In GitLab 18.3, we laid the groundwork for true human-AI collaboration. We introduced leading AI tools such as Claude Code, Codex CLI, Amazon Q CLI, and Gemini CLI as native integrations to GitLab, delivered our first preview of the GitLab Model Context Protocol (MCP) server in partnership with Cursor, and shipped two new flows, Issue to MR and Convert CI File for Jenkins Flows, to help teams tackle every day problems.

With GitLab 18.4 we are expanding your ability to build and share custom agents, collaborate more effectively through Agentic Chat, navigate codebases with the Knowledge Graph, and keep pipelines green with the Fix Failed Pipelines Flow, while also delivering greater security and governance over your AI usage.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1120293274?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="18.4 Release video placeholder"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Have questions on the latest features in the GitLab 18.4 release? Join us for The Developer Show live on LinkedIn on Sept. 23 at 10:00 am PT, or on-demand shortly after!

Build your experience

Start your day by pulling from the AI Catalog — a library of specialized agents that surface priorities, automate routine work, and keep you focused on building.

AI Catalog as your library of specialized agents

With GitLab 18.4, we're introducing the GitLab Duo AI Catalog — a central library where teams can create, share, and collaborate with custom-built agents across their organization. Every team has ‘their way' of doing things. So creating a custom agent is just like training a fellow engineer on the ‘right way' to do things in your organization.

For example, a custom Product Planning agent can file bugs in the specific format, following your labeling standards, or a Technical Writer agent can draft concise documentation following your conventions, or a Security agent can make sure your security and compliance standards are met for every MR. Instead of functioning as disconnected tools, these agents become part of the natural stream of work inside GitLab — helping accelerate tasks without disrupting established processes.

Note: This capability is currently only available on GitLab.com. We plan to deliver this to our self-managed customers next month in the 18.5 release.

Stay in your flow

GitLab Duo Agentic Chat makes collaboration with agents seamless.

Smarter Agentic Chat to streamline collaboration with agents

As the centerpiece of GitLab Duo Agent Platform, Agentic Chat gives you a seamless way to collaborate with AI agents. The latest update to Agentic Chat with GitLab 18.4 improves the chat experience and expands how sessions are managed and surfaced.

• Chat with custom agent

  Let's start with your newly-created custom agent. Once designed, you can immediately put that agent to work through Agentic Chat. For example, you could ask your new agent “give me a list of assignments” to get started with your priorities for the day. Additionally, you now have the ability to start fresh conversations with new agents and resume previous conversations with agents without losing context.

• User model selection

  With previous releases, you're able to select models at a namespace level, but in 18.4 you can now choose models at the user level for a given chat session. This empowers you to make the call on which LLM is right for the job, or experiment with different LLMs to see which delivers the best answer for your task.

• Improved formatting and visual design

  We hope you love the new visual design for GitLab Duo Agentic Chat, including improved handling of tool call approvals to ensure your experience is more enjoyable.

• Agent Sessions available through Agentic Chat

  Sessions are expanding to become a core part of the Agentic Chat experience. Any agent run or flow now appears in the Sessions overview available from Agentic Chat. Within each session, you'll see rich details like job logs, user information, and tool metadata — providing critical transparency into how agents are working on your behalf.

  Note: Sessions in Agentic Chat is available on GitLab.com only, this enhancement is planned for self-managed customers next month in the 18.5 update.

Unlock your codebase

With agents, context is king. With Knowledge Graph, you can give your agents more context so they can reason faster and give you better results.

Introducing the GitLab Knowledge Graph (Beta)

The GitLab Knowledge Graph in 18.4 transforms how developers and agents understand and navigate complex codebases. The Knowledge Graph provides a connected map of your entire project, linking files, routes, and references across the software development lifecycle. By leveraging tools such as go-to-definition, codebase search, and reference tracking through in-chat queries, developers gain the ability to ask precise questions like “show me all route files” or “what else does this change impact?” This deeper context helps teams move faster and with more confidence — whether it's onboarding new contributors, conducting deep research across a project, or exploring how a modification impacts dependent code. The more of your ecosystem that lives in GitLab, the more powerful the Knowledge Graph becomes, giving both humans and AI agents the foundation to build with accuracy, speed, and full project awareness. In future releases, we'll be stitching all of your GitLab data into the Knowledge Graph, including plans, MRs, security vulnerabilities, and more. This release of the Knowledge Graph focuses on local code indexing, where the gkg CLI turns your codebase into a live, embeddable graph database for RAG. You can install it with a simple one-line script, parse local repositories, and connect via MCP to query your workspace. Our vision for the Knowledge Graph project is twofold: building a vibrant community edition that developers can run locally today, which will serve as the foundation for a future, fully-integrated Knowledge Graph Service within GitLab.com and self-managed instances. <div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1121017374?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="18.4 Knowledge Graph Demo"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Automate your pipeline maintenance

Fix pipeline failures faster and stay in the flow with the Fixed Failed Pipelines Flow.

Fix Failed Pipelines Flow with business awareness

Keeping pipelines green is critical for your development velocity, but traditional approaches focus only on technical troubleshooting without considering the business impact. The Fix Failed Pipelines Flow addresses this challenge by combining technical analysis with strategic context. For example, it can automatically prioritize fixing a failed deployment pipeline for a customer-facing service ahead of a nightly test job, or flag build issues in a high-priority release branch differently than experimental feature branches.

• Business-aware failure detection monitors pipeline executions while understanding the importance of different workflows and deployment targets.
• Contextual root cause analysis analyzes failure logs alongside business requirements, recent changes, and cross-project dependencies to identify underlying causes.
• Strategic fix prioritization generates appropriate fixes while considering business impact, deadlines, and resource allocation priorities.
• Workflow-integrated resolution automatically creates merge requests with fixes that maintain proper review processes while providing business context for prioritization decisions.

This flow keeps pipelines green while maintaining strategic alignment, enabling automated fixes to support business objectives rather than just resolving technical issues in isolation.

Customize your AI environment

Automation only works if you trust the models behind it. That's why 18.4 delivers governance features like model selection and GitLab-managed keys.

GitLab Duo model selection to optimize feature performance

Model selection is now generally available, giving you direct control over which large language models (LLMs) power GitLab Duo. You and your team can select the models of your choice, apply them across the organization or tailor them per feature. You can set defaults to ensure consistency across namespaces and tools, with governance, compliance, and security requirements in mind.

For customers using GitLab Duo Self-Hosted, newly added support for GPT OSS and GPT-5 provides additional flexibility for AI-powered development workflows.

Note: Model selection is not available for GitLab.com customers, and GPT models are not supported on GitLab.com.

Protect your sensitive context

Alongside governance comes data protection, giving you fine-grained control over what AI can and can't see.

GitLab Duo Context Exclusion for granular data protection

It's no surprise — you need granular control over what information AI agents can access. GitLab Duo Context Exclusion in 18.4 provides project-level settings that let teams exclude specific files or file paths from AI access. Capabilities include:

• File-specific exclusions to help protect sensitive files such as password configurations, secrets, and proprietary algorithms.
• Path-based rules to create exclusion patterns based on directory structures or file naming conventions.
• Flexible configuration to apply exclusions at the project level while maintaining development workflow efficiency.
• Audit visibility to track what content is excluded to support compliance with data governance policies.

GitLab Duo Context Exclusion helps you protect sensitive data while you accelerate development with agentic AI.

Extend your AI capabilities with new MCP tools

Expanded MCP tools extend those capabilities even further, connecting your GitLab environment with a broader ecosystem of intelligent agents.

New tools for GitLab MCP server

Expanding on the initial MCP server introduced in 18.3, GitLab 18.4 adds more MCP tools — capabilities that define how MCP clients interact with GitLab. These new tools extend integration possibilities, enabling both first-party and third-party AI agents to take on richer tasks such as accessing project data, performing code operations, or searching across repositories, all while respecting existing security and permissions models. For a full list of MCP tools, including the new additions in 18.4, visit our MCP server documentation.

Experience the future of intelligent software development

With GitLab Duo Agent Platform, engineers can begin to move from working on one issue at a time in single threaded fashion, to multi-threaded collaboration with asynchronous agents that act like teammates to get work done, faster. We are bringing to market this unique vision with our customer's preferences for independence and choice: run in your preferred cloud environments using the LLMs and AI tools that work best for you, within the security and compliance guardrails you set.

As an integral part of this innovation, GitLab 18.4 is more than a software upgrade — it's about making the day-to-day experience of developers smoother, smarter, and more secure. From reusable agents to business-aware pipeline fixes, every feature is designed to keep teams in flow while balancing speed, security, and control. For a deeper look at how these capabilities come together in practice, check out our walkthrough video.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1120288083?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="A day in the life with GitLab Duo Agent Platform"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

GitLab Premium and Ultimate users can start using these capabilities today on GitLab.com and self-managed environments, with availability for GitLab Dedicated customers coming next month.

Enable beta and experimental features in GitLab Duo Agent Platform today and experience how full-context AI can transform the way your teams build software. New to GitLab? Start your free trial and see why the future of development is AI-powered, secure, and orchestrated through the world's most comprehensive DevSecOps platform.

Stay up to date with GitLab

To make sure you're getting the latest features, security updates, and performance improvements, we recommend keeping your GitLab instance up to date. The following resources can help you plan and complete your upgrade:

• Upgrade Path Tool – enter your current version and see the exact upgrade steps for your instance
• Upgrade documentation – detailed guides for each supported version, including requirements, step-by-step instructions, and best practices

By upgrading regularly, you'll ensure your team benefits from the newest GitLab capabilities and remains secure and supported.

For organizations that want a hands-off approach, consider GitLab's Managed Maintenance service. With Managed Maintenance, your team stays focused on innovation while GitLab experts keep your Self-Managed instance reliably upgraded, secure, and ready to lead in DevSecOps. Ask your account manager for more information.

This blog post contains "forward-looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in these statements are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to differ materially. Further information on these risks and other factors is included under the caption "Risk Factors" in our filings with the SEC. We do not undertake any obligation to update or revise these statements after the date of this blog post, except as required by law.

While static code analysis catches vulnerabilities in source code, it cannot identify runtime security issues that emerge when applications interact with real-world environments, third-party services, and complex user workflows. This is where Dynamic Application Security Testing (DAST) becomes invaluable. GitLab's integrated DAST solution provides teams with automated security testing capabilities directly within their CI/CD pipelines, on a schedule, or on-demand, enabling continuous security validation without disrupting development workflows.

Why DAST?

DAST should be implemented because it provides critical runtime security validation by testing applications in their actual operating environment, identifying vulnerabilities that static analysis cannot detect. Additionally, GitLab DAST can be seamlessly integrated into shift-left security workflows, and can enhance compliance assurance along with risk management.

Runtime vulnerability detection

DAST excels at identifying security vulnerabilities that only manifest when applications are running. Unlike static analysis tools that examine code at rest, DAST scanners interact with live applications as an external attacker would, uncovering issues such as:

• Authentication and session management flaws that could allow unauthorized access
• Input validation vulnerabilities, including SQL injection, cross-site scripting (XSS), and command injection
• Configuration weaknesses in web servers, databases, and application frameworks
• Business logic flaws that emerge from complex user interactions
• API security issues, including improper authentication, authorization, and data exposure

DAST complements other security testing approaches to provide comprehensive application security coverage. When combined with Static Application Security Testing (SAST), Software Composition Analysis (SCA), manual penetration testing, and many other scanner types, DAST fills critical gaps in security validation:

• Black-box testing perspective that mimics real-world attack scenarios
• Environment-specific testing that validates security in actual deployment configurations
• Third-party component testing, including APIs, libraries, and external services
• Configuration validation across the entire application stack

Seamless shift-left security integration

GitLab DAST seamlessly integrates into existing CI/CD pipelines, enabling teams to identify security issues early in the development lifecycle. This shift-left approach provides several key benefits:

• Cost reduction — Fixing vulnerabilities during development is significantly less expensive than addressing them in production. Studies show that remediation costs can be 10 to 100 times higher in production environments.
• Faster time-to-market — Automated security testing eliminates bottlenecks caused by manual security reviews, allowing teams to maintain rapid deployment schedules while ensuring security standards.
• Developer empowerment — By providing immediate feedback on security issues, DAST helps developers build security awareness and improve their coding practices over time.

Compliance and risk management

Many regulatory frameworks and industry standards require regular security testing of web applications. DAST helps organizations meet compliance requirements for standards such as:

• PCI DSS for applications handling payment card data
• SOC 2 security controls for service organizations
• ISO 27001 information security management requirements

The automated nature of GitLab DAST ensures consistent, repeatable security testing that auditors can rely on, while detailed reporting provides the documentation needed for compliance validation.

Implementing DAST

Before implementing GitLab DAST, ensure your environment meets the following requirements:

• GitLab version and Ultimate subscription — DAST is available in GitLab Ultimate and requires GitLab 13.4 or later for full functionality; however, the latest version is recommended.
• Application accessibility — Your application must be accessible via HTTP/HTTPS with a publicly reachable URL or accessible within your GitLab Runner's network.
• Authentication setup — If your application requires authentication, prepare test credentials or configure authentication bypass mechanisms for security testing.

Basic implementation

The simplest way to add DAST to your pipeline is by including the DAST template in your .gitlab-ci.yml file and providing a website to scan:

include:
  - template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: "https://your-application.example.com"

This basic configuration will:

• Run a DAST scan against your specified website
• Generate a security report in GitLab's security dashboard
• Fail the pipeline if high-severity vulnerabilities are detected
• Store scan results as pipeline artifacts

However, it is suggested to gain the full benefit of CI/CD, you can first deploy the application and set DAST to run only after an application has been deployed. The application URL can be dynamically created and the DAST job can be configured fully with GitLab Job syntax.

stages:
  - build
  - deploy
  - dast

include:
  - template: Security/DAST.gitlab-ci.yml

# Builds and pushes application to GitLab's built-in container registry
build:
  stage: build
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $IMAGE .
    - docker push $IMAGE

# Deploys application to your suggested target, setsup the dast site dynamically, requires build to complete
deploy:
  stage: deploy
  script:
    - echo "DAST_WEBSITE=http://your-application.example.com" >> deploy.env
    - echo "Perform deployment here"
  environment:
    name: $DEPLOY_NAME
    url: http://your-application.example.com
  artifacts:
    reports:
      dotenv: deploy.env
  dependencies:
    - build

# Configures DAST to run a an active scan on non-main branches, and a passive scan on the main branches and requires a deployment to complete before it is run
dast:
  stage: dast
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
      variables:
        DAST_FULL_SCAN: "false"
    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
      variables:
        DAST_FULL_SCAN: "true"
  dependencies:
    - deploy

You can learn from an example by seeing the Tanuki Shop demo application, which generates the following pipeline:

Understanding passive vs. active scans

In the example above we enabled active scanning for non-default branches:

- if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
  variables:
    DAST_FULL_SCAN: "true"

GitLab DAST employs two distinct scanning methodologies (passive and active), each serving different security testing needs.

Passive scans analyze application responses without sending potentially harmful requests. This approach:

• Examines HTTP headers, cookies, and response content for security misconfigurations
• Identifies information disclosure vulnerabilities like exposed server versions or stack traces
• Detects missing security headers (CSP, HSTS, X-Frame-options)
• Analyzes SSL/TLS configuration and certificate issues

Active scans send crafted requests designed to trigger vulnerabilities. This approach:

• Tests for injection vulnerabilities (SQL injection, XSS, command injection)
• Attempts to exploit authentication and authorization flaws
• Validates input sanitization and output encoding
• Tests for business logic vulnerabilities

Note: The DAST scanner is set to passive by default.

DAST has several configuration options that can be applied via environment variables. For a list of all the possible configuration options for DAST, see the DAST documentation.

Authentication configuration

DAST requires authentication configuration in CI/CD jobs to achieve complete security coverage. Authentication enables DAST to simulate real attacks and test user-specific features only accessible after login. The DAST job typically authenticates by submitting login forms in a browser, then verifies success before continuing to crawl the application with saved credentials. Failed authentication stops the job.

Supported authentication methods:

• Single-step login form
• Multi-step login form
• Authentication to URLs outside the target scope

Here is an example for a single-step login form in a Tanuki Shop MR which adds admin authentication to non-default branches.

dast:
  stage: dast
  before_script:
    - echo "DAST_TARGET_URL set to '$DAST_TARGET_URL'" # Dynamically loaded from deploy job
    - echo "DAST_AUTH_URL set to '$DAST_TARGET_URL'" # Dynamically loaded from deploy jobs
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
      variables:
        DAST_FULL_SCAN: "false"
    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
      variables:
        DAST_FULL_SCAN: "true" # run both passive and active checks
        DAST_AUTH_USERNAME: "admin@tanuki.local" # The username to authenticate to in the website
        DAST_AUTH_PASSWORD: "admin123" # The password to authenticate to in the website
        DAST_AUTH_USERNAME_FIELD: "css:input[id=email]" # A selector describing the element used to enter the username on the login form
        DAST_AUTH_PASSWORD_FIELD: "css:input[id=password]" # A selector describing the element used to enter the password on the login form
        DAST_AUTH_SUBMIT_FIELD: "css:button[id=loginButton]" # A selector describing the element clicked on to submit the login form
        DAST_SCOPE_EXCLUDE_ELEMENTS: "css:[id=navbarLogoutButton]" # Comma-separated list of selectors that are ignored when scanning
        DAST_AUTH_REPORT: "true" # generate a report detailing steps taken during the authentication process
        DAST_REQUEST_COOKIES: "welcomebanner_status:dismiss,cookieconsent_status:dismiss" # A cookie name and value to be added to every request
        DAST_CRAWL_GRAPH: "true" # generate an SVG graph of navigation paths visited during crawl phase of the scan
  dependencies:
    - deploy-kubernetes

You can see if the authentication was successful by viewing the job logs:

Once this job completes it provides an authentication report which includes screenshots of the login page:

You can also see more examples on DAST with authentication in our DAST demos group. To learn more about how to perform DAST with authentication with your specific requirements, see the DAST authentication documentation.

Viewing results in MR

GitLab's DAST seamlessly integrates security scanning into your development workflow by displaying results directly within merge requests:

These results include comprehensive vulnerability data within MRs to help developers identify and address security issues before code is merged. Here's what DAST typically reports:

Vulnerability details

• Vulnerability name and type (e.g., SQL injection, XSS, CSRF)
• Severity level (Critical, High, Medium, Low, Info)
• CVSS score when applicable
• Common Weakness Enumeration (CWE) identifier
• Confidence level of the finding

Location information

• URL/endpoint where the vulnerability was detected
• HTTP method used (GET, POST, etc.)
• Request/response details showing the vulnerable interaction
• Parameter names that are vulnerable
• Evidence demonstrating the vulnerability

Technical context

• Description of the vulnerability and potential impact
• Proof of concept showing how the vulnerability can be exploited
• Request/response pairs that triggered the finding
• Scanner details (which DAST tool detected it)

Remediation guidance

• Solution recommendations for fixing the vulnerability
• References to security standards (OWASP, etc.)
• Links to documentation for remediation steps

Viewing results in GitLab Vulnerability Report

For managing vulnerabilities located in the default (or production) branch, the GitLab Vulnerability Report provides a centralized dashboard for monitoring all security findings (in the default branch) across your entire project or organization. This comprehensive view aggregates all security scan results, offering filtering and sorting capabilities to help security teams prioritize remediation efforts.

When selecting a vulnerability, you are taken to its vulnerability page:

Just like in merge requests, the vulnerability page provides comprehensive vulnerability data, as seen above. From here you can triage vulnerabilities by assigning them with a status:

• Needs triage (Default)
• Confirmed
• Dismissed (Acceptable risk, False positive, Mitigating control, Used in tests, Not applicable)
• Resolved

When a vulnerability status is changed, the audit log includes a note of who changed it, when it was changed, and the reason it was changed. This comprehensive system allows security teams to efficiently prioritize, track, and manage vulnerabilities throughout their lifecycle with clear accountability and detailed risk context.

On-demand and scheduled DAST

GitLab provides flexible scanning options beyond standard CI/CD pipeline integration through on-demand and scheduled DAST scans. On-demand scans allow security teams and developers to initiate DAST testing manually whenever needed, without waiting for code commits or pipeline triggers. This capability is particularly valuable for ad-hoc security assessments, incident response scenarios, or when testing specific application features that may not be covered in regular pipeline scans.

On-demand scans can be configured with custom parameters, target URLs, and scanning profiles, making them ideal for focused security testing of particular application components or newly-deployed features. Scheduled DAST scans provide automated, time-based security testing that operates independently of the development workflow. These scans can be configured to run daily, weekly, or at custom intervals, ensuring continuous security monitoring of production applications.

To learn how to implement on-demand or scheduled scans within your project, see the DAST on-demand scan documentation

DAST in compliance workflows

GitLab's security policies framework allows organizations to enforce consistent security standards across all projects, while maintaining flexibility for different teams and environments. Security policies enable centralized governance of DAST scanning requirements, ensuring that critical applications receive appropriate security testing without requiring individual project configuration. By defining security policies at the group or instance level, security teams can mandate DAST scans for specific project types, deployment environments, or risk classifications.

Scan/Pipeline Execution Policies can be configured to automatically trigger DAST scans based on specific conditions such as merge requests to protected branches, scheduled intervals, or deployment events. For example, a policy might require full active DAST scans for all applications before production deployment, while allowing passive scans only for development branches. These policies can include custom variables, authentication configurations, and exclusion rules that are automatically applied to all covered projects, reducing the burden on development teams and ensuring security compliance.

Merge Request Approval Policies provide an additional layer of security governance by enforcing human review for code changes that may impact security. These policies can be configured to require security team approval when DAST scans detect new vulnerabilities, when security findings exceed defined thresholds, or when changes affect security-critical components. For example, a policy might automatically require approval from a designated security engineer when DAST findings include high-severity vulnerabilities, while allowing lower-risk findings to proceed with standard code review processes.

To learn more about GitLab security policies, see the policy documentation. Additionally, for compliance, GitLab provides Security Inventory and Compliance center, which can allow you to oversee if DAST is running in your environment and where it is required.

To learn more about these features, visit our software compliance solutions page.

Summary

GitLab DAST represents a powerful solution for integrating dynamic security testing into modern development workflows. By implementing DAST in your CI/CD pipeline, your team gains the ability to automatically detect runtime vulnerabilities, maintain compliance with security standards, and build more secure applications without sacrificing development velocity.

The key to successful DAST implementation lies in starting with basic configuration and gradually expanding to more sophisticated scanning profiles as your security maturity grows. Begin with simple website scanning, then progressively add authentication, custom exclusions, and advanced reporting to match your specific security requirements.

Remember that DAST is most effective when combined with other security testing approaches. Use it alongside static analysis, dependency scanning, and manual security reviews to create a comprehensive security testing strategy. The automated nature of GitLab DAST ensures that security testing becomes a consistent, repeatable part of your development process rather than an afterthought.

To learn more about GitLab security, check out our security testing solutions page. To get started with GitLab DAST, sign up for a free trial of GitLab Ultimate today.

Download the report.

From AI features to intelligent collaboration

The Gartner evaluation, we feel, focused on GitLab Duo's generative AI code assistance capabilities. While GitLab Duo began as an AI add-on to the GitLab DevSecOps platform, it laid the groundwork for where we are going today with agentic AI built natively into the GitLab DevSecOps platform.

GitLab Duo Agent Platform enables developers to work alongside multiple AI agents that automate tasks across the software lifecycle. Agents collaborate with each other and with humans, using GitLab’s Knowledge Graph to act with full project context. This empowers teams to move faster while keeping visibility and control.

• Specialized agents handle tasks such as code generation, security analysis, and research in parallel.

• Knowledge Graph connects agents to a unified system of record across code, issues, pipelines, and compliance data.

• Human + agent collaboration happens through natural-language chat and customizable flows, with review and oversight built in.

• Interoperability with external tools and systems is supported through Model Context Protocol (MCP) and agent-to-agent frameworks.

With agents handling routine work under human guidance, teams can move faster, focus on higher-value tasks, and keep projects secure and compliant.

Secure by design, flexible in practice

The GitLab Duo Agent Platform is designed to keep security and compliance front and center. Agents run inside GitLab’s trusted DevSecOps environment, with every action visible and reviewable before changes are made. Secure integrations help ensure credentials and sensitive data are handled safely, while interoperability through open standards connects agents to external tools without exposing an organization to risk.

The platform gives teams confidence that AI is enhancing productivity without compromising governance. Here's how:

• Developers can stay focused on complex, high-impact work, while handing off routine tasks to agents for faster results and more granular context delivered through their existing workflows.

• Engineering leaders gain visibility into how work moves across the lifecycle, with agents operating within clear guardrails. They also can ensure their teams stay aligned to priorities and simplify onboarding with guided support through agent-driven context and workflows.

• IT organizations maintain control over agent activity with governance features that enforce coding and security policies, offer model selection flexibility, and ensure secure interoperability — all while keeping humans in the loop.

Leading the move to AI-native development

GitLab continues to build on the vision that began with Duo, and will continue to expand GitLab Duo Agent Platform with new agents, advanced workflows, and more orchestration capabilities. This commitment to innovation ensures you can amplify team productivity on the platform you know and trust. Stay tuned for exciting updates on our roadmap as we continue to revolutionize AI-native DevSecOps.

Download the 2025 Gartner® Magic Quadrant™ for AI Code Assistants and try GitLab Duo Agent Platform today.

Source: Gartner, Magic Quadrant for AI Code Assistants, Philip Walsh, Haritha Khandabattu, Matt Brasier, Keith Holloway, Arun Batchu, 15 September 2025

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner Inc. as part of a larger report and should be evaluated in the context of the entire document. The Gartner document is available upon request from Gartner B.V.

But what if you could automate this entire process? In this walkthrough, I'll show you exactly how GitLab Duo Agent Platform can generate comprehensive dbt models in just minutes, complete with proper structure, tests, and documentation.

What we're building

Our marketing team wants to effectively manage and optimize advertising investments. One of the advertising platforms is Reddit, so, therefore, we are extracting data from the Reddit Ads API to our enterprise Data Platform Snowflake. At GitLab, we have three layers of storage:

1. raw layer - first landing point for unprocessed data from external sources; not ready for business use
2. prep layer - first transformation layer with source models; still not ready for general business use
3. prod layer - final transformed data ready for business use and Tableau reporting

For this walkthrough, data has already landed in the raw layer by our extraction solution Fivetran, and we'll generate dbt models that handle the data through the prep layer to the prod layer.

Without having to write a single line of dbt code ourselves, by the end of the walkthrough we will have:

• Source models in the prep layer
• Workspace models in the prod layer
• Complete dbt configurations for all 13 tables (which includes 112 columns) in the Reddit Ads dataset
• Test queries to validate the outcomes

The entire process will take less than 10 minutes, compared to the hours it would typically require manually. Here are the steps to follow:

1. Prepare the data structure

Before GitLab Duo can generate our models, it needs to understand the complete table structure. The key is running a query against Snowflake's information schema, because we are currently investigating how to connect GitLab Duo via Model Context Protocol (MCP) to our Snowflake instance:

SELECT 
    table_name,
    column_name,
    data_type,
    is_nullable,
    CASE 
        WHEN is_nullable = 'NO' THEN 'PRIMARY_KEY'
        ELSE NULL 
    END as key_type
FROM raw.information_schema.columns
WHERE table_schema = 'REDDIT_ADS'
ORDER BY table_name, ordinal_position;

This query captures:

• All table and column names
• Data types for proper model structure
• Nullable constraints
• Primary key identification (non-nullable columns in this dataset)

Pro tip: In the Reddit Ads dataset, all non-nullable columns serve as primary keys — a pattern. I validated by checking tables like ad_group, which has two non-nullable columns (account_id and id) that are both marked as primary keys. Running this query returned 112 rows of metadata that I exported as a CSV file for model generation. While this manual step works well today, we're investigating a direct GitLab Duo integration with our Data Platform via MCP to automate this process entirely.

2. Set up GitLab Duo

There are two ways to interact with GitLab Duo:

1. Web UI chat function
2. Visual Studio Code plugin

I chose the VS Code plugin because I can run the dbt models locally to test them.

3. Enter the 'magic' prompt

Here's the exact prompt I used to generate all the dbt code:

Create dbt models for all the tables in the file structure.csv.

I want to have the source models created, with a filter that dedupes the data based on the primary key. Create these in a new folder reddit_ads.
I want to have workspace models created and store these in the workspace_marketing schema.

Take this MR as example: [I've referenced to previous source implementation]. Here is the same done for Source A, but now it needs to be done for Reddit Ads. 

Please check the dbt style guide when creating the code: https://handbook.gitlab.com/handbook/enterprise-data/platform/dbt-guide/

Key elements that made this prompt effective:

• Clear specifications for both source and workspace models.
• Reference example from a previous similar merge request.
• Style guide reference to ensure code quality and consistency.
• Specific schema targeting for proper organization.

4. GitLab Duo's process

After submitting the prompt, GitLab Duo got to work. The entire generation process took a few minutes, during which GitLab Duo:

1. Read and analyzed the CSV input file.
2. Examined table structures from the metadata.
3. Referenced our dbt style guide for coding standards.
4. Took similar merge request into account to properly structure.
5. Generated source models for all 13 tables.
6. Created workspace models for all 13 tables.
7. Generated supporting dbt files:
   • sources.yml configuration.
   • schema.yml files with tests and documentation.
   • Updated dbt_project.yml with schema references.

The results

The output was remarkable:

• 1 modified file: dbt_project.yml (added reddit_ads schema configuration)
• 29 new files:
  • 26 dbt models (13 source + 13 workspace)
  • 3 YAML files
• Nearly 900 lines of code generated automatically
• Built-in data tests, including unique constraints on primary key columns
• Generic descriptions for all models and columns
• Proper deduplication logic in source models
• Clean, consistent code structure following the GitLab dbt style guide

transform/snowflake-dbt/
├── dbt_project.yml                                                    [MODIFIED]
└── models/
    ├── sources/
    │   └── reddit_ads/
    │       ├── reddit_ads_ad_group_source.sql                        [NEW]
    │       ├── reddit_ads_ad_source.sql                              [NEW]
    │       ├── reddit_ads_business_account_source.sql                [NEW]
    │       ├── reddit_ads_campaign_source.sql                        [NEW]
    │       ├── reddit_ads_custom_audience_history_source.sql         [NEW]
    │       ├── reddit_ads_geolocation_source.sql                     [NEW]
    │       ├── reddit_ads_interest_source.sql                        [NEW]
    │       ├── reddit_ads_targeting_community_source.sql             [NEW]
    │       ├── reddit_ads_targeting_custom_audience_source.sql       [NEW]
    │       ├── reddit_ads_targeting_device_source.sql                [NEW]
    │       ├── reddit_ads_targeting_geolocation_source.sql           [NEW]
    │       ├── reddit_ads_targeting_interest_source.sql              [NEW]
    │       ├── reddit_ads_time_zone_source.sql                       [NEW]
    │       ├── schema.yml                                            [NEW]
    │       └── sources.yml                                           [NEW]
    └── workspaces/
        └── workspace_marketing/
            └── reddit_ads/
                ├── schema.yml                                        [NEW]
                ├── wk_reddit_ads_ad.sql                              [NEW]
                ├── wk_reddit_ads_ad_group.sql                        [NEW]
                ├── wk_reddit_ads_business_account.sql                [NEW]
                ├── wk_reddit_ads_campaign.sql                        [NEW]
                ├── wk_reddit_ads_custom_audience_history.sql         [NEW]
                ├── wk_reddit_ads_geolocation.sql                     [NEW]
                ├── wk_reddit_ads_interest.sql                        [NEW]
                ├── wk_reddit_ads_targeting_community.sql             [NEW]
                ├── wk_reddit_ads_targeting_custom_audience.sql       [NEW]
                ├── wk_reddit_ads_targeting_device.sql                [NEW]
                ├── wk_reddit_ads_targeting_geolocation.sql           [NEW]
                ├── wk_reddit_ads_targeting_interest.sql              [NEW]
                └── wk_reddit_ads_time_zone.sql                       [NEW]

Sample generated code

Here's an example of the generated code quality. For the time_zone table, GitLab Duo created:

Prep Layer Source Model

WITH source AS (
  SELECT *
  FROM {{ source('reddit_ads','time_zone') }}
  QUALIFY ROW_NUMBER() OVER (PARTITION BY id ORDER BY _fivetran_synced DESC) = 1
),

renamed AS (
  SELECT
    id::VARCHAR                               AS time_zone_id,
    code::VARCHAR                             AS time_zone_code,
    dst_offset::NUMBER                        AS time_zone_dst_offset,
    is_dst_active::BOOLEAN                    AS is_time_zone_dst_active,
    name::VARCHAR                             AS time_zone_name,
    offset::NUMBER                            AS time_zone_offset,
    _fivetran_synced::TIMESTAMP               AS fivetran_synced_at
  FROM source
)

SELECT * FROM renamed

Schema.yml

models:
  - name: reddit_ads_time_zone_source
    description: Time zone data from Reddit Ads system
    columns:
      - name: time_zone_id
        description: Unique identifier for time zone records
        data_tests:
          - unique
          - not_null
      - name: time_zone_code
        description: Code for the time zone
      - name: time_zone_dst_offset
        description: Daylight saving time offset for the time zone
      - name: is_time_zone_dst_active
        description: Flag indicating if daylight saving time is active
      - name: time_zone_name
        description: Name of the time zone
      - name: time_zone_offset
        description: Offset for the time zone
      - name: fivetran_synced_at
        description: Timestamp when the record was last synced by Fivetran

Source.yml

sources:
  - name: reddit_ads
    database: RAW
    schema: reddit_ads
    loaded_at_field: _fivetran_synced
    loader: fivetran
    description: Reddit Ads data

    quoting:
      database: true
      schema: false
      identifier: false

    tables:
      - name: time_zone

Workspace Model

WITH source AS (
  SELECT *
  FROM {{ ref('reddit_ads_time_zone_source') }}
)

SELECT * FROM source

5. Quality validation

Now that the code looks good, I pushed it to the MR and executed CI test pipeline to test the code and validate the outcome. I asked GitLab Duo to create a validation query:

Create a test query to test the row counts between the raw layer and the workspace layer. Keep in mind that we do deduplication, so we can compare both using distinct on the primary keys.

The AI generated a comprehensive validation query that:

• Compared row counts between raw and workspace layers.
• Accounted for deduplication logic.
• Tested all 13 tables.
• Calculated data retention percentages.

<details> <summary>Generated SQL Test query</summary>

-- Reddit Ads Row Count Validation Test
-- Compares distinct counts between RAW layer and WORKSPACE_MARKETING layer
-- Accounts for deduplication logic in source models

WITH raw_counts AS (
  -- Single primary key tables
  SELECT 'ad' AS table_name, COUNT(DISTINCT id) AS raw_count
  FROM RAW.REDDIT_ADS.AD
  
  UNION ALL
  
  SELECT 'business_account' AS table_name, COUNT(DISTINCT id) AS raw_count
  FROM RAW.REDDIT_ADS.BUSINESS_ACCOUNT
  
  UNION ALL
  
  SELECT 'campaign' AS table_name, COUNT(DISTINCT id) AS raw_count
  FROM RAW.REDDIT_ADS.CAMPAIGN
  
  UNION ALL
  
  SELECT 'custom_audience_history' AS table_name, COUNT(DISTINCT id) AS raw_count
  FROM RAW.REDDIT_ADS.CUSTOM_AUDIENCE_HISTORY
  
  UNION ALL
  
  SELECT 'geolocation' AS table_name, COUNT(DISTINCT id) AS raw_count
  FROM RAW.REDDIT_ADS.GEOLOCATION
  
  UNION ALL
  
  SELECT 'interest' AS table_name, COUNT(DISTINCT id) AS raw_count
  FROM RAW.REDDIT_ADS.INTEREST
  
  UNION ALL
  
  SELECT 'time_zone' AS table_name, COUNT(DISTINCT id) AS raw_count
  FROM RAW.REDDIT_ADS.TIME_ZONE
  
  -- Composite primary key tables
  UNION ALL
  
  SELECT 'ad_group' AS table_name, COUNT(DISTINCT CONCAT(account_id, '|', id)) AS raw_count
  FROM RAW.REDDIT_ADS.AD_GROUP
  
  UNION ALL
  
  SELECT 'targeting_community' AS table_name, COUNT(DISTINCT CONCAT(ad_group_id, '|', community_id)) AS raw_count
  FROM RAW.REDDIT_ADS.TARGETING_COMMUNITY
  
  UNION ALL
  
  SELECT 'targeting_custom_audience' AS table_name, COUNT(DISTINCT CONCAT(ad_group_id, '|', custom_audience_id)) AS raw_count
  FROM RAW.REDDIT_ADS.TARGETING_CUSTOM_AUDIENCE
  
  UNION ALL
  
  SELECT 'targeting_device' AS table_name, COUNT(DISTINCT _fivetran_id) AS raw_count
  FROM RAW.REDDIT_ADS.TARGETING_DEVICE
  
  UNION ALL
  
  SELECT 'targeting_geolocation' AS table_name, COUNT(DISTINCT CONCAT(ad_group_id, '|', geolocation_id)) AS raw_count
  FROM RAW.REDDIT_ADS.TARGETING_GEOLOCATION
  
  UNION ALL
  
  SELECT 'targeting_interest' AS table_name, COUNT(DISTINCT CONCAT(ad_group_id, '|', interest_id)) AS raw_count
  FROM RAW.REDDIT_ADS.TARGETING_INTEREST
),

workspace_counts AS (
  -- Workspace layer counts using primary keys from schema.yml
  SELECT 'ad' AS table_name, COUNT(DISTINCT ad_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_AD
  
  UNION ALL
  
  SELECT 'business_account' AS table_name, COUNT(DISTINCT business_account_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_BUSINESS_ACCOUNT
  
  UNION ALL
  
  SELECT 'campaign' AS table_name, COUNT(DISTINCT campaign_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_CAMPAIGN
  
  UNION ALL
  
  SELECT 'custom_audience_history' AS table_name, COUNT(DISTINCT custom_audience_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_CUSTOM_AUDIENCE_HISTORY
  
  UNION ALL
  
  SELECT 'geolocation' AS table_name, COUNT(DISTINCT geolocation_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_GEOLOCATION
  
  UNION ALL
  
  SELECT 'interest' AS table_name, COUNT(DISTINCT interest_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_INTEREST
  
  UNION ALL
  
  SELECT 'time_zone' AS table_name, COUNT(DISTINCT time_zone_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_TIME_ZONE
  
  -- Composite primary key tables
  UNION ALL
  
  SELECT 'ad_group' AS table_name, COUNT(DISTINCT CONCAT(ad_group_account_id, '|', ad_group_id)) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_AD_GROUP
  
  UNION ALL
  
  SELECT 'targeting_community' AS table_name, COUNT(DISTINCT CONCAT(targeting_community_ad_group_id, '|', targeting_community_id)) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_TARGETING_COMMUNITY
  
  UNION ALL
  
  SELECT 'targeting_custom_audience' AS table_name, COUNT(DISTINCT CONCAT(targeting_custom_audience_ad_group_id, '|', targeting_custom_audience_id)) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_TARGETING_CUSTOM_AUDIENCE
  
  UNION ALL
  
  SELECT 'targeting_device' AS table_name, COUNT(DISTINCT targeting_device_fivetran_id) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_TARGETING_DEVICE
  
  UNION ALL
  
  SELECT 'targeting_geolocation' AS table_name, COUNT(DISTINCT CONCAT(targeting_geolocation_ad_group_id, '|', targeting_geolocation_id)) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_TARGETING_GEOLOCATION
  
  UNION ALL
  
  SELECT 'targeting_interest' AS table_name, COUNT(DISTINCT CONCAT(targeting_interest_ad_group_id, '|', targeting_interest_id)) AS workspace_count
  FROM REDDIT_DBT_MODEL_GENERATION_PROD.WORKSPACE_MARKETING.WK_REDDIT_ADS_TARGETING_INTEREST
)

-- Final comparison with validation results
SELECT 
  r.table_name,
  r.raw_count,
  w.workspace_count,
  r.raw_count - w.workspace_count AS count_difference,
  CASE 
    WHEN r.raw_count = w.workspace_count THEN '✅ PASS'
    WHEN r.raw_count > w.workspace_count THEN '⚠️ RAW > WORKSPACE (Expected due to deduplication)'
    ELSE '❌ FAIL - WORKSPACE > RAW (Unexpected)'
  END AS validation_status,
  ROUND((w.workspace_count::FLOAT / r.raw_count::FLOAT) * 100, 2) AS data_retention_percentage
FROM raw_counts r
JOIN workspace_counts w ON r.table_name = w.table_name
ORDER BY r.table_name;

</details>

Running this query showed:

• Zero differences in row counts after deduplication
• 100% data retention across all tables
• All tests passed successfully

The bottom line: Massive time savings

• Traditional approach: 6-8 hours of manual coding, testing, and debugging

• GitLab Duo approach: 6-8 minutes of generation + review time

This represents a 60x improvement in developer efficiency (from 6-8 hours to 6-8 minutes), while maintaining high code quality.

Best practices for success

Based on this experience, here are key recommendations:

Prepare your metadata

• Extract complete table structures including data types and constraints.
• Identify primary keys and relationships upfront.
• Export clean, well-formatted CSV input files.

Note: By connecting GitLab Duo via MCP to your (meta)data, you could exclude this manual step.

Provide clear context

• Reference existing example MRs when possible.
• Specify your coding standards and style guides.
• Be explicit about folder structure and naming conventions.

Validate thoroughly

• Always create validation queries for data integrity.
• Test locally before merging.
• Run your CI/CD pipeline to catch any issues.

Leverage AI for follow-up tasks

• Generate test queries automatically.
• Create documentation templates.
• Build validation scripts.

What's next

This demonstration shows how AI-powered development tools like GitLab Duo are also transforming data engineering workflows. The ability to generate hundreds of lines of production-ready code in minutes — complete with tests, documentation, and proper structure — represents a fundamental shift in how we approach repetitive development tasks.

By leveraging AI to handle the repetitive aspects of dbt model creation, data engineers can focus on higher-value activities like data modeling strategy, performance optimization, and business logic implementation.

Ready to try this yourself? Start with a small dataset, prepare your metadata carefully, and watch as GitLab Duo transforms hours of work into minutes of automated generation.

Trial GitLab Duo Agent Platform today.

Read more

• GitLab 18.3: Expanding AI orchestration in software engineering
• GitLab Duo Agent Platform Public Beta: Next-gen AI orchestration and more

A milestone in collaboration

This collaboration combines GitLab's comprehensive, intelligent DevSecOps platform with Accenture's extensive expertise in digital transformation and implementation services, enabling organizations to build and deliver secure software at scale. The global reseller agreement provides a global framework that can be easily adapted to local conditions.

The collaboration will initially focus on several key areas:

1. Enterprise-scale DevSecOps Transformation: Helping organizations modernize their development practices and streamline their software delivery lifecycle
2. Mainframe Modernization: Assisting customers with migrating from legacy systems
3. GitLab Duo with Amazon Q: Offering AI-driven software development to organizations looking to accelerate development velocity while maintaining end-to-end security and compliance

Looking ahead

We’re looking forward to helping our joint customers accelerate innovation, streamline development processes, and strengthen their security posture to achieve their business objectives more effectively.

For more information about how GitLab and Accenture can help your organization, please visit our partner site or contact your Accenture or GitLab representative.

The problem: Polling in 2025

It's 2025, WebSockets are in and polling is out. Polling is more of a legacy method of getting "real-time" updates for software. It's time-driven, meaning clients make network calls to a server on an interval usually between 5 and 30 seconds. Even if the data hasn't changed, those network requests are made to try and get the most accurate data served to the client. WebSockets are event-driven, so you only make network requests to the server when the data has actually changed, i.e., a status in a database column changes from pending to running. Unlike traditional HTTP requests where the client repeatedly asks the server for updates (polling), WebSockets establish a persistent, two-way connection between the client and server. This means the server can instantly push updates to the client the moment something changes, eliminating unnecessary network traffic and reducing latency. For monitoring job statuses or real-time data, this is far more efficient than having clients poll the server every few seconds just to check if anything is different.

The transformation

Previously, the job header on the job log view was utilizing polling to get the most recent status for a single job. That component made a network request every 30 seconds no matter what to try and get the true state of the job.

Our metrics showed that:

• 547,145 network calls happened per 15 minutes
• 45,729,530 network calls happened per 24 hours Users experienced frustrating delays seeing status updates, and we were hammering our database.

Enter GraphQL subscriptions

In comes GraphQL subscriptions with WebSockets. GraphQL subscriptions are a feature that extends GraphQL beyond simple request-response queries and mutations, allowing clients to maintain a real-time connection to the server. While regular GraphQL queries fetch data once and return it, subscriptions let you say 'notify me whenever this specific data changes.' Under the hood, GraphQL subscriptions typically use WebSockets to maintain that persistent connection. Here's what we did:

1. First, we refactored the job header component to use GraphQL for its data
2. Then we implemented a GraphQL subscription to serve real-time updates with ActionCable (Rails' WebSocket framework).

The results

After this implementation, our users now get truly real-time accurate job status – updates appear instantly when jobs change state. The performance gains are remarkable:

• 92.56% reduction in API calls for this component
• Now averaging 39,670 network calls per 15 minutes (down from 547,145)
• Only 3,403,395 network calls per 24 hours (down from 45,729,530) We also monitored CPU utilization and operation rate per command over the last week and have not seen any significant increase on our services. Win-win for the software and the team.

What's next

This is just the beginning. We're working on making every CI status in the GitLab product real-time. Currently, many parts of GitLab's UI still rely on polling to check for updates. Our goal is to systematically replace these polling mechanisms with GraphQL subscriptions, giving users instant feedback across the entire CI/CD workflow. Want to see this capability in action? Check out any job log view and watch those status updates fly. Not a GitLab user yet? Try GitLab Ultimate with GitLab Duo Enterprise for free for 30 days.

The productivity impact is staggering. CI/CD pipelines grind to a halt waiting for repository clones. Infrastructure costs skyrocket as compute resources sit idle. Developer frustration mounts as context-switching becomes the norm.

But what if that 95-minute wait could be reduced to just 6 minutes? What if you could achieve a 93% reduction in clone times using proven techniques?

Enter Git Much Faster — a comprehensive benchmarking and optimization script that transforms how you work with large Git repositories. Built from real-world experience optimizing embedded development workflows, this script provides practical strategies delivering measurable performance improvements across standard git clones, optimized configurations, and Git's built-in Scalar tool.

You'll discover how to dramatically reduce git clone times using optimization strategies, explore real-world performance benchmarks from major repositories like the Linux kernel and Chromium, and understand how to implement these optimizations safely in both development and CI/CD environments.

Project overview: What is Git Much Faster?

Git Much Faster is a script I wrote as an enablement tool to allow you to benchmark multiple clone optimization approaches on the same client — whether that is a traditional developer workstation, CI, cloud-hosted development environments or specialized clones for GitOps. It also contains the curated configuration settings for the fastest clone optimization. You can use these settings as a starting point and adapt or remove configurations that create too lean of a clone for your client's intended use of the repository clone.

Git Much Faster addresses a fundamental challenge: Git's default clone behavior prioritizes safety over speed. While this works for small repositories, it becomes a significant bottleneck with large codebases, extensive binary assets, or complex monorepo structures.

The problem manifests across increasingly common scenarios. Embedded development teams inherit repositories filled with legacy firmware binaries, bootloaders, and vendor SDKs stored directly in version control. Web applications accumulate years of marketing assets and design files. Game development projects contain massive 3D models and audio files growing repository sizes into tens of gigabytes.

Enterprise CI/CD pipelines suffer particularly acute pain. Each job requires a fresh repository clone, and when operations take 20 to 90 minutes, entire development workflows grind to a halt. Infrastructure costs multiply as compute resources remain idle during lengthy clone operations.

Git Much Faster solves this through comprehensive benchmarking comparing four distinct strategies: standard git clone (baseline with full history), optimized git clone (custom configurations with compression disabled and sparse checkout), Git's Scalar clone (integrated partial cloning), and current directory assessment (analyzing existing repositories without re-cloning).

The tool provides measurable, repeatable benchmarking in controlled AWS environments, eliminating variables that make performance testing unreliable. The real power of Git Much Faster is to run all the benchmarks in whatever your target environment looks like — so if slow network connections are a reality for some developers, you can decipher the best clone optimization for their situation.

Technical deep dive: The optimization strategies

Understanding Git Much Faster's effectiveness requires examining specific configurations that address Git's performance bottlenecks through a layered approach tackling network transfer efficiency, CPU utilization, and storage patterns.

The most significant gains come from two key optimizations. The first, core.compression=0, eliminates CPU-intensive compression during network operations. CPU cycles spent compressing often exceed bandwidth savings on modern high-speed networks. This optimization alone reduces clone times by 40% to 60%.

The second major optimization, http.postBuffer=1024M, addresses Git's conservative HTTP buffer sizing. Large repositories benefit tremendously from increased buffer sizes, allowing Git to handle larger operations without breaking them into multiple requests, reducing protocol overhead.

Git Much Faster leverages shallow clones using --depth=1 (fetching only the latest commit) and partial clones with --filter=blob:none (deferring file content downloads until checkout). Shallow clones reduce data by 70%-90% for mature repositories, while partial clones prove particularly effective for repositories with large binary assets.

Sparse checkout provides surgical precision in controlling checked-out files. Git Much Faster implements comprehensive exclusion covering 30+ binary file types — images, documents, archives, media files, and executables — reducing working directory size by up to 78% while maintaining full source code access.

Git's Scalar tool, integrated into Git since Version 2.38, combines partial clone, sparse checkout, and background maintenance. However, benchmarking reveals Scalar doesn't implement the aggressive compression and buffer optimizations providing the most significant performance gains. Testing shows the custom optimized approach typically outperforms Scalar by 48%-67% while achieving similar disk space savings.

End-to-end load reduction

An interesting thing about optimizing the clone operation is that it also reduces complete system loading because you are reducing the size of your request. GitLab has a specialized, horizontal scaling layer known as Gitaly Cluster. When full history clones and large monorepos are the norm, the sizing of Gitaly Cluster is driven higher. This is because all git clone requests are serviced by a server-side binary to create “pack files” to be sent over the wire. Since these server-side git operations involve running compression utilities, it drives all three of memory, CPU, and I/O requirements at once.

When git clone operations are optimized to reduce the size of the total content ask, it reduces load on the end-to-end stack: Client, Network, Gitaly Service and Storage. All layers speed up and become cheaper at the same time.

Real-world performance results

Git Much Faster's effectiveness is demonstrated through rigorous benchmarking across diverse, real-world repositories using consistent AWS infrastructure with Arm instances and controlled network conditions.

Linux kernel repository (7.5GB total): Standard clone took 6 minutes 29 seconds. Optimized clone achieved 46.28 seconds — an 88.1% improvement, reducing the .git directory from 5.9GB to 284MB. Scalar took 2 minutes 21 seconds (63.7% improvement), completing 67.3% slower than the optimized approach.

Chromium repository (60.9GB total): Standard clone required 95 minutes 12 seconds. Optimized clone achieved 6 minutes 41 seconds — a dramatic 93% improvement, compressing the .git directory from 55.7GB to 850MB. Scalar took 13 minutes 3 seconds (86.3% improvement) but remained 48.8% slower than the optimized approach.

GitLab website repository (8.9GB total): Standard clone took 6 minutes 23 seconds. Optimized clone achieved 6.49 seconds — a remarkable 98.3% improvement, reducing the .git directory to 37MB. Scalar took 33.60 seconds (91.2% improvement) while remaining 80.7% slower.

The benchmarking reveals clear patterns: Larger repositories show more dramatic improvements, binary-heavy repositories benefit most from sparse checkout filtering, and the custom optimization approach consistently outperforms both standard Git and Scalar across all repository types.

Practical implementation guide

Implementation requires understanding when to apply each technique based on use case and risk tolerance. For development requiring full repository access, use standard Git cloning. For read-heavy workflows needing rapid access to current code, deploy optimized cloning. For CI/CD pipelines where speed is paramount, optimized cloning provides maximum benefit.

Getting started requires only simple download and execution:

curl -L https://gitlab.com/gitlab-accelerates-embedded/misc/git-much-faster/-/raw/master/git-much-faster.sh -o ./git-much-faster.sh

# For benchmarking
bash ./git-much-faster.sh --methods=optimized,standard --repo=https://github.com/your-org/your-repo.git

For production-grade testing, Git Much Faster project includes complete Terraform infrastructure for AWS deployment, eliminating variables that skew local testing results.

Optimized clones require careful consideration of limitations. Shallow clones prevent access to historical commits, limiting operations like git log across file history. For teams adopting optimizations it is best to create specific optimizations for high volume usage. For instance, developers can perform an optimized clone, and if and when needed, convert to full clones when needed via git fetch --unshallow. If a given CI job accesses commit history (e.g. using GitVersion), then you may need the full history, but not a checkout.

Use cases and industry applications

Embedded development presents unique challenges where projects historically stored compiled firmware and hardware design files directly in version control. These repositories often contain FPGA bitstreams, PCB layouts, and vendor SDK distributions ballooning sizes into tens of gigabytes. Build processes frequently require cloning dozens of external repositories, multiplying performance impact.

Enterprise monorepos encounter Git performance challenges as repositories grow encompassing multiple projects and accumulated historical data. Media and asset-heavy projects compound challenges, as mentioned above — web applications accumulate marketing assets over years, while game development faces severe challenges with 3D models and audio files pushing repositories beyond 100GB. More use cases can be found in the project.

CI/CD pipelines represent the most impactful application. Each container-based CI job requires a fresh repository clone, and when operations consume 20 to 90 minutes, entire development workflows become unviable.

Geographically spread out development teams may have team members whose network performance to their primary development workstation is extremely limited or varies dramatically. Optimizing the Git clone can help by reducing over the wire sizes dramatically.

Next steps

Git clone optimization represents a transformative opportunity delivering measurable improvements — up to 93% reduction in clone times and 98% reduction in disk space usage — that fundamentally change how teams interact with codebases.

The key insight is that Git's default conservative approach leaves substantial performance opportunities untapped. By understanding specific bottlenecks — network transfer inefficiency, CPU-intensive compression, unnecessary data downloads — teams can implement targeted optimizations delivering transformative results.

Ready to revolutionize your Git workflows?

Read the docs in the Git Much Faster repository and get started running benchmarks against your largest repositories. Begin with read-only optimization in CI/CD pipelines where benefits are immediate and risks minimal. As your team gains confidence, gradually expand optimization to development workflows based on measured results.

The future of Git performance optimization continues evolving, but fundamental principles — eliminating unnecessary work, optimizing for actual bottlenecks, measuring results rigorously — remain valuable regardless of future tooling evolution. Teams mastering these concepts today position themselves to leverage whatever improvements tomorrow's Git ecosystem provides.

Traditional security approaches that once worked in simpler retail environments now struggle to keep up. Security processes are often bolted on as an afterthought, slowing teams down and increasing risk. But it doesn’t have to be this way.

Modern platforms embed security throughout the development lifecycle, making protection a seamless part of the developer workflow, not a barrier to delivery. This approach turns security into a strategic advantage, enabling innovation without compromising resilience.

In this article, you'll discover how an integrated DevSecOps platform helps retail teams meet rising security demands without slowing down delivery or compromising customer experience.

Why retail security demands a different approach

In retail, security is about more than protecting data — it’s about protecting the customer experience that drives revenue. Any slowdown, outage, or vulnerability can lead to lost sales and broken trust. Retail platforms must stay online, meet compliance standards, and defend against nonstop attacks from the open internet. Unlike enterprise systems, they’re fully public-facing, with a much broader attack surface. Add in third-party integrations, APIs, and legacy systems, and it’s clear: traditional security approaches aren’t enough.

Adding to the complexity, retailers face a unique set of challenges that further increase their security risks, including:

Supply chain fragility and API sprawl

Shipping delays, global instability, and interconnected systems disrupt logistics. Nearly half of retailers report product availability issues, and 25% lack real-time inventory visibility, according to a 2024 Fluent Commerce survey. While AI-powered forecasting helps, insecure APIs and fragile integrations across the digital supply chain create attack vectors.

Legacy systems meet modern demands

Many retailers operate on monolithic, outdated systems that struggle to support mobile apps, IoT devices, and real-time analytics securely. Without secure, agile foundations, each new digital touchpoint becomes a potential vulnerability.

AI and compliance complexity

AI reshapes retail experiences through personalized recommendations and advanced customer tracking technologies like beacon sensors, facial recognition, and mobile app location services that monitor movement and behavior within physical stores. These AI-powered systems enhance both customer experiences and demand forecasting capabilities for retailers. However, GDPR (the European Union's General Data Protection Regulation) and similar global privacy laws require secure data handling and transparent AI logic. Security missteps can result in significant fines and lasting reputational damage.

Customer-facing automation risks

Self-checkouts, kiosks, and chatbots promise convenience and cost savings but often lack security hardening. These touchpoints become entry points for cyber attackers and enable traditional theft through weak fraud detection, limited monitoring, and easily manipulated systems that make shoplifting harder to detect.

Disparate threat surfaces

Retailers are in a unique position where they must secure across multiple vectors, often maintained by globally distributed teams (depending on the size of the organization). E-commerce platforms, mobile applications, point-of-sale (POS) systems, and in-store IoT devices all provide an entry point for threat actors with unique characteristics requiring different security solutions to ensure resiliency.

This creates a unique paradox: Retailers must innovate faster than ever while maintaining higher security standards than most industries, all while delivering seamless customer experiences across every channel.

Why traditional AppSec falls short in retail

Most retailers rely on disconnected security tools such as static application security testing (SAST) scanners, license checkers, and vulnerability assessments that work in isolation. This fragmented approach creates critical gaps:

• Limited lifecycle coverage: Tools focus on narrow development phases, missing supply chain and runtime risks.

• Integration challenges: Legacy system gaps and poor tool connectivity create security blind spots between teams and solutions.

• Manual processes: Security handoffs create bottlenecks, and issues are often discovered late, when they’re more costly to fix.

• Team silos: Security remains isolated from daily development workflows and separate from compliance and IT teams.

The path forward

In today’s fast-paced retail landscape, security can’t slow down innovation. Embedding it directly into the development lifecycle and bringing every team together on a single unified DevSecOps platform makes security a strategic advantage rather than a bottleneck.

A DevSecOps platform enables secure innovation at scale

GitLab provides the most comprehensive set of security scanners to maximize application coverage, including:

• SAST
• DAST
• Dependency scanning
• Container scanning
• Secret detection
• Infrastructure-as-code scanning
• Fuzz testing

But security isn’t just about scanning. It's about enforcing the right policies to ensure vulnerabilities are identified and remediated consistently. With GitLab, security teams get full control to ensure the right scan is run on the right application, at the right time, and that the findings are addressed before they reach production.

<center><i>Security scans run in the CI/CD pipeline, ensuring immediate feedback on potential vulnerabilities.</i></center> <p></p>

<center><i>Vulnerability Report shows all vulnerabilities for a specific project or group.</i></center>

One platform for Dev, Sec, and Ops

Retail teams waste countless hours switching between tools, manually transferring data, losing information between systems due to fragile integrations, and reconciling conflicting reports. A unified platform eliminates this friction:

• Single source of truth for source code, pipelines, vulnerabilities, and compliance
• No integration overhead or tool compatibility issues
• Consistent workflows across all teams and projects

The result? Teams spend time solving problems instead of managing tools.

<center><i>The compliance center is where you can enforce compliance frameworks for your projects.</i></center> <p></p>

<center><i>In the merge request, developers require approval if risks are detected before merging code, according to defined policies.</i></center>

Shared security responsibility, not silos

The most successful retail security programs make security everyone's responsibility, not just the security team's burden.

Developer empowerment

Security and compliance guidance appears directly in merge requests, making it impossible to miss critical issues. Developers get immediate feedback on each commit, with clear explanations of risks and remediation steps. For example, AI-powered vulnerability explanation and vulnerability resolution help developers understand and fix security issues independently, reducing bottlenecks and building security expertise across the team.

<center><i>Vulnerability page with a button for explaining or resolving issues with AI. Helps to bridge the knowledge gap with AI.</i></center>

<p></p>

Automated compliance

Generate audit reports, track license usage, and maintain a software bill of materials (SBOM) without manual effort.

<center><i>GitLab's automated dependency report provides a comprehensive SBOM, displaying all project dependencies with their vulnerability status, license details, and security findings for complete transparency and compliance.</i></center> <p></p>

This approach transforms security from a gate that slows delivery into a foundation that enables confident, rapid innovation.

Platform vs. point tools: What retailers need to know

The bottom line: Security excellence drives retail success

In retail, security isn't just about protecting data, it's about protecting the customer experience that drives revenue. When security slows down releases or creates vulnerabilities, it directly impacts sales. Your customers expect secure, seamless experiences every time.

GitLab's integrated DevSecOps platform helps retailers:

• Deploy faster without compromising security with automated scans that catch issues before customers do.
• Meet compliance requirements effortlessly through built-in reporting for GDPR, PCI-DSS, and industry standards.
• Significantly reduce security tool costs by replacing multiple point solutions with one platform.
• Turn developers into security advocates with guidance and automation, not roadblocks.

Take a tour of some of GitLab's security capabilities:

• Resolving vulnerabilities with GitLab Duo
• Adding scans to pipeline
• Compliance frameworks
• Advanced SAST

Ready to get started? Discover how GitLab Ultimate with Duo Enterprise can streamline your retail security strategy with a free trial.

"Issue to MR" is an agent Flow that streamlines turning a well-scoped issue into a draft merge request (MR). The Flow analyzes an issue’s description and requirements, opens a draft MR linked to the issue, creates a development plan, and proposes an implementation — right from the GitLab UI.

The developer challenge

Product tweaks such as rearranging a UI layout, adjusting component sizing, or making a minor workflow change shouldn't require hours of setup work. Yet developers find themselves caught in a frustrating cycle: hunting through codebases to locate the right files, creating branches, piecing together scattered changes across multiple components, and navigating complex review processes. And this is all before they can even see if their solution works. Development overhead transforms what should be quick iterations into time-consuming tasks, slowing down feedback loops and making simple product improvements feel like major undertakings.

How to use the Issue to MR Flow to accelerate an application update

You first need to fulfill these prerequisites before using the Issue to MR Flow.

Prerequisites:

• An existing issue with clear requirements and acceptance criteria. This will help GitLab Duo Agent Platform better understand what you're trying to achieve and improve the quality of your output.
• Project access at Developer or higher permissions as the Flow will be making edits to your project's source code.
• GitLab Duo Agent Platform enabled for your group or project, with Flows allowed. For this, go to your project’s Settings > General > GitLab Duo > Allow flow execution toggle and enable it. GitLab is committed to helping provide guardrails, so agentic AI features require turning on these toggles to protect sensitive projects and ensure only the projects you want are accessible to GitLab Duo Agent Platform.

Once you have fulfilled all the prerequisites above, you can follow these steps to take advantage of the Issue to MR Flow:

1. Create a project issue that describes what you’d like GitLab Duo Agent Platform to accomplish for you. Provide as much detail as possible in the issue description. If the issue already exists, open it by going to Plan > Issues and clicking on the issue describing the update you want. Keep the issue well-scoped and specific.

2. Below the issue header, click on Generate MR with Duo to kick off the Flow.

3. If you’d like to track the progress of the agents working on implementing your issue, go to Automate > Agent sessions to see the live session log as agents plan and propose changes.

4. When the pipeline completes, a link to the MR appears in the issue’s activity. Open it to review the summary and file-level changes.

5. If you’d like to validate the proposed updates by GitLab Duo Agent Platform locally, you can pull the branch on your laptop, build and run your app, and verify that the update behaves as expected. If needed, make edits in the MR and proceed with normal review.

6. If you’re happy with all the proposed application updates, merge the MR to the main branch.

Why the Issue to MR Flow works well for application changes

The Issue to MR Flow proposes code changes and updates the MR directly, so you spend less time locating files and only have to evaluate and review the result. In addition, the MR is automatically linked to the originating issue, keeping context tight for reviewers and stakeholders. Finally, you can monitor the agent session to understand what’s happening at each step.

Benefits of GitLab Duo Agent Platform

GitLab Duo Agent Platform is an agentic orchestration layer that brings full project context, including planning to coding, building, securing, deploying, and monitoring, so agents can help across the entire software development lifecycle (SDLC), not just code editing.

• Unified data model: GitLab Duo Agents operate on GitLab’s unified SDLC data, enabling higher-quality decisions and collaboration across tasks — including non-coding ones.

• Security and compliance are built-in: GitLab Duo Agents run within enterprise guardrails and are usable even in highly-regulated or offline/air-gapped environments.

• Interoperability and extensibility: Orchestrate flows across vendors and tools; connect external data via MCP/A2A for richer context.

• Scale collaboration: GitLab Duo Agents work in the GitLab UI and IDEs, enabling many-to-many human-agent collaboration.

• Discoverable and shareable: Find and share agents and Flows in a centralized AI Catalog.

Try the Issue to MR Flow today

For application updates, like a modest UI adjustment, the Issue to MR Flow helps you move from a clear issue to a reviewable MR quickly, with progress you can monitor and changes you can validate and merge through your standard workflow. It keeps context, reduces handoffs, and lets your team focus on quality rather than busywork.

Watch the Issue to MR Flow in action:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/BrrMHN4gXF4?si=J7beTgWOLxvS4hOw" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Try the Issue to MR Flow on GitLab Duo Agent Platform now with a free trial of GitLab Ultimate with Duo Enterprise.

As part of our commitment to responsible AI management, we're excited to announce that GitLab has achieved the ISO/IEC 42001 certification, the first internationally recognized standard for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.

The scope of the certification includes our comprehensive AI offering, GitLab Duo, as well as GitLab Duo Agent Platform and its components. As a leader in DevSecOps, GitLab provides AI-powered features across the development lifecycle, including capabilities such as:

• GitLab Duo Agent Platform (now in public beta, general availability planned for later this year): Enables asynchronous collaboration between developers and specialized AI agents throughout the software development lifecycle, helping transform linear development processes into dynamic, parallel workflows while providing agents with access to all of the software engineering context stored within GitLab's unified platform.

• Code Suggestions (generally available): Allows developers to stay in flow by predictively completing code blocks, defining function logic, generating tests, and proposing common code like regex patterns, all in the same environment where they already code.

• Vulnerability Explanation (generally available): Helps developers and security analysts understand vulnerabilities, how they might be exploited, and how to fix them.

• Test Generation (generally available): Creates tests automatically for selected code, improving coverage and reducing manual effort.

What this certification means for GitLab users

Enhanced trust and transparency: Our AI features are built and managed according to globally recognized best standards for AI governance, supporting reliability and ethical implementation.

Strategic risk management: We've implemented risk assessment and risk treatment strategies for AI components within our platform, considering aspects such as operational business continuity risks, technical risks, security and privacy risks, and broader societal implications. This proactive approach enhances customer data protection and facilitates more reliable AI-powered features.

Continuous improvement: Under the ISO/IEC 42001 framework, we will work to continuously evaluate and enhance our AI capabilities through annual external surveillance audits, regular internal assessments, and leadership AIMS review while maintaining standards of quality and responsibility.

Regulatory alignment: As AI regulations continue to evolve globally, like the EU AI Act, this certification supports GitLab's alignment with emerging regulatory requirements.

This achievement validates GitLab's position as the trusted platform for AI-powered DevSecOps, and we are excited to continue leading the way in responsible AI innovation.

Learn more

• View the ISO/IEC 42001 certificate at the GitLab Trust Center.
• Read about our AIMS in our handbook.
• Check out the GitLab AI Transparency Center.
• Explore all GitLab Duo features and capabilities in our documentation.

GitLab's appeal to Rust developers extends beyond simple code hosting. The platform offers robust CI/CD capabilities that align perfectly with Rust's emphasis on safety, performance, and reliability. GitLab makes it easy to create repositories and use off-the-shelf Docker containers to put together custom CI jobs. Developers can easily set up automated testing, cross-platform builds, and documentation generation. The platform's integrated approach to DevSecOps resonates with Rust's philosophy of providing comprehensive tooling out of the box.

About the demo application

Being interested in how mortgage rates affect monthly payments and how hard it is to to afford a house in the current times, I decided to write a mortgage calculator in Rust, which I will use as an example throughout this tutorial. Feel free to import this project and follow along.

The mortgage calculator will help users calculate monthly mortgage payments, including principal, interest, property taxes, insurance, PMI, and HOA fees. It provides a modern, intuitive GUI using the egui framework, as well as a CLI for running it in the terminal.

This application contains a .gitlab-ci.yml that generates a pipeline, which will build, test, package, scan, and deploy the software. We will go over this pipeline definition in detail in the sections below.

Building and testing Rust applications

GitLab's Docker-based CI/CD system excels at Rust development workflows, providing a robust foundation for compilation, testing, and code quality checks. The platform's caching mechanisms are particularly valuable for Rust projects, which can have lengthy compilation times due to the language's thorough optimization and safety checking processes.

Building

Rust's excellent cross-compilation capabilities combined with GitLab's flexible CI/CD system create a powerful solution for building applications across multiple platforms. This is particularly valuable for Rust applications that need to run on various operating systems and architectures without sacrificing performance or requiring platform-specific code.

Note: You can learn more about the .gitlab-ci.yml by reading the CI/CD YAML syntax reference.

# Cache configuration to speed up builds by reusing dependencies
cache:
  key: $CI_COMMIT_REF_SLUG                               # Use branch name as cache key
  paths:
    - .cargo/                                            # Cache Cargo registry and git dependencies
    - target/                                            # Cache compiled artifacts

# Base template for Rust jobs - shared configuration
.rust-template:
  image: rust:$RUST_VERSION-slim                         # Use slim Rust image for faster downloads
  before_script:
    # Install system dependencies required for building the Rust application
    - apt-get update && apt-get install -y pkg-config libssl-dev libgtk-3-dev libxcb-shape0-dev libxcb-xfixes0-dev

# Template for cross-compilation build jobs
.build-template:
  extends: .rust-template                                # Inherit from rust-template
  stage: build                                           # Execute during build stage
  script:
    - rustup target add $TARGET                          # Add the target platform for cross-compilation
    - cargo build --release --target $TARGET             # Build optimized release binary for target platform

# Build for Linux x86_64 (primary target platform)
build-linux:
  extends: .build-template                               # Use build template configuration
  variables:
    TARGET: x86_64-unknown-linux-gnu                     # Linux 64-bit target
  artifacts:
    paths:
      - target/$TARGET/release/mortgage-calculator       # Save the compiled binary
    expire_in: 1 week                                    # Keep artifacts for 1 week
  allow_failure: false                                   # This build must succeed

# Build for Windows x86_64 (cross-compilation)
build-windows:
  extends: .build-template                               # Use build template configuration
  variables:
    TARGET: x86_64-pc-windows-gnu                        # Windows 64-bit target
  artifacts:
    paths:
      - target/$TARGET/release/mortgage-calculator       # Save the compiled binary
    expire_in: 1 week                                    # Keep artifacts for 1 week
  allow_failure: true                                    # Allow this build to fail (cross-compilation can be tricky)

# Build for macOS x86_64 (cross-compilation)
build-macos:
  extends: .build-template                               # Use build template configuration
  variables:
    TARGET: x86_64-apple-darwin                          # macOS 64-bit target
  artifacts:
    paths:
      - target/$TARGET/release/mortgage-calculator       # Save the compiled binary
    expire_in: 1 week                                    # Keep artifacts for 1 week
  allow_failure: true                                    # Allow this build to fail (cross-compilation can be tricky)

This GitLab CI configuration defines three build jobs that cross-compile a Rust mortgage calculator application for different platforms:

• build-linux creates a Linux x86_64 binary (required to pass)
• build-windows creates Windows binaries (allowed to fail)
• build-macos creates macOS x86_64 binaries (allowed to fail)

All builds use shared templates for dependency caching and consistent build environments.

Testing

GitLab CI/CD streamlines code testing through its integrated pipeline system that automatically triggers test suites whenever code is pushed to the repository. Developers can define multiple types of tests — unit tests, integration tests, linting, and formatting checks — all within a single .gitlab-ci.yml configuration file, with each test running in isolated Docker containers to ensure consistent environments.

# Run unit tests
test:unit:
  extends: .rust-template                                # Use Rust template configuration
  stage: test                                            # Execute during test stage
  script:
    - cargo test --verbose                               # Run all unit tests with verbose output

# Run integration tests using the compiled binary
test:integration:
  extends: .rust-template                                # Use Rust template configuration
  stage: test                                            # Execute during test stage
  script:
    # Test the compiled binary with sample inputs and verify expected output
    - target/x86_64-unknown-linux-gnu/release/mortgage-calculator --cli calculate --property-value 350000 --down-payment 70000 --interest-rate 5.0 | grep -q "TOTAL MONTHLY PAYMENT"
  needs:
    - build-linux                                        # Depends on Linux build job completing

# Run Clippy linter for code quality checks
test:clippy:
  extends: .rust-template                                # Use Rust template configuration
  stage: test                                            # Execute during test stage
  script:
    - rustup component add clippy                        # Install Clippy linter
    - cargo clippy -- -D warnings                       # Run Clippy and treat warnings as errors
  allow_failure: true                                    # Allow linting failures (can be improved over time)

# Check code formatting
test:format:
  extends: .rust-template                                # Use Rust template configuration
  stage: test                                            # Execute during test stage
  script:
    - rustup component add rustfmt                       # Install Rust formatter
    - cargo fmt -- --check                              # Check if code is properly formatted
  allow_failure: true                                    # Allow formatting failures (can be improved over time)

This GitLab CI configuration creates four test jobs that validate a Rust mortgage calculator application:

• test:unit runs unit tests
• test:integration executes the compiled Linux binary with sample inputs to verify functionality
• test:clippy performs code quality linting (allowed to fail)
• test:format checks code formatting compliance (allowed to fail)

Package and Container Registries

GitLab's Package Registry provides a secure solution to the common challenge of sharing internal libraries and proprietary code within organizations. This capability is essential for enterprises and teams that need to maintain artifacts while leveraging the broader Rust ecosystem.

The registry supports generic artifacts with fine-grained access controls that align with GitLab's project permissions. This means teams can share libraries securely across projects while maintaining intellectual property protection and compliance requirements.

Additonally, we can containerize our application and store the container images in GitLab's built-in Container Registry.

Publishing to GitLab Package Registry

This section of our .gitlab-ci.yml demonstrates how to package and publish Rust applications as tar archives to GitLab's generic package registry using CI/CD automation.

# Package application as tar archive
package:tar:
  image: alpine/curl:8.12.1                             # Lightweight image with curl for uploading
  stage: package                                         # Execute during package stage
  variables:
    PACKAGE_NAME: mortgage-calculator.tar.gz             # Name of the archive file
  script:
    # Create tar archive of the Linux binary
    - tar -czvf $PACKAGE_NAME target/x86_64-unknown-linux-gnu/release/mortgage-calculator
    # Upload archive to GitLab Package Registry using API
    - |
      curl -v --location --header "JOB-TOKEN: $CI_JOB_TOKEN" \
      --upload-file $PACKAGE_NAME \
      "$CI_API_V4_URL/projects/$CI_PROJECT_ID/packages/generic/tar/$CI_COMMIT_BRANCH/$PACKAGE_NAME"
  artifacts:
    paths:
      - target/x86_64-unknown-linux-gnu/release/mortgage-calculator  # Save binary
      - mortgage-calculator.tar.gz                      # Save archive
    expire_in: 1 week                                    # Keep artifacts for 1 week
  needs:
    - build-linux                                        # Depends on Linux build completing

This GitLab CI configuration defines one packaging job package:tar that creates a compressed tar archive of the Linux mortgage calculator binary and uploads it to GitLab's Package Registry, while also saving both the binary and archive as pipeline artifacts.

Publishing to GitLab Container Registry

The below shows the process of building Dockerfiles and publishing Docker images to GitLab's Container Registry with proper tagging and authentication.

# Package application as Docker image
package:docker:
  image: docker:24.0                                     # Use Docker image for building containers
  stage: package                                         # Execute during package stage
  services:
    - docker:24.0-dind                                   # Docker-in-Docker service for building images
  before_script:
    # Login to GitLab Container Registry
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG .  # Build Docker image with commit SHA tag
    - docker tag $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG $DOCKER_IMAGE_NAME:latest  # Also tag as latest
    - docker push $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG  # Push tagged image to registry
    - docker push $DOCKER_IMAGE_NAME:latest             # Push latest image to registry

This GitLab CI configuration defines one Docker packaging job package:docker that builds a Docker image of the mortgage calculator application, tags it with both the commit SHA and "latest," and then pushes both tagged versions to GitLab's Container Registry.

Security scanning

GitLab security scanning provides comprehensive protection that goes beyond Rust's built-in memory safety guarantees. While Rust prevents many common security vulnerabilities at compile time, applications still need protection against dependency vulnerabilities, unsafe code blocks, and logical security issues.

The platform's Static Application Security Testing (SAST) integrates seamlessly with Rust's toolchain, providing automated security analysis as part of the CI/CD pipeline This proactive approach catches security issues before they reach production, supporting both compliance requirements and secure development practices.

GitLab's comprehensive security features including SAST, dependency scanning, secret detection and more can easily be implemented via templates, as seen below. Note: Additional configuration is required to enable SAST for Rust.

# Include GitLab's security scanning templates for DevSecOps
include:
  - template: Jobs/SAST.gitlab-ci.yml                    # Static Application Security Testing
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml  # Scan dependencies for vulnerabilities
  - template: Jobs/Container-Scanning.gitlab-ci.yml      # Scan Docker containers for vulnerabilities
  - template: Jobs/SAST-IaC.gitlab-ci.yml               # Infrastructure as Code security scanning
  - template: Jobs/Secret-Detection.gitlab-ci.yml        # Detect secrets in source code

Security scanners can be configured similar to how you would configure any GitLab job:

# Configure Semgrep SAST scanning for Rust files
semgrep-sast:
  rules:
    - if: $CI_COMMIT_BRANCH                              # Run on any branch
      exists:
        - "**/*.rs"                                      # Only if Rust files exist
  variables:
    SAST_EXCLUDED_PATHS: ".cargo/**"                     # Exclude Cargo cache from scanning

# Scan Docker container for security vulnerabilities
container_scanning:
  stage: container-security                              # Execute during container-security stage
  variables:
    CS_IMAGE: $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG      # Image to scan
    CS_DOCKERFILE_PATH: Dockerfile                       # Path to Dockerfile for context
  needs:
    - package:docker                                     # Depends on Docker image being built

When vulnerabilites are detected in a merge request (MR), you can see all the vulnerabilites detected and use the provided information to either resolve or dismiss vulnerabilities.

You also can add Security Policies to require approval before vulnerable code can be merged, or to force scanners to run regardless of what is in the .gitlab-ci.yml.

You can triage all the vulnerabilities found in your default branch by using the Vulnerability Report:

Documentation with GitLab Pages

GitLab Pages provides an excellent platform for hosting Rust documentation, integrating seamlessly with Cargo's built-in documentation generation. This creates a powerful workflow where API documentation, project guides, and examples are automatically generated and deployed with every code change.

The combination of cargo doc and GitLab Pages enables teams to maintain up-to-date documentation without manual intervention, ensuring that documentation stays synchronized with code changes. This is particularly valuable for Rust projects where comprehensive documentation is essential to understand complex APIs and safety contracts.

Automated documentation deployment

The following code shows the CI/CD configuration for automatically generating and deploying Rust documentation using cargo doc and GitLab Pages.

# Generate and publish documentation using GitLab Pages
build-documentation:
  extends: .rust-template                                # Use Rust template configuration
  stage: build                                           # Execute during build stage
  variables:
    GIT_SUBMODULE_STRATEGY: recursive                    # Clone submodules recursively if needed
  pages: true                                            # Enable GitLab Pages deployment
  script:
    - cargo doc --no-deps                                # Generate documentation without dependencies
    - mv target/doc public                               # Move docs to public directory for Pages
  artifacts:
    paths:
      - public                                           # GitLab Pages serves from public directory
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH     # Only run on default branch (main/master)
  environment:
    name: documentation                                  # Environment name for tracking
    url: $CI_PAGES_URL/mortgage_calculator/index.html   # Documentation URL
  allow_failure: true                                    # Allow documentation build to fail

Once the job is complete, you can see the deployed documentation by visiting the GitLab Environment it has been deployed to.

This allows you to manage multiple versions of the documentation in different envrionments. The documentation will be deployed consistent with the cargo doc output:

Deploy anywhere

One of GitLab's greatest strengths is its infrastructure-agnostic approach to deployment. Whether your organization runs on traditional on-premises servers, modern cloud platforms, hybrid environments, or edge computing infrastructure, GitLab's CI/CD system can deploy Rust applications seamlessly across any target environment.

GitLab's deployment flexibility stems from its container-first approach and extensive integration ecosystem. The platform supports deployment to virtually any infrastructure that can run containers, virtual machines, or bare-metal applications. This versatility is particularly valuable for Rust applications, which often need to run in diverse environments ranging from resource-constrained embedded systems to high-performance cloud clusters.

Kubernetes deployment

GitLab simplifies Kubernetes deployments by providing built-in cluster integration and pre-configured Docker images that include essential tools like Helm and kubectl, eliminating the need for developers to set up complex deployment environments.

# Deploy application to Kubernetes cluster
deploy:kubernetes:
  stage: deploy                                          # Execute during deploy stage
  image: registry.gitlab.com/gitlab-org/cluster-integration/helm-install-image:helm-3.10.0-kube-1.24.6-alpine-3.15  # Image with Helm and kubectl
  variables:
    HELM_HOST: "localhost:44134"                         # Helm host configuration
    HELM_DEPLOY_NAME: mortgage-calc-$CI_COMMIT_REF_NAME  # Deployment name based on branch
    HELM_DEPLOY_NAMESPACE: calc-app                      # Kubernetes namespace for deployment
    KUBE_CONTEXT: $CI_PROJECT_PATH:rust-mortgage-calculator  # Kubernetes context to use
  script:
    - kubectl config use-context $KUBE_CONTEXT          # Set the kubectl context
    # Deploy using Helm with custom values and Docker image
    - helm upgrade --install $HELM_DEPLOY_NAME chart -f chart/values.yaml
      --namespace $HELM_DEPLOY_NAMESPACE
      --create-namespace
      --set image=$DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG
      --set calc.name=$HELM_DEPLOY_NAME 
  needs:
    - package:docker                                     # Depends on Docker image being available

This GitLab CI configuration defines one deployment job deploy:kubernetes that uses Helm to deploy the mortgage calculator application to a Kubernetes cluster, creating or upgrading the deployment in a dedicated namespace while using the Docker image built in the previous packaging stage.

GitLab Duo AI features

GitLab Duo AI features provide significant advantages for Rust development by offering intelligent code suggestions and explanations specifically tailored to the language's unique syntax and patterns.

The GitLab platform supports Rust as one of its directly-supported languages for every IDE, ensuring high-quality code completion and generation that understands Rust's ownership model, memory safety principles, and idiomatic patterns.

GitLab Duo Code Suggestions

GitLab Duo's ability to provide contextual code suggestions while typing helps developers navigate Rust's sometimes complex syntax more efficiently, reducing the learning curve for newcomers and accelerating productivity for experienced developers.

GitLab Duo Chat

GitLab Duo Chat complements the code suggestions by offering conversational assistance for explaining Rust code sections, debugging compiler errors, and providing guidance on best practices. This is particularly valuable in Rust development where compiler error messages, while helpful, can sometimes be overwhelming for developers transitioning from other languages. The AI can help interpret Rust's detailed error messages and suggest fixes, making the development process more efficient by reducing the time spent deciphering compilation issues.

GitLab Duo Chat can also be used directly from Vulnerability Report to explain a vulnerability. GitLab Duo Vulnerability Explanation represents a significant advancement in making application security more accessible and actionable for development teams. Rather than simply flagging potential issues with cryptic error codes. or technical jargon, AI breaks down each vulnerability's nature, potential impact, and remediation steps in terms that developers at all skill levels can quickly grasp. This democratization of security knowledge accelerates the remediation process, reduces the back-and-forth between security and development teams, and ultimately helps organizations ship more secure code faster:

<p></p>

<p></p>

<p></p>

<p></p>

GitLab Duo also provides Agentic Chat, which serves as an intelligent development companion for Rust applications, offering context-aware assistance throughout the entire development lifecycle. Developers can leverage its conversational interface to generate Rust code snippets, scaffold new Rust projects with appropriate Cargo.toml configurations, and much more.

GitLab Duo Vulnerability Resolution

GitLab Duo Vulnerability Resolution uses AI to automatically generate specific code fixes for detected security issues, dramatically reducing remediation time from hours to minutes. AI analyzes vulnerable code patterns and proposes precise patches tailored to the project's context, language, and dependencies while maintaining code functionality and style consistency. This automation is particularly effective for common vulnerabilities like SQL injection and cross-site scripting, enabling development teams to maintain velocity while significantly improving their security posture without disrupting the development workflow.

<p></p>

<p></p>

GitLab Duo Code Review

GitLab Duo's AI-powered code review enhances the development process by providing intelligent, automated feedback on MRs before human reviewers engage. AI analyzes code changes for potential bugs, security vulnerabilities, performance issues, and adherence to coding standards, offering contextual suggestions and explanations that help developers catch issues early. By augmenting traditional peer reviews with consistent, immediate AI insights, this feature reduces the burden on senior developers, accelerates the review cycle, and ensures that basic quality checks are consistently applied across all code contributions, ultimately improving code quality while allowing human reviewers to focus on higher-level architectural and business logic concerns.

<p></p>

<p></p>

These are just some of the AI feautures that can be used to allow you to ship more secure Rust software faster than ever. To learn about all the GitLab AI features provided, visit the GitLab Duo solution page.

The GitLab advantage for Rust

GitLab provides a complete development platform that matches Rust's comprehensive approach:

Integrated Workflow:

• Single Platform: Code, CI/CD, security, and deployment in one place
• Rust-optimized: Docker-based builds perfect for Rust's toolchain
• Security First: Built-in security scanning
• Enterprise-ready: Scalable infrastructure for large teams

Performance Benefits:

• Efficient Caching: Speeds up Rust's longer compilation times
• Parallel Builds: Maximizes GitLab Runner efficiency
• Artifact Management: Streamlined binary distribution

Developer Experience:

• Familiar Tools: Leverage standard Rust tooling (Cargo, Clippy, rustfmt)
• Visual Feedback: Comprehensive dashboards and reporting
• Automation: Reduces manual deployment and testing overhead
• GitLab Duo AI: Ship more secure software faster with AI throughout the entire software development lifecycle

GitLab's platform capabilities perfectly complement Rust's strengths, creating an ecosystem where safety, performance, and developer productivity converge. Rust applications on GitLab represent the cutting edge of software development—powered by a platform that understands and enhances the Rust development experience.

To learn more about the benefits of GitLab, sign up for a free trial of GitLab Ultimate with Duo Enterprise.

Last month, we announced GitLab 18.3, the latest release of our AI-native DevSecOps platform. Agent Insights, part of GitLab Duo Agent Platform, provides visibility into agent decision-making processes. Expanded AI model support means no vendor lock-in. Enhanced governance controls help enable compliance across multiple jurisdictions.

These aren't just features. They're demonstrations of the transparency, independence, and developer-first approach that defines GitLab. Here's how this strategy translates into practice.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1115249475?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Who is GitLab_Robin_090225_FINAL"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

AI transparency across the DevSecOps lifecycle

At GitLab, our decade-long commitment to transparency directly addresses these concerns. As artificial intelligence becomes increasingly integrated into development workflows, organizations are rightfully concerned about how their code and data are being used for AI training.

The GitLab AI Transparency Center, launched in April 2024, provides clear documentation of our data governance practices, privacy protections, and ethical AI principles. Unlike platforms that may operate AI features with unclear data usage policies, GitLab prioritizes transparency so that customers can understand exactly how their data is processed, stored, and protected — with no training on that data.

Our approach extends to model flexibility and vendor independence. While some platforms lock customers into single, large language model (LLM) providers, creating additional vendor dependencies and potential single points of failure, GitLab's AI features are powered by a variety of models. This approach enables us to support a wide range of use cases, providing customers with the flexibility to align with their strategic priorities.

As we further develop GitLab Duo Agent Platform, we remain focused on data control and maintaining comprehensive human-in-the-loop controls. And GitLab Duo Self-Hosted provides complete data sovereignty with air-gapped deployment options, zero-day data retention policies, and the ability to process all AI requests within your own infrastructure.

Since May 2024, we've also maintained an AI continuity plan with an industry-leading commitment: the ability to evaluate and move to a new model within 30 days if a provider changes its practices regarding customer data. This proactive approach to AI vendor risk management reflects our dedication to customer control.

Choice in deployment, choice in cloud provider

You should be able to choose how and where to deploy your DevSecOps environment. GitLab provides genuine deployment flexibility. Organizations can choose from on-premises installations, multi-tenant SaaS, or GitLab Dedicated, our fully managed single-tenant SaaS solution, without sacrificing functionality or facing artificial restrictions designed to drive ecosystem lock-in. GitLab is also cloud-neutral, allowing customers to use the cloud provider that best suits their business needs and environment.

This flexibility proves invaluable when navigating complex jurisdictional requirements and regulatory challenges. When new data localization laws emerge — as we've seen across the European Union and other regions — organizations using GitLab can rapidly adapt their deployment strategies without being constrained by ecosystem dependencies.

From a procurement and risk management perspective, platform independence also provides crucial leverage in contract negotiations. Organizations aren't forced into restrictive licensing agreements that prioritize vendor interests over customer needs. This independence becomes particularly critical as enterprises become more vigilant about who controls their AI stack.

Security and compliance: Built-in and always a priority

Security and compliance are now equally important to development features and should be built into the platform, not retrofitted as an afterthought. GitLab's single platform approach provides significant advantages over fragmented platforms that rely on third-party add-ins to match basic security and governance features. This architectural difference has significant implications for possible legal risk, operational efficiency, and regulatory compliance. Each additional tool in the chain represents another potential point of failure, another set of terms and conditions to negotiate, and another source of risk.

GitLab provides comprehensive built-in security and compliance capabilities, including custom compliance frameworks, dynamic application security testing (DAST), API fuzz testing, coverage-guided fuzzing, and infrastructure-as-code testing. These capabilities are natively integrated into the platform, offering consistent policy enforcement and reducing the compliance complexity and additional costs that come with managing multiple third-party tools.

Our compliance center provides a central location for teams to manage their compliance standards, adherence reporting, violations reporting, and compliance frameworks for their group. This unified approach to compliance management is particularly valuable for organizations operating in highly-regulated industries where audit trails and compliance documentation are critical.

Staying close to our open source community

The best tools are shaped by the people who use them. Our commitment to open source and engagement with our community has been core to GitLab since our founding. For instance, our Co-Create program is a collaborative initiative that enables customers to work directly with GitLab engineers to contribute features, fixes, and enhancements to the GitLab platform.

Our transparency value remains fundamental to our business. An example of this is our open issue tracker, where customers can follow our progress and engage directly with the GitLab team in discussions about ways we can improve our product. We recently launched our Healthy Backlog Initiative to give customers even greater visibility into our planning and direct their feedback to places with the greatest impact.

Our approach enables organizations to contribute to and benefit from open source innovation while maintaining the governance, audit trails, and security controls required for regulated environments.

Data governance: Your data, your control

You maintain complete control over your data and how it's processed. Data governance has become an increasingly critical factor in enterprise technology decisions, driven by a complex web of national and regional data protection laws and growing concern about control over sensitive intellectual property — like source code, customer insights, strategic initiatives, and competitive intelligence.

With GitLab, you can manage who has access to AI-powered capabilities within the platform, extending beyond simple access controls to encompass encryption standards and audit capabilities aligned to regulatory frameworks. Also, customers' code and data are never used to train AI models.

The choice is clear

GitLab continues to lead in AI-native DevSecOps platform innovation – our recent 18.3 release demonstrates this – while staying true to the independence and transparency commitments that have always guided us.

Customers have a choice and it's clear: retaining control vs. vendor lock-in; transparency vs. uncertainty; dedication to innovation vs. whims of the larger ecosystem.

GitLab provides the foundation for sustainable digital transformation that balances innovation with independence, helping you achieve business value for your customers.

Try GitLab Ultimate with GitLab Duo for free today.

This capability allows maintainers to implement granular permissions that control job token access to API resources. Following the principle of least privilege, these job tokens have no ability to access any API resources until you explicitly grant them permissions.

This initial release includes fine-grained permissions for the following resources:

• Repositories
• Deployments
• Environments
• Jobs
• Packages
• Pipelines
• Releases
• Secure Files
• Terraform State

Additional API endpoints are planned for future releases. For more information, see the associated epic.

The bigger picture

This release represents a critical step in GitLab's broader mission to improve your software supply chain security. Historically, job tokens have been bound to the user running the pipeline, inheriting their privileges and creating security risks if pipelines are compromised.

Fine-grained permissions for job tokens provide a foundation for a more secure CI/CD ecosystem that:

• Reduces attack surface: Implements the principle of least privilege by limiting access to only necessary resources
• Eliminates dependency on long-lived tokens: Provides a secure alternative that reduces the need for personal access tokens and other persistent credentials
• Prepares for machine-based identity: This opt-in approach lays the groundwork for eventually decoupling job tokens from user identities entirely, moving toward true machine-to-machine authentication
• Enables secure automation at scale: Supports complex deployment workflows and CI/CD components without compromising security

Getting started

Security teams and DevOps engineers should evaluate this feature for any projects running automated deployments, package publishing, or infrastructure management. Since this is an opt-in capability, you can migrate gradually to minimize disruption to your existing pipelines.

Start by identifying your most critical pipelines and auditing their current permission requirements. Then enable fine-grained permissions and configure the minimal access needed for each project. For more information, see the documentation on fine-grained permissions for CI/CD job tokens.

These granular admin permissions allow organizations to create purpose-built administrative roles instead of granting complete administrator access to users. Potential use cases include:

• Platform Team: Access to runner management, instance monitoring, and performance metrics
• Support Team: Access to user management and troubleshooting workflows
• Leadership Team: Access to dashboards, usage statistics, and licensing

Features

• Granular permissions: Custom permissions let you build a role that fits your needs.
• Instance-level management: Custom admin roles are created and managed centrally.
• LDAP integration: Support for mapping large user sets to roles through directory servers.
• Audit integration: Works with existing Admin mode and audit events.

Mission: Improve software supply chain security

This feature represents a critical step in GitLab's broader mission to improve your software supply chain security. As part of this mission, GitLab has also added custom roles for projects and groups and granular permissions for CI/CD job tokens.

For more information on custom admin roles, see custom roles. Additional permissions are planned for future releases. To share feedback, see the custom roles issue.

If that sounds familiar, you’re definitely not alone. So many teams waste time and energy flipping through various items in their project management software, just trying to get a handle on their work.

That's why we created embedded views, powered by GitLab Query Language (GLQL). With embedded views, available in 18.3, you get live, relevant information right where you’re already working in GitLab. No more endless context switching. No more outdated reports. Just the info you need, right when you need it.

Why embedded views matter

Embedded views are more than just a new feature, they're a fundamental shift in how teams understand and track their work within GitLab. With embedded views, teams can maintain context while accessing real-time information, creating shared understanding, and improving collaboration without ever leaving their current workflow. It’s about making work tracking feel natural and effortless, so you can focus on what matters.

How it works: Real-time data right where you need it the most

Embedded views let you insert live GLQL queries in Markdown code blocks throughout wiki pages, epics, issues, and merge requests. Here's what makes them so useful:

Always up to date

GLQL queries are dynamic, pulling fresh data each time the page loads, so your embedded views always reflect the current state of your work, not the state when you embedded the view. When changes happen to issues, merge requests, or milestones, a page refresh will show those updates in your embedded view.

Contextual awareness

Use functions like currentUser() and today() to make queries context-specific. Your embedded views automatically adapt to show relevant information for whoever is viewing them, creating personalized experiences without manual configuration.

Powerful filtering

Filter by fields like assignee, author, label, milestone, health status, creation date, and more. Use logical expressions to get exactly the data you want. We support more than 30 fields as of 18.3.

Customizable display

You can display your data as a table, a list, or a numbered list. Choose which fields to show, set a limit on the number of items, and specify the sort order to keep your view focused and actionable.

Availability

You can use embedded views in group and project wikis, epic and issue descriptions, merge requests, and comments. GLQL is available across all GitLab tiers: Free, Premium, and Ultimate, on GitLab.com, GitLab Self-Managed, and GitLab Dedicated. Certain functionality, such as displaying epics, status, custom fields, iterations, and weights, is available in the Premium and Ultimate tiers. Displaying health status is available only in Ultimate.

See embedded views in action

The syntax of an embedded view's source is a superset of YAML that consists of:

• The query parameter: Expressions joined together with a logical operator, such as and.
• Parameters related to the presentation layer, like display, limit, or fields, title, and description represented as YAML.

A view is defined in Markdown as a code block, similar to other code blocks like Mermaid.

For example:

Display a table of first 5 open issues assigned to the authenticated user in gitlab-org/gitlab. Display columns title, state, health, description, epic, milestone, weight, and updated.

```glql
display: table
title: GLQL table 🎉
description: This view lists my open issues
fields: title, state, health, epic, milestone, weight, updated
limit: 5
query: project = "gitlab-org/gitlab" AND assignee = currentUser() AND state = opened
```

This source should render a table like the one below:

An easy way to create your first embedded view is to navigate to the More options dropdown in the rich text editor toolbar. Once in this toolbar, select Embedded view, which populates the following query in a Markdown code block:

```glql
query: assignee = currentUser()
fields: title, createdAt, milestone, assignee
title: Issues assigned to current user
```

Save your changes to the comment or description where the code block appears, and you're done! You've successfully created your first embedded view!

How GitLab uses embedded views

Whether tracking merge requests targeting security releases, triaging bugs to improve backlog hygiene, or managing team onboarding and milestone planning, we rely on embedded views for mission-critical processes every day. This isn't just a feature we built, it's a tool we depend on to run our business effectively. When you adopt embedded views, you're getting a tested solution that's already helping GitLab teams work more efficiently, make data-driven decisions, and maintain visibility across complex workflows. Simply stated, embedded views can transform how your team accesses and analyzes the work that matters most to your success.

To learn and see more about how GitLab is using embedded views internally, check out How GitLab measures Red Team impact: The adoption rate metric, and Global Search Release Planning issues for the 18.1, 18.2, and 18.3 milestones.

What's next

Embedded views are just the start of Knowledge Group's vision for work tracking. Learn more about what we're focusing on next in the embedded views post-GA epic. As embedded views evolve we're committed to making them even more powerful and accessible.

Share your experience

Share your feedback in the embedded views GA feedback issue or via the embedded views GA survey. Whether you've discovered innovative use cases, encountered challenges, or have ideas for improvements, we want to hear from you.

This transformation is happening at three distinct layers that go beyond what other AI dev tools are doing:

First, we are a system of record. Our unified data platform holds your most valuable digital assets. This includes your source code and intellectual property, as well as a wealth of unstructured data spanning project plans, bug backlogs, CI/CD configurations, deployment histories, security reports, and compliance data. This creates a treasure trove of contextual data that remains securely within your GitLab environment, unavailable to generic agents or large language models.

Second, we act as your software control plane. We orchestrate your most critical business processes through Git repositories, REST APIs, and webhook-based interfaces that power your end-to-end software delivery. Many of our customers consider this a tier-0 dependency that their critical business processes rely on daily.

Third, we deliver a powerful user experience. We deliver an integrated interface that helps eliminate the costly context-switching that slows down most engineering teams. With complete lifecycle visibility and collaboration tools in one platform, over 50 million registered users and our vast community depend on GitLab to get their work done. This expertise positions GitLab uniquely to pioneer intuitive human-to-AI collaboration that amplifies team productivity while preserving the workflows that our users know and trust.

Extending our platform with AI natively integrated at every layer

GitLab Duo Agent Platform integrates and extends all three of these layers. It is designed for extensibility and interoperability, enabling customers and partners to build solutions that create even more value. Our open platform approach emphasizes seamless connectivity with external AI tools and systems while being deeply integrated into our existing stack at all three layers.

• First, we're extending our unified data platform with a Knowledge Graph, which indexes and stitches together code with all of the rest of your unstructured data, specifically optimized for agentic access. AI thrives on context, and we believe this will not only accelerate reasoning and inference by agents but also deliver lower-cost and higher-quality agentic outcomes.
• Second, we're adding an important Orchestration Layer to our existing Control Plane in three distinct parts: enabling agents and flows to register as subscribers for GitLab SDLC events, building a new orchestration engine that allows for purpose-built, multi-agent flows, and exposing GitLab tools, agents, and flows via MCP and standard protocols for unparalleled interoperability.
• Finally, we're extending the GitLab experience to deliver first-class agents and agent flows across the entire software development lifecycle. You'll be able to assign async tasks to agents, @ mention them in comments, and create custom agents with context specific to your workflows — but more importantly, GitLab is shipping native agents for every stage of development while unlocking a rich ecosystem of third-party agents. This creates true human-to-AI collaboration where agents become as natural to work with as your human teammates.

Watch this video to see what's coming in 18.3 and beyond, or read on.

<div style="padding:75% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111796316?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="GitLab_18.3 Release_081925_MP_v1"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

What's new in GitLab 18.3

With 18.2, we introduced specialized AI agents that work alongside developers across the software development lifecycle, plus our Software Development Flow — a powerful feature that gives users the ability to orchestrate multiple agents to plan, implement, and test code changes end-to-end.

GitLab 18.3 introduces expanded integrations and interoperability, more Flows, and enhanced context awareness across the entire software development lifecycle.

Expanded integrations and interoperability

We're delivering comprehensive AI extensibility through both first-party GitLab agents and a rich ecosystem of third-party agents, all with full access to project context and data. This approach maintains native GitLab workflows and governance while providing the flexibility to choose preferred tools through highly integrated orchestration between these agents and GitLab's core platform. Teams gain enhanced AI functionality while preserving key integration, oversight, and user experience benefits.

• MCP server - Universal AI integration: GitLab's MCP (Model Context Protocol) server enables AI systems to securely integrate directly with your GitLab projects and development processes. This standardized interface eliminates custom integration overhead and allows your AI tools — including Cursor — to work intelligently within your existing GitLab environment. See our docs for a full list of tools included with 18.3. This is only the start; additional tools are planned for 18.4.

“Bringing GitLab workflows directly into Cursor is a critical step in reducing friction for developers. By minimizing the need for context switching, teams can check issue status, review merge requests, and monitor pipeline results without ever leaving their coding environment. This integration is a natural fit for our shared customers, and we look forward to a long-term partnership with GitLab to continue enhancing developer productivity.”

- Ricky Doar, VP of Field Engineering at Cursor

“GitLab's MCP server and CLI agent support create powerful new ways for Amazon Q to integrate with development workflows. Amazon Q Developer can now connect directly through GitLab's remote MCP interface, while teams can delegate development tasks by simply @ mentioning Amazon Q CLI in issues and merge requests. The robust security and governance capabilities built into these integrations give enterprises the confidence to leverage AI coding tools while preserving their development standards. Our partnership with GitLab demonstrates AWS' ongoing commitment to expanding our AI ecosystem and making intelligent development tools accessible wherever developers work."

- Deepak Singh, Vice President of Developer Agents and Experiences at AWS

• CLI agent support for Claude Code, Codex, Amazon Q, Google Gemini, and opencode (Bring Your Own Key): 18.3 introduces integrations that enable teams to delegate routine development work by @ mentioning their agents directly in issues or merge requests. When developers mention these AI assistants, they automatically read the surrounding context and repository code, then respond to the user's comment with either ready-to-review code changes or inline comments. These integrations require you to bring your own API key for the respective AI providers and keep all interactions natively within GitLab's interface while maintaining proper permissions and audit trails.

  Note: Third-party agents is a GitLab Premium Beta feature and only available to GitLab Duo Enterprise customers for evaluation.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111784124?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Third Party Agents Flows Claude Code"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

“Bringing Claude Code directly into GitLab puts AI assistance where millions of developers already collaborate and ship code daily. The ability to mention Claude directly in issues and merge requests removes friction while maintaining quality with human oversight and review processes. This update brings Claude Code's capabilities to more places where teams work, making AI a natural part of their developer workflow.”

- Cat Wu, Claude Code Product Lead, Anthropic

“With GitLab's new agent integration in 18.3 you can use opencode within your existing workflows. You can @mention opencode in an issue or merge request and it'll run your agent right in your CI pipeline. This ability to configure and run opencode the way you want is the type of integration we know the open source community really values.”

- Jay V., CEO, opencode

• Agentic Chat support for Visual Studio IDE and GitLab UI available to all Premium and Ultimate customers: With 18.3, you no longer need to context-switch between tools to access GitLab's full development lifecycle data. Our enhanced integrations bring the complete power of GitLab Duo into the GitLab UI as well as IDEs — expanding support from JetBrains and VS Code to now include Visual Studio. This helps developers stay in flow while accessing rich project context, deployment history, and team collaboration data directly within their preferred environment.
• Expanded AI model support: GitLab Duo Self-Hosted now supports additional AI models, giving teams more flexibility in their AI-supported development workflows. You can now deploy open source OpenAI GPT models (20B and 120B parameters) through vLLM on your datacenter hardware, or through cloud services like Azure OpenAI and AWS Bedrock in your private cloud. Additionally, Anthropic's Claude 4 is available on AWS Bedrock

New automated development flows

GitLab Flows coordinate multiple AI agents with pre-built instructions to autonomously handle those time-consuming, mundane tasks so developers can focus on the work that matters most.

GitLab 18.3 comes with two new Flows:

• Issue to MR Flow enabling automated code generation from concept to completion in minutes: This Flow automatically converts issues into actionable merge requests (MRs) by coordinating agents to analyze requirements, prepare comprehensive implementation plans, and generate production-grade code that's ready for review — helping you turn ideas into reviewable implementations in minutes, not hours.

<div style="padding:75% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111782058?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Issue to MR"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

• Convert CI File Flow built for seamless migration intelligence: Our Convert CI File Flow streamlines migration workflows by having agents analyze existing CI/CD configurations and intelligently convert them to GitLab CI format with full pipeline compatibility. This helps eliminate the manual effort and potential errors of rewriting CI configurations from scratch, enabling teams to migrate entire deployment pipelines with confidence. 18.3 includes support for Jenkins migrations. Additional support is planned for future releases.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111783724?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Convert to CI Flow"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Intelligent code and search

AI point solutions typically operate with limited visibility into isolated code snippets, but GitLab's Knowledge Graph provides agents with environment context to help inform faster and more intelligent responses.

• Knowledge Graph for real-time code intelligence: With 18.3, GitLab's Knowledge Graph now delivers real-time code indexing to enable faster code searches, delivering more accurate and contextual results. By understanding the relationships between files, dependencies, and development patterns across your entire codebase, our agents are designed to provide insights that would take human developers hours to uncover — and this is just the first step in unlocking the powerful capabilities that are planned for Knowledge Graph.

Enterprise governance

AI transparency and organizational control are critical challenges that can hold teams back from fully adopting AI-powered development tools, with 85% of executives agreeing that agentic AI will create unprecedented security challenges.

These new features in 18.3 help address concerns around data governance, compliance requirements, and the need for visibility into AI decision-making processes so organizations can integrate AI within their existing security and policy frameworks.

• Agent Insights for transparency through intelligence: Our built-in agent tracking provides visibility into agent decision-making processes. Users can optimize workflows and follow best practices through transparent activity tracking.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111783244?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Agent Insights"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• GitLab Duo Code Review for Self-Hosted: This brings the intelligence of GitLab Duo to organizations with strict data governance requirements by allowing teams to keep sensitive code in controlled environments.
• Hybrid model configurations for flexible AI deployment: GitLab Duo Self-Hosted customers can now use hybrid model configurations, combining self-hosted AI models via their local AI gateway with GitLab's cloud models through GitLab's AI gateway, enabling access to various features.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1111783569?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" referrerpolicy="strict-origin-when-cross-origin" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Self Hosted Models Code Review"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script> <p></p>

• Enhanced security with OAuth support: Our MCP server now includes full OAuth 2.0 authentication support, enabling secure connections to protected resources and sensitive development environments. This implementation follows the draft OAuth specification for MCP, handling authorization flows, token management, and dynamic client registration.

Secure by Design platform: Governance that scales

True platform security requires consistent application of governance principles across every layer of the development lifecycle. The same security fundamentals that make AI adoption safe — least-privilege access, centralized policy management, proactive monitoring, and granular permissions — must be embedded throughout the entire SDLC to create a cohesive, defense-in-depth approach.

GitLab 18.3 strengthens the foundational controls that help protect your entire software supply chain with these new updates:

• Custom admin role: Provides granular, purpose-built administrative permissions, replacing blanket admin access with precise, least-privilege controls. Instead of granting blanket administrative privileges that create security risks, organizations can now create specialized roles tailored to specific functions — platform teams managing runners and monitoring, support teams handling user management, and leadership accessing dashboards and usage statistics. With complete role lifecycle management through UI and API, audit logging, and auto-generated documentation, this feature enables true least-privilege administration while helping maintain operational efficiency and improve overall instance security.
• Instance-level compliance framework and security policy management: Organizations can now designate a dedicated compliance group that has the authority to apply standardized frameworks and security policies directly to top-level groups, automatically cascading enforcement to all their subgroups and projects. This centralized approach eliminates the compliance adoption blocker of fragmented policy management while maintaining group autonomy for additional local policies.
• Enhanced violations reporting: Teams now receive immediate notifications when unauthorized changes are made to MR approval rules, framework policies lack proper approvals, or time-based compliance controls are violated. By directly linking violations to specific compliance framework controls, teams get actionable insights that tell them exactly which requirement was breached, turning compliance from a reactive checkbox exercise into a proactive, integrated part of the development and security workflow.
• Fine-grained permissions for CI/CD job tokens: Replaces broad token access with granular, explicit permissions that grant CI/CD jobs access only to specific API endpoints they actually need. Instead of allowing jobs blanket access to project resources, teams can now define precise permissions for deployments, packages, releases, environments, and other critical resources, reducing the attack surface and potential for privilege escalation.
• AWS Secrets Manager integration: Teams using AWS Secrets Manager can now retrieve secrets directly in GitLab CI/CD jobs, simplifying the build and deploy processes. Secrets are accessed by a GitLab Runner using OpenID Connect protocol-based authentication, masked to prevent exposure in job logs, and destroyed after use. This approach eliminates the need to store secrets in variables and integrates cleanly into existing GitLab and AWS-based workflows. Developed in close collaboration with Deutsche Bahn and the AWS Secrets Manager team, this integration reflects our commitment to building solutions alongside customers to solve real-world challenges.

Artifact management: Securing your software supply chain

When artifacts aren't properly governed, small changes can have big consequences. Mutable packages, overwritten container images, and inconsistent rules across tools can trigger production outages, introduce vulnerabilities, and create compliance gaps. For enterprise DevSecOps, secure, centralized artifact management is essential for keeping the software supply chain intact.

Enterprise-grade artifact protection in 18.3

Building on our comprehensive package protection capabilities, GitLab 18.3 adds important new features:

• Conan revisions support: New in 18.3, Conan revisions provide package immutability for C++ developers. When changes are made to a package without changing its version, Conan calculates unique identifiers to track these changes, enabling teams to maintain immutable packages while preserving version clarity.
• Enhanced Container Registry security: Following the successful launch of immutable container tags in 18.2, we're seeing strong enterprise adoption. Once a tag is created that matches an immutable rule, no one — regardless of permission level — can modify that container image, preventing unintended changes to production dependencies.

These enhancements complement our existing protection capabilities for npm, PyPI, Maven, NuGet, Helm charts, and generic packages, enabling platform teams to implement consistent governance across their entire software supply chain — a requirement for organizations building secure internal developer platforms.

Unlike standalone artifact solutions, GitLab's integrated approach eliminates context switching between tools while providing end-to-end traceability from code to deployment, enabling platform teams to implement consistent governance across their entire software delivery pipeline.

Embedded views: Real-time visibility and reports

As GitLab projects grow in complexity, teams find themselves navigating between issues, merge requests, epics, and milestones to maintain visibility into work status. The challenge lies in consolidating this information efficiently while ensuring teams have real-time access to project progress without context switching or breaking their flow. Launching real-time work status visibility in 18.3 GitLab 18.3's embedded views, powered by our powerful GitLab Query Language (GLQL), eliminate context switching by bringing live project data directly into your workflow:

• Dynamic views: Insert live GLQL queries in Markdown code blocks throughout wiki pages, epics, issues, and merge requests that automatically refresh with current project states each time you load the page.
• Contextual personalization: Views automatically adapt using functions like currentUser() and today() to show relevant information for whoever is viewing, without manual configuration.
• Powerful filtering: Filter by 25+ fields, including assignee, author, label, milestone, health status, and creation date.
• Display flexibility: Present data as tables, lists, or numbered lists with customizable field selection, item limits, and sort orders to keep your views focused and actionable

Unlike fragmented project management approaches, we've designed embedded views to maintain your workflow continuity while providing real-time visibility, enabling teams to make informed decisions without losing focus or switching between multiple tools and interfaces.

Learn about the newest features in GitLab 18.3.

Get started today

GitLab 18.3 is available now for GitLab Premium and Ultimate users on GitLab.com and self-managed environments.

GitLab Dedicated customers are now upgraded to 18.2 and will be able to use the features released with GitLab 18.3 next month.

Ready to experience the future of software engineering? Enable beta and experimental features for GitLab Duo and start collaborating with AI agents that understand your complete development context.

New to GitLab? Start your free trial today and discover why the future of software engineering is human and AI collaboration, orchestrated through the world's most comprehensive DevSecOps platform.

<p><small><em>This blog post contains “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934. Although we believe that the expectations reflected in the forward-looking statements contained in this blog post are reasonable, they are subject to known and unknown risks, uncertainties, assumptions and other factors that may cause actual results or outcomes to be materially different from any future results or outcomes expressed or implied by the forward-looking statements.</em></p> <p><em>Further information on risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this blog post are included under the caption “Risk Factors” and elsewhere in the filings and reports we make with the Securities and Exchange Commission. We do not undertake any obligation to update or release any revisions to any forward-looking statement or to report any events or circumstances after the date of this blog post or to reflect the occurrence of unanticipated events, except as required by law.</em></small></p>

Top five new features

Dark mode: The most requested feature is finally here. Toggle between light and dark themes in the upper-right corner for improved readability and reduced eye strain.

Brand alignment: Our docs now reflect the modern colors and design language of both the GitLab marketing site and product UI, creating a cohesive experience across all GitLab properties.

Simplified feedback: Users can now give thumbs up/down feedback and add comments directly on any documentation page.

Redesigned navigation: We've moved primary navigation to the top and restructured our left sidebar to make our 2,300+ pages feel less overwhelming and more discoverable.

Addressed technical debt: Dozens of small but impactful fixes to typography, spacing, code blocks, and visual inconsistencies that had accumulated over the years.

Why now? The foundation for change

Earlier this year, led by Sarah German, our documentation engineering team completed a critical replatforming project, migrating from Nanoc to Hugo. While largely invisible to users, this change delivered dramatic performance improvements — 130x faster local builds and 30x faster full builds — and provided the solid technical foundation needed for these improvements.

This replatforming was essential groundwork that enabled us to focus on user experience enhancements rather than wrestling with outdated infrastructure.

Let's look more closely at the changes.

Dark mode

Possibly the biggest news for this release: dark mode is now available across the entire documentation site. Change the setting in the upper-right corner, and the site will remember your preference. For many users, dark mode makes content easier to read and reduces eye strain.

Brand alignment with marketing site

The new design creates visual harmony between our documentation and the broader GitLab experience. We've incorporated GitLab's modern color palette and design elements while maintaining the clean, functional feel users expect from technical documentation.

The updated homepage focuses on our primary documentation areas, including tutorials and getting started guides that help new users learn GitLab.

Simplified feedback mechanism

We've eliminated friction in the feedback process. Instead of requiring users to leave the docs site and create GitLab issues, they can now provide immediate feedback with thumbs up/down ratings and comments directly on any page. Scroll down on any documentation page to see this new functionality in action.

Navigation redesign

One of our biggest challenges was organizing over 2,300 pages in a way that doesn't overwhelm users. Our previous single left navigation, while comprehensive, created a daunting experience:

The new approach moves primary navigation to the top, creating shorter, more manageable table of contents sections that feel less overwhelming to traverse:

This structure better reflects the relationships between features while making individual sections more digestible.

Style updates and technical debt

Over the years, small style inconsistencies had accumulated — inconsistent padding in lists, extra spacing around alerts, and various typography issues. While these might seem minor, they created a subtly jarring experience for daily users.

Our tabs and code blocks received particular attention, becoming better-defined in the process.

Before, tabs with code looked like this:

And now, with a few small tweaks, they look like this:

These "papercut" fixes may be small individually, but collectively they create a much more polished, professional experience.

What's next?

This redesign represents how we iterate at GitLab — shipping meaningful improvements while building toward an even better future. We expect to continue refining the structure and adding features that help users find what they need more easily.

User feedback will drive our next iterations, and with our new simplified feedback mechanism, we're better positioned than ever to hear directly from our documentation users.

The team

This transformation was a true team effort. Kudos to UX Papercuts and Julia Miocene for taking what started as a simple request and turning it into a comprehensive design vision. Thanks to the engineers in Technical Writing: Sarah German, Pearl Latteier, and Hiru Fernando, who brought these designs to life.

The new design balances information density with visual clarity, modernizes our site while maintaining usability and accessibility standards, and represents a significant step forward in both user experience and visual design.

Performance optimizations for git-push(1) and git-fetch(1)

The git-push(1) and git-fetch(1) commands allow users to synchronize local and remote repositories. Part of the operation involves updating references in the repository. In repositories with many references, this can take significant time, especially for users who work with large development environments, monorepos, or repositories with extensive CI/CD pipelines.

Git reference transactions can include multiple reference updates, but they follow an all-or-nothing approach. If any single update within the transaction fails, the entire transaction fails and none of the reference updates are applied. But reference updates as part of git-push(1) and git-fetch(1) are allowed to fail, which allows repositories to synchronize a subset of references even in the case where a different subset has diverged. To facilitate this behavior, Git creates a separate transaction for each reference update, allowing some transactions to fail while the rest succeed.

Creating a separate transaction per update incurs significant overhead, as each transaction includes an initiation and teardown phase and also checks for whether there are conflicting reference names. The “reftable” backend also performs auto-compaction at the end of a transaction, so multiple transactions would trigger multiple auto-compactions, which would drastically increase the latency of the command.

In Git 2.51.0, these commands now use batched updates instead of separate transactions. Batched updates allow updating multiple references under a single transaction, while still allowing some updates to fail. This removes the overhead and scales better with the number of references to be updated, since only a single transaction is used. This significantly improves the performance of the “reftable” backend, which now outperforms the “files” backend. Users can reap these performance improvements without needing to make any changes.

For git-fetch(1) we see a 22x performance improvement for the “reftable” backend and 1.25x improvement for the “files” backend when used in a repository with 10,000 references.

Benchmark 1: fetch: many refs (refformat = reftable, refcount = 10000, revision = master)
  Time (mean ± σ):      3.403 s ±  0.775 s    [User: 1.875 s, System: 1.417 s]
  Range (min … max):    2.454 s …  4.529 s    10 runs

Benchmark 2: fetch: many refs (refformat = reftable, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     154.3 ms ±  17.6 ms    [User: 102.5 ms, System: 56.1 ms]
  Range (min … max):   145.2 ms … 220.5 ms    18 runs

Summary
  fetch: many refs (refformat = reftable, refcount = 10000, revision = HEAD) ran
   22.06 ± 5.62 times faster than fetch: many refs (refformat = reftable, refcount = 10000, revision = master)

Benchmark 1: fetch: many refs (refformat = files, refcount = 10000, revision = master)
  Time (mean ± σ):     605.5 ms ±   9.4 ms    [User: 117.8 ms, System: 483.3 ms]
  Range (min … max):   595.6 ms … 621.5 ms    10 runs

Benchmark 2: fetch: many refs (refformat = files, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     485.8 ms ±   4.3 ms    [User: 91.1 ms, System: 396.7 ms]
  Range (min … max):   477.6 ms … 494.3 ms    10 runs

Summary
  fetch: many refs (refformat = files, refcount = 10000, revision = HEAD) ran
    1.25 ± 0.02 times faster than fetch: many refs (refformat = files, refcount = 10000, revision = master)

For git-push(1) we see a 18x performance improvement for the reftable backend and 1.21x improvement for the “files” backend when used in a repository with 10,000 references.

Benchmark 1: push: many refs (refformat = reftable, refcount = 10000, revision = master)
  Time (mean ± σ):      4.276 s ±  0.078 s    [User: 0.796 s, System: 3.318 s]
  Range (min … max):    4.185 s …  4.430 s    10 runs

Benchmark 2: push: many refs (refformat = reftable, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     235.4 ms ±   6.9 ms    [User: 75.4 ms, System: 157.3 ms]
  Range (min … max):   228.5 ms … 254.2 ms    11 runs

Summary
  push: many refs (refformat = reftable, refcount = 10000, revision = HEAD) ran
   18.16 ± 0.63 times faster than push: many refs (refformat = reftable, refcount = 10000, revision = master)

Benchmark 1: push: many refs (refformat = files, refcount = 10000, revision = master)
  Time (mean ± σ):      1.121 s ±  0.021 s    [User: 0.128 s, System: 0.975 s]
  Range (min … max):    1.097 s …  1.156 s    10 runs

Benchmark 2: push: many refs (refformat = files, refcount = 10000, revision = HEAD)
  Time (mean ± σ):     927.9 ms ±  22.6 ms    [User: 99.0 ms, System: 815.2 ms]
  Range (min … max):   903.1 ms … 978.0 ms    10 runs

Summary
  push: many refs (refformat = files, refcount = 10000, revision = HEAD) ran
    1.21 ± 0.04 times faster than push: many refs (refformat = files, refcount = 10000, revision = master)

This project was led by Karthik Nayak.

Planning towards Git 3.0

11 years ago, Git 2.0 was released, which was the last major version release of Git. While we don’t have a specific timeline for the next major Git release, this release includes decisions made towards Git 3.0.

The Git 3.0 release planning allows us to plan for and implement breaking changes and communicate them to the extended Git community. Next to documentation, Git can also be compiled with these breaking changes for those who want to experiment with these changes. More information can be found in the BreakingChanges document.

The Git 2.51.0 release makes some significant changes towards Git 3.0.

Reftable as the default reference backend

In the Git 2.45.0 release, the “reftable” format was introduced as a new backend for storing references like branches or tags in Git, which fixes many of the issues with the existing "files" backend. Please read our beginner's guide to how reftables work for more insight into the “reftable” backend.

The Git 2.51.0 release marks the switch to using the "reftable" format as default in Git 3.0 for newly created repositories and also wires up the change behind a feature flag. The “reftable” format provides the following improvements over the traditional “files” backend:

• It is impossible to store two references that only differ in casing on case-insensitive filesystems with the "files" format. This issue is common on Windows and macOS platforms. As the "reftable" backend does not use filesystem paths to encode reference names this problem goes away.

• Similarly, macOS normalizes path names that contain unicode characters, which has the consequence that you cannot store two names with unicode characters that are encoded differently with the "files" backend. Again, this is not an issue with the "reftable" backend.

• Deleting references with the "files" backend requires Git to rewrite the complete "packed-refs" file. In large repositories with many references this file can easily be dozens of megabytes in size; in extreme cases it may be gigabytes. The "reftable" backend uses tombstone markers for deleted references and thus does not have to rewrite all of its data.

• Repository housekeeping with the "files" backend typically performs all-into-one repacks of references. This can be quite expensive, and consequently housekeeping is a tradeoff between the number of loose references that accumulate and slow down operations that read references, and compressing those loose references into the "packed-refs" file. The "reftable" backend uses geometric compaction after every write, which amortizes costs and ensures that the backend is always in a well-maintained state.

• Operations that write multiple references at once are not atomic with the "files" backend. Consequently, Git may see in-between states when it reads references while a reference transaction is in the process of being committed to disk.

• Writing many references at once is slow with the "files" backend because every reference is created as a separate file. The "reftable" backend significantly outperforms the "files" backend by multiple orders of magnitude.

• The “reftable” backend uses a binary format with prefix compression for reference names. As a result, the format uses less space compared to the "packed-refs" file.

This project was led by Patrick Steinhardt.

SHA-256 as the default hash function

The Git version control system stores objects in a content-addressable filesystem. This means it uses the hash of an object to address content such as files, directories, and revisions, unlike traditional filesystems, which use sequential numbers. Using a hash function has the following advantages:

• Easy integrity checks as a single bit flip would change the hash output completely.

• Fast object lookup as objects can be indexed by their hash.

• Object names can be signed and third parties can trust the hash to address the signed object and all objects it references.

• Communication using Git protocol and out of band communication methods have a short reliable string that can be used to reliably address stored content.

Since its inception, Git has used the SHA-1 hashing algorithm. However, security researchers have discovered some flaws in SHA-1, specifically the SHAttered attack, which shows a practical SHA-1 hash collision. We moved to using a hardened SHA-1 implementation by default since Git 2.13.0. However, SHA-1 is still a weak hashing algorithm and it is only a matter of time before additional attacks will further reduce its security.

SHA-256 was identified as the successor to SHA-1 in late 2018. Git 2.51.0 marks it as the default hash algorithm to be used in Git 3.0.

This project was led by brian m. carlson.

Removal of git-whatchanged(1)

The git-whatchanged(1) command shows logs with differences each commit introduces. While this is now succeeded by git log --raw, the command was kept around for historical reasons.

Git 2.51.0 requires users of the command to explicitly use the --i-still-use-this flag to capture any users who still use the deprecated command, and also marks the command for removal in Git 3.0.

This project was led by Junio C Hamano.

git switch and git restore are no longer experimental

The git-checkout(1) command can be used for multiple different use cases. It can be used for switching references:

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean

$ git checkout next
Switched to branch 'next'
Your branch is up to date with 'origin/next'.

Or for restoring files:

$ echo "additional line" >> git.c

$ git status
On branch master
Your branch is up to date with 'origin/master’.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
    modified:   git.c

no changes added to commit (use "git add" and/or "git commit -a")

$ git checkout git.c
Updated 1 path from the index

$ git status
On branch master
Your branch is up to date with 'origin/master’.

nothing to commit, working tree clean

For new users of Git, this can cause a lot of confusion. So in Git 2.33.0, these were split into two new commands, git-switch(1) and git-restore(1).

The git-switch(1) command allows users to switch to a specific branch:

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean

$ git switch next
Switched to branch 'next'
Your branch is up to date with 'origin/next'.

And the git-restore(1) command allows users to restore working tree files:

$ echo "additional line" >> git.c

$ git status
On branch master
Your branch is up to date with 'origin/master’.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
    modified:   git.c

no changes added to commit (use "git add" and/or "git commit -a")

$ git restore git.c

$ git status
On branch master
Your branch is up to date with 'origin/master’.

nothing to commit, working tree clean

While the two commands have existed since 2019, they were marked as experimental. The effect is that the Git project doesn’t guarantee backwards compatibility for those commands: the behavior may change at any point in time. While the intent originally was to stabilize those commands after a couple of releases, this hasn’t happened up to this point.

This has led to several discussions on the Git mailing list where users are unsure whether they can start using these new commands, or whether they might eventually go away again. But given that no significant changes have ever been proposed, and that some users are already using these commands, we have decided to no longer declare them as experimental in Git 2.51.

This project was led by Justin Tobler.

git for-each-ref(1) receives pagination support

The git for-each-ref command is used to list all references present in the repository. As it is part of the plumbing layer of Git, this command is frequently used for example by hosting forges to list references that exist in the repository in their UI. But as repositories grow, it becomes less realistic to list all references at once – after all, the largest repositories may contain millions of them! So instead, forges tend to paginate the references.

This surfaces an important gap: git-for-each-ref does not know to skip references from previous pages that have already been shown. Consequently, it may have to list a large number of uninteresting references before it finally starts to yield the references required for the current page. This is inefficient and leads to higher-than-necessary latency or even timeouts.

Git 2.51.0 supports a new --start-after flag for git for-each-ref, which allows paginating the output. This can also be combined with the --count flag to iterate over a batch of references.

$ git for-each-ref --count=10
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-001
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-002
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-003
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-004
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-005
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-006
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-007
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-008
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-009
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-010

$ git for-each-ref --count=10 --start-after=refs/heads/branch-010
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-011
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-012
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-013
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-014
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-015
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-016
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-017
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-018
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-019
9751243fba48b34d29aabfc9784803617a806e81 commit    refs/heads/branch-020

This project was led by Karthik Nayak.

What's next?

Ready to experience these improvements? Update to Git 2.51.0 and start using git switch and git restore in your daily workflow.

For GitLab users, these performance enhancements will automatically improve your development experience once your Git version is updated.

Learn more in the official Git 2.51.0 release notes and explore our complete archive of Git development coverage.

The software powering today's financial institutions is anything but ordinary. It includes credit risk models that protect billions in assets, payment processing algorithms handling millions of transactions, customer intelligence platforms that drive business strategy, and regulatory systems ensuring operational compliance — all powered by source code that serves as both operational core and strategic asset.

When shared infrastructure becomes systemic risk

The rise of software-as-a-service platforms has created an uncomfortable reality for financial institutions. Every shared tenant becomes an unmanaged third-party risk, turning platform-wide incidents into industry-wide disruptions. This is the exact kind of concentration risk drawing increasing attention from regulators.

JPMorgan Chase's Chief Information Security Officer Patrick Opet recently issued a stark warning to the industry in an open letter to third-party suppliers. He highlighted how SaaS adoption "is creating a substantial vulnerability that is weakening the global economic system" by embedding "concentration risk into global critical infrastructure." The letter emphasizes that "an attack on one major SaaS or PaaS provider can immediately ripple through its customers,” creating exactly the systemic risk that multi-tenant cloud platforms for source code management, CI builds, CD deployments, and security scanning introduce.

Consider the regulatory complexity this creates. In shared environments, your compliance posture becomes hostage to potential incidents impacting other tenants as well as the concentration risks of large attack surface providers. A misconfiguration affecting any organization on the platform can trigger wider impact across the entire ecosystem.

Data sovereignty challenges compound this risk. Shared platforms distribute workloads across multiple regions and jurisdictions, often without granular control over where your source code executes. For institutions operating under strict regulatory requirements, this geographic distribution can create compliance gaps that are difficult to remediate.

Then there's the amplification effect. Every shared tenant effectively becomes an indirect third-party risk to your operations. Their vulnerabilities increase your attack surface. Their incidents can impact your availability. Their compromises can affect your environment.

Purpose-built for what matters most

GitLab recognizes that your source code deserves the same security posture as your most sensitive customer data. Rather than forcing you to choose between cloud-scale efficiency and enterprise-grade security, GitLab delivers both through GitLab Dedicated, purpose-built infrastructure that maintains complete isolation.

Your development workflows, source code repositories, and CI/CD pipelines run in an environment exclusively dedicated to your organization. The hosted runners for GitLab Dedicated exemplify this approach. These runners connect securely to your data center through outbound private links, allowing access to your private services without exposing any traffic to the public internet. The auto-scaling architecture provides the performance you need, without compromising security or control.

Rethinking control

For financial institutions, minimizing shared risk is only part of the equation — true resilience requires precise control over how systems operate, scale, and comply with regulatory frameworks. GitLab Dedicated enables comprehensive data sovereignty through multiple layers of customer control. You maintain complete authority over encryption keys through bring-your-own-key (BYOK) capabilities, ensuring that sensitive source code and configuration data remains accessible only to your organization. Even GitLab cannot access your encrypted data without your keys.

Data residency becomes a choice rather than a constraint. You select your preferred AWS region to meet regulatory requirements and organizational data governance policies, maintaining full control over where your sensitive source code and intellectual property are stored.

This control extends to compliance frameworks that financial institutions require. The platform provides comprehensive audit trails and logging capabilities that support compliance efforts for financial services regulations like Sarbanes-Oxley and GLBA Safeguards Rule.

When compliance questions arise, you work directly with GitLab's dedicated support team — experienced professionals who understand the regulatory challenges that organizations in highly regulated industries face.

Operational excellence without operational overhead

GitLab Dedicated maintains high availability with built-in disaster recovery, ensuring your development operations remain resilient even during infrastructure failures. The dedicated resources scale with your organization's needs without the performance variability that shared environments introduce.

The zero-maintenance approach to CI/CD infrastructure eliminates a significant operational burden. Your teams focus on development while GitLab manages the underlying infrastructure, auto-scaling, and maintenance — including rapid security patching to protect your critical intellectual property from emerging threats. This operational efficiency doesn't come at the cost of security: the dedicated infrastructure provides enterprise-grade controls while delivering cloud-scale performance.

The competitive reality

While some institutions debate infrastructure strategies, industry leaders are taking decisive action. NatWest Group, one of the UK's largest financial institutions, chose GitLab Dedicated to transform their engineering capabilities:

"NatWest Group is adopting GitLab Dedicated to enable our engineers to use a common cloud engineering platform; delivering new customer outcomes rapidly, frequently and securely with high quality, automated testing, on demand infrastructure and straight-through deployment. This will significantly enhance collaboration, improve developer productivity and unleash creativity via a 'single-pane-of-glass' for software development."

Adam Leggett, Platform Lead - Engineering Platforms, NatWest

The strategic choice

The most successful financial institutions face a unique challenge: They have the most to lose from shared infrastructure risks, but also the resources to architect better solutions.

The question that separates industry leaders from followers: Will you accept shared infrastructure risks as the price of digital transformation, or will you invest in infrastructure that treats your source code with the strategic importance it deserves?

Your trading algorithms aren't shared. Your risk models aren't shared. Your customer data isn't shared.

Why is your development platform shared?

Ready to treat your source code like the strategic asset it is? Let’s chat about how GitLab Dedicated provides the security, compliance, and performance that financial institutions demand — without the compromises of shared infrastructure.

We'll cover:

• Version control: Lock AI to Java 8, handle Python3 environments, and generate multi-platform C++ code
• Style enforcement: Prevent C goto anti-patterns, enforce VueJS design patterns, and ensure Ansible linter compliance
• DevSecOps automation: Bootstrap projects with proper CI/CD security scanning and documentation standards

Each example includes working GitLab projects to fork, complete configurations, and before/after demonstrations. Learn how banking systems stay Java 8 compliant, IoT collectors work cross-platform, and VueJS components follow GitLab's production standards.

Table of Contents

• First steps with custom rules for Duo Agentic Chat
  • Requirements
  • Quick start: 5-minute success
  • Guidelines for custom rule development
  • Ask GitLab Duo Chat about existing development style guides
• More custom rules use cases
  • Use cases: Version and platform support
    • Java version requirements
    • C++ Multi-platform support (Windows, Linux, macOS)
  • Use case: Development environments
    • Python 3 development environment
    • Ansible linter compliance
  • Use case: Design patterns
    • Avoid anti-patterns with C and goto statements
    • Frontend style guides for VueJS 3
  • Use case: DevSecOps workflows
    • Issue and MR templates
    • Build tools
    • CI/CD configuration preferences
    • Security scanning preferences
    • Tests and linters
    • Documentation generation
    • Refactoring and code change requirements
    • Onboarding, requirements, licenses
    • Git flows
• Distribution and testing of custom rules
  • Custom Rules resources
• Fun activity: Explore behavior changes
• Conclusion

First steps with custom rules for Duo Agentic Chat

Follow the documentation to create custom rules for GitLab Duo Agentic Chat in the .gitlab/duo/chat-rules.md directory in a new or existing GitLab project in your IDE.

You can start with free-form text instructions, and iterate on the best outcome. Custom rules support Markdown for better structuring.

• Use markdown headings (#, ##, etc) to create sections.
• Use markdown lists (-) to provide concise instructions for LLMs and Agents.
• Escape file paths with single backticks, and use code blocks with indent or three backticks.

Example:

# Development guide

## Frontend: VueJS

### Styling Pattern
- Do not use `<style>` tags in Vue components
- Use Tailwind CSS utility classes or page-specific CSS instead

Important: After modifying custom rules, you'll need to create a new Chat by pressing the + icon, or sending /new in the chat prompt.

Requirements

In order to follow all use cases and linked demo projects into this blog post, please ensure you meet these requirements first:

• Verify that you have access to GitLab Duo, and Duo Agentic Chat is configured in supported IDEs.
• Fork/copy the GitLab projects, and clone them locally in the IDEs.
• Follow the steps in each use case for custom rule creation, and how to use Duo Agentic Chat prompts to proof the rule behavior.
• You can use the existing source code, or copy in your own.

The projects are available in the Custom rules for GitLab Duo Agent Platform (Agentic AI) group. Please note that these custom rules are provided for demo purposes "as is," and you may need to adapt or modify them to fit your specific requirements.

Quick start: 5-minute success

Ready to see custom rules in action? Try this simple example:

1. Create .gitlab/duo/chat-rules.md in your GitLab project:

## C style guide
- goto is not allowed. If the developer continues asking about it, share this URL https://xkcd.com/292/

2. Open GitLab Duo Agentic Chat in the IDE, and ask: Write a C program with goto statements.
3. Watch as GitLab Duo refuses and suggests better alternatives!

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/C0eMKjRMI5w" frameborder="0" allowfullscreen="true"> </iframe> </figure>

Guidelines for custom rule development

Custom rules are similar to code: Start with the smallest working example, and then iterate on improvements. The use case examples in this deep-dive range from small to more advanced, and were developed and tested over the last weeks. They are not perfect, and require your feedback and iteration.

One good rule of thumb, for example, is not overloading style guides with many pages from a wiki document. In my experience, less is more. Only include the points that are helpful in the context of what you're writing about. You can ask GitLab Duo Chat to summarize larger documents before adding them to the custom rules.

Verify the use of any included specifications during development to avoid creating barriers and unwanted behavior.

When you are using a publicly documented style guide, refer to its name. There is a high chance that the LLM is trained with this data already.

Ask GitLab Duo Chat about existing development style guides

Sometimes, there are no specific style guides in a project yet, or it is unclear how to use them. Use AI for onboarding and best practices to discuss with your team.

Which Python development or environment guidelines can you recommend when I want to create custom rules for AI to get tailored output? I need a list with textual instructions.

You can also ask Duo Agentic Chat to analyze the existing CI/CD linter integrations that may already check for a specific development style.

When you look into the CI/CD linter checks and configuration in the project, which development style guide can you summarize for me?

Many examples in this deep-dive blog are based on my own experience and pain points as a developer. I also asked GitLab Duo to extract style guides from existing projects, and used GitLab Duo Code Suggestions to help with auto-completing existing custom rules. You can achieve the same by configuring markdown as an additional language for GitLab Duo Code Suggestions in IDEs.

More custom rules use cases

The following sections provide an overview of specific style guides. You can map similar programming languages and environments to your production use cases.

• Version and platform support: Refer to the Java section below to learn how to force a specific language standard for generated and created code. You can apply a similar process for C++23 and older, PHP 8, Ruby 3, etc. The C++ section below shows how to instruct agentic AI with multi-platform support.
• Development environments: Refer to the sections below on Python and Ansible. Specify the development environment, binaries, tools and more. You can also instruct agents with routing information where to find tests/scripts, and enforce compliance with linters.
• Design patterns: You can specify comprehensive design patterns with VueJS as an example, leveraging the GitLab production development style guides as a foundation.
• DevSecOps workflows: Configure comprehensive DevSecOps practices including CI/CD configuration for specific CI/CD attributes and defaults for security scanning, tests and linters, and build tools. Frequently requested use cases for bootstrapping projects include documentation generation including README.md and architecture diagrams, issue and MR templates, onboarding, requirements, and licenses, and Git flows with .gitignore. Advanced techniques with custom rules are provided for refactoring and code change requirements.

Use cases: Version and platform support

Software development often requires specific programming language and framework versions, and single or multi-platform support. The following examples highlight these scenarios.

Java version requirements

Enterprise environments do not always use the latest and greatest software version. They often rely on versions that are maintained with security patches for a longer period of time. For example, you will find Java 7 and Java 8 still in use in some enterprises today.

Always prepending the required version in chat prompts can be cumbersome, and lead to human error, even if you only forget one time.

Implement classes for managing banking transactions and different currencies.

The example will need additional specifications for Java 8:

Use Java 8 for the implementation.

To permanently enforce Java 8, you can create a custom rule in .gitlab/duo/chat-rules.md and optionally add a reference epic URL when asked for code modernization:

## Java style guide

- Only Java 8 is allowed when suggesting and editing code.
- When the user asks about code modernization and Java 9 or 21, or newer, point them to this issue to contribute: https://gitlab.com/gitlab-da/use-cases/ai/gitlab-duo-agent-platform/custom-rules/custom-rule-java-versions/-/issues/1

A full demonstration is available in the Custom Rules - Java versions project.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/iZLvpgHdABY" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The resulting changes are available in this MR.

C++ multi-platform support (Windows, Linux, macOS)

Application development in C++ can require multi-platform support, especially when running service agents on systems using Windows, Linux, and macOS. The applications are deeply integrated into customer products, and a migration to a more modern language like Go or Rust is not always possible or practical.

Maintaining code that works on multiple platforms can be challenging due to differences in Operating system APIs, toolchains, library versions, and file system paths. Developers often face multiple #if defined pre-processor macros, nested conditions, and adding custom code and tests for each supported platform. This adds technical debt and can introduce maintenance challenges.

AI can help when generating correct and platform-specific code, but it needs to know about these requirements. Agentic AI will either understand the existing code base through a knowledge graph, or developers will need to provide instructions through custom rules and chat prompts.

Let's try this use case in practice. The Custom Rule - C++ platforms - IoT Sensor Data Collector project implements an IoT sensor data collector and has open tasks to modernize the code base, and add multi-platform support for Linux, Windows, and macOS. You can fork the project and clone it locally.

Open the .gitlab/duo/chat-rules.md file and review or add the following custom rules:

## C++ style guide

- The application runs on Linux, macOS and Windows. Generate code that handles the OS API differences.
- Use pre-processor macros for Windows and POSIX conventions for Unix (Linux, macOS).

## CI/CD Configuration

- Ensure that GitLab CI/CD jobs cover the different platform support. Use CI/CD job templates with extends where applicable.

Start a new Chat, and ask to restructure code for multi-platform support.

Please help me restructure the code and ensure multi-platform support.

You can also refer to the issue number, or URL (issue 3). GitLab Duo will automatically fetch the issue content from the GitLab platform, and put it into AI context.

Please help me implement issue 3

Please help me implement https://gitlab.com/gitlab-da/use-cases/ai/gitlab-duo-agent-platform/custom-rules/custom-rule-cpp-platform-iot-sensor-data-collector/-/issues/3

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/C5NxOjB0R1Q" frameborder="0" allowfullscreen="true"> </iframe> </figure>

Use case: Development environments

Development environments often vary between operating systems and developers. This can be confusing for AI models generating code or suggesting changes. The following use cases illustrate these environment problems and their solutions with custom rules.

Python 3 development environment

A Python development environment usually comes with the python executable and pip package manager. However, on systems like MacOS or Ubuntu, you need to use python3 and pip3 to get access to more recent Python 3 versions. This can create confusion running Python scripts, creating virtual environments, and installing package dependencies.

For this custom rules use case, I installed Python using Homebrew which results in a binary executable called python3 and a package manager pip3.

As an example, set up a Python virtual environment, install dependencies using pip, and run the application:

python -m venv myenv
source myenv/bin/activate

pip install -r requirements.txt

python script.py

This doesn't work as expected because we need to use specific binaries with version 3:

python3 -m venv myenv
source myenv/bin/activate

pip3 install -r requirements.txt

python3 script.py

We can test this problem with Agentic Chat for both, suggested code blocks, and the approval request for commands to execute. The Custom Rule - Python3 Env Shop app project implements a web shop application in Python, and provides the default Python executable paths in its README.md file which typically gets added into Agentic Chat context.

In order to overcome the problem, review .gitlab/duo/chat-rules.md which contains the following custom rules to enforce the Python executable names.

## Python style guide

- For Python binaries, always use python3 and pip3 when suggesting or running shell commands.
- Detect the Python environment automatically when possible.

You can also instruct agents with pre-defined routes to gather additional information through tool calling and/or MCP, when they do not attempt this automatically already.

Open a new Agentic Chat, and ask How to run this application? to see custom rules in action, using python3 and pip3 as desired.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/UQ2_OCvUmF0" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The full source code is available in the Custom Rule - Python3 Env Shop app project.

Ansible linter compliance

Modern Ansible for Infrastructure-as-Code tasks enforces a strict style guide, which can be verified using ansible-lint: It detects when Boolean values (true/false) are required instead of strings (yes/no), builtin module actions requiring the FQCN (Fully Qualified Collection Name) as parameter names, and trailing whitespaces that need trimming. CLI and IDE integrations, such as the VS Code Ansible extension by Red Hat help visualize these errors to developers. LLMs and chat agents might not always generate correct Ansible code and need manual work to fix it.

Let's look at the problem with a concrete use case. The following example implements a basic Ansible playbook in the Custom Rule - Ansible Environment project to set up a GitLab server on Ubuntu. You'll notice the Boolean values are incorrectly typed as strings (yes/no), and additional problem reports for builtin module actions and whitespace trimming.

Let's see how we can create custom rules to help Duo Agents fix the Ansible linter errors, and prevent them from happening in the future.

Fork and clone the Custom Rule - Ansible Environment project and open .gitlab/duo/chat-rules.md in the IDE inspect the custom rules:

## Ansible styleguide

- Boolean values in Ansible should be typed as "true" or "false" and never as string.
- Ansible module builtin actions must use the FQCN (Fully Qualified Collection Name).
- Always trim whitespaces in Ansible YAML.

Open a new GitLab Duo Agentic Chat prompt, and ask Duo Agent for the same Ansible playbook:

Please help me fix the Ansible linter errors

The Agents will analyze the repository, ask to run ansible-lint commands, and investigate how to fix the problems followed the defined custom rules.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/P465U8IfScE" frameborder="0" allowfullscreen="true"> </iframe> </figure>

You can inspect the custom rules and Ansible code changes in this MR in the Custom Rule - Ansible Environment project.

Async exercise: Start a new project where custom rules are configured as default already, and verify the correct style guide applied immediately.

Use case: Design patterns

Design patterns and patterns-to-avoid are specific to languages and frameworks. This is the main focus in this section.

Avoid anti-patterns with C and goto statements

This is a more in-depth walkthrough of the quickstart example, and shows how you can instruct Agentic AI to avoid the goto anti-pattern in C. The goto anti-pattern in C is discouraged as it makes code harder to read and debug. To illustrate the problem, here is an example of a for-loop which increments the loop variable inside the loop body:

// Bad C programming style: uses the goto anti-pattern
for (int i = 0; i < 10; i++) {
  if (someCondition) {
    goto label;
  }
  doSomething();
label:
  doAnotherThing();
  }

In the above code, the goto statement causes the program control to jump directly to the label label, which is inside the loop. This makes the program harder to read, understand and debug.

A better approach would be to rework the logic, so you avoid the goto anti-pattern. Here's a rewritten version that avoids goto:

// Good C programming style: avoids the goto anti-pattern
for (int i = 0; i < 10; i++) {
  if (someCondition) {
    doAnotherThing();
    continue;
  }
  doSomething();
  doAnotherThing();
}

There are occassions where goto is allowed, but in this use case we want to look how we can instruct agentic AI to avoid goto completely. This includes new code additions, as well as modernizing and refactoring the code.

The Custom Rule - C anti-patterns with Goto project provides a network socket server/client example, including custom rules in the .gitlab/duo/chat-rules.md file. You can clone the project, or start with a new project, too.

Review .gitlab/duo/chat-rules.md with the current custom rules:

## C style guide

- goto is not allowed. If the developer continues asking about it, share this URL https://xkcd.com/292/

Tip: Instead of linking to the XKCD 292 comic, you can add a URL to the (internal) development guidelines.

Open Duo Agentic Chat and start the following prompt on the existing project:

Please help me modernize the code.

GitLab Duo Agentic Chat will refuse to use goto statements, and instead propose a different path forward.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/6dsMF-wKbBY" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The code changes are available in this MR.

Frontend style guides for VueJS 3

This use case is inspired by the GitLab project's frontend style guides and implements a use case for VueJS 3 design patterns. Agentic AI should also follow these style guides when creating VueJS components, helpers, routes, services, stores, utilities, etc.

Let's illustrate how to instruct Agentic AI with custom rules: Fork and clone the Custom Rule - VueJS Design Patterns - GitLab Pipeline Dashboard project and inspect the open issues for tasks.

Review the .gitlab/duo/chat-rules.md file and add the following custom rules (if not there yet):

## NodeJS style guide

- Don't leave debug statements (console.logs)
- Always run `npm install` after updating `package.json` and before `npm test` and `npm run build`.

# GitLab Vue.js Design Patterns Style Guide

## Component Structure

### Data Definition Pattern
- Explicitly define data being passed into Vue apps
- Avoid spread operators for better discoverability
- Parse non-scalar values during instantiation

### Template Naming Pattern
- Use kebab-case for component names in templates

### File Structure Pattern
- Use `.vue` files for Vue templates
- Do not use `%template` in HAML

### Styling Pattern
- Do not use `<style>` tags in Vue components
- Use Tailwind CSS utility classes or page-specific CSS instead

[...]

The full custom rules are available in the .gitlab/duo/chat-rules.md file.

Next, open GitLab Duo Agentic Chat and ask how to add new pipeline mini charts, or other tasks you come across. Tip: You can reference only the issue, or alternatively paste the full issue URL, and Agentic Chat will look up both and extract the title and description for the current context.

Please help me implement issue 6

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/KbczS-OVb90" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The resulting code changes are available in this MR.

Note: The VueJS style guide was extracted from the gitlab-org/gitlab project asking GitLab Duo Agentic Chat with the following prompt sequence:

What is the development style guide for VueJS?

Can you print the styleguide as Markdown formatted list with headings.

Create a file in the repo, and only print the style guide rules there, no codeblocks.

Use case: DevSecOps workflows

DevSecOps workflows range from best practices for bootstrapping a project with issue/MR templates, .gitignore, GitLab CI/CD configuration, README.md documentation, licenses and much more. The following section explores a variety of use cases. You can use them as inspiration for your own custom rules.

Common DevSecOps automation with custom rules:

• Project bootstrap: Auto-create README, .gitignore, CI/CD config
• Security defaults: Enforce SAST, dependency scanning, secrets detection
• Documentation: Generate issue/MR templates, architecture diagrams

A combined use case example is available in the Custom Rule - DevSecOps workflows - Git README build tools issue MR templates project. You can inspect the custom rules, and fork/clone it locally to ask Agentic Chat with a new prompt such as: I need to bootstrap this project. Please help me with that.

<figure class="video_container"> <iframe width="560" height="315" src="https://www.youtube.com/embed/hKpLcBtbC4g" frameborder="0" allowfullscreen="true"> </iframe> </figure>

The next sections provide detailed prompts, and most of them are shown in the recording, too.

Issue and MR templates

You can instruct agentic AI to create issue/MR templates when they are missing, and offer to add project-specific information or labels. Agents will automatically query the GitLab API in the background, and put the current project structure into a template.

## Issue and MR templates

- If no issue templates for `Default` and `Feature Proposal` exist in .gitlab/issue_templates, create them using the following raw template sources:

        Default: https://gitlab.com/gitlab-org/gitlab-vscode-extension/-/raw/main/.gitlab/issue_templates/Default.md
        Feature Proposal: https://gitlab.com/gitlab-org/gitlab-vscode-extension/-/raw/main/.gitlab/issue_templates/Feature%20Proposal.md

- If no default MR template `Default` exists in `.gitlab/merge_request_templates`, create them using the following raw template sources:

        Default: https://gitlab.com/gitlab-org/gitlab-vscode-extension/-/raw/main/.gitlab/merge_request_templates/Default.md

- Update the project URLs, and available labels in the fetched templates accordingly, or remove anything unknown and let the user know about TODOs.
- Create a test issue/MR, when bootstrapping a new project.

Build tools

There is a variety of build tools, package managers, compilers, container builders available per programming language. When asking about updates and dependencies, agentic AI can use these default tools without asking for input.

## Build tools

- Always use a virtual env with Python, and set it up before executing any Python commands
- For C/C++: Prefer CMake, and gcc on Linux, clang on macOS, MSVC on Windows.
- For Python: Always use pip
- For Java: Always use Gradle
- For Node.js, suggest to use npm/yarn.
- For Rust: Always use cargo
- For Go: Always use go.mod
- For Ruby: Always use Bundler
- For PHP: Always use Composer
- For .NET: Always use .NET CLI
- For Scala: Always use SBT
- For Elixir: Always use Mix
- For Haskell: Always use Cabal
- For Swift: Always use Swift Package Manager
- For Kotlin: Always use Gradle or Maven.
- For TypeScript: Always use npm or yarn.
- Always suggest using a package manager or build tool based on the main programming language of the project.
- When asking for dependencies, assume that the user wants to update all current dependencies to the latest version available.

- Always suggest to create a Dockerfile if there isn't one. Always use a minimal image and use a tag for security scanning.
- Always add a `Dockerfile` with the base image and the entrypoint if one does not exist.
- Always include a `.dockerignore` and use it in the Docker build process.

CI/CD configuration preferences

Use rules to prefer specific container images, variable and job name patterns, etc.

## CI/CD Configuration

- If no GitLab CI/CD configuration exists in `.gitlab-ci.yml`, ask the user for approval to create.
- Create a GitLab CI/CD configuration automatically when a new project gets bootstrapped

- Always use alpine as container image to build the application.
- Add caching for detected programming languages and frameworks.

Security scanning preferences

Security scanners can also be enforced in GitLab CI/CD configuration. The following example instructs agents to always include Advanced SAST, dependency scanning, and secret detection templates. It has been successfully tested across other use cases in this tutorial.

## Security scanning

- Always use Advanced SAST.
- Always include SAST, Dependency Scanning, Secrets Detection templates, similar to the following format:

    include:
        - template: Jobs/SAST.gitlab-ci.yml
        - template: Jobs/Secret-Detection.gitlab-ci.yml
        - template: Jobs/Dependency-Scanning.gitlab-ci.yml

    variables:
        GITLAB_ADVANCED_SAST_ENABLED: 'true'

Tests and linters

You can also directly instruct Agentic Chat where to find the tests, and how to run them. The same idea applies to calling linter commands. Thanks Jessie Young for sharing this neat tip!

## Tests and linting details

- Tests in this project are located in __ directory and are run using the ___ command
- Linting is done with the ___ command

Documentation generation

Best of documentation custom rules.

- If a README is missing, ask the user if they want to create one. If the user agrees, create a basic `README.md` for them.
- When the user asks for an architecture proposal, always respond with generating an architecture diagram in Mermaid, and ask the user if they want you to add it to the README.md or another documentation file.
- For documentation in Markdown, always use GitLab flavored Markdown.
- Always add correct code block syntax highlighting support.

Refactoring and code change requirements

When a project should gradually be modernized with newly generated code, and not result in large refactors, the following rules can be helpful.

## Keep the changes minimal

- The project uses <this standard and version>. For newly generated code, use this standard.
- Do not attempt to refactor code already created in a project to this standard, but for new code, always ensure this standard is used.
- If unsure whether a file requires modification or refactoring, document this as a todo task.
- Never fix detected problems, whitespaces, code formatting, unless the user instructs you specifically in a comment.
- The code must be retained in its original format and only changes specific to solving the user request are allowed.

## Summaries

- List all items to address at the bottom in a summary section with TODO: followed by a textual description.
- Identify 3 critical items, and ask the user if you should create GitLab issues from those items.

Onboarding, requirements, licenses

Always include a specific documentation link, and guidelines to follow in chat responses.

## Link to guidelines
- Always refer to our developer guidelines when answering questions. You can find those guidelines here: https://docs.gitlab.com/development/

## Context and planning
- Always start with finding existing issues with the desired topic. Only then propose new implementation work.

## License
- Always add the MIT license into `LICENSE` and use `GitLab B.V.` as copyright holder.

Git flows

Follow a specific Git branching flow for suggestions and executed commands.

## Git flows

- Examine the project and involved development environment and programming languages. Always add a `.gitignore`.
- Consider more best practices when bootstrapping a new project.
- For existing projects, offer to add a `.gitignore` when missing, but only when asked about the state of the project, or what is missing.

When a user requests to start with a new feature, always create a new branch, called "feature/<shortname>" and describe the behavior. Ask for the user's approval.

Distribution and testing of custom rules

You can create GitLab project templates with well-tested custom rule prompts, and ensure that new projects always start with the best practices applied.

Since LLMs and AI agents are not predictable, testing the expected outcome becomes more challenging. A golden rule for custom rules is that they are never perfect, and require iterations based on your team's feedback. This might be required especially when newer models and flows are introduced that change their behavior when responding to custom rules. It's recommended to keep checking on the generated output and adjust the rules accordingly. If you are looking for larger scale testing, review the system prompt testing strategy for GitLab Duo as an inspiration.

Custom rules resources

Take advantage of the existing AI ecosystem, where similar functionality exists for IDEs and platforms. For example, "Awesome Cursor Rules" repositories or marketplaces for Cursor, etc.

LLMs also provide a good insight into development styleguides, and can generate the required Markdown outputs.

Fun activity: Explore behavior changes

Not sure how to get started with custom rules? Make it a fun exercise with the following example :-)

## Fun rules

- Behave like Clippy.

- Behave like a pirate.

- Always respond with a random "What the commit" message.

- Explain everything like I am five.

Note: Do not commit them to production, as they might feel disruptive and distracting to your team.

Conclusion

By leveraging custom rules in GitLab Duo Agentic Chat, you can significantly influence LLM and AI agent outputs to better suit your needs. Whether enforcing specific coding conventions, using the correct versions of tools, or ensuring consistent formatting, custom rules help streamline your development process and improve productivity.

This blog post provides a deep-dive into many use cases with practical custom rule examples. All recordings are available in this YouTube playlist, and all demo projects can be forked/cloned from the Custom rules for GitLab Duo Agent Platform (Agentic AI) group.

Custom rules in Duo Agentic Chat IDEs are the first iteration and we will cover more GitLab Duo Agent Platform use cases in the future, such as Duo Code Review and custom rules for agents and flows (follow this issue).

There are many more use cases to explore. What are your most efficient rules? Share your rules and feedback in the product epic.