GitLab 19.0: Intelligent Orchestration for DevSecOps

Engineering teams shipping more code than ever face a growing gap: AI accelerates code generation, but securing credentials, reviewing changes, and governing what ships have not kept pace. GitLab 19.0 addresses this directly.

GitLab 19.0 is the latest major release of the GitLab DevSecOps platform, introducing capabilities that embed security, automation, and governance into the same environment where code is written and deployed. The release targets the AI Paradox — the reality that faster code generation creates new operational and security risks if surrounding workflows remain manual or fragmented.

What was announced

GitLab Inc. released GitLab 19.0 on May 21, 2026, advancing the platform's agentic core with five major capability areas spanning secrets management, merge request automation, CI/CD component observability, self-hosted AI model support, and supply chain visibility.

GitLab Secrets Manager enters public beta for Premium and Ultimate users. It stores credentials inside the same platform that runs code and pipelines, scoping each secret to only the jobs authorized to use it. Access control and audit logging use the existing group and project structure in GitLab, with no separate permission model to maintain. Integration with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager is preserved.

Developer Flow now covers the full merge request lifecycle. Two new beta capabilities complement the existing flow: a Resolve with Duo button that evaluates both branches, commits a proposed fix, and leaves a summary comment for the next reviewer; and one-click rebase-and-merge for teams using semi-linear or fast-forward merge methods. Developer Flow reads project-specific standards from AGENTS.md before committing, ensuring output reflects team context rather than generic defaults. Available for Free, Premium, and Ultimate tiers.

Components Analytics gives platform engineering teams visibility into which CI/CD Catalog components and versions are running across their organization. Adoption data is available for Free, Premium, and Ultimate tiers; per-component drill-down is available for Ultimate tier users.

GitLab Duo Agent Platform Self-Hosted gains four new open source model options: Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, and MiniMax-M2.7. These additions support teams in air-gapped or regulated environments that cannot send source code to external APIs. Deployment is supported via vLLM on GPU-enabled infrastructure and hybrid configurations mixing self-hosted and GitLab-managed models.

Software supply chain visibility is strengthened through dependency scanning with a software bill of materials (SBOM) for Ultimate tier users, producing an auditable inventory of third-party components matched against GitLab security advisories. Security configuration profiles allow teams to enable Secret Detection, SAST, and Dependency Scanning across projects through policies rather than per-project CI configuration changes.