• GitLab Secrets Manager, now in public beta, scopes credentials to individual jobs and governs access through the same controls used for code.
• Developer Flow now handles the full merge request lifecycle, from reviewer feedback and conflict resolution to one-click rebase-and-merge.
• Components Analytics gives platform engineering teams visibility into which CI/CD Catalog components and versions are running across their organization.
• GitLab Duo Agent Platform Self-Hosted gains four new open source model options for teams using air-gapped and regulated environments.
• Dependency scanning with a software bill of materials and security configuration profiles gives teams auditable control and visibility over what ships.

SAN FRANCISCO--(BUSINESS WIRE)--May 21, 2026-- All Remote — GitLab Inc., the intelligent orchestration platform for DevSecOps, today released GitLab 19.0, expanding secrets management, agentic merge request workflows, CI pipeline visibility, self-hosted open source model support, and supply chain visibility.

Engineering organizations shipping more code than ever are confronting the AI Paradox firsthand, as the surrounding workflows for securing credentials, reviewing and merging changes, enforcing pipeline standards, and running AI in regulated environments have not kept pace. GitLab 19.0 advances the platform's agentic core by embedding those capabilities where teams already work, helping reduce the handoffs between writing code and shipping it.

GitLab Secrets Manager Enters Public Beta

GitLab Secrets Manager, now in public beta for GitLab Premium and Ultimate users, stores credentials inside the same platform that runs code and pipelines, scoping each secret to only the jobs authorized to use it. Access control and audit logging use the same group and project structure already in GitLab, with no separate permission model to maintain. If a credential is compromised, responders can trace every job that used it from the GitLab audit trail, linked to the originating pipeline, without correlating logs across separate systems. It works alongside existing integrations with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

Developer Flow Extends Across the Full Merge Request Lifecycle

GitLab 19.0 extends Developer Flow across the full MR lifecycle to address reviewer feedback, resolve conflicts, split oversized MRs, and implement features at any stage. Since the flow reads project-specific standards from AGENTS.md before committing, the output reflects team context, workflows, and guardrails rather than generic defaults.

Two new capabilities, now in beta, round out the flow including a Resolve with Duo button that evaluates both branches, commits a proposed fix, and leaves a summary comment for the next reviewer, and one-click rebase-and-merge for teams using semi-linear or fast-forward merge methods. It is available for Free, Premium, and Ultimate tier users.

Components Analytics Closes the Visibility Gap in Shared CI Infrastructure

Components Analytics gives platform engineering teams visibility into which CI/CD Catalog components are running across their organization, and which versions are in use. The data resides in GitLab's unified platform, so teams can see and act on it without switching tools. Adoption data is available for Free, Premium, and Ultimate tier users, and the per-component drill-down is available for Ultimate tier users.

GitLab Duo Agent Platform Self-Hosted Gains New Open Source Model Options

GitLab Duo Agent Platform Self-Hosted now runs its agents on four additional open source models, Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, and MiniMax-M2.7. The additions support teams in air-gapped or regulated environments that can’t send source code to external APIs. Each model was evaluated against GitLab Duo Agent Platform task requirements including multi-step tool use, code generation quality, and reasoning across large code differences. Both on-premises and private cloud deployment options are supported, including deployment via vLLM on GPU-enabled infrastructure and hybrid configurations that mix self-hosted and GitLab-managed models.

Strengthening Software Supply Chain Visibility

GitLab 19.0 adds security capabilities that give teams more control over governing what ships and who can access the platform. Dependency scanning with a software bill of materials (SBOM) produces an auditable inventory of third-party components matched against GitLab security advisories, giving Ultimate tier users evidence of what entered each build without a separate tool. Security configuration profiles allow teams to turn on Secret Detection, SAST, and Dependency Scanning across projects through policies rather than per-project CI configuration changes.

To learn more about GitLab 19.0, please read the what’s new page.

Supporting Quote

• “AI made it faster to generate code, but it didn't make it easier to trust or secure it at scale," said Manav Khurana, chief product and marketing officer at GitLab. "When security, automation, and governance share the same platform as the code, teams can move fast on AI without losing control of what ships, and that's exactly what GitLab 19.0 delivers.”

About GitLab

GitLab is the intelligent orchestration platform for DevSecOps. GitLab enables organizations to increase developer productivity, improve operational efficiency, reduce security and compliance risk, and accelerate digital transformation. More than 50 million registered users and 50% of the Fortune 100* trust GitLab to ship better, more secure software faster.

*Fortune 500® is a registered trademark of Fortune Media IP Limited, used under license. Claim based on GitLab data. Fortune 100 refers to the top 20% ranked companies in the 2025 Fortune 500 list, published in June 2025. Fortune and Fortune Media IP Limited are not affiliated with, and do not endorse products or services of GitLab.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260521893408/en/

Media Contact
Christina Weaver
press@gitlab.com

Source: GitLab Inc.