New features are regularly released to GitLab SaaS (GitLab.com), with a packaged release available for GitLab Self-Managed every month. Read on to learn more about the new features available on GitLab.com. Note that it may take a few days for a feature to become fully available on GitLab.com, due to deployment schedule and potential
feature flags.
Additional information on
past
releases is available; be sure to check out the
release for other features we've launched recently. We also have information about
what's new
if you're interested in seeing what we are doing next.
Preview
Key improvements released in GitLab Preview
The Planner Agent now includes create and edit features in beta! The Planner Agent is a foundational agent built to support product managers directly in GitLab. Use the Planner Agent to create, edit, and analyze GitLab work items. Instead of manually chasing updates, prioritizing work, or summarizing planning data, the Planner Agent helps you analyze backlogs, apply frameworks like RICE or MoSCoW, and surface what truly needs your attention. It’s like having a proactive teammate who understands your planning workflow and works with you to make better, more efficient decisions. Please provide your feedback in issue 576622.
Security teams often spend significant time investigating SAST findings that turn out to be false positives, diverting attention from genuine security risks.
In GitLab 18.7, we’re introducing AI-powered SAST False Positive Detection to help teams focus on the vulnerabilities that matter.
When a security scan runs, GitLab Duo automatically analyzes each Critical and High severity SAST vulnerability to determine the likelihood that it’s a false positive. The AI assessment appears directly in the vulnerability report, giving security engineers immediate context to make faster, more confident triage decisions.
Key capabilities include:
- Automatic analysis: False positive detection runs automatically after each security scan with no manual triggering required.
- Manual trigger option: Users can manually trigger FP detection for individual vulnerabilities on the vulnerability details page for on-demand analysis.
- Focused on high-impact findings: Scoped to Critical and High severity vulnerabilities to maximize signal-to-noise improvement.
- Contextual AI reasoning: Each assessment includes an explanation of why the finding may or may not be a true positive, based on code context and vulnerability characteristics.
- Seamless workflow integration: Results surface directly in the vulnerability report alongside existing severity, status, and remediation information.
This feature is available as a free beta for Ultimate customers. We welcome your feedback in issue.
The new security dashboards have been updated and modernized. The dashboards were previously available on GitLab.com, and are now enabled by default on GitLab Dedicated and GitLab Self-Managed. Please note that using the new dashboard requires ElasticSearch. The new features include:
A vulnerabilities over time chart that supports:
Filtering based on project or report type.
Grouping by report type and severity.
Direct links to vulnerabilities in the vulnerability report.
A risk score module that calculates the estimated risk for a group or project based on a GitLab algorithm.
Administrators of GitLab Self-Managed and GitLab Dedicated can now restrict which projects are allowed to publish components to the CI/CD Catalog. This new setting enables organizations to maintain a curated, trusted CI/CD Catalog by controlling what components can be published.
Administrators can now specify an allowlist of projects authorized to publish components. When the allowlist is populated with projects, only those projects can publish components. This prevents unauthorized or unapproved components from cluttering the list of published components and ensures all components meet organizational standards and security requirements.
This addresses a key governance challenge for enterprise customers who want to maintain control over their CI/CD component ecosystem while enabling their teams to discover and reuse approved components.
You can set up your CI/CD pipelines to make use of dynamic input selection when creating new pipelines through the intuitive web interface. Now, with dynamic input options, you can configure your pipelines so that input selection options update dynamically based on previous selections. For example, when you select an input in one dropdown, it automatically populates a list of related input options in a second dropdown.
With CI/CD inputs, you can:
Trigger pipelines with pre-configured inputs, reducing errors and streamlining deployments.
Enable your users to select different inputs than the defaults from dropdown menus.
Now have cascading dropdowns where options dynamically update based on previous selections.
This dynamic capability enables you to create more intelligent, context-aware input configurations that guide you through the pipeline creation process, reducing errors and ensuring only valid combinations of inputs are selected.
Heading anchor links now announce with the same text as their corresponding heading, improving the experience for screen reader users. The links also appear after the heading text, providing a cleaner visual presentation.
These changes make it easier for all users to understand and navigate to specific sections of documentation, issues, and other content.
These changes make it easier for all users to understand and navigate to specific sections of documentation, issues, and other content.
Teams using parent-child CI/CD pipelines previously had to navigate through multiple pipeline pages to check test results, code quality reports, and infrastructure changes, disrupting their merge request review workflow.
You can now view and download all reports in a unified view, including unit tests, code quality checks, Terraform plans, and custom metrics, without leaving the merge request.
This eliminates context switching and accelerates merge request velocity, giving teams the ability to deliver features faster without compromising quality.
Security teams can now use warn mode to test and validate the impact of security policies before applying enforcement or to roll out soft gates for accelerating your security program. Warn mode helps to reduce developer friction during security policy rollouts, while continuing to ensure detected vulnerabilities are addressed.
When you create or edit a merge request approval policy, you can now choose between warn or enforce enforcement options.
Policies in warn mode generate informative bot comments without blocking merge requests. Optional approvers can be designated as points of contact for policy questions. This approach enables security teams to assess policy impact and build developer trust through transparent, gradual policy adoption.
Clear indicators in merge requests tell users when policies are in warn or enforce mode, and audit events track policy violations and dismissals for compliance reporting. Developers can bypass scan finding and license policy violations by providing a reasoning for the policy dismissal, creating a collaborative feedback loop between developers and security teams for more effective policy enablement.
When policy violations are detected on a project’s default branch, policies identify vulnerabilities that violate the policy in the vulnerability reports for projects and groups. The dependency list for projects also displays badges that indicate license compliance policy violations.
Additionally, you can use the API to query a filtered list of policy violations on the default branch in a project.
The compliance violations report provides a centralized view of all compliance violations across your
organization’s projects. The report displays comprehensive details about control violations, related audit events,
and enables teams to track violation statuses effectively.
In GitLab 18.7, we’ve introduced powerful filtering capabilities to help you quickly find the violations that
matter most. You can now filter by:
Status
Project
Control
Teams can now also collaborate directly on resolving violations through comments. Within the violation record
itself, teams can:
Tag team members for investigation
Discuss remediation approaches
Document findings—all within the violation record itself.
Together, these features evolve the compliance violations report into a dynamic collaboration platform,
enabling organizations to efficiently discover, analyze, and resolve compliance violations in their groups and
projects.
GitLab Self-Managed users on an Ultimate trial can now access their active trial status, remaining days, accessible features, and expiration notifications from the left sidebar. These enhancements help eliminate confusion about trial duration and make it easier to evaluate paid features before purchase.
You can now control which foundational agents are available in your top-level group or instance. Turn all foundational agents on or off by default, or toggle individual agents to align with your organization’s security and governance policies.
The GitLab Duo and SDLC trends dashboard delivers improved analytics capabilities to measure Duo’s impact on software delivery. The dashboard now provides 6-month trend analysis across Duo feature adoption, pipeline performance, and common development metrics such as deployment frequency and mean time to merge. You can now track code generation volumes and IDE or language trends for Code Suggestions, and observe as your teams adopt new Duo Agent Platform flows. Enhanced user-level metrics enable teams to gain deeper insight into the key Duo features providing continuous value.
A new endpoint for instance-level AI usage is now available for instance administrators to extract all Duo data from either Postgres (3-month retention) or ClickHouse.
Powered by the ClickHouse integration, this dashboard delivers sub-second query performance across millions of data points. For self-managed instances, see improved recommendations and configuration guidance for ClickHouse integration.
Separate models can now be selected for Agentic Chat and for all other agents for top-level groups or instances. This provides more options for model selection for GitLab Duo Agent Platform.
We’re also releasing GitLab Runner 18.7 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.
Advanced vulnerability management is available to all Ultimate customers and includes the following features:
- Grouping data by OWASP 2021 categories in the vulnerability report for a project or group.
- Filtering based on a vulnerability identifier in the vulnerability report for a project or group.
- Filtering based on the reachability value in the vulnerability report for a project or group.
- Filtering by policy violation bypass reason.
GitLab compliance controls can be used in compliance frameworks. Controls are checks against the configuration or
behavior of projects that are assigned to a compliance framework.
Previously, controls related to scanners (for example, checking if SAST is enabled) required your projects to have
a passing pipeline in the default branch before the compliance centre displayed the success or failure status of your
controls.
In GitLab 18.7, we have changed this behaviour to show whether your controls have succeeded or failed based solely on
scan completion, regardless of the overall pipeline status. This helps ease confusion because the compliance status
of your controls reflects whether security scans ran and completed, not whether the entire pipeline passed.
When you enable an agent or flow from the AI Catalog in your project, GitLab now pins it to a specific version. This means your AI-powered workflows stay stable and predictable even as catalog items evolve, so you can test and validate new versions before you upgrade.
Advanced search now returns matching results from both merge request descriptions and comments. Previously, users had to search merge request descriptions and comments separately. This improvement provides a more streamlined and comprehensive search workflow for GitLab merge requests.
The Data Analyst Agent is a specialized AI assistant that helps you query, visualize, and surface data across the GitLab platform. It uses GitLab Query Language (GLQL) to retrieve and analyze data, then provides clear, actionable insights about your projects.
You can find example prompts and use cases in the documentation.
This agent is currently in beta status, so please share your thoughts in the feedback issue to help us improve and provide insight into where you’d like to see this go next.
You can now report agents and flows to instance administrators when you encounter problematic content. Submit an abuse report that includes your feedback, and an administrator can choose to hide or delete the harmful item. Use this feature to keep your agents and flows safe across your entire organization.
GitLab Duo Chat now supports the AGENTS.md specification, an emerging standard for providing context and instructions to AI coding assistants.
Unlike custom rules that are only available to GitLab Duo, AGENTS.md files are also available for other AI coding tools to use. This makes your build commands, testing instructions, code style guidelines, and project-specific context available to any AI tool that supports the specification.
GitLab Duo Chat in your IDE automatically applies available instructions from AGENTS.md files in your repository, set at the user or workspace level. For monorepos, you can place AGENTS.md files in subdirectories to provide tailored instructions for different components.
