables for the source branch, target branch, first commit subject, linked issue ID, issue title, and a human-readable version of the source branch name. For example, the template Resolve %{issue_id} "%{issue_title}" produces titles like Resolve 123 "Fix login bug". You can still edit the title before creating the merge request.

Secure webhooks with HMAC signing tokens

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue

The existing X-Gitlab-Token header sends a static secret in plain text, making webhooks susceptible to interception and replay attacks. You can now add a signing token to any webhook. GitLab uses the signing token to compute an HMAC-SHA256 signature over:

- The unique webhook ID.
- The request timestamp.
- The webhook payload.

GitLab then sends the result in the webhook-signature header alongside webhook-id and webhook-timestamp headers, following the Standard Webhooks specification. You can recompute the signature to confirm requests genuinely came from GitLab and that the payload has not been modified. By also validating the timestamp, you can reject replayed requests.

Thanks to Van Anderson and Norman Debald for their community contributions!
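
Receiver-side verification of the signed webhook headers described above, as an added example (not GitLab's code and not part of the release notes). It assumes the Standard Webhooks conventions the notes cite: the signed content is "<webhook-id>.<webhook-timestamp>.<payload>", the header carries "v1,<base64 HMAC>" entries, and the signing token is base64 with an optional whsec_ prefix. The 300-second tolerance, the in-memory ID cache and all sample values are constructed for illustration; confirm the token format against the GitLab documentation.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; tune to your clock skew


def decode_signing_token(token: str) -> bytes:
    """Standard Webhooks convention (assumed to apply to GitLab's token):
    a base64 key, optionally prefixed with 'whsec_'."""
    if token.startswith("whsec_"):
        token = token[len("whsec_"):]
    return base64.b64decode(token, validate=True)


def compute_signature(key: bytes, msg_id: str, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<id>.<timestamp>.<body>', encoded as 'v1,<base64>'."""
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + body
    digest = hmac.new(key, signed, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify_webhook(key, headers, body, seen_ids, now=None):
    """Return 'ok', or the reason the request must be rejected.

    body must be the raw request bytes, not a re-serialized JSON object.
    seen_ids is a set of already accepted webhook-id values (a shared cache
    with expiry in a real deployment; a plain set here).
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    msg_id = h.get("webhook-id")
    ts_raw = h.get("webhook-timestamp")
    sig_header = h.get("webhook-signature")
    if not (msg_id and ts_raw and sig_header):
        return "missing-header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return "bad-timestamp"
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return "stale"
    expected = compute_signature(key, msg_id, ts_raw, body).encode()
    # The header may carry several space-separated signatures (key rotation).
    candidates = [s.encode() for s in sig_header.split() if s.startswith("v1,")]
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        return "bad-signature"
    # Record the ID only after the signature checks out, so unauthenticated
    # requests cannot fill the cache.
    if msg_id in seen_ids:
        return "replayed"
    seen_ids.add(msg_id)
    return "ok"


# --- Constructed sample data (not real GitLab values) ---
SAMPLE_TOKEN = "whsec_" + base64.b64encode(b"constructed-demo-key-0123456789ab").decode()
SAMPLE_BODY = b'{"object_kind":"push","project_id":1}'
SAMPLE_TS = "1700000000"
SAMPLE_ID = "msg_constructed_0001"


def sample_headers(body=SAMPLE_BODY):
    """Headers a sender holding SAMPLE_TOKEN would attach to the given body."""
    key = decode_signing_token(SAMPLE_TOKEN)
    return {
        "Webhook-Id": SAMPLE_ID,
        "Webhook-Timestamp": SAMPLE_TS,
        "Webhook-Signature": compute_signature(key, SAMPLE_ID, SAMPLE_TS, body),
    }


if __name__ == "__main__":
    key = decode_signing_token(SAMPLE_TOKEN)
    seen = set()
    t0 = int(SAMPLE_TS)
    print("fresh delivery :", verify_webhook(key, sample_headers(), SAMPLE_BODY, seen, now=t0 + 10))
    print("same delivery  :", verify_webhook(key, sample_headers(), SAMPLE_BODY, seen, now=t0 + 20))
    print("modified body  :", verify_webhook(key, sample_headers(), SAMPLE_BODY + b" ", set(), now=t0 + 10))
    print("one hour later :", verify_webhook(key, sample_headers(), SAMPLE_BODY, set(), now=t0 + 3600))
```

The timestamp check bounds how long a captured request stays valid; the webhook-id cache covers replays inside that window.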

Cross-project pushes using CI/CD job tokens

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation, Related issue

In previous versions of GitLab, you could only use a CI/CD job token (CI_JOB_TOKEN) to push to the same repository where the pipeline runs. Cross-project pushes required a personal access token or deploy token. You can now use a job token to push to another project when:

- The target project opts in.
- The user who starts the pipeline has at least the Developer role in the target project.

This feature is behind the allow_push_to_allowlisted_projects feature flag, disabled by default in GitLab 19.0. Ask your administrator to enable it.

Mermaid diagram rendering upgraded to version 11

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation, Related issue

GitLab now uses Mermaid version 11 for rendering diagrams in Markdown. Previously, GitLab supported Mermaid version 10. With this upgrade, you get access to all the new diagram types, syntax improvements, and bug fixes introduced in Mermaid 11, including enhanced rendering for flowcharts, sequence diagrams, and more.

Rapid Diffs for merge request reviews (Beta)

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed
Links: Documentation, Related issue

In previous versions of GitLab, you would have to wait for the Changes tab to load all files before you could begin reviewing, which slowed down large reviews. Now you can use Rapid Diffs to review merge requests with faster initial load, smoother scrolling, and more responsive interactions across files. Rapid Diffs uses the same technology that already powers the commits page.

Rapid Diffs is in beta. Some features from the classic diff experience aren’t yet available. You can switch back at any time. Watch the overview video and share your experience in the feedback issue.

GitLab Runner 19.0

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation

We’re also releasing GitLab Runner 19.0 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What’s New

- Runner instrumentation: Feature negotiation, OTLP export client, and first job_execution span
- Add configurable prepare stage timeout to runner configuration

Bug Fixes

- Comprehensive fixes for FF_SCRIPTS_TO_STEPS feature flag implementation
- SignatureDoesNotMatch error when downloading S3 cache
- Runtime error when GitLab Runner runs in AWS with S3 cache
- Broken RPM S3 download links for amd64, arm64, arm, and armhf in GitLab Runner 18.9.0 and later
- Negative exit codes are reported incorrectly on Windows
- Incorrect Kubernetes executor service container naming documentation

The list of all changes is in the GitLab Runner CHANGELOG.

04-16-2026

GitLab 18.11 released with automated remediation & new foundational agents

04-16-2026

GitLab 18.11 release notes

On April 16, 2026, GitLab 18.11 was released with the following features. In addition, we want to thank all of our contributors, including this month’s notable contributor.

This month’s Notable Contributor: Rinku C

We are excited to recognize Rinku C, a Level 4 contributor with over 80 merged improvements across GitLab since joining in September 2025. Nominated by Arianna Haradon, Senior Fullstack Engineer on the Developer Relations team, this award celebrates his sustained and meaningful impact over time. Rinku has strengthened security-sensitive flows by requiring scopes on project and group access token creation forms, and improved everyday GitLab experience with numerous updates like next/previous navigation in job logs, excluding empty searches from recent, and reducing file tree clutter through thoughtful UI refinements that make common workflows clearer and easier to navigate. Rinku tackles the work that often goes unclaimed, keeping the codebase healthy and compounding to meaningful, lasting value. Thank you for your contributions!

Primary features

Vulnerability resolution generally available on GitLab Duo Agent Platform

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related issue

Agentic SAST Vulnerability Resolution is now generally available in GitLab 18.11 on the GitLab Duo Agent Platform. It runs as part of your SAST scan, after SAST false positive detection runs, or when manually triggered for individual SAST vulnerabilities. Agentic SAST Vulnerability Resolution:

- Autonomously analyzes the finding and reasons through the surrounding code context.
- Automatically creates a ready-to-review merge request with proposed code fixes for critical and high severity SAST vulnerabilities.
- Provides quality assessments so reviewers can quickly gauge confidence in the proposed remediation.
- Allows you to apply resolutions directly from vulnerability details pages.

We welcome your feedback in issue 585626.

GitLab Data Analyst Foundational Agent now generally available

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related epic

The Data Analyst Agent is a specialized AI chat assistant that helps you query, visualize, and surface data across the GitLab platform. Backed by the GitLab Query Language (GLQL), the Data Analyst can retrieve and analyze data about each of the supported data sources, and provide clear, actionable insights about your software development health and engineering efficiency. These insights can be visualized directly in the agent output and embedded directly into issues and epics for further evaluation.

CI Expert Agent launches in beta

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related issue

The AI-powered CI Expert Agent is now available in beta. This agent helps teams get from GitLab code to a first working pipeline without starting from a blank .gitlab-ci.yml. Using GitLab Duo Agent Platform, the agent inspects your repository, asks a few guided questions about your build and test process, and generates a ready-to-run pipeline you can review, edit, and commit. This turns pipeline creation into a conversational, context-aware experience, while still letting you take full control of the YAML after you’re ready to evolve and optimize your configuration.

Automated vulnerability severity overrides

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

Default vulnerability severities don’t always reflect your organization’s actual risk. A critical CVE in an internal-only service might not warrant the same urgency as one in a public-facing application, yet teams spend significant time triaging findings that don’t match their risk model.
Vulnerability management policies can now automatically adjust the severity of vulnerabilities based on conditions like CVE ID, CWE ID, file path, and directory. When applied, the policy updates the severity of any vulnerability that matches the criteria on the default branch. Manual overrides still take precedence, and all changes are logged in the vulnerability’s history and audit events. This reduces triage work and ensures developers focus on the findings that matter most to your business. Create Service Account in subgroups and projects Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Teams can now create service accounts in subgroups and projects. Instead of broad, top-level group bots, you can attach a dedicated service account to a single subgroup or project and manage its access like any other member of that namespace. Group and subgroup service accounts can be invited to the group where they were created or to any descendant subgroups and projects. Project service accounts are limited to their own project. Service Accounts available on GitLab Free Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Service accounts are now available on GitLab.com in all tiers. Previously limited to Premium and Ultimate, service accounts let you perform automated actions, access data, or run scheduled processes without tying credentials to individual team members. They’re commonly used in pipelines and third-party integrations where credentials must stay stable regardless of team changes. On GitLab Free, you can create up to 100 service accounts per top-level group, including those created in subgroups or projects. 
Fine-grained permissions for personal access tokens now available (Beta) Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Fine-grained personal access tokens (PATs) are now available in beta. Unlike legacy PATs, which grant access to every project and group you belong to, fine-grained PATs let you limit each token to specific resources and actions. This reduces the potential impact of a leaked or compromised token. Your existing PATs continue to work as before, and you can still create legacy PATs without fine-grained permissions. This beta release covers approximately 75% of the GitLab REST API. Full REST API coverage, GraphQL enforcement, and administrator policy controls are planned for the GA release. To share feedback, see epic 18555. Top CWE chart in security dashboards Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic The top CWE chart is now available on the new security dashboards. Identify the most common CWEs across your project or instance to identify opportunities for training, improvement, or program optimization. Users can group the dashboard data by severity and filter the dashboard by severity, project, and report type. Deploy Gitaly on Kubernetes Tier: Free, Premium, Ultimate Offering: GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue You can now deploy Gitaly on Kubernetes as a fully supported deployment method. This gives you greater flexibility in managing your GitLab infrastructure by using Kubernetes orchestration capabilities for scaling, high availability, and resource management. Previously, Kubernetes deployments required custom configurations and weren’t officially supported, making it difficult to maintain reliable Gitaly deployments in containerized environments. 
Reconfigure inputs when manually running MR pipelines Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue A powerful aspect of CI/CD inputs is that you can manually run new pipelines with new values for runtime customization. This was not available in merge request (MR) pipelines before, but in this release you can now customize inputs in MR pipelines too. After you configure inputs for MR pipelines, you can optionally modify those inputs and change the pipeline behavior any time you run a new pipeline for a merge request. Agentic Core Default model for GitLab Duo Agentic Chat updated from Haiku 4.5 to Sonnet 4.6 Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Links: Documentation | Related issue We’ve made an update to improve your Agentic Chat experience in GitLab. The default model for Agentic Chat was upgraded from Claude Haiku 4.5 to Claude Sonnet 4.6, hosted on Vertex AI. Claude Sonnet 4.6 offers improved reasoning and response quality but uses a higher GitLab Credit multiplier than Haiku 4.5. You can select an alternative model, including Haiku, using the model selection setting. If you’ve already selected a specific model, your choice is preserved. This update only affects the default and will not override any existing selections. For information about credit multipliers by model, see the GitLab Credits documentation. Configure tools in custom flow definitions Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue You can now configure tool options and parameter values directly in your custom flow definitions to supersede the LLM default values. 
This gives you more precise, consistent control over how tools behave within a custom flow, making it easier to enforce guardrails and specific parameter values across that flow. Mistral AI now supported as a self-hosted model in GitLab Duo Agent Platform Tier: Premium, Ultimate Offering: GitLab Self-Managed Links: Documentation | Related issue GitLab Duo Agent Platform now supports Mistral AI as an LLM platform for self-hosted model deployments. GitLab Self-Managed customers can configure Mistral AI alongside existing supported platforms, including AWS Bedrock, Google Vertex AI, Azure OpenAI, Anthropic, and OpenAI. This gives teams more choice in how they run AI-powered features. Scale and Deployments View historical months in GitLab Credits dashboard Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue The GitLab Credits dashboard in Customers Portal now supports historical month navigation. Billing managers can browse past billing months to review daily usage trends, compare consumption patterns across periods, and reconcile usage with invoices. Previously, the dashboard only displayed the current billing month. With this improvement, administrators can make more informed decisions about credit allocation and forecast future needs based on historical data. Set subscription-level usage cap for GitLab Credits Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation Administrators can now set a monthly usage cap for On-Demand Credits at the subscription level. When total on-demand credit consumption reaches the configured cap, GitLab Duo Agent Platform access is automatically suspended for all users on that subscription until the next billing period begins or the admin adjusts the cap. 
This setting gives organizations a hard guardrail against unexpected overage bills, removing a key barrier to broader Agent Platform rollout. Caps reset automatically each billing period, and administrators receive an email notification when the cap is reached. Set per-user GitLab Credits cap Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation Administrators can now set an optional per-user usage cap for GitLab Credits per billing period. When an individual user’s total credit consumption reaches the configured limit, GitLab Duo Agent Platform access is suspended only for that user, while other users continue unaffected. This prevents any single user from consuming a disproportionate share of the organization’s credit pool, and gives administrators fine-grained control over usage distribution. Per-user usage caps work alongside subscription-level usage caps, by applying the cap that is reached first. Linux package improvements Tier: Free, Premium, Ultimate Offering: GitLab Self-Managed Links: Documentation | Related issue In GitLab 19.0, the minimum-supported version of PostgreSQL will be version 17. To prepare for this change, on instances that don’t use PostgreSQL Cluster, upgrades to GitLab 18.11 will attempt to automatically upgrade PostgreSQL to version 17. If you use PostgreSQL Cluster or opt out of this automated upgrade, you must manually upgrade to PostgreSQL 17 to be able to upgrade to GitLab 19.0. Backup and Restore Support for Container Registry Metadata Database Tier: Free, Premium, Ultimate Offering: GitLab Self-Managed Links: Documentation | Related issue The GitLab backup Rake task for Linux package installations and the [backup-utility](https://docs.gitlab.com/charts/backup-restore/) for Cloud Native (Helm) installations now support the container registry metadata database. 
You can now back up references to blobs, manifests, tags, and other data stored in the metadata database, enabling recovery in the event of malicious or accidental data corruption. New navigation experience for groups in Explore Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic We’re excited to announce improvements to the groups list in Explore, making it easier to discover groups across your GitLab instance. The redesigned interface introduces a tabbed layout with two views: Active tab: Browse all accessible groups, helping you discover relevant communities and projects. Inactive tab: View archived groups and groups pending deletion for visibility into group lifecycle status. These changes streamline group discovery and provide clearer visibility into which groups are available to join. Asynchronous transfer of projects Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic In previous versions of GitLab, transfers of large groups and projects could time out. As we move groups and projects to use a unified state model for operations such as transfer, archive, and deletion, you get more consistent behavior, better visibility into state history and audit details, and fewer timeouts, specifically for long-running transfer operations, through asynchronous processing. Unified DevOps and Security ClickHouse is generally available for Self-Managed deployments Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Links: Documentation | Related issue For GitLab Self-Managed instances, we now have improved recommendations and configuration guidance for the GitLab ClickHouse integration. Customers have options to bring their own cluster, or use the ClickHouse Cloud (recommended) setup option. 
This integration powers multiple dashboards and unlocks access to various API endpoints within the analytics space. This scalable, high-performance database is part of the larger architectural improvements planned for the GitLab analytics infrastructure. Enhanced GitLab Duo Agent Platform analytics on Duo and SDLC trends dashboard Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Add-ons: Duo Pro, Duo Enterprise Links: Documentation | Related epic The GitLab Duo and SDLC trends dashboard delivers improved analytics capabilities to measure the impact of GitLab Duo on software delivery. The dashboard now includes new single stat panels for monthly Agent Platform unique users and Agentic Chat sessions. Additionally, metrics previously displayed as a % usage compared to seat assignments have been updated to strictly report usage counts. This change resolves the issue where counts were missing Agent Platform usage controlled under the new usage billing model. GLQL now has access to projects, pipelines, and jobs data sources Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Links: Documentation The GitLab Query Language (GLQL) now has access to three new data sources: projects, pipelines, and jobs. These new data sources are also available as embedded views, letting teams surface pipeline results, job statuses, and project overviews directly in wikis, issue and merge request descriptions, and repository Markdown files. GLQL also powers the Data Analyst Agent. With these new types, the agent can inspect CI/CD job results, debug failures, and provide detailed overviews of pipeline execution, as well as provide an accurate overview of projects in a namespace. 
Dependency resolution for Maven and Python SBOM scanning Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic GitLab dependency scanning using SBOM now supports generating a dependency graph automatically for Maven and Python projects. Previously, dependency scanning required users to provide a lock file or a graph file to get an accurate dependency analysis. Now, when a lock file or graph file is not available, the analyzer automatically attempts to generate one. This improvement makes it easier for Maven and Python projects to enable dependency scanning without requiring a lock file. Incremental scanning for Advanced SAST Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic You can now perform incremental scans that analyze only changed parts of the codebase with GitLab Advanced SAST, significantly reducing scan times compared to full repository scans. This feature is a further iteration of diff-based scanning, because it produces full results for codebases. By scanning just the code that has changed rather than the entire codebase, your teams can integrate security testing more seamlessly into their development workflow without sacrificing speed or adding friction. Unverified vulnerabilities (Beta) Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Advanced SAST can now surface unverified vulnerabilities (findings that cannot be fully traced from source to sink) directly in the vulnerability report. Enable this feature if you have a higher tolerance for false positives over false negatives. This feature is in beta status. Provide feedback in issue 596512. 
Kubernetes 1.35 support Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue GitLab now fully supports Kubernetes version 1.35. If you want to deploy your applications to Kubernetes and access all features, upgrade your connected clusters to the most recent version. For more information, see supported Kubernetes versions for GitLab features. Prefer mode for the container registry metadata database Tier: Free, Premium, Ultimate Offering: GitLab Self-Managed Links: Documentation | Related issue You can now set the container registry metadata database to prefer mode, a new configuration option alongside the existing true and false values. In prefer mode, the registry automatically detects whether it should use the metadata database or fall back to legacy storage based on the current state of your installation. If your registry has existing filesystem metadata that has not been imported to the database, the registry continues to use legacy storage until you complete a metadata import. If the database is already in use, or on a fresh installation, the registry uses the database directly. In a later release, prefer mode will become the default for new Linux package installations. Existing installations will not be affected. For more information, see issue 595480. Package protection rules now support Terraform modules Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Teams publishing Terraform modules through the built-in GitLab Terraform module registry had no way to restrict who could push new module versions. Package protection rules supported several package formats but did not include terraform_module, leaving infrastructure teams without a project-level push control. 
You can now create package protection rules scoped to terraform_module, restricting push access based on minimum role. Support is available in the UI package type dropdown, the REST API, the GraphQL API, and the GitLab Terraform provider resource. Release evidence now includes packages Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue When creating a GitLab Release, packages published to the package registry were not automatically associated with it. Teams had to manually construct package URLs and attach them as release links through the API or pipeline scripts, adding friction and risk of incomplete release records. GitLab now automatically includes packages in release evidence when the package version matches the release tag. This creates a verifiable, auditable link between your release and its associated packages without any manual steps, keeping source code, artifacts, and packages together in one complete release snapshot. Wiki sidebar toggle repositioned for easier access Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue The wiki sidebar toggle is now positioned on the left side, directly next to the sidebar it controls. When the sidebar is collapsed, the toggle remains visible as a floating control so you can reopen it without scrolling back to the top of the page. Sticky action bar on wiki pages Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue The action bar on wiki pages is now sticky, so it remains visible as you scroll through a page. Previously, you had to scroll back to the top to access actions like editing, viewing page history, or managing templates. 
Now the page title and key actions, including Edit, New page, Templates, Page history, and more, stay within reach no matter how far down the page you are. Epic weights Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Epics now support weights, making it easier to estimate and prioritize large-scale initiatives during planning. Before breaking down an epic into child issues, you can assign a preliminary weight to represent your initial estimate. As you decompose the epic, the weight automatically updates to reflect the rolled-up total from all child issues. This is consistent with how weight rollup works for issues and tasks. On the epic detail page, you can see both the preliminary weight and the rolled-up weight from child issues, giving you the insight needed to refine estimates over time. Block merge requests with high exploitability risk Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Previously, merge request (MR) approval policies could block MRs based on vulnerability severity, but not all vulnerabilities carry the same risk. CVSS severity alone doesn’t tell you whether a CVE is being exploited or how likely exploitation is. This leads to noisy approval policies and wasted time for developers and security teams. You can now configure MR approval policies using Known Exploited Vulnerability (KEV) and Exploit Prediction Scoring System (EPSS) data. Block or require approval when a finding is in the KEV catalog (actively exploited in the wild), or when its EPSS score is above a threshold. Policy violations in the MR include KEV and EPSS context so developers understand why the security gate was triggered. 
This gives security teams precise control over which findings block or warn, reduces alert fatigue, and keeps enforcement aligned with the current threat landscape. Assign CVSS 4.0 scores to vulnerabilities Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic CVSS 4.0 is the latest version of the industry standard used to assess and rate the severity of a vulnerability. You can now view and access CVSS 4.0 scores in the UI, including the vulnerability details page and the vulnerability report. You can also query the score using the API. Improved row interaction in the vulnerability report Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Previously, you had to select the row description to navigate to a vulnerability details page from the vulnerability report. You can now select anywhere in the row to go directly to its details. Link styling for the vulnerability description and file location only appears when you hover over each link, and keyboard navigation has been improved. These changes make the vulnerability report more intuitive and accessible. Export a security dashboard as a PDF Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic You can export the security dashboard as a PDF for use in reports and presentations. The export captures the current state of all of the charts and panels in the dashboard, including any active filters. SAST scanning in security configuration profiles Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic In GitLab 18.9, we introduced security configuration profiles with the Secret Detection - Default profile. 
In GitLab 18.11, profiles now extend to SAST with the Static Application Security Testing (SAST) - Default profile, giving you a unified control surface to apply standardized static analysis coverage across all your projects without touching a single CI/CD configuration file. The profile activates two scan triggers: Merge Request Pipelines: Automatically runs a SAST scan each time new commits are pushed to a branch with an open merge request. Results only include new vulnerabilities introduced by the merge request. Branch Pipelines (default only): Runs automatically when changes are merged or pushed to the default branch, providing a complete view of your default branch’s SAST posture. Security attribute filters in group security dashboards Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic You can now filter the results in a group security dashboard based on the security attributes that you have applied to the projects in that group. The available security attributes include the following: Business impact, Application, Business unit, Internet exposure, and Location. Security Manager role (Beta) Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation The Security Manager role is now available as a beta feature, providing a new default set of permissions designed specifically for security professionals. Security teams no longer need Developer or Maintainer roles to access security features, eliminating over-privileging concerns while maintaining separation of duties. Users with the Security Manager role have the following access: Vulnerability management: View, triage, and manage vulnerabilities across groups and projects, including vulnerability reports and security dashboards. Security inventory: View a group’s security inventory to understand scanner coverage across all projects. 
Security configuration profiles: View security configuration profiles for a group. Compliance tools: View audit events, compliance center, compliance frameworks, and dependency lists for a group or project. Secret push protection: Enable secret push protection for a group. On-demand DAST: Create and run on-demand DAST scans for a group. To get started, go to a group and select Manage > Members to invite and assign members to the Security Manager role. Identifier list popover in the vulnerability report Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue The vulnerability report now shows the primary CVE identifier as a clickable link in each row. When multiple identifiers exist, a "+N more" popover lists all of the identifiers. Each identifier in the list links to its external reference (for example, in the CVE, CWE, or WASC databases) so you can quickly access more details without leaving the report. GitLab Runner 18.11 Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation We’re also releasing GitLab Runner 18.11 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab. 
What’s New: Create concrete helper image with bundled dependencies; Read the job router feature flag from the runner configuration instead of an environment variable. Bug Fixes: Incorrect runner binary path after refactoring; Pipeline hangs on cache operations; The docker-machine binary in GitLab Runner 18.9.0 references CVE-2025-68121; Runner silently falls back to job payload credentials when credential helper binary is missing from DOCKER_AUTH_CONFIG; CONCURRENT_PROJECT_ID not unique in different jobs, which causes a conflict in the builds directory; Artifact upload fails with timeout awaiting response headers; User-defined after_script executes after failed pre_build_script and bypasses post_build_script. The list of all changes is in the GitLab Runner CHANGELOG. Related topics: Bug fixes, Performance improvements, UI improvements, Deprecations and removals, Upgrade notes.

03-19-2026

GitLab 18.10 released with agentic SAST FP detection and free-tier credits

Today, we are excited to announce the release of GitLab 18.10 with SAST false positive detection with GitLab Duo Agent Platform, credits for free tier users, passwordless sign-in with passkeys, work items list and saved views, and much more! These are just a few highlights from the 60+ improvements in this release. Read on to check out all of the great updates below. To the wider GitLab community, thank you for the 212 contributions you provided to GitLab 18.10! At GitLab, everyone can contribute and we couldn't have done it without you! To preview what's coming in next month’s release, check out our What's new page.

03-19-2026

GitLab 18.10 release notes

On March 19, 2026, GitLab 18.10 was released with the following features. In addition, we want to thank all of our contributors, including this month’s notable contributor. This month’s Notable Contributor: Harshith Sudar Harshith is currently a Level 3 Contributor who has made impactful contributions improving community tooling and analytics, from triage automation and contributor recognition to GitLab Duo usage insights. Harshith’s contributions were first recognized by Lee Tickett, Fullstack Engineer in DevRel Engineering at GitLab, who nominated him. His work has strengthened how we support contributors behind the scenes through improvements to our automation and contributor-facing experiences. For example, he expanded our triage automation by updating the IssueSummary processor in triage-ops to work with multiple projects, including contributors.gitlab.com, making it easier for us to keep more community projects consistently summarized and visible. He also helped recognize community-created content through the new “Add content” button and flow, which lets contributors log blog posts, videos, and other content directly from their profile and get rewarded. Harshith has also contributed to our analytics and GitLab Duo usage insights. Highlights include refining how GitLab Duo usage is calculated, improving how AI impact over time can be explored by removing the 180-day default, and consolidating DORA metric date range constants, as well as enhancing analytics at scale with improvements like adding infinite scroll for the Value Stream Analytics custom stage label picker. Together, these changes help teams better understand how GitLab is used in real projects. In his own words: “One thing I’ve really enjoyed while contributing is how thoughtfully ideas are discussed within the community. It’s encouraging to see suggestions explored collaboratively, like in the discussion around MR !1288, which turned into a great learning experience. 
I’m really happy to be part of this community and look forward to making many more contributions in the future.” Thank you, Harshith, for your ongoing work to improve the GitLab codebase and contributor experience! Want to connect with Harshith and learn more about his contributions? Visit Harshith’s GitLab profile and his LinkedIn profile. Primary features SAST false positive detection with GitLab Duo Agent Platform Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Add-ons: Duo Core, Duo Pro, Duo Enterprise Links: Documentation | Related epic SAST false positive detection, which was first introduced as a beta in GitLab 18.7, is now generally available in GitLab 18.10. When a security scan runs, GitLab Duo Agent Platform analyzes each critical and high severity SAST vulnerability and determines the likelihood that it’s a false positive. The assessment appears directly in the vulnerability report, giving teams the context they need to triage with confidence rather than uncertainty. Key capabilities include: Automatic analysis: False positive detection runs automatically after each security scan with no manual intervention required. Manual option: Users can manually run false positive detection for individual vulnerabilities on the vulnerability details page for on-demand analysis. Focus on high-impact findings: Limiting the analysis to critical and high severity SAST vulnerabilities cuts through the noise where it matters most. Contextual AI reasoning: Each assessment explains why a finding may or may not be a false positive, factoring in code context, data flow, and vulnerability characteristics specific to static analysis. Seamless workflow integration: Results surface directly in the vulnerability report alongside existing severity, status, and remediation information — no changes to existing workflows required. This feature is available for Ultimate customers with GitLab Duo Agent Platform. 
The feature must be enabled in your group or project settings. We welcome your feedback in issue 583697. Purchase GitLab Credits on the Free tier on GitLab.com Tier: Free Offering: GitLab.com Add-ons: GitLab Credits Links: Documentation | Related epic Free tier group Owners on GitLab.com can now unlock AI with GitLab Credits. Purchase a monthly credit amount, commit to an annual term, and get access to GitLab Duo Agent Platform agents and flows. Credits refresh automatically each month, so your team always has what it needs to build faster and smarter. Key highlights: Usage-based pricing: Purchase a monthly credit commitment without needing a base plan subscription. Self-service purchasing: Buy credits through the GitLab purchase flow. Seamless upgrade path: Your credit commitment transfers if you later upgrade to Premium or Ultimate. Consumption tracking: Monitor your credit usage through the GitLab Credits dashboard. This purchase option is currently only available for free GitLab.com top-level groups. Sign in securely with passkeys Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic GitLab now supports passkeys for passwordless sign-in and as a phishing-resistant two-factor authentication (2FA) method. Passkeys use public-key cryptography and biometric authentication (fingerprint, face recognition) or your device PIN to securely access your account. Passkeys offer the following benefits: Passwordless convenience: Sign in with your device’s biometrics or PIN instead of remembering a password. Multi-device support: Use passkeys on desktop browsers, mobile devices (iOS 16 or later, Android 9 or later), and FIDO2/WebAuthn-compatible hardware security keys. Phishing-resistant security: Your private key never leaves your device. GitLab only stores the public key, protecting your account even if GitLab servers are compromised. 
Automatic 2FA integration: For accounts with 2FA enabled, passkeys become available as your default 2FA method. To get started, add a passkey in your account settings. We welcome your questions and feedback in issue 366758. Introducing the work items list and saved views Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic The GitLab planning experience is getting a significant upgrade with the work items list and saved views, bringing together two long-requested capabilities: The work items list combines epics, issues, and other work items into a single unified list, eliminating the need to switch between separate pages for different work item types. This makes it easier to understand relationships across your planning objects. Saved views allow you to create and save customized list configurations, including filters, sort order, and display options. This makes routine checks more efficient, and supports standardized ways of viewing work across your team. This is the next step in the GitLab work items journey, a unified architecture designed to deliver consistency and unlock new capabilities across GitLab planning tools. Share your thoughts and feedback in issue 590689. Custom agents can use MCP to access external data Tier: Premium, Ultimate Offering: GitLab.com Links: Documentation | Related issue You can now connect custom agents in the AI Catalog to external data sources and tools through the Model Context Protocol (MCP), without leaving GitLab. This feature is an experiment. Share your feedback in issue 593219. Enforce merge request title naming conventions with regex Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Maintaining consistent merge request titles is important for teams that rely on structured naming conventions. 
That might mean following the Conventional Commits format or linking to an internal tracking system. Teams previously needed external tooling or custom CI/CD pipeline jobs to enforce these conventions, but this approach had a critical gap. If someone changed the merge request title after the pipeline ran, there was no re-validation, and the MR could still be merged with a non-compliant title. You can now configure a required title regex for merge requests in your project settings. When configured, GitLab evaluates the merge request title against the pattern as a mergeability check — blocking the merge until the title is updated to comply, regardless of when the title was last changed. To set this up, go to your project’s Settings > Merge requests and enter a regex pattern in the Merge request title must match regex field. Your existing merge request workflows continue to work as before. This check only applies to projects where you explicitly configure a title regex. Secret false positive detection with AI (beta) Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Add-ons: Duo Core, Duo Pro, Duo Enterprise Links: Documentation | Related epic Security teams spend significant time investigating secret detection findings that turn out to be false positives, for example test credentials, example values, and placeholder tokens that are incorrectly flagged as actual secrets. False positives create alert fatigue, erode trust in scan results, and divert attention from genuine security risks. GitLab 18.10 introduces AI-powered secret false positive detection (beta) to focus on the secrets that actually matter. When a security scan runs, GitLab Duo automatically analyzes each Critical and High severity secret detection vulnerability to determine if it’s a false positive. The AI assessment appears directly in the vulnerability report, giving security engineers immediate context to make faster and confident triage decisions. 
Key capabilities include: Automatic analysis: False positive detection runs automatically after each security scan without manual trigger. Manual trigger option: You can manually trigger false positive detection for individual vulnerabilities on the vulnerability details page for on-demand analysis. Focus on high-impact findings: Scoped for Critical and High severity vulnerabilities to maximize signal-to-noise improvement. Contextual AI reasoning: Each assessment includes an explanation of why the finding may or may not be a true positive, based on code context and vulnerability characteristics. Confidence scoring: Each detection includes a confidence score to help teams prioritize review based on the model’s certainty. Seamless workflow integration: Results surface directly in the vulnerability report alongside existing severity, status, and remediation information. This feature is available as a free beta for Ultimate customers and must be enabled in your group or project settings. Share feedback in issue 592861. Use runtime inputs with CI/CD jobs Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Using CI/CD variables for dynamic job configuration can be challenging. Variables follow a complex override hierarchy that’s difficult to manage, and they can’t be used for a variety of use cases. Now you can use inputs to define explicit, typed inputs at the job level. Use job inputs to define and control the values that a job accepts at runtime. With job inputs, you get: Type safety (string, number, boolean, array). Default values that can be static or reference existing variables. The option to define a strict list of possible values to use. Regex support for validating input values. Job inputs can use the default values without any user interaction, but you can modify the values when retrying a job or running a manual job. 
Agentic Core GitLab Blob Search for group and instance code search Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue The gitlab_blob_search tool now enables GitLab AI agents to search your code: Across all projects in a group. Across all accessible projects on an instance. Previously, blob search was limited to a single project, or required specifying explicit project IDs. This change makes it easier for AI-powered workflows to discover and reuse code that’s spread across multiple related projects. GitLab MCP server tool for pipeline management Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue You can now manage your CI/CD pipelines in a GitLab project with the new manage_pipeline tool. This GitLab MCP server tool lets AI agents create, cancel, retry, delete, and update pipeline metadata in a single call. With this tool, you no longer have to piece together multiple steps to automate your pipeline workflows. If you want to see other GitLab MCP server tools, let us know in the feedback issue. Project Maintainers can enable custom agents and flows Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Previously, enabling AI agents and flows from the AI Catalog required top-level group permissions. Now, when browsing the AI Catalog at the explore level or project level, project Maintainers can enable agents and flows directly in their projects. 
Configure network access control for remote flows in projects Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue You can now configure network access controls for flows using GitLab runners in projects. This provides secure external integrations, while maintaining control over network destinations. This also gives project maintainers the flexibility to allow necessary API connections, MCP servers, and third-party services while enforcing security boundaries. Configure network access controls in the network_policy section of agent-config.yml. The agent-config.yml is protected by branch protection rules and MR approval workflows. Self-hosted Vertex AI for GitLab Duo Agent Platform Tier: Premium, Ultimate Offering: GitLab Self-Managed Links: Documentation | Related issue Vertex AI is now a supported LLM platform within GitLab Duo Agent Platform Self-Hosted. Customers can now configure Anthropic models hosted on Vertex AI for use with GitLab Duo Agent Platform features. Users can enable agents and flows directly from projects Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Maintainers and Owners can now enable agents and flows directly from their project or the explore page, without navigating away from their current context. Top-level group Owners can also select their group, and the specific projects where they want to activate agents and flows, streamlining their workflow setup. Support for Agent Skills in IDEs and CI/CD pipelines Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Links: Documentation | Related issue GitLab Duo Agent Platform now supports the Agent Skills specification, an emerging standard for giving AI agents new capabilities and expertise. 
You can define Agent Skills at the workspace level for your project to give agents specialized knowledge and workflows for specific tasks, like writing tests in a specific framework. Agents automatically discover and load relevant skills as they encounter matching tasks. You can also trigger skills manually by name, file path, or custom slash commands. Agent Skills are accessible for flows and Agentic Chat in your IDE, and for flows run in CI/CD pipelines. They also work with any other AI tool that supports the specification. Scale and Deployments Download credit usage data as CSV Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Billing managers can now download credit usage data as a CSV file directly from the GitLab Credits dashboard in Customers Portal. The export provides a daily, per-action breakdown of credit consumption for the current billing month, including commitment, waiver, trial, on-demand, and included credits used. Finance and operations teams can use this data to perform cost allocation, chargeback reporting, and usage analysis in Excel, Google Sheets, or BI tools without manual data gathering or support requests. Link credit usage to GitLab Duo Agent Platform sessions Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue The GitLab Credits dashboard now links credit consumption directly to the GitLab Duo Agent Platform session that generated it. In the per-user drill-down view, the Action column for Agent Platform usage rows (such as Agentic Chat or Foundational Agents) is now a clickable hyperlink that navigates to the corresponding session details. 
This link provides a direct audit trail from billing to AI session behavior, so administrators can investigate credit usage, support escalations, and compliance reviews without manually correlating timestamps across separate systems. Sort users in the GitLab Credits dashboard Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Enterprise administrators can now sort the Usage by User table in the GitLab Credits dashboard by total credits used or by username. The default sort order is by total credits consumed (highest first), so the top consumers are immediately visible without scrolling. With this view, administrators managing thousands of GitLab Duo users can quickly identify high-usage individuals for cost allocation, chargeback reporting, and license utilization audits. New navigation experience for projects in Explore Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic We’ve streamlined the projects page in Explore to reduce clutter and remove redundant options that accumulated over time. The simplified interface now focuses on two core views: Active tab: Discover projects with recent activity and ongoing development. Inactive tab: Access archived projects and those scheduled for deletion. We’ve removed several redundant tabs: Most starred projects can be found by sorting Active or Inactive tabs by star count. All projects are available by viewing both Active and Inactive tabs. Trending tab will be fully removed in GitLab 19.0 due to limited functionality and low usage. The cleaner design aligns with other project lists for visual consistency. You can still access all the same content through more logical organization and flexible sorting options. 
Unified DevOps and Security Dependency Scanning with SBOM support for Java Gradle build files Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue GitLab dependency scanning by using SBOM now supports scanning Java build.gradle and build.gradle.kts build files. Previously, dependency scanning for Java projects using Gradle required a lock file to be present. Now, when a lock file is not available, the analyzer automatically falls back to scanning build.gradle and build.gradle.kts files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Java projects using Gradle to enable dependency scanning without requiring a lock file. To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true". Dependency scanning SBOM-based scanning extended to self-managed Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed Links: Documentation | Related issue In GitLab 18.10, we’re extending limited availability status to self-managed instances for the new SBOM-based dependency scanning feature. This feature was initially released in GitLab 18.5 with limited availability for GitLab.com only, behind the feature flag dependency_scanning_sbom_scan_api and disabled by default. With additional improvements and fixes, we now have confidence to reliably use the new SBOM scanning internal API and enable this feature flag by default. This internal API allows the dependency scanning analyzer to generate a dependency scanning report containing all component vulnerabilities. Unlike the previous behavior (Beta) that processed SBOM reports after CI/CD pipeline completion, this improved process generates scan results immediately during the CI/CD job, giving users instant access to vulnerability data for custom workflows. 
Self-managed customers who encounter issues can disable the dependency_scanning_sbom_scan_api feature flag. The analyzer will then fall back to the previous behavior. To use this feature, import the v2 dependency scanning template Jobs/Dependency-Scanning.v2.gitlab-ci.yml. We welcome feedback on this feature. If you have questions, comments, or would like to engage with our team, please reach out in this feedback issue. License scanning support for Dart/Flutter projects using Pub package manager Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic GitLab now supports license scanning for Dart and Flutter projects that use the pub package manager. Previously, teams building with Dart or Flutter were unable to identify the licenses of their open source dependencies directly within GitLab, creating compliance blind spots for organizations with license policy requirements. License data is sourced directly from pub.dev, the official Dart package repository, and results are surfaced alongside other supported ecosystems. Dart/Flutter dependency scanning and vulnerability detection were already supported. Conan 2.0 package registry support (Beta) Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue C and C++ development teams using Conan as their package manager have long requested registry support in GitLab. Previously, the Conan package registry was experimental and only supported Conan 1.x clients, limiting adoption for teams that have migrated to the modern Conan 2.0 toolchain. The Conan package registry now supports Conan 2.0 and has been promoted from Experimental to Beta. This release includes full v2 API compatibility, recipe revision support, improved search capabilities, and proper handling of upload policies including the --force flag. 
Teams can publish and install Conan 2.0 packages directly from GitLab using standard Conan client workflows, reducing the need for external artifact management solutions like JFrog Artifactory. With this update, platform engineering teams managing C and C++ dependencies can consolidate their package management within GitLab alongside their source code, CI/CD pipelines, and security scanning. The Conan registry supports both project-level and instance-level endpoints, and works with personal access tokens, deploy tokens, and CI/CD job tokens for authentication. We welcome feedback as we work toward general availability. Please share your experience in the epic. Manage container virtual registries with a dedicated UI (Beta) Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic When the container virtual registry launched in beta last milestone, platform engineers could aggregate multiple upstream container registries — Docker Hub, Harbor, Quay, and others — behind a single pull endpoint. However, all configuration required direct API calls, meaning teams had to maintain scripts or manual curl commands to create and manage their registries, configure upstreams, and handle changes over time. This added operational overhead and made the feature inaccessible to users who weren’t comfortable working directly with the API. Container virtual registries can now be created and managed directly from the GitLab UI. From the group-level container registry page, you can create new virtual registries, configure upstream sources with authentication credentials, edit existing configurations, and delete registries you no longer need — all without leaving GitLab or writing a single API call. The UI integrates seamlessly with the existing container registry experience, making virtual registries a first-class part of your group’s artifact management workflow. This feature is in beta. 
To share feedback, please comment in the feedback issue. GitLab Helm Chart registry generally available Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Teams using Helm to manage Kubernetes application deployments can now rely on the GitLab Helm Chart registry for production workloads. Previously in beta, the registry is now generally available following the resolution of key architectural and reliability concerns. The path to GA included resolving a hard limit that prevented the index.yaml endpoint from returning more than 1,000 charts, fixing a background indexing bug that caused newly published chart versions to be missing from the index, completing a full AppSec security review, and adding Geo replication support for Helm metadata cache, ensuring high availability for self-managed customers running GitLab Geo. Platform and DevOps teams can publish and install Helm charts directly from GitLab using standard Helm client workflows, with support for project-level endpoints and authentication using personal access tokens, deploy tokens, and CI/CD job tokens. Now you can keep charts alongside the source code, pipelines, and security scanning that depend on them. Task item support in Markdown tables Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue You can now use task item checkbox syntax directly in Markdown table cells. Previously, achieving this required a combination of raw HTML and Markdown, which was cumbersome and difficult to maintain. This improvement makes it easier to track task completion directly within structured table layouts in issues, epics, and other content. 
Pipeline secret detection in security configuration profiles Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation In GitLab 18.9, we introduced security configuration profiles with the Secret Detection - Default profile, starting with push protection. You use the profile to apply standardized secret scanning across hundreds of projects without touching a single CI/CD configuration file. The Secret Detection - Default profile now also covers pipeline-based scanning, providing a unified control surface for secret detection across your entire development workflow. The profile activates three scan triggers: Push Protection: Scans all Git push events and blocks pushes where secrets are detected, preventing secrets from ever entering your codebase. Merge Request Pipelines: Automatically runs a scan each time new commits are pushed to a branch with an open merge request. Results only include new vulnerabilities introduced by the merge request. Branch Pipelines (default only): Runs automatically when changes are merged or pushed to the default branch, providing a complete view of your default branch’s secret detection posture. Applying the profile requires no YAML configuration. The profile can be applied to a group to propagate coverage across all projects in the group, or to individual projects for more granular control. macOS Tahoe 26 and Xcode 26 job image Tier: Premium, Ultimate Offering: GitLab.com Links: Documentation | Related epic You can now create, test, and deploy applications for the newest generations of Apple devices using macOS Tahoe 26 and Xcode 26. With hosted runners on macOS, your development teams can build and deploy macOS applications faster in a secure, on-demand build environment integrated with GitLab CI/CD. Try it out today by using the macos-26-xcode-26 image in your .gitlab-ci.yml file. 
GitLab Runner 18.10 Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation We’re also releasing GitLab Runner 18.10 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab. What’s New: Allow k8s runner to define Pod Level Resources for build pod; Add automation to update Go versions and packages for all Runner projects. Bug Fixes: S3 cache with RoleARN returns 403 instead of 404 for non-existent cache; Using helper image gitlab-runner-helper:x86_64-v16.11.1-nanoserver21H2 results in init-permissions error; MacOS: LaunchAgent - Service could not initialize on M1 architecture. The list of all changes is in the GitLab Runner CHANGELOG.

02-19-2026

GitLab 18.9 released with self-hosted AI models

Today, we are excited to announce the release of GitLab 18.9 with GitLab Duo Agent Platform self-hosted models now available for cloud licenses, vulnerability resolution with GitLab Duo Agent Platform, navigate repositories with collapsible file tree, include CI/CD inputs from a file, new security dashboard chart: vulnerabilities by age and much more! New to GitLab Duo? Ultimate with GitLab Duo Agent Platform trials are now available for both GitLab.com and GitLab Self-Managed. These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below. To the wider GitLab community, thank you for the 530+ contributions you provided to GitLab 18.9! At GitLab, everyone can contribute and we couldn't have done it without you! To preview what's coming in next month’s release, check out our What's new page.

02-19-2026

GitLab 18.9 release notes

On February 19, 2026, GitLab 18.9 was released with the following features. In addition, we want to thank all of our contributors, including this month’s notable contributor. This month’s Notable Contributor: Pooja Ghanghas Pooja has made significant contributions to ongoing efforts at GitLab to migrate legacy dropdown components to our modern dropdown architecture. These migrations require careful attention to detail and an understanding of both the old and new component systems. Pooja has consistently delivered high-quality work across multiple migrations, including updates to the diff file header, code block bubble menu, oncall schedules rotation assignee component, and the new resource dropdown. Peter Hegman, Staff Frontend Engineer on Tenant Scale::Organizations at GitLab, nominated Pooja for this recognition, noting: “These migrations can be pretty tricky and she has completed a number of them. Thanks for your contributions!” Beyond these migration efforts, Pooja has also contributed to feature development, including adding statuses to milestones and iterations, a feature she put significant effort into getting merged. Marc Saleiko, Staff Fullstack Engineer on Plan:Project Management at GitLab, recognised her work: “This is a valuable contribution and you did a great job delivering this functionality!” Reflecting on her experience, Pooja shared: “I’m proud of how it turned out and it was a great learning experience for me.” She has also contributed numerous bug fixes and maintenance improvements across the GitLab codebase. Pooja’s work directly improves the maintainability and consistency of the GitLab user interface, making it easier for both contributors and team members to build and maintain features, and helping move the GitLab frontend architecture forward. Thank you, Pooja, for your continued contributions to improving the GitLab codebase and for being such a reliable member of our contributor community! Want to learn more about Pooja’s contributions? 
Check out her GitLab profile. Primary features GitLab Duo Agent Platform Self-Hosted models now available for cloud licenses Tier: Premium, Ultimate Offering: GitLab Self-Managed Links: Documentation | Related epic GitLab Duo Agent Platform is now generally available for GitLab Self-Managed customers with a cloud license. Billing for this feature is usage-based. Administrators can configure compatible models for use with GitLab Duo Agent Platform. Administrators using AWS Bedrock or Azure OpenAI can also configure Anthropic Claude or OpenAI GPT models. Not yet on Ultimate? Start a free trial with Duo Agent Platform included. Vulnerability resolution with GitLab Duo Agent Platform (Beta) Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic Triaging and remediating SAST vulnerabilities is one of the most time-consuming tasks in application security. After identifying a real vulnerability, developers need to understand the finding, locate the affected code, and write an appropriate fix, all of which take time and specialized knowledge. In GitLab 18.9, we’re introducing Agentic SAST Vulnerability Resolution. When you trigger resolution for a SAST vulnerability, GitLab Duo autonomously analyzes the finding, reasons through the surrounding code context, generates a context-aware fix, and creates a merge request without any manual intervention. Key capabilities include: Agentic multi-step resolution: Rather than producing a single code suggestion, the GitLab Duo Agent Platform reasons through the vulnerability, evaluates the codebase, and produces a well-informed fix. Automatic merge request creation: Generates a ready-to-review merge request with the proposed code fix for critical and high severity SAST vulnerabilities. Quality scoring: Each generated fix includes a quality assessment so reviewers can quickly gauge confidence in the proposed remediation. 
SAST vulnerability resolution is available from the vulnerability report and the individual vulnerability details pages. You can trigger a resolution directly from the individual vulnerability details page. This feature is available as a free beta for Ultimate customers. We welcome your feedback in issue 585626. Navigate repositories with collapsible file tree Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related epic You can now browse repository files with a collapsible file tree. The tree provides a comprehensive view of your project structure, so you can expand and collapse directories inline, jump between files in different parts of your repository, and maintain context while you work. The file tree appears as a resizable sidebar when you view repository files or directories. You can toggle visibility with keyboard shortcuts, filter files by name or extension, and navigate through complex project hierarchies. The tree synchronizes with your current location, so when you select a file in the main content area, the tree updates to show that file. Your existing repository structure and file organization remain unchanged. With fewer page loads required to move between files, this feature scales from small projects to large codebases with thousands of files. Include CI/CD inputs from a file Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government Links: Documentation | Related issue Previously, pipeline inputs could only be defined directly within a pipeline’s spec section. This limitation made it challenging to reuse input configuration across multiple projects. In this release you can now include input definitions from external files using the familiar include keyword. Being able to maintain a list of inputs in a separate place helps you have a manageable solution across many projects or pipelines. 
You can maintain centralized input configurations and even dynamically manage input values from external sources. Web-based commit signing on GitLab.com Tier: Free, Premium, Ultimate Offering: GitLab.com Links: Documentation | Related epic Ensuring commits are cryptographically signed is essential for code integrity and meeting compliance requirements. Previously, web-based commit signing was only available for GitLab Self-Managed. GitLab.com now supports web-based commit signing. When enabled for a group or project, commits created through the GitLab web interface are automatically signed with the GitLab signing key and are displayed with a Verified badge, providing cryptographic proof of authenticity for your repositories. Key details: Enable in group or project settings based on your requirements. All web-based commits (Web IDE edits, merges, API operations) are automatically signed when enabled. This brings the GitLab.com security capabilities in line with GitLab Self-Managed and provides the foundation for comprehensive commit signing policies across your organization. Container virtual registry now available (Beta) Tier: Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed Links: Documentation | Related epic Modern container-based development requires accessing images from multiple registries including Docker Hub, Harbor, Quay, and private registries. Without a container virtual registry, platform engineers must configure each project and CI/CD pipeline to authenticate with and pull from multiple registries individually. This creates configuration complexity, slows pulls with sequential registry queries, and makes it difficult to implement consistent security policies across container sources. The container virtual registry addresses these challenges by aggregating multiple upstream container registries behind a single endpoint. 
Platform engineers can configure Docker Hub, Harbor, Quay, and other registries with long-lived token authentication through one URL. Intelligent caching improves pull performance while integrating with the GitLab authentication systems for centralized access control and audit logging.

The container virtual registry API is currently available in beta for GitLab Premium and Ultimate customers. Beta participants can use the GitLab API to create container virtual registries, configure multiple upstream sources with shareable configurations, and pull container images through the virtual registry.

Please note the beta does not support registries that require IAM authentication. Support for cloud provider registries requiring IAM authentication is tracked in this epic. On GitLab.com, this feature is behind a feature flag. To request access or share feedback, please comment in the feedback issue.

New security dashboard chart: Vulnerabilities by age

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

The new Vulnerabilities by age chart helps you understand how long vulnerabilities have been open in your environment. The chart shows the distribution of unresolved vulnerabilities based on the amount of time since they were first detected. You can group vulnerabilities by severity or by report type, helping you identify where remediation activities may be needed.

Agentic Core

OAuth support in JetBrains IDEs for Self-Managed and Dedicated

Tier: Premium, Ultimate
Offering: GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Add-ons: Duo Core, Duo Pro, Duo Enterprise
Links: Documentation | Related issue

The GitLab Duo plugin for JetBrains IDEs now supports OAuth authentication for GitLab Self-Managed and GitLab Dedicated. This means all JetBrains users can now enjoy a faster, more secure sign-in experience. No personal access token required.

Scale and Deployments

Non-billable Minimal Access users

Tier: Premium
Offering: GitLab Self-Managed
Links: Documentation | Related issue

Previously, organizations that used identity providers to automate user provisioning on GitLab Self-Managed Premium could run into a problem: when identity provider syncs attempted to add users beyond the licensed seat limit, administrators had to either purchase extra seats for users who don’t need active access, or manually intervene to prevent failures.

Now, users with the Minimal Access role on GitLab Self-Managed Premium subscriptions no longer count as billable seats, bringing them in line with how minimal access works on GitLab.com Premium, GitLab.com Ultimate, and GitLab Self-Managed Ultimate. This change unlocks the restricted access feature, which automatically assigns the Minimal Access role to users who would otherwise exceed the seat limit during identity provider syncs. This change keeps syncs running smoothly without unexpected billing overages or manual intervention.

Geo data management view on primary site

Tier: Premium, Ultimate
Offering: GitLab Self-Managed, GitLab Dedicated
Links: Documentation

You can now troubleshoot and verify data integrity directly from the primary site, thanks to the new data management view that brings detailed verification status information to the primary Geo site. This enhancement eliminates the need to access secondary sites for basic verification and troubleshooting tasks. Previously, this verification status was only accessible through the secondary site UI.
Now, with the data management view on the primary site, you can:

- View detailed verification status for all replicable data types on the primary site
- Perform data sanitization and troubleshooting tasks directly from the primary UI
- Set up and verify your Geo configuration on the primary site before adding secondary sites

This enhancement is the first step toward comprehensive self-serve troubleshooting with the UI, reducing the need to access multiple sites for routine maintenance and issue resolution.

GitLab Duo Agent Platform available in Ultimate trials

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed
Links: Documentation | Related epic

Teams evaluating GitLab can now test agentic AI capabilities that automate complex development workflows and reduce manual tasks. Sign up for a GitLab Ultimate trial and get access to Duo Agent Platform with 24 evaluation credits per user, enabling hands-on experience with autonomous task execution and multi-step workflow orchestration during a 30-day evaluation. Evaluation credits are available for 30 days from the provision date, so consider your team’s readiness before starting. Start your free trial. Current paid customers can access evaluation credits through their account team. Contact Sales to learn more.

Zero Downtime Upgrades now supported for Cloud Native Hybrid deployments

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation

Zero Downtime Upgrades are now officially supported for Cloud Native Hybrid deployments. Enterprise customers require their DevSecOps platform to be available at all times, making upgrade-related downtime a significant operational concern. Until now, Zero Downtime Upgrades were only supported for Linux package-based high availability deployments, which drove many customers toward VM-based architectures even when cloud-native Kubernetes deployments would have better suited their infrastructure strategy.
We’ve been upgrading our own Cloud Native Hybrid SaaS instances with zero downtime for years. With this release, we’re bringing that same operational experience to self-managed customers running GitLab on Kubernetes. The upgrade procedure has been comprehensively tested and is now fully documented, giving you the confidence to maintain availability during version upgrades.

Archive a group and its content

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

Managing completed initiatives and abandoned projects is now easier. You can now archive entire groups, including all subgroups and projects, in one action, eliminating the need to manually archive each project individually.

When you archive a group:

- All nested subgroups and projects are automatically archived.
- Archived content moves to the Inactive tab with clear status badges.
- Group data remains fully accessible in read-only mode for reference or restoration.
- Write permissions are disabled across the archived group and its content.

Beyond the Settings page, you can archive groups and projects directly from the actions menu in list views. No more navigating through multiple screens for simple administrative tasks. This highly requested feature dramatically reduces administrative overhead while keeping your workspace organized with clear separation between active and inactive work. Share your feedback in epic 18616.

Valkey as replacement option for Redis (Beta)

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed
Links: Documentation

Starting with GitLab 18.9, Valkey is bundled as an opt-in replacement for Redis in the Linux package. Redis changed their license to AGPLv3, which is not suitable for open source customers.
To guarantee security and maintainability for our GitLab Self-Managed customers, we are transitioning from Redis to Valkey, a community-driven fork that maintains the permissive BSD license.

Transition timeline:

- GitLab 18.9 (this release): Valkey is bundled as an opt-in replacement (beta). You can switch from Redis to Valkey at your convenience. Valkey Sentinel support is included.
- GitLab 19.0 (May 2026): Valkey becomes the default and Redis binaries are removed from the Linux package. Existing Redis configuration settings remain functional and are honored for backwards compatibility.

This transition only affects the bundled Redis in Linux packages. Customers on scaled architectures using external Redis deployments can continue to use Redis. We are monitoring the potential feature divergence between Redis and Valkey and will provide guidance as the ecosystem evolves.

Unified DevOps and Security

Dependency Scanning with SBOM support for Java pom.xml manifest files

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related issue

GitLab dependency scanning by using SBOM now supports scanning Java pom.xml manifest files. Previously, dependency scanning for Java projects using Maven required a graph file to be present. Now, when a graph file is not available, the analyzer automatically falls back to scanning pom.xml files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Java projects to enable dependency scanning without requiring a graph file. To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".

Dependency Scanning with SBOM support for Python requirements.txt manifest files

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related issue

GitLab dependency scanning by using SBOM now supports scanning Python requirements.txt manifest files. Previously, dependency scanning for Python projects required a lock file to be present. Now, when a lock file is not available, the analyzer automatically falls back to scanning requirements.txt files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Python projects to enable dependency scanning without requiring a lock file. To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".

Restrict personal snippets for enterprise users

Tier: Premium, Ultimate
Offering: GitLab.com
Links: Documentation

Organizations using GitLab.com need to ensure that enterprise users don’t accidentally expose sensitive code through personal snippets. Previously, there was no way to prevent users from creating snippets in their personal namespace, which can pose a security risk if snippets are inadvertently set to public. Group Owners can now restrict personal snippet creation for enterprise users, helping maintain tighter control over where code is shared. When restricted, enterprise users cannot create snippets in their personal namespace.

Rapid Diffs improves performance for commit changes

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

Reviewing commits with many changed files or substantial modifications can be slow. Rapid Diffs technology now powers the commits page (/-/commits/), delivering faster loading times, smoother scrolling, and more responsive interactions.

With Rapid Diffs, you’ll notice:

- A pagination-free experience.
- Faster initial load, so you can start working with code sooner.
- A refreshed interface with a new file browser for quicker navigation between files.
- Responsive interactions, even with large numbers of changed files.

All existing functionality is preserved. As Rapid Diffs expands to other areas of GitLab, the same performance benefits will follow.

Support for Bitbucket Cloud API tokens in import API

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation

The GitLab import API now supports Bitbucket Cloud API tokens, providing a more secure way to import repositories from Bitbucket Cloud. Atlassian has deprecated app passwords in favor of API tokens, and we’re planning to remove support for app passwords in 19.0. Importing from Bitbucket Cloud through the GitLab UI is not affected by this change.

Centralized security governance and configuration

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation

Manage and visualize security scanner coverage across your organization. This release introduces security configuration profiles, starting with the secret detection profile. Security teams now have a more powerful command center to secure your organization at scale.

Profile-based security configuration

Instead of manually editing YAML files for each project, you can now use preconfigured security configuration profiles that provide several advantages:

- Standardized governance: Preconfigured profiles apply appropriate boundaries without interrupting productivity. You can apply standardized security best practices, without requiring custom role configurations.
- Scalable management: Apply the same profile across hundreds or thousands of projects with a single action.

The secret detection profile is the first security configuration profile available.
It provides the following advantages:

- Actively identifies and blocks secrets from being committed to your repositories.
- One profile manages secret detection across your entire development workflow.
- No need to manage separate configurations for different trigger types.

Enhanced security inventory

The security inventory has been upgraded to act as your primary dashboard to assess each group’s security posture:

- Group and project hierarchies: Easily distinguish between subgroups and projects in the inventory with clear iconography.
- Bulk actions: A new Bulk Action menu allows you to apply or disable security scanner profiles across all selected projects and subgroups simultaneously.
- Visual coverage status: Quickly identify gaps with color-coded status bars (Enabled, Not Enabled, or Failed) with tooltips for details.
- Profile status indicators: See which trigger types are available in the profile details.

Security attributes

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation

Security attributes, introduced as a beta in GitLab 18.6, are now generally available. Security attributes allow security teams to apply business context to their projects, including business impact, application, business unit, internet exposure, and location. You can also create custom attribute categories to match your organization’s taxonomy. By applying these attributes, you can filter and prioritize the items in your security inventory based on risk posture and organizational context.

Security dashboards: Vulnerabilities over time chart improvements

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

The Vulnerabilities over time chart is updated to provide a more accurate view of your vulnerability inventory.
The chart previously included vulnerabilities that were no longer detected, leading to inflated numbers that did not accurately represent the state of active vulnerabilities. We are aware of two additional issues that may slightly alter counts in some cases. Follow issue 590022 and issue 590018 for updates.

View CI/CD job metrics for projects (limited availability)

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related epic

GitLab CI/CD analytics now combines CI/CD pipeline and CI/CD job performance trends, which enables developers to identify inefficient or problematic CI/CD jobs quickly. These capabilities are included directly in the GitLab UI, so developers have the tools they need in context to identify and fix CI/CD performance problems that can significantly impact development teams’ velocity and overall productivity. For platform administrators, the CI/CD jobs data in this view also reduces the need to rely on external or custom-built CI/CD observability solutions when you operate GitLab at an enterprise scale.

Add timestamps to CI job logs

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related issue

You can now view timestamps on each CI job log line to identify performance bottlenecks and debug long-running jobs. Timestamps are displayed in UTC format. Use timestamps to troubleshoot performance issues, identify bottlenecks, and measure the duration of specific build steps. Requires GitLab Runner 18.7 or later for GitLab Self-Managed.

CI/CD Catalog component analytics

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related issue

Previously, teams lacked visibility into how CI/CD Catalog component projects were being used across their organization.
Now you can view usage counts and adoption patterns at a high level, helping you understand which component projects are most valuable and optimize your catalog investments.

View security reports from child pipelines in merge requests

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

You can now view security and compliance reports from child pipelines directly in merge request widgets. Previously, you had to manually navigate through multiple pipelines to identify security issues, creating inefficient workflows, especially with monorepos and complex testing setups.

With this enhancement, the merge request widget displays reports from child pipelines directly alongside parent pipeline results, with each child pipeline’s reports presented individually and artifacts available for download. This provides a unified view of all security checks, significantly reducing time spent investigating failures and enabling faster merge request reviews when using parent-child pipelines.

01-15-2026

GitLab 18.8 released with GitLab Duo Agent Platform now generally available

Today, we are excited to announce the release of GitLab 18.8 with GitLab Duo Agent Platform now generally available, GitLab Duo Planner Agent, GitLab Duo Security Analyst Agent, auto-dismiss irrelevant vulnerabilities, and much more! These are just a few highlights from the 10+ improvements in this release. Read on to check out all of the great updates below. To the wider GitLab community, thank you for the 119 contributions you provided to GitLab 18.8! At GitLab, everyone can contribute and we couldn't have done it without you! To preview what's coming in next month’s release, check out our What's new page.

01-15-2026

GitLab 18.8 release notes

On January 15, 2026, GitLab 18.8 was released with the following features. In addition, we want to thank all of our contributors, including this month’s notable contributor.

This month’s Notable Contributor: Wesley Yarde

This month’s Notable Contributor is Wesley Yarde for building a foundational new feature that allows organizations to disable SSH keys for their enterprise users. Wesley’s contribution stands out for several reasons:

- Security and compliance: This feature enables organizations to enforce SSH key requirements and enhance security across their enterprise.
- Foundational work: With no existing implementation to follow, Wesley had to collaborate extensively with the GitLab team to define requirements and architecture from scratch.
- First contribution: Remarkably, this was Wesley’s first contribution to GitLab—demonstrating exceptional ability to navigate a complex codebase and tackle a challenging feature.
- Enables future development: This work establishes the foundation for similar features like instance-level SSH key disabling and service account controls.

The implementation spanned multiple merge requests (!205020, !210482) with thorough review cycles. Despite the complexity, Wesley demonstrated outstanding collaboration and patience throughout the process.

“It was a pleasure to collaborate with Wesley on this feature request! While both the contributor and reviewers may have felt that the review process was overwhelming, both sides showed understanding and superb collaboration to ensure the implementation is solid and complete.” — Bogdan Denkovych, who nominated Wesley for this recognition.

Congratulations Wesley, and thank you for this valuable contribution to GitLab!

Primary features

GitLab Duo Agent Platform now generally available

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related issue

GitLab Duo Agent Platform is now generally available, bringing agentic AI orchestration across your entire software development lifecycle. Unlike AI tools that speed up individual tasks in isolation, the Agent Platform helps teams coordinate AI agents across planning, building, securing, and shipping software, closing the gap between faster individual work and the collaborative, multi-stage reality of software delivery.

The platform provides a central AI Catalog where teams can discover, manage, and share agents and flows across their organization. Built-in foundational agents like Planner, Security Analyst, and Data Analyst handle structured work at key decision points, while customizable flows automate multi-step agents and tasks in development workflows from issue to merge request, CI/CD migration, pipeline troubleshooting, and code reviews.

With governance controls, usage visibility, and flexible deployment options including self-hosted models for offline environments, organizations can adopt AI at scale with the transparency and control they need. GitLab Premium and Ultimate users can start using the Agent Platform today on GitLab.com and GitLab Self-Managed instances with promotional GitLab Credits.

GitLab Duo Planner Agent now generally available

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related issue

The Planner Agent is now generally available! The Planner Agent is a foundational agent built to support product managers directly in GitLab. Use the Planner Agent to create, edit, and analyze GitLab work items.
Instead of manually chasing updates, prioritizing work, or summarizing planning data, the Planner Agent helps you analyze backlogs, apply frameworks like RICE or MoSCoW, and surface what truly needs your attention. It’s like having a proactive teammate who understands your planning workflow and works with you to make better, more efficient decisions. Please provide your feedback in issue 583008.

GitLab Duo Security Analyst Agent now generally available

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related epic

The GitLab Duo Security Analyst Agent, introduced as beta in GitLab 18.5, is now generally available in GitLab 18.8. The Security Analyst Agent enables engineers to manage vulnerabilities through natural language commands in GitLab Duo Agentic Chat. Instead of manually clicking through vulnerability dashboards or writing custom scripts for bulk operations, security teams can now triage, assess, and provide guidance for vulnerabilities in Chat conversations. As a foundational agent, the Security Analyst Agent is available by default in GitLab Duo Agentic Chat, with no manual setup required.

Auto-dismiss irrelevant vulnerabilities with vulnerability management policies

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

Security teams can now automatically dismiss vulnerabilities that don’t apply to their organization using vulnerability management policies. Dismissing vulnerabilities that are not relevant to your organization reduces noise and helps developers focus on vulnerabilities that pose actual risk.
You can create policies to auto-dismiss vulnerabilities based on:

- File path
- Directory
- Identifier (CVE, CWE, or OWASP)

Auto-dismissed vulnerabilities appear in the merge request’s security widget with an Auto-dismissed label and are tracked in the vulnerability report activity with a dismissal reason for audit purposes.

Agentic Core

Turn the GitLab Duo Agent Platform on or off

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related issue

You can now turn the GitLab Duo Agent Platform on or off, including GitLab Duo Chat (Agentic), agents, and flows, for a top-level group or the entire instance. When this setting is turned off, these features are not available.

Group access control for GitLab Duo features

Tier: Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Links: Documentation | Related issue

You can now define group access rules to control who can use GitLab Duo features, enabling flexible adoption strategies from immediate organization-wide access to phased rollouts. This feature provides granular governance control so you can scale adoption at your pace while maintaining security and compliance.

GitLab Duo Agent Platform for GitLab Duo Self-Hosted (offline licensing) now generally available

Tier: Premium, Ultimate
Offering: GitLab Self-Managed
Add-ons: Duo Enterprise
Links: Documentation | Related epic

GitLab Duo Agent Platform is now generally available for Duo Self-Hosted. This feature is available to GitLab Self-Managed customers with an offline license, and uses seat-based pricing. Self-Managed administrators can configure compatible models for use with GitLab Duo Agent Platform. Administrators using AWS Bedrock or Azure OpenAI can also configure Anthropic Claude or OpenAI GPT models.

Unified DevOps and Security

C/C++ support in Advanced SAST now generally available

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

Cross-file, cross-function scanning support for C/C++ is now generally available in GitLab Advanced SAST.

Multiple Container Scanning

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation | Related epic

In GitLab 18.8, we released multi-container scanning in Beta. Users are now able to pass in an array of images to be scanned as part of many Container Scanning jobs.

Centralized credential management API for group owners

Tier: Silver, Gold
Offering: GitLab.com
Links: Documentation | Related epic

The Credentials Inventory API is now available for Enterprise users on GitLab.com. This adds credential management capabilities previously only available on self-hosted instances, and enables organizations to better manage and secure their authentication tokens and keys.

The Credentials Inventory API provides programmatic access to view credentials across your organization, including:

- Personal Access Tokens (PATs)
- Group Access Tokens (GrATs)
- Project Access Tokens (PrATs)
- SSH Keys
- GPG Keys

This API complements the existing Credentials Inventory UI, allowing enterprise administrators to automate credential management tasks that previously required manual intervention.

With the Credentials Inventory API, you can:

- Automate security workflows: Build automated processes to monitor, audit, and revoke credentials.
- Enforce credential policies: Identify and revoke unused or expired tokens.
- Improve security posture: Reduce the risk of credential misuse through regular auditing.
- Streamline operations: Integrate credential management into your existing security tools and workflows.

Group Owners can disable SSH keys for enterprise users

Tier: Silver, Gold
Offering: GitLab.com
Links: Documentation | Related issue

Group Owners can now disable SSH keys for all enterprise users in their group. When disabled, users cannot add new SSH keys and their existing keys are deactivated. This applies to all enterprise users in the group, including those with the Owner role. Thank you to Wesley Yarde for helping build this feature!

GitLab Runner 18.8

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
Links: Documentation

We’re also releasing GitLab Runner 18.8 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What’s New

- Improved error messages for job inputs interpolation errors

Bug Fixes

- WaitForServicesTimeout no longer supports -1 to disable timeout
- Custom URL breaks submodule authentication with insteadOf rules
- Custom runner short-token on Windows 2025 uses 9 characters instead 8
- PowerShell default helper image missing for Docker executor in GitLab Runner 17.8.3
- GitLab Runner with Docker Autoscaler does not reuse available cache volumes
- VirtualBox leaves dangling VM when job is cancelled

The list of all changes is in the GitLab Runner CHANGELOG.

12-18-2025

GitLab 18.7 released with improved GitLab Duo analytics dashboard and secret validity checks

Today, we are excited to announce the release of GitLab 18.7 with improved GitLab Duo Analytics dashboard, improved secret validity checks, model selection for chat and agents, and much more! These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below. To the wider GitLab community, thank you for the 169 contributions you provided to GitLab 18.7! At GitLab, everyone can contribute and we couldn't have done it without you! To preview what's coming in next month’s release, check out our What's new page.