What's changing

Here is what you need to know:

Enhanced testing guidance

We're placing stronger emphasis on local testing environments to protect both researchers and our production infrastructure. We're strongly recommending local GitLab Development Kit (GDK) testing for most security research. The GDK gives you access to cutting-edge features before public release and the freedom to experiment without production infrastructure concerns.

If you need to demonstrate denial-of-service (DoS) impact, we recommend testing on a self-managed GitLab instance with specifications and resources equal to or greater than the self-managed GitLab installation requirements.

For vulnerabilities requiring GitLab.com production architecture, you must use test accounts created with your HackerOne email alias: yourhandle@wearehackerone.com.

Refined scope for better focus

We've clarified several scope areas based on community feedback:

DoS is out of scope: Exceptions may be considered for application layer DoS vulnerabilities that achieve persistent total service disruption AND can be executed through unauthenticated endpoints. Some examples include ReDoS, logic bombs, etc.

Prompt injection: Standalone prompt injection is out of scope, but prompt injection may be eligible if it serves as an initial vector to achieve harm beyond its security boundary.

Metadata and enumeration: General information gathering remains out of scope while privacy breaches exposing confidential data are in scope. We've provided new, detailed examples distinguishing between these two types of issues on the program policy page.

Transition period for researchers

We recognize that policy changes can create uncertainty for researchers with active investigations. To maintain trust during this transition and avoid disrupting valuable research already under way:

• GitLab is offering a 7-day grace period for DoS reports submitted before 2026-01-22, 9:00 p.m. Pacific Time (2026-01-23T00:05:00Z). Reports submitted before then will be evaluated under our previous policy.

Your investment in GitLab's security matters to us, and we're committed to honoring the policy under which you began your research.

Our commitment to the community

These changes reflect our deep commitment to the researcher community through three key principles.

1. We're prioritizing transparency by establishing clearer boundaries and objective criteria that reduce ambiguity and prevent disputes.

2. We're enhancing safety through improved testing platform guidance that protects both production systems and researchers from accidental service disruption.

3. We're ensuring fairness through consistent evaluation standards and provisions that guarantee equitable treatment for all researchers, including those already in the program.

Scope refinements also support program sustainability by focusing resources on high-impact security issues while maintaining broad coverage.

Get started

Ready to contribute to GitLab's security?

• New researchers: Visit our HackerOne program page.
• Set up local testing: Download the GitLab Development Kit.
• Review full policy: Check our complete documentation for detailed guidelines.
• Understand severity assessment: Explore our CVSS calculator.

We're grateful for the security research community's ongoing partnership in keeping GitLab secure. Your expertise and dedication make a real difference for millions of users worldwide.

Questions about these changes? Reach out to our team by creating an issue in our HackerOne questions project on GitLab.

AI tools have been rapidly improving developers’ ability to write code, and in some cases, developers are reporting 10x productivity gains. Unfortunately, since only about 20% of a developer’s time is spent writing code, the associated improvement in total innovation velocity and delivery gained by AI is incremental. This is often described as the AI paradox in software delivery.

In addition, for many teams, increasing the speed of code authoring has led to new bottlenecks including a larger backlog of code reviews, security vulnerabilities, compliance checks and downstream bug fixes.

GitLab Duo Agent Platform addresses the AI paradox by unlocking intelligent orchestration and agentic AI automation across the software lifecycle.

Learn more in this video, and read more below.

💡 Join GitLab Transcend on February 10 to learn how agentic AI transforms software delivery. Hear from customers and discover how to jumpstart your own modernization journey. Register now.

We're also excited to announce that GitLab customers with active GitLab Premium and Ultimate subscriptions are being credited with $12 and $24 dollars, respectively, in GitLab Credits per user at no additional cost.* These credits will refresh every month and give users access to all GitLab Duo Agent Platform features.

Here is a simple explanation for how GitLab Credits work: a GitLab Credit is a virtual currency used for GitLab’s usage-based products. GitLab Duo Agent Platform usage will draw down on available credits, starting with the included credits mentioned above. From there, customers can decide to commit to a shared pool of credits for their entire organization, or pay for them monthly, on demand. For more information, please check out our article introducing GitLab Credits.

Customers of GitLab Duo Pro or Duo Enterprise subscriptions are welcome to continue using those products, or migrate to Duo Agent Platform at any time. The remainder of your Duo Enterprise contract value can be converted into GitLab Credits at any time. Contact your GitLab representative to learn more.

Here are exciting use cases and capabilities you can try today:

A unified experience for human and agent collaboration

GitLab Duo Agent Platform introduces a unified user experience designed for seamless integration between humans and their AI agents inside GitLab. Developers and their teams can engage Duo Agentic Chat on nearly every page, ask questions contextually, follow async agentic sessions and interact with agents within familiar workflows like issues, merge requests, and pipeline activities — making AI actions transparent and easy to guide through everyday work.

Agentic Chat: Intelligent, context-aware assistance

Gitlab Duo Agentic Chat brings true multi-step reasoning across the GitLab Web UI and IDEs, using full lifecycle context from issues, merge requests, pipelines, security findings, and more. Building on the previously released Duo Chat, Agentic Chat can perform actions on your behalf autonomously and help you answer complex questions more comprehensively. It gives every member of the software team accurate, context-aware guidance that helps improve onboarding, code quality, and delivery speed.

GitLab Duo Agentic Chat supports numerous use cases to enable developer <> AI collaboration. For additional details on how to get started, please see our "Getting started with GitLab Duo Agent Platform" guide and check out this growing set of suggested prompts.

• Analyze In the Web UI, Agentic Chat can create issues, epics, merge requests, and provide summaries, highlight key findings, and offer actionable guidance based on real-time context from the specific project, issue, epic, merge request, and more. Agentic Chat helps developers understand unfamiliar code, dependencies, architecture, and project structure, in the IDE or inside a GitLab repo.
• Code Agentic Chat can generate code, configurations, and infrastructure-as-code across a wide range of languages and frameworks. It can help fix bugs, modernize architecture and code, generate tests, and produce documentation for faster onboarding. Directly at developers' fingertips, Agentic Chat is their collaboration partner in VS Code, JetBrains IDEs, Cursor, and Windsurf, with optional user- and workspace-level rules to tailor responses.
• CI/CD Agentic Chat can help you better understand, configure, and troubleshoot existing pipelines, or create new ones from scratch.
• Secure Agentic Chat can explain vulnerabilities, prioritize issues based on reachability, and recommend fixes that can help save you time.

Agents: Specialists that collaborate on demand

GitLab Duo Agent Platform enables developers to delegate tasks to specialized agents. The platform offers a unique combination of foundational, custom, and external agents, all seamlessly integrated into GitLab user experience, making it easy to choose the right agent for any task.

Foundational agents are pre-built by GitLab experts and are ready out-of-the-box to handle the most complex tasks in the software delivery cycle. The following foundational agents are included as part of GitLab Duo Agent Platform’s general availability, with others currently in beta and coming soon.

• Planner Agent helps teams structure, prioritize, and break down work directly inside GitLab so planning becomes clearer, faster, and easier to act on.
• Security Analyst Agent reviews vulnerabilities and security signals, explains their impact in plain language, and helps teams understand what to address first.

Custom agents can be built using the AI Catalog, a central repository where teams create, publish, manage, and share custom agents and flows across the organization. Teams can create agents and flows with specific context and capabilities to replicate the way their engineering team works — and tackle problems using the engineering standards and guardrails their engineers use.

External agents are seamlessly integrated into GitLab and include some of the very best AI tools available, including Claude Code from Anthropic and Codex CLI from OpenAI. Users will enjoy native GitLab access to these tools for use cases like code generation, code review, and analysis with transparent security and embedded LLM subscriptions.

Together, these approaches give teams flexibility in how they adopt agentic AI, from specialized agents, to organization-specific automation, to integrating external AI tools — all within a single, governed platform.

Flows: Turning multi-step work into repeatable, guided progress

Flows automate complex tasks with multiple agentic workflows, from start to finish.

Our engineering team has built several flows included at GA, with more on the way:

• Developer (Issue to Merge Request) flow builds a structured MR from a well-defined issue so teams can begin work immediately.
• Convert to GitLab CI/CD flow helps teams migrate or modernize pipeline configurations without manual rewriting.
• Fix CI/CD pipeline flow analyzes failures, identifies likely causes, and prepares recommended changes.
• Code Review flow analyzes code changes, merge request comments, and more to streamline code reviews with AI-native analysis and feedback.
• Software development in IDE flow guides work through everyday development and review stages.

MCP Client: Connect GitLab Duo Agent Platform to the tools your teams already use

The MCP Client enables GitLab Duo Agent Platform in IDEs to securely connect to external systems like Jira, Slack, Confluence, and other MCP-compatible tools to pull in context and take action across your DevSecOps toolchain.

Instead of AI assistance being siloed inside individual tools, the MCP Client allows GitLab Duo Agent Platform to understand and operate across the systems where planning, collaboration, and execution actually happen. This reduces manual context switching and enables more complete, end-to-end AI-powered workflows that reflect how teams work in practice.

Included at GA:

• Connection to external MCP-compatible systems such as Jira, Confluence, Slack, Playwright, and Grafana
• Configuration at the workspace and user level
• Group-level controls to enable or restrict MCP usage
• User approval flow for tool access
• Support across Agentic Chat in the IDE extensions

We plan to add more features to the GitLab MCP server capability, which is currently in beta, and make it generally available in upcoming releases.

Choose the right model for your team and workloads

GitLab Duo Agent Platform is built on a flexible model selection framework that enables teams to tailor the platform to align with their privacy, security, and compliance needs. GitLab defaults to an optimal LLM for each feature, but administrators have the option to select from supported models such as OpenAI GPT-5 variants, Mistral, Meta Llama, and Anthropic Claude. This gives teams more precise control and flexibility over what is used for chat, coding tasks, and agent interactions for each specific use case, based on your organization’s standards. For a full list of supported models and details on model section configuration, see the Model Selection section of our documentation.

Governance, visibility, and deployment flexibility

The GitLab Duo Agent Platform gives organizations the control and transparency they need to help them adopt AI responsibly, while offering flexible deployment options that work across different environments.

Included at GA:

• Available on all platforms: GitLab.com, GitLab Self-Managed, and GitLab Dedicated as part of the GitLab 18.8 release cycle.
• Governance and visibility: Teams can see how agents are used, what actions they perform, and how they contribute to work. Usage and activity details help leaders understand adoption, measure impact, and ensure AI is being used appropriately. These controls make it easier to roll out AI at scale with confidence.
• Group-based access controls: Administrators can define namespace-level rules governing which users can access GitLab Duo Agent Platform features, supporting flexible adoption from immediate organization-wide enablement to phased rollouts. With LDAP and SAML integration, they can enable governance at scale without manual configuration.
• Model selection and self-hosted options: LLM selection is available for all GA features across GitLab.com, Self-Managed, and Dedicated. Top-level namespace owners choose the model, and subgroups inherit those settings automatically. For organizations that want more control, the platform supports self-hosted models for GitLab Self-Managed deployments.

Watch a demo of GitLab Duo Agent Platform in action:

Stay up to date with GitLab

To make sure you’re getting the latest features, security updates, and performance improvements, we recommend keeping your GitLab instance up to date. The following resources can help you plan and complete your upgrade:

• Upgrade Path Tool – enter your current version and see the exact upgrade steps for your instance
• Upgrade Documentation – detailed guides for each supported version, including requirements, step-by-step instructions, and best practices

By upgrading regularly, you’ll ensure your team benefits from the newest GitLab capabilities and remains secure and supported.

For organizations that want a hands-off approach, consider GitLab’s Managed Maintenance service. Managed Maintenance can help your team stay focused on innovation while GitLab experts keep your Self-Managed instance reliably upgraded, secure, and ready to lead in DevSecOps. Ask your account manager for more information.

* GitLab customers with active Premium and Ultimate subscriptions will automatically receive $12 and $24 of included credits per user, respectively, which will reset each month. These credits are available for a limited time, and are subject to change (see promo terms).

This blog post contains "forward‑looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in these statements are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to differ materially. Further information on these risks and other factors is included under the caption "Risk Factors" in our filings with the SEC. We do not undertake any obligation to update or revise these statements after the date of this blog post, except as required by law.

Seat-based pricing creates AI “haves" and "have-nots” for engineering teams, a fundamental misalignment with the way that modern agentic AI should be used across the software development lifecycle. Today, you have to buy a seat for every individual before they can start using AI. While this works for the few heavy users, it can be too expensive and unfair for the majority of the team with light or spiky usage. That's why in many organizations, only a portion of the team gets to have an “AI seat."

Add to that, GitLab Duo Agent Platform is different from Duo Pro, Duo Enterprise, and other AI developer tools in the market. Agents and agentic workflows can be invoked by your team when they need AI assistance and triggered by SDLC events running in the background. With Duo Agent Platform, agentic AI is no longer only tied to user seats.

GitLab Credits addresses these issues as our new virtual currency for usage-based pricing, starting with GitLab Duo Agent Platform. That means, every member in your organization with a GitLab account (Premium or Ultimate) can now use agentic AI capabilities without you paying for an AI seat, whether invoked by them or set up as background agents.

How GitLab Credits work

GitLab Credits are pooled across your entire organization. Your GitLab Duo Agent Platform usage is drawn down from GitLab Credits. That includes both synchronous and asynchronous use of agents and agentic flows. This includes:

• Foundational agents such as Security Analyst, Planner, and Data Analyst
• Foundational flows such as Code Review, Developer, and Fix CI/CD Pipeline
• External agents such as Anthropic Claude Code and OpenAI Codex
• Custom agents and flows you build and publish in your GitLab AI Catalog
• Agentic Chat in the GitLab UI and in the IDE used by your developers

Note: External agents are available to try at no cost in 18.8 and do not consume GitLab Credits. We will be introducing pricing next month with our 18.9 release. Custom flows are currently in beta and do not consume GitLab Credits.

The amount of credits drawn down is based on the number of agentic requests by large language models (more details here). As more LLMs become available, we will certify them for use with GitLab Duo Agent Platform and add to this list, providing customers with a transparent view of how they are consumed.

The total count of GitLab Credits is calculated at the end of the month based on actual usage. This model also automatically offsets usage from power users against that of lighter users, effectively lowering your total cost of AI for every individual (as compared to paying per seat for every individual).

For simplicity, each GitLab Credit has an on-demand list price of $1. You can use GitLab Duo Agent Platform without any commitments and usage is billed monthly (at the end of each month). For enterprise customers that sign up for annual commitments, we offer volume discounts for monthly credits.

As a limited-time promotion*, all GitLab customers that have active Premium and Ultimate subscriptions will automatically receive $12 and $24 in included credits per user, respectively. These credits will refresh every month until the end of the promotion period and give your team access to all GitLab Duo Agent Platform features at no extra cost. When you accept our billing terms, any usage above these included credits will be billed through committed monthly credits or on-demand credits.

Cost governance with GitLab Credits

Sizing GitLab Credits: Your account team has a sizing calculator as part of the GA of GitLab Duo Agent Platform to estimate the number of GitLab Credits you’ll need every month. This calculator was built with usage patterns we’ve observed during the beta period. In addition, as an existing or a new customer, you can request a free trial to confirm your estimated actual usage.

Usage visibility: With the 18.8 release, you have detailed usage information through two complementary dashboards — one in the GitLab Customers Portal for billing managers focused on financial oversight, and one in-product for administrators focused on operational monitoring. Both provide attribution of usage, cost breakdowns, and historical trends so you always know exactly how your credits are being consumed. If you follow a cross-charging practice internally, you’ll be able to use project- and group-level rollups for cost allocations.

Usage controls: You can enable or disable GitLab Duo Agent Platform access for specific teams or projects, ensuring only approved usage can tally up to your credits. We also plan to add user-level controls shortly after GA to help you manage who can use GitLab Duo Agent Platform capabilities and draw-down credits.

Automated usage notifications: We’ll proactively keep you informed about your GitLab Credit usage via email alerts when you reach 50%, 80%, and 100% of your committed monthly credits, giving you time to adjust usage, purchase additional commitments, or plan for on-demand billing.

Upgrading from seat-based GitLab Duo Pro/Enterprise to GitLab Credits for Duo Agent Platform

If you’ve purchased and are using GitLab Duo Pro and Duo Enterprise, you can keep using those capabilities as supported options. You can upgrade to GitLab Duo Agent Platform at any time and do what you can with “classic” Duo and access new capabilities such as agentic chat, additional foundational agents, custom agents and flows, external agents, and more.

At the time of upgrade, we will roll forward your investment in seats for GitLab Duo Pro and Duo Enterprise to GitLab Credits for Duo Agent Platform. The remaining dollar amount of seat commitments will be exchanged for monthly GitLab Credits with volume-based discounts. The monthly GitLab Credits can then be shared across every team member in your organization you allow, not just the users who had assigned Duo seats before.

Competitive comparison: GitLab Credits vs. seat-based pricing

Getting started

1. For existing Premium/Ultimate customers: With GA, GitLab Duo Agent Platform will be available for customers with active Premium and Ultimate licenses**. GitLab.com SaaS customers will gain access automatically. GitLab Self-Managed customers will gain access when they upgrade to the GitLab 18.8 release (with the planned Duo Agent Platform general availability). GitLab Dedicated customers will be upgraded to GitLab 18.8 during their scheduled maintenance window in February and will be able to use Duo Agent Platform from that point.
2. Enable GitLab Duo: Ensure GitLab Duo Agent Platform is enabled in your namespace settings.
3. Start exploring: Use your included monthly GitLab Credits to try GitLab Duo Agent Platform capabilities.
4. Go beyond included credits: You will be able to opt-in to GitLab Credits for expanded usage beyond included credits at the on-demand list price. For volume discounts with commitment, please contact us to get a quote for your specific usage level.

Visit our GitLab Duo Agent Platform documentation to learn more about getting started.

Notes

* These included promotional credits are available for a limited time at GA, and subject to change at GitLab’s discretion.

** Excludes GitLab Duo with Amazon Q and GitLab Dedicated for Government customers.

To learn more about GitLab Duo Agent Platform and all the ways agentic AI can transform how your team works, visit our GitLab Duo Agent Platform page. If you are an existing GitLab customer, reach out to your GitLab account manager or partner to schedule a live demonstration of our platform capabilities.

GitLab Credits FAQ

1. What are GitLab Credits and why did GitLab introduce them?

GitLab Credits is a new virtual currency for usage-based GitLab capabilities, starting with GitLab Duo Agent Platform. GitLab introduced this model because seat-based pricing was forcing organizations to ration AI access within engineering teams, and Duo Agent Platform usage is not just tied to seats. Credits are pooled across your entire organization, allowing you to give every team member access to AI capabilities, or set up background agentic workflows, without requiring individual seat purchases upfront.

2. How does credit consumption work?

Credits are drawn down based on the number of agentic requests made, with different rates depending on which LLM is used. For example, you get two model requests per credit for Claude-sonnet-4.5 (the default for most features), and 20 requests per credit for models like gpt-5-mini or claude-3-haiku.

3. What's included for existing Premium and Ultimate customers?

As a limited-time promotion, customers with active Premium and Ultimate subscriptions automatically receive included credits free of charge alongside the GA release of Duo Agent Platform in GitLab 18.8:

• $12 in credits per user per month for Premium
• $24 in credits per user per month for Ultimate

Included credits are at a per-user level, refresh monthly, and enable access to all GitLab Duo Agent Platform features at no extra cost. Usage above these included credits will be billed separately. These included promotional credits are available for a limited time after GA, and subject to change at GitLab’s discretion.

4. How can I control and monitor credit usage?

GitLab provides multiple governance tools: detailed usage dashboards in both the Customers Portal and in-product, the ability to enable/disable access for specific teams or projects, upcoming user-level controls, and automated email alerts at 50%, 80%, and 100% of committed monthly credits. We also expect to offer a sizing calculator to estimate your monthly credit needs.

5. How do I get started with GitLab Duo Agent Platform?

Once GA, for existing Premium/Ultimate customers, access is automatic on GitLab.com SaaS. Self-Managed customers gain access when upgrading to GitLab 18.8 with the planned Duo Agent Platform general availability. Simply enable GitLab Duo Agent Platform in your namespace settings and start exploring using your included monthly credits. For usage beyond included credits, you can opt-in to on-demand billing or contact GitLab for volume discounts with annual commitments.

This blog post contains "forward‑looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in these statements are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to differ materially. Further information on these risks and other factors is included under the caption "Risk Factors" in our filings with the SEC. We do not undertake any obligation to update or revise these statements after the date of this blog post, except as required by law.

In this article:

• What is the AI Catalog?
• Browsing and enabling agents and flows
• Creating, sharing, and managing visibility
• Understanding versioning

🎯 Try GitLab Duo Agent Platform today!

Introduction to the AI Catalog

The AI Catalog is a central repository for discovering, creating, and sharing agents and flows across your organization. It promotes consistency, reusability, and collaboration by enabling teams to leverage pre-built solutions and best practices.

What you can do:

• Discover: Browse agents and flows created by GitLab and the community.
• Create: Create and maintain custom agents and flows in a single interface.
• Enable: Enable agents and flows at your top-level group level, then use them in your projects.
• Share: Publish your agents and flows for others to use (Public or Private).
• Duplicate: Copy and customize existing agents and flows.

Accessing and working with the AI Catalog

Navigate to Explore → AI Catalog.

The catalog currently provides two types:

• Agents — Custom agents for on-demand, interactive, or context-specific tasks.
• Flows — Custom flows for repeatable, multi-step automations, orchestrating a team of agents.

For detailed information, see the AI Catalog documentation.

Discover agents and flows

The AI Catalog makes it easy to find agents and flows that fit your needs:

How to browse:

1. Navigate to Explore → AI Catalog.
2. Select either Agents or Flows tab.
3. Browse the available agents or flows and inspect title, description and visibility status.
4. Click on any agent or flow to view more details.

Enabling agents and flows:

Once you find an agent or flow you want to use:

1. Click the agent or flow to view details.
2. Click the Enable in group button to add the agent or flow to your top-level group.
3. Enable it in your project to start using it.

Creating, sharing, and managing visibility

Create agents and flows

Here are step-by-step instructions for creating agents and flows.

Create agents:

Navigate to Explore → AI Catalog → Agents → New agent.

1. Brainstorm and define a specific task or specialization for this agent, for example, a debugging and troubleshooting agent.
2. Add a display name and description to allow others to identify the purpose and why they would want to use the agent, for example troubleshoot-debugger.
3. Specify visibility and access. Select a private project and set visibility to private to start with experiments.
4. Define the agent behavior, capabilities, and specialization in the system prompt. For details on crafting effective system prompts, see Part 3: Understanding agents.
5. Optionally select and limit the tool access for agents. For example, a debugging agent needs read access to code, issues, and merge requests, but may not require write access to make changes.

Create flows:

Navigate to Explore → AI Catalog → Flows → New flow.

1. Brainstorm and define a complex multi-step specific task, for example, a CI/CD pipeline optimizer flow.
2. Add a display name and description to allow others to identify the purpose and why they would want to use the flow, for example ci-cd-optimizer.
3. Specify visibility and access. Select a private project and set visibility to private to start with experiments.
4. Define the flow behavior and its agent components, prompts, and routers. For details on flow YAML structure, see Part 4: Understanding flows.

For more details, see:

• Custom Agents documentation
• Custom Flows documentation

Share your work and set visibility

When creating agents or flows, you can choose between Private and Public visibility to control who can access and use them.

Private:

• Can be viewed only by members of the managing project who have at least the Developer role, or by users with the Owner role for the top-level group.
• Cannot be enabled in other projects.
• Useful for team-specific or sensitive workflows.

Public:

• Viewable by anyone on the instance.
• Can be enabled in any project that meets prerequisites.
• Appears in AI Catalog for discovery.

Best practices for sharing

When publishing agents and flows to the AI Catalog, follow these guidelines:

Naming:

• Use clear, descriptive names (e.g., security-code-review, api-documentation-generator).
• Avoid generic names like agent1 or my-flow.
• Include the purpose in the name when possible.

Documentation:

• Provide a clear description of what the agent or flow does.
• Include use cases and examples.
• Document any prerequisites or dependencies.

Quality:

• Test thoroughly before publishing.
• Ensure the agent or flow solves a real problem.
• Keep it maintainable and well-documented.
• Consider edge cases and error handling.

Visibility decisions:

• Start with Private to test with your team.
• Move to Public once validated and documented.
• Only publish if it provides value to others.
• Consider the audience and use cases.

Understanding versioning

Custom agents and flows in the AI Catalog maintain a version history to track changes.

How versioning works:

• GitLab automatically creates a new version when you update an agent's system prompt or modify a flow's configuration.
• Versions use semantic versioning (e.g., 1.0.0, 1.1.0).
• GitLab manages semantic versioning automatically — updates always increment the minor version.
• Versions are immutable, ensuring consistent behavior.

Version pinning:

When you enable an agent or flow:

• In a group: GitLab pins it to the latest version.
• In a project: GitLab pins it to the same version as your top-level group.

This means:

• Your projects use a fixed, stable version of the agent or flow.
• Updates in the AI Catalog don't automatically affect your configuration.
• You must opt-in to update to new versions — updates are never automatic.
• You maintain full control over when to adopt new versions.

Viewing versions:

• Navigate to Automate → Agents or Automate → Flows.
• Select the agent or flow to view its version on the right side in the About section.

Updating to the latest version

When a new version of an agent or flow is available in the AI Catalog, you can update your projects to use it.

1. Navigate to Automate → Agents or Automate → Flows.
2. Click the agent or flow you want to update.
3. Click the Update button (appears when a newer version is available).
4. Review the changes in the new version.
5. Confirm the update to pin your project to the latest version.

What's next?

You now understand how to discover, create, and share agents and flows through the AI Catalog. Next, in Part 6, learn how to monitor agent and flow activity through sessions, set up event-driven triggers, and manage your AI workflows.

Resources

• AI Catalog documentation
• Custom Agents documentation
• Custom Flows documentation

Next: Part 6: Monitor, manage, and automate AI workflows

Previous: Part 4: Understanding flows

In this article:

• Introduction to customization
• Customize agent behavior
• Extend capabilities with MCP
• Create custom agents and flows

🎯 Try GitLab Duo Agent Platform today!

Introduction to customization

GitLab Duo Agent Platform delivers powerful capabilities right away, and you can unlock even greater value by tailoring it to your team's specific needs. GitLab offers flexible customization options across multiple levels:

• User-level: Personal preferences that apply across all projects (custom rules, AGENTS.md, MCP config)
• Workspace-level: Project-specific configurations (custom rules, AGENTS.md, MCP config)
• Project-level: Custom agents and flows you create and manage within a specific project

Part 1: Customize agent behavior

Custom rules

Custom rules provide instructions for agents and flows, ensuring consistent behavior across your team without requiring repetition. For example, in development style guides or how to execute tests.

Navigate to IDE workspace or user configuration directory.

User-level custom rules

User-level rules apply to all your projects and workspaces.

For detailed instructions on creating user-level custom rules, see the GitLab documentation. Create the file ~/.gitlab/duo/chat-rules.md in your home directory. Example rules:

- Include JSDoc comments for all functions
- Use single quotes for strings
- Follow the existing code style in the repository
- Write concise explanations, avoid lengthy descriptions
- Suggest tests for any code changes
- Use async/await instead of promises

Workspace-level custom rules

Workspace rules apply only to a specific project. They override user-level rules for that project.

Create the file .gitlab/duo/chat-rules.md in your project root.

Example rules for a Vue.js project:

- Use Vue 3 Composition API with `<script setup>`
- Always include TypeScript types for props
- Use scoped styles with SCSS
- Follow the Slippers UI design system
- Keep components under 300 lines
- Use kebab-case for component names
- Include accessibility attributes (aria-*, role)

Best practices for custom rules

• Be specific: "Use single quotes" is better than "follow style guide."
• Prioritize: List most important rules first.
• Team-focused: Rules should reflect your team's standards, not personal preferences.
• Actionable: Rules should be clear enough for an AI agent to follow.
• Maintainable: Update rules when your standards change.
• Avoid conflicts: Don't contradict your codebase's actual style.

Tip: Use Code Owners to manage who approves changes to .gitlab/duo/chat-rules.md.

For a detailed use case tutorial for custom rules, see the Custom rules in GitLab Duo Agentic Chat for greater developer efficiency deep-dive blog post.

AGENTS.md for customizing agent behavior

AGENTS.md is an industry-standard file for customizing agent behavior. It allows you to define how agents should behave in your chat conversations, foundational flows, and custom flows without modifying the agents themselves.

Difference to custom rules: AGENTS.md are consumed by all agents and flows (foundational and custom). It also follows an industry standard that other AI tools can use, for example, Claude Code as external agent. Use AGENTS.md when you want your instructions to apply across multiple contexts.

User-level (applies to all your projects and workspaces):

• macOS/Linux: ~/.gitlab/duo/AGENTS.md
• Windows: %APPDATA%\GitLab\duo\AGENTS.md

Workspace-level (applies to a specific project):

• Create AGENTS.md in your project root.

Subdirectory-level (applies to specific directories in monorepos):

• Create AGENTS.md in subdirectories for context-specific instructions.

How it works:

• User-level AGENTS.md applies globally across all projects.
• Workspace-level AGENTS.md applies to a specific project.
• Subdirectory-level AGENTS.md files provide context for specific parts of your codebase.
• Agents and flows combines instructions from all applicable levels.
• Newly added or updated AGENTS.md instructions require triggering new flows, or starting a new chat with a (custom) agent.

What AGENTS.md controls

• Agent personality and tone
• Project-specific instructions
• Coding standards and conventions
• Tool usage preferences
• Output formatting requirements
• Repository structure and organization

Example AGENTS.md

# Agent Customization for Our Project
## General Guidelines
- Always prioritize code quality over speed
- Follow our project's architecture patterns
- Reference existing code examples when suggesting changes
- Ask for clarification if requirements are ambiguous
## Code Style
- Use TypeScript for all new code
- Follow ESLint configuration in the project
- Include unit tests for all new functions
- Use descriptive variable names (no single letters except loops)
## Documentation
- Add JSDoc comments to all public functions
- Update README.md if adding new features
- Include examples in code comments
## Security
- Never suggest hardcoding secrets or API keys
- Always validate user input
- Use parameterized queries for database operations
- Flag potential security issues immediately

Best practices for AGENTS.md

• Be specific: Include concrete examples from your project.
• Keep it concise: Focus on what's unique to your project.
• Version control: Commit to your repository and track changes.
• Team alignment: Discuss with your team before finalizing.
• Update regularly: Refine as your project evolves.
• Document repository structure: Help agents understand your codebase organization.

Requirements

• GitLab 18.8 or later
• For VS Code: GitLab Workflow extension 6.60 or later
• For JetBrains: GitLab plugin 3.26.0 or later
• For flows: Update flow configuration to access the user_rule context

Learn more about AGENTS.md.

Custom review instructions

Custom review instructions provide specific guidelines for the Code Review foundational flow. The instructions ensure consistent code review standards, and can be tailored to specific file types in your project.

Create the file .gitlab/duo/mr-review-instructions.yaml in your project root.

Example review instructions:

instructions:
  - name: Ruby Style Guide
    fileFilters:
      - "*.rb"           # Ruby files in the root directory
      - "lib/**/*.rb"    # Ruby files in lib and its subdirectories
      - "!spec/**/*.rb"  # Exclude test files
    instructions: |
      1. Ensure all methods have proper documentation
      2. Follow Ruby style guide conventions
      3. Prefer symbols over strings for hash keys

  - name: TypeScript Source Files
    fileFilters:
      - "**/*.ts"        # TypeScript files in any directory
      - "!**/*.test.ts"  # Exclude test files
    instructions: |
      1. Ensure proper TypeScript types (avoid 'any')
      2. Follow naming conventions
      3. Document complex functions

Best practices for custom review instructions:

• Be specific and actionable: Clear, numbered instructions work best.
• Use glob patterns: Target specific file types with fileFilters.
• Focus on important standards: Prioritize the most critical review points.
• Explain the "why": Help reviewers understand the reasoning.
• Test patterns: Ensure glob patterns match the intended files.

Tip: Use Code Owners to protect changes to .gitlab/duo/mr-review-instructions.yaml.

For detailed setup instructions and examples, see the Custom Review Instructions documentation.

Part 2: Extend capabilities with MCP

Model Context Protocol (MCP) enables agents to access external systems like Jira, Slack, AWS, and more. This section covers MCP configuration for extending agent capabilities.

🎯 Try it now: Interactive demo of MCP - Explore how to use Model Context Protocol.

MCP configuration for external integrations

Model Context Protocol (MCP) enables agents to access external systems like Jira, Slack, AWS, and more.

Scope: User-level (applies to all workspaces) or Workspace-level (project-specific, overrides user config)

Create user configuration:

• macOS/Linux: ~/.gitlab/duo/mcp.json
• Windows: C:\Users\<username>\AppData\Roaming\GitLab\duo\mcp.json
• VS Code: Run command GitLab MCP: Open User Settings (JSON)

Create workspace configuration:

• Create file: .gitlab/duo/mcp.json in your project root

Best practices:

• Security first: Use MCP servers that require OAuth and not plain-text password tokens.
• Minimal scope: Only enable MCP servers you actually use and trust.
• Test locally: Verify MCP connections and authorization work before sharing across teams.
• Document integrations: Explain what each MCP server provides.
• Version control: Store configuration in .gitlab/duo/mcp.json with Code Owners' approval.

For detailed setup instructions and configuration examples, see Part 7: Model Context Protocol (MCP) Integration.

Part 3: Create custom agents and flows

Custom agents and flows allow you to automate your team's specific workflows. Before diving into customization, it's helpful to understand what they are and how they work. Here are parts of the Getting started with GitLab Duo Agent Platform guide that can help.

• Part 3: Understanding agents — Learn about foundational, custom, and external agents, and when to use each type.
• Part 4: Understanding flows — Discover how flows orchestrate multiple agents to solve complex problems.
• Part 5: AI Catalog — Learn how to discover, create, and share agents and flows across your organization. Once you understand the basics, this section provides an overview of customization options with links to detailed guides.

System prompts for custom agents

System prompts define an agent's personality, expertise, and behavior. A well-crafted prompt makes agents more effective and aligned with your team's needs.

What are system prompts? System prompts are instructions that tell an agent how to behave, what expertise it has, and how to respond to requests. They're the foundation of custom agent behavior.

Key elements of a strong system prompt:

• Role definition: What the agent is and what it does
• Expertise areas: Specific domains or technologies
• Behavior guidelines: How it should interact and respond
• Output format: Structure of responses
• Constraints: What it should avoid

Best practices:

• Be detailed: More specific prompts produce better results.
• Use examples: Show the agent what good output looks like.
• Define scope: Clearly state what the agent should and shouldn't do.
• Test iteratively: Refine prompts based on agent behavior.
• Version control: Track prompt changes in your repository.

For detailed guidance on crafting system prompts and creating custom agents, see Part 3: Understanding agents.

Custom agents and flows

There is a lot to learn, and for easier reading, the tutorials are split:

Custom agents:

• Learn how to create agents with custom system prompts, configure tools, and manage permissions.
• See Part 3: Understanding agents - Custom agents section.

Custom flows:

• Learn how to create multi-step workflows, configure components, and set up event-driven automation.
• See Part 4: Understanding flows — Custom flows section.

Agent tools:

• Tools determine what actions agents can perform. Configure tools based on your agent's purpose and security requirements.
• See Part 3: Understanding agents for tool configuration details.

Quick reference: When to use customizations

What's next?

Congratulations! You've completed the entire GitLab Duo Agent Platform series. You now understand:

• How to use agents and flows across the entire SDLC, tailored to your use cases
• How to discover and share solutions in the AI Catalog
• How to monitor and manage your AI workflows
• How to extend capabilities with MCP integrations
• How to customize every aspect of GitLab Duo Agent Platform for your team

Return to complete series overview to review all parts and explore specific topics in depth.

Resources

• Custom Rules documentation
• AGENTS.md documentation
• Custom Review Instructions documentation
• Custom Agents documentation
• Custom Flows documentation
• MCP Clients documentation

Previous: Part 7: Model Context Protocol integration

Back to start: Complete series overview

In this article:

• What is GitLab Duo Agentic Chat?
• Accessing GitLab Duo Agentic Chat
• Model selection
• Agent selection
• Common use cases
• Troubleshooting

What is GitLab Duo Agentic Chat?

GitLab Duo Agentic Chat is your primary interface for interacting with AI agents throughout your development workflow. Unlike simple Q&A chatbots that only answer questions, it's an autonomous AI collaboration partner that can take action on your behalf: Creating and modifying code, opening merge requests, triaging and updating issues/epics, and running workflows with full SDLC platform context. It does so while keeping you informed every step of the way.

🎯 Try GitLab Duo Agent Platform today!

Key capabilities:

• Code operations: Create files, edit code, and open merge requests.
• Project insights: Query issues, epics, merge requests, Git commits, CI/CD pipelines, analytics (GLQL), and security scans.
• Actionable tasks: Triage, update, or create issues and epics, remediate vulnerabilities, generate documentation and tests, fix failing CI/CD pipelines.
• Context awareness: Remember conversation history, understand project architecture, and search the codebase, wiki, and GitLab docs.
• Extensibility: Integrate with external services through Model Context Protocol (MCP).
• Multi-agent support: Use specialized agents for different tasks.

🎯 Try it now: Interactive demo of GitLab Duo Agentic Chat — Explore the chat interface and features.

Accessing GitLab Duo Agentic Chat

Web UI panel features

• Collapsed: Icon visible in top-right
• Panel open: Sidebar slides out (~400px width)
• Maximized: Expands for detailed responses

Model selection

Large language models (LLMs) excel at different tasks and knowledge requirements. Choose the right model for your needs when necessary.

Configuration levels

• Group-level: Set by Group Owner, applies to all users
• User-level: Individual control when group allows

Agent selection

Agents are specialized AI collaboration partners for specific tasks. Switch between them based on your needs:

Agent selection

How to switch agents

1. Open GitLab Duo Agentic Chat.
2. IDE: Click the agent dropdown (below model selector).
3. Web UI: Create a new chat.
4. Select the agent you need.

Common use cases

Issue management and triage

For issue management and planning workflows, use the Planner Agent, a specialized agent designed for product management tasks.

Example prompts:

• "List all open issues labeled 'bug' and 'high-priority' created in the last 30 days."
• "Create an issue for implementing user authentication with OAuth2, include acceptance criteria and technical requirements."
• "Analyze Issue #456 and suggest related issues that might have the same root cause."
• "Break down Epic #123 into smaller tasks with estimated complexity."

Vulnerability analysis and remediation

For security workflows, use the Security Analyst Agent, a specialized agent designed for vulnerability management and remediation.

Example prompts:

• "Show me all critical vulnerabilities in the latest pipeline scan."
• "Triage all vulnerabilities from the latest security scan and identify which are false positives."
• "Explain vulnerability #789 in simple terms and show me where it's located in the code."
• "What's the recommended fix for the SQL injection vulnerability in the user search endpoint?"
• "Create an MR to fix the XSS vulnerability found in src/components/UserProfile.vue."

Code understanding and documentation

Get answers about your codebase without having to manually search through files with the GitLab Duo Agent.

Example prompts:

• "How does the authentication flow work in this application?"
• "Find all places where the sendEmail function is called."
• "Explain what the calculateDiscount method does in src/pricing/calculator.ts."
• "Generate documentation for the API endpoints in src/api/routes/."
• "What design patterns are used in the src/services/ directory?"

Onboarding to a new project

Quickly get up to speed on a new project by understanding its architecture, setup, and dependencies using the GitLab Duo Agent.

Example prompts:

• "Give me an overview of this project's architecture and main components."
• "Where is the database schema defined?"
• "How do I set up my local development environment?"
• "What are the main dependencies and what do they do?"

Debugging and pipeline troubleshooting

Quickly identify and resolve issues in your code and CI/CD pipelines with AI-powered analysis using the GitLab Duo Agent.

Example prompts:

• "Why is the CI/CD pipeline failing on the test stage?"
• "Analyze the error logs from Job #12345 and suggest fixes."
• "Why did Pipeline #9876 fail? Show me the error logs from the failed deployment job."
• "The application crashes when processing large files. Help me debug this."
• "Review the recent commits that might have caused the performance regression."
• "How can I optimize the build time for this pipeline?"
• "Create a new CI/CD job to run security scans on every MR."

Code review and quality improvement

Get AI assistance during code reviews to catch issues and improve code quality using a Custom Agent trained on your team's coding standards and best practices.

Example prompts:

• "Review MR !234 for potential bugs and security issues."
• "Suggest performance optimizations for the database queries in this MR."
• "Check if MR !456 follows our coding standards and best practices."
• "Identify any accessibility issues in the new UI components."

Feature implementation

Accelerate development by generating code, tests, and documentation using the GitLab Duo Agent.

Example prompts:

• "Create a REST API endpoint for user registration with validation."
• "Generate unit tests for the OrderService class with 80% coverage."
• "Implement pagination for the product listing page."
• "Add error handling and logging to the file upload functionality."

Refactoring and code improvement

Modernize and improve existing code with AI guidance using GitLab Duo Agent.

Example prompts:

• "Refactor the UserController to follow SOLID principles."
• "Convert this JavaScript file to TypeScript with proper type definitions."
• "Suggest improvements to make this function more testable."
• "Identify code duplication in the src/utils/ directory and suggest how to consolidate it."
• "Modernize the project from Java 8 to 21. Follow the guidance in Epic 188."
• "Create a migration plan for modernizing the COBOL mainframe code, and evaluate Java/Python."

Troubleshooting

What's next?

GitLab Duo Agentic Chat is supported in IDEs and the GitLab UI. Future releases will bring terminal support with GitLab Duo CLI, currently in development. Follow the product epic for more insights. Now that you've learned GitLab Duo Agentic Chat, explore the different types of agents and how to create custom ones in Part 3: Understanding agents. Explore foundational agents, create custom agents for your team, and integrate external agents like Claude Code and OpenAI Codex.

Resources

• GitLab Duo Agentic Chat documentation
• GitLab Duo Agent Platform documentation

Next: Part 3: Understanding agents

Previous: Part 1: Introduction to GitLab Duo Agent Platform

Routine tasks, from code refactoring and security scans to research, can be delegated to specialized AI agents, freeing human developers to focus on solving complex problems and driving innovation.

The platform leverages GitLab's role as a central DevSecOps platform (encompassing code management, CI/CD pipelines, issue tracking, test results, security scans, and more) to provide these agents with complete project context, enabling them to contribute meaningfully while adhering to your team's standards and practices.

This comprehensive eight-part guide will take you from your first interaction to production-ready automation workflows with full customization.

💡 Join GitLab Transcend on February 10 to learn how agentic AI transforms software delivery. Hear from customers and discover how to jumpstart your own modernization journey. Register now.

Evolution from GitLab Duo Pro/Enterprise to Duo Agent Platform

GitLab Duo Agent Platform is an evolution, not a replacement of Duo Pro and Enterprise. It's a superset that moves from 1:1 developer-AI interactions to many-to-many team-agent collaboration.

• Duo Pro enhanced individual developer productivity in the IDE with AI-powered code suggestions and chat.
• Duo Enterprise expanded beyond coding to deliver comprehensive AI capabilities across the entire software development lifecycle. But it was still primarily an approach in enabling 1:1 interaction between the user and an AI assistant — mostly a Q&A experience with one use case at a time.
• Duo Agent Platform moves from 1:1 interactions to many-to-many team-agent collaboration, where specialized agents autonomously handle routine tasks across the software lifecycle.

The complete series

Key concepts reference

Core components

Essential terminology

Ready to get started?

Begin your journey with Part 1: Introduction to GitLab Duo Agent Platform to learn the platform fundamentals.

Feedback

We'd love to hear from you! Found an error? Have a suggestion?

• Open an issue
• Contribute
• Discuss

GitLab Duo Agent Platform represents a fundamental shift in how developers interact with AI during the software development lifecycle. Moving beyond code into full SDLC context, GitLab Duo Agent Platform enables multiple specialized AI agents to work alongside your team, handling complex tasks asynchronously while you focus on innovation and problem-solving.

GitLab Duo Agent Platform transforms traditional linear development workflows into dynamic, multi-agent collaboration systems.

What is GitLab Duo Agent Platform?

GitLab Duo Agent Platform is an AI orchestration layer that enables:

• Asynchronous collaboration between developers and specialized AI agents
• Full SDLC context across code, issues, epics, merge requests, CI/CD pipelines, wikis, analytics, and security scans
• Multi-agent flows where many agents collaborate in parallel on complex tasks
• Intelligent automation that understands your organization's standards, practices, and compliance requirements

Think of it as adding AI team members who can take on entire workflows, from understanding requirements to creating merge requests, while you maintain full visibility and control.

🎯 Try GitLab Duo Agent Platform today!

Platform architecture

GitLab Duo Agent Platform consists of several interconnected components working together to provide comprehensive AI assistance. The diagram below shows the user interaction methods with GitLab Duo Agent Platform. It illustrates the four ways users can engage with agents:

How teams interact with GitLab Duo Agent Platform

Four ways to use agents

1. GitLab Duo Agentic Chat — Open the chat panel in the GitLab UI or your IDE for interactive conversations with foundational and custom agents. Select from available AI models and get real-time help.
2. Trigger Custom Flows — Mention flows in issue or merge request comments, or assign reviewers to automatically trigger Custom Flows. These run asynchronously via runner execution.
3. Trigger Foundational Flows — Built and maintained by GitLab, including Developer, Code Review, Fix CI/CD Pipeline, Convert Jenkins to GitLab CI/CD, and Software Development Flow.
4. Trigger External Agents — Assign or mention external AI agents (like Claude Code or OpenAI Codex) in issue or merge request comments to automatically trigger them. These run asynchronously via runner execution.

Where to manage and discover

• AI Catalog — Browse, create, and share agents and flows across your organization. Discover agents and flows created by GitLab and your team, then add them to your projects. You can also create and publish your own custom agents and flows for others to use.
• Automate Capabilities — Your central hub for managing everything. View and manage your agents, configure and monitor flows, review all activity in sessions (including pipeline status), and set up triggers for event-based automation.

Let's explore each component briefly (we'll dive deeper in subsequent posts):

GitLab Duo Agentic Chat

Your primary interface for interacting with agents. Available as a persistent panel in the GitLab UI and in your IDE. Learn more in Part 2: Getting Started with GitLab Duo Agentic Chat.

Agents

Agents are specialized AI-powered assistants designed to handle specific tasks throughout your development workflow. Think of them as team members with unique expertise and capabilities.

About external agents

External agents run in the background on GitLab platform compute when triggered by mentions (e.g., @ai-codex) or assignments in issues and merge requests. Unlike foundational and custom agents that use synchronous feedback loops, external agents execute asynchronously, enabling powerful automation with specialized AI providers.

What makes agents powerful

• Specialized prompts: Each agent has a unique system prompt that defines its expertise, behavior, and communication style.
• Access to tools: Agents can read files, access issues/MRs/epics, search code, analyze CI/CD job logs and vulnerability reports, and more based on their configuration.
• Project context: Access to issues, merge requests, code, CI/CD pipelines, and security vulnerabilities.

Learn more in Part 3: Understanding agents. Discover how to create custom agents, integrate external AI providers, and configure agent prompts and tools for your team's specific needs.

Flows

Flows are multi-step workflows that combine multiple actions to solve complex problems. Unlike agents that respond to questions, flows execute complete workflows autonomously via runner execution.

What makes flows powerful

• Multi-step execution: Combine multiple operations into a single workflow
• Asynchronous processing: Run in background while you continue working
• Full pipeline access: Execute via runner execution with complete project context
• Event-driven: Automatically triggered by GitLab events

Learn more in Part 4: Understanding flows, including multi-agent workflows.

Agents vs. flows: What's the difference?

Understanding when to use an agent vs. a flow is key to working effectively with GitLab Duo Agent Platform.

Quick decision guide

• Working interactively or want instant feedback? → Use chat
• Need background automation, MR review, or complex multi-file tasks? → Use flow

Key insight

Both agents and flows can take actions and create code. The main difference is how they interact and run: Agents communicate interactively in your chat interface, while flows run asynchronously in the background on platform compute.

AI Catalog

A centralized library where you can browse, discover, create, and share agents and flows across your organization, detailed in Part 5: AI Catalog.

Automate capabilities

Your hub for managing agent and flow workflows:

• Agents: View and manage agents in your project, detailed in Part 3.
• Flows: View, create, and manage flows in your project, detailed in Part 4.
• Sessions: Agent activity logs
• Triggers: Event-based automation management for flows in your project

Understanding sessions

Every agent and flow execution creates a session that logs agentic activities. Sessions provide full transparency into what happened, including agent reasoning, execution details, tool calling, outputs, and the complete decision trail.

To view sessions: Navigate to your project > Automate > Sessions. From there, you can access the pipeline console to see detailed execution logs.

Model selection

One of the powerful features of GitLab Duo Agent Platform is the ability to choose which AI model powers your conversation.

Available in: GitLab 18.4 and later

How to select:

1. Open GitLab Duo Agentic Chat.
2. Look for the model dropdown.
3. Click to see available models.
4. Select the model best suited for your task.

Note: Model selection is currently available in the Web UI only. IDE integration uses the default model selected for your group.

Your first agent interaction

Let's walk through a simple first interaction with GitLab Duo Agentic Chat:

Example 1: Understanding your project (Agent)

Scenario: You've just joined a project and need to understand its structure and architecture.

Steps:

1. Open GitLab Duo Chat panel (click Duo icon in top-right).
2. Ensure Agentic mode (Beta) is toggled on.
3. Select the Duo Agent (default).
4. Type: "Give me an overview of this project's architecture."
5. Press Enter.

What happens:

The agent:

• Analyzes your repository structure
• Reviews your README, code organization, and documentation
• Provides a comprehensive overview with key components

You can ask follow-up questions for clarification.

Example 2: Generating a merge request (Flow)

Scenario: You have an issue that needs to be resolved with code changes.

Steps:

1. Open the issue in GitLab.
2. Click Generate MR with Duo button.
3. An agent session starts.
4. Within a few minutes, an MR is created with:
   • Code changes across multiple files
   • A descriptive commit message
   • An explanation of changes in MR description

What happens:

The Developer Flow:

• Analyzes the issue
• Understands repository structure, design patterns, and SDLC context
• Makes appropriate code changes
• Opens a ready-to-review MR


Common questions

Q: Are my conversations with agents private?

A: Yes. Conversations follow GitLab's standard privacy and security models. Learn more.

Q: Can I use GitLab Duo Agent Platform with self-hosted models?

A: Yes, starting with GitLab 18.8, it requires additional setup. See GitLab documentation.

What's next?

Now that you understand the basics of GitLab Duo Agent Platform, you're ready to dive deeper into each component:

• Part 2: Getting started with GitLab Duo Agentic Chat — Master the persistent chat panel, learn model selection strategies, understand agent switching, and use chat effectively across Web UI and all supported IDEs.
• Part 3: Understanding agents — Explore foundational agents built by GitLab, create custom agents with specialized prompts for your team's workflows, and integrate external CLI agents from providers like Claude Code and OpenAI Codex.
• Part 4: Understanding flows — Discover how flows orchestrate multiple agents to solve complex problems, create custom YAML-defined workflows, and leverage external AI providers for automated pipeline execution.
• Part 5: AI Catalog — Browse the centralized repository to discover agents and flows created by GitLab and the community, add them to your projects, and publish your own solutions for others to use.
• Part 6: Monitor, manage, and automate AI workflows — Monitor all agent and flow activity through sessions, set up event-driven triggers to automate workflows, and manage your entire GitLab Duo Agent Platform ecosystem from one central location.
• Part 7: Model Context Protocol integration — Extend GitLab Duo's capabilities by connecting to external tools like Jira, Slack, and AWS through the open MCP standard, and enable external AI tools to access your GitLab data.
• Part 8: Customizing GitLab Duo Agent Platform - Configure custom chat rules, create system prompts for agents, set up agent tools, integrate external systems with MCP, and customize flows for your team's specific needs.

Resources

• GitLab Duo Agent Platform documentation
• GitLab Duo Agent Platform site
• GitLab Community Forum

Next: Part 2: Getting started with GitLab Duo Agentic Chat

In this article:

• Introduction to Automate capabilities
• Managing agents in your project
• Managing flows in your project
• Setting up event-driven triggers
• Monitoring flows activity with sessions

🎯 Try GitLab Duo Agent Platform today!

Introduction to the Automate capabilities

The Automate capabilities are your central hub for managing AI workflows in GitLab. They provide visibility into agent and flow activity, and enable event-driven automation.

Navigate to Project → Automate.

The Automate menu provides these main sections:

• Agents: View, create, and manage agents in your project
• Flows: View, create, and manage flows in your project
• Triggers: Configure event-based automation for flows
• Sessions: Monitor agent and flow execution with detailed logs

Managing agents

The Agents section allows you to view, create, and manage agents in your project.

Navigate to Automate → Agents.

Both Agents and Flows sections provide two tabs for organizing your resources:

• Enabled: Agents/flows available to your project
• Managed: Agents/flows created and owned by your project

To expand your available agents:

• Create new custom agents, enable at the top-level group, then enable them in your project.
• Browse the AI Catalog and enable existing agents in your top-level group first, then in your project.

For details on creating custom agents, see Part 3: Understanding agents.

Managing flows

The Flows section allows you to view, create, and manage flows in your project.

Navigate to Automate → Flows.

To expand your available flows:

• Create new custom flows, enable at the top level group, then enable them in your project.
• Browse the AI Catalog and enable existing flows in your top-level group first, then in your project.

For details on creating custom flows, see Part 4: Understanding flows.

Automating with triggers

Triggers enable event-driven automation by automatically executing agents or flows when specific GitLab SDLC events occur.

Navigate to Automate → Triggers.

Available trigger event types:

• Mention: Mentioned in a comment, for example, @ci-cd-optimizer.
• Assign: Assigned to an issue or MR, for example, in the UI or quick action /assign @ci-cd-optimizer.
• Assign Reviewer: Assigned as MR reviewer, for example, in the UI or quick action /assign_reviewer @ci-cd-optimizer.

How triggers work:

1. Event occurs (e.g., @ci-cd-optimizer mentioned in MR comment)
2. Trigger identifies the flow to execute
3. Flow runs and starts a session
4. Results posted back to the issue/MR

For setup instructions, see the Triggers documentation.

Monitoring with sessions

Sessions provide transparency into agents and flows execution, including reasoning, executed tools, and outputs. Every run creates a session with an activity log.

Navigate to Automate → Sessions. Sessions show:

• Execution status (Created, Running, Finished, Failed, Input Required, and more)
• Step-by-step progress and actions taken
• Agent reasoning and decision-making process
• Link to Runner job logs (Details tab)

Activity tab

The Activity tab displays the step-by-step execution flow, showing each action the agent took, the tools it used, and the results of those actions.

Details tab

The Details tab provides access to the complete runner job logs, allowing you to see the full execution context and any system-level information about the flow run.

The job logs contain the full execution output, including all system messages, tool invocations, and detailed information about what the flow executed.

For more details, see the Sessions documentation.

What's next?

You now understand how to monitor agent and flow activity through sessions, set up event-driven automation with triggers, and manage your AI workflows from the Automate capabilities. Next, learn how to extend GitLab Duo with external tools and data sources in Part 7: Model Context Protocol integration.

Resources

• Sessions documentation
• Triggers documentation
• Custom Flows documentation
• Custom Agents documentation

Next: Part 7: Model Context Protocol integration

Previous: Part 5: AI Catalog

In this article:

• What are agents?
• Types of agents
• Common use cases
• How to create a custom agent
• Best practices

🎯 Try GitLab Duo Agent Platform today!

What are agents?

Agents are specialized AI collaboration partners within GitLab Duo Agent Platform. Each agent type serves different purposes and runs in different contexts.

Types of agents

Foundational agents

Built and maintained by GitLab, these agents are available immediately with no setup required. The availability of foundational agents can be managed by namespace owners or instance administrators. Start the interaction with foundational agents by opening GitLab Duo Agentic Chat in the IDE or Web UI.

GitLab Duo

This is the default agent, your general-purpose development collaboration partner for creating and modifying code, opening merge requests, triaging and updating issues/epics, and running workflows with full SDLC platform context.

Example prompts:

• "Explain how the authentication system works."
• "Where is the user profile logic located?"
• "How should I implement feature X?"

Planner Agent

Helps with product planning, breaking down epics, and creating structured issues.

Example prompts:

• "Create an epic for the new payment system with subtasks."
• "Break down issue #789 into smaller tasks."
• "Generate acceptance criteria for this feature."

Learn more about Planner Agent.

Security Analyst Agent

Triages vulnerabilities, identifies false positives, and prioritizes security risks.

Example prompts:

• "Triage all vulnerabilities from the latest scan."
• "Which SAST findings are false positives?"
• "Prioritize security issues by actual risk"

Learn more about Security Analyst Agent.

Data Analyst Agent

Queries, visualizes, and surfaces data across the GitLab platform using GitLab Query Language (GLQL) to provide actionable insights about your projects and teams.

Example prompts:

• "How many merge requests were created in the last quarter?"
• "Show me what each team member has worked on this month."
• "What are the trends in issue resolution times?"
• "Find all open issues with the 'bug' label in my project."
• "Generate a GLQL query to count merge requests by author."

Learn more about Data Analyst Agent.

Custom agents

Create your own agents tailored to your team's specific workflows and standards.

Common use cases

• Troubleshooting and Debugging Agent: Debug software bugs and regressions, and analyze deployment failures.
• Documentation Agent: Maintain docs following your conventions.
• Onboarding Assistant: Help new team members with company-specific practices.
• Compliance Monitor: Ensure regulatory requirements are met.
• Localized Support Agent: Triage support issues in a localized language, for example, German.

Watch the GitLab DACH Roadshow Vienna 2025 Duo Agent Platform use cases talk recording:

🎯 Try it now: Interactive demo of Custom Agents — Explore how to create and configure custom agents.

How to create a custom agent

Custom agents are configured through your project or group settings. The key component is the system prompt, which defines your agent's behavior and expertise.

System Prompt Example from the custom agent devops-debug-failures-agent:

Your speciality is that you can correlate static SDLC data with runtime data from CI/CD pipelines, logs, and other tool calls necessary.
Expect that the user has advanced knowledge, but always provide commands and steps to reproduce your analysis so they can learn from you.
Start with a short summary and suggested actions, and then go into detail with thoughts, analysis, suggestions.
Think creative and consider unknown unknowns in your debug journey.

Visibility options:

• Private: Only viewable by members of the managing project (Developer role+). Cannot be enabled in other projects.
• Public: Can be viewed by anyone and enabled in any project that meets the prerequisites. Appears in the AI Catalog for discovery.

Full setup guide available in the documentation.

Best practices

System prompt tips:

• Be specific about the agent's role and responsibilities.
• Define clear quality standards and constraints.
• Include examples of expected output.
• Keep prompts focused on one primary task.

Start small:

• Begin with read-only permissions.
• Test thoroughly before granting write access.
• Gather team feedback and iterate.

External agents

External agents run in the background on the GitLab platform when triggered by mentions (e.g., @ai-codex) or assignments in issues and merge requests. Unlike foundational and custom agents that work interactively in chat, external agents execute asynchronously, enabling powerful automation with specialized AI providers.

Credential management: Starting with GitLab Duo Agent Platform general availability, GitLab-managed credentials will be used to support external agents, preventing the need for customers to manage and rotate API keys themselves.

When to use external agents

• You need specific agentic AI behavior or LLMs for specialized tasks.
• You want event-triggered automation (not interactive chat).
• You need to meet specific compliance or data residency requirements.

Why use external agents?

• Leverage specialized AI models: Access provider-specific capabilities like Claude Code's code analysis or OpenAI Codex's task delegation.
• Meet compliance requirements: Keep data within approved AI providers for regulatory or security policies.
• Experiment with providers: Test different agentic AI and LLM behavior to find the best fit for your workflows.
• Access unique features: Use provider-specific tools like Claude Code's code analysis or OpenAI Codex's task delegation.

Real-world example

A development team uses OpenAI Codex as an external agent for code review. When developers create merge requests, they assign Codex as a reviewer. The agent:

1. Analyzes the code changes in the MR.
2. Checks for best practices and code quality issues.
3. Suggests improvements and optimizations.
4. Posts detailed review comments with specific recommendations.
5. Links to relevant documentation.

All of this happens automatically in the background while the developer continues working, with results posted directly in the merge request.

Supported external agents

The following integrations have been tested and are available:

• Anthropic Claude — Code generation, review, and analysis
• OpenAI Codex — GPT-powered code assistance

Example usage:

@ai-codex Please implement this issue

This triggers a runner execution job that runs the external AI tool and posts results back to GitLab.

Setting up external agents

For complete setup instructions including service accounts, triggers, and configuration examples, see the External Agents documentation.

Customizing agent behavior with AGENTS.md

Customize how agents using AGENTS.md files following the agents.md standard. Learn more in Part 8: Customizing GitLab Duo Agent Platform: Chat rules, prompts, and workflows.

Choosing the best agent type for your use cases

Summary

GitLab Duo Agent Platform offers these agent types:

• Foundational: Ready-to-use agents for common tasks (Chat, Planner, Security Analyst, Data Analyst)
• Custom: Create team-specific agents with custom prompts and behaviors
• External: Integrate external AI tools

Start with foundational agents, create custom agents for team-specific needs, and explore external agents when you need specialized AI providers.

Next: Part 4: Understanding flows

Previous: Part 2: GitLab Duo Agentic Chat

In this article:

• What are flows and how do they work?
• Foundational flows provided by GitLab
• Creating custom flows
• Flow execution and orchestration
• Real-world examples and use cases

🎯 Try GitLab Duo Agent Platform today!

Introduction to flows

Flows are combinations of one or more agents collaborating together. They orchestrate multi-step workflows to solve complex problems, and are executed on the GitLab platform compute.

Key characteristics of flows:

• Multi-agent orchestration: Combine multiple specialized agents
• Built-in: Run on platform compute, no extra environment necessary
• Event-driven: Triggered by mention, assignment, or assign as reviewer
• Asynchronous: Run in background while you continue working
• Complete workflows: Handle end-to-end tasks from analysis to implementation

Think of flows as autonomous workflows that can gather context, make decisions, execute changes, and deliver results, all while you focus on other work.

Flows vs. agents: Understanding the difference

Agents work with you interactively. Flows work for you autonomously.

Flow types overview

Foundational flows

Foundational flows are production-ready workflows created and maintained by GitLab. They're accessible through dedicated UI controls or IDE interfaces.

Currently available foundational flows

Custom flows

Custom flows are YAML-defined workflows you create for your team's specific needs. They run in GitLab Runner and can be triggered by GitLab events.

🎯 Try it now: Interactive demo of Custom Flows — Explore how to create and configure Custom Flows.

Why create custom flows?

Custom flows automate repetitive multi-step tasks that are specific to your team's workflow. Unlike foundational flows that serve general purposes, custom flows are tailored to your organization's processes, tools, and requirements.

Common use cases:

• Automated code review: Multi-stage review process (security scan → quality check → style validation)
• Compliance checking: Verify regulatory requirements, license compliance, or security policies on each MR
• Documentation generation: Auto-update API docs, README files, or changelogs based on code changes
• Dependency management: Weekly security scans, automated updates, and vulnerability reports
• Custom testing: Specialized test suites for your tech stack or integration tests

Real-world example

A fintech company creates a compliance flow that runs on every merge request. When triggered by @compliance-flow, the flow executes the following steps:

1. Security agent scans code for PCI-DSS violations and checks for exposed sensitive data.
2. Code review agent verifies that changes follow secure coding standards and best practices.
3. Documentation agent checks that API changes include updated documentation.
4. Summary agent aggregates findings and posts a compliance report with pass/fail status.

The entire compliance review happens automatically in 5-10 minutes, providing consistent checks across all merge requests.

How to trigger custom flows

Custom flows can be triggered in multiple ways:

1. Via mentions in Issues/MRs: Mention the flow in a comment to trigger it. Example for a documentation generation flow:

@doc-generator Generate API documentation for this feature

2. By assigning the flow to an issue or MR: Assign the flow using either:

• GitLab UI: Click the "Assign" button on the issue/MR and select the flow
• Command: Use the /assign command in a comment. Example:

/assign @doc-generator

3. By assigning the flow as a reviewer: Assign the flow as a reviewer on a merge request using either:

• GitLab UI: Click the "Assign reviewer" button on the merge request and select the flow
• Command: Use the /assign_reviewer command in a comment. Example:

/assign_reviewer @doc-reviewer

Any of these methods automatically triggers the flow to execute and perform its tasks.

How to create custom flows

Custom flows are created through the GitLab UI at Automate → Flows → New flow in your project, or from Explore → AI Catalog → Flows → New flow. You define your flow using YAML configuration that specifies components, prompts, routing, and execution flow. The YAML schema allows you to create sophisticated multi-agent workflows with precise control over agent behavior and orchestration.

Key elements of a custom flow:

• Components: Define the agents and steps in your workflow
• Prompts: Configure AI model behavior and instructions
• Routers: Control the flow between components
• Toolsets: Specify which GitLab API tools agents can use

Example custom flow YAML

Background: This example shows a feature implementation flow for a travel booking platform. When a developer creates an issue with feature requirements, they can trigger this flow to automatically analyze the requirements, review the codebase, implement the solution, and create a merge request, all without manual intervention. Here's the YAML configuration:

version: "v1"
environment: ambient
components:
  - name: "implement_feature"
    type: AgentComponent
    prompt_id: "implementation_prompt"
    inputs:
      - from: "context:goal"
        as: "user_goal"
      - from: "context:project_id"
        as: "project_id"
    toolset:
      - "get_issue"
      - "get_repository_file"
      - "list_repository_tree"
      - "find_files"
      - "blob_search"
      - "create_file"
      - "create_commit"
      - "create_merge_request"
      - "create_issue_note"
    ui_log_events:
      - "on_agent_final_answer"
      - "on_tool_execution_success"
      - "on_tool_execution_failed"

prompts:
  - name: "Cheapflights Feature Implementation"
    prompt_id: "implementation_prompt"
    unit_primitives: []
    prompt_template:
      system: |
        You are an expert full-stack developer specializing in travel booking platforms, specifically Cheapflights.

        Your task is to:
        1. Extract the issue IID from the goal (look for "Issue IID: XX")
        2. Use get_issue with project_id={{project_id}} and issue_iid to retrieve issue details
        3. Analyze the requirements for the flight search feature
        4. Review the existing codebase using list_repository_tree, find_files, and get_repository_file
        5. Design and implement the solution following Cheapflights best practices
        6. Create all necessary code files using create_file (call multiple times for multiple files)
        7. Commit the changes using create_commit
        8. Create a merge request using create_merge_request
        9. Post a summary comment to the issue using create_issue_note with the MR link

        Cheapflights Domain Expertise:
        - Flight search and booking systems (Amadeus, Sabre, Skyscanner APIs)
        - Fare comparison and pricing strategies
        - Real-time availability and inventory management
        - Travel industry UX patterns
        - Performance optimization for high-traffic flight searches

        Code Standards:
        - Clean, maintainable code (TypeScript/JavaScript/Python/React)
        - Proper state management for React components
        - RESTful API endpoints with comprehensive error handling
        - Mobile-first responsive design
        - Proper timezone handling (use moment-timezone or date-fns-tz)
        - WCAG 2.1 accessibility compliance

        Flight-Specific Best Practices:
        - Accurate fare calculations (base fare + taxes + fees + surcharges)
        - Flight duration calculations across timezones
        - Search filter logic (price range, number of stops, airlines, departure/arrival times)
        - Sort algorithms (best value, fastest, cheapest)
        - Handle edge cases: date line crossing, daylight saving time, red-eye flights
        - Currency amounts use proper decimal handling (avoid floating point errors)
        - Dates use ISO 8601 format
        - Flight codes follow IATA standards (3-letter airport codes)

        Implementation Requirements:
        - No TODOs or placeholder comments
        - All functions must be fully implemented
        - Include proper TypeScript types or Python type hints
        - Add JSDoc/docstring comments for all functions
        - Comprehensive error handling and input validation
        - Basic unit tests for critical functions
        - Performance considerations for handling large result sets

        CRITICAL - Your final comment on the issue MUST include:
        - **Implementation Summary**: Brief description of what was implemented
        - **Files Created/Modified**: List of all files with descriptions
        - **Key Features**: Bullet points of main functionality
        - **Technical Approach**: Brief explanation of architecture/patterns used
        - **Testing Notes**: How to test the implementation
        - **Merge Request Link**: Direct link to the created MR (format: [View Merge Request](MR_URL))

        IMPORTANT TOOL USAGE:
        - Extract the issue IID from the goal first (e.g., "Issue IID: 12" means issue_iid=12)
        - Use get_issue with project_id={{project_id}} and issue_iid=<extracted_iid>
        - Create multiple files by calling create_file multiple times (once per file)
        - Use create_commit to commit all files together with a descriptive commit message
        - Use create_merge_request to create the MR and capture the MR URL from the response
        - Use create_issue_note with project_id={{project_id}}, noteable_id=<issue_iid>, and body=<your complete summary with MR link>
        - Make sure to include the MR link in the comment body so users can easily access it

      user: |
        Goal: {{user_goal}}
        Project ID: {{project_id}}

        Please complete the following steps:
        1. Extract the issue IID and retrieve full issue details
        2. Analyze the requirements thoroughly
        3. Review the existing codebase structure and patterns
        4. Implement the feature with production-ready code
        5. Create all necessary files (components, APIs, tests, documentation)
        6. Commit all changes with a clear commit message
        7. Create a merge request
        8. Post a detailed summary comment to the issue including the MR link

      placeholder: history
    params:
      timeout: 300

routers:
  - from: "implement_feature"
    to: "end"

flow:
  entry_point: "implement_feature"

What this flow does: This flow orchestrates an AI agent to automatically implement a feature by analyzing issue requirements, reviewing the codebase, writing production-ready code with domain expertise, and creating a merge request with a detailed summary comment.

For complete documentation and examples, see:

• Custom Flows documentation
• Flow Registry Framework (YAML Schema)

Flow execution

Flows run on GitLab platform compute. When triggered by an event (mention, assignment, or button click), a session is created and the flow starts to execute.

Available environment variables

Flows have access to environment variables that provide context about the trigger and the GitLab object:

• AI_FLOW_CONTEXT — JSON-serialized context including MR diffs, issue descriptions, comments, and discussion threads
• AI_FLOW_INPUT — The user's prompt or comment text that triggered the flow
• AI_FLOW_EVENT — The event type that triggered the flow (mention, assign, assign_reviewer)

These variables allow your flow to understand what triggered it and access the relevant GitLab data to perform its task.

Multi-agent flows

Custom flows can include multiple agent components that work together sequentially. The flow's YAML configuration defines:

• Components: One or more agents (AgentComponent) or deterministic steps
• Routers: Define the flow between components (e.g., from component A to component B to end)
• Prompts: Configure each agent's behavior and model

For example, a code review flow might have a security agent, then a quality agent, then an approval agent, with routers connecting them in sequence.

Monitoring flow execution

To view flows that are running for your project:

1. Navigate to Automate → Sessions.
2. Select any session to view more details.
3. The Details tab shows a link to the CI/CD job logs.

Sessions show detailed information including step-by-step progress, tool invocations, reasoning, and decision-making process.

When to use flows

• Complex multi-step tasks
• Background automation
• Event-driven workflows
• Multi-file changes
• Tasks that take time
• Automated reviews/checks

What's next?

You now understand flows, how to create them, and when to use them vs. agents. Next, learn how to discover, create, and share agents and flows across your organization in Part 5: AI Catalog. Explore the AI Catalog to browse available flows and agents, add them to your projects, and publish your own agents and flows.

Resources

• GitLab Duo Agent Platform Flows
• Foundational Flows documentation
• Custom Flows documentation
• Flow execution configuration
• GitLab CI/CD Variables guide
• Service Accounts

Next: Part 5: AI Catalog

Previous: Part 3: Understanding agents

Why this is happening

This move is a vital part of our Secure by Design commitment. MFA provides critical defense against credential stuffing and account takeover attacks, which remain persistent threats across the software development industry.

Key information to know

What is changing?

GitLab is making MFA mandatory for sign-ins that authenticate with a username and password. This introduces a critical second layer of security beyond just a password.

Does this apply to me?

1. Yes, it applies if: You sign in to GitLab.com with a username and a password, or use a password to authenticate to the API.
2. No, it does not apply if: You exclusively use social sign-on (such as Google) or single sign-on (SSO) for access. (Please note: If you use SSO, but also have a password for direct login, you will still need MFA for any non-SSO, password-based login.)

When is the rollout?

1. The implementation will be a phased approach over the coming months, intended to both minimize unexpected interruptions and productivity loss for users and prevent account lockouts. Groups of users will be asked to enable MFA over time. Each group will be selected based on the actions they’ve taken or the code they’ve contributed to. You will be notified in the following ways:
   • ✉️ Email notification - prior to the phase where you will be impacted
   • 🔔 Regular in-product reminders - 14 days before
   • ⏱️ After a specific time period (this will be shared via email) - blocked from accessing GitLab until you enable MFA

What action do I need to take?

1. If you sign in to GitLab.com with a username and a password:
   • We highly recommend you proactively set up one of the available MFA methods today, such as passkeys, an authenticator app, a WebAuthn device, or email verification. This ensures the most secure and seamless transition:
   • Go to your GitLab.com User Settings.
   • Select the Account section.
   • Activate two-factor authentication and configure your preferred method (e.g., authenticator app or a WebAuthn device).
   • Securely save your recovery codes to guarantee you can regain access if needed.
2. If you use a password to authenticate to the API:
   • We highly recommend you proactively switch to a personal access token (PAT). Read our documentation to learn more.

FAQ

What happens if I don't enable MFA by the deadline?

• You'll be required to set up MFA before you can sign in.

Does this affect CI/CD pipelines or automation?

• Yes, unless you're using PATs or deploy tokens instead of passwords.

I use SSO but sometimes sign in directly, do I need MFA?

• Yes, MFA is required for any password-based authentication, including fallback scenarios.

Which MFA recovery options are available?

• Review the troubleshooting documentation.*

Specific timelines and further resources will be shared as rollout dates approach. Thank you for your attention to this important change.

This is the AI paradox: AI accelerates coding, but software delivery slows down as teams struggle to test, secure, and deploy all that code.

Productivity gains meet workflow bottlenecks

The problem isn't AI itself. It's how software gets built today. The traditional DevSecOps lifecycle contains hundreds of small tasks that developers must navigate manually: updating tickets, running tests, requesting reviews, waiting for approvals, fixing merge conflicts, addressing security findings. These tasks drain an average of seven hours per week from every team member, according to our research.

Development teams are producing code faster than ever, but that code still crawls through fragmented toolchains, manual handoffs, and disconnected processes. In fact, 60% of DevSecOps teams use more than five tools for software development overall, and 49% use more than five AI tools. This fragmentation creates collaboration barriers, with 94% of DevSecOps professionals experiencing factors that limit collaboration in the software development lifecycle.

The answer isn't more tools. It's intelligent orchestration that brings software teams and their AI agents together across projects and release cycles, with enterprise-grade security, governance, and compliance built in.

Seeking deeper human-AI partnerships

DevSecOps professionals don't want AI to take over — they want reliable partnerships. The vast majority (82%) say using agentic AI would increase their job satisfaction, and 43% envision an ideal future with a 50/50 split between human and AI contributions. They're ready to trust AI with 37% of their daily tasks without human review, particularly for documentation, test writing, and code reviews.

What we heard resoundingly from DevSecOps professionals is that AI won't replace them; rather, it will fundamentally reshape their roles. 83% of DevSecOps professionals believe AI will significantly change their work within five years, and notably, 76% think this will create more engineering jobs, not fewer. As coding becomes easier with AI, engineers who can architect systems, ensure quality, and apply business context will be in high demand.

Critically, 88% agree there are essential human qualities that AI will never fully replace, including creativity, innovation, collaboration, and strategic vision.

So how can organizations bridge the gap between AI’s promise and the reality of fragmented workflows?

Join us at GitLab Transcend: Explore how to drive real value with agentic AI

On February 10, 2026, GitLab will be hosting Transcend, where we'll reveal how intelligent orchestration transforms AI-powered software development. You'll get a first look at GitLab's upcoming product roadmap and learn how teams are solving real-world challenges by modernizing development workflows with AI.

Organizations winning in this new era balance AI adoption with security, compliance, and platform consolidation. AI offers genuine productivity gains when implemented thoughtfully — not by replacing human developers, but by freeing DevSecOps professionals to focus on strategic thinking and creative innovation.

Register for Transcend today to secure your spot and discover how intelligent orchestration can help your software teams stay in flow.

Through our GitLab for Education program, we aim to empower the next generation of developers with tools and opportunity. Here is a look at what the students built, and how they used GitLab to bridge the gap between idea and reality.

The challenge: Build faster, build securely

The premise for the GitLab track of the hackathon was simple: Don't just show us a product; show us how you built it. We wanted to see how students utilized GitLab's platform — from Issue Boards to CI/CD pipelines — to accelerate the development lifecycle.

The results were inspiring.

The winners

1st place: Team Decode — Democratizing Scientific Research

Project: FIRE (Fast Integrated Research Environment)

Team Decode took home the top prize with a solution that warms a developer's heart: a local-first, blazing-fast data processing tool built with Rust and Tauri. They identified a massive pain point for data science students: existing tools are fragmented, slow, and expensive.

Their solution, FIRE, allows researchers to visualize complex formats (like NetCDF) instantly. What impressed the judges most was their "hacker" ethos. They didn't just build a tool; they built it to be open and accessible.

How they used GitLab: Since the team lived far apart, asynchronous communication was key. They utilized GitLab Issue Boards and Milestones to track progress and integrated their repo with Telegram to get real-time push notifications. As one team member noted, "Coordinating all these technologies was really difficult, and what helped us was GitLab... the Issue Board really helped us track who was doing what."

2nd place: Team BichdeHueDost — Reuniting to Solve Payments

Project: SemiPay (RFID Cashless Payment for Schools)

The team name, BichdeHueDost, translates to "Friends who have been set apart." It's a fitting name for a group of friends who went to different colleges but reunited to build this project. They tackled a unique problem: handling cash in schools for young children. Their solution used RFID cards backed by a blockchain ledger to ensure secure, cashless transactions for students.

How they used GitLab: They utilized GitLab CI/CD to automate the build process for their Flutter application (APK), ensuring that every commit resulted in a testable artifact. This allowed them to iterate quickly despite the "flaky" nature of cross-platform mobile development.

3rd place: Team ZenYukti — Agentic Repository Intelligence

Project: RepoInsight AI (AI-powered, GitLab-native intelligence platform)

Team ZenYukti impressed us with a solution that tackles a universal developer pain point: understanding unfamiliar codebases. What stood out to the judges was the tool's practical approach to onboarding and code comprehension: RepoInsight-AI automatically generates documentation, visualizes repository structure, and even helps identify bugs, all while maintaining context about the entire codebase.

How they used GitLab: The team built a comprehensive CI/CD pipeline that showcased GitLab's security and DevOps capabilities. They integrated GitLab's Security Templates (SAST, Dependency Scanning, and Secret Detection), and utilized GitLab Container Registry to manage their Docker images for backend and frontend components. They created an AI auto-review bot that runs on merge requests, demonstrating an "agentic workflow" where AI assists in the development process itself.

Beyond the code: A lesson in inclusion

While the code was impressive, the most powerful moment of the event happened away from the keyboard.

During the feedback session, we learned about the journey Team ZenYukti took to get to Mumbai. They traveled over 24 hours, covering nearly 1,800 kilometers. Because flights were too expensive and trains were booked, they traveled in the "General Coach," a non-reserved, severely overcrowded carriage.

As one student described it:

"You cannot even imagine something like this... there are no seats... people sit on the top of the train. This is what we have endured."

This hit home. Diversity, Inclusion, and Belonging are core values at GitLab. We realized that for these students, the barrier to entry wasn't intellect or skill, it was access.

In that moment, we decided to break that barrier. We committed to reimbursing the travel expenses for the participants who struggled to get there. It's a small step, but it underlines a massive truth: talent is distributed equally, but opportunity is not.

The future is bright (and automated)

We also saw incredible potential in teams like Prometheus, who attempted to build an autonomous patch remediation tool (DevGuardian), and Team Arrakis, who built a voice-first job portal for blue-collar workers using GitLab Duo to troubleshoot their pipelines.

To all the students who participated: You are the future. Through GitLab for Education, we are committed to providing you with the top-tier tools (like GitLab Ultimate) you need to learn, collaborate, and change the world — whether you are coding from a dorm room, a lab, or a train carriage. Keep shipping.

💡 Learn more about the GitLab for Education program.

💡 Join GitLab Transcend on February 10 to learn how agentic AI transforms software delivery. Hear from customers and discover how to jumpstart your own modernization journey. Register now.

What's new in 2025?

The shift from 2021 (the last time the list came out) to 2025 represents more than minor adjustments, it's a fundamental shift in application security. Two entirely new categories entered the list and one category was consolidated into another, which highlights emerging risks that traditional testing often misses.

These additions and shifts can be seen in the chart below:

Two new categories

• A03: Software Supply Chain Failures: Expands the 2021 category "Vulnerable and Outdated Components" to encompass the entire software supply chain, including dependencies, build systems, and distribution infrastructure. Despite having the fewest occurrences in testing data, this category has the highest average exploit and impact scores from CVEs.
• A10: Mishandling of Exceptional Conditions: Focuses on improper error handling, logical errors, and failing open scenarios. This addresses how systems respond to abnormal conditions.

Major ranking changes

• Security Misconfiguration surged from #5 (2021) to #2 (2025), now affecting 3% of tested applications.
• Server-Side Request Forgery (SSRF) has been consolidated into A01: Broken Access Control.
• Cryptographic Failures dropped from #2 to #4.
• Injection fell from #3 to #5.
• Insecure Design moved from #4 to #6.

Why these changes were made

The OWASP methodology combines data-driven analysis with community insights. The 2025 edition analyzed 589 Common Weakness Enumerations (CWEs), which is a substantial increase from the approximately 400 CWEs in 2021. This expansion reflects the growing complexity of modern software systems and the need to capture emerging threats.

The community survey component addresses a fundamental limitation: testing data essentially looks into the past. By the time security researchers develop testing methodologies and integrate them into automated tools, years may have passed. The two community-voted categories ensure that emerging risks identified by frontline practitioners are included, even if they're not yet prevalent in automated testing data.

The rise of Security Misconfiguration highlights an industry trend toward configuration-based security, while Software Supply Chain Failures acknowledges the rise of sophisticated attacks targeting compromised packages.

Using GitLab Ultimate for vulnerability detection and management

GitLab Ultimate provides comprehensive security scanning to detect risks across the 2025 OWASP Top 10 categories. For instance, the end-to-end platform analyzes your project's source code, dependencies, and infrastructure definitions. It also uses Advanced Static Application Security Testing (SAST) to detect injection flaws, cryptographic failures, and insecure design patterns in source code. Infrastructure as Code (IaC) scanning finds security misconfigurations in your deployment definitions. Secret Detection prevents the leakage of credentials, and Dependency Scanning uncovers libraries with known vulnerabilities in your software supply chain, which directly addresses the new A03 category for Software Supply Chain Failures.

In addition:

• Dynamic Application Security Testing (DAST) probes your deployed application for broken access control, authentication failures, and injection vulnerabilities by simulating attack vectors.
• API Security Testing probes your API endpoints for input validation weaknesses and authentication bypasses.
• Web API Fuzz Testing uncovers how your application handles exceptional conditions by generating unexpected inputs, which directly addresses the new A10 category for mishandling of exceptional conditions.

Security scanning integrates seamlessly into your CI/CD pipeline, running when code is pushed from a feature branch so developers can remediate vulnerabilities before they reach production. Security findings are consolidated in the Vulnerability Report, where security teams can triage, analyze, and track remediation. GitLab also allows you to leverage AI agents such as Security Analyst Agent, available in GitLab Duo Agent Platform, to quickly determine what are the most critical vulnerabilities and how to take action on them.

You can enforce additional controls through merge request approval policies and pipeline execution policies to ensure security scanning runs consistently across your organization. Customer Success and Professional Services teams at GitLab ensure you derive value from an investment in GitLab in a timely manner.

Deliver secure software faster with security testing in the same platform developers already use. To learn more, visit our application security testing solutions site.

The OWASP Top 10 2025: Complete breakdown

A01: Broken Access Control

What it is

Failures in enforcing policies that prevent users from acting outside their intended permissions, leading to unauthorized access.

Impact on your system

• Unauthorized information disclosure
• Complete data destruction or data modification
• Privilege escalation (users gaining admin rights)
• Viewing or editing other users' accounts
• API access from unauthorized or untrusted sources

Notable CWEs

• CWE-22: Path Traversal
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-352: Cross-Site Request Forgery (CSRF)

A02: Security Misconfiguration

What it is

Systems, applications, or cloud services configured incorrectly from a security perspective.

Impact on your system

• Exposure of sensitive information through error messages
• Unauthorized access through default accounts
• Unnecessary services or features enabled
• Outdated security patches
• Server does not send security headers or directives

Notable CWEs

• CWE-16: Configuration
• CWE-521: Weak Password Requirements
• CWE-798: Use of Hard-coded Credentials

A03: Software Supply Chain Failures

What it is

Breakdowns or compromises in building, distributing, or updating software through vulnerabilities or malicious changes in dependencies, tools, or build processes.

Impact on your system:

• Compromised packages introducing backdoors
• Malicious code injected during build processes
• Vulnerable dependencies cascading through your application
• Use of components from untrusted sources in production
• Changes within your supply chain are not tracked

Notable CWEs

• CWE-1395: Dependency on Vulnerable Third-Party Component
• CWE-1104: Use of Unmaintained Third Party Components

A04: Cryptographic Failures

What it is

Failures related to lack of cryptography, insufficiently strong cryptography, leaking of cryptographic keys, and related errors.

Impact on your system:

• Sensitive data exposure (passwords, credit cards, health records)
• Man-in-the-middle attacks
• Data breach through weak encryption
• Key compromise leading to system-wide exposure
• Regulatory compliance failures (GDPR, PCI DSS)

Notable CWEs

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm
• CWE-330: Use of Insufficiently Random Values

A05: Injection

What it is

System flaws allowing attackers to insert malicious code or commands (SQL, NoSQL, OS commands, LDAP, etc.) into programs.

Impact on your system

• Data loss or corruption through SQL injection
• Complete database compromise
• Server takeover through command injection
• Cross-site scripting (XSS) attacks
• Information disclosure
• Denial of service

Notable CWEs

• CWE-89: SQL Injection
• CWE-78: OS Command Injection

A06: Insecure Design

What it is

Weaknesses in design representing different failures, expressed as missing or ineffective control design—architectural flaws rather than implementation bugs.

Impact on your system

• Weak password reset flows
• Missing authorization steps
• Flawed business logic allowing bypasses
• Inadequate threat modeling leading to blind spots
• Design patterns that fail under attack scenarios

Notable CWEs

• CWE-209: Generation of Error Messages Containing Sensitive Information
• CWE-522: Insufficiently Protected Credentials
• CWE-656: Reliance on Security Through Obscurity

A07: Authentication Failures

What it is

Vulnerabilities allowing attackers to trick systems into recognizing invalid or incorrect users as legitimate.

Impact on your system

• Account takeover and credential stuffing
• Session hijacking
• Brute force attacks succeeding
• Weak password recovery mechanisms exploited
• Multi-factor authentication bypass

Notable CWEs

• CWE-287: Improper Authentication
• CWE-306: Missing Authentication for Critical Function
• CWE-521: Weak Password Requirements

A08: Software or Data Integrity Failures

What it is

Code and infrastructure failing to protect against invalid or untrusted code/data being treated as trusted and valid.

Impact on your system

• Unsigned updates allowing malicious code injection
• Insecure deserialization leading to remote code execution
• CI/CD pipeline compromise
• Auto-update mechanisms exploited
• Tampered software artifacts

Notable CWEs

• CWE-345: Insufficient Verification of Data Authenticity
• CWE-346: Origin Validation Error
• CWE-347: Improper Verification of Cryptographic Signature

A09: Security Logging & Alerting Failures

What it is

Insufficient logging and monitoring with inadequate alerting, which makes rapid response difficult.

Impact on your system

• Attacks go undetected for extended periods
• Breach investigation becomes impossible
• Compliance violations from lack of audit trails
• Delayed incident response
• Inability to determine scope of compromise

Notable CWEs

• CWE-117: Improper Output Neutralization for Logs
• CWE-532: Insertion of Sensitive Information into Log File
• CWE-778: Insufficient Logging

A10: Mishandling of Exceptional Conditions

What it is

Programs failing to prevent, detect, and respond to unusual and unpredictable situations, which leads to crashes, unexpected behavior, or vulnerabilities.

Impact on your system

• Information disclosure through verbose error messages
• Denial of service from unhandled exceptions
• State corruption from improper error handling
• Race conditions exploited
• Systems failing open instead of closed
• Application crashes exposing sensitive data

Notable CWEs

• CWE-248: Uncaught Exception
• CWE-390: Detection of Error Condition Without Action
• CWE-391: Unchecked Error Condition

Prevention and remediation best practices

GitLab provides tools to enable you to not only quickly find and remediate vulnerabilities within the OWASP Top 10, but also to prevent them from making it into your production system. By following these best practices you can enhance and maintain your security posture:

Automated security scanning for all repositories

• Perform SAST Scanning to detect insecure design patterns like plaintext password storage, inadequate error handling, and missing encryption during code review, catching design flaws early in the development lifecycle.
• Perform Secret Detection to identify credentials in configuration files, environment variables, and code, preventing plaintext password storage and ensuring secrets are properly managed through GitLab's CI/CD variables with masking and encryption.
• Perform DAST Scanning to detect broken access control vulnerabilities
• Perform Dependency Scanning to scan project dependencies against vulnerability databases, identifying known CVEs in direct and transitive dependencies across multiple package managers (npm, pip, Maven, etc.).
• Perform Container Scanning to analyze Docker images for vulnerable base layers and packages, ensuring container supply chain security before deployment.
• Perform IaC Scanning to check your infrastructure definition files for known vulnerabilities.
• Leverage API Security Tools to secure and protect web APIs from unauthorized access, misuse, and attacks.
• Perform Web API Fuzz Testing to discover bugs and potential vulnerabilities that other QA processes might miss.

Understand your security posture

• Generate a software bill of materials (SBOM) for complete dependency visibility and compliance requirements.
• Leverage the Vulnerability Report to sort through and triage vulnerabilites via consolidated view of security vulnerabilities found in your codebase.
• Quickly take action on vulnerabilities using detailed remdiation guidance and risk assessment data.
• Use Security Iventory to visualize which assets you need to secure and understand the actions you need to take to improve security.
• Leverage Compliance Center to manage compliance standards adherence reporting, violations reporting, and compliance frameworks.

Set up prevention and maintain documentation

• Configure Security Policies to block merges or deployments when high-severity vulnerabilities are detected in dependencies, enforcing security standards automatically.
• Use Compliance Frameworks to enforce organizational security standards through automated policy checks that verify encryption requirements, credential management practices, and secure workflow implementations are followed.
• Use GitLab Wiki and repository documentation to maintain security design principles, approved patterns, and architectural decision records that guide developers toward secure-by-design implementations.
• Implement merge request approval rules requiring security architect review for features involving authentication, authorization, encryption, or sensitive data handling, ensuring design-level security validation.
• Create tests to verify input validation and allowlist approaches for file paths
• Use GitLab Issues and Epics to document security requirements and threat models during the design phase, creating a traceable record of security decisions and ensuring security considerations are addressed before implementation begins.

Leverage AI

• Use Code Suggestions for proactive guidance during development, suggesting secure design patterns like proper password hashing (bcrypt, Argon2), encrypted storage mechanisms, and appropriate error handling that doesn't leak sensitive information.
• Use Security Analyst Agent to review detected insecure design vulnerabilities in context, explaining the architectural implications, assessing risk based on your application's threat model, and providing remediation strategies that address root design flaws rather than just symptoms.
• Review your code using AI to help ensure consistent code review standards in your project.

Key takeaways for development teams

• Supply chain security is critical: With A03's addition and high-impact scores, securing your software supply chain is no longer optional. Implement SBOM tracking, dependency scanning, and integrity verification throughout your pipeline.
• Configuration matters more than ever: The rise to #2 shows that configuration-based security is now a primary attack vector. Automate configuration verification and implement IaC with security baked in.
• Traditional threats persist: While Injection and Cryptographic Failures dropped in ranking, they remain critical. Don't deprioritize them just because they've fallen on the list.
• Error handling is security: The new A10 category emphasizes that how your application handles failures is a security concern. Implement secure error handling from the start.
• Testing must evolve: The expanded CWE coverage (589 vs. 400 in 2021) means testing strategies must be comprehensive. Combine SAST, DAST, source code analysis, and manual penetration testing for effective coverage.

Explore our GitLab Security and Governance Solutions and security scanning documentation to start strengthening your security posture today.

In this article, we'll explore how GitLab's integrated security scanning capabilities combined with the GitLab Duo Security Analyst Agent can transform vulnerability management from a time-consuming manual process into an intelligent, efficient workflow.

💡 Join GitLab Transcend on February 10 to learn how agentic AI transforms software delivery. Hear from customers and discover how to jumpstart your own modernization journey. Register now.

What is vulnerability triaging?

Vulnerability triaging is the process of analyzing, prioritizing, and deciding how to address security findings discovered in your applications. Not all vulnerabilities are created equal — some represent critical risks requiring immediate attention, while others may be false positives or pose minimal threat in your specific context.

Traditional triaging involves:

• Reviewing scan results from multiple security tools
• Assessing severity based on CVSS scores and exploitability
• Understanding context such as whether vulnerable code is actually reachable
• Prioritizing remediation based on business impact and risk
• Tracking resolution through to deployment

This process becomes overwhelming when dealing with large codebases and frequent scans. GitLab addresses these challenges through integrated security scanning and AI-powered analysis.

How to add integrated security scanners in GitLab

GitLab provides built-in security scanners that integrate seamlessly into your CI/CD pipelines. These scanners run automatically during pipeline execution and populate GitLab's Vulnerability Report with findings from the default branch.

Available security scanners

GitLab offers the following security scanning capabilities:

• Static Application Security Testing (SAST): Analyzes source code for vulnerabilities
• Dependency Scanning: Identifies vulnerabilities in project dependencies
• Container Scanning: Scans Docker images for known vulnerabilities
• Dynamic Application Security Testing (DAST): Tests running applications for vulnerabilities
• Secret Detection: Finds accidentally committed secrets and credentials
• Infrastructure-as-Code (IaC) Scanning: Analyzes infrastructure as code for misconfigurations
• API Security Testing: Test web APIs to help discover bugs and potential security issues
• Web API Fuzzing: Passes unexpected values to API operation parameters to cause unexpected behavior and errors in the backend

Example: Adding SAST and Dependency Scanning

To enable security scanning, add the scanners to your .gitlab-ci.yml file.

In this example, we are including SAST and Dependency Scanning templates which automatically run those scanners on the test stage. Each scanner can be overwritten using variables (which differ for each scanner). For example, the SAST_EXCLUDED_PATHS variable tells SAST to skip the directories/files provided. Security jobs can be further overwritten using the GitLab Job Syntax.

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - test

variables:
  SAST_EXCLUDED_PATHS: "spec/, test/, tests/, tmp/"

Example: Adding Container Scanning

GitLab provides a built-in container registry where you can store container images for each GitLab project. To scan those containers for vulnerabilities, you can enable container scanning.

This example shows how a container is built and pushed in the build-container job running in the build stage and how it is then scanned in the same pipeline in the test stage:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

stages:
  - build
  - test

build-container:
  stage: build
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $IMAGE .
    - docker push $IMAGE

container_scanning:
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA

Once configured, these scanners execute automatically in your pipeline and report findings to the Vulnerability Report.

Note: Although not covered in this blog, in merge requests, scanners show the diff of vulnerabilities from a feature branch to the target branch. Additionally, granular security policies can be created to prevent vulnerable code from being merged (without approval) if vulnerabilities are detected, as well as force scanners to run, regardless of how the .gitlab-ci.yml is defined.

Triaging using the Vulnerability Report and Pages

After scanners run, GitLab aggregates all findings in centralized views that make triaging more manageable.

Accessing the Vulnerability Report

Navigate to Security & Compliance > Vulnerability Report in your project or group. This page displays all discovered vulnerabilities with key information:

• Severity levels (Critical, High, Medium, Low, Info)
• Status (Detected, Confirmed, Dismissed, Resolved)
• Scanner type that detected the vulnerability
• Affected files and lines of code
• Detection date and pipeline information

Filtering and organizing vulnerabilities

The Vulnerability Report provides powerful filtering options:

• Filter by severity, status, scanner, identifier, and reachability
• Group by severity, status, scanner, OWASP Top 10
• Search for specific CVEs or vulnerability names
• Sort by detection date or severity
• View trends over time with the security dashboard

Manual workflow triage

Traditional triaging in GitLab involves:

1. Reviewing each vulnerability by clicking into the detail page
2. Assessing the description and understand the potential impact
3. Examining the affected code through integrated links
4. Checking for existing fixes or patches in dependencies
5. Setting status (Confirm, Dismiss with reason, or create an issue)
6. Assigning ownership for remediation

This is an example of vulnerability data provided to allow for triage including the code flow:

When on the vulnerability data page, you can select Edit vulnerability to change its status as well as provide a reason. Then you can create an issue and assign ownership for remediation.

While this workflow is comprehensive, it requires security expertise and can be time-consuming when dealing with hundreds of findings. This is where GitLab Duo Security Analyst Agent, part of GitLab Duo Agent Platform, becomes invaluable.

About Security Analyst Agent and how to set it up

GitLab Duo Security Analyst Agent is an AI-powered tool that automates vulnerability analysis and triaging. The agent understands your application context, evaluates risk intelligently, and provides actionable recommendations.

What Security Analyst Agent does

The agent analyzes vulnerabilities by:

• Evaluating exploitability in your specific codebase context
• Assessing reachability to determine if vulnerable code paths are actually used
• Prioritizing based on risk rather than just CVSS scores
• Explaining vulnerabilities in clear, actionable language
• Recommending remediation steps specific to your application
• Reducing false positives through contextual analysis

Prerequisites

To use Security Analyst Agent, you need:

• GitLab Ultimate subscription with GitLab Duo Agent Platform enabled
• Security scanners configured in your project
• At least one vulnerability in your Vulnerability Report

Enabling Security Analyst Agent

Security Analyst Agent is a foundational agent. Unlike the general-purpose GitLab Duo agent, foundational agents understand the unique workflows, frameworks, and best practices of their specialized domains. Foundational agents can be accessed directly from your project without any additional configuration.

You can find Security Analyst Agent in the AI Catalog:

To dive in and see the details of the agent, such as its system prompt and tools:

1. Navigate to gitlab.com/explore/.
2. Select AI Catalog from the side tab.
3. Select Security Analyst Agent from the list.

The agent is integrated directly into your existing workflow without requiring additional configuration beyond the defined prerequistes.

Using Security Analyst Agent to find most critical vulnerabilities

Now let's explore how to leverage Security Analyst Agent to quickly identify and prioritize the vulnerabilities that matter most.

Starting an analysis

To start an analysis, navigate to your GitLab project (ensure it meets the prerequistes). Then you can open GitLab Duo Chat and select the Security Agent.

From the chat, select the model to use with the agent and make sure to enable Agentic mode.

A chat will open where you can engage with Security Analyst Agent by using the agent's conversational interface. This agent can perform:

• Vulnerability triage: Analyze and prioritize security findings across different scan types.
• Risk assessment: Evaluate the severity, exploitability, and business impact of vulnerabilities.
• False positive identification: Distinguish genuine threats from benign findings.
• Compliance management: Understand regulatory requirements and remediation timelines.
• Security reporting: Generate summaries of security posture and remediation progress.
• Remediation planning: Create actionable plans to address security vulnerabilities.
• Security workflow automation: Streamline repetitive security assessment tasks.

Additionally, these are the tools which Security Analyst Agent has at its disposal:

For example, I can ask "What are the most critical vulnerabilities and which vulnerabilities should I address first?" to make it easy to determine what is important. The agent will respond as follows:

Example queries for effective triaging

Here are powerful queries to use with the Security Analyst Agent:

Identify critical issues:

"Show me vulnerabilities that are actively exploitable in our production code"

Focus on reachable vulnerabilities:

"Which high-severity vulnerabilities are in code paths that are actually executed?"

Understand dependencies:

"What are the most critical dependency vulnerabilities and are patches available?"

Get remediation guidance:

"Explain how to fix the SQL injection vulnerability in user authentication"

You can also directly assign developers to vulnerabilities.

Understanding agent recommendations

When Security Analyst Agent analyzes vulnerabilities, it provides:

Risk assessment: The agent explains why a vulnerability is critical beyond just the CVSS score, considering your application's specific architecture and usage patterns.

Exploitability analysis: It determines whether vulnerable code is actually reachable and exploitable in your environment, helping filter out theoretical risks.

Remediation steps: The agent provides specific, actionable guidance on how to fix vulnerabilities, including code examples when appropriate.

Priority ranking: Instead of overwhelming you with hundreds of findings, the agent helps identify the top issues that should be addressed first.

Real-world workflow example

Here's how a typical triaging session might look:

1. Start with the big picture: "Analyze the security posture of this project and highlight the top 5 most critical vulnerabilities."
2. Dive into specifics: For each critical vulnerability identified, ask "Is this vulnerability actually exploitable in our application?"
3. Plan remediation: "What's the recommended fix for this SQL injection issue, and are there any side effects to consider?"
4. Track progress: After addressing critical issues, ask "What vulnerabilities should I prioritize next?"

Benefits of agent-assisted triaging

Using Security Analyst Agent transforms vulnerability management:

• Time savings: Reduce hours of manual analysis to minutes of guided review
• Better prioritization: Focus on vulnerabilities that actually pose risk to your specific application
• Knowledge transfer: Learn security best practices through agent explanations
• Consistent standards: Apply consistent triaging logic across all projects
• Reduced alert fatigue: Filter noise and false positives effectively

Get started today

Vulnerability triaging doesn't have to be an overwhelming manual process. By combining GitLab's integrated security scanners with GitLab Duo Security Analyst Agent, development teams can quickly identify and prioritize the vulnerabilities that truly matter.

The agent's ability to understand context, assess real risk, and provide actionable guidance transforms security scanning from a compliance checkbox into a practical, efficient part of your development workflow. Instead of drowning in hundreds of vulnerability reports, you can focus your energy on addressing the issues that actually threaten your application's security.

Start by enabling security scanners in your GitLab pipelines, then leverage Security Analyst Agent to make intelligent, informed decisions about vulnerability remediation. Your future self — and your security team — will thank you.

Ready to get started? Check out the GitLab Duo Agent Platform documentation and security scanning documentation to begin transforming your vulnerability management workflow today.

Our comprehensive study of 13 agentic tool users from companies of different sizes identified that adoption happens through "micro-inflection points," subtle design choices and interaction patterns that gradually build the trust needed for developers to rely on AI agents in their daily workflows. These findings offer crucial insights for organizations implementing AI agents in their DevSecOps processes.

Traditional software tools earn trust through predictable behavior and consistent performance. AI agents, however, operate with a degree of autonomy that introduces uncertainty. Our research shows that users don't commit to AI tools through single "aha" moments. Instead, they develop trust through accumulated positive micro-interactions that demonstrate the agent understands their context, respects their guardrails, and enhances rather than disrupts their workflows.

This incremental trust-building is especially critical in DevSecOps environments where mistakes can impact production systems, customer data, and business operations. Each small interaction either reinforces or erodes the foundation of trust necessary for productive human-AI collaboration.

Four pillars of trust in AI agents

Our research identified four key categories of micro-inflection points that build user trust:

1. Safeguarding actions

Trust begins with safety. Users need confidence that AI agents won't cause irreversible damage to their systems. Essential safeguards include:

• Confirmation dialogs for critical changes: Before executing operations that could affect production systems or delete data, agents should pause and seek explicit approval
• Rollback capabilities: Users must know they can undo agent actions if something goes wrong
• Secure boundaries: For organizations with compliance requirements, agents must respect data residency and security policies without constant manual oversight

2. Providing transparency

Users can't trust what they can't understand. Effective AI agents maintain visibility through:

• Real-time progress updates: Especially crucial when user attention might be needed
• Action explanations: Before executing high-stakes operations, agents should clearly communicate their planned approach
• Clear error handling: When issues arise, users need immediate alerts with understandable error messages and recovery paths

This transparency transforms AI agents from mysterious black boxes into comprehensible partners whose logic users can follow and verify.

3. Remembering context

Nothing erodes trust faster than having to repeatedly teach an AI agent the same information. Trust-building agents demonstrate memory through:

• Preference retention: Accepting and applying user feedback about coding styles, deployment patterns, or workflow preferences
• Context awareness: Remembering previous instructions and project-specific requirements
• Adaptive learning: Evolving based on user corrections without requiring explicit reprogramming

Our research participants consistently highlighted frustration with tools that couldn't remember basic preferences, forcing them to provide the same guidance repeatedly.

4. Anticipating needs

Trust emerges when AI agents proactively support user workflows. Agents could support the user in the following ways:

• Pattern recognition: Learning user routines and predicting tasks based on time of day or project context
• Intelligent agent selection: Automatically recognizing which specialized agents are most relevant for specific tasks
• Environment analysis: Understanding coding environments, dependencies, and project structures without explicit configuration

These anticipatory capabilities transform AI agents from reactive tools into proactive partners that reduce cognitive load and streamline development processes.

Implementing trust-building features

For organizations deploying AI agents, our research suggests several practical implementations:

• Start with low-risk environments: Allow users to build trust gradually by beginning with non-critical tasks. As confidence grows through positive micro-interactions, users naturally expand their reliance on AI capabilities.
• Design for continuous orchestration of agents, which includes intervention: Unlike traditional automation, AI agents should know when to pause and seek human input. This intervention assures users they maintain ultimate control while benefiting from AI efficiency. Agents also need autonomy level controls so that they can calibrate autonomy for different types of action, in different contexts.
• Maintain audit trails: Every agent action should be traceable, allowing users to understand not just what happened, but why the agent made specific decisions.
• Personalize the experience: Agents that adapt to individual user preferences and team workflows create stronger trust bonds than one-size-fits-all solutions.

The compounding impact of trust

Our findings reveal that trust in AI agents follows a compound growth pattern. Each positive micro-interaction makes users slightly more willing to rely on the agent for the next task. Over time, these small trust deposits accumulate into deep confidence that transforms AI agents from experimental tools into essential development partners.

This trust-building process is delicate – a single significant failure can erase weeks of accumulated confidence. That's why consistency in these micro-inflection points is crucial. Every interaction matters.

Supporting these micro-inflection points is a cornerstone of having software teams and their AI agents collaborate at enterprise scale with intelligent orchestration.

Next steps

Building trust in AI agents requires intentional design focused on user needs and concerns.

Organizations implementing agentic tools should:

• Audit their AI agents for trust-building micro-interactions
• Prioritize transparency and user control in agent design
• Invest in memory and learning capabilities that reduce user friction
• Create clear escalation paths for when agents encounter uncertainty

Key takeaways

• Trust in AI agents builds incrementally through micro-inflection points rather than breakthrough moments
• Four key categories drive trust: safeguarding actions, providing transparency, remembering context, and anticipating needs
• Small design choices in AI interactions have compound effects on user adoption and long-term reliance
• Organizations must intentionally design for trust through consistent, positive micro-interactions

Help us learn what matters to you: Your experiences and insights are invaluable in shaping how we design and improve agentic interactions. Join our research panel to participate in upcoming studies.

Explore GitLab’s agents in action: GitLab Duo Agent Platform extends AI's speed beyond just coding to your entire software lifecycle. With your workflows defining the rules, your context maintaining organizational knowledge, and your guardrails ensuring control, teams can orchestrate while agents execute across the SDLC. Visit the GitLab Duo Agent Platform site to discover how intelligent orchestration can transform your DevSecOps journey.

Whether you're exploring agents for the first time or looking to optimize your existing implementations, we believe that understanding and designing for trust is the key to successful adoption. Let's build that future together!

GitLab Duo Agent Platform's GA is designed to introduce a unified, governed way for organizations to orchestrate agentic AI across their software lifecycle. With foundational agents, custom agents, and automated flows working together inside GitLab, teams will be able to adopt agentic workflows that help accelerate work while staying aligned to organizational standards. At GA, we also plan to include expanded AI Catalog functionality, stronger administrative controls, reliability enhancements, and a flexible usage-based billing model designed to provide flexibility for agentic AI usage across many roles and projects.

The 18.7 release adds important building blocks to support GitLab Duo Agent Platform’s upcoming GA. New automation features, stronger governance controls, and enhancements across security and pipeline authoring help teams streamline their work and lay the groundwork for an even more reliable agentic experience in 18.8 and beyond.

On February 10, 2026, we will host a global event that brings our vision of GitLab as the intelligent orchestration platform to life, where software teams and their AI agents stay in flow. You will hear how customers are tackling the AI paradox in software delivery, see intelligent orchestration in action across DevSecOps workflows, and get a jump start on what this next chapter means for your own modernization journey. Reserve your spot to see how GitLab’s next chapter comes together.

Here's what is new in 18.7:

GitLab Duo Agent Platform

As more teams bring AI into their development and security workflows, GitLab continues to focus on making adoption powerful and predictable. The updates in 18.7 strengthen the foundation for guided, governed AI experiences that will become fully realized when GitLab Duo Agent Platform reaches GA, as planned for 18.8.

Custom Flows

Custom Flows introduce a new way for teams to automate multistep workflows using YAML-defined sequences that orchestrate agents to complete repetitive development tasks. Custom Flows help eliminate manual effort for scenarios that follow predictable patterns — such as diagnosing and fixing failed pipelines, updating dependencies, or running policy checks when reviewers are assigned. Instead of handling these tasks interactively, teams can define flows that automatically trigger from GitLab events like mentions and assignments. This capability supports developers who want tailored automations for their own projects, as well as administrators who need consistent, organization-wide workflows for compliance and operational efficiency.

SAST False Positive Detection Flow

AI-powered false positive management for Static Application Security Testing (SAST) works to introduce a faster, more accurate way for teams to assess and act on potential false positives. GitLab now uses AI to help identify which findings may be false positives earlier in the review process, reducing the time developers and security teams spend triaging noise. Users can see an overview of how many vulnerabilities may warrant review, track their analysis progress, and dismiss false positives directly from the vulnerability report. Once dismissed, these findings stay dismissed across future pipelines and continue to reflect the correct dismissed status in merge request widgets. This assists with a consistent and reliable signal as code evolves and helps teams focus on real risks, streamline remediation, and cut down on unnecessary security review cycles.

Custom Agent Versioning

Custom Agent Versioning gives teams control over which version of an AI Catalog agent or flow they use in their projects. Instead of automatically inheriting updates from the creator, GitLab now pins each project to the exact version of the agent and flow enabled for the team. This helps prevent breaking changes, security risks, and workflow disruptions, especially in production pipelines or security-sensitive environments. Teams can upgrade when they choose, test new versions in staging before promoting them, and clearly see which version is running to avoid confusion. It also enables safer customization by letting users fork an agent at a specific version and evolve it independently. The result is a more predictable, stable, and secure way to adopt custom agents across development and CI/CD workflows.

New Settings for Foundational Agents

Admins now have the ability to turn foundational agents on or off, giving teams greater control over how AI is used across their organization. With this update, admins can enable or disable these agents at the instance or group level, choose default availability, and control how new agents are introduced while still providing access to the core agent. The result is more flexible AI adoption with the governance, consistency, and control enterprise teams need.

Data Analyst Agent

The Data Analyst Agent gives teams a simple way to explore GitLab data using natural language, automatically generating GitLab Query Language (GLQL) queries, retrieving relevant information, and presenting clear insights without requiring dashboards or manual query writing. Users can analyze work volume, understand team activity, identify development trends, monitor issue and merge request status, and quickly discover work items by labels, authors, milestones, or other criteria. It also creates reusable GLQL queries that can be embedded anywhere GitLab Flavored Markdown is supported, making it easier to share findings and answer everyday questions about project activity directly within GitLab.

Core DevOps

Innovations with GitLab Duo Agent Platform are most effective when the underlying DevOps experience is equally streamlined and dependable. The improvements in 18.7 to core GitLab workflows help ensure that automation, pipelines, and reusable components operate with highest levels of clarity and consistency.

Dynamic Input Selection in GitLab Pipelines

Dynamic Input Selection in GitLab Pipelines introduces a more intuitive way to trigger pipelines through dynamic, cascading dropdown fields in the GitLab UI. This allows cross-functional teams to run pipelines without editing YAML or relying on developers, while ensuring that only valid, context-aware options are shown as they make selections. The feature supports complex workflows, assists with reducing misconfigured runs, and removes a key blocker for teams migrating from Jenkins Active Choice, helping organizations standardize their CI/CD processes entirely on GitLab.

CI/CD Catalog Publication Guardrails

Administrators of GitLab Self-Managed and GitLab Dedicated can now control which projects are allowed to publish components to the CI/CD Catalog. This new setting helps organizations maintain a curated, trusted ecosystem by ensuring only approved sources can add components. It strengthens governance for enterprise customers who want to preserve control over their CI/CD landscape while still enabling teams to discover and reuse sanctioned components.

Platform Security

As automation and pipeline workflows become more efficient, it remains essential that teams maintain strong visibility and control over how code changes meet organizational standards. The Platform Security update in 18.7 reinforces this balance by giving teams a more flexible way to introduce and refine policy guidance without interrupting delivery.

Warn Mode for MR Approval Policies

Warn Mode for MR Approval Policies allows violations to be surfaced without blocking merges, giving teams a lower-friction way to introduce or adjust policies while assessing their impact before full enforcement. It also supports a guidance-based approach, where developers can review or dismiss violations with all actions audited to help AppSec refine policy effectiveness. Beyond merge requests, violations already present or introduced into the default branch now appear with a visual badge in the Vulnerability Report, making it easier to identify and prioritize issues that break policy.

Elevating how teams build, secure, and deliver software

The 18.7 release is about strengthening the foundation for reliable, flexible automation across your GitLab environment.

GitLab Premium and Ultimate users can start using these capabilities today on GitLab.com and self-managed environments, with availability for GitLab Dedicated customers planned for next month.

GitLab Duo Agent Platform is currently in beta — enable beta and experimental features to experience how full-context AI can transform the way your teams build software. New to GitLab? Start your free trial and see why the future of development is AI-powered, secure, and orchestrated through the world’s most comprehensive DevSecOps platform.

Note: Platform capabilities that are in beta are available as part of the GitLab Beta program. They are free to use during the beta period, and when generally available, they will be made available with a paid add-on option for GitLab Duo Agent Platform.

Stay up to date with GitLab

To make sure you’re getting the latest features, security updates, and performance improvements, we recommend keeping your GitLab instance up to date. The following resources can help you plan and complete your upgrade:

• Upgrade Path Tool – enter your current version and see the exact upgrade steps for your instance
• Upgrade Documentation – detailed guides for each supported version, including requirements, step-by-step instructions, and best practices

By upgrading regularly, you’ll ensure your team benefits from the newest GitLab capabilities and remains secure and supported.

For organizations that want a hands-off approach, consider GitLab’s Managed Maintenance service. With Managed Maintenance, your team stays focused on innovation while GitLab experts keep your Self-Managed instance reliably upgraded, secure, and ready to lead in DevSecOps. Ask your account manager for more information.

This blog post contains "forward‑looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in these statements are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to differ materially. Further information on these risks and other factors is included under the caption "Risk Factors" in our filings with the SEC. We do not undertake any obligation to update or revise these statements after the date of this blog post, except as required by law.

The problem was that back in 2015 learning materials were scattered across a dozen different tools, like the Blackboard platform, customized Wiki pages, personal websites, and shared Google Docs. On top of that, students were left to choose their own tools for coursework. All of this led to a constant state of confusion. As if that weren’t enough, few of these disparate systems provided proper version history or reliable issue tracking.

This all-too-familiar lack of standardization was creating massive headaches for both lecturers and students.

"Information was fragmented across multiple files, multiple formats — sitting often on file systems, not necessarily under good version control," says Quilty, who is now program director for engineering at the New Zealand university.

After consolidating on GitLab Self-Managed Ultimate in 2017, Victoria University saw 483% growth in student users by 2021. They also added 35 GitLab-enabled courses and now host more than 8,000 projects. The university also deployed GitLab as a unified DevSecOps platform for academic coursework, replacing what had become a fragmented and complicated toolchain. More importantly, they've redirected faculty time from administration to actual education.

This pattern isn't unique. Across higher education, IT teams struggle with the same tool sprawl — multiple tools and incompatible systems that lead to hours lost to context switching and administering disparate and costly tools. Simplifying how teams build and deliver software is the answer to this widespread problem.

The teams making real progress are reducing complexity instead of creating it.

Facing the complexity problem

Higher education IT teams are faced with managing aging infrastructure, legacy systems, and resource constraints that force difficult tradeoffs with every technology decision they have to make.

Development workflows exist in silos since many departments use different version control systems, CI/CD tools, and security scanners. That means teams struggle to collaborate on cross-functional projects because they're working with incompatible toolchains and a lack of shared visibility.

Legacy technology compounds these problems. Many institutions run development environments that are outdated and incompatible with modern DevSecOps practices. But replacing them isn't realistic when budgets are tight and IT staff are already stretched thin.

To take on these problems, institutions need to modernize, but because of administrative processes, budget constraints, and the reality of managing critical systems, they have to do it in phases, not overnight. For instance, some workloads may move to the cloud while others remain on-premises. A research department, for instance, might shift large datasets off-site while central IT functions stay in-house.

Organizations need the flexibility to be able to do that, and that’s what they get with GitLab Ultimate, the enterprise-ready DevSecOps platform that delivers the same capabilities whether you deploy on GitLab.com or self-host on your own infrastructure: on-premises servers, data centers, or cloud providers, including AWS, GCP, Azure, or even multi-cloud. Self-hosted deployments include all features, including air-gapped support for sensitive environments.

This means, with GitLab Ultimate, institutions can modernize on their own timeline without abandoning governance requirements or forcing wholesale infrastructure changes.

Moving from manual compliance to automated enforcement

IT teams also have to work with regulatory mandates and that adds another layer of complexity. Student privacy requirements, research grant stipulations, and institutional security policies all demand audit trails and governance controls. For institutions supporting U.S. Department of Defense research or contractors, CMMC 2.0 compliance requirements add stringent cybersecurity controls based on NIST SP 800-171. Meeting these obligations while modernizing traditionally meant manually documenting everything — a process that didn't scale easily.

In conversations with team members from educational institutions at events like EDUCAUSE we've learned it's all too common for dedicated compliance staff to spend the majority of their time gathering evidence for audits, instead of actually improving security. Not building better software. Just proving that policies were followed. This administrative burden extends to development teams, as well. According to Forrester Consulting’s study The Total Economic Impact™ of GitLab Ultimate, which was commissioned by GitLab, software development team members save 90% of the time previously spent on annual auditing and compliance efforts after adopting GitLab's end-to-end platform.

GitLab saves all of that time and effort by enabling automation through custom compliance frameworks that map multiple, overlapping controls from different standards and regulations into a single, unified structure. They then cascade automatically from the instance level to all subgroups and projects, ensuring consistent enforcement without manual configuration.

Pipeline execution policies enforce compliance directly in CI/CD pipelines where development work happens. Rather than operating disparate governance, risk, and compliance tools, compliance validation occurs automatically as code moves through the pipeline. To make all of this easier, GitLab’s Compliance Center provides oversight through dashboards that show where projects fail to meet framework requirements — whether due to failed security scans or other control gaps.

Complete audit trails also capture every code change with timestamps and attribution. And policy-as-code enforces security rules that can't be bypassed. When an auditor asks who changed what code and when, you have the answer instantly — without weeks spent manually gathering evidence. Every pipeline execution automatically generates compliance documentation, enabling teams to instantly prove adherence to requirements and quickly identify any control gaps.

AI: Governance over guesswork

This visibility across the entire security posture matters now more than ever. Artificial intelligence (AI) is changing how software gets built with many teams testing AI code generation tools to enable them to move faster. But higher education institutions are uniquely positioned to lead on a critical question: How do you adopt AI responsibly?

Cornell University and Cal State Fullerton already are developing ethical frameworks for AI use, asking essential questions about transparency, explainability, and bias. The University of California San Diego is adapting its existing data governance framework — originally built for analytics platforms — to secure its on-premises AI assistants, ensuring the same access controls and approval workflows that protect institutional data now extend to AI-driven tools. Educational institutions understand that AI adoption requires more than just enabling new tools — it requires proper oversight and protection.

The problem isn't AI itself. It's AI without guardrails integrated into development workflows. Most organizations haven't considered what secure AI development looks like — what governance is needed for AI-generated code, how to maintain visibility into what gets committed to repositories, or how to ensure the same rigor applies whether code comes from a human or AI.

This is exactly where platform-level AI integration becomes essential. GitLab Duo Agent Platform goes beyond fragmented AI tools and coding assistants alone to provide an orchestration layer that integrates AI across the entire software development lifecycle.

AI agents handle planning, testing, security remediation, and deployment tasks, while working alongside developers rather than just generating code on command. When security scans identify vulnerabilities, for example, AI agents explain findings, assess risks, and prioritize issues to reduce noise and accelerate mean time to recovery (MTTR). This platform approach ensures AI accelerates development without compromising the security standards and governance controls institutions require.

The benefits extend beyond technical capabilities. Through GitLab's AI Transparency Center, institutions get clear documentation of data privacy protections, AI ethics principles, and vendor selection processes. This means schools can adopt AI tools while maintaining the governance standards they're developing institution-wide.

AI will change how we build software. The question is whether institutions can do it with the same responsible approach they're bringing to AI adoption across campus.

See results in your education environment

The universities making real progress aren't adding more tools to manage complexity. They're consolidating onto platforms that prevent problems rather than just detecting them, creating visibility and automation across their development workflows.

Forrester's The Total Economic Impact™ of GitLab Ultimate study found that a composite organization representative of interviewed customers reclaimed up to 305 hours per developer year through automated testing within a single interface, eliminating constant context switching between tools. New hires ramped to full productivity 75% faster — in 1.5 weeks instead of 1.5 months. Teams spend their time building rather than maintaining fragmented toolchains.

Your institution can achieve similar results. Learn more about how GitLab Ultimate can help your institution deliver secure software faster while meeting compliance requirements. Talk to our team about platform approaches for higher education IT.

The unique challenge of the Japanese market

Japan represents one of the world's largest economies and is a critical market for enterprise software. However, it also presents a distinctive challenge: despite its technological sophistication and massive developer community, English proficiency remains a significant barrier for many users.

Japan's developers and DevSecOps teams often face challenges with English-only documentation, as indicated by the country's ranking on the EF English Proficiency Index. This language barrier can significantly impact the speed of learning and ultimately influence the decision to evaluate, adopt, and champion a platform within Japanese organizations.

We've heard directly from our Japanese customers and partners that English-only documentation wasn't merely an inconvenience, it was a barrier preventing them from getting the most out of GitLab. The impact rippled through every stage of the user journey: From initial evaluation where teams struggled to assess GitLab's capabilities, to daily operations where finding solutions took longer than necessary, to staying current with new features and best practices.

In a market as competitive and mature as in Japan, this language barrier directly affected GitLab's market penetration. When Japanese companies evaluate enterprise software, the availability of comprehensive Japanese documentation signals long-term commitment to the market. It demonstrates that a provider isn't just making a token effort, but is genuinely invested in supporting Japanese users throughout their entire journey.

To address this challenge and demonstrate our commitment to the Japanese market, we built localization infrastructure from the ground up, integrating with how we create and maintain documentation at GitLab.

Localization built on docs-as-code principles

GitLab's documentation is treated like any other code contribution, residing alongside product code in GitLab projects and managed via merge requests. This system ensures documentation is version-controlled, collaboratively reviewed, and automatically tested through CI/CD pipelines, which includes checks for issues with language, formatting, and links. Both the English and Japanese documentation sites are dynamically generated using the Hugo static site generator and deployed after merging changes, guaranteeing users always access the latest information.

The documentation is extensive and comprehensive, drawing content from various source projects, including GitLab, GitLab Runner, Omnibus GitLab, GitLab Charts, GitLab Operator, and GitLab CLI (glab) (see architecture for details). This sheer scale and rapid update velocity presented a significant localization challenge. To keep pace with the continuous evolution of these source English projects, we had to design a localization infrastructure for our GitLab product documentation that could handle these unique complexities and provide an enterprise-grade solution for a fully localized site, all while adhering to our CI/CD pipeline requirements.

How we localized GitLab Documentation

For our initial Japanese localization, we adopted a strategy of integrating new folders within our existing English content structure. Specifically, we introduced doc-locale/ja-jp folders within each project that stores source Markdown files. This architecture keeps the translations right alongside their source content while maintaining a clear organizational separation. Not only that, but it also enables us to apply the same robust version control, established review and collaboration workflows, and even some of the automated quality checks used for our English documentation to the translated content.

This internationalization infrastructure built for Japanese documentation provides a scalable foundation for future language expansion. With the architecture, tooling, and processes now in place, we are well-positioned to support additional languages as we continue our commitment to making GitLab accessible to users worldwide.

An AI-assisted translation workflow that balances speed and quality

We adopted a strategic, phased approach to processing the content through translation, prioritizing pages based on their English-language page views. The highest-traffic pages underwent AI translation first, followed by comprehensive human linguistic review, and we intentionally paused subsequent phases until these priority pages completed the full human review cycle. This deliberate sequencing allowed us to build a robust, curated translation memory and termbase from our most important content. These linguistic assets accelerated and improved quality across all remaining content. In parallel, this initial phase served as our testing ground on the technical infrastructure on the GitLab side. We used it to iterate and reinforce our CI/CD pipelines, refine our translation and post-editing AI scripts, and solidify our Translation MR review process.

To provide our international users with the most current documentation while guaranteeing high-quality translated content, we implemented an AI-assisted translation workflow with human post-editing, consisting of:

• Phase 1: AI-powered translation. We built a custom AI translation system enriched with GitLab-specific context including style guides, GitLab UI content translations, terminology databases, and original file context. This system intelligently handles GitLab's specialized markdown syntax (GLFM) and protects elements like placeholder variables, alert boxes, Hugo shortcodes, and GitLab-specific references that standard translation tools can't process out of the box.
• Phase 2: Human linguistic review. Professional Japanese translators specialized in technical content then review and refine the AI translations. They work with GitLab's Japanese style guide, translation memory, and terminology database to ensure accuracy, natural language flow, and cultural appropriateness. These human-reviewed translations progressively replace the AI versions on the site.

Technical challenges and solutions

Localizing GitLab's extensive documentation, while maintaining our docs-as-code principles and CI/CD-driven publishing workflow, required significant technical innovation. The challenges extended beyond translation itself: we needed to preserve complex markdown syntax, maintain automated testing standards, ensure seamless content fallbacks, and create sustainable processes for continuous updates across multiple source projects.

The English markdown file syntax complexity led us to developing custom code and regex in our Translation Management System (TMS) to protect codeblocks, URLs, and other functional elements that should not be exposed for translation.

Due to the dynamics of how the English content is generated, we established an English fallback mechanism. Essentially, when the Japanese translation is not ready yet, the localized site seamlessly displays English content with translated navigation and UI, preventing 404s and maintaining language context via Hugo’s rendering system.

We enhanced the localized navigation and linking so that it adjusts dynamically and would persist the locale. We added anchor IDs in the translated files by pre-processing the English file before it’s sent for translation. That improves the experience for people navigating to a docs page from a link. The consistent anchor ID means they can change to either language and still land in the correct place in the page.

We also extended CI/CD pipelines to test localized content in Translation MRs following the same quality standards as the English docs. It allows us to catch invalid Hugo shortcodes, spaces inside links, or bare URLs. It also identifies orphaned files and redirects files with no target files. You can see the jobs that run on the MRs containing translated documentation on the GitLab project .gitlab/ci/docs.gitlab-ci.yml file.

A centralized translation request system orchestrates the workflow, monitors the English files, identifies new and updated content, routes files for translation, automatically creates translation merge requests, tracks file status in translation requests and maintains an audit trail. To get docs translated we processed 430 Translation MRs with files ranging from 1-10 in each Translation MR.

The result is a Japanese documentation experience that stays synchronized with English content updates, giving users faster access to critical information. Users can discover and navigate content fully in their language, with English appearing only for content that’s still in translation. They can trust GitLab’s quality standards while accessing the latest features quickly. All of this creates a sustainable, scalable foundation for future languages and documentation growth.

Learn more about all the technical details in our GitLab Product Documentation Handbook page.

Visit our Japanese docs site

Whether you're a longtime GitLab user or just getting started, we hope this localized documentation makes your DevSecOps journey smoother and more accessible.

This is just the beginning of our localization efforts, and your feedback is invaluable in helping us improve. If you notice any translation issues, have suggestions for improvement, or simply want to share your experience using the Japanese documentation, please don't hesitate to reach out. You can provide comments in our feedback issue.

As we continue evolving this localization infrastructure, our immediate priorities include enhancing the search experience for Japanese users, and accelerating our continuous localization workflow to minimize the time gap between English updates and their Japanese translations. Thank you to our Japanese community for your continued support and patience as we work to serve you better. We're committed to making GitLab the best DevSecOps platform for Japanese teams, and comprehensive Japanese documentation is a crucial step in that journey.

Start exploring today at docs.gitlab.com/ja-jp!