GitLab 19.0 adds secrets manager & AI workflow tools

GitLab has released GitLab 19.0, broadening its DevSecOps platform across security, workflow automation and software supply chain oversight.

The update adds a public beta for GitLab Secrets Manager, expands Developer Flow across the merge request process, introduces analytics for shared CI components, adds more self-hosted open source model options for GitLab Duo Agent Platform, and extends dependency scanning and security policy controls.

One of the main changes is the public beta launch of GitLab Secrets Manager for Premium and Ultimate users. The tool stores credentials within GitLab and limits each secret to authorised jobs, using the same group and project access controls and audit logging already applied to code and pipelines.

Teams can trace how a compromised credential was used through GitLab's audit trail and back to the originating pipeline, rather than piecing together records from separate systems. The feature also works alongside existing integrations with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault and Google Cloud Secret Manager.

Merge request flow

GitLab has also expanded its Developer Flow feature to cover the full merge request lifecycle. It can now address reviewer feedback, resolve conflicts, split oversized merge requests and implement features at different stages of the review process.

The flow reads project-specific standards from AGENTS.md before committing changes so outputs follow a team's own standards and processes. Two new beta features are part of that expansion: a Resolve with Duo button that evaluates both branches, commits a proposed fix and leaves a summary comment for the next reviewer, and a one-click rebase-and-merge option for teams using semi-linear or fast-forward merge methods.

These merge request functions are available across Free, Premium and Ultimate tiers. The move reflects a broader push by software vendors to apply AI-based assistance to day-to-day engineering workflows beyond code generation alone.

Pipeline visibility

GitLab 19.0 also introduces Components Analytics for platform engineering teams managing shared continuous integration infrastructure. The feature shows which CI/CD Catalog components are running across an organisation and identifies the versions in use.

The information sits within GitLab's platform, allowing teams to view and act on the data without switching tools. Adoption data is available to users on Free, Premium and Ultimate tiers, while per-component drill-down is reserved for Ultimate users.

The addition addresses a common problem for larger engineering organisations that rely on reusable CI components across multiple teams. Without central visibility, platform teams can struggle to understand uptake, detect outdated versions or enforce standardisation.

Self-hosted models

For customers running AI tools in controlled environments, GitLab has added four open source model options to GitLab Duo Agent Platform Self-Hosted: Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6 and MiniMax-M2.7. The offering is aimed at teams in air-gapped or regulated settings that cannot send source code to external application programming interfaces.

GitLab evaluated the models against task requirements including multi-step tool use, code generation quality and reasoning across large code differences. It supports both on-premises and private cloud deployment, including vLLM on GPU-enabled infrastructure and hybrid setups that combine self-hosted and GitLab-managed models.

Supply chain controls

The release also extends software supply chain oversight. Dependency scanning with a software bill of materials gives Ultimate users an auditable inventory of third-party components matched against GitLab security advisories, creating a record of what entered each build without requiring a separate tool.

Security configuration profiles have also been added, allowing teams to enable Secret Detection, SAST and Dependency Scanning across projects through policy controls rather than changing CI configuration on each project individually. The central approach is designed to help engineering and security teams apply common rules across large code estates.

GitLab framed the release around the gap between faster code production and the operational work needed to secure, review and ship that code. It argued that teams are producing more software with AI assistance, while surrounding controls and workflows have lagged behind.

"AI made it faster to generate code, but it didn't make it easier to trust or secure it at scale," said Manav Khurana, Chief Product and Marketing Officer, GitLab. "When security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships, and that's exactly what GitLab 19.0 delivers."