STOCK TITAN

GitLab 19.0 Extends Intelligent Orchestration to Close the Gap Between Writing Code and Shipping It

Key Terms

devsecops technical
DevSecOps is the practice of building security checks into the whole software creation and delivery process instead of treating security as a separate step at the end. For investors, it matters because products that find and fix vulnerabilities earlier tend to ship faster, cost less to maintain, and carry lower risk of damaging breaches or regulatory fines — much like installing quality and safety checks on a car while it’s being assembled rather than after it leaves the factory.
merge request technical
A merge request is a formal proposal by a software developer to combine a set of code changes into a project’s main codebase. Think of it like suggesting edits to a shared document that others review and approve before the edits become permanent. For investors, the number, speed and discussion around merge requests can signal product progress, engineering quality, security fixes and release cadence—factors that affect a company’s competitiveness and execution risk.
ci/cd technical
CI/CD stands for Continuous Integration and Continuous Delivery (or Deployment), a set of practices and tools that automate the building, testing and releasing of software so code changes reach users quickly and reliably. Think of it as an assembly line that checks each new part before it leaves the factory. For investors, CI/CD lowers the risk of costly bugs, speeds product improvements, reduces development costs, and makes a company’s road map and revenue more predictable.
software bill of materials technical
A software bill of materials is a detailed inventory of all the components, libraries and open-source pieces used to build a software product—think of it like an ingredient label for software. It matters to investors because it makes security, licensing and maintenance risks visible, helping assess potential costs from vulnerabilities, legal obligations or required updates and therefore influencing a company’s risk profile and future cash needs.
sbom technical
A software bill of materials (SBOM) is a detailed inventory listing all the underlying pieces — code libraries, open-source components, and modules — that make up a software product, like an ingredient list for a recipe. Investors care because an SBOM reveals potential security vulnerabilities, licensing risks, and supply-chain exposures that can lead to costly breaches, regulatory penalties, or downtime; knowing what’s inside software helps assess operational and compliance risk.
  • GitLab Secrets Manager, now in public beta, scopes credentials to individual jobs and governs access through the same controls used for code.
  • Developer Flow now handles the full merge request lifecycle, from reviewer feedback and conflict resolution to one-click rebase-and-merge.
  • Components Analytics gives platform engineering teams visibility into which CI/CD Catalog components and versions are running across their organization.
  • GitLab Duo Agent Platform Self-Hosted gains four new open source model options for teams using air-gapped and regulated environments.
  • Dependency scanning with a software bill of materials and security configuration profiles gives teams auditable control and visibility over what ships.

SAN FRANCISCO--(BUSINESS WIRE)-- All Remote — GitLab Inc., the intelligent orchestration platform for DevSecOps, today released GitLab 19.0, expanding secrets management, agentic merge request workflows, CI pipeline visibility, self-hosted open source model support, and supply chain visibility.

Engineering organizations shipping more code than ever are confronting the AI Paradox firsthand, as the surrounding workflows for securing credentials, reviewing and merging changes, enforcing pipeline standards, and running AI in regulated environments have not kept pace. GitLab 19.0 advances the platform's agentic core by embedding those capabilities where teams already work, helping reduce the handoffs between writing code and shipping it.

GitLab Secrets Manager Enters Public Beta

GitLab Secrets Manager, now in public beta for GitLab Premium and Ultimate users, stores credentials inside the same platform that runs code and pipelines, scoping each secret to only the jobs authorized to use it. Access control and audit logging use the same group and project structure already in GitLab, with no separate permission model to maintain. If a credential is compromised, responders can trace every job that used it from the GitLab audit trail, linked to the originating pipeline, without correlating logs across separate systems. It works alongside existing integrations with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

Developer Flow Extends Across the Full Merge Request Lifecycle

GitLab 19.0 extends Developer Flow across the full MR lifecycle to address reviewer feedback, resolve conflicts, split oversized MRs, and implement features at any stage. Since the flow reads project-specific standards from AGENTS.md before committing, the output reflects team context, workflows, and guardrails rather than generic defaults.

Two new capabilities, now in beta, round out the flow: a Resolve with Duo button that evaluates both branches, commits a proposed fix, and leaves a summary comment for the next reviewer, and one-click rebase-and-merge for teams using semi-linear or fast-forward merge methods. It is available for Free, Premium, and Ultimate tier users.

Components Analytics Closes the Visibility Gap in Shared CI Infrastructure

Components Analytics gives platform engineering teams visibility into which CI/CD Catalog components are running across their organization, and which versions are in use. The data resides in GitLab's unified platform, so teams can see and act on it without switching tools. Adoption data is available for Free, Premium, and Ultimate tier users, and the per-component drill-down is available for Ultimate tier users.

GitLab Duo Agent Platform Self-Hosted Gains New Open Source Model Options

GitLab Duo Agent Platform Self-Hosted now runs its agents on four additional open source models: Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, and MiniMax-M2.7. The additions support teams in air-gapped or regulated environments that can’t send source code to external APIs. Each model was evaluated against GitLab Duo Agent Platform task requirements, including multi-step tool use, code generation quality, and reasoning across large code differences. Both on-premises and private cloud deployment options are supported, including deployment via vLLM on GPU-enabled infrastructure and hybrid configurations that mix self-hosted and GitLab-managed models.

Strengthening Software Supply Chain Visibility

GitLab 19.0 adds security capabilities that give teams more control over governing what ships and who can access the platform. Dependency scanning with a software bill of materials (SBOM) produces an auditable inventory of third-party components matched against GitLab security advisories, giving Ultimate tier users evidence of what entered each build without a separate tool. Security configuration profiles allow teams to turn on Secret Detection, SAST, and Dependency Scanning across projects through policies rather than per-project CI configuration changes.

To learn more about GitLab 19.0, please read the what’s new page.

Supporting Quote

  • “AI made it faster to generate code, but it didn't make it easier to trust or secure it at scale,” said Manav Khurana, chief product and marketing officer at GitLab. “When security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships, and that's exactly what GitLab 19.0 delivers.”

About GitLab

GitLab is the intelligent orchestration platform for DevSecOps. GitLab enables organizations to increase developer productivity, improve operational efficiency, reduce security and compliance risk, and accelerate digital transformation. More than 50 million registered users and 50% of the Fortune 100* trust GitLab to ship better, more secure software faster.

*Fortune 500® is a registered trademark of Fortune Media IP Limited, used under license. Claim based on GitLab data. Fortune 100 refers to the top 20% ranked companies in the 2025 Fortune 500 list, published in June 2025. Fortune and Fortune Media IP Limited are not affiliated with, and do not endorse products or services of GitLab.

Media Contact
Christina Weaver
press@gitlab.com

Source: GitLab Inc.