GitLab 19.0: Intelligent DevSecOps Orchestration for AI-Era Delivery

GitLab 19.0 closes the gap between writing code and shipping it by embedding security, automation and governance into the same platform where teams already work.

Engineering organizations are shipping more code than ever, yet the workflows that surround that code, credential handling, merge request review, CI standardization and AI in regulated environments, have not kept pace. This is the AI Paradox: faster generation, slower trust. GitLab 19.0 responds by extending its agentic core directly into those workflows, reducing handoffs between development, security and operations.

What was announced

On May 21, 2026, GitLab Inc. released GitLab 19.0, expanding capabilities across five key areas: secrets management, agentic merge request workflows, CI/CD component visibility, self-hosted open source AI models, and software supply chain governance.

GitLab Secrets Manager enters public beta for Premium and Ultimate users, storing credentials inside the same platform that runs code and pipelines and scoping each secret to only the jobs authorized to use it. Developer Flow now spans the full merge request lifecycle, including a Resolve with Duo button and one-click rebase-and-merge for semi-linear or fast-forward merge strategies. Components Analytics gives platform engineering teams visibility into which CI/CD Catalog components and versions run across the organization. GitLab Duo Agent Platform Self-Hosted adds four open source models, Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6 and MiniMax-M2.7, for air-gapped and regulated deployments. Dependency scanning with SBOM output and security configuration profiles round out the supply chain story.

Why this matters

For CIO, CISO, IT directors and procurement leaders, GitLab 19.0 consolidates capabilities that traditionally lived in separate tools. Secrets, audit trails, CI policies, AI agents and dependency inventories now share the same group and project model, which simplifies access governance and reduces the cost of correlating logs across systems during incident response.

The self-hosted AI options matter for regulated industries that cannot send source code to external APIs. SBOM-based dependency scanning gives Ultimate tier customers auditable evidence of what entered each build, supporting compliance with emerging supply chain regulations.

AI made it faster to generate code, but it did not make it easier to trust or secure it at scale. When security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships, and that is exactly what GitLab 19.0 delivers.

Technical details

• GitLab Secrets Manager (public beta): per-job credential scoping, native audit trail, interoperability with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault and Google Cloud Secret Manager.
• Developer Flow across MR lifecycle: reads project standards from AGENTS.md, resolves conflicts, splits oversized MRs, includes Resolve with Duo and one-click rebase-and-merge (beta).
• Components Analytics: adoption data for Free, Premium and Ultimate; per-component drill-down for Ultimate.
• GitLab Duo Agent Platform Self-Hosted: adds Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, MiniMax-M2.7; on-premises and private cloud via vLLM on GPU infrastructure, plus hybrid configurations.
• Supply chain controls: SBOM-based dependency scanning matched against GitLab security advisories; security configuration profiles enable Secret Detection, SAST and Dependency Scanning via policy rather than per-project CI edits.

Softprom and GitLab

Softprom is the official partner of GitLab. Our team supports organizations in evaluating, deploying and scaling GitLab across DevSecOps initiatives, including licensing, architecture consulting and enablement for engineering and security teams.

This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news. Original source: original article.