On July 16, 2026, GitLab 19.2 was released with the following features.

Vivek is a Senior Data Engineer at Emirates who made a high-impact contribution to add Scala language support to GitLab Orbit. This change improves the code graph capabilities for developers who work in Scala codebases.

Primary features

GitLab Duo CLI is now generally available

GitLab Duo CLI brings the GitLab Duo Agent Platform directly to your terminal.

Use the CLI to ask complex questions about your codebase and to autonomously perform actions on your behalf. Unlike external tools, the CLI has context about your GitLab project, pipelines, and agent configurations.

Key features include:

  • Two modes: interactive chat mode and headless mode for CI/CD
  • Administrator on/off control for GitLab Self-Managed and GitLab Dedicated
  • Model selection and shared sessions
  • Tool approvals
  • Model Context Protocol (MCP) connections
  • Slash commands, including commands for context usage and context compaction
  • Support for skills and AGENTS.md customization files

Install the GitLab Duo CLI through the GitLab CLI (glab) or as a standalone tool.

GitLab Duo custom flows are now generally available

Custom flows are AI-powered workflows you create and configure to automate complex, multi-step tasks across your GitLab projects. They let teams define workflow steps, components, and triggers so repetitive development and operational work can run automatically in response to GitLab events. In the GitLab UI, flows run directly in GitLab CI/CD, helping teams automate common tasks without leaving GitLab.

Key features include:

  • YAML-defined, reusable workflows for team-specific automation
  • Multi-agent orchestration for complex, multi-step tasks
  • User-defined human-in-the-loop (HITL) checkpoints for approval or feedback at sensitive steps
  • Native GitLab triggers, including mentions, assignments, pipeline events, and merge request lifecycle events
  • Flow creation and management from projects or the AI Catalog
  • Public and private visibility controls
  • Secure execution using service accounts and composite identity
  • YAML validation to catch configuration issues before runtime

Scheduled pipeline execution policies are GA

Scheduled pipeline execution policies are now generally available. Define a schedule once in a security policy project and enforce it across every project in scope, without editing each project’s .gitlab-ci.yml. If requirements change, update the policy in one place instead of coordinating changes across many CI/CD configuration files.

Use scheduled policies to run compliance scripts, security scans, or other custom CI/CD jobs on a daily, weekly, or monthly cadence, independent of commit activity. This is useful for repositories without regular code changes, such as running dependency scans to detect newly discovered vulnerabilities. Each policy runs as a separate pipeline, with time zone support, time window distribution, and branch targeting.

Start foundational flows from Agentic Chat

In previous versions of GitLab, you started foundational flows from specific UI actions, mentions, or assignments. Now you can start them from Agentic Chat in the GitLab UI as part of your conversation.

When your request matches a specialist workflow, Agentic Chat hands off to one of these flows:

You approve the handoff in chat, then follow progress in the conversation or from AI > Sessions.

Dependency scanning auto-remediation (Beta)

GitLab 19.2 introduces Dependency scanning auto-remediation in Beta. The feature brings automated vulnerability remediation directly into your dependency scanning workflow, with two capabilities:

  • Automated dependency version bumps, available on GitLab.com, GitLab Self-Managed, and GitLab Dedicated.
  • Agentic Breaking Change Resolution, available on GitLab.com, GitLab Self-Managed, and GitLab Dedicated, and consumes GitLab Credits.

Automated dependency version bumps automatically opens merge requests to update vulnerable dependencies to their safe versions. Once turned on, GitLab monitors your projects for vulnerable dependencies and opens remediation MRs without manual intervention. By default, updates target patch and minor versions.

Agentic Breaking Change Resolution extends the remediation flow to handle complex updates. When a merge request that bumps dependency versions has a pipeline fails on a breaking change, GitLab Duo analyzes the pipeline errors, the dependency’s changelog, and how your code uses the dependency.

GitLab Duo commits fixes to the same MR and re-runs the pipeline until the pipeline passes. When you enable Agentic Breaking Change Resolution, version bumps extend to include major versions.

Together, the two capabilities form a complete remediation loop: GitLab opens the MR, and when the update is complex, GitLab Duo resolves it.

For setup instructions, see Dependency scanning auto-remediation.

Share feedback in the beta feedback issue.

Non default branch tracking (beta)

You can now track vulnerabilities on branches other than the default branch. For the best results, target a small number of long-lived release branches, such as branches for specific environments (project-qa, project-prod) or deployment platforms (project-iOS, project-android).

This beta includes the following capabilities:

  • Add tracked branches on the security configuration page, up to twice the number of projects in the namespace.
  • Filter by branch on the vulnerability report.
  • Filter by branch on the project-level security dashboard.
  • Track all vulnerability types on tracked branches, including CVEs, which were previously out of scope.
  • Keep vulnerability status metadata consistent when a branch merges into the default branch.
  • Update vulnerability status on tracked branches.

Selective GitLab Duo availability for subgroups

Administrators of GitLab Dedicated instances can make GitLab Duo and GitLab Duo Agent Platform unavailable for selected subgroups while other subgroups still have the option to turn them on.

Previously, you could either disable GitLab Duo and Agent Platform for an entire instance, or make them potentially available for all.

Now you can enforce a default-deny, per-subgroup allowlist. Mark specific subgroups as Always off (locked) so their descendant groups and projects can never enable GitLab Duo and Agent Platform, while leaving other subgroups up to the discretion of users with the Owner role. Only administrators can apply or remove the lock, and affected Owners see clear messaging that GitLab Duo is locked by a parent group.

This feature helps compliance and platform governance teams meet strict data-classification requirements.

AI audit event report (beta)

  • Tier: Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

AI audit event reports are now available in beta, giving security and compliance teams a unified, downloadable record of GitLab Duo agent activity.

Previously, agent activity was scattered across pipeline jobs and event histories, making it difficult to reconstruct a session for:

  • Incident investigation.
  • Compliance review.
  • AI governance reporting.

Now, each agent session produces a comprehensive audit artifact capturing:

  • Inputs.
  • Model and configuration context.
  • The chronological event timeline.
  • Outputs.

You can browse AI audit events from the Governance page, filter by agent and session details, drill into individual events, and download the underlying session artifact.

Security Review Flow (beta)

Security Review Flow detects business logic vulnerabilities directly in merge requests. Unlike static analysis tools that scan for known patterns, Security Review Flow reasons about the intent of your code and identifies authorization bypasses, data exposure, and logic errors that pattern-based scanners routinely miss.

To request a review, assign the Duo Security Review service account as a reviewer on your merge request. The flow analyzes the diff and posts findings as threaded comments at the exact lines where vulnerabilities occur, each with a Common Weakness Enumeration (CWE) classification, severity rating, and where possible, an inline suggested fix you can apply without leaving the merge request.

Each review consumes GitLab Credits based on the complexity of the merge request diff.

Agentic Core

Bulk AI Catalog items enablement

  • Tier: Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

When enabling public custom and external agents and public custom flows in the AI Catalog, you can now select up to 100 projects in a single action, instead of selecting individual projects one at a time.

Configure ID tokens in flows

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

Use ID tokens to authenticate with third-party OpenID Connect (OIDC) services without storing long-lived credentials. For example, use ID tokens for keyless signing of binaries and commits, or to retrieve secrets from a secrets manager.

To use this feature, update your agent configuration to include the id_tokens keyword, then configure the service to trust tokens issued by GitLab Duo Agent Platform.

Custom Agent validation

Previously, you could save a custom agent in AI Catalog whose prompt would fail when run. For example, prompts that tripped security rules caused the agent to silently do nothing when being used.

Now, when you create or update a custom agent, GitLab validates the prompt configuration, and tells you about any errors before you save that agent.

Automatic rebase before merge

In previous versions of GitLab, if your project used the semi-linear or fast-forward merge method, you had to complete an additional step when the source branch fell behind the target branch. To merge, you had to select Rebase, wait for it to complete, then return to the merge request to select Merge. That two-step handoff added friction to every merge.

You can now select Enable automatic rebase prior to merge in your project’s merge request settings. When the setting is on, GitLab rebases the source branch onto the target branch at merge time and you can merge with a single action. If it’s important to preserve GPG signatures on individual commits, you can leave the setting off.

Code Review Flow for GitLab Duo Enterprise seats

In previous versions of GitLab, when users with GitLab Duo Enterprise seats requested a code review from GitLab Duo, GitLab Duo Code Review would complete the review. This would occur even if Code Review Flow was turned on for the group. There was no way to turn on the agentic flow for all users.

Now, top-level group Owners can change this default and configure all code reviews to use Code Review Flow instead, regardless of the user’s seat. All reviews will consume GitLab Credits.

This change gives users with GitLab Duo Enterprise seats the same repository-wide context awareness, multi-step reasoning, and review sessions as everyone else.

Exclude merge requests from automatic code reviews (Beta)

In previous versions of GitLab, when automatic reviews were turned on for a project or group, GitLab Duo reviewed every eligible merge request. This included bot-authored dependency updates, feature branches, and experimental work, not just changes the team actually wanted feedback on.

You can now exclude specific merge requests from automatic reviews using exclusion rules. Define a .gitlab/duo/mr-review-automated-rules.yaml file for a project or group, with exclusion rules based on the author, source branch, or target branch. Rules support glob patterns like dependabot/* or *-bot.

You can still request a review manually for any excluded merge request.

This feature is in beta and is gated behind the duo_code_review_automated_rules feature flag, enabled by default.

Instance-level custom review instructions

In previous versions of GitLab, you could only define custom review instructions for GitLab Duo at the project or group level. Administrators who wanted consistent review guidance across an entire instance, such as security rules or internal coding standards, had to duplicate the same instructions in every project.

Now you can configure custom review instructions for an entire instance.

As an administrator, select a project in your instance to use as a template. When GitLab Duo performs a code review, it combines the instructions from the instance-level .gitlab/duo/mr-review-instructions.yaml file with any group-level and project-level instructions. This gives organizations a single source of truth for instance-wide review standards.

Both Code Review Flow and GitLab Duo Code Review support instance-level custom instructions.

Resolve review discussions with GitLab Duo (Beta)

In previous versions of GitLab, to resolve a code review comment, you had to switch to your editor, implement the fix, commit and push the change, and then manually close the thread. You had to repeat the cycle for every unresolved discussion, and the context-switch overhead would add up across a busy review.

You can now select Resolve with GitLab Duo on any review discussion. GitLab Duo reads the review comment and the code around it, implements the change the reviewer described, and commits it to your branch. GitLab Duo then replies to the discussion with a short summary of what changed and why, and resolves the thread for you. You can review the changes and reopen the thread if the fix doesn’t address the comment correctly.

Usage billing checks for GitLab Duo Agent Platform Self-Hosted

For GitLab Self-Managed customers using self-hosted models with an online license, the GitLab Duo Health now checks that the GitLab instance can reach the following endpoints:

  • Customers Portal
  • The AI Gateway
  • Duo Workflow Service

Connection to these endpoints is necessary for usage billing.

Previously, if a firewall blocked any of these components, administrators had no indication of connectivity issues until users were unable to use a feature. Administrators can now use this new validation check to diagnose issues and review their firewall allowlist before any disruption to users.

Unified DevOps and Security

Fix CI/CD Pipeline Flow suggests targeted fixes

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

GitLab Duo’s Fix CI/CD Pipeline Flow now gives you two core improvements:

  • When relevant files are already in your merge request diff, you get fixes as code suggestions directly on that merge request.
  • The flow classifies pipeline failures before acting, so you get a more targeted diagnosis.

The flow also analyzes child pipeline failures across the full pipeline hierarchy, lets you customize its behavior for your project with an AGENTS.md file, and collapses AI reasoning by default to keep your merge request comments clean.

Share your feedback in the feedback issue.

Disable built-in project templates

When organizations rely on custom project templates, built-in vendor templates can add noise to the template selection experience and, in some cases, bypass server-side hooks or other repository controls.

Administrators can now disable built-in project templates globally from the Admin area, or at the group level for subgroups. The setting cascades automatically so you do not need to configure it for every group individually. Administrators can enforce the value of the setting to ensure groups or subgroups cannot override it. Both the instance and group settings are also manageable with the REST and GraphQL APIs. On GitLab.com, only the group-level setting is available.

Fine-grained PAT permissions generally available

Fine-grained personal access tokens (PATs) are now generally available. Unlike legacy PATs, which grant access to every project and group you belong to, fine-grained PATs allow you to limit each token to specific resources and actions. This makes it easier to apply the principle of least privilege to automation and integrations, which helps reduce the potential impact of a leaked or compromised token.

To make setup easier, use the Add permissions with Duo feature to choose the correct permissions during token creation. Your existing legacy PATs continue to work as before. For new tokens, GitLab recommends fine-grained PATs so each token is scoped only to the resources and actions it needs.

With the GA release, fine-grained PATs now have complete coverage for REST API endpoints, and coverage for the most commonly used GraphQL types and mutations.

GitLab Flavored Markdown references in personal snippets

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

You can now use GitLab Flavored Markdown (GFM) references with personal snippets in two ways:

  • GitLab processes GFM references inside personal snippet descriptions and comments, just like in project snippets and other areas of GitLab.
  • You can reference a personal snippet from anywhere GFM is supported, such as comments and issue or merge request descriptions, using the $<id> syntax that already works for project snippets.

Because snippet IDs are unique across personal and project snippets, each ID resolves to a single snippet.

Recognize contributors with GitLab Achievements

Previously GitLab had no built-in way to formally recognize team members, customers, and contributors for their work. Efforts often went unacknowledged, and communities lacked a consistent way to celebrate the people who make their projects successful.

You can now create custom achievements at the group level and award them to users for their contributions. Each achievement includes a name, description, and avatar. Awarded users can choose which achievements to display on their profile. Achievements give maintainers a visible way to reward participation and help build stronger, more motivated communities.

Thank you to Niklas van Schrick for your contributions to this feature!

Security manager can configure agentic flows

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

Users with the Security Manager role can now configure SAST VR, SAST FP, Secrets FP, and Dependency Scanning VR for projects.

Vulnerability report exports correctly apply filters

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

When exporting a vulnerability report with filters applied, the exported CSV file only includes the filtered data.

GitLab Runner 19.2

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

Scale and Deployments

GitLab Duo reads and responds to reviews in merge requests

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated, GitLab Dedicated for Government
  • Links: Documentation · Related Issue

You can now use GitLab Duo and MCP-based agents to read merge request review conversations. This gives your AI assistant the full context of reviewer feedback, unresolved threads, and discussion history.

You can ask your agent to summarize review comments, draft responses to feedback, and post replies directly to merge request discussions without ever leaving your workflow.