Integrate third-party scanner results with GitLab (GA)
Any scanner that outputs SARIF now runs under your GitLab policies across every project, so the security tools you already use give you coverage you can prove.
Secret false positive detection with GitLab Duo (GA)
Spend less time triaging secrets that turn out to be false positives. GitLab Duo Agent Platform analyzes critical and high severity findings, scores confidence, and flags false positives so security teams remediate only genuine exposures.
Compliance framework templates (Beta)
Stand up compliance frameworks faster with 19 pre-built templates covering ISO 27001:2022, SOC 2, FedRAMP, NIST, CIS, TISAX, and more.
Close coverage gaps with the Scanner Enablement Wizard (GA)
Find missing coverage easily by running the wizard to identify projects that require your attention. You can configure profiles that define which scanner to run. Bulk-apply profiles to projects and sub-groups to cut down on manual checks.
New event triggers for flows and external agents
Automate more of the merge request lifecycle without manual handoffs. Four new triggers let flows and external agents respond when a merge request moves from draft to ready, hits a code conflict, or receives approval, or when a work item is created. Plus, we've shipped new configuration capabilities for the existing Pipeline Events trigger.
Custom and external AI feature controls (GA)
Control which AI agents and flows are available in your environment. Administrators and top-level group owners can prevent users from creating custom agents or flows and restrict agents from outside the group hierarchy.
Custom flows YAML validation (GA)
Catch configuration errors before they reach production. The AI Catalog validates custom flow YAML at save time, surfacing syntax errors and misconfigured parameters in the UI rather than at runtime.
Model selection allowlist (Beta)
Give teams model choice within guardrails. Configure an allowlist of approved AI models and set an organization-wide default for Agentic Chat so users pick from approved options that fit your team’s requirements.
Tool approval guardrails for GitLab Duo agents
Control what your AI agents can do, tool by tool. Configure approval policies with three modes (Allow, Ask, or Deny) across Agentic Chat, IDE, and flows, with audit events for every approval decision.
Automate assigning Code Owners as reviewers (GA)
Get the right reviewers on every merge request without manual assignment. When a merge request is created as ready or marked ready from draft, GitLab assigns every Code Owner that matches the changed files.
Stacked merge requests in the UI (GA)
Navigate dependent merge requests without losing context. GitLab detects stacked merge requests automatically and shows them in the header, with a stack control to jump between any merge request in the stack.
Pattern-based tool approval for Agentic Chat (Beta)
Approve a tool once and skip repeated prompts for the rest of the session. Choose "Approve all uses of this tool for session" to approve invocations whenever arguments match the approved pattern. Available in GitLab UI, Duo CLI, VS Code, and JetBrains IDEs.
GPT models for Code Review Flow (GA)
Choose from more models for automated code review. Code Review Flow now supports GPT-5.2 and GPT-5.3 Codex alongside Anthropic Claude, with review quality comparable to the default Claude Sonnet 4.6 Vertex model.
Inline blame in the blob viewer (GA)
Understand who changed what without leaving the file view. Toggle inline blame to see the last author per line, with hover popovers for commit details, prior-change blame, and revision ignore options.
Security Manager role (GA)
Give security teams the access they need without over-provisioning. The Security Manager role provides vulnerability management, dashboards, policy configuration, and compliance tools without requiring Developer or Maintainer roles.
Scheduled pipeline execution policies (Beta)
Keep security coverage consistent even when code isn't changing. Enforce custom CI/CD jobs on a daily, weekly, or monthly cadence across projects, independent of commit activity.
Improved secret detection coverage for feature branch pipelines (GA)
Close a gap where secrets in earlier feature branch commits could go undetected. Secret detection now scans every commit from the branch's divergence point with the default branch to the latest commit.
Stream AI audit events to external destinations (Beta)
Get real-time visibility into AI activity in your existing security toolchain. Stream AI audit events to external destinations through GitLab's audit event streaming infrastructure.
Custom lifetime for OAuth access tokens (GA)
Tighten token lifetimes for security-sensitive integrations. Set a custom lifetime (300 to 7,200 seconds) for new OAuth access tokens, including tokens issued to MCP clients.
Git operation audit events for all actor types
Close a blind spot in Git audit coverage. Audit logging for clone, pull, fetch, and push operations now extends to all actor types, including runners using deploy tokens and SSH certificate users.