GitLab 18.7 release notes

Advanced search now returns matching results from both merge request descriptions and comments. Previously, users had to search merge request descriptions and comments separately.

This improvement provides a more streamlined and comprehensive search workflow for GitLab merge requests.

GitLab Duo Chat now supports the AGENTS.md specification, an emerging standard for providing context and instructions to AI coding assistants.

Unlike custom rules that are only available to GitLab Duo, AGENTS.md files are also available for other AI coding tools to use. This makes your build commands, testing instructions, code style guidelines, and project-specific context available to any AI tool that supports the specification.

GitLab Duo Chat in your IDE automatically applies available instructions from AGENTS.md files in your repository, set at the user or workspace level. For monorepos, you can place AGENTS.md files in subdirectories to provide tailored instructions for different components.

When you enable an agent or flow from the AI Catalog in your project, GitLab now pins it to a specific version.

This means your AI-powered workflows stay stable and predictable even as catalog items evolve, so you can test and validate new versions before you upgrade.

For GitLab Duo Self-Hosted, you can now configure a timeout value for requests to self-hosted models.

This value can range from 60 to 600 seconds.

You can now report agents and flows to instance administrators when you encounter problematic content. Submit an abuse report that includes your feedback, and an administrator can choose to hide or delete the harmful item.

Use this feature to keep your agents and flows safe across your entire organization.

You can now control which foundational agents are available in your top-level group or instance.

Turn all foundational agents on or off by default, or toggle individual agents to align with your organization’s security and governance policies.

GitLab Self-Managed users on an Ultimate trial can now access their active trial status, remaining days, accessible features, and expiration notifications from the left sidebar.

These enhancements help eliminate confusion about trial duration and make it easier to evaluate paid features before purchase.

Advanced vulnerability management is available to all Ultimate customers and includes the following features:

• Grouping data by OWASP 2021 categories in the vulnerability report for a project or group.
• Filtering based on a vulnerability identifier in the vulnerability report for a project or group.
• Filtering based on the reachability value in the vulnerability report for a project or group.
• Filtering by policy violation bypass reason.

The Data Analyst Agent is a specialized AI assistant that helps you query, visualize, and surface data across the GitLab platform. It uses GitLab Query Language (GLQL) to retrieve and analyze data, then provides clear, actionable insights about your projects.

You can find example prompts and use cases in the documentation.

This agent is currently in beta status, so please share your thoughts in the feedback issue to help us improve and provide insight into where you’d like to see this go next.

The compliance violations report provides a centralized view of all compliance violations across your organization’s projects. The report displays comprehensive details about control violations, related audit events, and enables teams to track violation statuses effectively.

In GitLab 18.7, we’ve introduced powerful filtering capabilities to help you quickly find the violations that matter most. You can now filter by:

• Status
• Project
• Control

Teams can now also collaborate directly on resolving violations through comments. Within the violation record itself, teams can:

• Tag team members for investigation
• Discuss remediation approaches
• Document findings—all within the violation record itself.

Together, these features evolve the compliance violations report into a dynamic collaboration platform, enabling organizations to efficiently discover, analyze, and resolve compliance violations in their groups and projects.

GitLab compliance controls can be used in compliance frameworks. Controls are checks against the configuration or behavior of projects that are assigned to a compliance framework.

Previously, controls related to scanners (for example, checking if SAST is enabled) required your projects to have a passing pipeline in the default branch before the compliance centre displayed the success or failure status of your controls.

In GitLab 18.7, we have changed this behavior to show whether your controls have succeeded or failed based solely on scan completion, regardless of the overall pipeline status. This helps ease confusion because the compliance status of your controls reflects whether security scans ran and completed, not whether the entire pipeline passed.

Heading anchor links now announce with the same text as their corresponding heading, improving the experience for screen reader users. The links also appear after the heading text, providing a cleaner visual presentation.

These changes make it easier for all users to understand and navigate to specific sections of documentation, issues, and other content.

Security teams can now use warn mode to test and validate the impact of security policies before applying enforcement or to roll out soft gates for accelerating your security program. Warn mode helps to reduce developer friction during security policy rollouts, while continuing to ensure detected vulnerabilities are addressed.

When you create or edit a merge request approval policy, you can now choose between warn or enforce enforcement options.

Policies in warn mode generate informative bot comments without blocking merge requests. Optional approvers can be designated as points of contact for policy questions. This approach enables security teams to assess policy impact and build developer trust through transparent, gradual policy adoption.

Clear indicators in merge requests tell users when policies are in warn or enforce mode, and audit events track policy violations and dismissals for compliance reporting. Developers can bypass scan finding and license policy violations by providing a reasoning for the policy dismissal, creating a collaborative feedback loop between developers and security teams for more effective policy enablement.

When policy violations are detected on a project’s default branch, policies identify vulnerabilities that violate the policy in the vulnerability reports for projects and groups. The dependency list for projects also displays badges that indicate license compliance policy violations.

Additionally, you can use the API to query a filtered list of policy violations on the default branch in a project.

We’re also releasing GitLab Runner 18.7 today!

GitLab Runner is the highly-scalable build agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What’s New:

• Configurable taskscaler reservation throttling
• Enable FF_TIMESTAMPS by default

Bug Fixes:

• Shell executor fails on existing Git repository if a relative builds_dir is specified
• Authentication failure in GitLab Runner 18.6.0 on subsequent pipeline runs (SSH executor)
• Authentication failure in GitLab Runner 18.6.0 on subsequent pipeline runs (shell executor)
• Docker 29 API compatibility issues
• Variables that reference file variables no longer work in GitLab Runner 18.6.0 with the shell executor
• GitLab Runner now supports Windows 11 2025 (25H2)
• ECR credential helper is not working with the Docker Autoscaler executor
• Job timeouts now properly enforced in GitLab Runner

The list of all changes is in the GitLab Runner CHANGELOG.

Teams using parent-child CI/CD pipelines previously had to navigate through multiple pipeline pages to check test results, code quality reports, and infrastructure changes, disrupting their merge request review workflow.

You can now view and download all reports in a unified view, including unit tests, code quality checks, Terraform plans, and custom metrics, without leaving the merge request.

This eliminates context switching and accelerates merge request velocity, giving teams the ability to deliver features faster without compromising quality.