What's new in GitLab 18.4

New CI/CD workflows, a library of specialized agents, GitLab Runner improvements, richer Knowledge Graph for navigating complex codebases, enhanced AI governance, and much more.

AI-native development with automation and insight

With GitLab 18.4, we're evolving the way humans and AI work together with custom agents, code-aware accuracy, and automated pipeline fixes to keep developers in flow.

Bill Staples

Released

AI Catalog (Beta)

Manage

Plan

Code

AI

A shared library of reusable and specialized agents, allowing developers to:

  • Create custom agents with defined behaviors and tools.

  • Share agents project-wide or across the organization.

  • Test agents before rollout to ensure predictable performance.

  • Build common use cases like security scanning, docs drafting, or deployment validation.

Enables AI agents to act as teammates, allowing developers to:

  • Start fresh conversations or resume previous ones with custom agents.

  • Run agents synchronously or asynchronously.

  • Access session views with logs, user info, and tool metadata for visibility.

Developers and AI agents use the Knowledge Graph to accelerate large codebase navigation and quickly answer complex questions. Developers can:

  • Utilize real-time indexing to map files, routes, and references across projects.

  • Use go-to-definition, reference tracking, and in-chat search.

  • Ask precise questions like "show me all route files" or "what does this change impact?"

  • Accelerate onboarding, deep research, and confident refactors.

New flow keeps software development pipelines functional by balancing technical fixes and business priorities. To keep developers in the flow state, it is designed to:

  • Detect and prioritize failures based on business importance.

  • Perform root-cause analysis across logs, dependencies, and recent changes.

  • Suggest and apply fixes aligned with deadlines and priorities.

  • Automatically create merge requests with business context.

Ensure consistent and compliant AI use across features and namespaces. GitLab 18.4 allows teams to:

  • Set model defaults at org or feature level.

  • Apply consistent preferences across namespaces.

  • Support GPT-OSS and GPT-5.

  • Note: Model selection is not available for gitlab.com customers, and GPT models are not supported on gitlab.com.

When group-level model selection is not active, developers can choose their preferred model in Agentic Chat. It allows for:

  • A dropdown selection in Agentic Chat to easily switch models.

  • The selection to persist between conversations.

Helps developers protect sensitive information by controlling the context shared with AI models. It makes it possible to:

  • Exclude specific files (e.g., secrets, proprietary algorithms).

  • Apply path-based rules by directory or file type.

  • Configure at project level with audit visibility.

New CI/CD workflows

Plan

Deploy

Operate

Developers can accelerate their workflows even further with new workflows to:

  • Simulate pipelines against any branch to test and validate changes before commit.

  • Utilize CI/CD job tokens to authenticate Git push requests with fine-grained permissions.

New security capabilities

Secure

Analyze

Operate

In GitLab 18.4, new security capabilities allow developers to:

  • Speed up secret detection scans and reduce noise by excluding low-signal files.

  • Quickly trace original pipeline IDs for resolved vulnerabilities in case they reappear.

Additional flexibility for developers with newly added models for Duo Enterprise self-hosted deployments:

  • GPT-5 on Azure OpenAI.

  • GPT-OSS 20B/120B via vLLM and Azure.

GitLab Runner 18.4

Deploy

Operate

Developers can run pipelines with increased reliability thanks to these improvements in GitLab Runner:

  • FIPS startup fixes.

  • New fastzip flag support.

  • Improved long-polling in Kubernetes.

DevOps teams can now deploy GitLab Dedicated in more regions with enterprise-grade availability and disaster recovery (DR) thanks to the following improvements in 18.4:

  • io2-backed storage and disaster recovery.

  • Availability of all AWS regions in Switchboard.


What's new in GitLab 18.3

Embedded views for real-time work status visibility, new flows, enhanced compliance violations reporting, enterprise governance, and more.

Expanding AI orchestration in software engineering

With GitLab 18.3, we're advancing human-AI collaboration with Flows, governance, and integrations.

Bill Staples

Released

Enable first- and third-party agents within development workflows, giving developers the ability to choose the right AI tools within GitLab's governance and context:

  • MCP server provides standardized, secure AI integration with GitLab projects and APIs.

  • CLI agent support lets you @mention Claude Code, Codex, Amazon Q, Google Gemini, or opencode in issues/MRs to generate code or comments.

  • Agentic Chat for Visual Studio + GitLab UI provides access to Duo agents natively where you work to reduce context-switching.

  • Expanded AI model support (Self-Hosted) allows running GPT (20B/120B), Claude 4, and more through vLLM, Azure, or AWS Bedrock.

Watch the integrations demo

See how GitLab 18.4 integrates any AI agent into your workflow. No more tool switching—mention @Claude in merge requests.

Eliminate repetitive tasks with multi-agent workflows that take ideas from concept to code in minutes, freeing developers to focus on higher-value work:

  • Issue to MR Flow automatically converts issues into merge requests with implementation plans and production-ready code.

  • Convert CI File Flow migrates Jenkins CI/CD configurations into GitLab CI pipelines without manual rewriting.

Watch the Issue to MR Flow demo

See AI turn a simple issue into production-ready code with implementation plans. No more manual coding—just describe the problem.

Watch the Convert CI File Flow demo

See how AI automatically converts your Jenkins configurations into GitLab CI pipelines. Reliable code conversion, quick and easy validation.

Context-aware insights that help agents and developers understand complex codebases and cut hours off discovery and refactoring tasks:

  • Real-time code indexing accelerates search and navigation.

  • Maps dependencies and file relationships across the codebase.

  • Provides AI agents with richer context for more accurate answers.

Enterprise governance

Manage

Operate

AI

Secure

Adopt AI confidently with visibility and control. New governance features ensure agent actions are transparent and compliant with organizational security standards:

  • Agent Insights track and optimize how agents make decisions.

  • Duo Code Review for Self-Hosted provides AI code review with data sovereignty.

  • Hybrid model configurations combine self-hosted and GitLab-managed AI models.

  • OAuth 2.0 for MCP server provides modern, secure authentication to protected resources.

Watch the Agent Insights demo

Discover how Agent Insights tracks every AI decision with full transparency. Complete control – every agent action accounted for.

Watch the GitLab Duo Code Review for Self-hosted demo

See how Duo Code Review provides intelligent feedback while keeping your code secure. Your data never leaves your infrastructure.

Apply least-privilege principles and compliance at scale. GitLab 18.3 embeds security and governance across the SDLC so organizations can standardize without slowing teams down:

  • Custom admin roles create specialized roles with precise admin access.

  • Instance-level compliance frameworks apply policies once and cascade across groups and projects.

  • Enhanced violations reporting provides immediate, actionable alerts tied to compliance controls.

  • Fine-grained CI/CD job tokens limit tokens to only required API endpoints.

  • AWS Secrets Manager integration retrieves secrets securely in CI/CD jobs via OIDC.

Artifact management

Deploy

Operate

Manage

Protect against vulnerabilities and outages by ensuring artifacts and images are immutable and consistently governed across the supply chain:

  • Conan revisions support provides immutable identifiers for C++ packages.

  • Immutable container tags prevent modification of critical production images.

  • Extended immutability protections across npm, PyPI, Maven, NuGet, Helm, and more.

Allow developers access to live project data where they work. Embedded views turn wikis, issues, and epics into living dashboards that update automatically:

  • Insert live GLQL queries in issues, epics, and MRs.

  • Personalize with functions like currentUser() and today().

  • Filter by 25+ fields including labels, milestones, and health.

  • Display as auto-refreshing tables or lists.

Additional developer experience updates

Code

Plan

Manage

Deploy

Operate

AI

More flexibility in how developers use AI models and manage projects with features that improve customization, security, and productivity:

  • Customize Duo Code Review instructions to define project-specific review standards in YAML.

  • Bring your own models (Self-Hosted) to run any compatible model with Duo.

  • Hybrid model selection (Self-Hosted) assigns models per feature to balance scale and security.

  • Surfacing compliance violations with enhanced reports directly maps violations to framework controls.

  • Web IDE source control allows creating/deleting branches, amending commits, and force-pushing directly in the browser.

  • Migration by direct transfer reliably moves large groups/projects between GitLab instances.


What's new in GitLab 18.2

GitLab Duo Agent Platform public beta, custom workflow statuses, enhanced compliance dashboards, and expansive improvements to the core platform.

Reimagining the future of software development

We're delivering critical enterprise capabilities from workflow customization to security governance that will establish the standards for modern software delivery at scale.

Bill Staples

Released

Developers can go beyond basic tracking of projects with configurable statuses that reflect actual workflows:

  • Define workflows for accurate reporting and replace label workarounds with real visibility.

  • Update the status of multiple items with bulk operations across portfolios simultaneously.

  • Board automations can be configured with precise workflow transitions to improve accuracy in workflow stages.

An improved layout makes it possible for developers to juggle dozens of MRs across multiple projects:

  • Role-based views separate author vs. reviewer responsibilities so developers can focus on specific tasks.

  • Workflow view organizes group flows by the review state of MRs for clear next actions.

  • Expanded visibility combines authored and assigned MRs to ensure nothing is missed across projects.

  • The Active merge requests tab makes it easy to find what needs attention now.

Protect production stability and maintain compliance with tags that cannot be modified after creation:

  • Deployment integrity enforces production tags that remain unchanged in order to prevent accidental modifications.

  • Audit trails provide a complete view into container modifications for compliance reporting and security reviews.

  • Pattern-based rules support up to 5 RE2 regex patterns per project to help automatically protect semantic versions and critical tags.

  • Automated exclusions respect immutable tags in cleanup policies to prevent accidental deletion of critical images.

Major enhancements to vulnerability detection help development teams identify and fix security issues faster:

  • Multi-architecture support provides native Linux Arm64 scanning to eliminate emulation and speed up scans.

  • Enhanced archive scanning delivers better vulnerability attribution across images to understand where the issues exist.

  • JavaScript reachability analysis identifies actually-used vulnerable code to reduce false positives and focus remediation efforts.

  • Reachability filtering highlights the most critical vulnerabilities.

Native AWS integration with GitLab CI/CD streamlines enterprise secret management and strengthens security controls:

  • Native AWS support enables direct Secrets Manager and Parameter Store access to eliminate the need for custom scripting.

  • Removes third-party tools to simplify architecture and reduce attack surface.

  • OIDC authentication provides keyless access so teams can manage secrets without storing credentials.

  • Centralized management consolidates secret handling to enable comprehensive security auditing.

Single point of control for organization-wide security policies, eliminating fragmentation across projects:

  • Define once in the CSP, apply everywhere with instance-wide policy enforcement.

  • Business unit flexibility allows teams to inherit and extend organizational policies from the CSP group.

  • Least privilege ensures centralized control with delegated execution.

  • Complete coverage supports all existing security policy types.

Comprehensive improvements to security visibility and reporting help developers quickly demonstrate compliance adherence:

  • PDF Security Reports enable dashboard export for board reporting.

  • Audit Stream controls allow updates to streaming without reconfiguration, preventing manual maintenance.

  • Enhanced filtering by event type, groups, or projects is now available.

  • Vulnerability GraphQL API tracks introduction and resolution pipelines.

  • Credentials Inventory now includes service accounts to show complete token visibility.

The new aggregated compliance view gives stakeholders instant visibility into organizational compliance standards, along with dashboards for:

  • Framework coverage, which shows the percentage of projects with compliance frameworks.

  • Requirement status, which tracks pass/fail rates across the organization.

  • Control effectiveness, which measures aggregate performance data to provide actionable compliance insights.

  • Risk prioritization, which identifies frameworks to focus on the highest-impact improvements.

Comprehensive planning improvements give developers the ability to coordinate complex projects more effectively:

  • Epic assignments provide clear ownership for strategic initiatives.

  • Milestone-to-epic linking connects quarterly objectives to daily work.

  • Unified references introduce new [work_item:123] syntax across GitLab, making it easier to cross-reference items.

  • Display preferences offer customizable metadata visibility for teams to find relevant information.

  • Drawer/full-page toggle lets users choose how to view epic details for their specific needs and preferences.

Enterprise administration capabilities for managing GitLab at scale:

  • Custom Admin Role (Beta) provides granular permissions for Admin Area.

  • Workspace Kubernetes Agents enable instance-wide agent mapping.

Bringing intelligent assistance directly into VS Code and JetBrains IDEs as an enhancement layer so developers can stay in flow:

  • Natural workflow integration gives full context in the IDE to eliminate context switching.

  • Comprehensive access provides Issues, MRs, pipelines, and security data to enable better-informed code decisions.

  • MCP support connects to external tools and data sources to expand capabilities.

  • Pattern-based search enables advanced grep and file discovery to help developers find code quickly.

Fine-grained control over AI features helps organizations balance innovation with governance in GitLab Premium and Ultimate:

  • Hierarchical controls cascade from instance to project to simplify policy management.

  • Feature-specific toggles separate Code Suggestions and Chat controls to enable a controlled rollout.

  • Compliance alignment meets diverse regulatory requirements to ensure responsible AI usage.

  • User flexibility balances innovation with control to support varying team needs.


What's new in GitLab 18.1

Maven virtual registry, SLSA compliance components, enhanced code review, compromised password detection, and foundational platform improvements.

Building the foundation for AI-enhanced DevOps

With GitLab 18.1, we are setting the groundwork for modernized software development where dependency management, security, and compliance become intelligent, automated capabilities that scale with your organization.

Bill Staples

Released

The Maven registry combines multiple repositories into one endpoint, eliminates sequential queries, and reduces setup complexity so developers can focus on coding instead of managing repositories:

  • Intelligent caching accelerates build times to enable teams to iterate and ship faster.

  • Real-time security scanning across all dependencies provides continuous vulnerability detection without manual checks.

  • Enterprise scale supports 20 virtual registries with 20 upstreams each to accommodate large organizations' complex needs.

New pre-built CI/CD components deliver immediate SLSA compliance for software supply chain security without custom development:

  • Automatic provenance generation by GitLab Runner creates a SLSA-compliant attestation, which eliminates manual compliance steps.

  • Cryptographic signing and verification ensure artifact integrity to provide auditable proof of secure builds.

  • Verification Summary Attestations (VSA) for job artifacts enable compliance reporting with minimal maintenance.

Automatic credential checking against breaches helps prevent account compromise:

  • Zero-configuration deployment provides immediate protection without setup.

  • Real-time threat detection checks credentials against known compromised password databases instantly to enable immediate response to emerging threats.

  • Instant security alerts notify users via banner and email when credentials are at risk, with clear remediation steps when action is needed.

Strengthened compliance capabilities help organizations manage regulatory standards at scale:

  • Custom control naming enables clear identification to help compliance teams organize external controls effectively.

  • Pagination for framework UI compliance requirements expanded to 50 to improve navigation for large frameworks.

  • Granular status reporting shows individual control details to provide actionable compliance insights.

  • Variable precedence controls balance security with flexibility to enable customization within policy boundaries.

Production-ready automated code review addresses bottlenecks in software development workflows while maintaining quality standards:

  • Initial automated code review reduces review cycles from hours to minutes to help developers merge code faster.

  • Interactive refinement with @GitLabDuo mentions provides direct feedback to address specific code concerns.

  • Context-aware analysis leverages project understanding to deliver relevant, project-specific recommendations.