
GitLab 19.0 Embeds Agentic AI in Secrets, Merge Requests, and Supply Chain Security


GitLab has released GitLab 19.0, moving its agentic AI from code generation into the work that surrounds it: securing credentials, reviewing and merging changes, and scanning released packages. The 21st May release adds a public beta of GitLab Secrets Manager, extends the Developer Flow agent across the full merge request lifecycle, and makes software bill of materials (SBOM) dependency scanning generally available.

GitLab Secrets Manager, in public beta for Premium and Ultimate users, stores credentials within the same platform that runs code and pipelines, and restricts each secret to the jobs authorised to use it. Access control and audit logging reuse the existing group and project hierarchy in GitLab, so there is no separate authorisation model to maintain. If a credential is compromised, responders can trace every job that used it from the GitLab audit trail. It is designed to work alongside HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager rather than replace them.

On merge requests, Developer Flow now addresses reviewer feedback, splits oversized MRs, and resolves conflicts. The flow reads project standards from an AGENTS.md file before committing, so its output reflects team context rather than generic defaults. A new Resolve with Duo button (beta) handles merge conflicts: it evaluates both branches, commits a proposed resolution, and leaves a summary comment for the next reviewer. One-click rebase-and-merge supports fast-forward and semi-linear merges. GitLab Duo respects branch protection rules and does not force-push to protected branches.

This release also moves GitLab Duo Core to usage-based billing. Code Suggestions in the Web IDE and desktop IDEs now consume GitLab Credits, and GitLab Duo Chat becomes agent-based, running on the GitLab Duo Agent Platform, which teams must enable to keep using Chat. Platform engineers gain Components Analytics, which shows which CI/CD Catalog components and versions run across an organisation and where security fixes have not yet landed.

On the supply chain, the SBOM-based dependency scanner becomes generally available, covering ecosystems including Maven, npm, NuGet, PyPI, Go, and Cargo. Automatic dependency resolution, which generates the required lockfiles or dependency graph exports when a project hasn't committed them, is enabled by default for Maven, Gradle, and Python, with manifest scanning as a fallback when necessary. Security configuration profiles let teams turn on Secret Detection, SAST, and dependency scanning through policies rather than per-project CI changes. For self-hosted teams, the GitLab Duo Agent Platform adds four open-source models, including Mistral Devstral 2 123B and GLM-5.1, for air-gapped environments, and now supports Claude Opus 4.7 and Gemini.
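As an added illustration of what SBOM-based dependency scanning does (this is example code written for this article, not GitLab's scanner), the Python below reads a constructed CycloneDX-style SBOM, extracts each component's package URL (purl), and matches it against a constructed advisory list using OSV-style half-open version ranges (introduced <= version < fixed). The package names, advisory IDs and version ranges are all invented placeholders, not real vulnerabilities.

```python
"""Illustrative SBOM-based dependency scan (added example, not GitLab's scanner).

Reads a CycloneDX-style SBOM, extracts each component's package URL (purl),
and matches it against an advisory list with OSV-style version ranges
(introduced <= version < fixed). SBOM and advisories are constructed inline.
"""
import json
import re
from urllib.parse import unquote

# Constructed SBOM fragment: only the fields this example reads are present.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "purl": "pkg:npm/acme-parser@1.4.2"},
        {"type": "library", "purl": "pkg:npm/%40acme/tokens@2.0.0"},
        {"type": "library", "purl": "pkg:maven/com.example/acme-http@3.1.0?type=jar"},
        {"type": "library", "purl": "pkg:pypi/acme-crypto@0.9.7"},
        {"type": "library", "purl": "pkg:golang/example.com/acme/netutil@v1.2.3"},
    ],
})

# Constructed advisories for fictional packages; IDs and ranges are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "npm", "name": "acme-parser",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-0002", "ecosystem": "npm", "name": "@acme/tokens",
     "introduced": "0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-0003", "ecosystem": "maven", "name": "com.example:acme-http",
     "introduced": "3.0.0", "fixed": "3.2.0"},
    {"id": "EXAMPLE-0004", "ecosystem": "golang", "name": "example.com/acme/netutil",
     "introduced": "1.2.0", "fixed": "1.2.4"},
]


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.

    Qualifiers and subpath are dropped; namespace and name are percent-decoded.
    The version follows the last '@' (an '@' inside a name is always encoded).
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    version = ""
    if "@" in body:
        body, version = body.rsplit("@", 1)
    ptype, _, path = body.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    return {
        "type": ptype,
        "namespace": "/".join(segments[:-1]),
        "name": segments[-1],
        "version": unquote(version),
    }


def component_name(p: dict) -> str:
    """Join namespace and name the way each ecosystem's advisories key them."""
    if p["type"] == "maven":
        return f"{p['namespace']}:{p['name']}"  # groupId:artifactId
    return f"{p['namespace']}/{p['name']}" if p["namespace"] else p["name"]


def version_key(v: str) -> tuple:
    """Numeric tuple for dotted versions; a 'v' prefix and suffixes like '-rc1' are tolerated."""
    parts = []
    for piece in v.lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, comparing numeric components with zero-padding (1.2 == 1.2.0)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) < kb + (0,) * (width - len(kb))


def scan_sbom(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version is in range."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched
        p = parse_purl(purl)
        if not p["version"]:
            continue  # an unversioned purl cannot be placed in a version range
        for adv in advisories:
            if adv["ecosystem"] != p["type"] or adv["name"] != component_name(p):
                continue
            if version_lt(p["version"], adv["introduced"]) or not version_lt(p["version"], adv["fixed"]):
                continue
            findings.append({"purl": purl, "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} (fixed in {f['fixed']})")
```

Two simplifications to note. The numeric version comparison is a stand-in for the ecosystem-specific rules a real scanner applies (Maven qualifiers, PEP 440, semver pre-releases), and the match is only as good as the versions in the SBOM, which is why the automatic lockfile generation described above matters: an SBOM built from a manifest's version ranges rather than a resolved lockfile can name versions the build never actually used.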

Manav Khurana, chief product and marketing officer at GitLab, said that "AI made it faster to generate code, but it didn't make it easier to trust or secure it at scale." He added that "when security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships, and that's exactly what GitLab 19.0 delivers."

GitLab 19.0 also tightens platform requirements, setting PostgreSQL 17 as the minimum, ending Redis 6 support, and dropping Linux packages for Ubuntu 20.04 and SUSE distributions. Competing firms, including GitHub and Atlassian, are pursuing similar agentic features, so the practical decision for platform teams is which governance and pricing model aligns best with their security needs and budget constraints.
