GitLab 18.6: From configuration to control

With GitLab 18.6, we’re continuing to advance how AI integrates into everyday software development with enhancements that give teams greater choice and control. GitLab 18.6 will help plan, build, and secure software more intelligently across the entire software lifecycle. Teams now have greater flexibility to select the right models for their workflows, extend AI into secure and self-managed environments, and strengthen visibility and governance across every stage of development.

AI that adapts to you

With 18.6, GitLab’s AI becomes more adaptable to real-world workflows. GitLab Duo Agents now plan with greater context, work seamlessly across IDEs and self-managed instances, and offer new open-source model options — helping teams accelerate delivery without compromising compliance or control.

GitLab Duo Planner and Security Analyst agent enhancements

In 18.6, GitLab Duo Planner and GitLab Duo Security Analyst are now available by default in the Agentic Chat dropdown — no configuration or setup required. Both agents can be used immediately across projects and groups, giving teams built-in assistance for planning, issue refinement, and security analysis.

GitLab Duo Planner agent now works at the group level with awareness of the epic being viewed and supports milestone and iteration workflows. Security Analyst agent provides automated vulnerability review, context interpretation, and guided remediation suggestions. Both agents are also available to self-managed customers.

For a full list of what these agents can do, see the documentation.

gpt-oss-120b model support for GitLab Duo Agent Platform

GitLab Duo Self-Hosted customers can now deploy the gpt-oss-120b model within the GitLab Duo Agent Platform — a high-performance, fully open-source model optimized for agentic workflows. This addition enables teams to execute complex tasks and reasoning-driven processes while maintaining control over model transparency and infrastructure. For organizations that require open, auditable models to address compliance or data sovereignty requirements, gpt-oss-120b provides a reliable alternative to proprietary models without sacrificing performance.

For more information on supported models, please see our documentation.

End-user model selection for cloud-connected self-managed instances (GA)

Cloud-connected self-managed end users can now choose which AI model powers their GitLab Duo Agentic Chat experience directly from the GitLab UI. This gives administrators and end users more control over how conversations perform and how costs and governance requirements are managed.

No matter the deployment environment — on-premises, private cloud, or public cloud — teams can select regionally compliant or in-house models to help satisfy data residency needs and compare model quality for speed or accuracy. This flexibility ensures that every organization can tailor Agentic Chat to its operational priorities.

For full details on how to select a model in Agentic Chat, see the model selection section of the GitLab documentation.

Web IDE support for air-gapped deployments

Air-gapped or tightly controlled environments — such as public sector organizations, defense agencies, and regulated enterprises — can now run the Web IDE with full functionality even without internet access. By allowing administrators to configure their own Web IDE extension host domain, GitLab enables markdown preview, code editing, and GitLab Duo Chat capabilities in isolated or offline systems. This makes it possible for development teams in secure or restricted networks to benefit from modern IDE workflows without sacrificing security and compliance.

Modern interface now default for self-managed instances

Self-managed GitLab instances now default to the modern interface in 18.6, bringing the same streamlined experience already available on GitLab.com to on-premises deployments. The updated layout improves navigation consistency and makes core workflows more intuitive across the platform. Administrators maintain full flexibility with opt-out controls via feature flag or user-level toggling if needed. This update ensures self-managed customers benefit from GitLab's latest interface improvements while maintaining the control and customization options enterprise environments require.

Platform security with awareness and authority

GitLab 18.6 strengthens platform security with deeper context and clearer control, helping security teams focus on the risks that matter most while maintaining governance across every project.

Security attributes and context filtering

Security teams can now apply custom business context labels to projects and groups, transforming raw scan results into prioritized, risk-based insights. Instead of viewing vulnerabilities in isolation, teams can tag projects by business unit, application type, or criticality — then filter and sort security data by impact. This allows organizations to focus remediation on the areas of greatest business risk, helping to accelerate time to resolution for the issues that matter most.

Security Manager default role

To simplify access control and onboarding for security professionals, GitLab introduces a new Security Manager role. This role provides comprehensive permissions across vulnerability management, policy configuration, and compliance features — while maintaining separation of duties by restricting administrative and code modification rights. Security teams gain the access they need from day one, along with governance, consistency, and accountability across the platform.

AI that adapts to your workflow

This release represents more than new capabilities — it's about how GitLab Duo Agent Platform is becoming an embedded part of everyday software development workflows. Watch a walkthrough video that shows how a member of your software development team can start on a new project using GitLab Duo Agent Platform:

Get started today

GitLab Premium and Ultimate users can start using these capabilities today on GitLab.com and self-managed environments, with availability for GitLab Dedicated customers planned for next month.

New to GitLab? Start your free trial and see why the future of development is AI-powered, secure, and orchestrated through the world’s most comprehensive DevSecOps platform.

Note: GitLab Duo Agent Platform is currently in beta. Platform capabilities that are in beta are available as part of the GitLab Beta program. They are free to use during the beta period, and when generally available, they are planned to be made available with a paid add-on option for GitLab Duo Agent Platform.

Stay up to date with GitLab

To make sure you’re getting the latest features, security updates, and performance improvements, we recommend keeping your GitLab instance up to date. The following resources can help you plan and complete your upgrade:

• Upgrade Path Tool — enter your current version and see the exact upgrade steps for your instance

• Upgrade Documentation — detailed guides for each supported version, including requirements, step-by-step instructions, and best practices

By upgrading regularly, you’ll ensure your team benefits from the newest GitLab capabilities and remains secure and supported.

For organizations that want a hands-off approach, consider GitLab’s Managed Maintenance service. With Managed Maintenance, your team stays focused on innovation while GitLab experts keep your Self-Managed instance reliably upgraded, secure, and ready to lead in DevSecOps. Ask your account manager for more information.

This blog post contains "forward‑looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in these statements are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to differ materially. Further information on these risks and other factors is included under the caption "Risk Factors" in our filings with the SEC. We do not undertake any obligation to update or revise these statements after the date of this blog post, except as required by law.