GitLab 19.0 Embeds Agentic AI in Secrets, Merge Requests, and Supply Chain Security

2026-06-19 · Source: InfoQ · Field: Technology & Digital — Software Development & Engineering, Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Intermediate, quick

Summary

GitLab 19.0, released on May 21st, introduces agentic AI capabilities beyond code generation, focusing on enhancing security and workflow automation. Key features include the public beta of GitLab Secrets Manager for Premium and Ultimate users, which centralizes credential management with granular access control and audit logging. The Developer Flow agent is expanded across the merge request lifecycle, now assisting with reviewer feedback, MR splitting, and conflict resolution, guided by project standards defined in an AGENTS.md file. A new "Resolve with Duo" button (beta) automates conflict fixes. The release also makes SBOM-based dependency scanning generally available for ecosystems like Maven and npm, with automatic dependency resolution for Maven, Gradle, and Python. GitLab Duo Core transitions to usage-based billing via GitLab Credits, and the GitLab Duo Agent Platform now supports open-source models like Mistral Devstral 2 123B for air-gapped environments, alongside Claude Opus 4.7 and Gemini. Platform requirements are tightened, mandating PostgreSQL 17 and ending Redis 6 support.

Key takeaway

For MLOps Engineers or AI Security Engineers evaluating platform upgrades, GitLab 19.0 offers significant advancements in securing AI-driven development. You should assess its integrated agentic AI features, like the Secrets Manager and enhanced Developer Flow, to streamline security and compliance within your CI/CD pipelines. Consider how the new SBOM-based dependency scanning and agent platform support for various LLMs can improve your supply chain security and air-gapped deployments, aligning governance with your specific budget and security needs.

Key insights

GitLab 19.0 integrates agentic AI to secure credentials, automate merge requests, and bolster supply chain security within a unified platform.

Principles

• Unify security and development tools.
• Agentic AI enhances workflow automation.
• Governance should align with platform.

Method

The Developer Flow agent reads project standards from an AGENTS.md file, then uses AI to address reviewer feedback, split oversized merge requests, and resolve conflicts, proposing fixes via a "Resolve with Duo" button.

In practice

• Implement GitLab Secrets Manager for centralized credential control.
• Define project standards in AGENTS.md for AI-guided MRs.
• Utilize SBOM scanning for comprehensive dependency security.

Topics

• Agentic AI
• Software Supply Chain Security
• Secrets Management
• Merge Request Automation
• GitLab Duo
• SBOM Scanning

Code references

• features/copilot

Best for: CTO, VP of Engineering/Data, AI Architect, AI Engineer, MLOps Engineer, AI Security Engineer

Related on AIssential

• GitLab 19.0 released — The release deepens AI integration and security automation while streamlining CI/CD and platform management.
• GitLab named a Leader in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms — Agentic AI platforms can automate security, upgrades, and tech debt, significantly reducing developer toil.
• RSA recap, the LiteLLM breach, and the quest to fix AI agent security — Securing agentic AI requires isolating workflows and dynamic identity management, as traditional IAM fails against non-deterministic threats.
• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
• I Read Cursor's Security Agent Prompts, So You Don't Have To — Simple LLM prompts, when supported by robust orchestration, can effectively automate security reviews at scale.
• Securing our codebase with autonomous agents — Autonomous agents can significantly scale codebase security by automating vulnerability identification and remediation.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.