Introduction
GitLab has released two significant updates in autumn 2025 that fundamentally transform how development teams collaborate, secure their code, and leverage artificial intelligence. Versions 18.4 and 18.5, released in close succession, represent a clear acceleration of GitLab's AI-first strategy while simultaneously strengthening the platform's core DevSecOps capabilities.
Together, these releases deliver meaningful improvements across every layer of the platform — from the code editor to the compliance dashboard. Whether you are evaluating an upgrade from an older self-managed version or assessing the AI features for your engineering organisation, these two releases deserve careful attention.
Executive Summary
Combined, GitLab 18.4 and 18.5 introduce over twenty major features spanning AI-powered development, security automation, CI/CD pipeline efficiency, and governance tooling. The headline additions are the Knowledge Graph (18.4), end-user AI model selection (18.4, extended in 18.5), and two new autonomous agents — Duo Planner and Security Analyst — arriving in beta with 18.5.
For teams already running GitLab Ultimate, these releases unlock capabilities that previously required third-party tooling. For teams on older versions, the gap between what they have and what is now available has widened significantly.
Version Feature Comparison
| Feature Category | GitLab 18.4 Features | GitLab 18.5 Features |
|---|---|---|
| AI and Machine Learning | Knowledge Graph (beta), end-user model selection in UI | Duo Planner Agent (beta), Security Analyst Agent (beta), model selection extended to VS Code and JetBrains, GPT-5 added |
| Security and Compliance | AI context exclusion for sensitive files | DAST authentication scripts, compliance policy groups, MR approval bypass with audit trails |
| CI/CD and Development | Job token authentication for git push, pipeline simulation | Dependency scanning v2, static reachability analysis, diff-based SAST |
| User Experience | Improved model selection interface | Personal homepage, Maven virtual registry UI improvements |
| Platform and Infrastructure | Knowledge Graph indexing infrastructure | Centralised policy management, ISO 27001 compliance frameworks |
GitLab Knowledge Graph (18.4)
The most architecturally significant addition in 18.4 is the Knowledge Graph, released in beta. This feature creates a comprehensive mapping of file relationships, dependencies, and code interconnections across your entire repository.
In practical terms, the Knowledge Graph enables impact analysis at a level that was previously unavailable within GitLab. When a developer modifies a file, the Knowledge Graph can surface every other file, test, and pipeline that could be affected by the change. This is not simple text matching: the relationships are derived from static analysis of imports, references, and declared dependencies, so a change shows up where its output is actually consumed, not merely where a similar string appears.
For AI features, the Knowledge Graph provides dramatically richer context. Rather than feeding Duo a single file or a snippet, the graph supplies the full web of related code, making suggestions more accurate and more relevant. Teams that have struggled with AI code generation producing technically correct but contextually wrong suggestions will find this a meaningful step forward. Note the flip side: a richer context window means more of the repository is assembled into prompts, which is why the AI context exclusion rules introduced in the same release matter more once the graph is enabled.
The Knowledge Graph requires indexing infrastructure, so self-managed instances will need to plan for additional compute and storage. The indexing process runs asynchronously and should not impact day-to-day performance, but initial indexing of large monorepos may take several hours.
AI Model Selection and Customisation
GitLab 18.4 introduced end-user model selection directly in the GitLab UI, giving individual developers the ability to choose which AI model powers their Duo interactions. This was a significant shift from the previous approach, where model selection was an administrator-only decision applied uniformly across the instance.
In 18.5, this capability was extended to VS Code and JetBrains IDE extensions, meaning developers can now select their preferred model regardless of whether they are working in the GitLab web IDE or their local editor. GPT-5 was also added to the available model roster, joining the existing options from Anthropic and Google.
This flexibility matters for teams with mixed workloads. A developer writing Python data pipelines may find one model more effective, while a colleague working on Terraform infrastructure code may prefer another. Giving the choice to the individual rather than the administrator removes a bottleneck and lets teams optimise for their own context. The choice also determines which vendor receives the prompt and its code context, so before widening access, check the selectable list against any data-handling or vendor agreements that constrain where source code may be sent. For organisations looking to roll out GitLab Duo across their engineering teams, model selection flexibility significantly eases adoption.
GitLab Duo Agent Platform (18.5)
Version 18.5 introduces two new autonomous agents that represent GitLab's move from AI-assisted development to AI-driven development.
Duo Planner Agent
The Duo Planner Agent, released in beta, can take a high-level description of a feature or task and break it down into a structured implementation plan. It analyses the existing codebase, identifies relevant files and patterns, and produces a step-by-step plan that a developer can review, modify, and execute.
This is not a replacement for human judgement. The Planner Agent is most effective when used as a starting point — particularly for developers who are new to a codebase or working in an unfamiliar area. It reduces the time spent understanding existing code before writing new code.
Security Analyst Agent
The Security Analyst Agent, also in beta, automatically analyses security scan results and provides contextualised remediation guidance. Rather than presenting a list of CVEs and severity scores, it explains what each vulnerability means in the context of your specific codebase and suggests concrete fixes.
For teams without dedicated application security engineers, this agent provides a first-pass triage that would otherwise require specialist knowledge. It does not replace a security team, and its output still needs checking: a suggested fix is a starting point for a reviewer, not a verified patch. What it does is cut the noise in vulnerability reports so that the findings that matter in your codebase surface first.
Enhanced Security Features
Security improvements span both releases and address different aspects of the DevSecOps pipeline.
AI Context Exclusion (18.4)
Version 18.4 introduced the ability to exclude specific files and directories from AI context. This matters for organisations handling sensitive data: credential files, customer data schemas, or proprietary algorithms can be kept out of what Duo sends to a model, and the exclusion is enforced at the platform level rather than relying on individual developers to remember. Two caveats apply. Exclusion is only as good as the patterns: a secret committed outside the excluded paths is still in scope, so this complements secret detection and a clean repository rather than replacing them. And it governs what the platform gathers as context; text a developer pastes into a chat prompt is not a repository file and is not covered.
DAST Authentication Scripts (18.5)
Dynamic Application Security Testing in 18.5 gains support for custom authentication scripts, so DAST scans can navigate complex authentication flows (multi-step forms, SSO redirects, custom login pages) without manual intervention. For teams whose applications were previously only partially covered by DAST, this is a significant improvement in coverage. The script now carries the test user's credentials, so keep them in masked and protected CI/CD variables rather than in the script itself, and point the scan at a dedicated test account with no access to production data. Multi-factor logins still need a second factor the script can produce, such as a TOTP seed for the test account, and that seed deserves the same handling as a password.
Compliance Policy Groups and Approval Bypasses (18.5)
Version 18.5 introduces compliance policy groups, allowing organisations to define and enforce policies across multiple projects from a single location. MR approval bypasses are now permitted in emergency situations and generate a full audit trail, giving compliance teams the documentation they need without blocking critical fixes. Treat the bypass as a break-glass control: limit who can invoke it, and route the audit events to whoever reviews exceptions so that each bypass is examined after the fact rather than discovered at audit time.
CI/CD Pipeline Improvements
Job Token Authentication for Git Push (18.4)
A long-requested feature, 18.4 allows CI/CD jobs to push back to their project's repository using the job token. This removes the need for personal access tokens or deploy keys in pipelines that commit generated files, update version numbers, or push tags. The security improvement is substantial: the job token exists only while its job runs and is tied to that job, so there is nothing long-lived to leak or rotate, and pushes are attributable to the pipeline that made them. Push access is not enabled by default; it is a per-project job token permission, so turn it on only for projects whose pipelines actually need to write.
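As an added example, not taken from GitLab's documentation or from the original article, here is a job that regenerates a file and pushes it back with the job token. The project is assumed to have Git push enabled in its job token permissions; the runner image and the `scripts/generate-sbom.sh` generator are assumptions for illustration. The `gitlab-ci-token` user name and the `-o ci.skip` push option are standard GitLab behaviour.

```yaml
# Added example (not GitLab's own sample): commit a regenerated SBOM from CI
# and push it back using the job token instead of a PAT or deploy key.
update-sbom:
  stage: build
  image: alpine/git:latest            # assumed image; anything with git works
  rules:
    # Only on direct pushes to the default branch, never on MR pipelines.
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - ./scripts/generate-sbom.sh > sbom.cdx.json   # hypothetical generator
    - git config user.name  "ci-bot"
    - git config user.email "ci-bot@example.com"
    - git add sbom.cdx.json
    # Nothing changed: finish successfully without an empty commit.
    - git diff --cached --quiet && exit 0
    - git commit -m "chore: refresh SBOM"
    # gitlab-ci-token is the documented user name for job-token Git auth.
    # -o ci.skip stops this push from starting another pipeline, which would
    # otherwise run this job again and loop.
    - git push -o ci.skip "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "HEAD:${CI_COMMIT_BRANCH}"
```

Two design points. The `rules` clause plus `-o ci.skip` are both needed: the rule keeps the job off merge request pipelines, and the push option keeps the job's own commit from retriggering it. And because the token is only valid while this job runs, a leaked job log is far less damaging than a leaked personal access token would have been, but masking `CI_JOB_TOKEN` in logs is still worth confirming.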
Pipeline Simulation (18.4)
Pipeline simulation lets developers validate their CI/CD configuration without actually running a pipeline. This is particularly valuable for complex multi-stage pipelines where a YAML syntax error or misconfigured rule could waste significant compute time. The simulation validates the configuration, evaluates rules, and shows which jobs would run, all without consuming any compute minutes. For security jobs this is the cheapest way to confirm that a scan is actually scheduled on the pipeline type you care about, rather than silently skipped by a rule that never matches.
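As an added example, not taken from the release notes or from GitLab's templates, here is the kind of mistake a simulation surfaces. The first job is meant to run on merge requests and on `main`, but `CI_COMMIT_BRANCH` is not set in merge request pipelines, so when the pipeline is simulated for a merge request the job is simply absent from the plan and secret scanning never runs where it matters most. The second job states the pipeline source explicitly. The gitleaks image and invocation are assumptions for illustration.

```yaml
# Added example (constructed for this article): weak rules beside fixed rules.
stages:
  - test

# Broken: CI_COMMIT_BRANCH is unset in merge request pipelines, so neither
# condition matches there and the job disappears from MR pipelines.
secret-detection-broken:
  stage: test
  image:
    name: ghcr.io/gitleaks/gitleaks:latest   # assumed image
    entrypoint: [""]
  script:
    - gitleaks detect --source . --no-banner
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_COMMIT_BRANCH =~ /^feature\//

# Fixed: be explicit about the pipeline source, then about the branch.
secret-detection:
  stage: test
  image:
    name: ghcr.io/gitleaks/gitleaks:latest   # assumed image
    entrypoint: [""]
  script:
    - gitleaks detect --source . --no-banner
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Simulating this file for a merge request lists `secret-detection` and omits `secret-detection-broken`; simulating for a push to `main` lists both. The same check can be scripted: the CI Lint API (`POST /projects/:id/ci/lint`) accepts `dry_run`, `include_jobs` and `ref` parameters and returns the jobs the configuration would create, which makes a useful pre-merge check on `.gitlab-ci.yml` changes.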
Dependency Scanning v2 (18.5)
The second generation of dependency scanning brings significant accuracy improvements, including static reachability analysis that can determine whether a vulnerable function in a dependency is actually called from your code. This does not turn unreachable findings into false positives: the vulnerable version is still in your tree and still worth knowing about. What it changes is priority. A vulnerability in code you never call is a different class of work from one in your critical path, and reachability lets triage treat them differently instead of sorting purely by severity score.
Diff-Based SAST (18.5)
Diff-based Static Application Security Testing scans only the code that has changed in a merge request, rather than the entire codebase. The result is faster feedback and findings tied to the developer's own changes rather than inherited problems from other parts of the codebase. Keep a full scan on the default branch alongside it: a diff-scoped scan has, by construction, less of the program to reason about, and a change in one file can alter what is reachable in another.
Compliance and Governance Features (18.5)
Version 18.5 makes a significant investment in centralised compliance and governance tooling. The centralised policy management framework allows organisations to define security and compliance policies at the group or instance level and have them automatically applied to all child projects.
ISO 27001 compliance frameworks are now available as templates, providing pre-configured policy sets that align with the standard's control objectives. For organisations pursuing or maintaining ISO 27001 certification, this reduces the manual work of translating controls into GitLab configuration.
User Experience Improvements (18.5)
The personal homepage in 18.5 gives each user a customisable dashboard showing their assigned issues, merge requests, review requests, and pipeline statuses. This replaces the previous one-size-fits-all landing page with something that adapts to how each developer actually works.
The Maven virtual registry UI improvements simplify management of Java dependencies, particularly for organisations that maintain internal Maven registries alongside public ones. The new interface makes it easier to configure registry priorities and troubleshoot dependency resolution issues.
Implementation Considerations
Both releases contain features in beta that warrant careful evaluation before enabling in production environments. We recommend the following approach:
- Beta evaluation: Enable Knowledge Graph and Duo agents in a staging environment first. Assess indexing performance, AI suggestion quality, and agent accuracy against your specific codebase before rolling out to production.
- Phased migration: If upgrading from a version older than 18.3, follow GitLab's documented upgrade path rather than jumping directly to 18.5. The path includes required intermediate stops, and background database migrations must finish at each stop before continuing; skipping them leaves migrations incomplete and compounds configuration changes.
- Pilot programmes: Roll out AI model selection and Duo agents to a small group of willing early adopters. Collect feedback on accuracy and usefulness before expanding access. This is especially important for Duo enablement programmes where developer confidence in the tooling drives adoption.
If you are running a self-managed instance and considering an upgrade to 18.4 or 18.5, plan for additional infrastructure requirements, particularly the Knowledge Graph indexing and, if you choose to self-host models rather than use GitLab's hosted AI gateway, the model serving itself.
Deployment Recommendations
When to target 18.4: If your primary goal is the Knowledge Graph and improved AI context, and you want to give your team time to adapt before the agent features arrive. Version 18.4 is also the right choice if you need job token authentication for git push immediately.
When to target 18.5: If you need the Duo agents, enhanced security scanning (dependency scanning v2, diff-based SAST), or centralised compliance policy management. Version 18.5 builds on everything in 18.4, so there is no penalty for going directly to 18.5 if your upgrade path supports it.
For most organisations, we recommend targeting 18.5 directly and enabling 18.4-era features (Knowledge Graph, model selection) as part of the same rollout. This avoids two upgrade cycles and gives you the fullest feature set from day one.
Conclusion
GitLab 18.4 and 18.5 are not incremental releases. They represent a strategic shift in what the platform can do — particularly around AI-assisted development, autonomous agents, and compliance automation. Teams that view these releases as simple version bumps will miss the opportunity they represent.
The Knowledge Graph changes the fundamental quality of AI interactions. The Duo agents move AI from suggestion to action. The compliance features close gaps that previously required manual processes or third-party tools.
We recommend developing an upgrade plan now, even if your target deployment date is months away. The infrastructure requirements, beta evaluation, and pilot programmes all take time — and the competitive advantage of these features goes to teams that adopt early and iterate.
If you would like to discuss your upgrade strategy or need help planning a GitLab Duo rollout, get in touch. We have been working with these features since their beta programmes and can help you avoid the common pitfalls.