Agentic Core
Automatic Duo Code Review for groups and applications
You can now use group or application settings to enable automatic Duo Code Review for multiple projects. This can help you quickly enable Duo Code Review for all projects in a group, rather than individually enabling specific projects.
This feature is currently available in GitLab.com, and we plan to make it available for GitLab Self-Managed in a future release. Provide feedback in issue 517386.
Available in: Premium, Ultimate
Offerings: GitLab.com
Add-ons: Duo Enterprise
Additional supported models for GitLab Duo Self-Hosted
GitLab Self-Managed customers with GitLab Duo Enterprise can now use additional supported models with GitLab Duo. OpenAI GPT-5 is now supported on Azure OpenAI. Open source OpenAI GPT OSS 20B and 120B are also now supported on vLLM and Azure OpenAI. To leave feedback on using these models with GitLab Duo Self-Hosted, see issue 523918.
Available in: Premium, Ultimate
Add-ons: Duo Enterprise
Duo Code Review on GitLab Duo Self-Hosted is generally available
GitLab Duo Code Review on GitLab Duo Self-Hosted is now generally available. Use Code Review on GitLab Duo Self-Hosted to accelerate your development process without compromising on data sovereignty. When Code Review reviews your merge requests, it identifies potential bugs and suggests improvements for you to apply directly. Use Code Review to iterate on and improve your changes before you ask a human to review. This feature includes support for Mistral, Meta Llama, Anthropic Claude, and OpenAI GPT model families.
Provide feedback on Code Review in issue 517386.
Available in: Premium, Ultimate
Add-ons: Duo Enterprise
Unified DevOps and Security
Pipeline secret detection now excludes certain files and directories by default
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
Secret detection analyzer Git fetching improvements
Version 7.12.0 of the secret detection analyzer adds significant improvements to the way Git commits are fetched. The analyzer now parses --depth and --since options passed from SECRET_DETECTION_LOG_OPTIONS, so you can further specify how many commits you want to scan. The analyzer also selects appropriate fetch strategies based on context, which prevents a known issue where potentially millions of commits were unnecessarily fetched, even with shallow depth configurations.
This enhancement reduces job timeouts, decreases resource consumption, and provides more predictable scan performance. Experience faster secret detection scans, especially in large repositories, with clearer logging that matches the actual fetching behavior.
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
Significantly faster Advanced SAST scanning
Every minute counts when you’re enabling security scans in your merge requests and pipelines.
We routinely ship performance improvements for Advanced SAST, targeting both the engine and its detection rules.
In this release, we’re highlighting a specific improvement that cuts scan runtime by as much as 78% in our benchmark and real-world tests.
We’ve added caching in a performance-sensitive part of the scanning process, leading to significantly faster scans in large repositories.
This improvement is automatically enabled in Advanced SAST analyzer version 2.9.6 and later.
You can see which analyzer version you’re using by checking scan job logs.
Available in: Ultimate
Offerings: GitLab Dedicated, GitLab.com
Operational Container Scanning severity threshold configuration
You can now configure Operational Container Scanning (OCS) to only return vulnerabilities at or above a certain severity level.
After you set a severity threshold, vulnerabilities below the severity you choose are no longer returned in the Vulnerability Report, API payloads, and other reporting mechanisms.
This can help you focus on the vulnerabilities you want to remediate.
To enable this filtering, set a severity_threshold in your OCS configuration.
We gratefully acknowledge this community contribution from John Walsh.
To learn more about contributing to GitLab, check out the Community Contribution program.
Available in: Ultimate
Offerings: GitLab Dedicated, GitLab.com
Publish OpenTofu modules and providers to the GitLab container registry with CI/CD templates
The GitLab container registry now supports the media types to host OpenTofu modules and providers. Version 3.1.0 of the OpenTofu CI/CD component supports a new provider-release template to deploy an OpenTofu provider into the GitLab registry using the OCI format. Now, you can host private OpenTofu providers directly in GitLab.
In addition, the module-release template now supports a new type input that you can set to oci to deploy the OpenTofu module in the GitLab registry using the OCI format.
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
Bypass confirmation for enterprise users when reassigning placeholders
Users with the Owner role for a group can now bypass user confirmation when reassigning placeholders to active enterprise users in that group. This way, enterprise users do not have to keep checking their emails to confirm reassignments. After the time limit for the setting is reached, email confirmation requests are sent again for all new reassignments.
Enterprise users still receive notification emails after the reassignment is complete, ensuring transparency throughout the process.
Available in: Silver, Gold
Offerings: GitLab.com
Configure how to view issues from the Issues page
You now have full control over your listing page view. Choose which metadata appears and whether to open work items in a drawer, making it easier to focus on the information that matters most to you.
Previously, all metadata fields were always visible, which could make scanning through work items overwhelming. Now you can customize your view by turning on or off specific fields like assignees, labels, dates, and milestones.
With the new toggle that switches between the drawer view and full-page navigation, you can quickly review details while maintaining context of your list, or open the full page when you need more screen space for detailed editing and comprehensive navigation.
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
Enhanced parent filtering for epic and issue lists
We’ve replaced the “epic” filter on the Issues and Epics pages with a more flexible “parent” filter. This change lets you filter by any parent work item, not just epics. You can now easily find child tasks by filtering by their parent issue, or find issues by filtering by their parent epic, giving you better visibility into your work hierarchy across both issue and epic lists.
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
Issue boards now show complete epic hierarchies
You can now view all issues from child epics when filtering by a parent epic in issue boards, bringing consistency with how the Issues page already works. This improvement helps you better track and visualize your complete epic hierarchy without missing any issues nested in child epics, making your project management workflow more efficient and reliable.
Available in: Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
Text editors toolbar parity
The GitLab plain text editor now includes the same formatting options as the rich text editor. The plain text editor toolbar has been updated with a “More options” menu that provides access to advanced formatting tools like:
- Code blocks
- Details blocks
- Horizontal rules
- Mermaid diagrams
- PlantUML diagrams
- Table of contents
Both editors now have consistent button placement and separators, making it easier to switch between editing modes while maintaining access to familiar formatting options.
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
Vulnerability details shows the auto-resolve pipeline ID
When troubleshooting vulnerabilities that have been automatically resolved, and later redetected, it can be helpful to compare the current pipeline to the pipeline where the vulnerability was resolved.
If a vulnerability is automatically resolved, the vulnerability notes in the vulnerability details page now include the pipeline ID where it occurred.
Available in: Ultimate
Offerings: GitLab Dedicated, GitLab.com
Enhanced controls for who can download job artifacts
In GitLab 16.11, we added the artifacts:access keyword enabling users to control whether artifacts can be downloaded by all users with access to the pipeline, only users with the Developer role or higher, or no user at all.
In this release, you can now restrict who can download artifacts to only the Maintainer role or higher, giving you one more option for controlling who can download job artifacts.
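The following is an added example, not taken from this release post or from GitLab's own documentation: a constructed .gitlab-ci.yml that matches each artifacts:access level to the sensitivity of a job's output. The job names, scripts and paths are hypothetical, and the value maintainer for the new level is an assumption that follows the naming of the existing all, developer and none values.

```yaml
# Constructed example; job names, scripts and paths are hypothetical.
stages: [build, test, release]

build_docs:
  stage: build
  script: ./ci/build-docs.sh
  artifacts:
    paths: [public/]
    access: all          # default: every user with access to the pipeline

unit_tests:
  stage: test
  script: ./ci/run-tests.sh
  artifacts:
    when: always         # keep reports from failed runs too
    paths: [reports/]
    access: developer    # Developer role or higher

sign_release:
  stage: release
  script: ./ci/sign-release.sh
  artifacts:
    paths: [dist/]
    expire_in: 1 week
    access: maintainer   # assumed spelling of the new level: Maintainer role or higher

debug_dump:
  stage: test
  script: ./ci/collect-debug.sh
  when: manual
  artifacts:
    paths: [debug/]
    expire_in: 1 day
    access: none         # no user can download these artifacts
```

Because artifacts:access is set per job, one pipeline can keep low-risk outputs broadly available while restricting release bundles and diagnostic dumps.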
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated, GitLab.com
GitLab Runner 18.4
We’re also releasing GitLab Runner 18.4 today! GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.
Bug Fixes:
The list of all changes is in the GitLab Runner CHANGELOG.
Available in: Free, Premium, Ultimate
Offerings: GitLab Dedicated