GitLab 15.9 Release

GitLab 15.9 released with new guest roles for viewing private repositories and license approval policies

GitLab 15.9 released with new guest roles for viewing private repositories, license approval policies, notifications in the GitLab for Slack app, a new code suggestions closed beta and much more!

Today, we are excited to announce the release of GitLab 15.9 with guest roles viewing private repositories, license approval policies and license compliance scanner, notifications in the GitLab for Slack app, code suggestions in closed beta and much more!

These are just a few highlights from the 105+ improvements in this release. Read on to check out all of the great updates below.

We thank the wider GitLab community for the 410+ contributions they provided to GitLab 15.9! At GitLab, everyone can contribute and we couldn't have done it without you!

To preview what's coming in next month’s release, check out our Upcoming Releases page, which includes our 15.10 release kickoff video.

GitLab MVP badge

MVP This month's Most Valuable Person (MVP) is awarded to Kyle Edwards

Kyle Edwards contributed the ability to set custom text in a user deactivation email. This feature allows customers to specify why a user account was deactivated, and what steps to take for reactivating it. Kyle was praised for following GitLab’s collaboration value.

“When Kyle was doing the user deactivation email work he was very collaborative with our review process and kept the MRs moving, including writing docs ASAP in order to get the feature over the line for %15.9,” said Hannah Sutor, Sr. Product Manager at GitLab. “The efficient back and forth is truly appreciated, and we recognize that he does not have to do this as a contributor.”

Kyle’s past contributions to GitLab include the runner token rotation, which was recognized by GitLab’s Security Awards Program. Kyle was also recognized for the contribution of .strong_memoize_attr() and RuboCop changes made to enforce its use.

Kyle works at Kitware as co-maintainer of the CMake buildsystem. He joined the GitLab community in 2019 and has been making regular code contributions to GitLab since 2021.

Our thanks go out to Kyle, our latest MVP, for all the amazing work contributing to GitLab 🙌

15.9 Key improvements released in GitLab 15.9

Users with the Guest role can view private repositories

Users with the Guest role can view private repositories

Users with the Guest role and an Ultimate license can now view private repository content if their administrator gives them permission. Administrators must create a new role through the API, and assign that role to users who the administrator wants to have view repository permissions. Previously, users with the Guest role could not view code in private projects, limiting their utility.

Require multiple approvals from Code Owners

Require multiple approvals from Code Owners

You can now precisely define for which files, file types, or directories approval has been designated as optional, required approval by one user, or by multiple users. The latter being the new improvement of the CODEOWNERS file.

So far, if you needed to require multiple approvers be it for compliance reasons or other reasons, you could only do so with an approval rule. However, unlike Code Owner approvals, approval rules apply to entire branches and cannot be refined to apply to specific parts of your code base. So, the multiple approvals would have also been required for changes that do not need a high level of scrutiny leading to unnecessary reviews.

Require multiple approvals from Code Owners

Manage license approval policies

Manage license approval policies

GitLab now supports flexible license approval policies as the replacement for the deprecated License-Check feature. License approval policies improve the experience over the License-check feature in several ways:

  • Users can choose who is allowed to edit license approval policies.
  • Multiple policy rules can be created and chained together.
  • A two-step approval process can be enforced for any desired changes to license approval policies.
  • A single set of license policies can be applied to multiple development projects, or can be applied at the group or subgroup level, to allow for ease in maintaining a single, centralized ruleset.
  • Policies can be used to require approval for any license that is not specifically allowed.

License approval policies can be used alongside the existing License-Check feature, as the two policies are additive and don’t conflict. To get started, verify that the license_scanning_policies feature flag is enabled for your instance and then navigate to Security & Compliance > Policies, create a new Scan Result type policy, and select License scanning for your policy rule.

Notifications now available in the GitLab for Slack app

Notifications now available in the GitLab for Slack app

The GitLab for Slack app is the new home for managing notifications from GitLab to your Slack workspace. Not only can you use existing app features such as slash commands, but you can now also specify which Slack channels you want to notify based on merge request changes, push events, issue changes, and many other GitLab events.

The Slack notifications integration is now deprecated for SaaS customers and will eventually be removed as we continue to expand support for our GitLab for Slack app to better meet your needs. To keep your teams in sync with what’s happening in GitLab, get the GitLab for Slack app today!

Notifications now available in the GitLab for Slack app

Code Suggestions available in closed beta

Code Suggestions available in closed beta

Every day millions of developers use GitLab to contribute code. We’re starting to empower developers to code more efficiently and effectively with a closed beta of GitLab Code Suggestions.

Closed beta participants can use the GitLab Workflow VSCode extension to get code suggestions as they type. Depending on the prompt, the extension either provides entire code snippets like generating functions, or completes the current line. Simply pressing the tab key allows you to accept the suggestions.

Currently we support the following languages with the highest confidence: Python, C, C++, Java, Javascript, and Go.

GitLab Code Suggestions can improve developer productivity, focus, and innovation without context switching and within a single DevSecOps platform. While currently limited in closed beta, interested Ultimate customers can express interest by filling out this form to be considered for early access.

Code Suggestions available in closed beta

Track important incident timestamps on the incident timeline

Track important incident timestamps on the incident timeline

Incident metrics are a set of standard, quantifiable measurements used to track the incident response process. Accurately tracking these metrics will help DevSecOps teams understand how they are performing and whether responses to unplanned outages are getting better or worse. With this release, you can specify optional incident tags to capture relevant incident timestamps. Added tags are displayed next to the timestamp.

Track important incident timestamps on the incident timeline

New License Compliance scanner

New License Compliance scanner

GitLab now supports a new method of detecting licenses that is capable of parsing and identifying over 500 different types of licenses and can extract license information from packages that are dual-licensed or have multiple different licenses that apply. In GitLab’s development testing, this has empirically resulted in dramatically improved accuracy and completeness of results. Fewer CI pipeline minutes are consumed because the License Compliance job is no longer required. Additionally the new method has support for the same languages and versions as GitLab Dependency Scanning.

To use this new scanner, remove the inclusion of the Jobs/License-Scanning.gitlab-ci.yml template in your CI configuration and instead include the Jobs/Dependency-Scanning.gitlab-ci.yml template. After GitLab 16.0, the old method of scanning with the Jobs/License-Scanning.gitlab-ci.yml template will no longer be supported.

Currently this feature is available for GitLab SaaS users behind the license_scanning_sbom_scanner and package_metadata_synchronization feature flags. Users can follow along in GitLab to track the work to enable the license_scanning_sbom_scanner and the package_metadata_synchronization feature flags by default along with work to add support for self-managed instances and offline instances.

New License Compliance scanner

Secure your CI/CD workflows with OpenID Connect (OIDC)

Secure your CI/CD workflows with OpenID Connect (OIDC)

Your software supply chain should include everything needed to deliver and run your software. Securing that supply chain means securing not only your software, but also the surrounding cloud-native infrastructure as well.

In GitLab 15.9 we added additional layers of protection to move our OIDC token from Alpha to production-ready, increasing the security of your CI/CD workflows. A key improvement is the ability to configure the audience claim (aud:), a reserved claim which identifies the audience the JWT is intended for (the target of the token).

Additionally, we increased the security of JWT tokens themselves. Previously, JSON web tokens were pre-defined variables that were made available to all jobs in a pipeline. In this release, you can now restrict the tokens from being available everywhere in the pipeline, and instead specify the exact jobs that need a token. As a result, the risk of a compromised job leaking a token is reduced.

Secure your CI/CD workflows with OpenID Connect (OIDC)

Remove character limitations in unexpanded (raw) masked variables

Remove character limitations in unexpanded (raw) masked variables

Previously it was impossible to mask variables containing certain special characters, for example $, ', or ". This sometimes prevented masked variables from being used for keys or passwords which typically contained one of those characters. In this release, we’ve removed that masking limitation for non-expanded (raw) variables. Note that the value still has an 8-character minimum length, and must not use spaces.

Remove character limitations in unexpanded (raw) masked variables

15.9 Other improvements in GitLab 15.9

API support for bulk user access management

API support for bulk user access management

Users with the Owner role for a group can now use the GraphQL API to change the maximum access level of non-inherited users of a group. This release brings more administrative features to users with the Owner role for groups on GitLab.com, and lays the foundation for future administrative bulk actions.

Dashboard filter to explore projects by programming language

Dashboard filter to explore projects by programming language

Previously, in the Explore Projects tab of the Projects dashboard you could filter projects by name. Now, you can also filter by programming language. By applying this filter, you can narrow down the search results to projects that use only the programming language you’re interested in. This way you can find an open-source project in your favorite programming language to contribute to.

Group owners can disable 2FA for enterprise users

Group owners can disable 2FA for enterprise users

Previously, when a user lost access to their two-factor authentication (2FA), that user had to ask GitLab support to reset their 2FA. Now, group owners are able to disable 2FA for enterprise users. After a user’s 2FA is disabled, that user is prompted to set it up again.

Group owners can disable 2FA for enterprise users

View and filter your activity in one location

View and filter your activity in one location

It can be challenging to retrace your own activity across GitLab. You can view your contributions calendar or the Activity page of your projects, but it is not filtered to just your contributions.

In this release of GitLab, we’ve added a new default tab to the Activity page within the Your work section called Your activity. This gives a focused place to see your contributions in one place and filter by type of activity. You can view your push events, merge events, issue events, comments, wiki, designs, and team. This makes it easier to keep track of your work in GitLab.

View and filter your activity in one location

:active attribute added to the SCIM API

:active attribute added to the SCIM API

The SCIM API now returns the :active attribute for each user. Group Owners can now use this attribute to distinguish between active and inactive users, which is useful as a user can be outside of their group, but still have a SCIM identity.

Convert a Markdown checklist item to a task

Convert a Markdown checklist item to a task

Teams often use Markdown checklist items to outline tasks or completion criteria for an issue, but tracking more in-depth information related to the checklist item has always been limited and cumbersome. With the release of 15.9, you can seamlessly convert a Markdown checklist item in an issue to a task, enabling teams to have a more robust experience tracking and managing an issue’s dependencies by assigning and estimating tasks separately from issues.

Convert a Markdown checklist item to a task

Epics can have child epics from different group hierarchies

Epics can have child epics from different group hierarchies

Until now, epics could only contain sub-epic children from the same group. This was limiting and inconvenient for users who are trying to manage, organize, and communicate on large scale projects that have different sub-initiatives in other groups.

As a continuation of improving cross-functional workflows, you can now add child epics from unrelated groups to a parent epic.

View performance of DORA metrics over the last 180 days

View performance of DORA metrics over the last 180 days

Previously, you could view the performance of DORA metrics over the last week, month, and 90 days. Now, you can view it over the last 180 days as well. This new 180-day visualization allows software leaders to track quarterly metrics improvements and identify historical trends in their DevOps performance.

View performance of DORA metrics over the last 180 days

Control which projects can access your project with a CI/CD job token

Control which projects can access your project with a CI/CD job token

The CI/CD job token stored in the CI_JOB_TOKEN CI/CD variable makes authenticating API calls within jobs more intuitive, enabling advanced automation. For example, the token can be used with bot automation projects that run pipelines in other projects. The token is short-lived, but has the same permissions as the user that triggered the pipeline.

In an effort to make its usage even more secure we are adding a setting that lets you define a list of trusted projects that you allow to use job tokens to access your project. This added layer of security means that only these projects will be able to access your project’s API with a job token. In the bot automation example, it lets you control which bot projects can interact with your own project.

This setting is currently disabled by default in existing projects to avoid impacting pipelines, but we strongly recommend enabling it in all your projects. It is enabled by default for all new projects.

New jobs tab in group runners page

New jobs tab in group runners page

To create a consistent runner experience across admin, group, and project views, the group runners details view now includes a list of past and current jobs that the runner runs. Among other details, you can see the job duration, as well as how much time each job was in queue before it was picked up by the runner. Having an overview of the queued duration can help you further analyze the runner’s queue performance.

New jobs tab in group runners page

Clean up stale environments

Clean up stale environments

You can now more easily stop and clean up stale environments in your projects. Using the API or UI, you can stop all environments that have not been modified since a specified date, excluding protected environments. You can use this to manage the number of environments in your project and keep only the relevant environments in the project.

Clean up stale environments

The first iteration of showing related tags for a deployment only supported completed deployments. With this release, you can now see tags for deployed commits in the Environment page for deployments that are pending approvals as well. This information helps provide the people involved in executing and approving the deployment with more context about what is being deployed.

Automatic revocation of leaked personal access tokens

Automatic revocation of leaked personal access tokens

GitLab Secret Detection now automatically revokes GitLab personal access tokens if they’re found on the default branch of a public project. To activate this protection, you need to use GitLab Secret Detection in the project and use tokens that are prefixed with glpat-.

We previously offered this feature as part of a Beta release and enabled it by default on GitLab.com on 2023-01-23. The feature flag has been removed, so the feature is also active in self-managed instances starting in GitLab 15.9. Leaked tokens are processed on the same system where they’re found: tokens detected on GitLab.com stay on GitLab.com and tokens detected in self-managed instances stay on those instances.

You can read more about the feature in our public blog post.

Secret Detection scans all commits in merge requests

Secret Detection scans all commits in merge requests

Due to technical limitations, GitLab Secret Detection previously scanned only the latest commit on branch pipelines.

Now, when Secret Detection runs in a merge request (MR) pipeline, it scans all of the MR’s commits so you can catch leaks made in earlier commits. This improvement builds on recently-added support for security scanning in MR pipelines, so it’s only available in the Latest version of the Secret Detection CI/CD template, not the Stable version.

You can enable this new feature now by switching to the Latest version of the Secret Detection CI/CD template. We plan to update the Stable templates with this change in GitLab 16.0.

Note that Latest templates can receive breaking changes in any release. To learn more about Stable and Latest templates, see documentation on CI/CD template versioning.

See all commits on the Chain of Custody report

See all commits on the Chain of Custody report

You can now see all commits on the Chain of Custody report. This is useful when:

  • You are interested in a specific non-merge commit.
  • Your organization doesn’t use merge commits.

Previously, you could only select merge commits for the report.

Customize message for user deactivation emails

Customize message for user deactivation emails

You can now add custom text to the email sent to a user when they are deactivated. You can customize this text in the Admin application settings. Previously, you could not change the text in this email.

Thank you Kyle Edwards for your contribution!

Customize message for user deactivation emails

Discord user ID in GitLab profile

Discord user ID in GitLab profile

Users can now add a link to their Discord user ID to their GitLab profile. This link is also returned through the Users API.

Thank you ideclon UK for contributing!

Discord user ID in GitLab profile

Re-import projects from external providers

Re-import projects from external providers

Previously, it was not possible to import projects from external providers more than once. Now you can import projects from external providers many times using different target paths. The re-imported project doesn’t override or merge with previously imported project. External providers include GitHub, Bitbucket Cloud, Bitbucket Server, FogBugz, and Gitea.

Your work sidebar

Your work sidebar

While using GitLab, you may have noticed that some pages don’t have a left sidebar. These pages are primarily user-orientated pages such as your assigned items (issues, merge requests, and to-do items) as well as pages related to your work environment such as groups, projects, and activity. Not having a left sidebar on those pages creates some inconsistency and layout shifting within GitLab.

In this release, we’ve added a new Your work sidebar to add consistency and a dedicated place in our navigation for the things you are working on.

This new sidebar paves the way for our navigation redesign, where the top navigation will move into the left sidebar.

Your work sidebar

Allow filtering by group in epic list and roadmaps

Allow filtering by group in epic list and roadmaps

You can now filter epic lists and roadmaps to show epics from a specific group. This makes it more efficient and flexible to target the information you need.

Display labels on roadmaps

Display labels on roadmaps

Within the roadmap view, we provided limited context about the epics displayed which makes it difficult for users to identify information without leaving the roadmap view. This feature will display assigned labels on the epic list in the sidebar, providing easy access and visibility without leaving the page. In addition, the ability to turn the feature off will be available in roadmap settings.

Display labels on roadmaps

Use quick actions when editing a task’s description

Use quick actions when editing a task’s description

Quick actions are helpful for efficiently updating issues, merge requests, and epics. With this release, you can now use a subset of quick actions when editing a task’s description. Future iterations will introduce additional quick actions and the ability to use them in comments in a task.

Use quick actions when editing a task's description

More control over your SSH connections with gitlab-sshd

More control over your SSH connections with gitlab-sshd

gitlab-sshd is a standalone SSH server, written in Go, that provides more insight and control than OpenSSH. It’s lightweight and contains minimal external dependencies. If you host a self-managed instance, switching from OpenSSH to gitlab-sshd gives you metrics collection, detailed logging, and graceful shutdowns for SSH connections. Unlike OpenSSH, it supports the PROXY protocol and can pass on the original IP address when operated behind a proxy. This enables you to restrict SSH access by IP address when your instance is operated behind a proxy.

GitLab.com has used gitlab-sshd since 15.2, and 100% of the SSH traffic passes through gitlab-sshd. To learn more, read this blog post. To understand how to enable it refer to the documentation.

gitlab-sshd began as a community contribution from @lorenz. Thank you very much for your contribution!

GitLab Runner 15.9

GitLab Runner 15.9

We’re also releasing GitLab Runner 15.9 today! GitLab Runner is the lightweight, highly-scalable agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

Bug Fixes:

The list of all changes is in the GitLab Runner CHANGELOG.

Import npm packages by using CI/CD pipelines

Import npm packages by using CI/CD pipelines

Have you been thinking about moving your npm registry to GitLab but haven’t been able to invest the time in planning a migration? GitLab is proud to announce the MVC launch of an npm package importer. You can now create a config.yml file that defines the packages you want to import from any npm compliant registry into GitLab, such as Artifactory. Then you add the importer to a .gitlab-ci.yml pipeline configuration file, and the importer does the rest. It runs in the pipeline, dynamically generating jobs that import all the packages into your GitLab package registry.

Setting to allow self-approval of a deployment to a protected environment

Setting to allow self-approval of a deployment to a protected environment

You can now allow the person who triggered a deployment pipeline to also approve the deployment to a protected environment. This is useful in emergency situations or for teams where users are allowed to deploy to special environments like production on their own.

Redact Service Desk email addresses in issues

Redact Service Desk email addresses in issues

GitLab Service Desk makes it easy to interact with customers and provide support. To ensure that customer email addresses are kept private, you now need to have at least the Reporter role in a project or group to see the sender address of a Service Desk issue. This applies to both public and private projects.

Redact Service Desk email addresses in issues

New SAST rules

New SAST rules

We’ve added new rules to GitLab SAST for Go, Java, JavaScript/TypeScript, and Python. The new rules add better protection against potential SQL injection, resource exhaustion, and directory traversal vulnerabilities, and identify insecure configurations in common libraries.

The updated rules are included in the latest release of the Semgrep-based SAST analyzer. If you use the default GitLab-managed CI/CD template for SAST on GitLab 15.0 or higher, your pipelines automatically update the Semgrep-based SAST analyzer to use the new rules.

On your first scan after the update, new findings may be created for these new rules.

Static Analysis analyzer updates

Static Analysis analyzer updates

GitLab Static Analysis includes many security analyzers that the GitLab Static Analysis team actively manages, maintains, and updates. The following analyzer updates were published during the 15.9 release milestone. These updates bring additional coverage, bug fixes, and improvements.

  • KICS-based analyzer updated to version 1.6.7. See CHANGELOG for further details. This version includes new rules, bug fixes, and improvements.
  • Kubesec-based analyzer updated to version 2.12.0. See CHANGELOG for further details.
  • PMD Apex-based analyzer updated to version 6.53.0. See CHANGELOG for further details.
  • Secrets analyzer updated to version 8.15.2. See CHANGELOG for further details. This version also improves the detection rule for Google Cloud service account keys.
  • Semgrep-based analyzer updated to improve debug logging. See CHANGELOG for further details.

If you include the GitLab-managed SAST template (SAST.gitlab-ci.yml), you don’t need to do anything to receive these updates. However, if you override or customize your own CI/CD template, you need to update your CI/CD configurations.

To remain on a specific version of any analyzer, you can pin to a minor version of an analyzer. Pinning to a previous version prevents you from receiving automatic analyzer updates and requires you to manually bump your analyzer version in your CI/CD template.

For previous changes, see last month’s updates.

Documentation of Elasticsearch advanced search role privilege requirements

Documentation of Elasticsearch advanced search role privilege requirements

The Elasticsearch advanced search documentation now lists the minimum role privileges required to integrate with Elasticsearch.

Bug fixes, performance improvements, and usability improvements

Bug fixes, performance improvements, and usability improvements

At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance usability. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.

Click the links below to see all the bug fixes, performance enhancements, and usability improvements we’ve delivered in 15.9.

Deprecations Deprecations

New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

  • Default CI/CD job token (`CI_JOB_TOKEN`) scope changed
  • CI/CD jobs will fail when no secret is returned from Hashicorp Vault
  • Secure scanning CI/CD templates will use new job `rules`
  • HashiCorp Vault integration will no longer use CI_JOB_JWT by default
  • Required Pipeline Configuration is deprecated
  • Trigger jobs can mirror downstream pipeline status exactly
  • External field in Releases and Release Links APIs
  • Legacy URLs replaced or removed
  • Filepath field in Releases and Release Links APIs
  • Development dependencies reported for PHP and Python
  • Support for Praefect custom metrics endpoint configuration
  • Secure analyzers major version update
  • SAST analyzer coverage changing in GitLab 16.0
  • Managed Licenses API
  • `omniauth-authentiq` gem no longer available
  • License Compliance CI Template
  • License-Check and the Policies tab on the License Compliance page
  • Legacy Praefect configuration method
  • Default CI/CD job token (`CI_JOB_TOKEN`) scope changed
  • Embedding Grafana panels in Markdown is deprecated
  • The GitLab legacy requirement IID is deprecated in favor of work item IID
  • GitLab Runner platforms and setup instructions in GraphQL API
  • Queue selector for running Sidekiq is deprecated
  • Option to delete projects immediately is deprecated from deletion protection settings
  • External field in GraphQL ReleaseAssetLink type
  • Deprecation and planned removal for `CI_PRE_CLONE_SCRIPT` variable on GitLab SaaS
  • Single database connection is deprecated
  • Enforced validation of CI/CD parameter character lengths
  • Old versions of JSON web tokens are deprecated
  • Slack notifications integration
  • Removals and breaking changes Removals and breaking changes

    The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

    • `omniauth-authentiq` gem no longer available
    • Live Preview no longer available in the Web IDE
    • SaaS certificate-based integration with Kubernetes
    • Changelog Changelog

      Please check out the changelog to see all the named changes:

      Installing Installing

      If you are setting up a new GitLab installation please see the download GitLab page.

      Updating Updating

      Check out our update page.

      Questions? Questions?

      We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.

      GitLab Subscription Plans GitLab Subscription Plans

      • Free

        Free-forever features for individual users

      • Premium

        Enhance team productivity and coordination

      • Ultimate

        Organization wide security, compliance, and planning

      Try all GitLab features - free for 30 days

      We want to hear from you

      Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

      Share your feedback

      Take GitLab for a spin

      See what your team could do with The DevSecOps Platform.

      Get free trial

      Have a question? We're here to help.

      Talk to an expert
      Edit this page View source