GitLab 13.9 Release

Email notifications when PAT / SSH Keys are revoked

Email notifications when PAT / SSH Keys are revoked

Managing your namespace includes ensuring you know who has access and how. To promote the security of Personal Access Tokens (PATs), you should be able to revoke a user’s PAT when appropriate. To support this control, we’ve added a revoke button for self-managed administrators to revoke these credentials as needed. Now you can manage your users’ PATs and SSH keys from the Credential Inventory in a single screen.

Your users will now also receive an email notification when their PAT(s) or SSH key(s) are revoked or deleted by an administrator. These improvements provide more control for you to manage your users’ credentials and also provides transparency to the user so they can take actions to replace their credentials with minimal disruption.

Improve SAML Timeout Experience

Improve SAML Timeout Experience

When a user’s SAML session for a GitLab.com group reaches the 7 day timeout limit, the user will no longer need to click a confirmation page to renew their session. GitLab will automatically reach out to the Group’s Identity Provider to check for a valid session and extend it as needed. This change improves the group member’s experience and opens the door for decreasing the SAML session timeout in the future.

Manage Project Access Tokens through the API

Manage Project Access Tokens through the API

In GitLab 13.9, we introduced an API to manage project access tokens. API Access for project access tokens enable integration for users that want to control project access tokens provisioning in external systems or through custom automation.

User Busy status in issue and MR sidebar

User Busy status in issue and MR sidebar

In 13.8 we added a User Busy indicator to indicate whether coworkers are available for code reviews and other tasks. In this release, we’ve now included the User Busy indicator in the Assignee section of issue and merge request sidebars.

Filter roadmaps by confidentiality

Filter roadmaps by confidentiality

When viewing a roadmap, there used to be no way to hide confidential epics from the main view. This could be frustrating if you wanted to share your roadmap with a public audience.

In this release we’ve updated the search bar filter to include confidentiality. You now have another layer in which you can refine your roadmap.

Show epic comments on user activity feeds

Show epic comments on user activity feeds

Until now, interacting with epics didn’t add a note to the user’s activity page. This could have caused user to think they weren’t creating, managing or interacting with an epic properly, or may simply have made it more difficult for them to find their recent activity.

As of this release, you’ll be able to view all of your epic activity on the user activity page and in user profiles and use it to track your collaboration on epics.

Autocomplete GitLab CI Variables in VS Code

Autocomplete GitLab CI Variables in VS Code

GitLab CI is fast and highly configurable, but it can be hard to remember all the predefined environment variables, and the wrong typo can make your .gitlab-ci.yml file invalid. To make it easier to configure your GitLab CI pipeline, the 3.11.0 Release of GitLab Workflow provides auto completion for predefined environment variables when editing your .gitlab-ci.yml file.

Tooltips in the auto complete dialog provide information on what the variable can be used for as well as information on supported GitLab and Runner versions. These additional pieces of information really help to ensure your CI configuration will be valid.

Thanks to @KevSlashNull for the contribution!

Mark changes as viewed in merge requests

Mark changes as viewed in merge requests

When reviewing a merge request that changes many files, it is challenging to keep track of which files you have already reviewed. Reviews are inefficient when you’re required to re-review or spend additional time regaining context on each file in the merge request.

Files can now be marked as Viewed in merge requests to help signal to yourself that the file has been reviewed. This change allows reviewers to quickly stay up to speed on what they’ve reviewed and what still needs to be reviewed for the merge request.

View code review comments in VS Code

View code review comments in VS Code

In a previous release of GitLab Workflow for VS Code it became possible for you to view merge request changes in VS Code. However, seeing the changes proposed by a merge request is only part of reviewing that change and being able to respond to feedback.

With GitLab Workflow 3.10.0, comments provided on changes are now available as part of the diff view. This greatly improves your ability to action feedback provided on your merge request directly in the editor without the additional context switch between VS Code and GitLab.

We’re continuing to expand on Code Review experiences in VS Code. Responding to comments is up next.

GPU and smart scheduling support for GitLab Runner

GPU and smart scheduling support for GitLab Runner

Specialized compute workloads like those used in machine learning can significantly benefit from access to GPUs. Developers can configure GitLab Runner to leverage GPUs in the Docker executor by forwarding the --gpu flag. You can also use this with recent support in GitLab’s fork of Docker Machine, which allows you to accelerate workloads with attached GPUs. Doing so can help control costs associated with potentially expensive machine configurations.

Group code coverage data graph

Group code coverage data graph

Previously released, group code coverage data is an easy way to see current test coverage of the projects in a group and to get raw data for visualization outside of GitLab. Group code coverage data now includes a graph of the average coverage for all of a group’s projects so you can see how test coverage for the group is trending over time at a glance.

Instance configuration to control latest artifacts storage

Instance configuration to control latest artifacts storage

In the last release, we wanted to improve storage consumption management by adding a project setting to disable keeping the latest artifacts. GitLab recognizes that as a self-managed user, you may want to opt-out for your entire instance, so we have added a one-click option for you to disable keeping the latest artifacts for all your projects.

Automatically authenticate when using the Dependency Proxy

Automatically authenticate when using the Dependency Proxy

By proxying and caching container images from Docker Hub, the Dependency Proxy helps you to improve the performance of your pipelines. Even though the proxy is intended to be heavily used with CI/CD, to use the feature, you had to add your credentials to the DOCKER_AUTH_CONFIG CI/CD variable or manually run docker login in your pipeline. These solutions worked fine, but when you consider how many .gitlab-ci.yml files that you need to update, it would be better if the GitLab Runner could automatically authenticate for you.

Since the Runner is already able to automatically authenticate with the integrated GitLab Container Registry, we were able to leverage that functionality to help you automatically authenticate with the Dependency Proxy.

Now it’s easier to use the Dependency Proxy to proxy and cache your container images from Docker Hub and start having faster, more reliable builds.

Dedicated URL for CI/CD dashboard tabs

Dedicated URL for CI/CD dashboard tabs

In 13.8, we added support for deployment frequency charts under CI/CD Analytics. In this milestone, we added the ability to navigate directly to each of the CI/CD analytics charts by introducing a URL for each tab, making it easy to bookmark this page or send it to additional colleagues to view.

Support PRIVATE-TOKEN to create releases using the Release-CLI

Support PRIVATE-TOKEN to create releases using the Release-CLI

In this milestone, we added the ability to use the release-cli with a PRIVATE-TOKEN as defined in the Create a release API documentation. This enables overriding the user that creates a release, and supports automation by allowing connection of a project-level PRIVATE-TOKEN or by using a bot user account’s PRIVATE-TOKEN.

Assign incidents to milestones

Assign incidents to milestones

Not all incidents have the same severity. Many incidents must be immediately addressed to restore the services customers depend on. But some incidents are less critical and can be prioritized against other work and scheduled for a specific release or milestone for implementation. You can now assign low-severity incidents to a milestone from the right sidebar to manage them from your issue boards.

GitLab chart improvements

GitLab chart improvements

• Access Control for GitLab Pages is now available for Kubernetes deployments.
• It is now possible to set labels on all objects, such as deployments and horizontal pod autoscalers, in a more configurable manner. A new common.labels setting is available for each subchart.
• It is now possible to enable proxy protocol support, to support SSH in environments with an upstream proxy that adds the proxy protocol header, such as AWS ELB’s.
• redis has been updated to 6.0.10, and gitlab-exporter to v10

GitLab Exporter uses significantly less memory

GitLab Exporter uses significantly less memory

GitLab exporter measures various metrics from Redis and the database. We’ve reduced the memory consumption of GitLab exporter by ~60% (~67-71MB) by optimizing its configuration.

This is especially important when running GitLab exporter in memory-constrained environments.

Sort global search results by last updated time

Sort global search results by last updated time

You can choose to sort search results on the GitLab search result page. In GitLab 13.9, we added the ability to sort issues and merge requests results by their last updated time.

Dependency Scanning now supports npm lock files v2

Dependency Scanning now supports npm lock files v2

Users with node projects using npm 7’s lock file version 2 are now supported. Previously, Dependency Scanning would output the following error:[FATA] [Gemnasium] [2020-10-29T19:02:20Z] ▶ Wrong file format version.

Expanded support for Ruby in SAST scans

Expanded support for Ruby in SAST scans

We want to help developers write better code and worry less about common security mistakes. Static Application Security Testing (SAST) helps prevent security vulnerabilities by allowing developers to easily identify common security issues as code is being contributed and mitigate proactively. We’ve updated our Ruby on Rails SAST analyzer (Brakeman) to a new version (v5) which adds support for most Ruby files, not just Rails projects. This change expands the types of Ruby projects we support and introduces new detection rules. If you have a custom SAST.gitlab-ci.yml file, or override the GitLab SAST brakeman job, you may need to update your CI file to enable this additional scanning.

License Scanning now starts within its stage

License Scanning now starts within its stage

Previously, the default behavior was to start License Scanning when the pipeline started. This behavior was unexpected and inconsistent with other GitLab Secure jobs. The default behavior has now been changed so that License Scanning starts when the stage it’s in starts, not when the pipeline starts. If you have customized your .gitlab-ci.yml file and want your License Scanning job to only start when its stage starts, remove the needs: [] statement. If you use the default template and wish to revert the behavior, add the needs: [] statement.

Performance improvements

Performance improvements

In every release, we continue to make great strides improving GitLab’s performance. We’re committed to making every GitLab instance faster. This includes GitLab.com, an instance with over 1 million registered users!

In GitLab 13.9, we’re shipping performance improvements for issues, projects, milestones, and much more! Some improvements in GitLab 13.9 are:

• Multi-label search 5x-10x faster
• MR Analytics page load over 7x faster
• Set 1 second server side timeout on Elasticsearch counts
• Remove N+1 when loading labels in search dropdowns
• Improve epics limit in when rendering Roadmaps
• Remove blocked_by from issue link queries

Security Configuration page for all users

Security Configuration page for all users

With SAST and Secret Detection available to all GitLab customers, we wanted to improve the experience for developers enabling available security scans. We have had a guided configuration experience for Ultimate users and have now made a simplified version of this experience available to all users. This new configuration experience makes it easier for developers to understand which security scans are available to them, find relevant documentation, and provide simple enablement tools. With this initial release, we support a button to create a merge request for SAST. In a future release, we will add additional buttons to easily enable other scan types.

Group webhooks for subgroups

Group webhooks for subgroups

GitLab has made it easier for you to build subgroup management automation with a subgroup webhook. This webhook is triggered when a subgroup is created or deleted. Automation can now be built without relying on continuous API calls, which is cumbersome and puts an unnecessary performance load on your GitLab instance.

Improved user experience for the projects member list

Improved user experience for the projects member list

Our project members list has been redesigned to help project administrators quickly identify key attributes about their members for more effective user management. It includes more descriptive terminology, a new layout, headers for all columns, tooltips for key data elements, and more!

New merge request metric: mean time to merge

New merge request metric: mean time to merge

A new metric, mean time to merge (MTTM), is available in project-level merge request analytics. MTTM is the average time from when a merge request (MR) is created, until the time it is merged. By selecting different dates in the date range selector, you can see how your time to merge MRs changes over time and understand whether you are becoming more efficient at reviewing and merging code.

Bulk edit iterations on issues in groups and projects

Bulk edit iterations on issues in groups and projects

Instead of having to manually update the iteration on issues one at a time, you can now bulk update iterations from the issue list of a group or project.

Filter roadmaps by milestones

Filter roadmaps by milestones

Communicating your strategic plans or reporting on current work in flight requires being able to focus and filter the view of your roadmap. Further refine your roadmap view by filtering the visible epics by milestone.

This feature was behind a feature flag since GitLab 13.7, and now it’s available for everyone.

Apply a suggestion with a custom commit message

Apply a suggestion with a custom commit message

Suggesting changes to a merge request makes code review faster and easier by quickly proposing changes and applying the given feedback at a click of a button. However, we had a default commit message for applied suggestions that couldn’t be customized, preventing users from describing the change and eventually violating the project’s commit messages guidelines.

As a result, merge request authors were often forced to squash commits for the whole merge request, or having to manually apply suggestions locally, or going back and rewording the commits after applying the suggestions.

When applying a suggestion you’re now able to write a custom commit message. This allows authors and contributors to accept suggestions and follow commit message best practices for their projects. If no custom commit message is specified the suggestion is committed with a default commit message.

Create changelogs using the GitLab API

Create changelogs using the GitLab API

Previously, generating a changelog using GitLab was a manual process. Release Managers had to collect all the changes for a given release and then manually add them to a changelog file, which was time-consuming and prone to error. To make this process easier, we have now added an API that will automatically generate a changelog for a given release based on commit history. This enables development teams to better communicate changes to end users by delivering a consistent and comprehensive set of changelogs for every release.

Merge Refs for changes in merge requests

Merge Refs for changes in merge requests

Merge request diffs have been calculated by git diff target...source which compares HEAD of the target with the merge base of target and source. This works well, until changes from the target branch are merged into the source branch, creating a complete mess of the diff.

Merge requests now compare to <default branch> (HEAD) by default when viewing the changes tab of a merge request. This provides a more accurate and up-to-date diff of the changes during your review.

Access webhook pipeline trigger payloads in CI/CD jobs

Access webhook pipeline trigger payloads in CI/CD jobs

When triggering a pipeline with a webhook, the webhook’s payload was not accessible from any jobs in the resulting pipeline. In some cases, the payload carries important information that can determine how the triggered pipeline should work. In this release, we’ve added a new predefined variable to capture the webhook payload so you can easily incorporate it within your triggered pipelines.

GitLab Runner 13.9

GitLab Runner 13.9

We’re also releasing GitLab Runner 13.9 today! GitLab Runner is the lightweight, highly-scalable agent that runs your build jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What’s new:

• Add support for Nvidia docker runtime to the Kubernetes executor
• Control cache ZIP compression level
• Show artifact/cache upload progress
• Upgrade to PowerShell Core in Windows helper an CI image to 7.1.1
• Enable PowerShell Core support in Docker executor on Linux
• Enable PowerShell Core support in Kubernetes executor
• Automatically authenticate with the Dependency Proxy
• Use configured helper image for updating permissions in Kubernetes executor
• Connect to gitlab instance using self-signed cert with runner on OpenShift

Bug Fixes:

• Gitlab CI script doesn’t pass exit code of previous command properly
• Windows service “shutdown timed out”
• Variable masking issue with repeating characters
• OpenShift Operator-concurrent property of config.toml defined in config map not used

The list of all changes is in the GitLab Runner CHANGELOG.

Install GitLab Runner more easily with in-product help

Install GitLab Runner more easily with in-product help

When you’re not using the shared runners on GitLab.com, getting started with GitLab CI requires installing GitLab Runner and registering the runner to execute jobs in your pipeline. While the GitLab Runner installation process is well-documented, one of our goals is to make it as easy as possible for users to get started with GitLab CI. An initial step on this journey is to release a new GitLab Runner guided install modal window. With this feature, you can select a target platform, copy, and run the install commands without navigating away from the GitLab UI.

Allow or prevent duplicate Maven uploads

Allow or prevent duplicate Maven uploads

You can use the GitLab Package Registry to publish your Java dependencies with Maven or Gradle. By default, you can publish the same package name and version multiple times. This default was chosen based on the behavior of the most common public registries.

However, many of you have expressed that you’d like to prevent duplicate uploads, especially when it comes to releases. We’ve added a new group setting for the Package Registry, and you can now choose whether you’d like to allow or prevent duplicate Maven or Gradle uploads. As mentioned, to match the behavior of the public registries, duplicates will be allowed by default.

You can adjust this setting by using the GitLab API or from the application by navigating to Settings > Packages & Registries. In the coming milestones, we plan to expand this setting for each package manager format and add it to the user interface. Please follow along in the epic or consider contributing a change!

ConfigMap support for Kubernetes Agent Server

ConfigMap support for Kubernetes Agent Server

Users of Kubernetes Agent Server (kas) until now had to use command line arguments to customize their Agent Server installations. This setup proves inadequate for large-scale installations where declarative, repeatable setups are a core part of the workflow, and many arguments need custom settings. With the current GitLab release, the Kubernetes Agent Server helm charts can be installed by custom configs that get merged with the default configurations to make it simple to integrate an Agent Server installation with existing observability and monitoring tools.

Keyboard shortcut to toggle between GitLab and GitLab Next

Keyboard shortcut to toggle between GitLab and GitLab Next

This milestone introduces a keyboard shortcut that toggles between GitLab and GitLab Next. By using the g and x keys, which work from any area of GitLab, you can easily switch between GitLab and GitLab Next. A huge thanks to Yogi for a great community contribution!

Vault JWT (JSON Web Token) supports GitLab environments.

Vault JWT (JSON Web Token) supports GitLab environments.

To simplify integrations with HashiCorp Vault, we’ve shipped Vault JWT token support. From the launch, you could restrict access based on data in the JWT. This release gives you a new dimension for restricting access to credentials: the environment a job targets.

This release extends the existing Vault JWT token to support environment-based restrictions too. As the environment name could be supplied by the user running the pipeline, we recommend you use the new environment-based restrictions with the already-existing ref_type values for maximum security.

Access Control for Pages is now supported for Kubernetes deployments of GitLab

Access Control for Pages is now supported for Kubernetes deployments of GitLab

In GitLab 13.8 initial support for GitLab Pages was introduced for deployments of GitLab on Kubernetes, allowing users to easily deploy static websites.

With the release of GitLab 13.9, Access Control is now supported, optionally restricting access to the pages site to members of the project. All Pages features are now supported in the GitLab Helm chart.

Omnibus improvements

Omnibus improvements

• GitLab’s repository installation script now utilizes CentOS 7 packages for Amazon Linux 2 systems. Existing deployments of GitLab on Amazon Linux 2 can re-run the installation script to update. Note Amazon Linux 2 is not currently officially supported.
• redis has been updated to 6.0.10, logrotate to 3.18.0, and libtiff to 4.2.0
• GitLab 13.9 includes Mattermost 5.31.1, an open source Slack-alternative whose newest Extended Support Release offers bug fixes for increased stability and improvements in plugins. This version also includes security updates and upgrade from earlier versions is recommended.

Reduced Puma memory consumption on small instances

Reduced Puma memory consumption on small instances

By default Puma, the web server used by GitLab, uses multiple workers to improve performance. This is important for scaling GitLab but also results in increased memory consumption.

Small instances with few users and limited resources might not require multiple workers. For this use case, GitLab now supports running Puma in single mode, which reduces the memory consumption of the application at rest by around 250 MB.

Check out the list of current limitations. when running Puma in single mode.

Bug fixes

Bug fixes

Some of the notable bug fixes in GitLab 13.9 are:

• Opening Admin Settings page results in the 500 error
• Unit test report not populating when filename attribute is not present
• Builds with a dot “.” in their name fails to load test details in the UI
• SAST flawfinder fails in sast CI job with UnicodeDecodeError error
• SAST security-code-scan panics: index out of range error
• Housekeeping is not run on wiki repos, causing performance degradation over time
• Create issue from Vulnerability details - Edited text is discarded
• Description of Vulnerability is empty in GraphQL
• Network policy preview for deny all shows as allow all
• Error “Filenames contained invalid characters” when attaching images to ticket
• not_adjacent error when moving designs around
• Bug with roadmaps where epics show up twice in the UI
• When adding sub epic from sub group, wrong epic is added
• Geo: Fix concurrent VerificationBatchWorker jobs
• gitlab-ctl promotion-preflight-checks incorrectly fails with 0%
• UpdatePagesService jobs may cause backup jobs to fail with error ‘directory has vanished’
• Dependency Scanning analyzer was not updating the Vulnerability Database each scan for specific customers. Please read our blog for more details. Impacted customers are:
  • Customers with an edited Dependency Scanning template that pins their analyzers to a non-major-only tag (for example gemnasium:2.27.0)
  • Customers running in an Offline Environment
  • Customers that have a mirror of the analyzer docker registry
  • self-managed customers with a pull policy of never or if-not-present.
• Resource events created via the issue update API does not follow the updated_at param
• Project labels API return “404 Label Not Found” if label name contains dot “.”
• Project name to path conversion in API mangles dots
• Iteration reports not scoping correctly
• “List pipeline jobs” GitLab API does not return an information about retired jobs anymore
• Delayed and manual jobs with DAG are not skipped even they need a failed job

Dependency Scanning support added for sbt 1.3.0

Dependency Scanning support added for sbt 1.3.0

Users with Scala projects using sbt 1.3 and later can now benefit from Dependency Scanning. Previously only sbt versions 1.2 and below were supported.

Improved Android SAST Support

Improved Android SAST Support

Since GitLab 13.5, we’ve supported mobile SAST via MobSF. We’ve updated this analyzer to version 2.5 which includes many improvements to mobile scanning capabilities for Android. Major improvements include: adding OWASP MSTG mappings for improved vulnerability information, support for Android 10 API 29, xapk support, and National Information Assurance Partnership (NIAP) analysis for Android.

Our Mobile SAST security scanner is still considered experimental and requires enabling experimental features via a CI variable, SAST_EXPERIMENTAL_FEATURES. We expect to remove this requirement in an upcoming GitLab release.

Multi-project support for .NET SAST scanning

Multi-project support for .NET SAST scanning

GitLab security scans automatically detect code language and run appropriate analyzers. With monorepos, microservices, and multi-project repositories, more than one project can exist within a single GitLab repository. Previously our .NET SAST tool could only detect single projects in repositories. With this release, our .NET SAST analyzer can now intelligently detect multiple solution files (.sln) in .NET projects and report vulnerabilities across them. This will make it easier and more streamlined for users with multi-project .NET repos to leverage our SAST scanning.

SAST Support for .NET 5

SAST Support for .NET 5

Microsoft’s release of .NET 5.0 is the next major release of .NET Core which supports more types of apps and more platforms than .NET Core or .NET Framework. We have updated our .NET SAST analyzer, Security Code Scan to support this new version which is also now supported with our SAST language detection allowing GitLab SAST to automatically detect .NET 5 projects. This change was part of a community contribution by @shaun.burns.

Vulnerability Report Activity filter

Vulnerability Report Activity filter

Vulnerability Reports are often the primary way security teams triage and manage vulnerabilities. The current filtering and sorting options provide quick ways to focus the list view on a subset of vulnerabilities for more efficient workflows. You can also see any vulnerabilities that have associated issues or which subsequent scans indicate are resolved. This Activity column indicates at a glance which vulnerabilities might be ready to close out, which are in progress, and which ones might need some attention. However, this column was not one you could filter or sort on!

Now have even more control of your Vulnerability Report experience with the introduction of an Activity filter. Available in the Project, Group, and Security Center Vulnerability Reports, this new filter allows you to view vulnerabilities with issues that are not yet resolved, that are resolved but have no associated issues, that have issues and are resolved, or that have no activity. The available filter options are mutually exclusive sets, allowing you to drill into precisely the vulnerability list view you need for any task.