What GitLab 19.0 Changes in Enterprise DevSecOps
GitLab 19.0 is a DevSecOps platform release that combines AI automation, secrets management, and software supply chain visibility so that development, security, and operations teams can manage code, pipelines, and credentials from a single, integrated workflow. The update targets the “AI paradox,” where faster AI-generated code multiplies credentials, reviews, and compliance checks without improving trust or security at the same pace. Manav Khurana, GitLab’s chief product and marketing officer, states that “when security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships.” In practice, the new GitLab 19.0 features tie AI DevSecOps tools to the same groups, projects, and pipelines engineers already use, aiming to reduce handoffs between writing code, securing it, and promoting it into production environments.
Secrets Manager: Least-Privilege Credentials for CI/CD
The headline change for security teams is GitLab Secrets Manager, now in public beta for Premium and Ultimate users and central to the release's approach to secrets management in DevOps. Instead of broad CI/CD variables that expose a credential to every job in a project, Secrets Manager scopes each secret to only the jobs allowed to use it. Khurana explains that “GitLab Secrets Manager flips the default” by letting developers define which branch, environment, and protection level can access a credential, so a compromised job remains contained. Access control and audit logging reuse GitLab’s existing group and project structure, avoiding a parallel permission system. If a secret is exposed, responders can track every job that used it through the GitLab audit trail linked to the original pipeline, without correlating logs across multiple tools. The feature also works alongside Vault, AWS, Azure, and Google Cloud secrets services.
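The scoping and audit behaviour described above, as an added Python example that is not GitLab's own code: it models a secret scoped by branch, environment and protection level next to a broad legacy-style variable, and keeps the per-job audit trail a responder would query after an exposure. The policy fields, job attributes, and secret names are assumptions for illustration, not GitLab's real policy format.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class SecretPolicy:
    """Who may read a secret: branch glob, environment glob, protection level (assumed fields)."""
    name: str
    branch: str = "*"              # glob matched against the job's branch
    environment: str = "*"         # glob matched against the job's environment
    protected_only: bool = False   # require a protected branch or environment

@dataclass(frozen=True)
class Job:
    pipeline_id: int
    job_id: int
    branch: str
    environment: str
    protected: bool

class SecretsManager:
    def __init__(self, policies: list[SecretPolicy]) -> None:
        self.policies = {p.name: p for p in policies}
        # One (pipeline, job, secret, allowed) entry per access attempt.
        self.audit_log: list[tuple[int, int, str, bool]] = []

    def can_access(self, job: Job, secret: str) -> bool:
        """Least-privilege decision: every scope condition must hold."""
        p = self.policies.get(secret)
        if p is None:
            return False
        return (fnmatchcase(job.branch, p.branch)
                and fnmatchcase(job.environment, p.environment)
                and (job.protected or not p.protected_only))

    def fetch(self, job: Job, secret: str) -> bool:
        """Decide, and record the attempt linked to its pipeline and job."""
        allowed = self.can_access(job, secret)
        self.audit_log.append((job.pipeline_id, job.job_id, secret, allowed))
        return allowed

    def jobs_that_used(self, secret: str) -> list[tuple[int, int]]:
        """Incident-response lookup: every job that actually read the secret."""
        return [(p, j) for p, j, s, ok in self.audit_log if s == secret and ok]

# Constructed sample: a broad legacy-style variable next to a scoped secret.
POLICIES = [
    SecretPolicy("LEGACY_DEPLOY_KEY"),  # readable by every job, like a CI variable
    SecretPolicy("PROD_DEPLOY_KEY", branch="main",
                 environment="production", protected_only=True),
]
```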
Agentic Developer Flow and AI-Powered Merge Requests
GitLab 19.0 extends its Developer Flow so AI agents can support the full merge request lifecycle, not only initial code generation. The AI DevSecOps tools can now help address reviewer feedback, split large merge requests, resolve conflicts, and implement changes at any stage. Crucially, Developer Flow reads project-specific standards from AGENTS.md and configuration from agent-config.yml, so the agent respects team conventions, architectural decisions, environment quirks, and required tooling. That context lets agents run tests and pre-commit hooks before proposing changes, reducing rework. New beta features include a Resolve with Duo button that compares both branches, commits a suggested fix, and leaves a summary comment, plus one-click rebase-and-merge for semi-linear or fast-forward workflows. By keeping agents inside the same platform used for code review and CI, GitLab aims to keep developers “in flow” while still enforcing security and governance rules.
Self-Hosted AI Models and Supply Chain Insights
For organizations wary of external AI services, GitLab Duo Agent Platform Self-Hosted now supports four open source models: Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, and MiniMax-M2.7. Each model was evaluated for multi-step tool use, code generation quality, and reasoning across large code diffs, giving teams self-hosted AI models that fit enterprise data privacy expectations and reduce vendor lock-in. These self-hosted options let enterprises keep sensitive code and pipeline data inside their own infrastructure while still benefiting from agentic workflows. On the visibility side, Components Analytics shows platform and security teams which CI/CD catalog components and versions run across the organization, closing gaps in supply chain and pipeline oversight. Together with improved CI pipeline visibility and Secrets Manager, these GitLab 19.0 features strengthen security posture from code to deployment while aligning AI workflows with compliance-focused DevSecOps practices.
