Devoured - April 22, 2026
GitLab Extends Agentic AI with New Automated Security Remediation, Pipeline Setup, and Delivery Analytics (3 minute read)

GitLab 18.11 introduces AI agents that automatically fix security vulnerabilities, configure CI/CD pipelines, and answer analytics questions directly within the platform.

What: GitLab's latest release expands its agentic AI capabilities with automated SAST vulnerability remediation (now generally available), pipeline setup assistance, and natural language delivery analytics queries, plus spending controls for AI credit usage.
Why it matters: This tackles what GitLab calls the "AI Paradox" where code generation speeds up but security, delivery, and operations lag behind. Rather than just writing code faster, these agents address the operational bottlenecks that prevent AI-generated code from reaching production safely and quickly.
Takeaway: GitLab Ultimate customers can enable the security remediation agent to automatically generate merge requests that fix SAST vulnerabilities, each accompanied by a confidence score.
Deep dive
  • The security remediation agent analyzes confirmed SAST true positives after scans complete, generates code fixes targeting root causes, and opens merge requests with confidence scores so developers can address vulnerabilities before production deployment
  • According to GitLab's 2025 DevSecOps Report, developers currently spend 11 hours per month remediating vulnerabilities that already reached production and are exploitable
  • Two new prebuilt agents address CI/CD pipeline setup (a common adoption barrier for new teams) and delivery analytics queries (eliminating the need to file dashboard requests or learn query languages)
  • The agents leverage platform-native context including code, pipelines, issues, and security findings already stored in GitLab rather than requiring external data sources
  • New spending controls include subscription-level caps (configured by billing account managers with enforcement) and per-user caps to prevent individual users from exhausting the AI credit pool
  • Usage visibility comes through a GitLab Credits dashboard and Customers Portal showing consumption and cap status for both GitLab.com and Self-Managed deployments
  • The release positions GitLab's strategy around giving agents deeper access to development context rather than just accelerating code writing
  • All new agent capabilities are part of the GitLab Duo Agent Platform available in GitLab 18.11
Decoder
  • Agentic AI: AI systems that can autonomously perform multi-step tasks like analyzing security findings, generating fixes, and creating merge requests without human intervention at each step
  • SAST: Static Application Security Testing, which analyzes source code for security vulnerabilities without executing the program
  • MR: Merge Request, GitLab's equivalent to a pull request for proposing code changes
  • GitLab Duo Agent Platform: GitLab's framework for deploying AI agents with access to platform data like code repositories, pipelines, and security scans
  • GitLab Credits: GitLab's usage-based billing system for on-demand AI features
Original article

GitLab Extends Agentic AI with New Automated Security Remediation, Pipeline Setup, and Delivery Analytics

April 20, 2026

GitLab released GitLab 18.11, expanding agentic AI across the entire software lifecycle with security remediation, pipeline configuration, and delivery analytics.

AI-generated code moves faster than the systems around it can keep up with, creating the AI Paradox: faster code generation without faster delivery, security, or operations to match. As code volume grows, so does the backlog of pipelines to configure, security findings to remediate, and delivery questions to answer. GitLab 18.11 helps address those gaps with platform-native agents that have access to the code, pipelines, issues, and security findings already in GitLab.

Agentic SAST Vulnerability Resolution Reaches General Availability

Agentic SAST Vulnerability Resolution is now generally available for GitLab Ultimate customers using GitLab Duo Agent Platform. According to GitLab's 2025 DevSecOps Report, developers spend 11 hours per month remediating vulnerabilities after release, fixing issues that are already exploitable in production. When a SAST scan completes, the agent analyzes confirmed true positives, generates a code fix designed to address the root cause, and opens a ready-to-merge request with a confidence score, enabling developers to act without context switching and close vulnerabilities before they reach production.

New Prebuilt Agents for CI and Analytics

For many teams, standing up a first pipeline can be a significant adoption barrier. Teams that want to know how long MRs sit in review or which pipelines are slowing them down have to file a dashboard request or learn a query language. GitLab 18.11 ships two new foundational agents for GitLab Duo Agent Platform that help address both gaps.

New subscription-level and per-user spending caps for GitLab Credits give organizations direct control over on-demand AI spend. Subscription-level caps let billing account managers configure a monthly limit with enforcement controls, while per-user caps ensure no single user exhausts the pool. Together, these controls enable enterprises to deploy GitLab Duo Agent Platform at scale with cost predictability. The GitLab Credits dashboard and Customers Portal give administrators full visibility into usage and cap status.

Usage controls are available for both GitLab.com and Self-Managed customers running GitLab 18.11.

"Much of the AI investment in software development has focused on writing code faster. The bigger opportunity is what comes next," said Manav Khurana, chief product and marketing officer at GitLab. "Agents are only as effective as the context they can access. GitLab 18.11 extends our agents deeper into security, pipelines, and delivery analytics, where that context already lives. That's how GitLab is defining the future of software engineering in the AI era."