Stay updated with our latest features and improvements.
Duo Agent Platform now available on free GitLab.com accounts, agentic code reviews for $0.25 each, and SAST false-positive detection is generally available.
Free GitLab.com teams can purchase GitLab Credits and start using AI agents, flows, and flat-rate automated code review.
Read the blogYour team no longer needs a Premium or Ultimate subscription to start using agentic AI. Group owners on free GitLab.com namespaces can now purchase a monthly commitment of GitLab Credits, giving every member immediate access to agents, flows, and agentic chat. Credits are pooled across the group so you pay for what AI does, not how many people use it. This purchase path:
Gives teams access to the same agents and flows as Premium and Ultimate customers, including Planner Agent, Developer Flow, Code Review Flow, Fix CI/CD Pipeline Flow, Agentic Chat, Code Suggestions, and more.
Shares credits across the group so teams can track what work agents complete through the usage dashboard, sorted by top consumers with per-user, per-action breakdowns and CSV export.
Provides immediate access after the group owner purchases credits; every member can use Duo Agent Platform right away.
Code Review Flow now costs one GitLab Credit for four reviews, regardless of merge request size or complexity. At that price, there is no reason not to run it on every MR across every project. No more token math, no more reserving AI reviews for high-priority changes. This change:
Replaces variable request-based pricing with a flat, predictable per-review cost that teams can forecast directly.
Runs across all groups and projects simultaneously; each review analyzes code in the context of your repository, pipeline, and security findings.
Is in effect today for GitLab.com and self-managed instances running 18.8.4 or later.
The credits dashboard now surfaces your biggest consumers, lets you audit specific sessions, and export usage data. The user table opens sorted by credits consumed so top users appear immediately. Session actions in the user detail view are clickable links for direct audit or debugging. This dashboard:
Finds top consumers instantly with the pre-sorted user table and search by user, action, or event type.
Exports all usage as CSV with per-day, per-action breakdowns for internal chargeback and reporting.
Shows trial customers on GitLab.com a "Usage by user" tab for the same visibility during evaluation.
After every SAST scan, Duo Agent Platform automatically checks critical and high severity findings and tells you which ones are likely false positives. Each finding gets a confidence score, an AI-generated explanation, and a visual badge so you can quickly separate real issues from noise. If you dismiss a false positive, it stays dismissed in future pipeline runs. Pricing is flat: one flow per credit. This flow:
Saves developers hours of manual investigation per scan cycle by surfacing real threats first.
Attaches a confidence score and AI-generated reasoning to every assessment for transparent decision-making.
Carries dismissed status forward so validated false positives do not resurface in future pipeline runs.
See how GitLab can automatically take a SAST vulnerability from detection to a ready-to-review merge request. Watch the agent read the code, generate and validate a fix, and open an MR with clear, explainable changes.
A separate flow from SAST false-positive detection, this analyzes secret detection findings to flag test credentials, example values, and placeholder secrets before they clutter your vulnerability report. Each assessment comes with AI reasoning and a confidence score. Disabled by default; administrators opt in through a feature flag. This capability:
Runs after each security scan, analyzing critical and high-severity secret detection findings without manual triggers.
Provides contextual AI reasoning and a confidence score for each assessment to help teams prioritize review.
Surfaces results directly in the vulnerability report alongside existing severity, status, and remediation information.
Epics, issues, and other work items now share a single unified list, removing the need to switch between separate pages to find and manage work. Saved views let teams create and store customized list configurations at the namespace level, so the filters and layouts you rely on every day are always one click away. This view:
Combines epics, issues, and all work item types into one list with sorting, filtering, and grouping across label, milestone, iteration, health, and status.
Saves display preferences as reusable views at the group or project level so teams share a consistent way of looking at work.
Replaces the tab-hopping and filter-rebuilding that slows down standups, sprint planning, and backlog grooming.
Available on Free, Premium, and Ultimate across GitLab.com, Self-Managed, and Dedicated.
Manual jobs in CI/CD pipelines can now accept input parameters at run time. If a parameter depends on an earlier job output or an external condition, you set it when you trigger the job; no need to re-run the full pipeline. Teams migrating from Jenkins will recognize this pattern immediately. This feature:
Allows individual job parameter configuration without full pipeline re-runs.
Supports dynamic inputs based on earlier job outputs or external conditions.
Reduces deployment errors from parameter mismatches and simplifies CI/CD tool consolidation.
Filter the security dashboard by business context
Secure
Analyze
Security attributes like business impact, application name, business unit, and internet exposure are now filterable directly on the Security Dashboard. Security managers can slice vulnerability data by what matters to their organization rather than scrolling through raw scan counts. This view:
Filters by business impact, application, business unit, and internet exposure directly on the dashboard.
Combines with existing Report Type and Project filters for scoped, shareable views.
Gives compliance teams and engineering leads focused, relevant security data without custom reporting.
Container virtual registries now have a web interface. Create Docker virtual registries, add upstream sources like Docker Hub, Harbor, and Quay, set their priority order, and clear caches; all without touching the API. Previously this was API-only. This registry:
Provides visual management for creating Docker virtual registries with multiple upstream sources.
Supports upstream source ordering, priority configuration, and cache clearing directly in the UI.
Reduces configuration overhead for teams consolidating container image management onto GitLab.