GitLab has released GitLab 19.0, shifting its agentic AI from code generation into the work that surrounds it: securing credentials, reviewing and merging changes, and scanning released packages. The 21 May release provides a public beta of GitLab Secrets Manager, extends the Developer Flow agent across the full merge request lifecycle, and makes software bill of materials (SBOM) dependency scanning generally available.
GitLab Secrets Manager, in public beta for Premium and Ultimate customers, stores credentials within the same platform that runs code and pipelines, and restricts each secret to the roles authorised to use it. Access control and audit logging use the existing group and project hierarchy in GitLab, avoiding a separate authorisation model. If a credential is compromised, responders can trace every job that used it from the GitLab audit trail. It works with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager instead of replacing them.
On merge requests, Developer Flow now addresses reviewer feedback, splits oversized MRs, and resolves conflicts. The flow reads project standards from an AGENTS.md file before committing, so output reflects team context rather than generic defaults. A new Resolve with Duo button (beta) evaluates both branches, commits a proposed fix, and leaves a summary comment for the next reviewer. One-click rebase-and-merge supports fast-forward and semi-linear merges. GitLab Duo respects branch protection rules and doesn’t force-push to protected branches.
This release also moves the GitLab Duo Core to usage-based billing. Code Suggestions in the Web IDE and desktop IDEs now use GitLab Credits, and GitLab Duo Chat becomes agent-based, running on the GitLab Duo Agent Platform that teams must enable to keep using it. Platform engineers gain Components Analytics, which shows which CI/CD Catalog components and versions run across an organisation and where security fixes haven’t yet landed.
On the supply chain, the SBOM-based dependency scanner becomes generally available, covering ecosystems including Maven, npm, NuGet, PyPI, Go, and Cargo. Automatic dependency resolution, which generates the required lockfiles or dependency graph exports when a project hasn’t committed them, is enabled by default for Maven, Gradle, and Python, with manifest scanning as a fallback when necessary. Security configuration profiles let teams turn on Secret Detection, SAST, and dependency scanning through policies rather than per-project CI changes. For self-hosted teams, the GitLab Duo Agent Platform adds four open-source models, including Mistral Devstral 2 123B and GLM-5.1, for air-gapped environments, and now supports Claude Opus 4.7 and Gemini.
Manav Khurana, chief product and marketing officer at GitLab, said that “AI made it faster to generate code, but it did not make it easier to trust or secure it at scale.” He added that “when security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships, and that is exactly what GitLab 19.0 delivers.”
GitLab 19.0 also tightens platform requirements, setting PostgreSQL 17 as the minimum, ending Redis 6 support, and dropping Linux packages for Ubuntu 20.04 and SUSE distributions. Competing companies, including GitHub and Atlassian, are pursuing similar agentic features, so the practical decision for platform teams is which governance and pricing model aligns best with their security needs and budget constraints.









