GitLab 18.5: Intelligence that moves software development forward

Software development teams are drowning in noise. Thousands of vulnerabilities flood security dashboards, but only a fraction pose real risk. Developers context-switch between planning backlogs, triaging security findings, reviewing code, and responding to CI/CD failures — losing hours to manual work. GitLab 18.5 calms this chaos.

At the heart of this release is a valuable improvement in overall usability of GitLab and how AI integrates into your user experience. A new panel-based UI makes it easier to see data in context, and allows GitLab Duo Chat to be persistently visible across the platform, wherever it is needed. Purpose-built agents tackle vulnerability triage and backlog management, and popular AI tools integrate with agentic workflows even more seamlessly than before. We’ve also extended our market-leading security capabilities to help you better identify exploitable vulnerabilities versus theoretical ones, distinguish active credentials from expired ones, and scan only changed code to keep developers in flow.

What’s new in 18.5

18.5 represents our biggest release so far this year — watch our introduction to the release, and read more details below.

Modern user experience with quick access to GitLab Duo everywhere

GitLab 18.5 delivers a modernized user experience with a more intuitive interface driven by a new panel-based layout.

With panels, key information appears side by side so that you can work contextually, without losing your place. For example, when you click on an issue in the issues list, its details automatically open in a side panel. You can also launch the GitLab Duo panel on the right, bringing Duo wherever you are in GitLab. This lets you ask contextual questions or give instructions, right alongside your work.

Several usability improvements make navigation easier. The global search box now appears at the top center for improved accessibility. Global navigation elements, including Issues, Merge Requests, To-Dos, and your avatar have moved to the top right. Additionally, the left sidebar is now collapsible and expandable, giving you more control over your workspace.

Teams using experimental and GitLab Duo beta features will be the first to receive the new interface, followed by all GitLab.com users who will be able to turn this experience on using the toggle located under your user icon. To learn more about this feature, reference our documentation here. Please share your feedback or report any issues here, you're helping us shape a better GitLab!

Updates to GitLab Duo Agent Platform

Security Analyst Agent: Transform manual vulnerability triage into intelligent automation

GitLab Duo Security Analyst Agent automates vulnerability management workflows through AI-powered analysis, helping transform hours of manual triage into intelligent automation. Building on the Vulnerability Management Tools available through GitLab Duo Agentic Chat, Security Analyst Agent orchestrates multiple tools, applying security policies, and creating custom flows for recurring workflows automatically.

Security teams can access enriched vulnerability data, including CVE details, static reachability analysis, and code flow information, while executing operations like dismissing false positives, confirming threats, adjusting severity levels, and creating linked issues for remediation — all through conversational AI. The agent reduces repetitive clicking through vulnerability dashboards and replaces custom scripts with simple natural language commands.

For example, when a security scan reveals dozens of vulnerabilities, simply prompt: "Dismiss vulnerabilities with reachable=FALSE and create issues for critical findings." Security Analyst Agent analyzes reachability data, applies security policies, and completes bulk operations in moments — helping decrease work that would otherwise take hours.

While individual Vulnerability Management Tools can be accessed directly through Agentic Chat for specific tasks, Security Analyst Agent orchestrates these tools intelligently and automates complex multi-step workflows. Note that Vulnerability Management Tools are available through Agentic Chat on GitLab Self-managed and GitLab.com instances, and Security Analyst Agent is available on GitLab.com only for 18.5, while availability in Self-managed and Dedicated environments will come with our next release. Watch this demo:

GitLab Duo Planner: Turn backlog chaos into strategic clarity

Managing complex software delivery requires constant context-switching between planning tasks. GitLab Duo Planner addresses the real-world planning challenges we see teams face every day. Duo Planner acts as your teammate with awareness of your project context, including how you manage issues, epics, and merge requests. Unlike generic AI assistants, it's purpose-built with deep knowledge of GitLab's planning workflows coupled with Agile and prioritization frameworks to help you balance effort, risk, and strategic alignment.

GitLab Duo Planner can turn vague ideas into structured planning hierarchies, identify stale backlog items, and draft executive updates. For example, when refining your backlog with hundreds of issues accumulated over months, simply prompt: "Identify stale backlog items and suggest priorities." Within seconds, you'll receive a structured summary showing issues without recent activity, items missing key details, duplicate work, and recommended priorities based on labels and milestones, complete with actionable recommendations.

For teams managing complex roadmaps, the Planner aims to eliminate hours of manual analysis and context-switching, helping Product Managers and engineering leads make faster, more informed decisions. As of 18.5, GitLab Duo Planner is currently “read-only,” meaning that it can analyze, plan, and suggest, but cannot yet take direct action to modify anything. Please see our documentation for more information.

Extensible Agent Catalog: Popular AI tools as native GitLab agents

GitLab 18.5 introduces popular AI agents directly into the AI Catalog, making external tools like Claude, OpenAI Codex, Google Gemini CLI, Amazon Q Developer, and OpenCode available as native GitLab agents. Users can now discover, configure, and deploy these agents through the same unified catalog interface used for GitLab's built-in agents, with automatic syncing of foundational agents across organization catalogs.

This eliminates the complexity of manual agent setup by providing a point-and-click catalog experience while maintaining enterprise-grade security through GitLab's authentication and audit systems. GitLab Duo Enterprise subscriptions now include built-in usage of Claude and Codex within GitLab, allowing you to use your existing GitLab subscription for these tools without requiring separate API keys or additional billing setup. Other agents may still require separate subscriptions and configuration while we finalize our integration plans.

Self-hosted GitLab Duo Agent Platform (Beta): Address data sovereignty requirements without sacrificing AI power

GitLab 18.5 moves GitLab Duo Agent Platform's self-hosted capabilities from experimental to beta, enabling organizations to execute AI agents and flows entirely within their own infrastructure — critical for regulated industries and data sovereignty requirements. The beta release includes improved timeout configurations and AI Gateway settings, allowing teams to use AI agents for code reviews, bug fixes, and feature implementations, while providing enterprise-grade security for sensitive code.

Smarter, faster security: Prioritize real risks and keep developers in the flow

GitLab 18.5 introduces new application security capabilities that help teams focus on exploitable risk, reduce noise, and strengthen software supply chain security. These updates continue our commitment to building security directly into the development process — delivering precision, speed, and insight without disrupting developer flow.

Static Reachability Analysis

With over 37,000 new CVEs issued this year, security teams face an overwhelming volume of vulnerabilities and struggle to understand which ones are truly exploitable. Static Reachability Analysis, now in limited availability, brings library-level precision by helping to identify whether vulnerable code is actually invoked in your application, not just present in dependencies.

Paired with our recently released Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerability (KEV) data, security teams can more effectively accelerate vulnerability triage and prioritize real risks to help strengthen overall supply chain security. In 18.5, we’re adding support for Java, alongside existing support for Python, JavaScript, and TypeScript.

Secret Validity Checks

Just as Static Reachability Analysis helps teams prioritize exploitable vulnerabilities from open source dependencies, Secret Validity Checks bring the same insight to exposed secrets — currently available in beta on GitLab.com and GitLab Self-Managed. For GitLab-issued security tokens, instead of manually verifying whether a leaked credential or API key is active, GitLab automatically distinguishes active secrets from expired ones directly in the Vulnerability Report. This helps enable security and development teams to focus remediation efforts on genuine risks. Support for AWS- and GCP-issued secrets is planned for future releases.

Custom rules for Advanced SAST

Advanced SAST runs on rules informed by our in-house security research team, designed to maximize accuracy out of the box. However, some teams required additional flexibility to tune the SAST engine for their specific organization. With Custom Rules for Advanced SAST, AppSec teams can define atomic, pattern-based detection logic to help capture security issues specific to their organization — like flagging banned function calls — while still using GitLab’s curated ruleset as the baseline. Customizations are managed through simple TOML files, just like other SAST ruleset configurations. While these rules will not support taint analysis, they do give organizations greater flexibility in achieving accurate SAST results.

Advanced SAST C and C++ language support

We’re expanding our language coverage for Advanced SAST to include C and C++, which are widely used languages in embedded systems software development. To enable scanning, projects must generate a compilation database that captures compiler commands and includes paths used during builds. This works to ensure the scanner can accurately parse and analyze source files, delivering precise, context-aware results that help security teams identify real vulnerabilities in the development process. The implementation requirements for C and C++ require specific configurations, which can be found in our documentation. Advanced SAST C and C++ support are currently available in beta.

Diff-based SAST scanning

Traditional SAST scans re-analyze entire codebases with every commit, slowing pipelines and disrupting developer flow. The developer experience is a critical consideration that can make or break the adoption of application security testing. Diff-based SAST scanning aims to speed up scan times by focusing only on the code changed in a merge request, reducing redundant analysis and surfacing relevant results tied to the developer’s work. By aligning scans with actual code changes, GitLab delivers faster, more focused feedback that helps keep developers in flow while maintaining strong security coverage.

Simplify API configurations

API-driven workflows offer power and flexibility, but they can also create unnecessary complexity for tasks that teams need to perform regularly. The new Maven Virtual Registry interface brings a UI layer to these operations.

Maven Virtual Registry interface

The new web-based interface for managing Maven Virtual Registries turns complex API configurations into visual simplicity, providing a more intuitive experience for package administrators and platform engineers.

Previously, teams configured and maintained virtual registries only through API calls, which made routine maintenance time-consuming and required specialized platform knowledge. The new interface removes that barrier, helping to make everyday tasks faster and easier.

With this update, you can now:

• Create virtual registries to simplify dependency configuration
• Create and order upstreams to help improve performance and compliance
• Browse and clear stale cache entries directly in the UI

This visual experience helps reduce operational overhead and provides development teams with clearer insight into how dependencies are resolved, enabling them to make better decisions about build performance and security policies.

Watch a demo:

We invite enterprise customers to join the Maven Virtual Registry Beta program and share feedback to help shape the final release.

AI that adapts to your workflow

This release represents more than new capabilities — it's about choice and control. Watch the walkthrough video here:

GitLab Premium and Ultimate users can start using these capabilities today on GitLab.com and self-managed environments, with availability for GitLab Dedicated customers planned for next month.

GitLab Duo Agent Platform is currently in beta — enable beta and experimental features to experience how full-context AI can transform the way your teams build software. New to GitLab? Start your free trial and see why the future of development is AI-powered, secure, and orchestrated through the world’s most comprehensive DevSecOps platform.

Note: Platform capabilities that are in beta are available as part of the GitLab Beta program. They are free to use during the beta period, and when generally available, they will be made available with a paid add-on option for GitLab Duo Agent Platform.

Stay up to date with GitLab

To make sure you’re getting the latest features, security updates, and performance improvements, we recommend keeping your GitLab instance up to date. The following resources can help you plan and complete your upgrade:

• Upgrade Path Tool – enter your current version and see the exact upgrade steps for your instance
• Upgrade Documentation – detailed guides for each supported version, including requirements, step-by-step instructions, and best practices

By upgrading regularly, you’ll ensure your team benefits from the newest GitLab capabilities and remains secure and supported.

For organizations that want a hands-off approach, consider GitLab’s Managed Maintenance service. With Managed Maintenance, your team stays focused on innovation while GitLab experts keep your Self-Managed instance reliably upgraded, secure, and ready to lead in DevSecOps. Ask your account manager for more information.

This blog post contains "forward‑looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in these statements are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to differ materially. Further information on these risks and other factors is included under the caption "Risk Factors" in our filings with the SEC. We do not undertake any obligation to update or revise these statements after the date of this blog post, except as required by law.