GitLab 18.11: Agentic AI for Security, CI, and Analytics
GitLab 18.11 landed on April 16, 2026, and it is the most agentic release the platform has shipped. Three separate AI agents — one for security vulnerability remediation, one for CI pipeline configuration, and one for delivery analytics — moved from concept to either general availability or public beta. If you are running GitLab on any tier and have the Duo Agent Platform enabled, at least one of these agents is available to you today.
This review covers what each agent actually does, who can use it, what the limitations are, and whether the hype holds up.
What Is GitLab 18.11?
GitLab 18.11 is the eleventh monthly release in the GitLab 18.x series. It builds directly on the GitLab Duo Agent Platform, which reached general availability in GitLab 18.8 (January 2026). The Duo Agent Platform is the runtime layer that hosts GitLab's foundational agents — pre-built, domain-specific AI assistants that can take multi-step actions inside the GitLab platform without requiring the developer to orchestrate each step manually.
Prior to 18.11, the platform had agents for planning and for security analysis (Security Analyst Agent). This release adds three more:
- Agentic SAST Vulnerability Resolution — automatically generates merge requests that fix confirmed security vulnerabilities
- CI Expert Agent — proposes a complete CI/CD pipeline from a natural-language description of your project
- Data Analyst Agent — answers natural-language questions about your delivery metrics with visual charts
All three are backed by the same underlying agent infrastructure, which means they share the same Credits consumption model, the same access points (VS Code, JetBrains, and the GitLab UI), and the same access controls.
Agentic SAST Vulnerability Resolution
This is the headline feature of 18.11, and it earns that billing. Agentic SAST Vulnerability Resolution is now generally available for GitLab Ultimate customers who have the Duo Agent Platform enabled.
How it works
When a SAST scan completes on the default branch, the agent:
- Reviews each detected vulnerability and filters out likely false positives
- For confirmed High and Critical severity findings, analyzes the root cause across the surrounding code over several reasoning steps, not just the flagged line
- Generates a context-aware code fix targeting that root cause
- Opens a merge request with the proposed fix, a confidence score, and a short explanation
- Runs the MR pipeline so the test suite and the SAST scan on the MR can confirm the finding is resolved without introducing regressions
Developers receive a ready-to-review MR in their inbox. They can inspect the diff, see the confidence score, and merge or close it — without ever switching to a separate security dashboard.
Why this matters
The bottleneck in most DevSecOps workflows is not scanning. Scans run automatically. The bottleneck is the gap between "scan found a vulnerability" and "developer fixed it." Security teams file tickets, developers deprioritize them, and vulnerabilities sit unresolved for weeks. This agent collapses that gap by delivering the fix alongside the finding.
The confidence score is an important detail. GitLab is not silently auto-merging fixes; it surfaces a signal that lets the developer make an informed call. A 92% confidence fix for a SQL injection is a different decision from a 61% confidence fix for a complex deserialization issue. The score is the agent's own estimate, not a verification result: the MR pipeline and a human read of the diff are still what establish that the fix is correct and does not change behaviour for legitimate inputs.
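To make that review decision concrete, here is the shape of a SQL injection fix of the kind described above. This is an added example written for this review, not code produced by the agent or taken from GitLab. It assumes a plain sqlite3 lookup by username; the sample rows and the injection payload are constructed. The `verify_fix` function does, in miniature, what the MR pipeline and the reviewer should confirm before merging: the patched function refuses the payload and returns the same rows as the original for legitimate names.

```python
import sqlite3

# Constructed sample data for the demo (not from the page).
SAMPLE_USERS = [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")]
INJECTION_PAYLOAD = "' OR '1'='1"  # classic tautology payload, constructed here


def make_db():
    """In-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """'Before' side of the MR: user input is spliced straight into the SQL
    string, which is the pattern a SAST SQL-injection rule reports."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, username):
    """'After' side of the MR: same query, but the value is passed as a bound
    parameter so the driver never interprets it as SQL."""
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def verify_fix(conn):
    """The two checks a reviewer (or the agent's validation pipeline) wants
    before merging: the fix blocks the attack, and legitimate lookups return
    exactly what they returned before the change."""
    leaked_before = find_user_vulnerable(conn, INJECTION_PAYLOAD)
    leaked_after = find_user_fixed(conn, INJECTION_PAYLOAD)
    no_regression = all(
        find_user_vulnerable(conn, name) == find_user_fixed(conn, name)
        for _, name, _ in SAMPLE_USERS
    )
    return {
        "rows_leaked_before": len(leaked_before),  # tautology dumps every row
        "rows_leaked_after": len(leaked_after),    # bound parameter matches nothing
        "blocks_attack": len(leaked_after) == 0,
        "no_regression": no_regression,
    }


if __name__ == "__main__":
    for key, value in verify_fix(make_db()).items():
        print(f"{key}: {value}")
```

A generated fix that passes `blocks_attack` but fails `no_regression` (for example, one that also strips quotes from the input) is exactly the case a confidence score cannot catch on its own, which is why the pipeline run still matters.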
Caveats
This feature is Ultimate only. Teams on Free or Premium do not get auto-remediation. Additionally, the agent currently targets SAST findings — DAST, dependency scanning, and secret detection are not yet covered by auto-remediation. Incremental SAST scanning (which analyzes only changed files rather than the full codebase) is a separate 18.11 improvement that speeds up scans generally, but that is distinct from the agentic remediation feature.
CI Expert Agent (Beta)
The CI Expert Agent is in public beta in 18.11. It is aimed at a specific problem that has blocked teams for years: the blank .gitlab-ci.yml file.
Writing a CI pipeline from scratch requires knowing GitLab's YAML syntax, understanding which stages your project needs, knowing your test runner commands, and figuring out caching and parallelization. Developers who have not configured CI before either copy from an existing project (with mismatches), stitch together docs examples (fragile), or wait for someone who has done it.
What the CI Expert Agent does
The agent inspects your repository (file structure, detected language and framework, existing scripts) and, from your natural-language description, proposes a complete build-and-test .gitlab-ci.yml. The goal is a running pipeline within about five minutes, without hand-authoring YAML.
Beyond initial setup, the CI Expert Agent can:
- Debug failing jobs by reading pipeline logs and explaining what went wrong
- Suggest optimizations: caching, `needs:` so a job starts as soon as the jobs it depends on finish instead of waiting for the whole previous stage, and parallelization
- Help migrate from other CI systems
This is a beta feature, which means it works but is not recommended for production pipelines without human review of the generated YAML. GitLab's docs are explicit: test in a fork or staging branch first.
Practical example
You tell the agent: "This is a Python FastAPI project using pytest for tests and Docker for deployment." It reads your repo, identifies the framework, and proposes:
```yaml
stages:
  - test
  - build
  - deploy

variables:
  # pip only uses the cached directory if it is told where the cache lives
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.pip_cache"

test:
  stage: test
  image: python:3.12
  script:
    - pip install -r requirements.txt
    - pytest --cov=app tests/
  cache:
    paths:
      - .pip_cache/

build-docker:
  stage: build
  image: docker:24
  services:
    - docker:dind
  script:
    # authenticate to the project registry before pushing; the push fails without it
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```
You review it, adjust any project-specific details, and push. The agent handles the structural thinking; you own the configuration.
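The advice to review generated YAML before shipping it is easier to follow with a checklist in code. The following is an added example, not GitLab tooling and not the CI Expert Agent's output: a small text-level linter for a generated .gitlab-ci.yml that flags the things a security reviewer checks first (floating image tags instead of digests, docker:dind and its privileged-runner requirement, a docker push with no login, a declared stage no job uses, and a cache directory pip is never told about). Both pipelines it runs on are constructed samples; the digests in the hardened one are placeholders and the kaniko invocation is illustrative. It assumes two-space-indented YAML and Python 3.8 or later.

```python
import re

# Both pipelines are constructed samples (assumptions, not GitLab's own output).
# GENERATED_PIPELINE has the shape of a first-draft agent proposal;
# HARDENED_PIPELINE is the same work after review. Digests are placeholders.
GENERATED_PIPELINE = """\
stages:
  - test
  - build
  - deploy

test:
  stage: test
  image: python:3.12
  script:
    - pip install -r requirements.txt
    - pytest --cov=app tests/
  cache:
    paths:
      - .pip_cache/

build-docker:
  stage: build
  image: docker:24
  services:
    - docker:dind
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
"""

PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # replace with the real image digest

HARDENED_PIPELINE = f"""\
stages:
  - test
  - build

variables:
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.pip_cache"

test:
  stage: test
  image: python:3.12@{PLACEHOLDER_DIGEST}
  script:
    - pip install -r requirements.txt
    - pytest --cov=app tests/
  cache:
    paths:
      - .pip_cache/

build-image:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:v1.23.2-debug@{PLACEHOLDER_DIGEST}
    entrypoint: [""]
  script:
    - /kaniko/executor --context "$CI_PROJECT_DIR" --destination "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
"""


def review_pipeline(text):
    """Text-level review of a .gitlab-ci.yml; returns human-readable findings
    (an empty list means nothing to flag). Assumes 2-space indented YAML."""
    findings, stages, used_stages = [], [], set()
    push_jobs, login_jobs, current, in_stages = set(), set(), None, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if not line.startswith(" ") and s.endswith(":"):  # top-level key: job or section
            current, in_stages = s[:-1], s == "stages:"
        elif in_stages and s.startswith("- "):
            stages.append(s[2:].strip())
        elif m := re.match(r"stage:\s*(\S+)", s):
            used_stages.add(m.group(1))
        elif m := re.match(r"(?:image|name):\s*(\S+)", s):  # image: or the name: under it
            if "@sha256:" not in m.group(1):  # a tag can be re-pointed; a digest cannot
                findings.append(f"{current}: image '{m.group(1)}' is not pinned by digest")
        elif s == "- docker:dind":
            findings.append(f"{current}: docker:dind needs a privileged runner; prefer a daemonless builder")
        elif s.startswith("- docker login"):
            login_jobs.add(current)
        elif s.startswith("- docker push"):
            push_jobs.add(current)
    for job in sorted(push_jobs - login_jobs):
        findings.append(f"{job}: 'docker push' with no 'docker login' in the same job")
    for stage in stages:
        if stage not in used_stages:
            findings.append(f"stage '{stage}' is declared but no job uses it")
    if ".pip_cache" in text and "PIP_CACHE_DIR" not in text:
        findings.append("cache lists .pip_cache/ but PIP_CACHE_DIR is never set, so pip ignores it")
    return findings


if __name__ == "__main__":
    for label, text in (("generated", GENERATED_PIPELINE), ("hardened", HARDENED_PIPELINE)):
        print(label, review_pipeline(text) or ["clean"])
```

Run on the generated sample it reports six findings; on the hardened one, none. The digest check is the one worth internalising: an agent that writes `python:3.12` is writing a mutable reference, and whoever controls that tag on the registry controls your build.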
Data Analyst Agent
The Data Analyst Agent is generally available in 18.11 and is notable for its tier availability: Free, Premium, and Ultimate customers with the Duo Agent Platform enabled can use it.
What it does
You ask questions in natural language. The agent translates them into GitLab Query Language (GLQL) queries, runs them against your project or group data, and returns visual charts or tables.
Example questions you can ask:
- "How many merge requests did the backend team close last month?"
- "What is our average MR cycle time this quarter compared to last quarter?"
- "Which pipelines are failing most often and on which branches?"
- "Show me deployment frequency for the production environment over the last 90 days."
The agent covers the four DORA metrics (deployment frequency, lead time, change failure rate, mean time to restore), merge request analytics, pipeline health, and team contribution summaries.
Why this is useful
Engineering managers previously needed to export data from GitLab, load it into a BI tool, and write queries manually. Teams with dedicated analytics tooling (like Grafana or Tableau) could build dashboards, but smaller teams could not justify the overhead.
The Data Analyst Agent brings that capability to anyone on the platform with a Duo subscription. The answers are not static dashboards — you can ask follow-up questions, drill into specific time ranges, or compare teams.
Limitations
The agent is powered by GLQL, which has coverage gaps. Not every data point across the GitLab platform is queryable through natural language yet. Complex cross-project analytics (for example, correlating security findings across five repos) may require falling back to manual GLQL queries or the API.
GitLab Credits Spending Controls
18.11 also ships a practical addition for teams worried about AI cost creep: subscription-level and per-user spending caps for GitLab Credits.
GitLab Credits are the consumption unit for on-demand AI features on the platform. Prior to 18.11, teams had visibility into usage but limited enforcement controls.
Now:
- Billing account managers can set a monthly Credits cap at the subscription level. When the cap is hit, Duo Agent Platform features are suspended until the next billing period or until an admin adjusts the cap.
- Per-user caps let admins prevent any single user from consuming the full team allocation. If one user hits their cap, only that user is suspended — other team members are unaffected.
- Free namespaces get an automatic on-demand cap of $25,000 per calendar month as a hard ceiling on surprise spend.
This matters because agentic features (particularly the SAST remediation agent, which can open many MRs at once) consume more Credits than a standard Duo Chat query. Having hard stops prevents a single automated scan from generating an unexpected bill.
What's Good and What's Not
Good
- SAST auto-remediation GA — genuinely closes the scan-to-fix gap without requiring a separate security tool
- Confidence scores on generated fixes prevent blind merges
- Data Analyst Agent available on all tiers — not locked behind Ultimate
- Per-user and subscription-level credit caps give CFOs and engineering managers real spend controls
- Incremental SAST scanning reduces pipeline time for large repos independently of the agentic features
- Kubernetes 1.35 support keeps GitLab current with the k8s release schedule
Not so good
- SAST auto-remediation is Ultimate-only — teams on Premium still have to fix vulnerabilities manually
- CI Expert Agent is beta only — generated YAML needs human review before shipping to production
- Auto-remediation covers SAST only; DAST and dependency scanning are not yet included
- Data Analyst Agent has GLQL coverage gaps for complex cross-project queries
- Duo Agent Platform still requires a paid add-on even on GitLab.com free tier
Pricing Breakdown
Understanding which features you can access requires mapping your GitLab tier to the Duo Agent Platform availability.
| Feature | Free | Premium ($29/user/mo) | Ultimate ($99/user/mo) |
|---|---|---|---|
| Data Analyst Agent | Yes (Duo required) | Yes (Duo required) | Yes (Duo required) |
| CI Expert Agent (Beta) | Yes (Duo required) | Yes (Duo required) | Yes (Duo required) |
| Agentic SAST Remediation | No | No | Yes (Duo required) |
| Credits Spending Caps | Yes ($25K auto-cap) | Yes (manual cap) | Yes (manual cap) |
| What you get | Analytics + CI Agent beta | Analytics + CI Agent beta | Full agentic suite |
GitLab Duo add-on pricing sits at approximately $19/user/month on top of your base plan. For Ultimate customers, the Duo add-on is bundled starting in certain enterprise arrangements — check your GitLab contract for specifics.
Who It's For — and Who Should Skip
Go all-in on 18.11 if you are:
- A security-conscious team on GitLab Ultimate: the SAST auto-remediation agent alone justifies the upgrade if you have a backlog of unresolved vulnerabilities
- A mid-size team without a dedicated DevOps engineer: the CI Expert Agent reduces the YAML expertise required to maintain pipelines
- An engineering manager who wants DORA metrics without a separate BI tool: the Data Analyst Agent handles most common delivery questions
The upgrade is less compelling if you are:
- On Free or Premium with no plans to upgrade: you get the Data Analyst Agent and CI Expert Agent beta, but the highest-value feature (SAST remediation) is out of reach
- Running a very small project with a simple pipeline: the CI Expert Agent adds value primarily for teams maintaining complex multi-stage pipelines
- Relying on DAST or dependency scanning for your primary security workflow: auto-remediation does not cover those vectors yet
FAQ
Q: Does Agentic SAST Vulnerability Resolution work on self-managed GitLab?
Yes. The Duo Agent Platform is available on GitLab.com, GitLab Self-Managed, and GitLab Dedicated. For self-managed instances, you need to enable the Duo Agent Platform in your admin settings and ensure your instance has network access to GitLab's AI gateway.
Q: Can the CI Expert Agent write pipelines for non-standard languages or frameworks?
The agent identifies language and framework from your repository structure. For common stacks (Python, Node, Go, Java, Ruby, PHP), it performs well. For less common stacks or custom toolchains, the generated YAML provides a reasonable starting point but will likely need manual adjustments. The docs recommend treating it as a first draft, not a final config.
Q: What counts as a GitLab Credit?
Credits are consumed when you use on-demand AI features — Duo Agent Platform agent actions, certain Duo Chat queries, and AI-powered MR summaries. Standard GitLab features (CI minutes, storage, Packages) use separate consumption units and do not draw from your Credits balance. The Credits dashboard in the Admin area shows a per-feature breakdown.
Q: Is the Data Analyst Agent aware of data across multiple projects?
It can query data from projects and groups you have access to. Cross-group analytics (comparing metrics across separate top-level groups) is limited. For complex multi-group rollups, the GitLab Analytics API remains the more powerful path.
Q: How does the SAST agent handle false positives?
The agent filters out likely false positives before generating a fix. It assigns a confidence score to each fix it does generate. Developers are expected to review the MR and decide whether to merge — the agent does not auto-merge anything without human approval.
Key Takeaways
GitLab 18.11 is a meaningful release, not a marketing refresh. The SAST auto-remediation agent solves a workflow problem that security teams have been complaining about for years. The Data Analyst Agent's broad tier availability means most teams can use it today without an upgrade. The CI Expert Agent is beta — useful, but not ready to hand off without review.
The per-user credit caps are an underrated addition. Agentic features are inherently higher-consumption than chat-style AI, and organizations need budget controls before deploying them at scale. GitLab shipping the controls in the same release as the agents is the right sequencing.
The outstanding gap is coverage: SAST auto-remediation is excellent, but teams that depend on DAST or dependency scanning for their primary security findings will not see the same workflow improvement yet. That feels like an obvious 18.12 candidate.
GitLab 18.11 is the best DevSecOps release of 2026 so far. If you are on Ultimate, enable the Duo Agent Platform and let the SAST remediation agent start clearing your vulnerability backlog. Everyone else gets the Data Analyst Agent without a tier upgrade (the Duo add-on is still required); that alone is worth turning on Duo.