GitLab 19.2 adds AI tools for security & workflows
Thu, 16th Jul 2026 (Today)
GitLab has released version 19.2 of its software development platform, adding AI-driven tools for security review and workflow automation.
The release centres on what GitLab calls agentic automation, with features designed to handle security fixes, code review and multi-step development tasks while keeping existing approval and audit controls in place.
One of the main additions is Dependency Scanning Auto-Remediation, now in public beta. When GitLab detects a vulnerable package, the feature opens a merge request and suggests a fix for the affected dependency.
If the upgrade causes the build to fail, the system can make further changes within the same merge request. Developers can also set severity thresholds and define the version range that should trigger remediation.
Each proposed change still goes through existing approval gates and keeps an audit trail. GitLab is positioning the feature as a way to reduce the security backlog without requiring developers to spend time manually upgrading dependencies.
Security review
Another public beta feature, Security Review Flow, is designed to identify issues that pattern-based scanners often miss, including business logic errors, race conditions, missing authorisation on state-changing operations, broken object-level and function-level authorisation, information disclosure and mass assignment.
Rather than looking only for known signatures, the tool assesses what code is intended to do in a merge request. Findings include a severity rating and, where possible, a suggested fix.
The flow does not approve code on its own. A human reviewer remains responsible for the final decision on whether software is shipped.
"Coding agents made it possible to generate far more code and moved the bottleneck downstream to reviews and security," said Manav Khurana, Chief Product and Marketing Officer at GitLab. "GitLab 19.2 puts agents to work on that bottleneck: fixing vulnerable dependencies, catching the flaws scanners miss, and automating the steps in between with a person still approving what ships."
Developer access
GitLab Duo CLI is now generally available across GitLab.com, self-managed deployments and dedicated deployments. The command-line tool gives developers access to agents and multi-step flows from the terminal, where much day-to-day software work is already done.
That lets users call on GitLab agents from an environment that already includes context from their projects, pipelines and existing agent settings. Administrators can also manage rollout across an organisation.
Custom Flows are also now generally available. They let teams set up automated workflows that run when specific GitLab events occur, replacing manual development sequences with predefined, agent-led processes.
These flows can authenticate to external services with short-lived, job-scoped tokens. The approach also applies to links with cloud providers and internal application programming interfaces, using a model similar to the keyless methods already used in GitLab CI/CD pipelines.
Controls and oversight
Alongside the new automation functions, GitLab has added controls intended to give security and compliance teams more oversight. The AI Audit Event Report, now in beta, records AI-assisted actions as dedicated audit events.
Those records can be used in audit reporting, access reviews and incident investigations. GitLab has also introduced group-level custom instructions for GitLab Duo Code Review, allowing administrators to set review behaviour across projects at the group level.
New MCP access controls have also been added to govern which agents can run and which systems or services they can access. Throughout the release, the emphasis is on fitting AI-assisted work into existing governance structures rather than creating separate review paths.
GitLab linked the release to a broader shift in software development, where AI coding tools can increase the volume of code and changes produced, leaving review, remediation and security checks as a growing operational constraint.
It also cited a Forrester Consulting study it commissioned, which found that organisations using GitLab Duo Agent Platform can achieve a 400% return on investment with payback in under six months.
The 19.2 release also includes improvements to GitLab's existing Fix CI/CD Pipeline Flow. The updated flow classifies failures before taking action and can deliver targeted fixes either as inline suggestions or through a new merge request.
GitLab Duo Agentic Chat has also been updated to delegate multi-step work to agents. Together with the terminal tools and custom workflows, the additions point to a broader effort by GitLab to push AI assistance beyond code generation into review, remediation and process orchestration.
Every change introduced through these flows remains subject to existing organisational controls, with a person retaining the final say over what is approved and released.