GitLab 18.9 release notes

You can now troubleshoot and verify data integrity directly from the primary site, thanks to the new data management view that brings detailed verification status information to the primary Geo site. This enhancement eliminates the need to access secondary sites for basic verification and troubleshooting tasks.

Previously, this verification status was only accessible through the secondary site UI. Now, with the data management view on the primary site, you can:

• View detailed verification status for all replicable data types on the primary site
• Perform data sanitization and troubleshooting tasks directly from the primary UI
• Set up and verify your Geo configuration on the primary site before adding secondary sites

This enhancement is the first step toward comprehensive self-serve troubleshooting with the UI, reducing the need to access multiple sites for routine maintenance and issue resolution.

Teams evaluating GitLab can now test agentic AI capabilities that automate complex development workflows and reduce manual tasks. Sign up for a GitLab Ultimate trial and get access to Duo Agent Platform with 24 evaluation credits per user, enabling hands-on experience with autonomous task execution and multi-step workflow orchestration during a 30-day evaluation. Evaluation credits are available for 30 days from the provision date, so consider your team’s readiness before starting.

Start your free trial. Current paid customers can access evaluation credits through their account team. Contact Sales to learn more.

Zero Downtime Upgrades are now officially supported for Cloud Native Hybrid deployments.

Enterprise customers require their DevSecOps platform to be available at all times, making upgrade-related downtime a significant operational concern. Until now, Zero Downtime Upgrades were only supported for Linux package-based high availability deployments, which drove many customers toward VM-based architectures even when cloud-native Kubernetes deployments would have better suited their infrastructure strategy.

We’ve been upgrading our own Cloud Native Hybrid SaaS instances with zero downtime for years. With this release, we’re bringing that same operational experience to self-managed customers running GitLab on Kubernetes.

The upgrade procedure has been comprehensively tested and is now fully documented, giving you the confidence to maintain availability during version upgrades.

Managing completed initiatives and abandoned projects is now easier. You can now archive entire groups, including all subgroups and projects, in one action, eliminating the need to manually archive each project individually.

When you archive a group:

• All nested subgroups and projects are automatically archived.
• Archived content moves to the Inactive tab with clear status badges.
• Group data remains fully accessible in read-only mode for reference or restoration.
• Write permissions are disabled across the archived group and its content.

Beyond the Settings page, you can archive groups and projects directly from the actions menu in list views. No more navigating through multiple screens for simple administrative tasks. This highly requested feature dramatically reduces administrative overhead while keeping your workspace organized with clear separation between active and inactive work. Share your feedback in epic 18616.

Starting with GitLab 18.9, Valkey is bundled as an opt-in replacement for Redis in the Linux package. Redis changed their license to AGPLv3, which is not suitable for open source customers. To guarantee security and maintainability for our GitLab Self-Managed customers, we are transitioning from Redis to Valkey, a community-driven fork that maintains the permissive BSD license.

Transition timeline:

• GitLab 18.9 (this release): Valkey is bundled as an opt-in replacement (beta). You can switch from Redis to Valkey at your convenience. Valkey Sentinel support is included.
• GitLab 19.0 (May 2026): Valkey becomes the default and Redis binaries are removed from the Linux package. Existing Redis configuration settings remain functional and are honored for backwards compatibility.

This transition only affects the bundled Redis in Linux packages. Customers on scaled architectures using external Redis deployments can continue to use Redis. We are monitoring the potential feature divergence between Redis and Valkey and will provide guidance as the ecosystem evolves.

GitLab dependency scanning by using SBOM now supports scanning Java pom.xml manifest files. Previously, dependency scanning for Java projects using Maven required a graph file to be present. Now, when a graph file is not available, the analyzer automatically falls back to scanning pom.xml files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Java projects to enable dependency scanning without requiring a graph file.

To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".

GitLab dependency scanning by using SBOM now supports scanning Python requirements.txt manifest files. Previously, dependency scanning for Python projects required a lock file to be present. Now, when a lock file is not available, the analyzer automatically falls back to scanning requirements.txt files, extracting and reporting only direct dependencies for vulnerability analysis. This improvement makes it easier for Python projects to enable dependency scanning without requiring a lock file.

To enable manifest fallback, set the DS_ENABLE_MANIFEST_FALLBACK CI/CD variable to "true".

Organizations using GitLab.com need to ensure that enterprise users don’t accidentally expose sensitive code through personal snippets. Previously, there was no way to prevent users from creating snippets in their personal namespace, which can pose a security risk if snippets are inadvertently set to public.

Group Owners can now restrict personal snippet creation for enterprise users, helping maintain tighter control over where code is shared. When restricted, enterprise users cannot create snippets in their personal namespace.

Reviewing commits with many changed files or substantial modifications can be slow. Rapid Diffs technology now powers the commits page (/-/commits/<SHA>), delivering faster loading times, smoother scrolling, and more responsive interactions.

With Rapid Diffs, you’ll notice:

• A pagination-free experience.
• Faster initial load, so you can start working with code sooner.
• A refreshed interface with a new file browser for quicker navigation between files.
• Responsive interactions, even with large numbers of changed files.

All existing functionality is preserved. As Rapid Diffs expands to other areas of GitLab, the same performance benefits will follow.

The GitLab import API now supports Bitbucket Cloud API tokens, providing a more secure way to import repositories from Bitbucket Cloud.

Atlassian has deprecated app passwords in favor of API tokens, and we’re planning to remove support for app passwords in 19.0.

Importing from Bitbucket Cloud through the GitLab UI is not affected by this change.

Manage and visualize security scanner coverage across your organization. This release introduces security configuration profiles, starting with the secret detection profile. Security teams now have a more powerful command center to secure your organization at scale.

Profile-based security configuration

Instead of manually editing YAML files for each project, you can now use preconfigured security configuration profiles that provide several advantages:

• Standardized governance: Preconfigured profiles apply appropriate boundaries without interrupting productivity. You can apply standardized security best practices, without requiring custom role configurations.
• Scalable management: Apply the same profile across hundreds or thousands of projects with a single action.

The secret detection profile is the first security configuration profile available. It provides the following advantages:

• Actively identifies and blocks secrets from being committed to your repositories.
• One profile manages secret detection across your entire development workflow. No need to manage separate configurations for different trigger types.

Enhanced security inventory

The security inventory has been upgraded to act as your primary dashboard to assess each group’s security posture:

• Group and project hierarchies: Easily distinguish between subgroups and projects in the inventory with clear iconography.
• Bulk actions: A new Bulk Action menu allows you to apply or disable security scanner profiles across all selected projects and subgroups simultaneously.
• Visual coverage status: Quickly identify gaps with color-coded status bars (Enabled, Not Enabled, or Failed) with tooltips for details.
• Profile status indicators: See which trigger types are available in the profile details.

Security attributes, introduced as a beta in GitLab 18.6, are now generally available.

Security attributes allow security teams to apply business context to their projects, including business impact, application, business unit, internet exposure, and location. You can also create custom attribute categories to match your organization’s taxonomy. By applying these attributes, you can filter and prioritize the items in your security inventory based on risk posture and organizational context.

The Vulnerabilities over time chart is updated to provide a more accurate view of your vulnerability inventory.

The chart previously included vulnerabilities that were no longer detected, leading to inflated numbers that did not accurately represent the state of active vulnerabilities.

We are aware of two additional issues that may slightly alter counts in some cases. Follow issue 590022 and issue 590018 for updates.

You can now view security and compliance reports from child pipelines directly in merge request widgets. Previously, you had to manually navigate through multiple pipelines to identify security issues, creating inefficient workflows especially with monorepos and complex testing setups.

With this enhancement, the merge request widget displays reports from child pipelines directly alongside parent pipeline results, with each child pipeline’s reports presented individually and artifacts available for download. This provides a unified view of all security checks, significantly reducing time spent investigating failures and enables faster merge request reviews when using parent-child pipelines.