techlist.io
KR EN
gitlab

Get started with GitLab Duo Agent Platform: The complete guide (opens in new tab)

The GitLab Duo Agent Platform represents a shift in AI-assisted development by moving from individual chat-based interactions to a collaborative multi-agent orchestration layer. By integrating specialized AI agents throughout the software development lifecycle, the platform transforms linear DevSecOps workflows into parallel processes that leverage full project context for tasks like security scanning and code refactoring. This architecture allows development teams to delegate routine technical burdens to autonomous agents, focusing human efforts on high-level innovation and complex problem-solving. ### Orchestrating the DevSecOps Lifecycle The platform functions as a central intelligence layer that connects AI agents to the broader GitLab ecosystem. * Agents access comprehensive project context, including source code management, CI/CD pipelines, issue tracking, and security scan results. * Specialized agents can be assigned to specific technical domains such as research, refactoring, and automated testing. * The system enables asynchronous collaboration, allowing multiple agents to work on different stages of a project simultaneously. ### Evolution from Duo Enterprise to Agentic AI The Duo Agent Platform is a superset of previous GitLab AI offerings, moving beyond simple 1:1 user-to-AI interactions. * GitLab Duo Pro focused on individual IDE productivity through code suggestions and basic chat. * GitLab Duo Enterprise expanded AI to the wider software lifecycle but remained primarily a 1:1 Q&A experience. * The Agent Platform introduces a many-to-many collaboration model where teams and multiple specialized agents interact autonomously to handle production-ready workflows. ### Advanced Integration and Customization To support enterprise-grade automation, the platform provides a roadmap for scaling AI from basic interactions to production environments. * Integration with the Model Context Protocol (MCP) allows for expanded data access and agent capabilities. * The platform supports a progression from initial agent interactions to full workflow customization and production-ready automation. * Developers can leverage the eight-part guide series to move from foundational concepts to advanced technical implementations. To maximize the benefits of agentic AI, organizations should transition from viewing AI as a simple Q&A tool to treating it as an orchestration layer. Teams are encouraged to explore the complete introductory series to begin delegating routine maintenance and security tasks to specialized agents, thereby accelerating overall delivery speed.

gitlabautomationci-cddevsecops+3
gitlab

Understanding agents: Foundational, custom, and external (opens in new tab)

The GitLab Duo Agent Platform provides a tiered framework for integrating AI into the software development lifecycle through foundational, custom, and external agents. By combining built-in expertise with the ability to define bespoke behaviors or connect to specialized external models, the platform enables teams to automate complex tasks ranging from product planning to runtime debugging. This structured approach ensures that AI assistance is deeply integrated into GitLab’s ecosystem while remaining flexible enough to meet specific organizational standards. ## Foundational Agents These are pre-configured, GitLab-maintained agents available immediately in the IDE or Web UI for general and specialized SDLC tasks. * **GitLab Duo:** The primary general-purpose partner for code modification, merge request management, and issue triaging within the full platform context. * **Planner Agent:** Specifically designed to assist with product management by breaking down epics into structured issues and generating acceptance criteria. * **Security Analyst Agent:** Focuses on triaging vulnerabilities, identifying false positives from scans, and prioritizing risks based on actual impact. * **Data Analyst Agent:** Leverages GitLab Query Language (GLQL) to visualize platform data, such as merge request trends, team workloads, and issue resolution times. ## Custom Agents Organizations can create specialized agents tailored to internal workflows by defining unique system prompts and visibility settings. * **Configuration and Control:** Custom agents are defined by a system prompt that dictates their persona and expertise—such as a DevOps agent that correlates static code data with CI/CD logs. * **Visibility Tiers:** Agents can be set to "Private" for use within a specific project or "Public" to be listed in the AI Catalog for broader organizational discovery. * **Operational Use Cases:** Common implementations include onboarding assistants for company-specific practices, compliance monitors for regulatory requirements, and localized support agents for non-English languages. * **Deployment Best Practices:** It is recommended to start with read-only permissions and highly specific constraints before granting agents write access to the repository or platform. ## External Agents External agents operate asynchronously and are triggered by mentions or assignments within issues and merge requests, rather than through interactive chat. * **Asynchronous Automation:** These agents, such as Anthropic Claude or OpenAI Codex, execute tasks in the background when triggered by commands like `@ai-codex`. * **Managed Credentials:** GitLab handles API key management and rotation for these integrations, simplifying the security overhead for teams using third-party models. * **Specialized Performance:** External agents allow teams to leverage provider-specific strengths, such as Claude’s code analysis or Codex’s task delegation, while maintaining compliance with specific data residency requirements. * **Integrated Review:** A typical workflow involves assigning an external agent as a reviewer on a merge request, where it automatically analyzes code quality and posts improvement suggestions directly as comments. To maximize the value of the platform, teams should begin by leveraging foundational agents for immediate productivity gains before developing custom agents that encode specific organizational knowledge. External agents should be reserved for specialized automation tasks or when specific third-party large language models (LLMs) are required for compliance or advanced code generation.

database-designci-cdai-mlgitlab-duo+4
gitlab

Introduction to GitLab Duo Agent Platform (opens in new tab)

GitLab Duo Agent Platform introduces an AI orchestration layer designed to move beyond simple code generation into full software development lifecycle (SDLC) automation. By utilizing specialized agents and asynchronous flows, the platform enables teams to delegate complex tasks like code reviews and pipeline fixes to AI "team members" who possess full context of the project. This transition from linear workflows to multi-agent collaboration allows developers to maintain oversight through detailed session logs while focusing on high-level innovation. ### Core Functionality and SDLC Context * The platform acts as an orchestration layer that enables asynchronous collaboration between human developers and specialized AI agents. * It utilizes deep SDLC context, pulling data from issues, epics, merge requests, CI/CD logs, wikis, and security scans to inform AI actions. * Automation is designed to understand and adhere to specific organizational standards, practices, and compliance requirements. ### Agent Interaction and Interface Methods * **GitLab Duo Agentic Chat:** Provides a real-time, synchronous interface via a persistent panel in both the GitLab Web UI and supported IDEs. * **Triggered Foundational Flows:** Users can invoke pre-built GitLab workflows, such as "Fix CI/CD Pipeline" or "Convert Jenkins to GitLab CI/CD," directly within the platform. * **Custom and External Flows:** Automated workflows can be triggered asynchronously by @mentioning agents or assigning reviewers in issue and merge request comments. * **External Agent Support:** The platform supports third-party models like Claude Code and OpenAI Codex, executing them on GitLab platform compute via runner execution. ### Distinguishing Agents from Flows * **Agents:** These are specialized assistants defined by unique system prompts and toolsets; they are best suited for interactive tasks and instant feedback within the chat interface. * **Flows:** These are autonomous, multi-step workflows designed for complex background tasks, such as multi-file refactoring or event-driven automation. * **Execution Environment:** While agents are interactive, flows run asynchronously on platform compute, triggered by specific GitLab events or user assignments. ### Platform Management and Transparency * **AI Catalog:** A centralized library for discovering, creating, and sharing custom agents and flows across an entire organization. * **Automate Hub:** A management center used to configure triggers, monitor active flows, and manage agent permissions. * *Sessions:** Every interaction creates a session log that provides a transparent "decision trail," including agent reasoning, tool calls, and pipeline execution status. * **Model Selection:** Starting with GitLab 18.4, users can select specific foundational models for their conversations within the Web UI to better suit the task at hand. Teams looking to implement the GitLab Duo Agent Platform should begin by utilizing foundational flows for common tasks like pipeline debugging before moving toward custom agent creation. Reviewing the transparency logs in the "Sessions" view is highly recommended to refine agent prompts and ensure that automated actions align with internal development standards.

developer-toolsevent-driven-automationmulti-agent-workflowsgitlab-duo-agent-platform+4
gitlab

GitLab Threat Intelligence Team reveals North Korean tradecraft (opens in new tab)

The GitLab Threat Intelligence Team has detailed its efforts to disrupt North Korean (DPRK) cyber campaigns, specifically focusing on "Contagious Interview" malware distribution and fraudulent IT worker schemes. By analyzing internal platform data, GitLab identified that these state-sponsored actors leverage legitimate tools and fake recruitment scenarios to compromise software developers and generate illicit revenue for the regime. The report concludes that while these operations are sophisticated and persistent, proactive monitoring and cross-industry intelligence sharing are essential to mitigating these evolving threats. ### Contagious Interview Mechanics * Threat actors pose as recruiters to trick software developers into executing malicious JavaScript projects under the guise of technical interviews. * The primary goal is to deploy malware families such as BeaverTail and Ottercookie, which facilitate credential theft and provide remote control of the victim's device. * A notable evolution in tradecraft includes the use of "ClickFix," a compiled BeaverTail variant identified in late 2025. * Malicious repositories often use a specific execution pattern where base64-encoded URLs and secret headers are hidden within `.env` files, masquerading as benign configuration variables. * To execute the payload, actors utilize `Function.constructor` to load strings as executable code, often triggered by custom error handlers designed to source remote content. ### 2025 Campaign Trends and Infrastructure * GitLab banned 131 unique accounts linked to these campaigns in 2025, with activity peaking in September and averaging 11 bans per month. * Nearly 90% of malicious accounts were created using Gmail addresses, and actors typically accessed the platform through consumer VPNs or dedicated VPS infrastructure. * In more than 80% of cases, malware payloads were not stored on GitLab. Instead, actors used concealed loaders to fetch content from legitimate hosting services, most commonly Vercel. * Recent tactics include the creation of malicious NPM dependencies immediately before use and the exploitation of VS Code tasks to pipe remote content into native shells. ### IT Worker Campaigns and Sanctions Evasion * Beyond malware distribution, DPRK actors use GitLab to support "IT worker" cells that generate revenue and evade international sanctions. * One identified pipeline involved the creation of at least 135 synthetic identities, automated to generate professional connections and contact leads at scale. * Threat actors have been observed adding their own images to stolen U.S. identity documents to bypass employment verification processes. * Forensic analysis revealed financial records from cell managers detailing revenue proceeds from 2022 through 2025, often earned while operating from locations like Moscow, Russia. Organizations should remain vigilant against recruitment-themed social engineering and scrutinize unexpected requests to run external code. GitLab recommends that the security community use the provided indicators of compromise to update defensive posture, as these actors continue to refine their ability to hide malicious intent within legitimate development workflows.

database-designgitlabjavascriptthreat-intelligence+3
gitlab

Getting started with GitLab Duo Agentic Chat (opens in new tab)

GitLab Duo Agentic Chat marks a shift from traditional Q&A chatbots to autonomous AI collaboration partners integrated directly into the software development lifecycle. By leveraging specialized agents and context-aware large language models, the platform enables developers to automate complex tasks like code refactoring, security remediation, and issue triaging. This system serves as a centralized interface across both the GitLab Web UI and IDEs to streamline workflows from initial planning to production deployment. ## Capabilities of Agentic AI * **Autonomous Actions:** The system can move beyond simple chat by creating files, modifying existing code, and opening merge requests on behalf of the user. * **Deep Context Integration:** Agents have access to the full GitLab ecosystem, including issues, epics, Git commits, CI/CD pipelines, and security scans. * **Extensibility:** Through the Model Context Protocol (MCP), the chat can integrate with external services to expand its functional scope. * **Information Retrieval:** Users can query project architecture or use GitLab Query Language (GLQL) to pull specific project analytics and insights. ## Model and Agent Customization * **Flexible Model Selection:** Users and administrators can choose from different LLMs based on task requirements, with configuration available at both the group and individual user levels. * **Specialized Agents:** The platform features dedicated agents for specific roles, such as the **Planner Agent** for product management and the **Security Analyst Agent** for vulnerability management. * **Contextual Switching:** In IDEs, users can switch between agents via a dropdown menu, while the Web UI allows for agent selection when starting new chat sessions. ## Specialized Workflow Use Cases * **Project Planning:** The Planner Agent can break down epics into smaller tasks, list high-priority bugs, and generate technical requirements for new features. * **Security Remediation:** Security-focused agents can explain vulnerabilities in simple terms, identify false positives in scans, and suggest specific code fixes for SQL injection or XSS risks. * **Troubleshooting and Debugging:** The system can analyze CI/CD pipeline logs to identify why a build failed and suggest optimizations for job performance. * **Legacy Modernization:** Specific prompts can guide the AI to refactor code to follow SOLID principles or create migration plans for modernizing legacy languages like COBOL to Java or Python. ## Access and Integration * **Interface Options:** The chat is accessible via a collapsible sidebar in the Web UI and through dedicated plugins in popular IDEs. * **Future Development:** While currently limited to UI and IDE interfaces, a GitLab Duo CLI is in development to bring agentic capabilities to the terminal. To get the most out of GitLab Duo Agentic Chat, it is recommended to transition between specialized agents as you move through different project phases. Using the Security Analyst for code reviews and the Planner for backlog grooming ensures that the underlying models are optimized for the specific metadata and constraints of those tasks.

database-designai-agentgitlabci-cd+4