New features are regularly released to GitLab SaaS (GitLab.com), with a packaged release available for GitLab Self-Managed every month. Read on to learn more about the new features available on GitLab.com. Note that it may take a few days for a feature to become fully available on GitLab.com, due to deployment schedule and potential
feature flags.
Additional information on
past
releases is available; be sure to check out the
release for other features we've launched recently. We also have information about
upcoming releases
if you're interested in seeing what we are doing next.
Key improvements released in GitLab Preview
Use self-hosted model for GitLab Duo Chat
You can now host your own supported large language models (LLMs) and configure them to enable self-hosted GitLab Duo Chat. This feature is in beta and available with an Ultimate and Duo Enterprise subscription on GitLab self-managed.
With self-hosted models, you can use models hosted either on-premise or in a private cloud to enable GitLab Duo Chat or Code Suggestions (introduced as a beta feature in GitLab 17.5). We currently support open-source Mistral models on vLLM or AWS Bedrock, Claude 3.5 Sonnet on AWS Bedrock, and OpenAI models on Azure OpenAI. By enabling self-hosted models, you can leverage the power of generative AI while maintaining complete data sovereignty and privacy.
Please leave feedback in issue 501268.
Filter by Identifier on the Vulnerability Report
On the project level Vulnerability Report you can now filter by vulnerability identifiers. This will allow you to find specific vulnerabilities that are in your project.
For this iteration, filtering by identifier will be limited to the first 100 records. The identifier can be used in conjunction with other filters, i.e. severity, status, or tool.
Admin setting to enforce CI/CD job token allowlist
Previously, we announced that the default CI/CD job token (CI_JOB_TOKEN
) behavior will change in GitLab 18.0, requiring you to explicitly add indvidual projects or groups to your project’s job token allowlist if you want them to continue to be able to access your project.
Now, we are giving self-managed and Dedicated instance administrators the ability to enforce this more secure setting on all projects on an instance. After you enable this setting, all projects will need to make use of their allowlist if they want to use CI/CD job tokens for authentication. Note: We recommend enabling this setting as part of a strong security policy.
Vulnerability report grouping
Users require the ability to view vulnerabilities in groups. This will help security analysts optimize their triage tasks by utilizing bulk actions. In addition users can see how many vulnerabilities match their group; i.e. how many OWASP Top 10 vulnerabilities are there?
Other improvements in GitLab Preview
Project events for group webhooks
In this release, we’ve added project events to group webhooks. Project events are triggered when:
- A project is created in a group.
- A project is deleted in a group.
These events are triggered for group webhooks only.
Easily remove closed items from your view
You can now hide closed items from the linked and child items lists by turning off the Show closed items toggle. With this addition, you have greater control over your view and can focus on active work while reducing visual clutter in complex projects.
macOS Sequoia 15 and Xcode 16 job image
You can now create, test, and deploy applications for the newest
generations of Apple devices using macOS Sequoia 15 and Xcode 16.
GitLab’s hosted runners on macOS
help your development teams build and deploy macOS applications faster in a secure,
on-demand build environment integrated with GitLab CI/CD.
Try it out today by using the macos-15-xcode-16
image in your .gitlab-ci.yml
file.
Select a GitLab agent for an environment in a CI/CD job
To use the dashboard for Kubernetes, you need to select an agent for Kubernetes connection from the environment settings. Until now, you could select the agent only from the UI or (from GitLab 17.5) the API, which made configuring a dashboard from CI/CD difficult. In GitLab 17.6, you can configure an agent connection with the environment.kubernetes.agent
syntax.
In addition, issue 500164 proposes to add support for selecting a namespace and Flux resource from your CI/CD configuration.
Filter GitLab Duo users by assigned seat
In previous versions of GitLab, the user list displayed on the GitLab Duo seat assignment page could not be filtered, making it difficult to see which users had previously been assigned a GitLab Duo seat. Now, you can filter your user list by Assigned seat = Yes or Assigned seat = No to see to see which users are currently assigned or not assigned a GitLab Duo seat, allowing for ease in adjusting seat allocations.
New audit event when merge requests are merged
With this release, when a merge request is merged, a new audit event type called merge_request_merged
is triggered that contains key information about
the merge request, including:
- The title of the merge request
- The description or summary of the merge request
- How many approvals were required for merge
- How many approvals were granted for merge
- Which users approved the merge request
- Whether committers approve the merge request
- Whether authors approved the merge request
- The date/time of the merge
- The list of SHAs from Commit history
Service accounts badge
Service accounts now have a designated badge and can be easily identified in the users list. Previously, these accounts only had the bot
badge, making it difficult to distinguish between them and group and project access tokens.
Deploy your Pages site with any CI/CD job
To give you more flexibility in designing your pipelines, you no longer
need to name your Pages deploy job pages
. You can now simply use the
pages
attribute in any CI/CD job to trigger a Pages deployment.
JaCoCo test coverage visualization now generally available
You can now see JaCoCo test coverage results directly in your merge request diff view. This visualization allows you to quickly identify which lines are covered by tests and which need additional coverage before merging.
Add support for values to the glab agent bootstrap
command
In the last release, we introduced support for easy agent bootstrapping to the GitLab CLI tool. GitLab 17.6 further improves the glab cluster agent bootstrap
command with support for custom Helm values. You can use the --helm-release-values
and --helm-release-values-from
flags to customize the generated HelmRelease
resource.
Audit events for privileged actions
There are now additional audit events for privileged settings-related administrator actions. A record of when these settings were changed can help improve security by providing an audit trail.
More information in sign in emails from new locations
GitLab optionally sends an email when a sign-in from a new location is detected. Previously, this email only contained the IP address, which is difficult to correlate to a location. This email now contains city and country location information as well.
Thank you Henry Helm for your contribution!
Prevent modification of group protected branches
When a merge request approval policy is configured to prevent group branch modification, policies now account for protected branches configured for a group. This setting ensures that branches protected at the group level cannot be unprotected. Protected branches restrict certain actions, such as deleting the branch and force pushing to the branch. You can override this behavior and declare exceptions for specific top-level groups with the new approval_settings.block_group_branch_modification
property to allow group owners to temporarily modify protected branches when necessary.
This new project override setting ensures that group protected branch settings cannot be modified to circumvent security and compliance requirements, ensuring more stable enforcement of protected branches.
Use API to get information about tokens
Administrators can use the new token information API to get information about personal access tokens, deploy tokens, and feed tokens. Unlike other API endpoints that expose token information, this endpoint allows administrators to retrieve token information without knowing the type of the token.
Thank you Nicholas Wittstruck and the rest of the crew from Siemens for your contribution!
Deprecations
The complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.
Removals and breaking changes
The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.