GitLab / devsecops

13 posts

GitLab backs 99.9% availability SLA with service credits

GitLab has introduced a 99.9% availability service-level agreement (SLA) specifically for Ultimate customers on GitLab.com and GitLab Dedicated. This commitment is backed by service credits to ensure that mission-critical DevSecOps workflows remain uninterrupted and to align GitLab's interests with customer business outcomes. By formalizing this uptime guarantee, GitLab aims to provide a reliable foundation for high-velocity teams that depend on continuous code pushes and automated deployments.

## Scope of Covered Services

The SLA covers the core platform experiences essential to daily software delivery workflows:

* Issue and merge request management.
* Git operations, including push, pull, and clone actions over both HTTPS and SSH.
* Operations within the Container Registry and Package Registry.
* API requests associated with the core services listed above.

## Defining and Measuring Downtime

Service availability is tracked via automated monitoring across multiple geographic locations to reflect actual user experience.

* A "downtime minute" is recorded when 5% or more of valid customer requests result in server errors.
* Server errors are strictly defined as HTTP 5xx status codes or connection timeouts exceeding 30 seconds.
* While monitoring focuses on server-side failures, GitLab will also holistically review claims for issues that might not trigger 5xx errors, such as Sidekiq job processing outages or specific application bugs.

## Service Credit Claim Procedure

To maintain accountability, GitLab has established a formal process for Ultimate customers to recoup costs during outages:

* Customers must submit a support request at support.gitlab.com within 30 days of the end of the month in which the downtime occurred.
* The GitLab team validates the claim against internal and external monitoring data.
* Validated service credits are applied directly to the customer's next issued invoice, with the credit amount scaled to the severity of the availability shortfall.

Ultimate customers should familiarize their operations teams with these specific performance thresholds and the 30-day claim window to ensure they are adequately compensated during significant service disruptions.

GitLab extends Omnibus package signing key expiration to 2028

GitLab has extended the expiration of its GNU Privacy Guard (GPG) key used for signing Omnibus packages from February 2026 to February 16, 2028. This extension ensures the continued integrity of packages created within CI pipelines while remaining compliant with GitLab's internal security policies regarding key exposure. By opting to extend the current key rather than rotating to a new one, GitLab aims to minimize administrative overhead for users who would otherwise be required to replace their trusted keys.

### Purpose and Scope of the Key Extension

* The GPG key is specifically dedicated to signing Omnibus packages to prevent tampering; it is distinct from the keys used for repository metadata (apt/yum) and the GitLab Runner.
* GitLab periodically extends the expiration of these keys to limit the potential impact of a compromise while adhering to modern security standards.
* The decision to extend rather than rotate was made specifically to be less disruptive to the user base, as rotation mandates a manual replacement of the trusted key on all client systems.

### Impact and Required Actions

* Users who do not specifically verify package signatures, or have not configured their package managers to do so, require no action to continue installing updates.
* Administrators who validate Omnibus package signatures must update their local copies of the public key to reflect the 2028 expiration date.
* The updated key can be found on GPG keyservers by searching for the ID `98BF DB87 FCF1 0076 416C 1E0B AD99 7ACC 82DD 593D` or the email `packages@gitlab.com`.
* A direct download of the public key is also available through the official GitLab packages repository URL.

Organizations that verify package signatures should refresh their trusted GPG keys as soon as possible to ensure seamless updates leading up to the original 2026 deadline. If technical issues arise during the update process, GitLab recommends opening an issue in the omnibus-gitlab tracker for support.

DevSecOps-as-a-Service on Oracle Cloud Infrastructure by Data Intensity

Data Intensity's DevSecOps-as-a-Service provides a solution for organizations that require the granular control of GitLab Self-Managed but wish to eliminate the operational burden of infrastructure maintenance. By hosting dedicated GitLab instances on Oracle Cloud Infrastructure (OCI), the service combines the security and customization of a self-managed environment with the convenience of a fully managed platform. This partnership enables teams to focus on software delivery while leveraging expert management for high availability and disaster recovery.

### The Benefits of GitLab Self-Managed

* Offers complete ownership of data residency and instance configuration to meet strict regulatory and compliance requirements.
* Enables deep customization and integration possibilities that are often restricted in standard SaaS environments.
* Addresses the challenges of manual server management, upgrades, and high-availability scaling by offloading these tasks to a managed provider.

### Managed Service Features and Support

* Provides 24/7 monitoring, alerting, and expert technical support for standalone GitLab instances.
* Includes scheduled quarterly patching performed during customer-specified maintenance windows to minimize disruption.
* Ensures business continuity through automated backups and professional disaster recovery protection.
* Utilizes tiered architectures designed to scale based on specific user capacities and recovery time objectives.

### Infrastructure Optimization via OCI

* Delivers significant cost efficiency, with organizations typically realizing 40-50% reductions in infrastructure spending compared to other hyperscalers.
* Supports diverse deployment models, including Public Cloud, Government Cloud, EU Sovereign Clouds, and dedicated infrastructure behind a corporate firewall.
* Maintains consistent pricing and operational tooling across hybrid, global, and regulated environments.

### Implementation and Migration

* Data Intensity offers optional migration services to transition existing code repositories and configurations to the OCI environment seamlessly.
* The service is specifically designed for organizations with predictable cost requirements and those lacking in-house infrastructure expertise.
* Deployment planning involves tailored consultations to match specific compliance and data residency needs with OCI's global region availability.

This managed service is a recommended path for enterprise teams that need to prioritize data sovereignty and flexibility without sacrificing the speed of a turnkey solution. Organizations currently using or planning to adopt OCI can leverage this service to standardize their DevSecOps workflows while achieving significant infrastructure savings.

Claude Opus 4.6 now available in GitLab Duo Agent Platform

GitLab has integrated Anthropic's Claude Opus 4.6 into its Duo Agent Platform, providing developers with a high-intelligence frontier model designed for complex agentic workflows. By combining a 1-million-token context window with native access to DevSecOps data, the update enables more autonomous task execution and deeper reasoning within the software development lifecycle. This integration allows teams to delegate multi-step tasks to AI agents that can now process entire codebases and project histories in a single interaction.

## Advanced Agentic Capabilities and Reasoning

* Claude Opus 4.6 features enhanced "agentic" behavior, meaning it can proactively take actions and drive tasks forward with minimal human intervention.
* The model supports multi-agent orchestration, allowing it to spin up subagents and coordinate parallel workstreams to solve complex, multi-step problems.
* Adaptive thinking capabilities allow the model to calibrate its reasoning depth based on the query, using extended thinking for difficult tasks while maintaining speed for simpler ones.
* Deep reasoning via test-time compute helps the model navigate challenging development bottlenecks and architectural decisions.

## Full-Context DevSecOps Integration

* The model offers a 1-million-token context window, a fivefold increase over Opus 4.5, enabling the processing of massive codebases and extensive documentation.
* Integration with the GitLab Duo Agent Platform provides the model with direct access to repositories, merge requests, pipelines, and security findings.
* Enterprise-grade security features, including human-in-the-loop controls and group-based access, ensure that agentic actions remain transparent and governed.
* Native integration ensures developers can utilize these frontier capabilities without leaving their established GitLab workflows.

## Availability and Resource Consumption

* Opus 4.6 is currently available for GitLab.com users via the Duo Agent Platform and Agentic Chat, though it is not supported for GitLab Duo Classic features.
* Support for the model within various Integrated Development Environments (IDEs) is expected to be released in the near future.
* Usage is managed via GitLab credits, with multipliers determined by the size of the prompt.
* Prompts containing 200k tokens or fewer are charged at 1.2 requests per credit, while larger prompts exceeding 200k tokens are charged at 0.7 requests per credit.

Organizations aiming to automate complex development workstreams should migrate their specialized agents to Claude Opus 4.6 to take advantage of its superior orchestration and context handling. By leveraging the model's ability to coordinate parallel subagents, teams can significantly reduce the manual effort required for codebase-wide refactors and security remediation.

GitLab Bug Bounty Program policy updates

GitLab has updated its HackerOne Bug Bounty program policies to improve transparency and streamline the reporting process for security researchers. These changes emphasize a shift toward local testing environments and provide much-needed clarity on the scope of emerging threats like AI prompt injection and denial-of-service attacks. By refining these guidelines, GitLab aims to protect its production infrastructure while ensuring researchers have clear, objective criteria for submitting high-impact vulnerabilities.

### Enhanced Testing Guidance

* GitLab now strongly recommends using the GitLab Development Kit (GDK) for local testing, allowing researchers to experiment with cutting-edge features without risking production stability.
* Researchers investigating potential Denial-of-Service (DoS) impacts are advised to use self-managed GitLab instances that meet or exceed standard installation requirements.
* Any testing performed on GitLab.com production architecture must utilize test accounts created specifically with the `@wearehackerone.com` email alias.

### Refined Vulnerability Scope

* Denial-of-Service (DoS) is generally classified as out of scope, though exceptions exist for application-layer vulnerabilities, such as ReDoS or logic bombs, that cause persistent service disruption via unauthenticated endpoints.
* Standalone prompt injection is no longer eligible for bounties unless it serves as a primary vector to achieve security breaches beyond the initial AI boundary.
* The policy clarifies the distinction between metadata enumeration and privacy breaches, noting that general information gathering remains out of scope while exposure of confidential data is strictly in scope.

### Transition and Grace Period

* To support researchers with ongoing investigations, GitLab is honoring a seven-day grace period for DoS reports submitted before January 22, 2026 (9:00 p.m. PT).
* Reports submitted during this window will be evaluated under the previous policy to ensure fairness and maintain trust within the researcher community.

Security researchers should immediately update their testing workflows by downloading the GitLab Development Kit and reviewing the updated CVSS calculator on the HackerOne program page to ensure their findings align with the new severity standards.

Agentic AI, enterprise control: Self-hosted Duo Agent Platform and BYOM

GitLab 18.9 introduces critical updates designed to provide regulated enterprises with governed, agentic AI capabilities through self-hosted infrastructure and model flexibility. By combining the Duo Agent Platform with Bring Your Own Model (BYOM) support, organizations in sectors like finance and government can now automate complex DevSecOps workflows while maintaining total control over data residency. This release transforms GitLab into a high-security AI control plane that balances the need for advanced automation with the rigid sovereignty requirements of high-compliance environments.

## Self-Hosted Duo Agent Platform for Online Cloud Licenses

The Duo Agent Platform allows engineering teams to automate sequences of tasks, such as hardening CI/CD pipelines and triaging vulnerabilities, but was previously difficult to deploy for customers under strict online cloud licensing. This update makes the platform generally available for these environments, bridging the gap between cloud-based licensing and self-hosted security needs.

* **Usage-Based Billing:** The platform now utilizes GitLab Credits to provide transparent, per-request metering, which is essential for internal chargeback and regulatory reporting.
* **Infrastructure Control:** Enterprises can host models on their own internal infrastructure or within approved cloud environments, ensuring that inference traffic is routed according to internal security policies.
* **Deployment Readiness:** By removing the requirement to route data through external AI vendors, the platform is now a viable option for critical infrastructure and government agencies.

## Bring Your Own Model (BYOM) Integration

Recognizing that many enterprises have already invested in domain-tuned LLMs or air-gapped deployments, GitLab now allows customers to integrate their existing models directly into the Duo Agent Platform. This ensures that organizations are not locked into a specific vendor and can leverage models that have already passed internal risk assessments.

* **AI Gateway Connectivity:** Administrators can connect third-party or internal models via the GitLab AI Gateway, allowing these models to function as enterprise-ready options within the GitLab ecosystem.
* **Granular Model Mapping:** The system provides the ability to map specific models to individual Duo Agent Platform flows or features, giving admins fine-grained control over which agent uses which model.
* **Administrative Ownership:** While GitLab provides the orchestration layer, administrators retain full responsibility for model validation, performance tuning, and risk evaluation for the models they choose to bring.

For organizations operating in high-compliance sectors, these updates offer a path to consolidate fragmented AI tools into a single, governed platform. Engineering leaders should evaluate their current model investments and leverage the GitLab AI Gateway to unify their automation workflows under one secure DevSecOps umbrella.

Track vulnerability remediation with the updated GitLab Security Dashboard

The updated GitLab Security Dashboard addresses the challenge of vulnerability overload by shifting the focus from simple detection to contextual remediation and risk management. By providing integrated trend tracking and sophisticated risk scoring, the platform enables security and development teams to prioritize high-risk projects and measure the actual progress of their security programs. This update transforms raw security data into actionable insights that are tracked directly within the existing DevSecOps workflow.

## Transitioning from Detection to Remediation Context

* Consolidates vulnerability data into a single view that spans projects, groups, and entire business units to eliminate data silos.
* Introduced initial time-based tracking in version 18.6, with version 18.9 adding expanded filters for severity, status, scanner type, and project.
* Provides visualizations for remediation velocity and vulnerability age distribution, moving beyond static raw counts to show how quickly threats are being addressed.

## Data-Driven Prioritization with Risk Scoring

* Utilizes a dynamic risk score calculated from multiple factors, including vulnerability age and repository security postures.
* Integrates external threat intelligence such as the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerability (KEV) scores to identify the most critical threats.
* Allows teams to monitor risk scores over time to pinpoint specific areas of the infrastructure that require additional resources or immediate intervention.

## Strategic Impact for Security and Development Teams

* Enables security leaders to prove program effectiveness to executives by showing downward trends in Common Weakness Enumeration (CWE) types and shrinking backlogs.
* Streamlines the developer experience by highlighting critical vulnerabilities within active projects, removing the need for external spreadsheets or manual reporting tools.
* Identifies specific teams or departments that may require additional remediation training based on their ability to meet company security policies.

Organizations should leverage these updated dashboard features to transition from manual, reactive security tracking to an automated, risk-based posture. By integrating EPSS and KEV data into daily workflows, teams can ensure they are solving the most dangerous vulnerabilities first while maintaining a clear, measurable record of their security improvements.

Monitor, manage, and automate AI workflows

The GitLab Duo Agent Platform's Automate capabilities provide a centralized framework for managing, executing, and monitoring AI-driven development workflows within the software development lifecycle. By integrating event-driven triggers and detailed session logging, the platform allows developers to transition from manual AI interactions to fully autonomous, production-ready processes. This orchestration layer ensures that AI agents are not only performant but also transparent and easy to audit across projects.

## Resource Management for Agents and Flows

The Automate hub serves as the control center for organizing AI resources, distinguishing between agents (entities that perform tasks) and flows (structured sequences of actions).

* Resources are categorized into "Enabled" (those available for project use) and "Managed" (those created and owned specifically by the project).
* Custom agents and flows must be enabled at the top-level group before they can be activated for specific projects.
* Users can expand their automation library by browsing and enabling pre-configured resources from the GitLab AI Catalog.

## Event-Driven Automation with Triggers

Triggers allow AI agents to respond automatically to specific actions within the GitLab interface, eliminating the need for manual invocation.

* Automation can be initiated through three primary event types: user mentions (e.g., `@agent-name`), issue/MR assignments, or reviewer assignments.
* When a trigger is activated, the system identifies the associated flow, executes the agent, and posts the final results directly back to the relevant issue or merge request.
* Common use cases include using the `/assign` quick action to trigger a CI/CD optimizer or a code explanation agent.

## Workflow Monitoring and Session Transparency

The Sessions interface provides a detailed audit trail for every execution, offering visibility into the "black box" of AI decision-making.

* The Activity tab tracks step-by-step reasoning, showing exactly which tools the agent used and the results of individual actions.
* Execution statuses are monitored in real time, with labels such as Running, Finished, Failed, or Input Required.
* The Details tab provides deep technical context by linking directly to Runner job logs, including system messages and full tool invocation outputs.

## Practical Conclusion

To maximize the utility of the GitLab Duo Agent Platform, teams should move beyond experimental chat prompts and begin configuring triggers for repetitive tasks like code review assignments or issue triaging. Utilizing the Sessions tool is recommended during the initial rollout phase to verify agent reasoning and ensure that custom flows are interacting correctly with project data before full-scale deployment.

Get started with GitLab Duo Agent Platform: The complete guide

The GitLab Duo Agent Platform represents a shift in AI-assisted development by moving from individual chat-based interactions to a collaborative multi-agent orchestration layer. By integrating specialized AI agents throughout the software development lifecycle, the platform transforms linear DevSecOps workflows into parallel processes that leverage full project context for tasks like security scanning and code refactoring. This architecture allows development teams to delegate routine technical burdens to autonomous agents, focusing human efforts on high-level innovation and complex problem-solving.

### Orchestrating the DevSecOps Lifecycle

The platform functions as a central intelligence layer that connects AI agents to the broader GitLab ecosystem.

* Agents access comprehensive project context, including source code management, CI/CD pipelines, issue tracking, and security scan results.
* Specialized agents can be assigned to specific technical domains such as research, refactoring, and automated testing.
* The system enables asynchronous collaboration, allowing multiple agents to work on different stages of a project simultaneously.

### Evolution from Duo Enterprise to Agentic AI

The Duo Agent Platform is a superset of previous GitLab AI offerings, moving beyond simple 1:1 user-to-AI interactions.

* GitLab Duo Pro focused on individual IDE productivity through code suggestions and basic chat.
* GitLab Duo Enterprise expanded AI to the wider software lifecycle but remained primarily a 1:1 Q&A experience.
* The Agent Platform introduces a many-to-many collaboration model where teams and multiple specialized agents interact autonomously to handle production-ready workflows.

### Advanced Integration and Customization

To support enterprise-grade automation, the platform provides a roadmap for scaling AI from basic interactions to production environments.

* Integration with the Model Context Protocol (MCP) allows for expanded data access and agent capabilities.
* The platform supports a progression from initial agent interactions to full workflow customization and production-ready automation.
* Developers can leverage the eight-part guide series to move from foundational concepts to advanced technical implementations.

To maximize the benefits of agentic AI, organizations should transition from viewing AI as a simple Q&A tool to treating it as an orchestration layer. Teams are encouraged to explore the complete introductory series to begin delegating routine maintenance and security tasks to specialized agents, thereby accelerating overall delivery speed.