Open-core DevOps vendor GitLab has shipped versions 18.10 and 18.11 of its DevSecOps platform, with changes that give agentic AI to users on the free tier, that cut the per-review cost of automated code analysis, and give administrators hard limits on how much teams can spend on AI credits each month.
GitLab reports that code review times have increased by 91% at companies using AI coding tools, with a typical engineer at a large company waiting 13 hours for a merge request to be merged, which is the motivation for the pricing change. Shipping code faster while reviews pile up is a self-defeating loop, and GitLab’s 18.10 release is largely aimed at that gap.
The headline pricing change is a flat $0.25 per automated code review, regardless of the size or complexity of the merge request. GitLab claims competing tools charge $15 to $25 per review using token-based models, a structure that encourages teams to ration AI reviews to their most important changes, and this in turn causes backlogs and delays. GitLab argues that at $0.25 per review, there’s no longer much reason to skip a review for a small or low-stakes change.
Development teams are shipping more code faster than ever, and the AI automation that keeps code secure and ensures it gets safely deployed has to keep pace -- running across every project and every group, with the context of the entire platform.
-- Manav Khurana, Chief Product and Marketing Officer, GitLab
Free-tier users on GitLab.com can now access the Duo Agent Platform (which reached General Availability in January 2026) by buying GitLab Credits. Credits are allocated at the group level rather than per seat, so teams don’t need to assign licences to individuals, and are sold in monthly blocks. Group owners get a usage dashboard showing which agents and flows are consuming credits.
Version 18.10 also brings a security feature to GA: SAST false positive detection for Ultimate customers. After each static analysis scan, the Duo Agent Platform scores new critical and high-severity findings by how likely they are to be false positives, and surfaces that assessment in the Vulnerability Report. Security teams still decide what to dismiss — the scoring is advisory. The problem it’s aimed at is real: security teams flooded with irrelevant alerts tend to start ignoring them, leaving actual vulnerabilities to wait.
The 18.11 release, announced in April 2026, has some changes to help control costs. The new controls work in two ways: billing account managers can set a hard monthly limit for the entire subscription, and platform administrators can set per-user credit limits separately, either as a single cap across the whole organisation, or as individual allocations.
Without budget caps, a busy month could produce unexpected expenses. Without per-user limits, a handful of power users could burn through the team's credits before the month is over.
-- Bryan Rothwell, GitLab
The credits model is a notable move away from seat-based licensing, which charges a fixed amount per user regardless of how much each person actually uses the tools. GitLab’s 18.11 notes mention that seat-based vendors have been adding premium tiers and usage-based overages on top of their seat fees, reducing the predictability that seat licensing was supposed to offer. Hard credit caps address this directly: the ceiling is enforceable, not just advisory.
There is also a new integration with Vertex AI. When customers choose Google Cloud as their inference environment, model calls are routed through Vertex AI via GitLab’s AI Gateway. For organisations already running on Google Cloud, that means AI development tool usage can sit inside existing cloud agreements rather than creating a separate spend category — and GitLab’s subscription-level caps apply regardless.
Community reaction has been mixed. On Reddit’s GitLab community, at least one user reported that a GitLab sales rep described Duo Pro and Duo Enterprise licenses as being phased out in favour of the credits model: a pay-as-you-go shift with both per-user and pool-based options, which prompted concerns about how existing contracts would be handled. GitLab Consulting UK called the 18.11 budget controls a welcome addition, particularly for large organisations using the Vertex AI integration, where consumption can scale quickly.
GitLab has not published adoption data for the flat-rate review model, so its effect on team behaviour at scale is still an open question. The budget controls are available now for both GitLab.com and self-managed customers on 18.11 or later. The full release notes are available for 18.10 and 18.11.