GitLab 19.0: One DevSecOps Platform for AI, Security, and Delivery
GitLab 19.0 is a DevSecOps platform release that combines agentic AI workflows, a built-in secrets management tool, CI/CD security visibility, and supply chain insights to connect code creation, review, and deployment on one integrated stack. It is designed for teams hit by the AI paradox, where faster AI-generated code increases the pressure on credential protection, pipeline governance, and regulatory checks. By centering automation, security, and governance in the same place developers write and ship code, GitLab 19.0 aims to reduce context switching and tool sprawl. Manav Khurana, chief product and marketing officer at GitLab, argues that “when security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships,” framing this release as a shift from scattered tools to full DevSecOps orchestration.
Secrets Manager Brings Principle-of-Least-Privilege to CI/CD
A centerpiece of the GitLab 19.0 features is GitLab Secrets Manager, now in public beta for Premium and Ultimate users. Instead of scattering credentials across external services and CI/CD variables, Secrets Manager stores them inside the same DevSecOps platform that runs pipelines, scoping each secret to the specific jobs, branches, and environments allowed to use it. This flips the old pattern where a single CI/CD variable exposed credentials to every job in a project. According to GitLab’s Manav Khurana, “putting a credential into a CI/CD variable grants that secret to every job in the project,” while the new model enforces least-privilege access so that a compromised job stays contained. Access control and audit logs reuse GitLab’s existing group and project structure, and responders can trace every job that used a credential without correlating data from multiple systems. GitLab also continues to integrate with Vault and hyperscaler secret stores.
Agentic Developer Flow Keeps MRs, Pipelines, and AI in Sync
GitLab 19.0 extends its Developer Flow agentic workflows across the full merge request lifecycle, with the goal of keeping programmers in flow while tightening CI/CD security. The agent can now address reviewer feedback, resolve conflicts, split large merge requests, and implement features at any stage, all while reading project-specific rules from AGENTS.md and agent-config.yml. That context lets the AI-driven flow run tests, pre-commit hooks, and project-specific commands before committing, so output aligns with each team’s standards rather than generic templates. New beta features include a Resolve with Duo button, which evaluates both branches, proposes a fix, and leaves a summary comment, and one-click rebase-and-merge for semi-linear or fast-forward workflows. Because these tools live inside the same DevSecOps platform as pipelines and secrets, teams can automate multi-step tasks without wiring together separate CI/CD security plugins or external AI services.
Self-Hosted AI Models and Supply Chain Insights for Regulated Teams
For organizations that need control over AI infrastructure, GitLab 19.0 adds support for self-hosted AI models in the GitLab Duo Agent Platform. The platform now runs its agents on four open source AI models—Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, and MiniMax-M2.7—each evaluated for multi-step tool use, code-generation quality, and reasoning on large code differences. This lets enterprises keep AI inside their own environments while still benefiting from agentic workflows. On the supply chain side, Components Analytics provides visibility into which CI/CD catalog components and versions run across the organization, closing blind spots in shared CI infrastructure. Combined with supply chain insights and expanded CI pipeline visibility, GitLab 19.0 helps teams track dependencies and vulnerabilities throughout development. The result is a single DevSecOps platform where CI/CD security, self-hosted AI models, and supply chain risk management share the same data and governance surface.
