MilikMilik

GitLab 19.0 Puts Secrets and AI Agents at the Center of DevSecOps


What GitLab 19.0 Changes for DevSecOps Teams

GitLab 19.0 is an integrated DevSecOps platform update that combines a new secrets manager, expanded agentic workflows, self-hosted AI models, and supply chain insights so development, security, and operations teams can manage code, credentials, automation, and risk from a single environment across the full software lifecycle. At the heart of the release is a response to the AI paradox: AI-generated code has increased delivery speed, but governance and CI/CD security have lagged. GitLab now embeds more of that control directly where work happens, from merge requests to pipelines. Manav Khurana, GitLab’s chief product and marketing officer, stresses that “AI made it faster to generate code, but it didn’t make it easier to trust or secure it at scale,” and the company is positioning 19.0 as the bridge between AI acceleration and reliable, compliant software delivery.

GitLab Secrets Manager: Least Privilege for CI/CD Security

The new GitLab Secrets Manager, now in public beta for Premium and Ultimate, is designed to move credential handling away from broad CI/CD variables and into tightly scoped, auditable secrets. Instead of a token being exposed to every job in a project, each secret can be bound to specific jobs, branches, environments, and protection status, aligning CI/CD security with the principle of least privilege. According to GitLab’s Manav Khurana, “putting a credential into a CI/CD variable grants that secret to every job in the project… GitLab Secrets Manager flips the default.” Access control and audit logs reuse GitLab’s existing group and project model, reducing extra policy silos. If a secret is compromised, teams can trace every pipeline job that used it without correlating logs from separate tools, while still working alongside Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.
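A conceptual model of the scoping and tracing described above, added here as an illustration; it is not GitLab's code or its configuration syntax. The `Job` and `Scope` fields, the glob matching, the audit record shape and the sample pipeline are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Job:
    name: str
    branch: str
    environment: str   # "" when the job targets no environment
    protected: bool    # True when the job runs on a protected ref

@dataclass(frozen=True)
class Scope:
    jobs: frozenset             # job names allowed to read the secret
    branch: str = "*"           # glob pattern (assumption of this model)
    environment: str = "*"
    protected_only: bool = True

    def allows(self, job):
        # Every condition must hold; a single mismatch denies access.
        return (job.name in self.jobs
                and fnmatch(job.branch, self.branch)
                and fnmatch(job.environment, self.environment)
                and (job.protected or not self.protected_only))

def exposed_to(jobs, scope=None):
    """Names of jobs that can read the credential. scope=None models a
    project-level CI/CD variable, which every job in the project receives."""
    return [j.name for j in jobs if scope is None or scope.allows(j)]

def run_pipeline(jobs, secret, scope, audit_log):
    """Append one audit record per job, whether access was granted or denied."""
    for j in jobs:
        audit_log.append({"secret": secret, "job": j.name,
                          "branch": j.branch, "granted": scope.allows(j)})

def trace(audit_log, secret):
    """After a compromise: every (job, branch) that actually received the secret."""
    return [(r["job"], r["branch"]) for r in audit_log
            if r["secret"] == secret and r["granted"]]

# Constructed sample pipeline: three feature-branch jobs and one production deploy.
PIPELINE = [
    Job("lint", "feature/login", "", False),
    Job("unit-test", "feature/login", "", False),
    Job("deploy", "feature/login", "staging", False),
    Job("deploy", "main", "production", True),
]
PROD_SCOPE = Scope(jobs=frozenset({"deploy"}), branch="main",
                   environment="production")
```

With the variable model all four jobs hold the token; with the scope only the protected production deploy does, and `trace` returns that single job from the audit records.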

Agentic Workflows Extend Developer Flow Across the MR Lifecycle

GitLab 19.0 expands GitLab Duo’s Developer Flow so agentic workflows cover the full merge request lifecycle, not just code generation. The agent can now address reviewer feedback, split large merge requests, resolve conflicts, and implement features at different stages, helping teams keep momentum without constant context switching. Two beta features highlight this direction: Resolve with Duo, which compares branches, proposes a fix, commits it, and leaves a summary comment; and one-click rebase-and-merge for semi-linear or fast-forward workflows. Because Developer Flow reads AGENTS.md and agent-config.yml inside each project, the agent works with local conventions, commands, and guardrails. This allows the AI workflow to run tests and pre-commit hooks before committing, reducing noisy changes. For enterprises, the combination of context-aware agents and tighter GitLab audit trails means AI assistance becomes part of a governed development process instead of an external helper.

Self-Hosted AI Models and Supply Chain Insights for Regulated Teams

To reduce vendor lock-in and meet regulatory expectations, GitLab Duo Agent Platform Self-Hosted now supports four additional self-hosted AI models: Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, and MiniMax-M2.7. These self-hosted AI models were evaluated against GitLab Duo’s needs for multi-step tool use, code generation quality, and reasoning across large code diffs, giving enterprises more flexibility in how they deploy AI inside their own infrastructure. Alongside AI, GitLab 19.0 expands software supply chain insights. Components Analytics lets platform teams see which CI/CD catalog components and versions are running across the organization, closing a visibility gap in shared CI infrastructure. With GitLab Secrets Manager, agentic workflows, and supply chain data connected in one DevSecOps platform, security teams gain a clearer picture of dependency risk, pipeline behavior, and AI-driven changes, all without stitching together point solutions.

From Point Tools to a Unified DevSecOps Platform

Viewed together, GitLab 19.0 is less about individual features and more about reinforcing GitLab’s identity as a unified DevSecOps platform. Secrets are now stored, scoped, and audited inside the same system that runs code and pipelines. Agentic workflows live in merge requests and are configured through project files, not remote templates. CI/CD security and supply chain insights draw from the same data about components, jobs, and environments. This convergence helps reduce the handoffs and context shifts that often weaken security in AI-accelerated delivery. Instead of separate tools for credential management, pipeline governance, and AI coding assistants, teams can standardize on one system that understands their projects end to end. For organizations wrestling with AI-driven scale, GitLab 19.0’s direction suggests that the future of DevSecOps will be dictated less by isolated features and more by how well platforms connect people, automation, and controls.
